security is as strong as the weakest link..

“Security is only as strong as your weakest link “

Am I a big fan of Penetration Tests?
Yup, I am, but not the way most companies do it or get it done.
Companies look at these assessments as a tick mark in a compliance checklist. No one wants issues to be there in the assessment reports. Every one fights to get the risk ratings from critical to medium and medium to low. I have often realized how hated I am in the organization and somehow concluded that more the IT guy is pissed with me the better work I have done!

So why do Penetration Tests fail & why I think these tests are useless.

Companies fail to understand what is critical for them and what needs to be checked. There are no targeted pen tests being done.
While getting their external router assessed for critical vulnerabilities they often fail to realize that they have a porous wireless network which would be piece of cake for a determined attacker.

One of my clients was after me to ensure that we reviewed his routers and firewalls multiple time while he had his wireless network secured by using MAC filtering only. It took me days to convince the client and his MNC wireless vendor to drive home the point that wireless network directly hooked in your server environment is a bigger risk, and somehow MAC filtering is not a security mechanism. I could show him that it was easier to walk into his premises and put a rogue AP in a conference room rather than working my way through layers of firewalls he had at the internet perimeter. In no way I am demeaning the value of having a secure perimeter, but not at the cost of having a network port open in a guest lounge.

Organizations would put cameras, security guards and turnsters at the main gate while keeping backdoors to lobbies and cafeterias open and unmanned. One other clients was not ready to accept that password guessing, even if I am able to guess his domain admin password was a successful hack and a serious issue, as he wanted something technically fancy, something that looked like those hacker movies we see, something which is magical and gives a shell. If someone can kill you with a hammer he doesn’t need to use his snipers. And death is death whether by cold or by cancer.

Clients come and tell me to perform external pen tests and shy away from including social engineering, client side testing, physical security and stolen equipment tests, without realizing the test would show them only one side of the coin, and not the actual picture. It would take someone minutes to launch such attacks and get the jewels of the organization.Getting internal Penetration tests for servers done without including clients, network devices, password brute forcing and social engineering test?
Come on stop kidding me.
Don’t create a security theater for yourself, a tester with his hands tied behind his back and eyes blinded could not hack your systems and you feel happy about it and feel like a winner! AAH!
Lets have a no hold bar test. Let’s level the playing field. Let’s have actual tests done. Let’s see where we are broken. Let’s check our small offices in sleepy towns.
Lets get ourselves hacked so as to be secure. Hackers do not follow rule books , they do not have an assigned budgets or time frames. They do not have time lines for compliance and do not have time slots to stick to. A determined hacker/tester would get in.
The world has now changed from people trying to catch the low hanging fruit to hackers who are professionals and know who and how to target. Lets stop preparing ourselves s against indiscriminate machine gun fire to more directed sniper shots.
Remember your
“security is as strong as the weakest link which is around the corner waiting to be exploited.”

Notepad Reverse engineering …

The bug of curiosity struck me again … and this time it was for reverse engineering, so got in depth of it. Started out with reverse engineering of a simple application like notepad.exe.

The tools used by me to reverse out notepad.exe are Ollydbg 1.10 and simple notepad.exe of windows XP (x86 architecture) as the notepad of 64 bit is not supported by Olly 1.10

The thing that I got into was injecting code to Notepad which would result to simple popping up of a message box stating that ‘Your System is Owned’.

The first feel when I opened notepad in Olly was WOW, I’m to learn Greek now, as I got some thing like this:

Then I started with all the commands and operation of assembly. I was fascinated and started getting my hands dirty with it. So first point of attack was the code caves. It’s a block of assembly code filled with DB OO value where in not much value adding task is done so we can inject code on to it.

Take any part of the Code cave and select multiple lines of code and right click it and go to binary edit and write down any message that you wanna type down. Then do Ctrl+A to reassemble code.

Second point of attack was to insert the code which calls the Text and displays it using message box. This part can be used to inject malicious code or plant a backdoor on to the exe. The code that is being appended is displayed in the picture below.

Third  point of attack was to add the JMP pointer to the injected code at the starting of the application or to a specific function.  In this case used it at the starting of the exe.

Now copy all the modifications and a new set of ASM code would be generated. Save the new exe and when it runs it would pop up the message box before running…

Adios

Firing the Anti Virus …

Below is a recount of a small, simple and a sweet hack done on a network. Even when they had a firewall installed and used to monitor the network regularly, the hack could take place!

Scene : Target compromised through a User Account having default password. Thanks to Social Engineering 😀

Cast: Batman and the Joker (The compromised User Account). But the Joker is just an normal employee, not a top manager! Would be difficult to get escalated! (Attacker = Batman, Attacked = Joker)

Motive : Batman wants to plant a Key logger in to the target, but the bloody anti virus detects it as a virus and is deletes it!

Flashback:
Joker: Hey dude, what doing man? Are you free for a few minutes? This f*****g internet doesnt work on my system!! Batman: yeah, let me see. (after a few minutes) You seem to have entered the wrong credentials for the cyberoam! Whats your username …?
Joker: abcdefgh
Batman: … and your password?
Joker: sorry sir, cant give it! (he enters the password)
(Batman then clicks “login” and firefox pops up a message to save the password. Batman saves the password using the keyboard shortcuts w/o Joker knowing!)

To make the long story short, Batman is able to find out the password of Anil for the Cyberoam through the firefox saved password list! It seemed to be a default password set for all the users!!

Present: Batman is still trying to access the drives of the target system to deploy the key logger! No drives are shared and no simple passwords work; tried out all possible combination.

He then remembers the password Anil entered for Cyberoam and it works!! He is able to get into the system and access all the drives and files! Then another idea struck him. He tried the same password for the Admin account; and guess what, it worked too!! Awesome!

Now, the only thing to be done is to install a key logger. No other hacks to be done, strictly; we are good people :P. But, to his dismay, he finds out that a Symantec Anti Virus is installed which is deleting the key logger (bloody, all free key loggers are detected by the anti virus!!) Idea! Go to the Symantec drive and delete all the Symantec anti virus files (other than the ones in use) and your work is done!!! This was really surprising at that time that a high fundu security tool like Symantec could be shut down just by deleting its files!!

Restarted the system using the command “shutdown -r -t 01” (look up the man page). As was expected, Symantec did not run since there were no supporting files/dlls! Using the psexec command from the “pstools“, the key logger was installed remotely, after which a restart was required, which was easily done! Through this we got hold of a lot of sensitive information.

Through this, I was convinced that a successful hack does not require the use of any vulnerability assessment tool or any high fundu tools/scanners; that Social Engineering/Shoulder Surfing/etc is pretty simple and can mar the effect of the best of the networks and learnt one more way of bypassing firewalls.

The biggest learning from this project was about the Anti Virus. A tool which was supposed to safeguard us is vulnerable in such a simple way! The Anti Virus guys could any day afford to add a File Integrity Monitor!! As a friend said “So much so for companies that supposedly pour millions of dollars into R & D!!!

Using Visualization in security…

Visualization as mentioned is the art of ploting any complex series of events on to simple graph for ease of understanding.

Taking the concept of Visualization on to Information security where complex structures of exploits,  malaware,  traffic of bot-nets etc. can be mapped to simple and comprehendable graphs. Looking it from the other perspective Security visualization could be used for to make business sense like for making threat maps for an organization as a part of VA and executing them in the Pen-test or making a tree map for various compliance. On the lighter and practical side these methods could be used to ease down the burden of reporting.

Recently when I was working on a project of nepenthesfe I stumbled upon afterglow a perl based tool afterglow to make graphs from CSV files (using some tweek up ) and to my daze i found it can take in any sort of data let it be pcap files (in CSV form) to binaries or even logs and convert the output to the mapped link-graph.It firstly creates a .dot file which can be used to convert to jpg or png file using graphviz. And using graphviz u can create various types of layout namely twopi, circo, dot and neato. Ya all sound greek/ geek.

Firstly i started out making simple bash based script to test making some simple graphs but later while goin in depth of the rabbit hole, I found that a simple tcpdump can be used to generate graph based on variour parameters like source, dest, port, count, traffic, usage etc etc (using the simple play of regex). But as the rabbit hole of afterglow grew more  deeper i found that it would be easier to find unique attack vectors for a log analysis and detailed mapping of logs is possible based on count.  Lastly the most amazing one was use of pefile to convert a detials of binary to csv file and then make a map of the binary. Moreover afterglow structure can be modified just by changing the colors.properties file based on the type of input required.

And all this using just one single command.

cat csvfile.csv | perl /pathtoafterglow/afterglow.pl | neato -Tjpg -o outputfile.jpg

( Provided the csv file has valid data )

(have been tested on Ubuntu with graphiz package as a preqreuisite)

Adios for now as getting my head on Treemap (JAVA my nightmare )

Bug in Trend Micro’s DLP

Hemiptera! Hemiptera! We found a BUG!!!

Trend Micro’s Data Loss Prevention solution has a bug which would allow clients to attach files through its Gmail Drag-n-Drop functionality.

While deploying the solution, We tested all the possible ways in which files can be attached and sent over the network. Trend Micro’s DLP blocked everything except for the files attached via Drag-n-Drop functionality.

We even had a talk with the Development team of the Trend Micro’s DLP and they heard about this problem for the first time!!! So here’s one feather in Kavatch’s cap 😉

SCREENSHOTS:

Uploading File through Gmail's Drag-n-Drop Functionality

Uploading File through Gmail's Drag-n-Drop Functionality

File Uploaded bypassing the Trend Micro's DLP

File Uploaded bypassing the Trend Micro's DLP

Posted in kavatch. 1 Comment »

Kavatch … a new perspective to security

Kavatch is a sanskrit word which means Defense. In literal sense, it is the protective covering worn when one goes to war. Building a good kavatch was one of the domains during the kingly rule a few hundred years ago. Innovativeness in the defense provided to oneself was also seen during those days, as can be seen by the Myrmidons of the ancient Green mythology, who created a shield for themselves combining the individual shield which each person carried.

Things aren’t any different now, just a new perspective. With the invention/discoveries of new gadgets and the shift from power of lands to the power of knowledge, the protective covering has also changed. Previously, it was the land which the kings controlled and secured using Pawns and Scouts, huge and powerful buildings and walls to protect the city from external attacks and the Priests to educate the citizens of the city to be loyal to their rulers. They practiced what we call Network Security nowadays, securing their assets from the outside, through (fire?) walls/buildings/scouts/pawns/archers/etc, and internally keeping the employees (citizens) happy. What more, they even had anti-spyware who were always ready to catch spies from a different kingdom! In the current age, it is the information which is being secured from other businesses which would gain millions (yeah?!) once they get their hands on it. Nothing different!

Mapping all this to the current era, we see that the trio of Confidentiality, Integrity and Availability is also maintained. The CEO of the kingdoms were always thinking of new ways for Cryptography, Business Continuity Planning/Disaster Recovery, Access Control, Physical Security, Trainings and Awareness Camps and who knows, even Risk Management! All we have done is picked up the age old concepts, digitized it, patented it and marketed it as if it is the best product Man (or any other animal) could ever have thought of, continuing the legacy of the age old concept of “Copy-Paste“.

Through this blog we intend to, apart from continuing the legacy, identify innovative approaches to securing the business, share our experiences with the defensive as well as the offensive domains of security, create a platform for serious discussion to improve the security architecture of a business and clear the myths surrounding the security world.

For all this, we look forward to your, as Achilles, contribution, without which even the Myrmidons were helpless.