Small Business Attack – Metasploit

  • At September 30, 2009
  • By Josh More
  • In Business Security
  • 0

Though there is a saying in the security profession that it’s not about the tools, some tools are pretty cool. In general business, the common tools are things like Microsoft Word and Excel (or their open source equivalents in OpenOffice). On the defense side, we use antimalware suites like Sophos. Generally speaking, attack tools aren’t as polished and are very narrowly focused. However, that’s starting to change.

The attack tool I want to discuss today is Metasploit. This tool has one primary purpose: to break through your defenses. It’s built using a framework methodology. You can think of it as having “plugins” like Firefox. In Firefox, plugins extend the functionality of the browser by blocking ads or blocking scripts. In Metasploit, the plugins (it calls them modules) are a bit more dangerous and add functionality like exploiting a service and escalating privileges.

Basically, the tool works as follows:

1. Pick your target
2. Break in

That’s pretty much it. If there is a known, unpatched flaw in the system, an attacker can probably get in. And since this tool is so easy to use, an attacker doesn’t have to be particularly skilled to take over a system. They just point, click, and get your data. The flip side is that the tool relies on flaws that have already been published, so keeping your systems patched takes away most of what it has to work with.

Security Lessons from Nature – Smart Crabs

  • At September 29, 2009
  • By Josh More
  • In Natural History
  • 0

Crabs have claws. Some of them have ridiculously oversized claws, some are stronger than the jaws of a wolf and some can give you wicked papercuts.

However, there are a few crabs that just don’t think that’s good enough. Instead, they pick up anemones and carry them around. Since anemones have tentacles, the crabs look a bit like high school cheerleaders carrying pompoms, but they don’t mind. After all, it’s a great defense. An attacker girds itself to fight against pinching and instead it gets a face full of stinging pain… quite the surprise.

Businesswise, it would be pretty ineffective to have your employees carry around anemones. Not only would it make typing difficult, but they would also have to be kept underwater, which might present issues with keyboards. Instead, the lessons are, I think, misdirection and non-localized advantage.

Your business has a brand, so an attacker would naturally expect that a defense would match what your company is best at. For example, if you make surveillance cameras, one might expect that your network is well watched, but perhaps not well protected in other ways. So, if an attacker can manage to encrypt traffic or otherwise hide what they are doing, they can likely expect a fairly easy time of it. However, if you manage to partner with a company that produces a more active defense, such as HIPS, an attacker may find themselves blocked, traced and served with a face full of stinging tentacles (or a lawsuit… the modern equivalent).

Mythic Monday – Nommo

  • At September 28, 2009
  • By Josh More
  • In Mythology
  • 0

Recently, while reading about African mythology, I ran across the story of the sky god Amma and its creation of the half-human, half-fish hermaphroditic creature Nommo, which split into four pairs of twins and, after the usual mythical events, became the ancestors of the contemporary Dogon people. Due to mistranslations of early ethnographic studies, these creatures were identified as coming from Sirius, which, if true, would indicate that the ancient Dogon people either had powerful telescopes (unlikely) or were visited by aliens (which some people seem to view as more likely).

Now, as I read this, I thought “hermaphroditic human/fish hybrid that some point to as proof of alien contact… I’ve got to blog about this!” Sadly, though, I just couldn’t come up with a good business or security angle (there’s something to the “one twin goes evil, so the other has to be sacrificed” story… but there are other such stories in myth that are far more accessible).

Then I started researching Binu shrines. The story goes that one of the Nommo twins was evil, and to make up for this, another twin had to be sacrificed, dismembered and scattered all over the earth. Wherever a piece of Nommo landed, a Binu shrine was built. I was curious, and wondered what a Binu shrine looked like. Looking on Flickr, I ran across this photo by sunshinerythym. I looked at the terms of use and saw that it was marked “All rights reserved”, so I didn’t embed it. I sighed and moved on.

Shortly thereafter, I saw this page on the Sacred Sites of the Dogon, Mali. Well, that photo sure looks familiar, doesn’t it? It’s lightened up a bit, but it looks awfully close. And that link below it? Order Fine Print?

Very interesting.

Now, it is quite possible that sunshinerythym was contacted by the people that run SacredSites.com and gave permission for the photo to be used in this manner. I know that I’ve gotten requests to use my photos in such a way.

However, I also want to point out that there are some untrustworthy people out there who make money by selling other people’s work. If you post a photo in full resolution, anyone can download it and do whatever they want with it. If you license it appropriately, you can take legal action against them… but you have to catch them first. Of course, if you screw up your licensing, you probably don’t have a leg to stand on (unlike Nommo, who being half-human had legs (look, I tied it back in!)).

The security lesson here is that if you are generating content, be careful with it. Though I have chosen to make my full resolution photos available, I do so with the understanding that others may steal them. To help mitigate this, I have licensed them for non-commercial use only. For me, photos are fun, but not my main business. I am fine taking the risk if it means that zoos and similar educational organizations can use my photos to help other people learn. The point is that I know I am taking the risk to begin with.

The other security lesson is that if you are a business, keep track of rights of the things you use. If such use is not previously authorized, it could be construed as intellectual property theft and could be quite costly.

The mythological lesson is less clear.   :)

(Before writing this post, I sent an email to sunshinerythym, as we Flickr users have to help protect each other. It is quite possible that by the time you read this, the links may be broken.)

Review – A Smart Girl's Guide To The Internet

  • At September 25, 2009
  • By Josh More
  • In Business Security
  • 0

A year or so ago I ran across the American Girl Smart Girl’s Guide series. I had heard some good things about the company and the books looked well written, so I picked up a few at a booksale and gave them to a friend whose daughter was approaching the right age. Recently, he reported that his daughter was finding them useful.

So, when I ran across A Smart Girl’s Guide to the Internet at a used bookstore, I picked it up. The book is clearly written for younger readers. It’s segmented by what kids do online and written in a way so as not to be insulting but still be useful. What I particularly liked is how it directly addresses real issues while still referring the kids to parental authority if they have any questions.

Some items of interest:

  • There is a general stress on intelligence, or as they put it: smarts not software.
  • An ongoing discussion about privacy and why it’s important, including what counts as personal information and why it should be protected.
  • A running analogy of online threats to real-life threats.
  • What to do when the inevitable happens and a kid is put in an uncomfortable position due to either social interaction or accidental browsing.
  • Bullying and social snubbing.
  • How to only connect with people you know personally instead of strangers.
  • How to create content without putting yourself or your friends at risk.

To someone who has been working in the I.T. Security industry for a while, there is nothing new here.  However, if you are a parent of or know parents of young girls, this is a great book for them to read.  (Technically, it would be good for young boys too, but it’s unlikely that the  majority of them would actually read it, as it is clearly branded for girls.)  It’s nice to see a book like this being made available.

Small Business Attack – Rogue Wireless Detection

  • At September 24, 2009
  • By Josh More
  • In Business Security
  • 0

The best way to prevent rogue wireless access points from appearing on your network is to set up the network so that they are hard to add in the first place. Though it is more work to lock down a network to only allow connections from specific MAC addresses and on specific switch ports, it goes a long way toward preventing unauthorized devices from magically appearing on the network. Keep in mind that a MAC address is easily spoofed, so this raises the bar rather than closing the door.

Of course, this sort of approach is not always feasible. In those situations, you have to go one step further and run periodic scans for unauthorized devices. Tools like NetStumbler and Kismet, commonly used in wardriving, can just as well be used to find access points in your own building.

Using such a tool, it is important to first identify what “normal” is. Begin with a visual inspection of every network port in your location, to make sure that you’re not starting with a rogue access point already on your network. Once you have done the visual sweep, run one of the tools and get a feel for what is normally present in your environment. After a day or so (sometimes more), you should have a list of the wireless networks around you. Each of these should be tracked down and identified as legitimate (yours or a neighbor’s) and recorded by the hardware address of the access point, not just its network name, since an attacker can reuse your network name.

Then, on a periodic basis, you can check for new wireless access points and make sure that the list isn’t changing on you. If it is, you might have a problem.

It is important, however, to stress that this is not a perfect solution. You will likely need to occasionally visually inspect your network and verify that there are no new devices floating around. You should make sure that no laptops are set up to bridge a connection to the outside world. You should do your best to lock down the network. Then, when you’ve done all you can do, scan to fill in the holes.
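
As an added example (not from the original post), here is the baseline-and-compare step from the procedure above, done in a small script. The CSV layout (bssid, ssid, channel, plus an “ours” flag and a note in the baseline) is a constructed stand-in for the export of whichever scanner you use; the addresses and network names are made up for the example. Matching is done on the BSSID (the access point’s hardware address), and a known network name appearing from an unknown BSSID is reported separately from a plain new device, because that is the pattern of an access point imitating your network.

```python
"""Compare a fresh wireless scan against a vetted baseline.

Added example, not from the original post. The CSV columns are a
constructed stand-in for a scanner export (Kismet, NetStumbler, iwlist);
adapt the column names to whatever your tool produces.
"""
import csv
import io

# Constructed baseline from the initial sweep: every BSSID heard, tracked
# down and labelled. ours=yes means we run it; ours=no is a known neighbour.
BASELINE_CSV = """bssid,ssid,channel,ours,note
00:11:22:33:44:01,CorpNet,1,yes,AP in 2nd floor closet
00:11:22:33:44:02,CorpNet,6,yes,AP in 3rd floor closet
00:11:22:33:44:03,CorpGuest,11,yes,AP in lobby
aa:bb:cc:dd:ee:01,CoffeeShop,6,no,cafe next door
"""

# Constructed later scan: one unknown device, our SSID coming from a radio
# we do not own, and the lobby AP not heard at all.
SCAN_CSV = """bssid,ssid,channel
00:11:22:33:44:01,CorpNet,1
00:11:22:33:44:02,CorpNet,6
aa:bb:cc:dd:ee:01,CoffeeShop,6
de:ad:be:ef:00:01,linksys,11
00:11:22:33:44:ff,CorpNet,6
"""


def load_rows(text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def compare_scan(baseline_csv, scan_csv):
    """Return {'new': [...], 'evil_twin': [...], 'missing': [...]} of BSSIDs."""
    baseline = {r["bssid"].lower(): r for r in load_rows(baseline_csv)}
    our_ssids = {r["ssid"] for r in baseline.values() if r["ours"] == "yes"}
    findings = {"new": [], "evil_twin": [], "missing": []}
    heard = set()
    for r in load_rows(scan_csv):
        bssid = r["bssid"].lower()
        heard.add(bssid)
        if bssid in baseline:
            continue  # known radio, ours or a vetted neighbour
        if r["ssid"] in our_ssids:
            # Our network name from a radio we do not own: either an
            # unregistered new AP or someone imitating the corporate network.
            findings["evil_twin"].append(bssid)
        else:
            findings["new"].append(bssid)
    # One of our own APs that went quiet deserves a look as well: it may be
    # switched off, or it may have been swapped for something else.
    findings["missing"] = sorted(
        b for b, r in baseline.items() if r["ours"] == "yes" and b not in heard
    )
    return findings


if __name__ == "__main__":
    for kind, bssids in compare_scan(BASELINE_CSV, SCAN_CSV).items():
        print(f"{kind}: {bssids}")
```

Run it on a scan export in the same shape and anything in the “new” or “evil_twin” lists is a device to walk over and find. The comparison only catches devices that beacon within range of your scanning host, and a BSSID can be spoofed just like any other MAC address, so this is the periodic check the post describes, not a substitute for the visual inspection.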

Good luck.

Small Business Attack – Rogue Wireless

  • At September 23, 2009
  • By Josh More
  • In Business Security
  • 2

The best attacks are often also the simplest. It’s easier to just steal someone’s wallet or purse than it is to hack into a vendor and download their credit card number. It’s easier to offer someone a chocolate bar for their password than it is to send them a phishing email and hope that it works. Similarly, it is easier to break into a network from the inside than it is from the outside.

For example, an attacker could stroll into your office, wait for a distraction, plug in a wireless access point and then run any desired attacks from outside. Pocket-sized access points are easy to come by: the ASUS WL-330 is the size of a pack of cards, as is the D-Link DWL-G730AP. They’re easy to smuggle in and easy to set up. Then, all the attacker needs is an excuse to get into your building.

Of course, those can’t be hard to come by. After all, it’s not like your organization ever orders pizza, calls in for service to a printer or has a cleaning staff, right? I’m also sure that there is no secluded place that an attacker could sit with a laptop and run exploration tests. Most buildings don’t have parking lots, nearby coffee houses or bathrooms, right?

Oh, wait.

Maybe there is a problem.

Security Lessons from Nature – Fierasfer

  • At September 22, 2009
  • By Josh More
  • In Natural History
  • 0

All over the Internet, the fierasfer (aka pearlfish) is defined as: A genus of small, slender fishes, remarkable for their habit of living as commensals in other animals. One species inhabits the gill cavity of the pearl oyster near Panama; another lives within an East Indian holothurian. Not only does this go to show that almost no one does anything original on the Internet anymore, but also that fierasfers are some of the coolest fish ever.

What makes them unique is that they live inside other animals. Some may live inside other fish, clams, starfish or sea cucumbers. In most cases, they don’t harm the other creature, they just live together and share resources. This is much like a business that incubates other businesses. In this model, the larger business shelters and stabilizes the smaller startups, and the startups in turn, allow the larger business to be more nimble and responsive to market demands.

However, there is one small flaw in the plan. That flaw is known as Carapus acus. This pearlfish lives inside sea cucumbers and swims out at night looking for food. If food cannot be found, they eat the organs of the host. This would be like a startup having difficulty with cash flow and solving the problem by just taking money out of the accounts of the larger firm. Sadly, it can happen.

So, what lesson can be learned here? Well, one would be to not go swimming where fierasfers abound. A more practical one would be to be careful with whom you choose to partner. At the very least, be sure that any financial systems are separated. At most, you might want to find some way to keep the systems audited and make sure that the line between the companies is clear.

This way, you can keep your organs from being eaten while you sleep.

Mythic Monday – Elfshot

  • At September 21, 2009
  • By Josh More
  • In Mythology
  • 0

Before the germ theory of disease, Celtic farmers occasionally experienced cattle that would mysteriously sicken.  At the same time, as they were clearing their land, they would find prehistoric arrowheads.  Combining these two observations with the belief that elves were ever-present and often interfered with daily human life, the idea of elfshot arose.

It made perfect sense at the time. Based on the theories of the time and the available evidence, it was completely logical. Even Robert Kirk, an Episcopalian minister, analyzed the situation and explained it thusly in his The Secret Commonwealth of Elves, Fauns & Fairies:

These arms (cut by art and tools it seems beyond human) have somewhat of the nature of thunderbolt, subtly and mortally wounding the vital parts without breaking the skin, of which wounds, some I have observed in beasts and felt them with my hands.

So, since they couldn’t conceive of any way that such small arrowheads could be made (and since they lacked a John Whittaker), they came up with an idea and it affected the regional culture for centuries.

Sadly, the same behavior still exists today. Many times, when there is a security incident, there are a few clues here and there as to what is going on. It is very common to have a theory about what’s going on and then try to make all of the evidence fit it. For example, we hear a lot about foreign attackers, so when a system starts to behave a bit oddly, we often look first for an intrusion. In fact, odd behavior could be due to many factors. It’s not unusual for some systems to experience problems at times. It’s also not unusual for attacks to come from inside. Focusing too early on but one scenario can blind you to what’s really going on.

It’s better to consider all of the data independently and then start coming up with and testing ideas. This would allow you to spend less time running down the wrong path and be more efficient in uncovering the problem. That way, instead of spending centuries working under a theory that might not fit the best, you can maximize your use of time… and avoid needlessly blaming the elves for something that wasn’t really their fault.

Site Review – LinkedIn – Part 2

  • At September 18, 2009
  • By Josh More
  • In Business Security
  • 0

As a followup to my previous post on LinkedIn, I would like to recount a story that a friend told me the other day.  I was visiting with Adam Steen of 25 Connections. Adam’s business is knowing people, and he knows pretty much everyone in the Des Moines business world. If you need a connection in this area, Adam is the guy to go to.

As with many of us in the small business world, he uses LinkedIn to help manage his contacts. However, his business is all about personal connections. This is great for his business, but does introduce a new type of attack that I had not previously considered.

Several months ago, Adam met someone who works in the financial industry. After a pleasant first meeting, he received a LinkedIn connection request. As we all do, he accepted the connection and thought no more of it. Then, last week, Adam got a call from a friend of his who informed him that this connection was using LinkedIn to call Adam’s friends and set up appointments. Of course, the friend accepted the appointment because the caller knew Adam, and the friend took that as a sign that Adam trusted him. After all, if Adam says someone’s good to work with, they usually are. However, Adam hadn’t actually vetted the connection. Instead, the attacker was using social engineering to make it appear as though he had. Once the appointment was made, Adam’s friend found himself sitting through one of the most uncomfortable high-pressure sales situations he had ever experienced.

So, how did this attack work?

First of all, it is entirely dependent on the nature of the social networking site.  If the site is configured to allow your contacts to see one another, you have to consider whether the individuals to whom you are connecting are worth this level of trust.

Secondly, the attack is only useful if the connections are generally trustworthy. If Adam’s name hadn’t meant anything to the person being called, the appointment wouldn’t have been set up and the attack would have been foiled.

Third, if you have a number of close personal contacts who know you but not each other, and you use a social network that allows your friends to see one another, you may be vulnerable.

Now, in Adam’s case, he was able to identify the untrustworthy individual and remove him from his network. Since this particular variant was based on personal contact, the removal of the personal connection foils it. However, it would be trivial to make such an attack far more malicious. An attacker could forge an email from the trusted link that carries a malicious attachment or link. The target then, thinking that the message came from someone very trustworthy, would be fooled into running the code, allowing the attacker to get whatever information they wanted.

So, how do you protect yourself… and more importantly, your contacts?

Think about who you’re connecting to, and if you get a request from a friend of a friend, make sure that it’s legitimate. This could be as simple as picking up the phone and calling the purported shared link. (Odds are that you don’t talk often enough anyway.) Also, if you are in the habit of connecting people to one another, try to connect them at the same time. I find that it’s easiest to send an email to yourself and copy them both on it. That way, they get one another’s address, see that you are vetting them both, and you have a copy of the connecting email should you need it later. This also makes it more likely that someone who bypasses the process will be caught, as it would seem unusual from the start.

This may be a good time to review your contacts and make sure that they’re really what they should be.

Small Business Defense – Network Reconnaissance

  • At September 17, 2009
  • By Josh More
  • In Business Security
  • 0

Yesterday, we looked at the attacker’s view of Network Reconnaissance.  Today we consider defenses.  As before, your best defense is to segment your network, which limits what an attacker can see from any point on your network.  However, there are some things that you can do to reduce the information that an attacker can see if they do get in.

The first is to limit what is actually running on each system.  If you have workstations, ask yourself if anyone needs to connect to the systems remotely.  If not, turn off all services and activate the local firewall.  If so, consider which systems need to communicate and set up VLANs or local firewalls to only allow access from known-good systems.

Second is to identify the key systems that could be targeted. On those systems, in addition to the basic hardening described for workstations, look at scan-detection tools like PortSentry (from the Sentry Tools package) or PSAD. You should also be careful to keep all systems up to date. Even if attackers get a network map, it’s not too useful if there is no way to get in.

Lastly, at the network level, there are a few other techniques that can be used. Implementing an Intrusion Detection System will help alert you when someone runs a scan like this. Additionally, you could put a dedicated tarpit system on the network. This system would slow down an attacker and make them easier to detect. Of course, both of these solutions are sufficiently complex that they go beyond the scope of this blog post. However, this will hopefully help get you started.
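
To make the scan-detection idea from the two paragraphs above concrete, here is an added example (not from the original post, and not PSAD’s code) of the core check PSAD performs: read the lines that a local firewall logs for dropped packets, and raise an alert when one source address hits more than a handful of distinct ports within a short window. The log lines are constructed for the example in the iptables LOG format (a rule such as `iptables -A INPUT -j LOG --log-prefix "DROP "` ahead of your DROP rule produces them); the addresses, threshold and window are assumptions you would tune for your network.

```python
"""Port-scan detection over firewall log lines.

Added example, not from the original post and not PSAD itself; it shows
the kind of check PSAD runs over iptables LOG output. All log lines and
addresses below are constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a fast scan from .50, ordinary file sharing from .20,
# a slow scan from .60 spread over eight minutes, and one ICMP line.
SAMPLE_LOG = """\
Sep 17 09:12:01 ws01 kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 17 09:12:01 ws01 kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 17 09:12:02 ws01 kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=TCP SPT=40003 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 17 09:12:02 ws01 kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=TCP SPT=40004 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 17 09:12:03 ws01 kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=5 PROTO=TCP SPT=40005 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 17 09:12:03 ws01 kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=6 PROTO=TCP SPT=40006 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 17 09:12:04 ws01 kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=300 SEQ=1
Sep 17 09:15:00 ws01 kernel: IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.10 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=8 PROTO=TCP SPT=50001 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Sep 17 09:15:01 ws01 kernel: IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.10 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=9 PROTO=TCP SPT=50002 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
Sep 17 09:20:00 ws01 kernel: IN=eth0 OUT= SRC=192.168.1.60 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=10 PROTO=TCP SPT=41001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 17 09:22:00 ws01 kernel: IN=eth0 OUT= SRC=192.168.1.60 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=11 PROTO=TCP SPT=41002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 17 09:24:00 ws01 kernel: IN=eth0 OUT= SRC=192.168.1.60 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=12 PROTO=TCP SPT=41003 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 17 09:26:00 ws01 kernel: IN=eth0 OUT= SRC=192.168.1.60 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=13 PROTO=TCP SPT=41004 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 17 09:28:00 ws01 kernel: IN=eth0 OUT= SRC=192.168.1.60 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=14 PROTO=TCP SPT=41005 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# syslog timestamp, host, then the iptables fields we care about. Only TCP
# and UDP carry a destination port; ICMP lines are deliberately skipped.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>TCP|UDP) "
    r"SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2009):
    """Return (timestamp, src, dst, proto, dport) or None for lines we ignore.

    syslog omits the year, so the caller supplies it (assumed 2009 here).
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"], m["proto"], int(m["dpt"])


def detect_scans(log_text, threshold=5, window=timedelta(seconds=60)):
    """Map each scanning source to the sorted (dst, proto, dport) targets it hit.

    A source is flagged once it has touched `threshold` distinct targets
    within any `window`-long span. Lines are assumed to be in time order,
    as they are in a log file.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, (dst, proto, dport))
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, proto, dpt = rec
        q = recent[src]
        q.append((ts, (dst, proto, dpt)))
        while q and ts - q[0][0] > window:  # drop hits older than the window
            q.popleft()
        targets = {t for _, t in q}
        if len(targets) >= threshold:
            alerts[src] = sorted(targets)
    return alerts


if __name__ == "__main__":
    for src, targets in detect_scans(SAMPLE_LOG).items():
        ports = ", ".join(f"{proto}/{dpt}" for _, proto, dpt in targets)
        print(f"possible scan from {src}: {ports}")
```

With these settings the fast scan from 192.168.1.50 is reported and the two file-sharing connections from 192.168.1.20 are not, which is the signal-to-noise you want. Notice that 192.168.1.60 also walks five ports but is never flagged, because its probes are two minutes apart and fall out of the sixty-second window; a patient attacker can stay under any threshold, which is why this kind of check complements, rather than replaces, the service hardening described above.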

Josh More - Entropologist
Expert in removing chaos from
I.T. and business systems.

Copyright © 2013 by Josh More