
It's not often that I conduct computer forensics anymore. There are others who do it a lot better than I do, but sometimes my clients want me to have a look at something suspicious when they can't make head or tail of it.

Yesterday was such a day. While driving home I got a call from a client. He told me they had found some strange programs during a routine cleanup of adware on a client machine. Beneath all the layers of ads they found a file that apparently did not belong to the original adware. I checked it against known hashes but it came up empty, as expected. A quick check at VirusTotal also came up empty, so I decided to look at its traffic. It turned out to be a very talkative little fellow. It acted as an FTP server and siphoned files from the network to an external spy. Sadly the traffic went into the Tor network, making it really hard to follow. For now we have closed the laptop and sent a copy of the drive to my forensics team to find out what is actually happening. Still, information espionage is here to stay.

Last night, chatting with a friend while flying back home, we came to discuss security dashboards and I gave him the general principles of my thinking. From my point of view a security dashboard gives me the following:
1. Overview of my environment
2. Where my crown jewels (my information) are, clearly marked
3. My current patch level
4. The current attacks ongoing
5. The status on security testing
6. The status of possible vulnerabilities
7. The status of my security mechanisms

It's as easy as that. No more and no less. After describing that I leaned back in my seat as the hour was rather late. Suddenly he said: ‘Have you ever seen one of those in reality?’. I would love to say: ‘Of course! Plenty!’ but the sad reality is that many companies decide that they want manual processes instead, or rather purchase the service from their outsourcing partner but refuse to pay more than the minimum, so the service they get is very seldom more than a simple log review.

Have you ever heard of immediate security? A colleague asked me for my views on it, since he had heard at a webinar that it would be impossible to reach. My simple answer is that rather the opposite is impossible. Impossible as in producing less security. Every single second I need to know if I'm secure or if I'm taking a risk. This cannot, of course, be reached with tools only, but automation will still be an important tool.

A tool I often advise my clients to invest in is a security dashboard. A security dashboard is mainly a tool that collects all the information needed and combines it with your risk analysis. From that you will get a better view of your current risk.

A CIO at an industrial company here in Sweden dropped me a mail and told me how they receive their reporting. On a monthly basis they get a list of possible patches to deploy; from that list they have to select what to patch and what not to patch. This raises a number of CHRs and updates to their risk registry. A month later they get a list of the patches that were deployed and of those that failed, with a question whether they should retry.

To say the least, the CIO was less than happy and asked my viewpoint on this. In short I would say that no matter what, they have an assignment to patch: keep on trying! Solve the problem! How hard could it be?

On a more interesting note, I would skip the reporting and get a compliance engine that monitors for missing patches. That would be a lot more useful than a worthless report.

Vacations are supposed to be a time for contemplation and relaxation, but apparently there is no rest for the wicked. I have been stuck with a few contracts regarding security SLAs and would like to share my thoughts with you all. A security SLA is always a challenge: how do you measure that you are secure enough? Something that struck me while examining the contracts is the reactiveness in the SLAs and the reporting. One of my clients has outsourced their infrastructure to a third party and we are discussing patch management and vulnerability scanning. The contract states that patches should be deployed every Tuesday on a weekly basis and that reporting of this should be done monthly. And here is my thought of the day for this: it is useless!

The patching in itself is OK; most zero days still take about a month before hitting this target, so patching on a weekly basis is in this case good enough (and we have other protections as well). But the monthly reporting: why on earth should I be interested in getting an Excel sheet with what patches are deployed on what server? It gives me nothing to know the status a month ago. I need to know in this very second what risks I have, not what is patched but what is unpatched. Any takes on solutions?
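The compliance engine that monitors for missing patches, and the "what is unpatched right now" view asked for above, as an added example that is not from the original blog: a Python snapshot that compares each host's installed patches against the released set and flags everything outside the weekly patch window. Host names, KB identifiers, dates and the inventory are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data (no real environment): patches the vendor has
# released, keyed by identifier with release date, and what each host has.
REQUIRED_PATCHES = {
    "KB-EXAMPLE-001": date(2015, 6, 2),
    "KB-EXAMPLE-002": date(2015, 6, 9),
    "KB-EXAMPLE-003": date(2015, 6, 16),
}
HOST_INVENTORY = {
    "srv-web-01": {"KB-EXAMPLE-001", "KB-EXAMPLE-002", "KB-EXAMPLE-003"},
    "srv-db-01": {"KB-EXAMPLE-001", "KB-EXAMPLE-002"},
    "srv-app-01": {"KB-EXAMPLE-001"},
}
SNAPSHOT_DATE = date(2015, 6, 24)   # constructed "now" for the demo


@dataclass
class HostStatus:
    host: str
    missing: list   # released patches not installed, oldest first
    overdue: list   # the subset older than the patch window (SLA breach)


def missing_patches(installed, required, today, window_days=7):
    """Judge one host right now: what is missing, and what is overdue."""
    missing = sorted((kb for kb in required if kb not in installed), key=required.get)
    overdue = [kb for kb in missing
               if today - required[kb] > timedelta(days=window_days)]
    return missing, overdue


def compliance_snapshot(inventory, required, today, window_days=7):
    """Current unpatched state of every host: the view a dashboard should show."""
    return [HostStatus(host, *missing_patches(installed, required, today, window_days))
            for host, installed in sorted(inventory.items())]


def noncompliant_hosts(snapshot):
    """Hosts with at least one patch outside the agreed weekly window."""
    return [s.host for s in snapshot if s.overdue]


def demo_snapshot():
    return compliance_snapshot(HOST_INVENTORY, REQUIRED_PATCHES, SNAPSHOT_DATE)


if __name__ == "__main__":
    for status in demo_snapshot():
        print(f"{status.host}: missing={status.missing} overdue={status.overdue}")
```

Run against a real inventory, the same functions give the live "unpatched right now" list instead of last month's list of what was deployed.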

I think that no one has missed that we celebrated Midsummer in Sweden, one of our famous public holidays where we mimic frogs and drink a lot of booze. Even if it's a public holiday in Sweden, the rest of the world, especially the criminals, still keeps pounding at our doors trying to find a crack. So when all of us have hangovers it is imperative that the security still works 24/7. You need to make sure that you not only have juniors but also seniors available to be able to respond to incidents. When I'm out conducting tests it is always during vacations or holidays that process flaws emerge that I could exploit, even with a hangover.

A few days ago I was sitting at a client with a colleague, tasked with some simple pentesting to prove that our risk analysis was valid. We had already conducted social engineering to get into the buildings, so our test now was to find a way into their Office 365. As we had network access with a patch cable (fancy that!) I decided to test whether my old friend Cain & Abel was still a possible tool to use. I fired it up and captured about ten computers' network traffic. We heard some swearing in the open-plan office, but soon enough we saw something interesting and disturbing. The users ignored the SSL error and just clicked forward when logging into their mail. And just like that we got their usernames and passwords in clear text. To add insult to injury, as they had ADFS activated, the accounts we got hold of were also their AD accounts. Within a few minutes we had complete access to all their systems.

It was interesting that we, with old tools, could still get complete access in a matter of minutes. The problem turned out to be that they still used Office 2010 and a compatibility setting that allowed this form of attack. When I contacted Microsoft, they told me that it was the standard setting but that they will change that now.

I know that a bunch of you have started to look at the new data protection directive. If you have spent some time with it, you have probably read that if you encrypt your data properly you don't need to inform your customers of a data breach. This is of course good news for encryption developers, but even better for most application developers, as most encryption changes the data format. I would suggest that you instead start to look at non-intrusive encryption solutions. By doing that you minimise the need for changes in the application and database, and hence minimise costs.

Is it possible for a hacker to reduce their carbon footprint? At least it is far easier to reduce the number of passwords guessed by reusing the passwords stolen from other sites. This means that they don't need to run as much password cracking as they otherwise would, keeping the use of password crackers as low as possible. By reusing your passwords you are helping the world to become a greener and darker place.

My team managers asked me what to look for in a security specialist's CV. The quick and direct answer they got from me was: ‘A valid CISSP certification’.

As you can imagine they looked like living question marks, so I had to explain it a bit more. A CISSP certification is a very strong certification in the security market. It shows both that you have five years of full-time experience and that you have the skills to answer a very tough set of questions.

Another important thing is that it is very easy to verify that the certification is valid. By entering the candidate's full name and certification number here you get a quick reply on the candidate's current certification status. As you hopefully are aware, a CISSP is only valid for three years; after that you need to either take the test again or show that you have spent enough time giving back to the community or educating yourself. Many do take the certification but fail to do the work needed to keep it. Hence a verification should always be made.

If a candidate fails to give you his certification number, you can bet he has lost his CISSP.

This is what it looks like.
