Boston Security Meetup - 5/24/2014
Notes from Boston Security Meetup #2
Boston Security Meetup #2 was held on May 24, 2014, at Microsoft's New England Research and Development center in Cambridge, MA.
Questions Every Pentest Customer Should Ask
Ed Moyle, ISACA
Many customers don't have penetration testing experience, and they generally outsource that work. As a result, there tends to be an over-reliance on commercial tools. The quality of pen testers varies greatly.
Every pen testing customer should ask about the tester's methodology. Specific questions include (1) what the tester's methodology is, (2) how thorough is their test plan, and (3) is the tester knowledgeable about PCI 3.0.
There are industry-standard approaches for penetration testing. NIST SP800-115 is one common standard. PTES (the Penetration Testing Execution Manual) is another common example.
Ask to see the pen testers "Rules of Engagement" document.
What are the well-known problem areas on your industry (e.g., clinical networks in hospitals)? Some critical systems are easy to take down; be sure to have a conversation with your customer if you plan to attack one of these systems.
Ask your pen tester what kind of tools they're using. Are they completely reliant on commercial tools, or are they using a mix of commercial tools and custom code? Good pen testers use a mix of both.
Ask about the ratio of automated vs manual testing. Simple vulnerability scans are not the same thing as penetration testing. A penetration test should be a simulation of an actual attack, by a knowledgeable adversary. A vulnerability scan is an automated process of identifying vulnerabilities that might be exploitable. Vulnerability scans are the low-hanging fruit. Around 80% of real problems are found through manual testing, but manual testing is more expensive and resource intensive.
Ask your pen tester what other projects they've worked on. Ask what resources they're going to allocate to your testing project.
Question: Could you talk more about the difference between penetration
testing and vulnerability scanning?
Automated vulnerability scans look for open ports and running services. They often include brute force password attacks.
Question: What do you think about crowdsourcing vulnerability assessments?
I'm skeptical about this; I'd expect significant variation in the quality of crowdsourced tests. That said, I think crowdsourcing vulnerability research is a great thing.
Question: Some systems are designated "off limits". Is that good or bad?
You don't want your penetration tests to bring down a production system. However, a real attacker won't care about that. Everyone has a plan until they get punched in the face. Perhaps you could attack "off limit" systems during a restricted (off peak) time period, to minimize potential negative impact.
Question: Have you heard of Red Tiger?
Their whole business is testing industrial control and Scada systems.
Digital Certificates: Design Scalability and Organizational Impact
Jake McAleer, O'Connor & Drew, PC
Public Keys are used in asymmetric cryptography. With asymmetric cryptography, data is computationally easy to encrypt, and computationally difficult to decrypt (without the private key).
RFC 3447 spells out the the digital certificate world. It's derived from the ITU's X590 standard.
Certificates have to have specific fields, and a distinguished name. They're issued by a certificate authority (CA), with a serial number that's unique to that specific CA.
A CA signs certificates for zero or more intermediate CAs. This creates a signature chain, up to the CA's authoritative root certificate.
The CA Browser forum is a consortium that develops guidelines for issuing and managing certificates. There's also an annual auditing process for certificate authorities.
There are pre-defined and custom X509 certificate extensions.
If your certificate or private key are compromised, you'll undergo the process of certificate revocation. Different CAs have different processes for doing this. Certificates are revoked by adding their serial numbers to a certificate revocation list (CRL). CRLs grow over time, but entries can be removed once the certificates expire.
OSCP is the Online Certificate Status Protocol. OSCP allows you to do instant checks for certificate revocation. Unfortunately, OSCP checks aren't encrypted, and they're subject to man in the middle attacks. Also, a client's revocation check tells the OSCP server what web sites the client is visiting.
All web browsers notify users of expired certificates. Some browsers let you click through the expiration notice; others don't.
Heartbleed was a major headache for CAs. One CA reported 40 megabits of traffic, just from people downloading their certificate revocation list.
Best practice is to use a separate private key for each certificate. Keep your private keys locked down. Try to avoid putting them in source code repositories. Private keys should only be readable by processes that need to read them; use restrictive file permissions. Try to keep your private keys in non-default locations.
Periodically review who in your organization has the ability to log in to your CA and issue (or revoke) certificates. Review how your CA authenticates you.
In 2017, SHA-256 will become the standard X509 hash algorithm.
Avoid wildcard certificates. If your wildcard certificate is compromised, then all of your web sites are at risk. Avoid UC certs (certificates for multiple wildcard domains). Don't be lazy with your certificate management.
Extended Validation (EV) certificates aren't worth the extra money. End users don't know what they are, and don't pay attention to them. We've trained users to look for the little padlock.
Question: Could you DOS a CA with revocation requests?
Sure. You could DOS a CA to prevent people from downloading their CRL. Or, you can use social engineering to convince the CA that you're from Company X, and need to revoke one of Company X's certificates. As a safety measure, you can keep a backup certificate (from a different CA) on hand. If something happens to your "main" certificate, just deploy the backup.
Question: Are their any good reasons for using a UC certificate?
There are advantages and disadvantages to UC certificates. For example, if you need to remove a domain name, you'll need to have your UC certificate reissued.
Meta Cognition and Critical Thinking in Open Source Intelligence
Benjamin Brown, Akamai
Cognitive Bias (i.e., faulty heuristics) can lead to bad intelligence and inaccurate conclusions. Critical thinking allows you to identify cognitive biases.
OSINT, or Open Source Intelligence, is produced from publicly available information. The quality of publicly available information varies widely.
Examples of Cognitive Bias include patterns of subjective judgment, heuristics, and simplified strategies for processing information. With cognitive bias, you have an idea about what the outcome might be. You look for information that supports your hypothesis, and avoid information that doesn't support your hypothesis.
Selection bias is the "echo effect". A story is retold by different outlets, it changes over time, and you forget what the original source was.
Availability bias comes from anecdotal information that you hear from first-hand sources. When dealing with availability bias, always ask if there's censorship involved.
Disinformation is the spreading of false information. When disinformation is sprinkled with accurate information, it can be hard to distinguish the fake information from the accurate information.
Example: Reddit vs the Boston Bomber. After the Boston Marathon bombings, many people were looking at low-quality photos posted online. They were looking for people that "seemed agitated" or who "weren't looking at the race". This was bad information, but the media used it anyway.
There are Advanced Persistent threats ("APTs"). For example "OMG . . . China!". APTs often have some self-serving bias. For example, vendors who want to sell products, claiming that those products will protect you from APTs.
Metacognition is thinking about thinking. What do you think you know? Why do you think you know it? What would have to happen to make you change your mind?
Structured analytic techniques are diagnostic techniques. Diagnosticians check and analyze competing hypotheses.
Contrarian techniques include devil's advocate, and "what if" analysis.
Mobile Security for Everyone
Nabil Hannan, Cigital
Attack layers in the mobile threat model include services, physical devices, and apps.
Services. Many websites use your mobile phone number as authentication for a password reset. How many people know your mobile phone number?
XSS attacks work on mobile browsers, as well as desktop browsers.
Some services require a PIN to reset your password. A four-digit PIN is easily subject to a brute force attack.
Physical Devices. If an attacker gets possession of your device, game over. Most mobile management software can be bypassed on a jail-broken phone. iOS's keychain can be bypassed. Phones can be cloned. Cached data can contain sensitive information. iOS and Android are the worst offenders in this regard.
Applications. Lots of applications log data. Many mobile applications ignore problems with SSL certificates.
For example, there was a paid android application called Task Killer; it killed tasks on an Android phone. Someone took Task Killer, hacked it up, created a free version called Task Killer Pro. Task Killer pro wants access to many of your phones subsystems (contacts, GPS, etc). If an application's main purpose is to kill processes, why would it need access to these subsystems?
There are steps you can take to protect yourself. Don't trust unknown USB connectors (e.g., airport charging stations). Disable bluetooth. Review application permissions.
Mobile operating systems are very similar to desktop operating systems. All of the traditional desktop attack vectors can be used against mobile devices.
As a case study, let's look at an app called Clumsy Ninja. Clumsy Ninja wants access to your facebook and twitter accounts (to report your progress in the game). It also wants access to photos stored on your phone. The game isn't intended to be malicious, but it forces you to make security decisions.
Question: What's the most popular Android Malware?
There's a lot of mobile malware out there. I'm not sure what's most popular right now.
Enterprise Email Security Challenges
Gagan Praksah, Astra Identity
SMTP allows anyone to send email as anyone. How do you protect the reputation of your domain for outbound mail? How do you protect your employees from inbound mail?
In January 2014, several Boston University employees were phished. They had electronic payroll deposits stolen as a result of the phishing attack.
SPF (Sender Policy Framework) lists servers that are allowed to send mail on behalf of a given domain. In 2013, approximately 89% of domains used SPF records.
DKIM (Domain Keys Identified Email) is message signing at the server level.
SPF and DKIM permit the receiving server to check incoming mail. Receivers can discard messages from unauthorized sources, or messages with bad cryptographic signatures.
DMARC is Domain-Based Message Authentication, Reporting and Conformance. DMARC specifies handling for SPF and DKIM failures. DMARC allows senders to know who's trying to spoof them. It's a new standard, and it hasn't been widely adopted yet.
In Q1 2014, 66.3% of all email was spam. There's been a trend for groups to adopt hosted mail services. Last year, 50% of companies with 5,000 or more employees were spear phished.
Email filtering has always been a battle between false positives and false negatives.
Comment: A fun exercise is to conduct a phishing attack against your
own organization. This can help you to train employees.
Question: What channels are most common for spear phishing?
Email and water-holing are common channels. Water-holing is the tactic of adding malware to web sites that are popular within a given industry.
Question: Are are solutions that allow IT departments to pull out phishing messages?
This is a hard problem. Some software can take a piece of email and rewrite links, so that the links become redirects. This allows IT to block specific links.
Human Side of Data Protection
Dana Tannatt, Veronis Systems
Companies have lots of unstructured data. Some of this is generated by humans (e.g., emails, documents, presentations), and some of it is generated by software (e.g., logfiles).
Enterprises are responsible for protecting 80% of all data out there. There's a lot of opportunity to extract value from this data. We want to find intelligence around human-generated big data.
In addition to knowing what kind of data you have, you should know who has access, and what data people are accessing.
With lots of data, you can have lots of access control lists. In general, when you've got a lot of access control lists, there's a lot of overlap among lists.
Presenter goes on to pitch Veronis's metadata framework technology.
Leveraging Compliance to Raise the Bar on Security
Mike Lemire, Pearson Higher Education
Security practitioners are often seen as cost centers. How do we allow them to become profit centers?
In many industries, standards compliance is a requirement. Thus, compliance is an important business objective.
When companies look to outsource, they do third-party risk assessments. Compliance helps you in the area. Compliance can open business opportunities in new vertical markets. Good compliance and security depends on mature, repeatable processes within your organization.
Here's a small sampling of compliance regimes:
- SSAE-16 (formerly SAS-70). See http://aicpa.org/soc.
- SOC1 focuses on corporate controls and accounting.
- SOC2 focuses on security and privacy controls.
- Type 1 audits are a point-in-time audit of controls
- Type 2 audits are much more thorough. They typically cover 6-12 months and involve more comprehensive process testing.
The Cloud Security Alliance is an industry consortium. They've developed 140 key controls for cloud service providers. See https://cloudsecurityalliance.org/star/.
Bits are shared assessments developed by a banking industry consortium. It's a long list of controls, similar to ISO-27002, and an attempt to standardize how financial institutions do vendor risk assessments. See https://sharedassessments.org/.
HIPPA is a set of compliance laws developed by the US department of health and human services.
FISMA, the Federal Information Security Management Act, was developed by congress and NIST. It's a very tough set of controls.
FedRAMP, the Federal Risk and Authorization Management Program, is a FISMAlike process for cloud providers.
PCI is the payment card industry standard.
The CSA Cloud Matrix aligns controls for different compliance regimes.
Many compliance regimes require data retention policies.
When approaching a project, establish compliance objectives in alignment with business objectives. What markets are most important to you? What are customers in those markets looking for? Be sure your processes are auditable.
FISMA and DIACAP (Department of Defense Information Assurance Certification and Accreditation Process) apply to federal government.
NIST 800-53 is "Security and Privacy Controls for Federal Information Systems and Organizations".
How Dare You Molest the Sea
James O'Keefe, Massachusetts Pirate Party
- "How dare I molest the sea? How dare you molest the whole world! I molest the sea and you call me a pirate. You molest the world and they call you an emperor."
1650-1720 was the golden age of pirates. During this time, there really wasn't any democracy in the world. Instead, we had conflicts of empires.
According to the Pirate Code, every man has a vote in their own affairs. Pirates were paid according to shares, in a very egalitarian way. A crew member might have gotten one share, while a captain got two shares.
Threats to modern-day pirates:
- Extended copyright terms
- The small number of corporations controlling media, banking, and agriculture.
- Income growth in the top 1% and 0.1%.
- In 2012, the top 0.01% generated around 40% of all political contributions.
- Programs like Trap Wire, who's goal is to link up surveillance cameras all across the country.
- Lots of NSA programs, like PRISM, MARINA, and Quantum Theory.
What's our future? Younger folks are very concerned about privacy. P2P users tend to spend more money on music than non-P2P users. File sharing has hurt sales of recorded music, but it hasn't decreased overall music industry income.
Pirates are freedom fighters, who think culture is incremental, and who believe it should be shared.
Extending the network from the perspective of a rouge user and or device
Enyel Perez, Gray Cyber Security
Corporations spend a lot of money to defend themselves against external attacks. They spend very little defending themselves against internal attacks. Rogue users have a good understanding of technology, and they know what they're doing. They can cause plenty of damage.
When tracking down rogue users, your first task is to figure out what they're doing.
Avoid having unauthorized network equipment plugged in (e.g., a back door running on a Raspberry Pi, open wireless access points).
Network Access Controls such as Packet Fence, http://www.packetfence.org/, are valuable tools in controlling access to your network. Packet Fence keeps track of the MAC addresses that appear on your network, and it can notify you when new MAC addresses appear.
Examine your firewall logs.
Strategies for protecting yourself against rogue users: provide company-controlled wireless access points. Be sure these WAPs reside in your DMZ. By having companyprovided WAPs, you create less incentive for users to set up their own WAPs. Control the use of external storage devices. Run vulnerability scans. Where possible, use multi-factor authentication.
A "Rogue Device" is an unauthorized device that's connected to your network. Examples are unauthorized Wireless Access Points, and Raspberry Pis that route traffic between the internal network and the internet (Kali Linux is a popular distribution for doing this).
Common network configurations protect you from the outside, but not from the inside. In order to catch a thief, you must think like a thief.
Question: How long can a typical rogue device stay connected to a
corporate network?
It depends on how long it takes you to find the rogue device. Some devices are easy to physically conceal. Think Raspberry Pi taped to the bottom of a desk.
Comment: Network access control tools can be extremely effective, but they take a bit of work to implement.
Question: What about MAC addresses in virtual environments?
There's nothing inherently special about virtual environments. It's just another layer of administration, to assign MAC addresses to virtual machines.