SSL And The Future Of Authenticity: A talk by Moxie Marlinspike

These lines are a subjective summary and collection of thoughts triggered by the presentation that Mr. Moxie Marlinspike, co-founder of the start-up whispersys (very recently acquired by Twitter), offered at Black Hat USA 2011. The title of this talk was SSL And The Future Of Authenticity. It is still available on YouTube (with more than 30000 views!). It is a security talk worth watching from both the content and the delivery viewpoints.

The beginning of the presentation is surprisingly not devoted to providing a long and boring bio of the presenter. Let's keep that in mind as a nice intro to a talk: Sharing an anecdote with the audience. They will pay more attention to that than to a long list of achievements. Human beings like stories, remember!

The first part of the presentation deals with the news of the Comodo hack. He recalls that more than a quarter of the Internet's certificates are Comodo's. And, after the hack, actually, nothing happened to Comodo. The cool point here is that Comodo published the IP address from which the attack was supposedly performed, and Moxie could identify the same IP address in his servers' logs, a day after the attack, trying to download his tool sslsniff. Moreover, the HTTP referrers that this IP address left in his logs did not hint at all that the attack on Comodo was a highly sophisticated State-sponsored one.

Anyway, the story of Comodo illustrates, according to Moxie, the problem we have today related to the use of SSL as a secure protocol to identify sites on the Internet. He mentions the 3 requirements that a protocol like that should have:
  • secrecy
  • integrity
  • authenticity (something that SSL does not really cater for)
Moxie refers to the inadequacy of SSL, designed in the 1990s, to solve our current challenges, with more than 2 million server certificates on the Internet and more than 600 certificate authorities out there. Worth mentioning is the SSL threat model from Ivan Ristic.

It is then when Moxie introduces the concept of trust agility, something that would enable users to shift trust much quicker than with the current SSL certs. Trust agility should:
  • be very easy to revise
  • let users decide where to place the trust
He then contrasts the highly centralised trust model proposed by DNSSEC with the highly decentralised trust model that certificates require. In a nutshell, that is the reason why he does not think that registrars, top level domain name administrators (e.g. Verisign) and country code domain name administrators will come to save us all. They all provide very reduced trust agility.

What does he propose then? He revives a Carnegie Mellon proposal called perspectives. It is based on checking that the certificate presented by the secure site is the same as the one held by an authority, the notary. These notaries will build a constellation of trust. However, perspectives will only validate the initial connection.

Based on perspectives, Moxie expands it and introduces convergence. Convergence includes a new (expandable) authentication protocol and provides a Firefox add-on. In convergence, the user initiates the communication to check the certificate and decides the level of trust given to each certificate. The added value that this initiative provides consists of:
  • no notary lag (local caching possibility)
  • no privacy issues (detaching the site name from the requester via a proxy - using notary bouncing)
The hiccups he identifies in the use of convergence are:
  • mega-sites using a hundred different ssl certs (they exist but they are rare)
  • captive portals (where a DNS query would help)
Finally, he poses two telling questions to the audience:
  • who do I have to trust and for how long?
  • a prescribed set of people, forever?
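
The notary check behind perspectives and convergence, as an added example (not code from the talk or from the Convergence project): the client hashes the certificate it was shown and accepts it only if a user-chosen quorum of notaries saw the same one. The Notary and TrustPolicy classes, the host name and the certificate bytes are assumptions made up for the illustration; the real protocol's messages and the notary bouncing are not modelled.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for DER-encoded certificates (not real certificates).
GENUINE_CERT = b"constructed DER bytes: certificate served by the real site"
ROGUE_CERT = b"constructed DER bytes: certificate injected on the client's path"
TARGET = "shop.example:443"  # hypothetical site


def fingerprint(cert_der):
    """SHA-256 fingerprint of the certificate exactly as it was presented."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class Notary:
    """Hypothetical notary: holds the fingerprint seen from its own vantage point."""
    name: str
    view: dict  # "host:port" -> fingerprint observed by this notary

    def observed(self, target):
        return self.view.get(target)  # None: this notary has no observation


@dataclass
class TrustPolicy:
    """The user's choice of notaries and quorum; both can be revised at any time."""
    notaries: list
    quorum: int
    cache: dict = field(default_factory=dict)  # target -> fingerprint already vetted

    def check(self, target, presented_der):
        """Return (accepted, reason) for the certificate the client was shown."""
        if self.quorum < 1 or self.quorum > len(self.notaries):
            raise ValueError("quorum must be between 1 and the number of notaries")
        seen = fingerprint(presented_der)
        if self.cache.get(target) == seen:
            return True, "cached"  # local caching: no notary round trip needed
        agreeing = [n.name for n in self.notaries if n.observed(target) == seen]
        if len(agreeing) >= self.quorum:
            self.cache[target] = seen
            return True, "agreed: " + ",".join(agreeing)
        # Fail closed: a certificate that only the client sees points to
        # interception somewhere on the client's own network path.
        return False, "only %d of %d notaries agree" % (len(agreeing), len(self.notaries))

    def drop_notary(self, name):
        """Trust agility: stop relying on a notary without involving any site."""
        self.notaries = [n for n in self.notaries if n.name != name]
        self.quorum = min(self.quorum, len(self.notaries))
        self.cache.clear()  # re-vet every site under the revised trust set


def build_policy():
    """Three notaries, one of which vouches for the rogue certificate."""
    good = fingerprint(GENUINE_CERT)
    return TrustPolicy(
        notaries=[
            Notary("notary-a", {TARGET: good}),
            Notary("notary-b", {TARGET: good}),
            Notary("notary-c", {TARGET: fingerprint(ROGUE_CERT)}),
        ],
        quorum=2,
    )


if __name__ == "__main__":
    policy = build_policy()
    for label, cert in (("genuine", GENUINE_CERT), ("rogue", ROGUE_CERT)):
        print(label, policy.check(TARGET, cert))
```

With a quorum of two, the single misbehaving notary cannot get the rogue certificate accepted, and the user can drop that notary without waiting for anyone else to act.
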
My 2 humble cents on this: I welcome initiatives such as perspectives and convergence. They clearly signpost the need for Internet-based economic activities to come up with something more resilient than our good old friend SSL. However, let's remember the example of the Betamax and VHS VCR systems, where the solution conquering the market was not the most technically viable option. We need more than a well-engineered proposal to conquer the secure site market, and sometimes we don't know where the tipping point is (or will be).

Enjoy the secure browsing!

Where does SSL lead us to?

Book review: Social Engineer - The art of human hacking by Chris Hadnagy


I wanted to post a personal review on a current social engineering reference book. Christopher Hadnagy's book, "the art of human hacking" deserves the label of reference book in the social engineering field.

I enjoyed reading the book. Those who listen to the social engineering podcast, in which the author takes part, will find in the book most of the topics dealt with in the first 20 something podcast episodes. This book is the written witness of the spirit present in the social-engineer podcast.

SE book highlights
In this post, I fly over, following a very personal route, the main ideas that the 9 chapters of this book contain. The book is easy to read. Every chapter conveys some summary points plus a brief summary at the end. This facilitates the identification of the learning points.

The lessons learnt are applicable in almost every aspect of our lives. By no means does this summary aim to replace the reading of the book. On the contrary, this is a book I recommend reading, not only to information security professionals, but also to anyone interested in knowing how human beings tick. This book is a valuable tool when modelling human behaviour. Actually, if there is intelligent life in outer space and they need to liaise with humans, this is one of the books that they need to read so that they can understand humans.

chapter 1 - introduction to social engineering
This first chapter describes the different types of social engineers. Interesting point: governments are also social engineering actors.

chapter 2 - information gathering
Chapter 2 mentions information gathering tools like BasKet and Dradis. There are also two telling examples, the USB example mixed with an encounter in a cafe and the stamp collector story. Some points that I highlight are the following:
  • Their message that everyone can have, and does have, a different personal reality is interesting (page 44).
  • Most of the time people want to help (page 52).

chapter 3 - elicitation
Elicitation is non-threatening and it is very successful (page 58). It is eye-opening to know that a simple light conversation is all it takes to get some of the best information out of many people (page 58). This chapter mentions the intricacies of elicitation, such as how preloading the target with info or ideas on how we want them to react to certain info is a good start (page 62). They mention an example related to "how to convince your partner to go for dinner to a steak house" (page 62). It is worth reading. Would that really work?

A basic way of elicitation is to start a conversation with "I would like to tell you a really funny story" (page 63). 

The author also mentions the concept of preloading. From a social engineering (SE) viewpoint, "preloading involves knowing your goals before you start". Expressing a mutual interest is more powerful than appealing to someone's ego: another important learning point (page 67). More information on elicitation can be found in the social-engineer.org site.

Some of the elicitation techniques that the book mentions are:
  • Appealing to one's ego.
  • Expression of mutual interest.
  • Deliberate false statements.
  • Volunteering information.
  • Assumed knowledge.
  • The effects of alcohol (not a different technique but equally effective).
  • Open ended questions, what do you think of the weather today?

Let's define some concepts that the book presents:
  • Elicitation is the process of extracting information from something or someone. Read the definition on the social-engineer.org site.
  • Pretexting is the act of creating an invented scenario to persuade a targeted victim to release information or perform some action.
  • Preloading is influencing subjects before the event. Think about a movie's pre-release trailers. They use desired outcome words such as “The best film you have ever seen!” This technique works great when introducing anything. Preloading is a component of a social engineer attack.

Some of the techniques the author mentions are:
  • Use open-ended questions to obtain detailed information (page 70).
  • Closed-ended questions are appropriate to lead the target to a goal (page 72).
  • Asking people a leading question in order to manipulate their memory (page 73).
  • Assumptive questions - you need knowledge beforehand, so they need to be used with care (page 73).

chapter 4 - pretexting 
The ideas mentioned around pretexting, i.e. creating the background story that makes up the character you will be for the social engineering audit, revolve around these points:
  • On the Internet you can be anyone you want to be. 
  • Create a scenario where people are comfortable with providing information they would normally not provide. 
  • Practice makes a good pretext.
  • Self-confidence is always related to a situation.
  • Cognitive dissonance: People have the tendency to seek consistency among beliefs, opinions and cognitions.
  • Dialect - you need to master the right pretexting dialect - at least spend some time listening to people in public talking to each other.
  • Playing it back later (from the recorder) is recommendable.
  • Use an outline script.
  • Use sounds from e.g. thrivingoffice.com
  • Do not try to make the pretext elaborate
  • Keep yourself within the legal arena

chapter 5 - mind tricks
According to this chapter, we need to identify the target's dominant way of thinking. The author refers to Dr. Paul Ekman. He showed that emotions are universal across cultures and biological backgrounds. He worked with basic emotions through the microexpressions that show those emotions. However, these skilled people could show those microexpressions in a different time.

This chapter mentions a possible way to overcome the client's reluctance to communicate: We need to identify whether they are a fan of sight, hearing or feeling (the site www.examiner.com is mentioned as a source of info).

We also need to try to identify deception by identifying contradiction, hesitation and changes in behaviour and hand gestures. Some of the NLP language patterns to influence change on interlocutors have to do with the voice tone (site mentioned: planetnlp.com).

There is also a general recommendation to watch for a group of signs and not only one sign to determine the baseline of our interlocutor. A set of leads on which we have to focus are microexpressions, body language cues, changes in verb tense and person use. An example of anchoring is linking a statement of a like kind with a certain gesture.

A valuable fact: People retain less than 50% of what they hear. As smart interlocutors, we need to react to the message, not to the person. For example, a way to state something could be "it sounds to me like you are" rather than using "you are" alone.

While practicing all these techniques, we need to develop a genuine interest and let the other person talk about herself until she gets bored of it. Let's remember that people's fundamental needs are:
  • Love/connecting
  • Power/significance
  • Freedom/responsibility
  • Fun/learning
  • The effect of young star photos
  • Breathe at the same pace as your target
  • People like people who are like themselves
  • Human buffer overflow = law of expectation + mental padding + embedded roles 

chapter 6 - influence: The power of perception
This chapter mentions concepts such as "kill them (verbally) with kindness", scarcity and concessions and again that simply asking the target a question can lead to amazing results. We can manipulate attention through the use of scarcity. Let's remember that people are driven to desire that which is hard to obtain.

Chapter 6 lists these types of authority:
  • Legal authority.
  • Organisational authority.
  • Social authority (in western countries, clothing, cars and titles).
The author also describes the value of commitment and consistency with actions (e.g. people are more prone to help you when you leave a bag unattended if you previously ask someone to look after it) and some additional ideas such as:
  • Liking (people like people who like them).
  • People need to be liked, they change their behaviour to be liked by others.
  • Good-looking people succeed more than not good-looking people.
  • Humans attribute more good traits and skills to good-looking people.

chapter 7 - the tools of the social engineer
We can read about lock picking, intelligence gathering using public sources, tools like Maltego, SET and password profilers.

chapter 8 - case studies: Dissecting the social engineer 
This chapter provides a valuable set of examples coming from the author and from Mr Mitnick himself.


chapter 9 - prevention and mitigation 
The bottom line: prevention and mitigation mean creating a personal security awareness culture, developing scripts and being aware of the criticality of the information you are dealing with.

Happy social engineering!
Congratulations Mr Hadnagy!



Hardening a wireless DSL router

Prevent someone else from using your wireless DSL router

Most homes in developed countries use a home wireless DSL router to connect to the Internet. Remember that, in an increasing number of countries, the owner of the router is legally responsible for the data coming in and out of that home network to the Internet. Avoid ending up in an unwanted legal case by preventing an intruder from using your DSL router (and your Internet connection) to commit any illegal action. Make your DSL router relatively secure with the following preventive (and a final one, detective) security measures:

- Change the private IP address that the router has by default. How many routers come with 192.168.1.1 or with 10.0.0.1? Please, let your router be other than 192.168.1.1.

- Change the default IP addressing schema of your home LAN (cable or wireless). There is no obligation to always use 192.168.1.x or 10.0.0.x. As long as it is a private IP address (see RFC 1918), dare to try e.g. 172.16.x.x.

- Limit the MAC addresses that can connect to your router. Find out the MAC addresses of all the gadgets that connect to your wireless LAN and input them into your router's MAC ACL.

- Use WPA2 with a long password, you can get it for example here.

- Make the admin interface only available to your internal LAN (avoid making it available through the Internet). Easy way to check this: Find out your public IP address (e.g. using myipaddress), try to reach that public IP address and the admin web page.

- Are you a hardliner? Then disable the DHCP server in your router. Add the IP address, routing gateway (your router) and DNS servers in each of your wireless clients manually. Use different DNS servers on each of the gadgets (so that no single DNS server gets a complete idea of your browsing behaviour).

These measures follow a defense-in-depth approach. None of them constitutes a silver bullet, but the entire set of measures is a valid starting point.

If you would like to check your router's threat exposure to the Internet:
- Find your public IP address here.
- Install nmap in your box and launch the following two lines:

$ sudo nmap -sT -n -v -T4 -O -p- --reason yourpublicaddress
$ sudo nmap -sV -n -v -T4 -O -p <open ports coming out from first command> yourpublicaddress


The nmap command line usage help can be found here.
- Limit the services you offer to the Internet.
Nmap should produce an output similar to this one:
All 65535 scanned ports on are filtered because of 65350 no-responses and 185 host-unreaches. Too many fingerprints match this host to give specific OS details.

If the result shows some open ports, identified by the -sV option as UPnP, review the expert view of the admin interface in your router. It is probable that you allow some firmware update or push service provision coming from your ISP, or a specific server app. Just check that it corresponds to your needs (e.g. a VPN server, a file server... or maybe nothing is published to the Internet).
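
One way to turn that review into a repeatable check, as an added example that is not part of the original post: it reads nmap's grepable output and lists every open port that is not on a list of services you meant to publish. It assumes the scan was re-run with nmap's -oG option; the sample scan lines, the 203.0.113.7 documentation address and the ALLOWED list are constructed for the illustration.

```python
import re

# Constructed sample in nmap's grepable (-oG) format, not real scan output.
# 203.0.113.7 is a documentation address standing in for "yourpublicaddress".
SAMPLE_SCAN = (
    "# constructed sample\n"
    "Host: 203.0.113.7 ()\tStatus: Up\n"
    "Host: 203.0.113.7 ()\tPorts: 443/open/tcp//https///, "
    "1900/open/tcp//upnp///, 8080/filtered/tcp//http-proxy///"
    "\tIgnored State: filtered (65532)\n"
)
# A router that answers nothing: only the status line is reported.
SAMPLE_FILTERED = "Host: 203.0.113.7 ()\tStatus: Up\n"

# Services the owner decided to publish (assumption for this example).
ALLOWED = {(443, "tcp")}


def parse_grepable(text):
    """Yield one dict per port entry found in 'Host: ... Ports: ...' lines."""
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines start with '#'
        fields = line.split("\t")
        host = fields[0].split()[1]
        for fld in fields[1:]:
            if not fld.startswith("Ports:"):
                continue
            # Each entry reads port/state/proto/owner/service/rpc/version/
            for entry in re.split(r",\s*(?=\d+/)", fld[len("Ports:"):].strip()):
                parts = entry.split("/")
                if len(parts) < 7 or not parts[0].isdigit():
                    continue  # ignore anything that is not a well-formed entry
                yield {
                    "host": host,
                    "port": int(parts[0]),
                    "state": parts[1],
                    "proto": parts[2],
                    "service": parts[4],
                    "version": parts[6],
                }


def unexpected_exposure(text, allowed):
    """Open ports reachable from the Internet that are not on the allowlist."""
    return sorted(
        (e["port"], e["proto"], e["service"])
        for e in parse_grepable(text)
        if e["state"] == "open" and (e["port"], e["proto"]) not in allowed
    )


if __name__ == "__main__":
    for port, proto, service in unexpected_exposure(SAMPLE_SCAN, ALLOWED):
        print("review in the router admin interface: %d/%s (%s)" % (port, proto, service))
```
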
Finally, a detective measure: Check your router's logs frequently. Most routers can send their logs regularly to an email address. Use this feature. It is priceless to identify abnormal uses.

Happy scanning and happy secure home DSL router!
p.s. The "--reason" is a suggestion coming from a network jedi ;-)

Avoid misuses of your DSL router while you are on the beach
Additional measure (inspired by a comment left by an anonymous reader)
Broadcast (but as little as you need ;-)
Scan the wireless networks that surround your place, choose a wireless channel that is not used, or at least very little used. This will enable you to decrease the level of energy used by your wireless router when broadcasting its signal. 
Fine tune the energy level so that the wireless signal is almost constrained to your place. This will definitely make a wireless attack on your network a little bit more "physically challenging". Here are some command line tips to scan the wireless spectrum using aircrack-ng from a Linux box.

$ sudo apt-get install aircrack-ng
Information on aircrack-ng installation can be found here
Disconnect from your wireless network (keep the wireless driver working though)
$ sudo airmon-ng start wlan0
airmon will tell you the name of a wireless interface that can be used to scan (it will normally be mon0)
$ sudo airmon-ng start mon0
$ sudo airodump-ng mon0
and you will get a real-time list of active wireless networks (including channel numbers)

Thanks to the anonymous reader!

Hacking: The next generation by Dhanjani, Rios and Hardin - Book review

The following is a brief [and biased] review of the pages of Hacking: The Next Generation. In one sentence, I would recommend it to an IT student thinking of getting closer to security as a first-time security flavour.  

Disclaimer: These lines do not substitute the reading of the book. They are meant to provide a global overview of what the reader can find in the book. My kudos to the authors, writing a book is always a big effort. And an even greater effort if the book talks about a changing target such as IT security.

The authors: Nitesh Dhanjani, Billy Rios, Brett Hardin. 
Publication year:  August 2009.
Publisher: O'Reilly Media.



Chapter 1 Intelligence gathering: peering through the windows to your organization
The first chapter gives some actual tips on social engineering and intelligence gathering. They mention the Google Hacking Database and the Search Engine Assessment Tool and the usefulness of metadata and social networks to collect information for a future attack. Tools like theHarvester.py and metagoofil.py are also mentioned. Syntax in Google such as resume filetype:doc "current projects" and even the simple use of public Google calendars can also render nice results.

Chapter 2 inside-out attacks: the attacker is the insider
This chapter proposes an easy path to understand how currently an external threat becomes an internal one thanks to threat vectors such as xss and xsrf. After reading this chapter, you will not use the remember password functionality in a browser.
Flash and Java are also mentioned. Another learning point in this chapter is that we should only share documents we trust with people we trust. Difficult task!

Chapter 3 The way it works: There is no patch
A varied chapter. It starts with the traditional description of the insecurities of telnet and ftp, both clear-text protocols. They also mention tools such as wireshark and a little python script named goog-mail.py to carve out email addresses. The authors also suggest the use of a password brute-force attacker tool such as hydra and John the ripper. 

This chapter also deals with session hijacking using tools such as hunt (to hijack clear-text TCP-based sessions). The fact that they are using private IP addresses sometimes makes some examples a little less realistic. On this topic, I miss a reference to the need to have a network card in promiscuous mode, also when we are trying to hijack sessions in a wireless network.

A basic description of SMTP snooping (with mail snarf) and spoofing is also part of this chapter. They finalise the chapter describing ARP poisoning with tools such as Cain&Abel and DNS Cache snooping with cache_snoop.pl.

Chapter 4 Blended threats: When applications exploit each other
The helicopter-view summary of this chapter is brief. Exploits currently constitute what the authors name blended threats, i.e. creating a big threat vector out of the combination, or better said, chaining, of several harmless-looking vulnerabilities.

The key concept to understand is the application protocol handler: a way for two applications to interact using the operating system. They provide examples both in Windows and Mac OS. 

Finally, the most flashy example of blended threats, conficker, with 9 million infected machines as of January 2009.

Chapter 5 Cloud insecurity: sharing the cloud with your enemy
This chapter presents the differences between cloud services offered by Amazon (based on what they call AMI - Amazon Machine Images) and Google (based on the Google App Engine). It is an eye-opener in the sense that insecurity now has a new meaning if we think of cloud services.

They apply common sense and present the two most visible vulnerability vectors, i.e. misconfigured virtual machines and insecure management consoles.

Finally, they also present real vulnerabilities, already solved, (based on CSRF) that the authors discovered in Amazon Web Services.

Chapter 6 Abusing mobile devices: targeting our mobile workforce
These pages deal with ways to compromise corporate networks and information without ever even connecting to the corporate network. The key resides in the threats targeted at mobile workforces.

The first basic step to attack a corporate mobile force: spoof the MAC address of the attacking laptop. The second step: use a mix of common sense and social engineering. Tools such as Burp Intruder and Cain & Abel are certainly also useful: the first one to defeat easy entry portals and the second one to get credentials used in services that do not use SSL permanently.

The authors also present man-in-the-middle attacks (although they don't mention it, they refer to ettercap-style attacks) and how easily users double click on any certificate warning appearing in their browsers.

The chapter ends with some words on metasploit, voicemail tapping and exploiting physical access to mobile devices.

Chapter 7 Infiltrating the phishing underground: learning from online criminals?
These pages deal with a real threat to our society and economy, i.e. cybercrime and, more specifically, phishing (on page 177 I think there is a typo: when they refer to foreign companies, they really mean foreign countries). Some interesting facts they mention:
- phishing sites have a time to live (TTL) of just a few hours.
- www.phishtank.com publishes the URLs of phishing sites that are online. Very interesting for demo purposes!
- often an insecurely configured server becomes a phishing site for different phishers.
- all these points show the importance of securely configuring any web server running on the Internet

The authors also mention a very useful tool for web testing, burp proxy and a skill that good phishers have: they know how to use different elements present on the Internet for their evil purposes (and they try to phish other phishers by inserting backdoors!).

They also talk about a phishing toolkit called the loot, offering phishing kits for many institutions, and about some phishing lingo such as "ReZultT" and "fullz" (all information required to steal someone's identity).

Chapter 8 Influencing your victims: do what we tell you, please
This chapter refers to human hacking. Rather than targeting a web application, sometimes accessing someone's calendar or eavesdropping a conference call (by knowing the conference ID) provide juicy information more easily.

The authors also mention the importance of social networks in current hacking trends. For example, they created a fake identity in LinkedIn, or rather, they stole someone's identity and in several minutes this identity had received 82 incoming requests to be part of their network.

They also mention the evilness of the "forgot your password?" questions that some sites use to authenticate users, especially when complemented by facebook or linkedin information.

They complete this chapter with sentiment analysis based on tools such as Yahoo!Pipes, sites like wefeelfine.org and concepts such as a word cloud.

Chapter 9: Hacking executives: can your CEO spot a targeted attack?
This is the flashiest chapter. Easy to read and really implementable. The authors talk about how to construct personalised attacks, with little effort, against executives based on network analysis (note that network here is a set of acquaintances and not cables and switches). Why attacking executives? They are normally the most informed members of the organisation.

They mention two main motives: financial gains and vengeance. Regarding how to monetise an attack, the authors mention that it is more profitable to try to sell the information to the company that actually owned it rather than trying to go to the competitor.

Information gathering using public sites and social networks is the first step in the attack. The input gathered helps to identify the executive's trusted circle and, especially, those with the most influence over the executive. A little but interesting detail: family members will probably not be in that trusted circle. Another one: sending the attack to the executive's assistant provides promising results given the trust existing between both players.

The authors also mention useful sites such as www.tweetstats.com, namechk.com, the Python script titled theharvester and the enticing USB data stealer named USB switchblade.

Chapter 10 Case studies: different perspectives
In this last chapter they present two case studies. The first one clearly shows the need to disable old accounts and to control who joins a teleconference. The second one stresses the importance of hardening ssh servers, the need not to publish IT information related to a company on the Internet and the beauty of XSS based exploits.

Happy next generation hacking reading!

Guest post: 7 Reasons to Monitor Internet Usage

7 Reasons to Monitor Internet Usage

Monitoring internet usage is a popular issue for companies that use the internet irrespective of their size. There are various and valid reasons why a business should monitor internet usage. In this article we’ll discuss some of them and the benefits of doing so:

1. Security – Perhaps the most important reason for internet usage monitoring is to ensure data transferred to and from the internet does not contain malicious code or malware. This type of monitoring can protect your organization from potentially destructive malware infections and Trojan infections that could compromise the company’s intellectual property.

2. Productivity – While there are advantages in allowing people access to the internet, even if this means occasional periods of browsing for personal reasons, monitoring is essential to prevent excessive use by employees. Proper internet usage monitoring and control can work in an organization’s favor if usage is maintained at a level that promotes productivity, rather than a situation that results in multiple incidents of cyberslacking and unacceptable levels of internet usage.

3. Costs – Internet connectivity is not free; bandwidth costs money and there are additional costs if something goes wrong. If an organization monitors Internet usage these costs can be mitigated, proactively reducing unnecessary bandwidth usage and improving the security of internal networks.

4. Confidentiality – Giving employees access to use the internet also opens a door through which confidential information can be leaked, lost or stolen. Adequate monitoring of internet usage can prevent information theft – both intentional and accidental.

5. Legal Liability – There are many ways how an individual can use the internet to commit crime – from infringing on someone else’s intellectual property to actual hacking attempts. Monitor internet usage to prevent and identify such events as they occur and you’ll be able to stop them before they trigger a legal response.

6. Forensics – Monitoring also allows an organization to effectively investigate incidents. If an employee breaches company policy by engaging in prohibited internet activities, you will need the evidence to back up your position. If a workstation is compromised due to inappropriate internet usage, you will want to know what websites were accessed and led to that workstation being compromised. This information can be used to identify areas that needed increased security measures.

7. Reputation – Proper internet monitoring will help an organization to keep its reputation intact and prevent an employee’s actions from causing harm to the company through malware infections or illegal activity.

Each of the above points is strongly interlinked and together they provide a robust and valid argument in favor of monitoring internet usage – each point merits equal attention and consideration. Monitor internet usage properly and efficiently to ensure your organization never suffers a fallout due to web threats. Prevention is always better than the cure.

This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Read more on how to monitor internet usage.


Monitoring filters complexity

Avoid arp poisoning in your LAN

In Linux, rudimentary but effective:

Here are some quick measures to make ARP spoofing in a shared LAN a little bit more difficult. Note, however, that these measures will not protect you from firesheep (cookie-based mechanism to steal non-https sites' credentials).

1. Stop the ARP protocol from constantly asking for the MAC address of your router. Add the following line (without the leading # prompt) to the /etc/rc.local file:
# arp -s ipaddressofyourrouter macaddressofyourrouter
This way, this entry will be permanently stored in the ARP cache.

2. Create an alert with arpwatch using e.g. the following line:
# arpwatch -d -i yourinterface
The arp database will reside in /var/lib/arpwatch/arp.dat

3. A way to check that there are then fewer ARP probes on the network is
# tcpdump -i yourinterface -n -v arp

If you change your router, remember to change your rc.local file accordingly.
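
A check that complements the three steps above, as an added example that is not part of the original post: it reads the kernel's ARP table in the /proc/net/arp layout and reports when the router's entry is not the pinned one, is not static, or when one MAC address answers for several IP addresses. The addresses and both sample tables are constructed; the finding names are made up for the illustration.

```python
ATF_COM = 0x02   # Linux ARP flag: entry is complete (a MAC address is known)
ATF_PERM = 0x04  # Linux ARP flag: entry is permanent, e.g. added with "arp -s"

GATEWAY_IP = "192.168.7.1"        # constructed stand-in for ipaddressofyourrouter
PINNED_MAC = "02:00:5e:10:00:01"  # constructed stand-in for macaddressofyourrouter

HEADER = "IP address       HW type     Flags       HW address            Mask     Device\n"
# Constructed table after step 1: the router entry is static (flags 0x6).
TABLE_PINNED = HEADER + (
    "192.168.7.1      0x1         0x6         02:00:5e:10:00:01     *        wlan0\n"
    "192.168.7.23     0x1         0x2         02:00:5e:10:00:17     *        wlan0\n"
)
# Constructed table without the static entry, while another host answers
# for the router's IP address; the last row is an incomplete entry.
TABLE_POISONED = HEADER + (
    "192.168.7.1      0x1         0x2         02:00:5e:10:00:17     *        wlan0\n"
    "192.168.7.23     0x1         0x2         02:00:5e:10:00:17     *        wlan0\n"
    "192.168.7.40     0x1         0x0         00:00:00:00:00:00     *        wlan0\n"
)


def parse_arp_table(text):
    """Parse the six-column /proc/net/arp layout, skipping the header line."""
    entries = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) != 6:
            continue
        ip, _hw_type, flags, mac, _mask, dev = cols
        entries.append({"ip": ip, "flags": int(flags, 16), "mac": mac.lower(), "dev": dev})
    return entries


def audit(text, gateway_ip, pinned_mac):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    entries = [e for e in parse_arp_table(text) if e["flags"] & ATF_COM]
    gateway = next((e for e in entries if e["ip"] == gateway_ip), None)
    if gateway is None:
        findings.append("gateway-missing")
    else:
        if gateway["mac"] != pinned_mac.lower():
            findings.append("gateway-mac-mismatch")
        if not gateway["flags"] & ATF_PERM:
            findings.append("gateway-not-static")  # rc.local line not applied
    # One MAC answering for several IPs is a lead to investigate, not proof:
    # a host with several addresses on one interface looks the same.
    owners = {}
    for e in entries:
        owners.setdefault(e["mac"], set()).add(e["ip"])
    for mac, ips in sorted(owners.items()):
        if len(ips) > 1:
            findings.append("duplicate-mac:" + mac + ":" + ",".join(sorted(ips)))
    return findings


if __name__ == "__main__":
    for name, table in (("pinned", TABLE_PINNED), ("poisoned", TABLE_POISONED)):
        print(name, audit(table, GATEWAY_IP, PINNED_MAC) or "ok")
```

On a live Linux box the same audit can be fed the contents of /proc/net/arp instead of the sample tables.
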

In Windows, a nice tool is the one from irongeek called decaffeinatid.

This is not bulletproof but it saves you from the typical arp poisoning attack. If any reader would like to add any additional idea to this topic, please comment.

Happy browsing in a shared network ;-)!

Avoid ARP poisoning

Note to a comment: Arpon is a useful tool for this purpose. Besides, Arpon 2.7 was just released last July. Be aware that, according to the Arpon site, "it requires a daemon in every host of the connection".

The Value of Vulnerability Assessments

With this out of sequence post we start a series of guest contributions. In these days of complexity in our everyday business of IT security, it is advisable to remember the foundations to protect your boxes from known threats. Here are 7 down-to-Earth tips to secure your servers:

Do you know how your server measures up to potential threats? If you haven't performed a vulnerability assessment on your servers yet, you may not be aware of issues that may leave you exposed to hackers and web-based attacks. A vulnerability assessment is the process of inventorying systems to check for possible security problems, and is an important part of system management and administration.

Vulnerabilities are weaknesses within a server or network that can be exploited in order to gain unauthorized access to a system, usually with the intention of performing malicious activities. The most common way to address many software-related vulnerabilities is through patches, which will usually be provided by the software manufacturer to correct security weaknesses or other bugs within a program.

However, there may be times when a patch is not available to address a possible security hole, and not all vulnerabilities are software-related to where a patch would be offered. This is where the concept of vulnerability assessments comes into play. Minimizing the attack surface and the effect that a potential hacking attempt could have on your system is a proactive way of effectively managing a server network.

Protecting your data vault
While there is no 100% way to protect your servers against vulnerabilities, in performing a vulnerability assessment there are some steps you can take to minimize your risk:

Close unused ports
Ideally, your server network setup should include at least a network firewall and a server-level firewall to block undesired traffic. Undesired traffic would include traffic to ports that are unused or that correspond with services that shouldn't be publicly-available. These ports should be blocked in your firewall(s).

Don't over-share
If servers on your network are set up to share files with others, or to access network shares (such as file servers and other resources), make sure that those shares are configured to only allow access as appropriate. Hosts that don't participate in sharing resources should have that capability turned off completely.

Stop unnecessary services
The more services you have on your server, especially those that listen on network ports, the more avenues a hacker has to get into your system. This is especially true if you have services running that aren't being monitored or used, and therefore are unmaintained. Stop services that are not in use or necessary, and restrict access to others that are not intended for public access.

Remove unnecessary applications
Many operating systems come with a wide set of programs that may not be necessary for normal server operations. Find out what software is installed on your system, and then determine which of those applications are not necessary and remove them.

Change your passwords
Using default vendor passwords is more common than you may think – but since those passwords are usually publicly-known, they are often the first ones used during hacking attempts. Secure passwords should always be used in favor of the vendor defaults, and industry experts recommend changing them every 30-60 days.

Do some research
When software or new applications are installed, users often neglect the time needed to review their settings to ensure that everything is up to par with modern security standards. Take some time to research what you are installing and any security implications that it may have, including what features may be enabled that could introduce security problems, and what settings need to be adjusted.

Encrypt when possible
Many services and network hardware have the capability of encrypting traffic, which decreases the likelihood of information being “sniffed” out of your network. When transmitting sensitive data, such as passwords, always use an encrypted connection.

Regular vulnerability assessment is a vital part of maintaining system security. Not only will it help diminish the success or possible effects of malicious activity against your servers, but it's also a requirement for many modern compliance standards such as PCI DSS, HIPAA, SOX, GLB/GLBA, and other regulatory standards.
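
The "Close unused ports" and "Stop unnecessary services" tips can be checked against what a server is actually listening on. The following shell function is an added example, not part of the guest post: it reads `ss -H -tln` output and reports every TCP listener that is reachable from the network and whose port is not on an allowlist. The function name, the allowlist and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag network-reachable TCP listeners that are not on an allowlist.
# Live use: ss -H -tln | audit_listeners "22 443"

audit_listeners() {
    awk -v allow="$1" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        $1 == "LISTEN" {
            # Column 4 is Local Address:Port; the port follows the last colon
            k = split($4, part, ":")
            port = part[k]
            addr = substr($4, 1, length($4) - length(port) - 1)
            # Loopback-only listeners are not exposed to the network
            if (addr ~ /^127\./ || addr == "[::1]") next
            if (!(port in ok)) {
                print "UNEXPECTED " addr " port " port; bad++
            }
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample in the format printed by: ss -H -tln
sample_ss() {
    cat <<'EOF'
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      511        127.0.0.1:6379       0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*
LISTEN 0      4096         0.0.0.0:111        0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*
LISTEN 0      50                 *:8009             *:*
EOF
}

# Demo: only SSH and HTTPS are expected on this constructed host.
sample_ss | audit_listeners "22 443" || echo "review the listeners above"
```

Each reported listener is a candidate for a firewall rule, a loopback-only bind, or stopping the service.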

This guest post was provided by Vanessa Vasile on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. More information: GFI vulnerability assessment.



SQL injection - Attacks and defense by Justin Clarke et al. - Book review

This book was published by Syngress in 2009. It was the book of the year in 2009 for Richard Bejtlich in taosecurity. It has ten authors, the main one is Justin Clarke.

In my eyes, this is an obligatory reference book for everyone testing web applications using a database (most of them, BTW) today (and in the last 10 years!).

The book is broken down into 10 chapters - Let's go one by one:

Chapter 1 - What is SQL injection?
A generic introduction to the topic of the book. A slightly confusing chapter. I would recommend re-reading it at the end. The reader will then have more than one eureka moment.

Chapter 2 - Testing for SQL injection
This chapter wears the "hacker's hat" and shows how to find SQL injection samples in a web application connected to a database. This is a nice intro to the rest of the book. It provides useful tips about displayed SQL errors in MS SQL server, MySQL and Oracle. One of the coolest points of this book is the collection of tools that most of the chapters offer at their end. This is also the case for chapter 2. Worth mentioning, mainly because it is a free tool (and a very good one!) is the Paros Proxy.

Chapter 3 - Reviewing code for SQL injection
This chapter wears the "developer's hat" and shows how to follow user data (they use the nice term "tainted data") through lines of PHP, Java and C# code. The end of the chapter mentions some source code analysis tools like YASCA or the MS Source Code Analyzer for SQL Injection.

Chapter 4 - Exploiting SQL injection
These pages show the deep foundations of this art, with steps such as identifying the database, extracting data through UNION statements, using conditional statements, enumerating the database schema, escalating privileges, stealing password hashes, out-of-band communication and finally, they present some tools to automate SQL injection exploitation such as sqlmap and bobcat.

Chapter 5 - Blind SQL injection exploitation
This chapter wears the "advanced hacker/detective's hat". Using time-based, binary search, bit-by-bit inference and response-based techniques, they present ways to infer knowledge out of the interaction with a database. They also mention some tools such as Absinthe, Sqlninja and Squeeza.

Chapter 6 - Exploiting the operating system
Normally a database is an application software residing on top of an operating system. In this chapter, they keep on wearing the "advanced hacker/detective's hat" and present ways to read and write files and execute OS commands.

Chapter 7 - Advanced topics
Richard Bejtlich finds it funny that in this "advanced & technical" book the authors have inserted a chapter for "even more" advanced topics. I agree with him. Whatever our views are, this chapter describes ways to evade input filters, to exploit second-order SQL injection and to use hybrid attacks.

Chapter 8 - Code-level defenses
This is the chapter that "developers" should read without any doubt. The key to avoiding SQL injection attacks is to code all access to the database using customised parameters that are out of the users' reach. The authors propose a series of recommendations to validate input and to encode output.

Chapter 9 - Platform-level defenses
Together with excellent coding practices, there are some measures, related to the operating platform, that we can take to avoid SQL injection. These are, for example, using web application firewalls, web server filters, IDSs and securing the database itself.

Chapter 10 - This chapter is the chapter every "white hat hacker" should have at hand when assessing a web app connected to a database. It is a great reference of SQL commands and SQL injection tweaks for SQL Server, MySQL, Oracle, PostgreSQL and even DB2. If you need to select only one chapter, focus on this one.

You can also read Richard's reference to this book in Amazon.

All in all, a book worth its price; keep it as a web app pen test reference book! Thanks to the authors for this nice work. And also a special mention to the one who merged and composed the input from 10 different authors into a single book.

Happy reading!

Brian Snow on Information Security in a malicious environment

Risk-based security is incredibly popular in information security nowadays. However, this is not the only way. I listened to episode 191 of the Risky Business Podcast. In that episode, Patrick Gray interviews Brian Snow, former NSA director. He provides some experience-based thoughts on probabilistic risk assessment (PRA) and proposes alternative approaches in Infosec:

About PRA:
- Useful in scenarios with benign players (e.g. when Nature is the threat agent)
- Useful when there is enough good solid statistical information in the form of distribution curves and failure rates.
- The problem comes when trying to mitigate:
a. high impact risks with very very low probability or
b. a handful of low probability events with low impact that, if all of them happen in concert, the impact is huge.
- Probabilistic risk assessment does not take malice into consideration. When malice comes into play, distribution curves do not matter.
- Attackers do not use PRA as their main methodology to select targets (I would add, they choose their targets based on their relevance - benefit to risk ratio - and potential economic or mental benefit).
- PRA works well for reliability in a benign environment.

Thinking outside PRA (e.g in product security)

Designing security:
- Economic terms help i.e. let's design a system that is cheaper to create than the effort to attack it (this takes even decades!).
- How much (money) can the attacker devote to hit us?
- Forget studying the probability of malice-based acts, get some people in your security team thinking like the opponent. Look for the malice.
- Commercial product creators are not taught to counter malice.
- Military principles e.g. simple interfaces are required when you counter malice.
- It takes time to design security (quick time to market is not possible).
- Will the product work under attack? This is a key question to answer.

Practising security
- Have a holistic attack team, at design time, to systematically attack the product.
- 3 recommendations:
a. Make sure that you study the interactions among the different scenario dimensions and players. Pay more attention to the interactions.
b. Once you are under attack, whom can you call for help? Look for partnerships (especially intelligence sharing) in the industry arena, even among competitors (e.g. CERTs already do that).
c. Have some attack scenarios that you exercise yourself (even at design time). Think in advance and try to prepare yourself against them already at design time.

Food for thought. Enjoy and digest it!
Happy June!

Black Hat Europe 2011 Keynote by Bruce Schneier

The following lines constitute a subjective summary and/or collection of thoughts triggered by the keynote that Mr. Bruce Schneier offered at Black Hat Europe 2011. The title of the keynote was cyberwar. An exciting word that nowadays reaches TV channels, radios and newspapers around the globe.

- At war, it is always important to know who is at war and why. In the cyber world, these two w-questions usually have no answer.
- The word war is paradoxical: In real wars, media try to avoid the word. However, media often use the word war in a rhetorical manner (the war on terror, the war against poverty, etc.).
- The Internet kill switch idea opens a new threat vector i.e. what about that switch falling into wrong hands?
- Regarding targeted attacks, if a company or individual is targeted, it will eventually be compromised. No doubt. It is only a matter of time and effort.
- Even though international treaties are sometimes of doubtful effectiveness, they could bring good to the cyberspace.
- In a nutshell, the current attacks on the Internet increasingly show war-related tactics, strategies and methods. Hence the hype around the word cyberwar.

Some additional thoughts:
- Skype is not eavesdropping-friendly.
- Commercial companies deal with risk only up to the value of their business. This is the reason why States need to bear residual risks if they can affect citizens (e.g. risk borne by critical infrastructures).
- Human beings fear human attackers the most, then animal attackers and finally natural threats.
- Human beings fear invisible threats much more than those visible ones (personal note: this can be the reason why nuclear energy is so much feared).

And finally, a title... "dishonest minorities", his forthcoming book!

The video of the keynote is available at the Black Hat Archives site (not always available) and also on YouTube.
Happy viewing!

Enchanting... also in IT security

Intro
A new excellent guest on the Entrepreneurial Thought Leaders Lecture Series - Guy Kawasaki - I recommend viewing the video or, at least, listening to the podcast. The following paragraphs are a personal summary of the ideas presented by Mr Kawasaki. My proposal is to have the IT security world in mind when reading this text and to think how much (or how little) of all this we already do (or can do).

He presented some recommendations on how to be enchanting. He used the 10-point format so that the audience knows when the presentation ends. He mentioned that normally CxOs go long and they are boring when they present. Sometimes, in security conferences, I wish the presenter could be both specific and entertaining.

Tips for the art of enchantment
First, you need to be likeable. For this: improve your smile, using the muscles that surround your eyes and certainly the jaw muscles; dress for a tie with your audience, i.e. match their level of elegance; and have a great handshake, because first impressions are important.

Second, after likeability, the next step is trustworthiness. For that, I highlight these points:
- If you can't do something, find someone who could do it for you better.
- Don't ask someone something you would not do yourself.
- Empower people to do tasks.
- Don't micromanage.
- Provide people with a high purpose.

How to enchant as a leader
Provide your people with a MAP:
- Mastery: The possibility to learn and excel on the things they do.
- Autonomy: The chance to perform tasks themselves.
- A higher purpose.

- Any company needs first to trust their people (employees, customers) and then they will trust the company.
- There are 2 kinds of people, eaters and bakers, the first ones see situations as zero sum games, the bakers see ways to get bigger and more pies for everyone.
- If you would like to enchant, then default to yes, think how you can help that person.

How to enchant with your products
Your products need to be DICEE:
- deep
- intelligent
- complete
- elegant
- empowering

- Your message needs to be short, sweet and "swallowable".
- Important point, present in many thought leaders today, tell a story, why did you start your company, your plan, your adventure?


- Before failing, consider you have failed and conduct a pre-mortem analysis, that way everyone around a product can speak freely and with less emotional load.
- Plant many seeds to obtain your critical mass.
- Use simple and understandable features, salient points, to sell your product.
- Discover who the influencers are. Most of the time, the influencers are not the executives. Executives are very high on the ladder. The air is thinner high on the ladder. Thin air is not good for intelligence.
- Forget the use of money with your customers, it brings complexity and lack of veracity.
- Sharing and glory, people don't do it for money

Invoke reciprocation
More than answering a "thank you" with a "you are welcome", tell them "I know you would do the same thing for me". This way, you tell them that you have class and ...that they owe you. 

Enchanting up
Do what managers tell you to do: create a quick prototype, come back quickly to show them whether you are on the right track, show them problems early and, preferably, propose a way forward.

Final thoughts
- In every presentation, customise the intro with local photos, sell your dream when you speak, use 10 slides for 20 minutes and a 30-point font.
- Eliminate complexity.
- Answer within 24 hours.
- Use social networking, don't leave it only for when you have spare time.

Do you enchant while doing your job in IT security?
Happy enchantment!

Jack Dorsey: Running a business idea - applicable to IT security?

What does this post have to do with security? Well, we will soon see. Stanford University's entrepreneurship corner is one of those reasons why the Internet is, even just for this, a great invention. From our screen at home or from our smartphone or mp3 player, we have access to lectures given by current entrepreneurs.

One of the latest lectures is the one given by Jack Dorsey, creator of twitter and square. I took note of some learning points, maybe subjective, out of his talk.

They are brilliant points to consider when creating a start-up within the IT security world. Do not forget them!
  • "Instrument" your company from day 1. The first thing he did in square (and not in twitter) is writing an admin control panel for their servers.
  • Be a story teller. You need to inspire your team and your customers with a story, your idea.
  • In the company, you act as the editor, composing the stories.
  • The team you build is not permanent, different players will need to enter and exit according to their profiles, the current story and the "required edition".
  • Internal communication: Everyone in the company will have the same priorities.
  • External communication: You communicate with the product, your product is "your story for your customers".
  • Money in the bank: The company needs it, firstly from investors and secondly, and more critical, from revenue.
  • Limit the number of details. Those details that stay need to be perfect.
  • A last sentence from his side: "expect the unexpected and, whenever possible, be the unexpected".
If you see value in these points, then listen to the entire podcast or watch the lecture.

Happy listening!

ps Thanks to the Stanford's Entrepreneurial Thought Leaders Seminar crew!


Social-engineer.org crew interviews communication expert Joe Navarro

The episode number 14 of the Social Engineer podcast features an interview with the author and expert in non-verbal communications, Joe Navarro. This is a post with learning points extracted from listening to his interview.

Disclaimer: These lines do not substitute the listening of the interview. The statements mentioned are close to literal or slightly summarised or just a subjective interpretation. Kudos to the social-engineer.org crew!

Minute 17: Immigrants in a country using a different language than their mother tongue need to be sensitive to body language and observe carefully.

Minute 18: Babies mimic gestures since their third week of life.

Minute 19: Eleven-month-old babies look for mood clues coming from their mothers.

Minute 20: Blue is a soothing colour. Blue is predominant on TV.

Minute 22: When we see something beautiful, our pupils dilate. When we see something ugly, our pupils contract. Our limbic system controls this.

Minute 31: A good observer focuses not only on the face but on the entire body. It is more difficult to lie when there is space among our fingers and we show our thumb.

Minute 36 and 37: People talking while looking in the same direction are more relaxed than people talking facing each other. People facing each other create tension when talking.

Minute 41: You can calm someone down just by exhaling in front of them (they will mirror you).

Minute 47: A biographer of Kennedy mentioned that you can get anyone, anywhere, at any time, to talk to you; you just have to tell them that you treasure their opinion.

Minute 55: The meaning of words: People in their fifties like to talk about problems, people in their thirties talk about issues. People like to talk with people like them.

Minute 66: When performing social engineering, assess whether the person does look comfortable to you.

Minute 66: In the US, the amount of time one should look someone else in the eyes is 1.8 seconds.

Minute 68: Arch your eyebrows when you greet someone. When arching the eyebrows, we burn sugar. We only burn sugar when we care. Babies respond to this action already when they are a week old.

Minute 70: If you show space between your fingers, you are confident of what you are saying.

Minute 72: Some tips on using body language with your children.

Happy interview listening!

Pauldotcom crew interview Brian Krebs - They talk about digital fraud

The pauldotcom crew interviews Brian Krebs in episode 219 (part 1) of their podcast. This is a post with learning points extracted from the interview.

Disclaimer: These lines do not substitute the listening of the interview. The statements mentioned are close to literal or slightly summarised or just a subjective interpretation. Kudos to the pauldotcom crew!

Minute 8: Brian's IT network was taken over by the lion worm.

Minute 10: People start in security because either they were hacked or they were hacking and decided to change sides and go to the more difficult defence.

Minute 14: He writes about topics that are news to him. This way, they will also be news to everybody else.

Minute 18: A lot of the bad guys have multiple identities in different fora. Most of them specialise on a specific topic and they outsource the rest. [...] They are somehow open since they need to be reachable by their clientele.

Minute 21: Outsourcing in cybercrime is a constant. Even testing services to assess outsourced tasks are outsourced.

Minute 24-26: Ukraine is one of the main sources of attacks, even more than Russia: very technically savvy individuals with very low payslips in legal jobs.

Minute 32: A lot of people buy spam-announced pharmaceutical products.

Minute 34: Their prescription runs out, suddenly they see those announcements and they buy them. The medicine seems to work and it is a third of the real price. However, there is no guarantee that the medicine has the same quality every time [also from minute 44].

Minute 36: Some of those cheap medicines are made in China or India.

Minute 37: Usually those sites ship a pack of "Viasgra" for free with any other medicine ordered.

Minute 39-40: Rogue pharmacy is the driver of fraud on Internet nowadays. Although it is probably not the most lucrative business.

Minute 41: The most lucrative business in cybercrime is stealing from a corporate bank account through a piece of malware sent to someone in the organisation.

Minute 41: Changing your online banking credentials regularly is hardly done nowadays. This is why stolen credentials are still valid months after.

Minute 48: Gas station card skimming is currently over the top as a real business.

Minute 50: ATM skimming figures - average skimmer scam takes around USD 60000 (not confirmed figure).

Minute 52: Gift card fraud is huge. However, given the high margins gift cards have, sellers tolerate it.

Minute 66: We need to clearly explain to people the consequences of not caring about security.

Minute 67: (Unfortunately) Only life-threatening factors will make people security-conscious.

Minute 73: Brian Krebs is reachable for any anonymous security news anyone would like to share with the public.

Happy reading/listening!
Happy new year 2011!