Senet Services

BLOG

January 31, 2012 - ShmooCon 2012 Review

The past weekend (January 28-29, 2012), several people from SeNet attended the 2012 ShmooCon security conference (www.shmoocon.org).  This is always an excellent conference and a great value at only $150 (if you can get a ticket).  Here is a list of some talks we attended, along with our comments.

  • A Blackhat’s Tool Chest: How We Tear Into That Little Green Man – Mobile security was a hot topic and there were several talks on this subject.  This talk focused on Android security.  It explained how to reverse-engineer mobile applications on Android and the speaker released a tool to make this process easier.  This is definitely something to check out in the near future.
  • Java Backdoors and Cross-Framework Abuse – This was a somewhat technical talk on how to take advantage of Java archive files (JAR, WAR, EAR) in order to place backdoors and elevate privileges.  Although the subject matter was not ground-breaking, it did provide a clear picture on this attack.  The speaker was very knowledgeable; however, his presentation style was not very dynamic.
  • Introduction to Near Field Communication (NFC) Mobile Security – NFC is on the horizon and with it comes a lot of features to help the end-user.  The first portion of the presentation was an overview of NFC, the standards, and the specifications.  This part was a little dry but the second part, which included a demonstration of some of the attacks, was quite interesting.  As this technology becomes more widely deployed in the United States, we should keep this topic in mind when it comes to security.
  • OPFOR Works Both Ways: How Offense and Defense Must Train Each Other – This presentation explained how an organization’s incident response team and penetration testing team should work together to train each other.  It also noted that penetration testing has moved away from its original purpose: testing a system like an attacker.  Currently, so much scoping and so many rules go into a penetration test that it is not a true simulation of an actual attack.  I agree that there can be significant costs associated with penetration testing.  Often, companies do not want to pay for the level of effort that truly simulates what attackers are doing.  To increase the value of penetration testing, there must be a balance between the two focus levels.
  • Credit Card Fraud: The Contactless Generation – This was a very interesting talk that focused on credit cards with built-in Near Field Communication. Rather than swiping the card, these credit cards now have built-in chips that allow the user just to put them close to the card reader and the card is charged accordingly. Although the communication between the card and the reader is encrypted, the communication between the reader and the attached computer via serial port is not and can be captured easily since it is in clear-text format. The presenters then demonstrated that process. They were able to capture the card information and clone the credit card information to another blank card using a magnetic card reader/writer that they got from eBay. Then, they were successful conducting online shopping with the cloned card.
  • Inside Apple's MDM Black Box – This talk focused on how Apple’s Mobile Device Management (MDM) system works.  As more and more people want to bring their mobile devices (iPads, iPhones, etc.) into the network infrastructure, mechanisms must be in place to manage these devices.  The speaker talked about how and what MDM can do.  He also released his own tool that can manage these devices using the same technology, with some limitations.  He also discussed security weaknesses (primarily Man-in-the-Middle [MITM] attacks in the MDM architecture) that he uncovered as part of his research.
  • What is a Name – This talk replaced the talk that was supposed to be given on smart meters.  (Apparently, the utility company upon which the original speakers based their research did not want the presentation given at the time.)  In any event, this talk was very interesting and entertaining.  The speaker did some cool research and, using some DNS tools, was able to create a database of the entire Internet located here (https://www.deepmagic.com/ptrs/).  This information should be very useful for reconnaissance and some other purposes.
  • Whack-a-Mobile: Getting a Handle on Mobile Testing with MobiSec Live Environment – This talk was given by the always-entertaining Kevin Johnson.  I find the best talks to be those that not only have useful information but also engage the audience.  He released a testing framework (MobiSec) for mobile platforms.  The tool was based on research that was funded by DARPA Cyber Fast Track Program; now, the plan is to make it an OWASP project.   This research should make the examination and testing of these devices and applications easier as this project develops.

Overall, it was a great conference and SeNet is looking forward to returning next year.

Gus Fritschie, Rehan Bashir, and Roey Katz

________________________________________


January 27, 2012 - Know your Audience

In the IT security world, it is extremely important to know your audience.  The audience can be customers, security professionals, management, peers, and/or trainees.  As the presenter, it is your responsibility to introduce yourself, anticipate fears and objections, exhibit knowledge to your supporters, and keep your thoughts and actions simple and positive to steer the objectives and project to the ultimate goal—success.

  • Acknowledge your fears. One of the biggest fears many people have is public speaking.  Suggestion: The primary difference between being in the audience and at the front of the room is that presenters and leaders have learned how to master their fear rather than letting it master them. The leader always sets the expectations and the tone for the task. Make sure that the audience is in a positive frame of mind to receive the information.

  • Familiarize yourself with the environment. Always arrive early when making a presentation.  This tells the audience that you are prepared, comfortable in your surroundings, and ready to focus on the topic. Always be prepared to present to an audience level that is different than the one expected so you can connect with everyone.

  • Trust your knowledge. Be proud of the fact that you were asked to speak or lead a project. You are in a position of leadership because of your knowledge and the person who asked you to speak has confidence in you. Accept that confidence and build on it! Remember that your message is unique to your audience. View the presentation as an opportunity to share your knowledge and enthusiasm with others.

  • Anticipate questions and objections. Even though you are the presenter, think like an audience member.  What questions would you have?  Did you cover all of your bases?  Be prepared to discuss gray areas and issues for debate.  If you identify weak points, provide additional data. It is also important to look for opportunities where your audience might question your facts or interpretations. Be ready with additional facts to support your arguments and conclusions, such as references to documentation and publications.  If someone asks a question that you cannot answer, offer to research the issue and follow up with the person later with the answer.

  • Project to your supporters. Locate “allies” as you introduce yourself to your audience. Assess your audience during the session. Notice how some people smile, nod their heads, or take notes. Project to those people and let them help you build confidence. Acceptance creates confidence.

  • Practice simplicity. Confidence will grow to the extent that you keep your presentation simple. Talk in a conversational tone and never read to the audience. Allow your supporting documents to provide the framework, not the essence, of your presentation. Be ready to dissect your argument and support it.  Try to develop different scenarios to explain the key points in layman’s terms. Always remember K.I.S.S. = Keep It Simple Sam!

Effective presenters and leaders at all levels need to support people, customers, processes, and priorities. Don’t be afraid to face your fears. Embrace what you know, teach what you have learned, and cater to your audience. If the subject matter can be communicated, then it can be applied and you may just receive some applause!

Marilyn Smith

_________________________________________

January 20, 2012 - Cyber Security: The Next Gold Rush?

The Washington Post recently had an article (http://www.washingtonpost.com/business/economy/pentagon-interest-in-cybersecurity-may-ease-contractors-pain-from-cuts/2012/01/12/gIQAFbPe1P_story.html) that outlined how defense contractors are shifting from military and weapons development to cyber security.  This comes as the Department of Defense plans to cut defense spending dramatically in the next decade.  This is not a surprise to me or others in the computer security arena.  We have seen the shift over the past decade as larger businesses expand their service offerings to include information security. In my opinion, this is not necessarily a positive thing for organizations requiring these services.  When you take companies that already provide numerous services from general information technology (IT), aerospace, missile defense, etc. to whatever the “hot” service is and add information security on top of everything else, something is missing.  Quality, technical expertise, and overall understanding are critical to success and you can only gain the necessary knowledge if information security is your primary focus.  This is the advantage enjoyed by SeNet International and the reason why we can provide the best information security services at a reasonable cost.  With over a decade of experience specifically in information security and countless satisfied customers, we can offer you the best value for information security services.

This same trend toward information security is reflected in the job market.  As the need for information security services has expanded, so has the job market in that field.  Typically, information security jobs have paid higher salaries than general IT jobs.  This is why we have seen an increase in and transition from system administrators to security administrators.  Colleges now have information security-specific programs and students are flocking to them with the hope of landing a high-paying job.  However, this can be a double-edged sword. You will see some bright prospects that went into another field but later migrated to computer security.  You will also see people who are just looking to “get rich quick.” Many of us remember the Microsoft Certified System Engineer (MCSE) craze of the early 1990s.  We have a similar scenario today with people thinking that just because they have a CISSP credential, they deserve to make $100,000.  Part of my job involves interviewing job applicants and I can attest that SeNet already has some of the best and brightest employees in the information security field.  Our interview process is very thorough and we look beyond the certifications and the resume to what the individual actually knows and what the individual can actually do.  So, if you are looking for a new and challenging career and not just chasing the next hot field, please send me your resume (gus.fritschie@senet-int.com) and we just may have the opportunity to work together in the future.

Gus Fritschie

______________________________________

December 16, 2011 - Get Your Verve Back

When I was asked to write a blog and this topic came to mind, I immediately pushed it aside and went in search of another topic.  My thought was that this topic is better suited for a personal or self-help blog, and not for a security blog. However, I came to the conclusion that this topic applies to life in general—the security world included.

When we were younger, we wanted to be teachers, firemen, policemen, veterinarians, etc.  We talked about our dream constantly, read about it, and talked with those who were already where we wanted to be.  We worked at it, looking forward to that day when it would become our reality.

Those dreams and goals changed as we matured and somehow morphed into something more reasonable, more achievable, more “who I have to be because… ”   I completely understand the how’s and why’s of who, what, and where we are today; I also know how discouraging it can be to look back and compare where you are to what might have been.  Not to disparage the security profession, because it is lucrative and steady, but it is none too exciting.  It would be easy to get lost in the details and sameness.

However, I want to challenge you to go back and take that old dream off the shelf, dust it off, and take another look.  That excitement, that fervor, the daydreaming and can’t-sleep-for-planning that you put into your old dream—is it possible to put at least some of that verve into what you’re doing today?  “How?” you ask. “This job has become routine, there’s no life, and it’s the same ol’ same ol’ day after day.” 

I submit to you that if you change the way you think about your job, you will change how you perform it.  It reminds me of that old saying, “If you keep doing what you’ve been doing, you’ll keep getting what you’ve been getting.”  Change what you think about your job and you’ll change your performance.  ‘As a man thinks in his heart, so is he’ {Proverbs 23:7} also applies here.

The bottom line: infuse some new fire into what you do. Try a different approach or try seeing what you do from your client’s perspective.  Get a neutral party involved by asking how they see or how they would handle a particular situation.  Above all else, find ways to rekindle your fire.  Your dream is ultimately about you, how you view success, and how you view yourself.  Change your view and I guarantee you’ll improve your life.

Karen H. Rodgers

________________________________________

November 30, 2011 - Analyzing Malicious Intent – Malware

You are sitting at your computer, casually browsing the Internet, and you accidentally click something. The next thing you know, your computer is infected by a malware program. Most people tend to continue working since there may be no visual indication of a problem other than a few popups, or the computer may start to run more slowly. However, in the background there is a lot more happening. An uninvited program is now sitting on the hard drive and its sole purpose is to steal your sensitive or personal information like stored passwords, credit card information, social security number, etc. This is what is generally known as malware and it is evil.

The first line of defense against cyber invasions of malware is common sense. Don’t click on anything that is unfamiliar. Don’t install anything from an untrusted source and don’t install any software that comes in a bundle, which will likely install other “crapware” on your machine. Suppose, however, that the damage has already been done and the computer is infected. Now what? No single antivirus software package can detect all the malware that exists. One defense concept called “defense in depth” advocates installing multiple antivirus programs on your system in order to increase the detection spectrum for malware. Most of the time, this approach does not work. Also, malware is very good at hiding from detection by compressing itself or by being encrypted.  Most of the time, malware decompresses or decrypts directly in memory rather than on the hard disk, which makes it more difficult to be detected by conventional malware detection solutions.

I have also observed that most organizations with infected computers are not exactly sure how the computers got infected. If the incident response team does not have a plan of action in place, it tends to resort to trial and error and may even develop the incident response plan (IRP) while the incident is happening. In my opinion, this is not a good practice.

So, how do we detect malware and how do we identify what the malware is stealing and what is happening that we cannot see? We must come up with new ways to analyze these destructive programs and their intent. The two main approaches that are currently being used are static analysis and dynamic analysis.

In static analysis, the examination of malware is performed not by executing the malware program, but by dissecting it using various tools like decompilers, analyzing the source code, etc. In dynamic analysis, the malware program is actually executed and the behavior is studied using various tools like PE Explorer, Wireshark, Sysinternals tools, etc. Because the malware code is executed in dynamic analysis, there is a lot at risk. To minimize the risk, it is highly recommended that a lab and virtual environment be created and be completely isolated from the production environment.

Now that we have established two basic approaches for analyzing malware, here are some common steps for purging infected computers:

  1. Configure the environment for analysis (physical or virtual).

  2. Obtain and put the malware in the analysis environment.

  3. Execute the monitoring tools (static or dynamic).

  4. Log the results.

  5. Clean or disinfect the environment.

In order to configure the environment for analysis, I highly recommend using a virtual machine (VM). Any of the VM technologies listed below can be used. The advantage of using a virtual environment is that you can always revert back to the original state of the machine after you complete the analysis.

  • VMWare
  • Oracle VirtualBox
  • Microsoft Virtual PC.

Obtaining malware can be easy but tricky. You can actually get the malware during the incident response or you can set up “honey pots” to obtain it. Once the malware is obtained, the next step is to analyze it.

First, you must identify the changes that are being caused by the malware. To make this determination, install the behavior analysis tools. These tools determine any change in the state of different processes as well as changes made to the file system, registry, and memory of the infected system. To determine the changes, it is important to have observed and recorded the state of the system as it existed before the infection. Here are some important behavior analysis tools that can be helpful:

  • Microsoft Sysinternal Process Explorer
  • Process Hacker
  • Regshot (for a registry snapshot)
  • CaptureBAT
  • Wireshark (to determine the network traffic generated by the malware).
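The before/after comparison described above (the Regshot approach, applied here to the file system) as an added example; this is illustrative code written for this post, not a tool from the original article, and the directory contents and the "infection" changes are constructed inline so it runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Record the state of every regular file under root.

    Returns a dict mapping the relative path (with forward slashes) to a
    (size, sha256) tuple, so a later snapshot can be compared for changes.
    Files that disappear or become unreadable mid-walk are skipped.
    """
    root = Path(root)
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                data = path.read_bytes()
            except OSError:
                continue
            rel = str(path.relative_to(root)).replace(os.sep, "/")
            state[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return state


def diff_snapshots(before, after):
    """Compare two snapshots and report added, removed and modified paths."""
    before_paths, after_paths = set(before), set(after)
    return {
        "added": sorted(after_paths - before_paths),
        "removed": sorted(before_paths - after_paths),
        "modified": sorted(p for p in before_paths & after_paths
                           if before[p] != after[p]),
    }


def format_report(changes):
    """Render the diff as plain text lines suitable for the analysis log."""
    lines = []
    for kind in ("added", "removed", "modified"):
        for path in changes[kind]:
            lines.append(f"{kind.upper():9} {path}")
    return "\n".join(lines) if lines else "no file system changes observed"


def demo():
    """Constructed scenario: a pre-infection snapshot, a few simulated changes,
    and a post-run snapshot. Nothing here is real malware; the edits simply
    stand in for what a sample might do to the file system."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "config.ini").write_text("autostart=0\n")
        before = snapshot(root)  # recorded state before the sample runs

        # Simulated (constructed) changes: one file edited, one dropped,
        # one deleted.
        (root / "system32" / "hosts").write_text(
            "127.0.0.1 localhost\n0.0.0.0 example.invalid\n")
        (root / "AppData").mkdir()
        (root / "AppData" / "svc.dat").write_bytes(b"\x00" * 16)
        (root / "config.ini").unlink()

        after = snapshot(root)  # recorded state after the sample runs
        return diff_snapshots(before, after)


if __name__ == "__main__":
    print(format_report(demo()))
```

In practice, take the first snapshot on the clean VM before copying the sample in, and diff against a snapshot taken after the run, then revert the VM.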

Once a general understanding of the malware’s behavior has been established, the next step is to dig a little deeper. At this stage, the decompilers and disassemblers come in very handy. They will allow you to look into the source code and provide an understanding of why and how the malware was coded. Some of the most common disassemblers and decompilers that can be used include:

  • IDA Pro

  • OllyDBG.

Malware analysis can be tedious when done manually. However, there are Web sites that help automate this process and provide detailed reports after you submit a Windows binary. Malware is usually distributed as a compiled binary. Once you upload the binary to such a Web site, a complete report is then made available for you to download. Some of the major sites that provide automated assistance are:

There are a few offline automation tools available, the most notable being Minibis, which was inspired by the online automation tool Anubis.

In this article, we have seen the most common ways to analyze malware. All organizations should have a good IRP in place that lists the step-by-step procedures for responding to a malware incident and how to analyze malware to determine what it is trying to do. The analysis will help the organization understand what the malware is trying to steal and where it may be sending your information. Following this process will help you understand the damage and identify the proper steps to take to avoid any future malware incidents.

Rehan Bashir (CISSP, CAP)

_______________________________________

October 31, 2011 - Explaining Information Security Risk to a Non-technical IS Owner? Oh Boy!

We all know the important role that information security plays in today’s world and how it can affect an individual, a small company, or even a multinational enterprise in a negative way. How important, you ask? Well, very important! This answer may not cut it when you tell it to someone who has a concept of you (as an information system [IS] security officer) standing alert outside an information booth in a recreational park with a shiny badge pinned to your chest and pepper spray in your hand, trying to protect park maps from being stolen. In my humble opinion, this person has every right in the world to think that the “ground zero” of information is present inside the park; after all, the park uses public tax money and needs to be protected, right?

Now, I am not saying that is the case every time, everywhere, and with everyone. However, it is a fact that most IS owners are typically less technical than you are. So, if you tell them that you are here to secure the organization’s IS assets, then the next question from the owner will probably be, “When do you think our IS assets will be 100% secure and risk-free?” You are in trouble if you say that we will never be 100% secure and good information security does not just happen or often does not happen at all, or that resources are always in short supply and there are always other needs that seem more pressing. This, my friend, is next to kissing your next paycheck goodbye! For example, if I hire a babysitter and she tells me one day that my 1-year old child will not be “totally” happy and “completely” protected, then it’s a ding in my paycheck at the cost of my lack of satisfaction.

On the other hand, if you try informing the person that “we will be 100% secure by the end of the next fiscal year,” then not only you are negating the ISC2 Code of Ethics rules by hiding the truth from stakeholders, but also if (God forbid) the IS system is hacked and personally identifiable information (PII) becomes just a “Google” away, then it is not only you who gets the pink slip. The company, a partner, or even an owner could end up being released by the affected organization and possibly their contract agencies, as well.

Next, try telling this to a non-technical peer or, in a worst-case scenario, the boss that the database server’s frame-relay link to the secure area network (SAN) is broken and, due to non-availability of a hot backup link, the only disaster recovery (DR) recovery point objective (RPO) is up to the local host Redundant Array of Independent Disks (RAID) system capacity. You get the idea, don’t you?

So, here is the challenge! What, when, and how to explain to your IS owner and any related non-technical staff that you have come across an IS vulnerability. The good news is that for “what,” the answer is simple: tell them honestly about your discovery and speak in simple, plain language without impressive “techie” lingo and acronyms. For “when,” the answer is even simpler: ASAP! Unfortunately, the “how” factor is where most IS officers/engineers/consultants prefer jumping off a 1,000-ft. cliff with a 1,001-ft. bungee cord, hoping that with God’s almighty help, the cliff will grow taller with divine destiny from top to bottom of the “Rock of Fate.”

I will try to outline my limited experience on how to tame the “HOW”ling beast. Maybe this will help you in similar situations where everyone sees you as the “9-1-1 help line.”

1.  Start by giving a real-life example close to the technical situation at hand. For example, a virus threat is creeping into your protected network and you are trying (or at least planning) to isolate or unhook the infected e-mail server from the network. (By the way, virus threats can easily make you the number one victim of unlimited and unsolicited verbally, morally, and politically incorrect SPAMs from any source who is expecting a million-dollar, jackpot-winning confirmation e-mail any second now.) Start by asking a simple question, “If your elder child becomes infected with a contagious viral infection, what would you do to protect the rest of the family from the virus?” One answer might be to isolate the patient by asking him or her to rest in a separate room away from siblings, and then start treatment until the child is healthy again, right? Right! You get the picture.

2.  Second, nothing (and I mean absolutely nothing) will elicit a positive reaction from an IS owner in favor of your risk management plan or strategy until you present him or her with the final “horror” consequence if the threat is not dealt with promptly. For example, using the scenario in bullet 1, suggest that the IS owner take the infected e-mail server offline immediately and investigate, fix, and report the incident (sacrificing a few hours of non-production in the process). Otherwise, be prepared to possibly deal with an entirely infected network, which can take days to recover from the IS assets standpoint alone and even longer to regain stakeholder trust and confidence. In a worst-case scenario when a system is not repaired promptly, a permanent blemish could remain on the business and its reputation that could lead to other problems down the road.


3.  Finally, patience and persistence is the key to success! Don’t lose heart if you think you have been singled out, left alone, or if people treat you as the messenger of bad news all the time. Keep doing what you know is right and ethical to help protect the information from all possible threats.

Just my two cents. Well, three bullet points to be exact! Thanks. - Syed Khalil

_______________________________________


September 27, 2011 - Continuous Monitoring - The Next Evolution of C&A?

The information technology (IT) security industry is “abuzz” with the introduction of the Risk Management Framework (RMF) and the Continuous Monitoring process. Many believe that because they have “implemented” continuous monitoring that they are compliant with the Federal Information Security Management Act (FISMA) and better positioned from a security perspective than others who are still following the conventional security authorization (certification and accreditation [C&A]) tri-annual assessment process. Proponents of this new position point to various comments by government officials, agency CIOs, and Federal CIOs that security should be more focused on technology. Continuing calls for additional investments in intrusion detection, log consolidation and monitoring tools, and patch and vulnerability management tools reverberate from organizational IT departments. The logic is that through the use of these tools, “continuous monitoring” can be achieved and the paperwork-intensive security authorization process can be eliminated to “save money through the use of technology.”

Ah, but the pendulum swings again. During the emergence of the information security domain, technology ruled. Firewalls, content inspection engines, intrusion detection systems (IDSs), vulnerability and patch management tools, VPN gateways, and security appliances ruled the domain. They propagated and flourished and there was peace and tranquility throughout the land.

Well, almost.

We quickly found out that while technology was an enabler of information security, policies and procedures were required to allocate the proper resources and responses to the multitude of incidents that these tools detected and prevented. For example, we learned that an enterprise log management and consolidation tool that was not regularly monitored and reviewed for indications of suspicious activity amounted to only a huge data file that sat on a server waiting for attention. Information security is more than technology; it is also people and procedures. Trained and experienced personnel can interpret the “signals” that these tools are sending and proactively adapt defense mechanisms to address new threats. The original National Information Assurance Certification and Accreditation Process (NIACAP), Defense Information Technology Security Certification and Accreditation Process (DITSCAP), and National Institute of Standards and Technology (NIST) C&A processes implemented a “balanced” approach measuring both technology as well as policies and procedures using control points.

Continuous Monitoring is a maturity level; it is not a set of technology tools conducting scans and reporting results. To establish this maturity level, security must be integrated into the culture of the organization. Mature and consistent policies enforced by technology, security personnel, and enterprise IT resource users are the cornerstone of this maturity level. Can someone please tell me how a scanner can “monitor” whether a user is susceptible to social engineering attacks (phishing) because the non-existent or severely downsized security staff has not implemented continuous security training and advisory alerts to prevent the same? Furthermore, which “tool” monitors whether contingency plan tests are successful and backup tapes are routinely “restored” to check for viability?

Just a thought. – Nelson Ros

______________________________________

August 11, 2011

Last week, I accomplished one of the goals I had set for myself—present at a major security conference.  The conference I did this at was Defcon, one of the oldest and largest conferences.  Now, I have attended numerous conferences such as ShmooCon, CanSecWest, and Black Hat.  None of these could have prepared me for what I felt as I stood up on the stage and looked out at about 500 people and waited for the signal to start.  Once I got started, I think the talk went well. There was no mass exodus of people as I have seen in other presentations that were less than stellar.  In fact, I think the audience was engaged for most of it and asked several questions afterwards.  The presentation did not introduce any new zero-day vulnerabilities, but what it did do was show several weaknesses in the online poker gaming architecture that could be exploited and illustrated the need for compliance.  If you were not able to attend the talk, I have made it available for download here.  However, be warned that my presentation style is not just to read off the slides; much of the content and discussion points will not be found in the PowerPoint.

In addition to my presentation, there were a number of good talks that I found very informative.  In addition to the talks, one of the most important things about conferences like Defcon is meeting people and the networking that takes place in the halls and over a drink.  I encourage everybody to make time to attend a conference like this and if possible, speak at one.

Gus Fritschie

_________________________________

July 22, 2011

There was an interesting article in the Wall Street Journal on July 21st.  It was titled “Hackers Shift Attacks to Small Firms.”

It seems that you cannot read a newspaper without seeing an article about a “hacking” attack.  With all the press on the hacker groups like Anonymous and LulzSec, and attacks on large organizations such as Sony, Booz Allen, and the CIA, it is easy to forget that anybody can be a target.  I think it is a common misperception among small business that they are not large enough to draw the attention of cyber criminals.  However, as the article details, this is not the case.  Attacks against businesses with fewer than 100 employees have doubled since 2009.

The primary example in the article focuses on a small business that had credit card (PCI) information stolen.  Simple security mistakes were made, such as having a weak password and remote access to the point of sale (POS) system.  This is something that SeNet sees on a regular basis when performing vulnerability assessments and PCI compliance work.  Even large organizations with dedicated security staffs have these problems, so it is no surprise that small businesses with limited resources have similar problems.

Often, cost is given as the reason for small businesses not implementing good security.  But, as seen in the article, the cost to mitigate an intrusion after the fact can be higher than doing the right thing in the first place.

Gus Fritschie