Blog « IT Security Geeks

Personal Risk

The concept of risk has been an important one for me to consider in this industry. It is important to think of risk not just as “a thing that could happen” but as how likely said thing is to actually happen. We all do this subconsciously on a daily basis, if this weren’t the case then we would be perpetually paranoid and terrified about sudden tectonic shift or meteor strikes. In reality we are blasé about these dangers since we understand that the actual risk of such an event happening is tiny. The fact that we are largely powerless to do anything about such events may also play a part in this carefree attitude.

But what about the things we can control? Most of us are smart enough to look each way before crossing a road as we understand that not checking for cars will greatly increase the risk of being hit. Auto-mobiles are a technology that we have long grown accustomed to and few are blasé about the dangers and consequences of high speed collisions. Smart phones, on the other hand, have been around for a fair few years now and it seems that most people still don’t think to check whether or not their phone’s settings are causing any photos or videos they may take to be automatically uploaded onto a “cloud” storage server. Once that happens, once potentially deeply personal files exist on two systems as opposed to one, then the risk of them being stolen by malicious hackers effectively just doubled.

When discussing the matter of personal security with peers in a social setting I have found that a lax attitude is the norm. Common phrases are “What are the odds?”, “I’m not interesting enough to be targeted” or it’s immensely frustrating cousin “I’ve got nothing to hide”. How can someone know this if they don’t know what a hypothetical attacker is looking for? As we continue to embrace more and more technology into our daily lives and entwine it so tightly with social media then, as a whole, we really need to start thinking differently on these topics.

The odds really aren’t very good for us and it does sometimes seem to me that the reason many people think that they are, is because their heads are stuck ten years in the past as far as their awareness of attack methods go. Many a person has proudly announced to me that they don’t have any viruses because they have a firewall and they don’t click on suspicious emails and they don’t go on “dodgy” pornographic websites. This underlines a worrying lack of understanding when so many believe that their traffic management system is an infallible security measure. While the occasional and incredibly obvious scam email still does the rounds there are more advanced and complex phishing methods now, especially with the “rise of the app”. And the idea that only porn sites could be potential vectors for infection is very much an old fashioned one. Just the other day Malwarebytes announced via blog post that the Mail Online site was hit by an exploit that could infect vulnerable systems with ransomware. This is a website that boasts 156 million visits per month. There are so many attacks happening, all the time, and if you never think about your tech’s security, then the chances are you’re going to get hit or that you already have been.

-JG


Filed under: ITSG,News,Phishing,Social Media

An Obfuscating Furore

When something goes wrong, it is common for those affected and those responsible to play the blame game, often to place the responsibility on any doorstep but their own. Last week, as the result of Chinese app developers using a counterfeit version of Xcode now dubbed “Xcode Ghost”, a number of malware-infected apps (currently believed to be in the region of 300) made it past Apple’s vaunted review process and onto their App Store. As the dust settles and the situation is now believed to have been brought under control, many are now pointing fingers as to who or what allowed this to happen.

Some background; Xcode is Apple’s own suite of development tools for iOS and OS X, it is freely available to developers for download and use. A large number of Chinese app developers were duped into downloading and using a version of Xcode from an unverified source. This version, the afore-mentioned “Xcode Ghost”, was embedded with malicious code that could then perform a number of functions. Primarily it was found that the code could upload device and app information to a command and control server, however it was later discovered to also be capable of phishing user credentials; hijacking and opening specific URLs; reading and writing data to and from a user’s clipboard. Also, debated by some, it is believed to be capable of phishing for iCloud passwords. All quite scary stuff for the end user. But can any one party be blamed and made responsible for this?

Apple have long prided themselves on the security and quality control of their App Store. Certainly, this is the largest influx of malware infected apps ever to make it past their system of checks. It is also very difficult to protect against the unprecedented. How can you put measures in place to guard against an angle previously unconsidered? While many would say that this leaves Apple with egg on their face and a dent in their reputation, it would be hard to accuse them of neglect or carelessness.

The developers who were duped by the counterfeit Xcode Ghost must surely bear some of the brunt? Apple’s Gatekeeper software is shown to have thrown up warning flags regarding the use of the maliciously modified software, warnings that the developers would had to have deliberately ignored to proceed in using the tool for their work. This could be seen as very naive, but why was this fake version ever able to make it into their hands in the first place?

In answer to that, some point to the Chinese government’s stringent Internet restrictions, their “Great Firewall”. As a result of this, cross border downloads such as those from Apple’s official store, can take a very long time to complete. Apple software, particularly Xcode, is notorious for how long downloads can take even in Western countries. Because of this it appears that many Chinese developers chose to try and obtain Xcode from quicker, unofficial sources. This is how hackers were able to trick so many developers into downloading and utilising Xcode Ghost.

Amongst all of this there has been little discussion of who created Xcode Ghost. Who was it who set these wheels in motion, who was their target and what were they aiming to achieve? The consensus at present seems to simply be “Chinese hackers”. The basis for this assumption appears to be the fact that it was Chinese developers who were tricked into crafting the malware infected apps. The apps affected were those most popular in China, leaving them with the majority of affected users, though that is not to say that users globally were not also affected.

The truth is that there is simply not enough evidence to make any valid accusation of culprits at this point in time. What is concerning as is often the case when the blame game is played, is that too few seem to be asking the right questions. How can the stolen data be used, to what end and who benefits the most from it? With these angles considered it seems increasingly less clear that simple “criminal hackers” are behind this attack. Maybe such speculation at this stage is pointless and focus should instead be on prevention; never the less, it is our opinion that uncovering the true source and intent of Xcode Ghost would allow pre-emptive prevention, instead of just re-active measures. By keeping a close eye on further developments and seeing how any stolen data gets used, we may yet get some clues as to the purpose and origin of this attack on China.


Security Serious

We’re proud to be a sponsor of Security Serious and we’re looking forward to meeting people from various businesses across the UK who are choosing to take security more seriously.

If you’re going to be in London on the 26th October, get in touch and let’s meet up.


Filed under: ITSG,News

New LinkedIn Phishing e-mail

So today we received the following phish at one of our honeypot e-mail addresses.

Screen Shot 2014-09-16 at 18.41.02

As you can see, it looks legitimate, however the URL doesn’t resolve to linkedin.com, it resolves to http://hungryhorsechapel.com/removed/for/obvious/reasons.php

It appears Hungry Horse Chapel have been compromised, IT Security Geeks have reached out to the teams at Horse Chappel and LinkedIn, and are hoping to hear back soon. We will post updates here as and when we have them.


Filed under: Hacked,News,Phishing

The dangers of pre-installing Java on corporate laptops

For the last couple of weeks all the IT security news headlines have revolved around the OpenSSL Heartbleed vulnerability (CVE-2014-0160), so we’ve decided to write about something completely different to keep things interesting.

For years now, we have been advising clients that it is good practice to have secure laptop, desktop and server builds across their estates. This allows for a baseline of each Operating System that gets deployed and also means that your network and system administrators have a high level of control as to what software is installed across the estate. This does mean that more time will need to be spent upfront making sure that these Operating System builds are both functional and secure for the end users, but the rewards for doing this considerably decrease the overall risk to your organization. When using an Active Directory domain, it is also highly recommended to lock down the Operating System builds even further by using Group Policy Objects (GPO’s.)

Our team were recently asked to conduct a penetration test for one of our clients, with the scope being a web based problem ticketing system. We were issued a corporate laptop to allow us to familiarize ourselves with the application, to read internal documentation and the relevant processes and procedures around it. This was to allow the team to perform a complete end-to-end security review for the client. The laptop was also configured with VPN access, allowing the team to work remotely from our offices.

The laptop was running Windows 7 and had been locked down, preventing us from installing any standard programs onto it (such as various penetration testing tools.) The laptop also did not come with Local Administrative rights configured (thankfully,) and we were only given standard user privileges. To add to the layers of protection around the client’s internal infrastructure, all connections to the Internet had to go through the internal corporate proxy server.

One thing that our team discovered is that the corporate laptop included Java within the build. The internal corporate proxy server was configured to block downloads of Windows executable files and installers (.exe’s and .msi’s,) however, downloading of Java applications (.jar files) was allowed. Thanks to this, the team were able to run a web application proxy on this laptop. This in turn lead to our team being able to perform the full penetration test of the application, all from the client’s corporate laptop.

During the penetration test, the team discovered that the application was vulnerable to numerous high-risk web application vulnerabilities, however, this really is the least of our client’s worries at this point. We never increased the scope of the penetration test to perform this testing and never violated the client’s security policy either, as we didn’t install anything on the laptop, we just downloaded and ran software. Technically, Java ran the application, we just downloaded it.

There are no security controls in place to stop internal users from performing the same steps that we did to run BurpSuite, or any other Java applications on these corporate builds. This poses a huge risk to this client, their internal applications and ultimately, their overall reputation. Yes, there is monitoring software and anti-virus software installed on these PC’s and attacks could be traced back to IP addresses and user names, however, host monitoring logs would only be reviewed after the attack and would be a responsive counter measure, not an active protection measure.

Our team were tasked with performing a penetration test of just one of the internal corporate web applications, but just like other large corporate clients, there are a lot more internal web applications in use within this organization. This means that an internal attacker could easily target any one of the client’s numerous other web applications, all from their own corporate PC. When you have over 100 internal users, this exponentially increases the risk to all internal web applications, and to the organization as a whole.

This vulnerability would also allow internal users to download these tools and to attack other external applications not within the client’s infrastructure or realm of control. If an internal user were to compromise (or attempt to compromise) a web application hosted by the client’s competition, this attack would be seen as coming from the client’s network. This, in turn, could lead to all sorts of legalities and difficult conversations.

We highly recommend that all corporate Operating System builds be penetration tested before being deployed so that vulnerabilities such as this can be mitigated before the builds are issued to internal users. At ITSG we take the security of our clients’ networks very seriously and this is why we always aim to point out as many vulnerabilities as possible during all our penetration testing engagements.

If you currently have a corporate Operating System build that hasn’t been through a thorough penetration test, then please consider doing this as a matter of urgency. ITSG will gladly assist you with developing secure Operating System builds or performing penetration testing of these builds if you already have them in place. Please contact us for more information.

Follow us on Twitter and/or Facebook to see more updates.


Vendor Security Challenge

To keep things interesting, we’ve decided that we’re going to open up a challenge to all computer hardware/software vendors out there.

We’re looking for 10-20 vendors to come forward and put the security of their devices and/or applications to the ultimate test. So, do you trust your developers and the security of your devices, if so then get in touch.

What we’ll be doing is performing an in-depth penetration test again the device/application, and then publishing a overall security score out of 10 for the Vendor and the product tested. We will not be disclosing any vulnerabilities publicly for this, only the ratings, vendor’s name and device/application name. Each item tested will have a Blog post written about the device/application, and the overall winner will also get additional Blog post about your device/application and why it won overall in our security testing.

As we will be performing a full penetration test against these devices, we will also be writing reports and documenting any findings and how to mitigate against these vulnerabilities. These reports will remain ITSG company property, and your respective report will be available to purchase for a fixed cost, should you wish to have a copy.

*Please note that we will only sell the report to the vendor, you will not be able to buy competing vendors reports.*

Are there any vendors out there who are up for the challenge? If so, please use get in touch via the Contact Us page, and good luck!

We’ll keep you all updated of entries and any vendors that take us up on this challenge.


Twitter Two-Factor Authentication, and why you really should be using it…

For those of you reading this that have no idea what Two-Factor Authentication (2FA) is, let us try to explain. 2FA is a more secure authentication mechanism that provides a lot greater security than just passwords. Let’s face it people, passwords are no longer secure, they can be cracked (or worse yet,guessed!)

The strength of a password is based on a lot of different factors such as, the length of the password, if special characters ($£@&*, etc) were used, if a mixture of UPPER and lowercase characters were used, if the password is a mix of alphanumeric characters, and of course the encryption algorithm in use.

Unfortunately passwords aren’t going away anytime soon, so in the mean time we all need to use the most secure passwords we can. We would currently recommend using a password that is no shorter than 10 characters, contains a mix of alphanumeric and special characters, and contains both upper and lowercase characters.

Another problem with the use of passwords is that most people still use the same password for all their logins, Facebook, Twitter, Google, online banking, etc. You can probably see where all this is going, if you’re using the same password for all or most of your logins, when one of those web sites gets hacked, your password could be too. The hacker(s) would then have access to your most commonly used username and password to go and try on other popular websites.

There was a story in the news a little while ago about a Tech reporter who’s iCloud account was hacked. As if that in itself is not bad enough, the hacker then proceeded to wipe all this users’ Apple devices, his iPhone, iPad and Macbook Pro were all remotely wiped by the hacker. The way that this reporter was hacked was more complicated that just cracking his password, but this is mentioned here to show the damage that could be done if you are using the same password on multiple websites.

2FA is made of two separate parts of information, something you know (a password for example), and something that you have (a text token (SMS), a smart card, etc.) To authenticate to a system that is using 2FA, you need to present both pieces of information before being allowed access. With 2FA even if your password is compromised, and attacker would still not be able to gain access to your account without the second piece of information (something you have). Some banks have been giving out card readers that you put your bank card PIN into, and they generate a code to allow you to sign into your online banking accounts with, this is a form of 2FA. Without this card reader, you cannot gain access to your account with only a password, you need both pieces of the puzzle.

Twitter has upgraded their authentication mechanism to support 2FA, and based on the above you can probably see why it’s a good idea to enable it. Twitter has called it’s version of 2FA Login Verification, and what this means is that once you enable it, you will need to register a cell phone number. Once this number is registered to your account and verified, every time you sign in to Twitter.com a code will be sent to your phone that you will need to enter on Twitter.com. If you’re using a Smart phone with the Twitter app, the notifications will come through the app. This authentication process also takes place when you try to sign into Twitter using any of the numerous Twitter clients out there.

So, how do you go about enabling this added security to your Twitter account? Just follow the steps below and you’ll be good to go.

1. Login to Twitter.
2. Visit your Account Settings page.
3. Select “Require a verification code when I sign in.”
4. Click on the link to “add a phone” and follow the prompts.
5. After you’ve enrolled in login verification, you’ll be asked to enter a code that is sent to your phone each time you sign in to Twitter.com.

That’s it, you should now be using 2FA for your Twitter account. Just remember that if you’re using your Twitter account for business, or if you have it linked to other sites (Facebook), then it’s even more important that you enable this.

Stay safe out there people.


Filed under: ITSG,News,Social Media

Find us on Social Networks

We just wanted to let everyone know that we’ve recently updated our Contacts page with all our Social Network details.

So come and follow us on either Twitter, LinkedIn, or Facebook, or maybe even all 3!

We’re constantly striving to find better ways to communicate with our customers and have a kind of questionnaire running on LinkedIn at the moment.

It’s a simple question “If you could change one thing about your current penetration testing providers, what would it be?”

We’re just asking everyone to take a couple of minutes and leave a response in the comments field. If you’ve got the time to leave us an answer we’d really appreciate it.

We  won’t be posting the same content to all Social Networking sites, we will be sharing things such as ITSG blog posts, etc. We just want to try and keep things interesting, informative and enjoyable for everyone.

Stay safe people.


Filed under: ITSG,News

Ubisoft Hack: What this means to you…

It’s all over the news that Ubisoft got hacked, and I’m sure that a lot of people are sitting back wondering just what the effects of this hack are, and how it affects them.

To sum things up, below is the content of one of the “Password Reset” e-mails that Ubisoft sent out yesterday.

“Dear Member,

We recently found that one of our Web sites was exploited to gain unauthorised access to some of our online systems. We instantly took steps to close off this access, investigate the incident and begin restoring the integrity of any compromised systems.

During this process, we learned that data had been illegally accessed from our account database, including user names, email addresses and encrypted passwords. Please note that no personal payment information is stored with Ubisoft, meaning your debit/credit card information was safe from this intrusion.

As a result, we are recommending that you change the password for your account: <your name here>

To enter your new password, click the link below: <removed>

Out of an abundance of caution, we also recommend that you change your password on any other Web site or service where you use the same or a similar password.

You can find more information here <removed>

For any additional support enquiries, please contact our customer service via our support web site at https://support.ubi.com

We sincerely apologise to all of you for the inconvenience. Please rest assured that your security remains our priority.

The Ubisoft team”

So your credit/debit card information may be safe, as Ubisoft don’t store this information (thankfully!), but the important part of the e-mail is the line that states:

“Out of an abundance of caution, we also recommend that you change your password on any other Web site or service where you use the same or a similar password.”

If like many millions of people out on the Internet, you’ve used the same password on other web sites, when the hackers eventually crack the encrypted passwords, they will then have your e-mail address and password. Imagine the damage they could cause to your life through websites like Facebook, Twitter, LinkedIn, PayPal, Amazon, eBay, the list goes on and on.

It’s never about attacking a single web site, until people learn that using the same password all over the Internet is not a good idea, this will never change unfortunately.

If you have a Ubisoft account and even if you only use it for gaming, go and change all your other passwords on any other web sites where you’ve used the same password immediately. Just because this data was stolen recently, it doesn’t mean that it will all be used any time soon. You may only notice someone else logging into one or more of your accounts a year down the line. While you’re changing those passwords, it may be a good time to make sure that you’re not using a different “same” password on multiple other web sites or applications.

Unfortunately a lot of the time attacks such as these can be prevented with proper security measures and regular “real world” penetration tests. We always advise our clients to conduct penetration testing on a regular basis, and always before launching any new Internet facing services or web sites. We also always advise our clients to maintain a strong Password Policy.


Filed under: Hacked,ITSG,News

Social Engineering Explained

Every now and then one of our readers will send in a link to an article that we just have to share.

A really special thank you to Brandi from all of us here at ITSG for sending this one through.

To Heather over at Backgroundchecks.org, really nice article!

So for everyone who wants to get a better understanding of what Social Engineering (S.E) is, go and have a read of the following article.

Working With People An Introduction To Social Engineering.