Monday, January 4, 2016

Information Security Outlook 2016. What's coming?

For me the Top 3 will be:

1. Data breach is the "new normal"

  • The question is no longer whether it could or might happen, but when. 
  • Are you prepared for it? How good is your cyber security incident response plan?
  • Many large organisations can absorb the operational costs of a data breach, but what about the cost of reputation and brand damage? Reputation risk must be integrated into the risk management process. 
  • Become part of a cyber security defense/intel sharing community - we cannot fight cybercrime alone
  • Share the 0-days that were used against you. A 0-day loses value once it is known to the public
  • Have deterrence policies and tactics. Tell attackers what could happen to them, but be careful not to send the wrong signal (e.g. taunting)

2. DevOps is coming and will prevail

  • Developers will be the ones doing operations, which makes the "segregation of duties" principle a challenge. 
  • Information security folks need to adjust to it. Like it or not, more and more businesses are doing this because of the adoption of Agile software development. It does not make business sense if DevOps can spin up a server and app in a day or two but Security needs 2 weeks to review it 
  • Adjust, adapt, get involved earlier, or we will be "bypassed" 
  • Why not share the information security budget with other departments if it helps to address security weaknesses? Think of the "win-win" situation. 

3. More are moving to Cloud

  • Enterprises are moving more solutions and services to the Cloud, be it software, platform or infrastructure
  • Cloud vendors are growing like mushrooms
  • Vendor risk assessments are becoming more important than ever. Ensure you have one before engaging any cloud vendor. Be careful and do not rush, especially if we are talking about security tools. A new vendor may have great ideas and technology, but are they strong enough to last? 

Be prepared for Internet of Things (IoT)

  • It might not become a big thing soon, but it is certainly heading that way. The smart fridge, smart car, smart aircon and smart oven will all be connected together, and if exploited could give adversaries something close to physical access. We can't stop IoT from happening. The challenge will be how to make it secure.

Friday, October 9, 2015

Moving to SaaS? How to quickly assess the vendor?

So a Cloud vendor managed to pitch your boss on switching to their SaaS application, and your boss has asked you to quickly check out the vendor.

You don't know anything about the vendor or how the SaaS application works. How do you quickly assess something you don't know? You certainly don't want to be blamed if you miss something. You start entering panic mode... Time to call up your senior cum mentor, the Information Security chap.

You: Yo bro! What's up? How's life?

Information Security chap: Hey dude. Long time no see. I'm good! And you? What have you been up to lately?

You: Not too bad, not too bad. I've been busy with all this cloud and SaaS thingy... talking about that, I need to quickly check-out a SaaS vendor. Any tips?

Information Security chap: How quick? You know quick in infosec usually translates to "same as do anything" right?

You: Quick as in like 2 days top? Boss is pushing me left, right and center. Any tips?

Information Security chap: Hahaha.. that's life man. Well, you know that you can't assess them in 2 days, right? And you can't depend on what they say on their websites, as most of it is just marketing pitch. What you can do is ask them to provide you with any third-party independent assurance report.

You: Independent assurance report? Like ISO27001 certification?

Information Security chap: Having ISO27001 certification is good but not good enough. Ask them if they have undergone SOC 2 or SSAE16 audit. There is usually SOC 2 Type 1 and Type 2. If they have done SOC2 Type 2, even better. Ask for a copy of the report and see if there are major issues raised.

You: Why is Type 2 better?

Information Security chap: For Type 1, the effectiveness of controls is assessed only once, at the time of the assessment. For Type 2, control effectiveness is assessed over a period of time, so it provides much better assurance of control effectiveness.

You: I see... I will Google for more info about this SOC stuff. Thanks bro! Coffee on me next time we catch up!

Information Security chap: You're welcome man! Good luck! Ciao!

You: Ciao!

Wednesday, November 12, 2014

Not only that. We are all better together

Just read an article published by Darkreading "Better Together: Why Cyber Security Vendors Are Teaming Up".

I always believe that one cannot fight cybercrime alone.

Cybercrime is organized crime. We all know that organized crime has gone "cyber" for quite some time. They evolve. We must too.

If the bad guys can team up to launch a cyber attack, and the vendors are teaming up too, then why can't we - the cyber security representatives of our companies - team up to defend ourselves? Start by sharing info, intel and experiences in mitigating attacks.

If some of us are worried about disclosing "weaknesses" to competitors, then start with a closed group, for example amongst the "Top 10 public listed companies" in XXX country. Of course, at the first few meetings no one would really share very detailed info, but over time, once trust has been built amongst the members, more info and details would flow in.

Most of us security folks are trained to be skeptical and careful in trusting people, but in the matter of countering cybercrimes, I don't think we have much choice there. We have to learn to trust, give and take.

Sunday, September 28, 2014

Bashing the Big Bad Bash "shellshock"

Updated: 29/9/2014:  Updated video from SANS

How bad is it? Very.

What happened? Check out SANS's video below:

As of today (28 Sep 2014), the current patch is not adequate as it only fixes the first problem (CVE-2014-6271) but not the second one (CVE-2014-7169). Vendors are still struggling to fix the second problem (CVE-2014-7169) and 4 other newly discovered bugs.

Also, the folks at FireEye have written a very good piece about this, with samples of attack vectors and exploits included. Check out their blog post titled "Shellshock in the wild" 

Now, I'm sure by now you have been asked the million dollar question by your boss or some senior manager: are we vulnerable? Can you quickly find out?

Quick is the keyword. You should first check your exposure from the internet.

But how? Ask Google. Look for indications that bash scripts are used on your website. For example:

filetype:sh OR filetype:bash

If you see URLs with an sh or bash extension, be paranoid. Check those first and disable them. Replace the scripts with something else, e.g. Perl or Python.

Next, you may want to add a custom signature to your NIPS to detect/stop potential exploits. Here is a quick Snort signature (taken from Volexity's website):

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Volex – Possible CVE-2014-6271 bash Vulnerability Requested (header)"; flow:established,to_server; content:"() {"; http_header; threshold:type limit, track by_src, count 1, seconds 120; sid:2014092401;)

Or grab the official Snort rules from Snort's website here
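To see what that rule actually does before you load it into a NIPS, here is an added example in Python (my own, not from the post, Volexity or Snort). It applies the rule's content match ("() {" in an HTTP request header) to a few constructed request-log lines and reproduces the semantics of the threshold clause (type limit, track by_src, count 1, seconds 120), so a scanner hammering the site produces one alert per source per two-minute window instead of one per request. The log format, the timestamps and the IP addresses are constructed for the example.

```python
import re
from datetime import datetime

# The Snort rule's content match is the literal "() {"; this regex also
# tolerates missing or extra whitespace between "()" and "{".
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Constructed sample request log, one header per line:
#   "<ISO timestamp> <client ip> <Header-Name>: <header value>"
# The addresses come from documentation ranges, not real hosts.
SAMPLE_LOG = [
    "2014-09-28T10:00:00 203.0.113.5 User-Agent: () { :; }; echo probe",
    "2014-09-28T10:00:30 203.0.113.5 Referer: () { :; }; echo probe",
    "2014-09-28T10:01:00 198.51.100.7 User-Agent: Mozilla/5.0 (X11; Linux x86_64)",
    "2014-09-28T10:03:00 203.0.113.5 Cookie: () { :; }; echo probe",
    "2014-09-28T10:03:10 198.51.100.7 User-Agent: (){ :; }; echo probe",
]


def parse_line(line):
    """Split one constructed log line into (timestamp, source ip, header text)."""
    ts, src, header = line.split(" ", 2)
    return datetime.fromisoformat(ts), src, header


def is_shellshock_probe(header):
    """True if the header value carries the "() {" function-definition prefix
    that vulnerable bash versions misparse when importing the environment."""
    return SHELLSHOCK_RE.search(header) is not None


class LimitThreshold:
    """Snort 'threshold:type limit, track by_src, count N, seconds S':
    alert on the first N matching events from a source inside an S-second
    window that opens at that source's first event, then stay silent until
    the window has expired."""

    def __init__(self, count=1, seconds=120):
        self.count = count
        self.seconds = seconds
        self._windows = {}  # src -> [window start, events seen in window]

    def should_alert(self, src, ts):
        window = self._windows.get(src)
        if window is None or (ts - window[0]).total_seconds() >= self.seconds:
            self._windows[src] = [ts, 1]  # open a fresh window for this source
            return 1 <= self.count
        window[1] += 1
        return window[1] <= self.count


def scan(lines, count=1, seconds=120):
    """Return (matches, alerts): every probe seen, and the subset that would
    actually be raised after per-source thresholding."""
    limiter = LimitThreshold(count, seconds)
    matches, alerts = [], []
    for line in lines:
        ts, src, header = parse_line(line)
        if not is_shellshock_probe(header):
            continue
        matches.append((src, header))
        if limiter.should_alert(src, ts):
            alerts.append((ts.isoformat(), src, header))
    return matches, alerts


if __name__ == "__main__":
    matches, alerts = scan(SAMPLE_LOG)
    print(f"{len(matches)} probes matched, {len(alerts)} alerts after thresholding")
    for ts, src, header in alerts:
        print(ts, src, header)
```

On the sample log, four headers match but only three alerts are raised: the second request from 203.0.113.5 lands 30 seconds into that source's window and is suppressed, while its request three minutes later opens a new window. Shortening the window (scan(SAMPLE_LOG, seconds=10)) makes every match alert, which is the trade-off the threshold clause exists to manage. Like the rule's http_header modifier, the example only looks at header values, so it says nothing about bash exposure via the request body or other protocols.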

Information security folks: If you play this game well, it could be another good business case for you to push for those legacy systems to be updated/upgraded!

Friday, August 8, 2014

BadUSB in the enterprise. Why you should not panic over it.

The hot topic of the past 2-3 weeks: BadUSB. Until yesterday, most talks and write-ups were just speculation as no details had been released.

Folks at had released more details during their Black Hat 2014 presentation yesterday. You may grab the slides on their website here

As the CISO or Information Security Professional responsible for ensuring security within your organisation, you have every right to be worried. The good news is, you can stop the panic mode now, if....

You don't allow admin rights to your users. 
To successfully attack a target machine, the attacker must have or gain access to a machine on which a user with admin privileges is logged in.

I find that WIBU Systems's alert explains it very well. Here is the excerpt:

"A BadUSB attack can be successfully accomplished only with logged-in users who have administrator privileges to their computer. In principle, the attack would also work for OS X and Linux; only the actual commands from the “keyboard” would be different."

Nowadays, most enterprise laptops/PCs are hardened and you rarely see users with admin rights anymore. Of course, there are exceptions (really? If you are the CISO, shame on you!).

Of course, there are still risks. But I would say the risk is low - if you have done the right things. 

Friday, June 27, 2014

Booting up evidence E01 image using free tools (FTK Imager & Virtualbox)

Being able to boot an acquired evidence image (hard drive) is always helpful for forensics and investigation. If you do a Google search, you will find that most methods or discussions refer to using VMware Workstation. As VMware Workstation is not free, that is not good news if you are on a low budget or do not have a licence at all.

Don't worry.... I will show you how you can boot an acquired E01 image using freely available tools.

What you will need:
1. FTK Imager 
2. VirtualBox and the VirtualBox Extension Pack
3. Admin rights (don't have them? You're joking, right???)

I'm not going to detail how you should install FTK Imager and VirtualBox.... those are really easy.

Here are the steps:
1. Open FTK Imager. Go to File -> Image Mounting.

2. Select the E01 image you want to mount.
a) Mount Type: Physical Only
b) Mount Method: Block Device / Writeable (I know what you are thinking.... do not worry about tampering with the evidence file. FTK Imager will create a cache file that temporarily stores all the "changes" you make)
c) Write Cache Folder: Take the default or point it to any folder that makes you happy :)

3. Click "Mount". You will see which physical drive the image is mapped to.

4. Create a new folder (for storing the virtual disk file later) e.g. c:\temp\
5. Open a command prompt as administrator. Go to c:\Program Files\Oracle\VirtualBox. Run the following command: vboxmanage internalcommands createrawvmdk -filename c:\temp\securityisfun.vmdk -rawdisk \\.\physicaldrive5

NOTE: Replace the path, the file name to be created and the physical drive number accordingly (use the drive FTK Imager reported in step 3).

6. Run VirtualBox as administrator. Create a new virtual machine matching the OS of the image, e.g. Windows XP or Windows 7.
a) RAM - set it to any amount you like. For me, normally I set it to 2GB
b) Hard Drive - point it to the virtual disk file you just created in step 5 above

7. Well, start the virtual machine. It should run now. 

8. In case you get a blue screen, which is not uncommon, try changing the HDD controller type, which is IDE by default, to SATA, SCSI or SAS. You can change this by editing the settings of the virtual machine:
a) Delete the existing HDD controller
b) Add a new controller, e.g. SATA
c) Add a new disk. Select "Choose an existing disk". Point it to the virtual disk file you created (e.g. securityisfun.vmdk)

9. If you still get the blue screen... this might be because Windows cannot see the drive. Try the following steps, which involve editing the registry to enable the SCSI and SAS drivers at boot:  
a) Unmount the image you mounted with FTK Imager
b) Mount the same image with FTK Imager, but now with the options: 
Mount Type: Physical & Logical
Drive Letter: Take the default
Mount Method: Block Device / Writable
c) You should see that the partitions of the image are now mounted and accessible
d) Run "regedit.exe" as administrator.
e) Expand "HKEY_LOCAL_MACHINE". 
f) Select "File, Load Hive". Point it to the SYSTEM hive of the Windows partition of your mounted image. For example, if the image's Windows partition is mounted by FTK Imager as K:, point it to K:\Windows\system32\config\SYSTEM
g) Enter any name when prompted, e.g. (sorry, a bit of marketing here :) ). You should now see an additional registry key with the name you typed.
h) Navigate to \ControlSet001\Services under the hive you just loaded
i) Look for "LSI_SCSI". Click on it and set the "Start" value to "0" (zero). Setting it to "0" means Windows will start/load this driver at boot time. Repeat the same for "LSI_SAS" and "LSI_SAS2". 
j) Select the hive you loaded once you finish editing. Select "File, Unload Hive". Click "Yes". Close regedit.
k) Now try to boot your virtual machine again. Try using different controllers, e.g. SAS, SATA, SCSI, if you are still getting the blue screen.

10. If you are still getting the blue screen despite doing all this........ two words for you - bad luck! At the moment, I don't have any other solutions or workarounds. I will update this blog post if I (ever) come across something new :) 

Have fun!

Tuesday, June 3, 2014

HiTB Haxpo AMS 2014 - My takeaway

Yup. That's my crew T-shirt from Hack in the Box Amsterdam 2014, now known as Haxpo. It was nice and fun meeting all the .MY and .NL folks again.

I have to admit, I feel the presented conference topics were not as exciting as last year's. However, the Haxpo (the part you can enter for free) was quite a success.

Nevertheless, there were a couple of interesting topics that caught my attention:

1. Cool idea - splitting Java exploits into multiple "innocent"-looking Java applets in order to avoid detection. Check out "Reloading Java Exploits: Long Live Old JRE!" by renowned security researcher (read: hacker) Luigi Auriemma.

2. Wanna fly for free? Check out "Exploiting Passbook to Fly for Free" by Anthony Hariton. This was the funniest presentation I have seen this year. Full of fun and laughs. NOTE: He did not confirm nor deny whether he did indeed perform the "test" personally :)

See y'all again next year folks!

Friday, April 11, 2014

Heartbleed - A picture that tells a thousand words

20140414 Update #2
The server's private key can be obtained. This is confirmed. See here.

Update #1:
Apparently the NSA KNEW about this years ago. Surprised? Not really...

Well explained. Picture taken from xkcd.

How bad is Heartbleed? Very bad. It affects not only HTTPS, but all other applications, servers, routers and firewalls that use OpenSSL.

We have heard all the bad news. But there is a little good news: retrieving private keys may not be that easy. This post explains it all. However, getting passwords is still easy if you are lucky (well, try a few times). There are a few websites you can use to check whether a website is vulnerable, but they don't give you the dumps. Here is the Python script that gives you the dump.
Tip: run it in debug mode.