Boston Security Meetup - 5/24/2014 - Revision history

SteveR at 13:13, 3 August 2014

2014-08-03T13:13:10Z

← Older revision		Revision as of 09:13, 3 August 2014
Line 479:		Line 479:
	just another layer of administration, to assign MAC addresses to		just another layer of administration, to assign MAC addresses to
	virtual machines.		virtual machines.

			[[Category: Notes]]

SteveR: /* Extending the network from the perspective of a rouge user and or device */

2014-07-08T01:45:39Z

Extending the network from the perspective of a rouge user and or device

← Older revision		Revision as of 21:45, 7 July 2014
Line 462:		Line 462:
	from the inside. In order to catch a thief, you must think like a		from the inside. In order to catch a thief, you must think like a
	thief.		thief.


	Question: How long can a typical rogue device stay connected to a		Question: How long can a typical rogue device stay connected to a

SteveR: /* Enterprise Email Security Challenges */

2014-07-08T01:45:23Z

Enterprise Email Security Challenges

← Older revision		Revision as of 21:45, 7 July 2014
Line 290:		Line 290:
	Email filtering has always been a battle between false positives and		Email filtering has always been a battle between false positives and
	false negatives.		false negatives.


	Comment: A fun exercise is to conduct a phishing attack against your		Comment: A fun exercise is to conduct a phishing attack against your
Line 306:		Line 307:
	rewrite links, so that the links become redirects. This allows IT to		rewrite links, so that the links become redirects. This allows IT to
	block specific links.		block specific links.


	== Human Side of Data Protection ==		== Human Side of Data Protection ==

SteveR: /* Mobile Security for Everyone */

2014-07-08T01:45:13Z

Mobile Security for Everyone

← Older revision		Revision as of 21:45, 7 July 2014
Line 249:		Line 249:
	your phone. The game isn't intended to be malicious, but it forces you		your phone. The game isn't intended to be malicious, but it forces you
	to make security decisions.		to make security decisions.


	Question: What's the most popular Android Malware?		Question: What's the most popular Android Malware?
Line 254:		Line 255:
	There's a lot of mobile malware out there. I'm not sure what's most		There's a lot of mobile malware out there. I'm not sure what's most
	popular right now.		popular right now.


	== Enterprise Email Security Challenges ==		== Enterprise Email Security Challenges ==

SteveR: /* Digital Certificates: Design Scalability and Organizational Impact */

2014-07-08T01:44:51Z

Digital Certificates: Design Scalability and Organizational Impact

← Older revision		Revision as of 21:44, 7 July 2014
Line 135:		Line 135:
	money. End users don't know what they are, and don't pay attention to		money. End users don't know what they are, and don't pay attention to
	them. We've trained users to look for the little padlock.		them. We've trained users to look for the little padlock.


	Question: Could you DOS a CA with revocation requests?		Question: Could you DOS a CA with revocation requests?
Line 150:		Line 151:
	example, if you need to remove a domain name, you'll need to have your		example, if you need to remove a domain name, you'll need to have your
	UC certificate reissued.		UC certificate reissued.


	== Meta Cognition and Critical Thinking in Open Source Intelligence ==		== Meta Cognition and Critical Thinking in Open Source Intelligence ==

SteveR: /* Questions Every Pentest Customer Should Ask */

2014-07-08T01:44:36Z

Questions Every Pentest Customer Should Ask

← Older revision		Revision as of 21:44, 7 July 2014
Line 31:		Line 31:
	completely reliant on commercial tools, or are they using a mix of		completely reliant on commercial tools, or are they using a mix of
	commercial tools and custom code? Good pen testers use a mix of both.		commercial tools and custom code? Good pen testers use a mix of both.


	Ask about the ratio of automated vs manual testing. Simple		Ask about the ratio of automated vs manual testing. Simple
Line 44:		Line 43:
	Ask your pen tester what other projects they've worked on. Ask what		Ask your pen tester what other projects they've worked on. Ask what
	resources they're going to allocate to your testing project.		resources they're going to allocate to your testing project.


	Question: Could you talk more about the difference between penetration		Question: Could you talk more about the difference between penetration
Line 70:		Line 70:

	Their whole business is testing industrial control and Scada systems.		Their whole business is testing industrial control and Scada systems.


	== Digital Certificates: Design Scalability and Organizational Impact ==		== Digital Certificates: Design Scalability and Organizational Impact ==

SteveR: initial revision

2014-07-08T01:43:54Z

initial revision

New page

= Notes from Boston Security Meetup #2 =

Boston Security Meetup #2 was held on May 24, 2014, at Microsoft's New England Research and Development center in Cambridge, MA.

== Questions Every Pentest Customer Should Ask ==

''Ed Moyle, ISACA''

Many customers don't have penetration testing experience, and they
generally outsource that work. As a result, there tends to be an
over-reliance on commercial tools. The quality of pen testers varies
greatly.

Every pen testing customer should ask about the tester's
methodology. Specific questions include (1) what the tester's
methodology is, (2) how thorough is their test plan, and (3) is the
tester knowledgeable about PCI 3.0.

There are industry-standard approaches for penetration testing. NIST
SP800-115 is one common standard. PTES (the Penetration Testing
Execution Manual) is another common example.

Ask to see the pen testers "Rules of Engagement" document.

What are the well-known problem areas on your industry (e.g., clinical
networks in hospitals)? Some critical systems are easy to take down;
be sure to have a conversation with your customer if you plan to
attack one of these systems.

Ask your pen tester what kind of tools they're using. Are they
completely reliant on commercial tools, or are they using a mix of
commercial tools and custom code? Good pen testers use a mix of both.

Ask about the ratio of automated vs manual testing. Simple
vulnerability scans are not the same thing as penetration testing. A
penetration test should be a simulation of an actual attack, by a
knowledgeable adversary. A vulnerability scan is an automated process
of identifying vulnerabilities that might be
exploitable. Vulnerability scans are the low-hanging fruit. Around 80%
of real problems are found through manual testing, but manual testing
is more expensive and resource intensive.

Ask your pen tester what other projects they've worked on. Ask what
resources they're going to allocate to your testing project.

Question: Could you talk more about the difference between penetration
testing and vulnerability scanning?

Automated vulnerability scans look for open ports and running
services. They often include brute force password attacks.

Question: What do you think about crowdsourcing vulnerability
assessments?

I'm skeptical about this; I'd expect significant variation in the
quality of crowdsourced tests. That said, I think crowdsourcing
vulnerability research is a great thing.

Question: Some systems are designated "off limits". Is that good or
bad?

You don't want your penetration tests to bring down a production
system. However, a real attacker won't care about that. Everyone has a
plan until they get punched in the face. Perhaps you could attack "off
limit" systems during a restricted (off peak) time period, to minimize
potential negative impact.

Question: Have you heard of Red Tiger?

Their whole business is testing industrial control and Scada systems.

== Digital Certificates: Design Scalability and Organizational Impact ==

''Jake McAleer, O'Connor & Drew, PC''

Public Keys are used in asymmetric cryptography. With asymmetric
cryptography, data is computationally easy to encrypt, and
computationally difficult to decrypt (without the private key).

RFC 3447 spells out the the digital certificate world. It's derived
from the ITU's X590 standard.

Certificates have to have specific fields, and a distinguished
name. They're issued by a certificate authority (CA), with a serial
number that's unique to that specific CA.

A CA signs certificates for zero or more intermediate CAs. This
creates a signature chain, up to the CA's authoritative root
certificate.

The CA Browser forum is a consortium that develops guidelines for
issuing and managing certificates. There's also an annual auditing
process for certificate authorities.

There are pre-defined and custom X509 certificate extensions.

If your certificate or private key are compromised, you'll undergo the
process of certificate revocation. Different CAs have different
processes for doing this. Certificates are revoked by adding their
serial numbers to a certificate revocation list (CRL). CRLs grow over
time, but entries can be removed once the certificates expire.

OSCP is the Online Certificate Status Protocol. OSCP allows you to do
instant checks for certificate revocation. Unfortunately, OSCP checks
aren't encrypted, and they're subject to man in the middle
attacks. Also, a client's revocation check tells the OSCP server what
web sites the client is visiting.

All web browsers notify users of expired certificates. Some browsers
let you click through the expiration notice; others don't.

Heartbleed was a major headache for CAs. One CA reported 40 megabits
of traffic, just from people downloading their certificate revocation
list.

Best practice is to use a separate private key for each
certificate. Keep your private keys locked down. Try to avoid putting
them in source code repositories. Private keys should only be readable
by processes that need to read them; use restrictive file
permissions. Try to keep your private keys in non-default locations.

Periodically review who in your organization has the ability to log in
to your CA and issue (or revoke) certificates. Review how your CA
authenticates you.

In 2017, SHA-256 will become the standard X509 hash algorithm.

Avoid wildcard certificates. If your wildcard certificate is
compromised, then all of your web sites are at risk. Avoid UC certs
(certificates for multiple wildcard domains). Don't be lazy with your
certificate management.

Extended Validation (EV) certificates aren't worth the extra
money. End users don't know what they are, and don't pay attention to
them. We've trained users to look for the little padlock.

Question: Could you DOS a CA with revocation requests?

Sure. You could DOS a CA to prevent people from downloading their
CRL. Or, you can use social engineering to convince the CA that you're
from Company X, and need to revoke one of Company X's certificates. As
a safety measure, you can keep a backup certificate (from a different
CA) on hand. If something happens to your "main" certificate, just
deploy the backup.

Question: Are their any good reasons for using a UC certificate?

There are advantages and disadvantages to UC certificates. For
example, if you need to remove a domain name, you'll need to have your
UC certificate reissued.

== Meta Cognition and Critical Thinking in Open Source Intelligence ==

''Benjamin Brown, Akamai''

Cognitive Bias (i.e., faulty heuristics) can lead to bad intelligence
and inaccurate conclusions. Critical thinking allows you to identify
cognitive biases.

OSINT, or Open Source Intelligence, is produced from publicly
available information. The quality of publicly available information
varies widely.

Examples of Cognitive Bias include patterns of subjective judgment,
heuristics, and simplified strategies for processing information. With
cognitive bias, you have an idea about what the outcome might be. You
look for information that supports your hypothesis, and avoid
information that doesn't support your hypothesis.

Selection bias is the "echo effect". A story is retold by different
outlets, it changes over time, and you forget what the original source
was.

Availability bias comes from anecdotal information that you hear from
first-hand sources. When dealing with availability bias, always ask if
there's censorship involved.

Disinformation is the spreading of false information. When
disinformation is sprinkled with accurate information, it can be hard
to distinguish the fake information from the accurate information.

Example: Reddit vs the Boston Bomber. After the Boston Marathon
bombings, many people were looking at low-quality photos posted
online. They were looking for people that "seemed agitated" or who
"weren't looking at the race". This was bad information, but the media
used it anyway.

There are Advanced Persistent threats ("APTs"). For example "OMG
. . . China!". APTs often have some self-serving bias. For example,
vendors who want to sell products, claiming that those products will
protect you from APTs.

Metacognition is thinking about thinking. What do you think you know?
Why do you think you know it? What would have to happen to make you
change your mind?

Structured analytic techniques are diagnostic
techniques. Diagnosticians check and analyze competing hypotheses.

Contrarian techniques include devil's advocate, and "what if"
analysis.

== Mobile Security for Everyone ==

''Nabil Hannan, Cigital''

Attack layers in the mobile threat model include services, physical
devices, and apps.

'''Services'''. Many websites use your mobile phone number as
authentication for a password reset. How many people know your mobile
phone number?

XSS attacks work on mobile browsers, as well as desktop browsers.

Some services require a PIN to reset your password. A four-digit PIN
is easily subject to a brute force attack.

'''Physical Devices'''. If an attacker gets possession of your device,
game over. Most mobile management software can be bypassed on a
jail-broken phone. iOS's keychain can be bypassed. Phones can be
cloned. Cached data can contain sensitive information. iOS and Android
are the worst offenders in this regard.

'''Applications'''. Lots of applications log data. Many mobile
applications ignore problems with SSL certificates.

For example, there was a paid android application called Task Killer;
it killed tasks on an Android phone. Someone took Task Killer, hacked
it up, created a free version called Task Killer Pro. Task Killer pro
wants access to many of your phones subsystems (contacts, GPS,
etc). If an application's main purpose is to kill processes, why would
it need access to these subsystems?

There are steps you can take to protect yourself. Don't trust unknown
USB connectors (e.g., airport charging stations). Disable
bluetooth. Review application permissions.

Mobile operating systems are very similar to desktop operating
systems. All of the traditional desktop attack vectors can be used
against mobile devices.

As a case study, let's look at an app called Clumsy Ninja. Clumsy
Ninja wants access to your facebook and twitter accounts (to report
your progress in the game). It also wants access to photos stored on
your phone. The game isn't intended to be malicious, but it forces you
to make security decisions.

Question: What's the most popular Android Malware?

There's a lot of mobile malware out there. I'm not sure what's most
popular right now.

== Enterprise Email Security Challenges ==

''Gagan Praksah, Astra Identity''

SMTP allows anyone to send email as anyone. How do you protect the
reputation of your domain for outbound mail? How do you protect your
employees from inbound mail?

In January 2014, several Boston University employees were
phished. They had electronic payroll deposits stolen as a result of
the phishing attack.

SPF (Sender Policy Framework) lists servers that are allowed to send
mail on behalf of a given domain. In 2013, approximately 89% of
domains used SPF records.

DKIM (Domain Keys Identified Email) is message signing at the server
level.

SPF and DKIM permit the receiving server to check incoming
mail. Receivers can discard messages from unauthorized sources, or
messages with bad cryptographic signatures.

DMARC is Domain-Based Message Authentication, Reporting and
Conformance. DMARC specifies handling for SPF and DKIM
failures. DMARC allows senders to know who's trying to spoof
them. It's a new standard, and it hasn't been widely adopted yet.

In Q1 2014, 66.3% of all email was spam. There's been a trend for
groups to adopt hosted mail services. Last year, 50% of companies with
5,000 or more employees were spear phished.

Email filtering has always been a battle between false positives and
false negatives.

Comment: A fun exercise is to conduct a phishing attack against your
own organization. This can help you to train employees.

Question: What channels are most common for spear phishing?

Email and water-holing are common channels. Water-holing is the tactic
of adding malware to web sites that are popular within a given
industry.

Question: Are are solutions that allow IT departments to pull out
phishing messages?

This is a hard problem. Some software can take a piece of email and
rewrite links, so that the links become redirects. This allows IT to
block specific links.

== Human Side of Data Protection ==

''Dana Tannatt, Veronis Systems''

Companies have lots of unstructured data. Some of this is generated by
humans (e.g., emails, documents, presentations), and some of it is
generated by software (e.g., logfiles).

Enterprises are responsible for protecting 80% of all data out
there. There's a lot of opportunity to extract value from this
data. We want to find intelligence around human-generated big data.

In addition to knowing what kind of data you have, you should know who
has access, and what data people are accessing.

With lots of data, you can have lots of access control lists. In
general, when you've got a lot of access control lists, there's a lot
of overlap among lists.

Presenter goes on to pitch Veronis's metadata framework technology.

== Leveraging Compliance to Raise the Bar on Security ==

''Mike Lemire, Pearson Higher Education''

Security practitioners are often seen as cost centers. How do we allow
them to become profit centers?

In many industries, standards compliance is a requirement. Thus,
compliance is an important business objective.

When companies look to outsource, they do third-party risk
assessments. Compliance helps you in the area. Compliance can open
business opportunities in new vertical markets. Good compliance and
security depends on mature, repeatable processes within your
organization.

Here's a small sampling of compliance regimes:

* SSAE-16 (formerly SAS-70). See http://aicpa.org/soc.
* SOC1 focuses on corporate controls and accounting.
* SOC2 focuses on security and privacy controls.
* Type 1 audits are a point-in-time audit of controls
* Type 2 audits are much more thorough. They typically cover 6-12 months and involve more comprehensive process testing.

The Cloud Security Alliance is an industry consortium. They've
developed 140 key controls for cloud service providers. See
https://cloudsecurityalliance.org/star/.

Bits are shared assessments developed by a banking industry
consortium. It's a long list of controls, similar to ISO-27002, and an
attempt to standardize how financial institutions do vendor risk
assessments. See https://sharedassessments.org/.

HIPPA is a set of compliance laws developed by the US department of
health and human services.

FISMA, the Federal Information Security Management Act, was developed
by congress and NIST. It's a very tough set of controls.

FedRAMP, the Federal Risk and Authorization Management Program, is a
FISMAlike process for cloud providers.

PCI is the payment card industry standard.

The CSA Cloud Matrix aligns controls for different compliance regimes.

Many compliance regimes require data retention policies.

When approaching a project, establish compliance objectives in
alignment with business objectives. What markets are most important to
you? What are customers in those markets looking for? Be sure your
processes are auditable.

FISMA and DIACAP (Department of Defense Information Assurance
Certification and Accreditation Process) apply to federal government.

NIST 800-53 is "Security and Privacy Controls for Federal Information
Systems and Organizations".

== How Dare You Molest the Sea ==

''James O'Keefe, Massachusetts Pirate Party''

: "How dare I molest the sea? How dare you molest the whole world! I molest the sea and you call me a pirate. You molest the world and they call you an emperor."

1650-1720 was the golden age of pirates. During this time, there
really wasn't any democracy in the world. Instead, we had conflicts of
empires.

According to the Pirate Code, every man has a vote in their own
affairs. Pirates were paid according to shares, in a very egalitarian
way. A crew member might have gotten one share, while a captain got
two shares.

Threats to modern-day pirates:

* Extended copyright terms
* The small number of corporations controlling media, banking, and agriculture.
* Income growth in the top 1% and 0.1%.
* In 2012, the top 0.01% generated around 40% of all political contributions.
* Programs like Trap Wire, who's goal is to link up surveillance cameras all across the country.
* Lots of NSA programs, like PRISM, MARINA, and Quantum Theory.

What's our future? Younger folks are very concerned about privacy. P2P
users tend to spend more money on music than non-P2P users. File
sharing has hurt sales of recorded music, but it hasn't decreased
overall music industry income.

Pirates are freedom fighters, who think culture is incremental, and
who believe it
should be shared.

== Extending the network from the perspective of a rouge user and or device ==

''Enyel Perez, Gray Cyber Security''

Corporations spend a lot of money to defend themselves against
external attacks. They spend very little defending themselves against
internal attacks. Rogue users have a good understanding of technology,
and they know what they're doing. They can cause plenty of damage.

When tracking down rogue users, your first task is to figure out what
they're doing.

Avoid having unauthorized network equipment plugged in (e.g., a back
door running on a Raspberry Pi, open wireless access points).

Network Access Controls such as Packet Fence,
http://www.packetfence.org/, are valuable tools in controlling access
to your network. Packet Fence keeps track of the MAC addresses that
appear on your network, and it can notify you when new MAC addresses
appear.

Examine your firewall logs.

Strategies for protecting yourself against rogue users: provide
company-controlled wireless access points. Be sure these WAPs reside
in your DMZ. By having companyprovided WAPs, you create less incentive
for users to set up their own WAPs. Control the use of external
storage devices. Run vulnerability scans. Where possible, use
multi-factor authentication.

A "Rogue Device" is an unauthorized device that's connected to your
network. Examples are unauthorized Wireless Access Points, and
Raspberry Pis that route traffic between the internal network and the
internet (Kali Linux is a popular distribution for doing this).

Common network configurations protect you from the outside, but not
from the inside. In order to catch a thief, you must think like a
thief.

Question: How long can a typical rogue device stay connected to a
corporate network?

It depends on how long it takes you to find the rogue device. Some
devices are easy to physically conceal. Think Raspberry Pi taped to
the bottom of a desk.

Comment: Network access control tools can be extremely effective, but
they take a bit of work to implement.

Question: What about MAC addresses in virtual environments?

There's nothing inherently special about virtual environments. It's
just another layer of administration, to assign MAC addresses to
virtual machines.