Why do bank robbers wear masks? Obviously, they want to hide their identity. This is true of most covert activity, criminal or legitimate. If someone doesn’t want people to know who they are, they will hide their identity from scrutiny, and doing so on the Internet is actually fairly easy for the net-savvy. However, there are other factors to consider as well. It’s not a simple thing, especially when dealing with very capable attackers in a cyberwarfare scenario. Since my blog is aimed toward beginners to infosec, I’ll start very small and work my way up as an example to explain how complex this can be.
A proxy is a machine that acts on someone’s behalf. I could connect to a proxy in the UK and then navigate to a US-based website. Generally speaking, that US website will register my visit as having originated in the UK, because the proxy is there and I am behind that proxy. If it’s a VPN proxy, my connection to that proxy is also encrypted. There is absolutely nothing illegal about this. Many people do this as a means of protecting their identity and their traffic, but it has other benefits as well. For example, some organizations seek to censor information on the web and block content from being viewed from other countries. Some TV shows in the UK will not stream to the US and give the message that the content is not viewable in your location. Connecting to a UK proxy would then allow the streaming because the distributor only sees the UK IP address. So, it’s possible to bypass censorship like this.
Lots of Proxy
But just connecting to a proxy isn’t going to protect someone from scrutiny. If an attacker wants to attack a target but also protect their identity, then a single proxy isn’t enough. The attacker will want to connect to many proxies in what we call “chaining”. So they want to connect to multiple proxies, but which ones do they choose? Does it matter? Which proxies are chosen is absolutely paramount.
For example, if the attacker is in the US, then obviously, they won’t want to bother connecting to a UK proxy because the US and UK have very good relations and intelligence sharing. So, it would make sense to chain through proxies that are in countries that don’t have a good working relationship with the US. So, is that it? Not if they want to stack the cards in their favor as much as possible. There’s still plenty more that can be done and proxy selection is very important.
As an attacker, I would want to choose proxies that are spread out as much as possible on multiple continents, but just as it’s important to make sure that they are in countries not friendly to the US, it’s also important to try to use proxies in countries that aren’t friendly to each other. It’s also very important to make sure that as many of the proxies as possible are “logless”, meaning that the system does not keep a log of who connected from what IP address, when, and what they did while connected. A good rule of thumb spread throughout the hacker community is that one should use at least 7 “hops” before being comfortable. Many will also suggest using software to randomize their MAC address as an extra layer of precaution.
The attacker has managed to select lots of hops in areas such as Iran, China, Argentina, etc… but could there be even more to be done? If there is a target that would already be likely to suspect an attack from a particular entity or organization, would it not be of help to feed that suspicion as a means of deflecting blame? Of course, it would. If an attacker wanted to attack a US-based military contractor, would it not make sense to make it appear as if the attack originated in China? Anything an attacker can do, no matter how little or subtle, to throw investigators off track is just one more layer of protection. Sometimes, this takes the form of custom virus payloads which have “clues” as to who the attacker is inside the code, but placed there intentionally to throw investigators off the scent.
As you can see from the information provided above, it can be all but impossible to track down the source of an attack, and it can sometimes be very difficult to discover the true purpose of the attack. Not all may be as it seems. The attack itself may have been a ruse to invoke a reaction that sets the target up for a different attack at a later date. If the attacker knows they can get a reaction out of the target to an attack, then they may just use that to their advantage.
For example, let’s say that a disgruntled employee who formerly worked in the IT department of a company (and is familiar with their IP addressing scheme) has a beef they want to take action on. This person is aware that the organization uses an IDPS that is set up to temporarily block IP addresses which exhibit certain behavior that could be classified as a threat. The attacker then does something that they know will trigger an IDPS ban, but in multiple attacks spoofs the IP addresses of critical business partners. The IDPS automatically bans the IP addresses and now the entire communications chain for the organization is shut down, potentially costing the company millions of dollars by making them block their own people.
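One way to keep an IDPS auto-ban from being weaponized the way the scenario above describes is to protect critical partner space from automatic bans and to refuse to count one-way (handshake-less) traffic, which is the only kind a forged source address can produce. The following is an added example, not code from the original post; the partner networks, threshold and alert events are constructed for illustration.

```python
"""Auto-ban decision logic for an IDPS, hardened against the spoofed-partner
scenario. Added example, not code from the original post; partner networks,
threshold and alert events are constructed for illustration."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed: address space of critical business partners. The attack in the
# text works because the IDPS will happily ban these; here they can only ever
# be queued for a human decision.
PARTNER_NETWORKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24",
                                                       "203.0.113.0/24")]

BAN_THRESHOLD = 3  # counted alerts from one source before an automatic ban


@dataclass
class Alert:
    src: str
    signature: str
    handshake_completed: bool  # did the sensor see a full TCP three-way handshake?


def is_partner(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PARTNER_NETWORKS)


def decide_bans(alerts):
    """Return (auto_bans, manual_review, ignored).

    auto_bans:      sources the IDPS may block on its own
    manual_review:  sources over threshold that belong to a partner
    ignored:        sources whose alerts came only from one-way traffic
    """
    counts = Counter()
    one_way_only = set()
    for a in alerts:
        if not a.handshake_completed:
            # A packet with a forged source can never complete a handshake,
            # so one-way traffic is cheap to spoof and must not drive a ban.
            one_way_only.add(a.src)
            continue
        counts[a.src] += 1
    auto_bans, manual_review = set(), set()
    for src, n in counts.items():
        if n < BAN_THRESHOLD:
            continue
        (manual_review if is_partner(src) else auto_bans).add(src)
    ignored = one_way_only - set(counts)
    return auto_bans, manual_review, ignored


# Constructed sample alerts: a real brute-forcer, a compromised partner host,
# a flood of packets forged to look like a partner, and a one-off.
SAMPLE_ALERTS = [
    Alert("192.0.2.10", "ssh-bruteforce", True),
    Alert("192.0.2.10", "ssh-bruteforce", True),
    Alert("192.0.2.10", "ssh-bruteforce", True),
    Alert("198.51.100.7", "ssh-bruteforce", True),
    Alert("198.51.100.7", "ssh-bruteforce", True),
    Alert("198.51.100.7", "ssh-bruteforce", True),
    Alert("203.0.113.5", "syn-scan", False),
    Alert("203.0.113.5", "syn-scan", False),
    Alert("203.0.113.5", "syn-scan", False),
    Alert("203.0.113.5", "syn-scan", False),
    Alert("192.0.2.20", "ssh-bruteforce", True),
]

if __name__ == "__main__":
    bans, review, ignored = decide_bans(SAMPLE_ALERTS)
    print("auto-ban:", sorted(bans))
    print("manual review (partner space):", sorted(review))
    print("one-way only, possible spoof:", sorted(ignored))
```

The partner host that really is over threshold still gets surfaced, just to a person rather than to an automatic block.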
As we see with the South Korean hacking incident, there is a need for caution and patience. I would bet that the forensics experts are under political pressure to provide answers so that politicians can point fingers, but rushing the results can lead to disastrous consequences. Investigators must not operate under any impression or hunch of what the motive for an attack may be, simply because that misconception might be feeding into what the attacker actually wants. They must conduct a full investigation of each detail discovered, and even then there may not be enough evidence in the end to come up with an answer. Unfortunately, that is a possibility, but acting too swiftly and with only superficial intelligence might just be playing right into the hands of the attacker.
Walk into any company that needs IT systems and ask random employees what their opinion is of their IT security. More often than not, you’ll hear some very negative voices. Of course, we know that when we move the pointer closer to security, we detract from functionality and ease-of-use, so it’s not all that unexpected to hear some grumbling.
Users often don’t like the fact that they have mandated password changes every 60/90 days. They often don’t like being forced to adhere to password complexity requirements. They hate it when they step away from their system for just a minute to pick up something off the printer, only to come back and have to enter their password again because the screensaver automatically locked it. These are understandable, but acceptable losses of ease-of-use in the name of security and risk management. But a real problem exists when senior staff feel the same way.
I recently sent a tweet in which I stated that IT security and IT operations are two completely different processes and need to be treated as such before a proper reporting structure can be put into place. To elaborate on this idea, it might be best to simply explain it as the following: When senior leadership isn’t fully engaged in direction and oversight of IT security, infosec becomes an annoying afterthought relegated to the depths of the basement that nobody wants to have to deal with. Instead of being a boon to the organization, it is seen as a burden that should have as little effort and money spent on it as possible. IT operations is inherently different from IT security. Operations deals with provisioning hardware and configurations, while security deals with policy and governance. Far too many organizations think that security is a subset of IT operations, and this can lead to catastrophic failures.
It doesn’t have to be this way. Organizational security is so much more than people trying to justify their jobs and budget. Properly applied security should be built into the process from the beginning – not injected later. It is certainly possible to change paths once a process is already running, but bear in mind that there will often be a lot of resistance from all levels. But not all is lost. It’s important to engage senior leadership in terms that they understand so that they can see why they should be highly interested and involved in providing strategic direction and oversight of infosec implementation.
One good bit of information to bring up is this fact, according to the National Archives & Records Administration in Washington:
93% of companies that lost their data center for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster. 50% of businesses that found themselves without data management for this same time period filed for bankruptcy immediately.
If an organization treats security as a burden, and not a boon, it is putting the survivability of the organization at risk. When I did consulting for a particular organization, one of the first things I wanted to do was to physically secure the server room and prevent it from being a common thoroughfare for everyone in the building. This was met with a lot of resistance. The reasoning was, “We haven’t had an issue with it before, so why should we start locking it up now?”. Many people have never had a fire in their homes, but they certainly install fire alarms. Many people have never had something stolen from their home, yet they don’t leave without locking the doors. Why are people willing to protect their own personal items, but don’t want to have to deal with the inconvenience of protecting company assets?
This brings me full circle on my discussion. That particular organization had the head of the IT department reporting to the Office Manager. Security wasn’t something they were generally interested in, because of the combination of inconvenience and cost. There was no CIO. There was no CISO. There was no CTO. This organization pulled down millions of dollars a year and the senior leadership was completely (and willfully) ignorant of exactly how fragile their existence was (and probably still is). When senior management becomes engaged and interested in security and a proper reporting structure is put into place, we can increase organizational security to appropriate levels while keeping costs low and providing scalability for the future. When your “off-site backup” is a 10-year-old Dell desktop sitting in the next building, you’re doing it wrong. This is begging for Murphy to come and slap your organization into bankruptcy court. Information is the primary source of wealth. Until senior leadership recognizes the extreme importance and value of taking professional responsibility for the direction and oversight of infosec processes in their organization, we will continue to see failure after failure.
I have spent a large majority of my time as a watcher. I’ve always been curious to know what other people know. How hackers managed to pull off some of the things they did and not really risk getting caught amazed me.
When I was reading up on Google “dorks” – basically specially crafted queries put into the Google search engine to pull out results that might not otherwise appear – I thought to myself that it could be very useful to get information on this. As it turns out, there are bots out there that automatically attack and harvest all kinds of information. The amount of information I found out there was absolutely mind blowing.
I was able to locate web pages with lists of compromised accounts and services. Referred to as a “dump”, the administrators of the bots often harvest what is of direct interest to them, and then put the rest of the information online for other hackers to find and use. These can be credentials to everything from rented virtual servers, to premium paid online services (premium accounts to online pornography sites appear to be especially desirable).
I found that there were lists of hundreds, if not thousands, of compromised virtual servers from all around the world – accompanied with username and password to gain access to them. It makes perfect sense that if one wants a place to stage an attack from (especially outside CONUS), then using port 3389 RDP bot attacks to check for default logins and other common logins would be highly profitable.
Hackers can then access these remote servers and have them do their bidding – often without the owner/renter of the system even knowing the machine has been compromised. One only needs to ensure anonymity before connecting, then upload any tools or scripts they want to run, and let that machine do the work. I’m sure this could be fairly easily automated as well, although I have personally not attempted to do such a thing and have not personally seen such an instance in the wild.
Most of what I have seen and dealt with online has come in the form of automated attacks specifically against defaults. That is one of the most fundamental parts of hardening that I constantly talk about. Always change or disable defaults. Failing to do this is leaving the door wide open. Often, people simply install applications with default settings and then never even realize that there is a vulnerability created. Whether this is due to complacency, laziness, or simple ignorance, it’s a big problem.
Some applications come with backdoors already installed. Although, never originally intended to be used for a malicious purpose, they were there for application designers to have as a convenience to them while developing the product and they are sometimes forgotten about and not pulled out of the code before release. Hackers can find these as well and exploit them to quickly and easily take control of that application and then possibly move laterally through the system to attempt to take control of the host itself.
This is why it’s so very important to read the documentation that comes with the product and to always keep products up to date. Usually, once the developer realizes that they have left the backdoor in place, they will release a patch to correct this. Promptly updating your applications will help to address security issues as quickly as possible. Unfortunately, developers can’t always be counted on to fix these issues, and they create very serious problems for everyone else. That is why defense in layers is so important.
One very important thing for beginners and students to understand is how emergency policies work together to respond in a time of crisis. Obviously, risk management is performed to identify the risks and policy then lays the groundwork for mitigation implementation. But as we all know, it’s simply not possible to completely avoid every possible calamity and catastrophe that might befall an organization.
To this end, we have three components that function together to help guide staff during these troubling times: the disaster recovery (DR) policy, the incident response team (IRT), and the business continuity plan (BCP).
Planning and creating the DR policy takes a team effort that involves experts from each functional area who will work together with stakeholders to establish policy, standards, and guidelines in the event of disasters. For example: What to do if there is flooding? What are the procedures for recovering from a power outage? What happens if a disgruntled employee breaches security? What takes place if someone reports a social engineering attempt?
When disaster strikes, people often panic. The DR provides a structured approach to recovering from a disaster so that the organization can return to normal operations as quickly and efficiently as possible. It provides step-by-step instructions and guidance so that staff can react decisively and effectively with advance knowledge of procedures already approved by senior executives.
The IRT is the team that handles the disasters. They are often security experts, but a good team also can make use of liaisons from departments such as HR, who, for example, may need to perform certain HR tasks and coordinate with other members of the IRT for appropriate responses to dangerous situations. The IRT implements the DR policy and tackles the problem.
But what happens while the organization is in the midst of the disaster? A large enterprise might be losing millions of dollars and that’s going to make some people very grumpy! While full operating capacity isn’t often going to be possible during a disaster, it certainly is possible to operate at least in a limited capacity so that some of the loss is mitigated. The BCP describes how the organization should proceed to mitigate some of this loss. One example would be if a grocery store loses power and can’t operate the registers, but the employees are able to handle cash purchases and write out receipts or use other manual forms of processing orders. At least this will keep some of the cash flowing in the interim. Use your imagination and you can come up with all kinds of BCP procedures to help mitigate loss in all forms of business.
These three components work together in sync to help provide a safety net for organizations. Disasters are going to happen. You may have heard the saying, “There are two kinds of motorcycle riders – those who have been down, and those who are going to go down”. When it comes to organizations, there are those who have had disasters, and those who are going to have them. It’s not a matter of “if”; it’s a matter of “when”. Woe unto those who did not plan ahead.
This is something that I’ve been interested in lately. I would personally love the opportunity to work for the NSA, but they have come under very heavy fire recently. A lot of accusations are being thrown around that they are illegally wiretapping domestic US citizens and collecting data on everyone.
That is a bit alarming. Obviously, we don’t want a very secretive agency doing illegal things and basically “going rogue”. But, I don’t see that the NSA would be able to do that for long if that really were the case. The NSA insists that they are adhering to every letter of the law while also doing their job to protect us.
Obviously, there are two sides to every story, and usually, the truth lies somewhere in between. It’s being stated that the NSA is collecting every single bit of raw data that they possibly can and storing it away. People are obviously freaked out about this and they’re calling it illegal. But, what they don’t understand is that it probably isn’t illegal (in my uneducated opinion – consult legal counsel) and here’s why I think so.
18 USC § 2510 (Definitions) defines “wire communication” as being an “aural transfer”, which in turn is defined as “…containing the human voice…”. Wiretapping, then, must involve someone actually overhearing the conversation. So what it appears we have is a loophole: one in which the NSA is doing nothing wrong by “slurping” every byte that crosses the wire, as long as they don’t actually put on headphones and “listen” to any of it.
So what they are then able to do is “data mine” that repository of information using queries to get information. Again, the result of a database query does not constitute a human being putting on headphones and “listening”, so technically speaking, from what I can tell, there is nothing illegal about this because they do not require a warrant. Anything not encrypted that goes over the wire is public domain and can be captured by anyone for any reason. It would be like complaining that someone records video of you when you step out into a public street. You have no reasonable expectation of privacy.
So, my only concern is that of abuse. The NSA has stated that they are under incredible scrutiny by oversight, and I tend to believe that. But, I also can’t help recognize that a government that collects extremely detailed information about everyone has gone the way of Stalin, Hitler, and Mao. Perhaps it is a bit alarmist to compare to these old school governments. Times have changed and information is power. Dealing with threats like terrorism most certainly does call for a complete reorganization of our intelligence operations post-9/11. We simply can’t fight terrorists or a “lone wolf” threat with tank battalions, artillery brigades, and bomber wings. Afghanistan has proven that.
So, it seems that both sides are correct, but only have a different perspective. The alarmists claim that the NSA is a rogue shadow government attempting to illegally record every citizen as a part of a plan to subvert our people to pave the way for a new military dictatorship. The NSA claim they are doing everything in their power to prevent another 9/11. It does seem as if, perhaps, the truth lies in the middle, that the NSA is doing an incredible job at what they do, but that in the process of using this loophole, US citizens have every right to be concerned.
There will always be distrust focused upon ultra-secretive organizations simply because a lack of transparency is automatically suspicious in most people’s minds. Being former Army and having previously held a security clearance, I know things that the average civilian doesn’t. Yet that doesn’t mean that I abused my position in any way during or after my service. The patriot in me wants to believe that the NSA is full of the most intelligent minds in our nation who only desire to serve our nation and protect our people. The historian in me sees all too well the slippery slope that is domestic recording. I would like to imagine that there are incredibly powerful access controls in place to prevent abuse, but neither I nor anyone else outside the NSA is privy to that information, and around we go again with suspicion.
I am a hacker to my core and I believe that information should be free. I believe that knowledge is power and when governments attempt to limit access to information, it is time for a revolution (save, of course, legal classification restrictions; I mean general information). Yet, what I see is not the government limiting information, but wanting access to it no different than any hacker. Is it not hypocritical to stand for the cause of free information, yet want to deny information to others, even if that be a government entity? This smacks more of anarchism than of free information.
I simply cannot believe that 30,000 of the brightest and smartest mathematicians, linguists, and analysts in our nation, who are also patriots, could ALL be 100% complicit in some shadowy scheme for the intelligence community to supplant and replace the government with a Gestapo-like regime. I think it’s alarmist. I think it’s idiotic. Most of all, I think it distracts from the real issue.
If this is nothing more than a loophole that is being taken advantage of, then the people need to be aware of it and make a decision whether or not this is something they want to allow. We govern ourselves and we, through the democratic process, determine how our government operates. So, my call is to all my fellow patriots out there. Take off the tin foil hat and let’s engage this realistically. Is it worth it for me personally to avoid NSA “slurping”?
Personally, I believe that before 9/11, the only real issue that the intelligence agencies had is that they refused to cooperate with each other. It is obvious from reports that the 9/11 hijackers were being monitored by the NSA. However, the NSA did not pass that information on to the FBI, who would have had domestic authority to act on it. The system we had before worked just fine, except that we needed to ensure that the agencies would share information. That has certainly been fixed by now, but we have also seen the largest government restructuring in recent history, to include incredible expansion of intelligence services and operational scope and capability.
I believe that it would be an incredibly powerful tool to have, but I also recognize how dangerous it is simply because it exists, so I am very torn on the subject. I’m certain that smarter minds than mine will explore this and I believe everything will work out in the end.
Welcome back to my weekly blog. I hope you enjoyed your holidays and there are still more to come. Again, going to keep things short this week. I want to discuss the importance of firewalls.
Obviously, there could be an entire series devoted to firewalls. As a beginner, it’s likely that you’re aware of the importance of firewalls, but perhaps you’ve never written any rules. Maybe the extent of your knowledge is the local software firewall you use on your personal computer at home. In the enterprise, the firewall is the one place that is going to take the brunt of any attack. Let’s assume that you have a corporate network that only has one access point to the internet, and there you have a border router with a firewall.
The firewall is going to give the Administrator the ability to determine what is acceptable and what isn’t. Certain traffic can be blocked or “dropped” at the router if it violates certain set rules. For example, no router should forward a packet arriving from the external side that carries an internal source IP. So, if you are getting packets coming in from the WAN that have a LAN address, someone is spoofing the address and trying to slip past your perimeter defense. Checking logs will allow the Administrator to see what IP range this came from and then block all traffic from that range.
As you can imagine, my blog is the source of many attacks. I’m not claiming to be a “security expert”. Sure, I know quite a bit of the technical stuff, but I have much to learn and I enjoy sharing that with others. But, people often want to attempt to access my website and, being a security related website, I guess some people take it as a personal challenge. One person in particular has really taken it upon themselves to attempt to break my backend Admin account.
In standard hacker behavior, this person is hopping IP addresses all around the world to prevent blocking. So, what can be done about this? Virtually all of the attempts have come from fairly tight IP ranges, meaning that this person is using particular proxies and they’re not just random. So, I’m able to block the IP range coming from that proxy and now they cannot even access my site to try to break the password.
IP blocking is a very important aspect of controlling traffic and eliminating a huge source of malicious threats to the network. This can be a real pain for companies that do business all over the world, but for those who are local and have no plans to sell anything to anyone in Taiwan, Nigeria, South Korea, or Uzbekistan, (or other places where many hackers and scammers launch attacks from) it’s perfectly reasonable to block the entire IP range coming from that country. This is known as “country blocking”.
China is completely blocked too. As a matter of fact, I’ve blocked every single country except a very few. Since doing that, the number of attempts to compromise my website has dropped drastically. I use many different features combined to create a defense around my website that will prevent bots and the average skid from having their way with my site. The ability to block IP addresses, IP ranges, and entire countries by IP is a huge benefit that simply cannot be overlooked.
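The two firewall practices discussed above, dropping WAN-side packets that carry a LAN source address and turning repeated login failures from one proxy’s range into a range block, are illustrated below. This is an added example rather than code from the original post; the interface name, the blocklist and the log lines are constructed, with the log layout loosely modelled on iptables LOG output and Apache-style access logs.

```python
"""Border-firewall ingress checks and log-driven range blocking. Added
example, not code from the original post; interface name, blocklist and log
lines are constructed."""
import ipaddress
import re
from collections import Counter

WAN_IFACE = "wan0"  # assumed name of the Internet-facing interface

# Addresses that must never appear as a source on the WAN side: RFC 1918 space,
# loopback, link-local and "this network". Seeing them inbound means spoofing.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

# Constructed: proxy range already identified as hammering the admin login.
BLOCKED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def classify_ingress(iface: str, src: str) -> str:
    """Verdict the border firewall gives an inbound packet from src on iface."""
    addr = ipaddress.ip_address(src)
    if iface == WAN_IFACE and any(addr in net for net in INTERNAL_NETWORKS):
        return "DROP-SPOOF"      # LAN address arriving from the Internet
    if any(addr in net for net in BLOCKED_RANGES):
        return "DROP-BLOCKLIST"  # explicitly banned range
    return "ACCEPT"


# Constructed firewall log lines.
FW_LOG = """\
Jan 05 10:00:01 fw kernel: IN=wan0 SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP DPT=443
Jan 05 10:00:02 fw kernel: IN=wan0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP DPT=443
Jan 05 10:00:03 fw kernel: IN=wan0 SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP DPT=80
Jan 05 10:00:04 fw kernel: IN=lan0 SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP DPT=443
"""

FW_RE = re.compile(r"IN=(?P<iface>\S+) SRC=(?P<src>\S+)")


def audit_fw_log(text: str) -> dict:
    """Map (iface, src) of each logged packet to the verdict the rules give it."""
    return {(m.group("iface"), m.group("src")):
            classify_ingress(m.group("iface"), m.group("src"))
            for m in FW_RE.finditer(text)}


# Constructed web-server log: failed admin logins from a narrow proxy range
# plus one unrelated failure and one successful request.
AUTH_LOG = """\
198.51.100.7 - - [05/Jan/2024:10:01:00 +0000] "POST /admin/login HTTP/1.1" 401 0
198.51.100.12 - - [05/Jan/2024:10:01:04 +0000] "POST /admin/login HTTP/1.1" 401 0
198.51.100.30 - - [05/Jan/2024:10:01:09 +0000] "POST /admin/login HTTP/1.1" 401 0
192.0.2.44 - - [05/Jan/2024:10:01:15 +0000] "POST /admin/login HTTP/1.1" 401 0
192.0.2.44 - - [05/Jan/2024:10:01:20 +0000] "GET /admin/ HTTP/1.1" 200 5120
"""

AUTH_FAIL_RE = re.compile(r'^(?P<src>\S+) .*"POST /admin/login HTTP/1\.[01]" 401 ')


def propose_range_blocks(text: str, threshold: int = 3, prefix: int = 24) -> list:
    """Group failed admin logins by /prefix; return ranges at or over threshold.

    Hopping between addresses inside one proxy's range is what the text
    describes; aggregating per /24 makes the range visible so it can be
    blocked as a whole instead of one address at a time.
    """
    counts = Counter()
    for line in text.splitlines():
        m = AUTH_FAIL_RE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m.group('src')}/{prefix}", strict=False)
            counts[net] += 1
    return sorted(str(net) for net, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for key, verdict in audit_fw_log(FW_LOG).items():
        print(key, "->", verdict)
    print("propose blocking:", propose_range_blocks(AUTH_LOG))
```

The same spoofed source address is accepted on the LAN interface and dropped on the WAN interface, which is exactly the asymmetry the anti-spoofing rule relies on.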
Today, I was browsing the internet using certain keywords and I happened to notice a specific search result that grabbed my attention. I clicked on the link and was absolutely amazed at the amount of fail I witnessed.
I’m not going to dignify the thread, or the posters, with a link to the site. I’m sure there will be enough information in this article that, if you choose to seek it out, you will find it. To put it simply, a group of video gamers are participating in an online tournament. However, one of them fancies himself a “veteran hacker” who has managed to get the IP address of several of the participants and he is DDoS’ing them to harass them.
In typical child form, the cyber-bully then makes demands to amuse himself and make himself look cool. The bully demands that people take pictures of themselves holding one of their shoes on top of their head and send them to him – which he then uploads online to humiliate them.
The rest of the thread continues on with many arguing back and forth, and one victim repeatedly crying that he can’t possibly stop the DDoS attacks from happening. (Gee, I dunno – clean your system of malware and get a new IP address maybe?) It was complete fail from start to finish, with many people trying to flex their e-peen and kids laughing at others while engaging in illegal activities.
Oh, yes. That’s right. I wrote it. “Illegal activities”.
I recently retweeted a link to an article, where a 15-year-old pled guilty to a number of hacking charges to avoid spending 3 years behind bars. The plea deal was this – plead guilty, and you stay out of jail. BUT – you lose access to the internet for 6 years. So, this 15-year-old will not have unsupervised access to the internet (and only for educational purposes) until he is also old enough to legally consume alcohol. Kids think this stuff is just fun and games. They fancy themselves big-time hackers. So, for any kids, parents, or other interested parties, let me just say this: You are playing with fire and if you step over the line and grab the wrong person’s attention, you might find yourself at the business end of a judge’s gavel too.
If you have been the victim of cyber-attacks and cyber-bullying, I urge you to contact law enforcement so they can conduct an investigation. This kind of behavior puts us all at risk and as any “real” hacker will tell you – you’re not Mr. big-time hacker because you can click a button. You can, and just might, end up in jail.
This week, I will be very briefly covering access control. I’ll describe three main classifications for information, and then discuss some control methods that have been used (and are being used) to keep access to information appropriate and in accordance with access policy.
To begin, there are these three categories:
Public Use information is that information which is available to the public, but may not simply be outright advertised openly. For example, some organizations may need to comply with certain regulations and, as a part of that, certain information is “public” and “reportable”. The organization may provide this information to the necessary agencies, but not openly post the information for the public (even though it may be available publicly through the oversight agency).
Internal Use information is that which is not intended to be seen or used by anyone outside of the organization or its oversight agencies due to the sensitivity of the information. Such information may include employee files, client tables, and similar information. Note that some of this type of information may also be subject to certain laws (and often is, for example in the case of medical patient records, which are protected by HIPAA).
Restricted Use information could be devastatingly damaging to the organization if it should get out. For example, proprietary information, product development plans, marketing strategies, etc… exposure of any of these could be catastrophic.
The access controls themselves help to not only organize the access to information based on its category, but also provide protections. Primarily, we can say that there are three main branches to which these often belong.
Implicit Deny is an extremely granular way of going about assigning permission to access information. It essentially says that the person only has access to the information they have been specifically given permission to access, on a file-by-file basis; anything not explicitly granted is denied.
Least Privilege is often associated with role-based permissions, where someone is given only the permissions required to perform their job. These permissions can already be pre-established in a role object (such as an Active Directory User Group Object) to which that user can be assigned and will then inherit the associated permissions for that role (for example, Auditor) automatically.
Job Rotation may not sound like access control at first, but think about this: You have had the same senior network admin for 15 years at your company. He’s always been very insistent that nobody else is allowed access to his administrator information (logins, etc) because he is very protective of the system. Last Sunday, on his way home from a cook out, his vehicle was struck by a bus and he is now in intensive care in a coma. While the gravity of the situation for the family and the administrator is most certainly a terrible tragedy, it does immediately follow – how are we going to get access to those administrator controls and the operational knowledge?
Job Rotation fixes that by not allowing one person to become embedded into a position so deeply that the organization simply can’t function without them. It also allows for the employees to gain valuable experience in multiple domains, which actually increases their worth and value to the organization. There was a saying in IT for a long time that if one wanted to have job security, the goal was to “Make it just hard enough so that when it breaks, you’re the only one who can fix it.” Because of that mentality, many organizations suffered. However, the opposite is actually true. If the employee is very well rounded and can fill any role in the organization’s IT department, they are a huge asset. Having a person that is a “silo” in a modern agile organization is just terrible business practice.
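To make the implicit deny and least privilege ideas concrete for the three information categories above, here is an added example (not code from the original post) of a small role-based authorizer: roles carry explicit (resource, action) grants, users inherit them through role assignment much like the Active Directory group in the text, and anything not granted is denied. The resources, roles and users are constructed for illustration.

```python
"""Access decisions for the three information categories, using role-based
grants with implicit deny. Added example, not from the original post; the
resources, roles and users are constructed."""
from dataclasses import dataclass, field

# The three categories from the text.
PUBLIC, INTERNAL, RESTRICTED = "public", "internal", "restricted"

# Constructed resources and their classification.
RESOURCES = {
    "annual_report": PUBLIC,
    "client_table": INTERNAL,
    "employee_files": INTERNAL,
    "product_roadmap": RESTRICTED,
}


@dataclass(frozen=True)
class Role:
    name: str
    grants: frozenset = field(default_factory=frozenset)  # {(resource, action)}


# Constructed roles. Each carries only the grants its job needs (least
# privilege); anything not listed is denied (implicit deny).
ROLES = {
    "everyone": Role("everyone", frozenset({("annual_report", "read")})),
    "auditor": Role("auditor", frozenset({("client_table", "read"),
                                          ("employee_files", "read")})),
    "hr": Role("hr", frozenset({("employee_files", "read"),
                                ("employee_files", "write")})),
    "product_lead": Role("product_lead", frozenset({("product_roadmap", "read"),
                                                    ("product_roadmap", "write")})),
}

# Constructed user -> role assignments (like AD group membership in the text).
USERS = {
    "alice": {"everyone", "auditor"},
    "bob": {"everyone", "hr"},
    "carol": {"everyone"},
    "dave": {"everyone", "product_lead"},
}


def effective_permissions(user: str) -> frozenset:
    """Union of the explicit grants of every role the user holds."""
    perms = set()
    for role_name in USERS.get(user, ()):
        perms |= ROLES[role_name].grants
    return frozenset(perms)


def authorize(user: str, resource: str, action: str) -> bool:
    """Implicit deny: True only when a held role grants exactly (resource, action)."""
    if resource not in RESOURCES:
        return False  # unknown resource: deny rather than guess
    return (resource, action) in effective_permissions(user)


def users_with_access(classification: str) -> set:
    """Who can touch data at this level; input for a periodic access review."""
    return {u for u in USERS
            if any(RESOURCES[r] == classification
                   for r, _ in effective_permissions(u))}


if __name__ == "__main__":
    for who, res, act in (("alice", "client_table", "read"),
                          ("alice", "client_table", "write"),
                          ("carol", "employee_files", "read")):
        print(who, act, res, "->", "ALLOW" if authorize(who, res, act) else "DENY")
    print("restricted-data reviewers:", sorted(users_with_access(RESTRICTED)))
```

The access-review helper is the piece that pairs with job rotation: it lists exactly which people can reach each category, so a single-person dependency on Restricted data shows up before it becomes an outage.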
To learn more about how these are applied in a model of access control, Google and research the following concepts:
Lastly, there are several regulations that you will need to be aware of because of how they affect your access control plan. Look up more information on these laws and regulations for a more in-depth understanding:
That concludes my brief introduction this week. Again, thanks for reading my weekly series and I hope you find the information valuable.