Monday, April 29, 2013

VPN troubleshooting: Isolating VPN session timeout issues

Depending on the vendor your company uses, the location from which you’re trying to establish a VPN connection, and other factors, a user could come up with a hundred different possible issues with authenticating to a VPN. Here are some areas to look at first regarding the stability of a VPN connection.

One of the first things to do when troubleshooting a VPN session timeout or lockout issues is to determine the user’s location. It’s important because if a user can always connect while he or she is at home, but can never connect on an open Wi-Fi connection at the local coffee house, that should enable isolation of the issue quickly. This is one of the simplest forms of VPN troubleshooting, but can save a lot of time during the process.

Another way to start determining the root cause of the VPN issue is to ask the user to connect to the VPN both on the WLAN and the wired LAN. The majority of VPN connections these days are connected wirelessly. In the past, I’ve noticed certain vendor agents are less tolerant of network loss due to the poor strength of a Wi-Fi connection, which could result in VPN stability issues. If a user is able to connect via the wired LAN without any issues, but has an issue periodically with the WLAN, start troubleshooting the agent logs and the origin of the logon attempts with an eye toward wireless-related issues.

There’s also the issue of timeout periods for users. I’ve seen many default values around timeouts, such as idle connections after 10 minutes, and a max session at 60 minutes with a reminder of five minutes before timeout. This might not suit all users, so these values could be reworked to fit the needs of the company and user population. This could be an issue where the defaults are too low for what the user needs the session for; this is especially true in SSL VPNs.

When using IPSec, verify the connection settings of your phase 1 and phase 2 rekey policies. The phase 1 policy will be able to go down without an issue and rekey, but if your phase 1 and phase 2 timers go down at the same time, there’s the potential for a timeout or longer connection time.
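To see how the phase 1 and phase 2 timers can line up, here is an added example (not code from the article or any VPN vendor) that models both rekey schedules and reports the instants where they fall due together. The model is a constructed simplification: an SA is rekeyed `margin` seconds before its lifetime ends and its clock restarts at every rekey, and the random rekey jitter some IKE stacks add is ignored, so it shows the worst case.

```python
"""Flag moments when IKE (phase 1) and child SA (phase 2) rekeys coincide.

Constructed model, not any vendor's implementation: rekey happens `margin`
seconds before expiry, the clock restarts at each rekey, and no jitter is
applied.  Times are seconds since the tunnel came up.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SaPolicy:
    name: str
    lifetime: int  # seconds the SA stays valid
    margin: int    # seconds before expiry at which rekeying starts

    def rekey_times(self, horizon: int) -> list[int]:
        """Rekey instants up to `horizon` seconds after tunnel start."""
        if not 0 <= self.margin < self.lifetime:
            raise ValueError(f"{self.name}: margin must be shorter than lifetime")
        interval = self.lifetime - self.margin
        return list(range(interval, horizon + 1, interval))


def rekey_collisions(phase1: SaPolicy, phase2: SaPolicy,
                     horizon: int = 86_400, window: int = 120) -> list[tuple[int, int]]:
    """Return (phase1_time, phase2_time) pairs that fall within `window` seconds.

    Both schedules are sorted, so one merge-style pass over them is enough.
    """
    p1 = phase1.rekey_times(horizon)
    p2 = phase2.rekey_times(horizon)
    hits: list[tuple[int, int]] = []
    j = 0
    for t1 in p1:
        # skip phase 2 rekeys that are already more than `window` before t1
        while j < len(p2) and p2[j] < t1 - window:
            j += 1
        k = j
        while k < len(p2) and p2[k] <= t1 + window:
            hits.append((t1, p2[k]))
            k += 1
    return hits


def describe(phase1: SaPolicy, phase2: SaPolicy) -> str:
    hits = rekey_collisions(phase1, phase2)
    head = (f"{phase1.name} {phase1.lifetime}s/{phase1.margin}s vs "
            f"{phase2.name} {phase2.lifetime}s/{phase2.margin}s: ")
    if not hits:
        return head + "no simultaneous rekeys in 24h"
    first = hits[0]
    return head + f"{len(hits)} simultaneous rekeys in 24h, first at t={first[0]}s"


if __name__ == "__main__":
    # Same lifetime and margin on both phases: every rekey collides.
    print(describe(SaPolicy("ike", 3600, 540), SaPolicy("child", 3600, 540)))
    # A 3h IKE lifetime against a 1h child lifetime keeps them apart.
    print(describe(SaPolicy("ike", 10800, 540), SaPolicy("child", 3600, 540)))
```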

Read the rest of my article here.

Saturday, April 27, 2013

Response to Huffington Post - Fines for Hacked Social Media Accounts

The Huffington Post recently published an article calling for companies to face fines for having their social media accounts compromised. The Associated Press recently had its Twitter account compromised, and the resulting tweet, "Two Explosions in the White House and Barack Obama is injured", caused a small dip in the market.
In the wake of a brief stock market crash caused by hackers sending out a false tweet from the Associated Press' Twitter account, companies who fail to secure their social media accounts from hackers should face fines, one federal regulator told The Huffington Post.
What makes them and Bart Chilton, a commissioner with the Commodity Futures Trading Commission, think adding more regulation is going to fix anything? Haven't they learned that regulation and compliance don't equate to security? All this does is give them an avenue to seek vengeance for lost money, because Wall Street and stock brokers are all trying to be the first to make a trade in a cut-throat community.
Chilton said he asked the agency's lawyers to review whether a company whose Twitter account gets hacked is violating a law that bars it from "providing misleading information or recklessly allowing information to come out." 
Before Mr. Chilton starts making blanket statements about how to fix the cyber community, he should get a better understanding of how these compromises actually work. Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) attacks, as well as a plethora of other attacks, make stealing social media credentials something easily accomplished by a persistent attacker.

Before we start trying to fix a broken system with more fines and regulations, let's look at the cause of the issue to begin with. Wall Street and Stock brokers shouldn't take everything they read on the internet as gospel. In this digital age with all the advances of trading in the stock market, if a simple tweet can bring down our economy we have more to worry about than hackers.

Wednesday, April 24, 2013

Modern security management strategy requires security separation of duties

Over the past few years, information security has become a top-level concern to enterprise senior management. Many organizations by now have created information security departments to secure themselves from the threats they’re facing, but in today’s environment, it’s no longer enough. Hence the reasons why a paradigm shift is needed regarding the ways security departments are being structured. No longer should one department manage security from cradle to grave.

Having two departments share the information security burden is an ideology that’s starting to gain traction, especially in the financial sector due to regulatory mandates like the Sarbanes-Oxley Act (SOX) and Gramm-Leach-Bliley Act (GLBA). The idea of having separate roles for those monitoring security incidents and those implementing and acting on security incidents is a shift in thinking. Most security departments are configured as a one-stop security shop, handling everything from strategy, policy, configuration and remediation, but within this broad swath of duties and responsibilities, issues can be lost or purposely overlooked.

As an example, in most enterprises the engineer making a firewall change is also the one reviewing the firewall metrics for unauthorized changes. What if the firewall administrator wanted to hide something? How would anyone ever find out? This is where the separation of duties comes in to focus on the responsibilities of tasks within security. Creating an information security team in this structure allows for dedicated resources performing security from an operation and monitoring standpoint. This paradigm encourages a focused approach to each group and allows for the resources to have dedicated responsibilities. This means the security operations staff is busy with engineering and incidents and the monitoring group is looking for breaches.

To that end, a better model is one in which engineers in an IT operations group would make configuration changes, and then information security analysts in the information security monitoring and management group would monitor the environment, analyze key data and make recommendations on changes and updates. Let’s review each group’s duties in detail.

The operations group would be responsible for the implementation of new security technology and its day-to-day use. Its main focus would be responding to security incidents and hardening systems on an operational level, as well as the remediation of security events and managing technology that helps secure the company proactively. This team should also have rights to investigate issues on equipment, verify configurations are set up properly, and assist with the overall security lifecycle of the infrastructure. This team would manage the configuration and implementation of the network and systems, while proactively managing devices that help protect the perimeter and the internal network. Some technologies that would fall under the auspices of this group are firewalls, IPS, NAC, WAF, etc.

The monitoring group, on the other hand, should be the security watchers. This group’s main function would be to look for security incidents and vulnerabilities. This group should actively monitor the infrastructure for potential issues and escalate them to the IT operations group as incidents. This team should have read-only permissions to many systems, but shouldn't have the rights to make changes. Its job should be to review the infrastructure, identify potential incidents and alert those with the permissions to take action on them. This team’s main concerns would be the review of the network for breaches, either externally or internally. Technologies that may be housed in this department would include those that support the mission of monitoring and security oversight, such as SIEM, DLP, identity management, vulnerability management, and the like.

With the implementation of a security separation of duties involving two distinct groups managing an enterprise’s information security posture, there may be a feeling of overlap. Both teams will have some access to the majority of the systems housed in each other’s department, but one department will be responsible for certain actions of the tool.

An example of such technology sharing would involve the use of the SIEM. The monitoring group would want to use it to proactively search for and identify potential security incidents, while the operations team might use its logs to research an incident. Both would have access to the tool, but use it for different purposes. Having one team searching for and alerting on events would allow the other to focus on hardening and implementing better security. When the security incident management lifecycle is left solely to one group, issues can easily be overlooked and hence gaps in a security program can result. Having the two teams work in tandem and reporting to different branches of the organization allows for the strongest security posture in an organization. Both groups keep the other honest, and work together to secure the network.

Read the rest of my article here.

Tuesday, April 23, 2013

Falling for a Phishing Attack (This is fun)

Okay, so I recently received a phishing e-mail to my home address and wanted to see what would happen if I followed it down the rabbit hole. This is always a fun exercise, because you never know what you're going to find or where you'll end up. Many times it leads to a Blackhole exploit kit or malicious iFrame, but this particular phishing e-mail was purely looking for personal information. A classic phishing example.

So here's the body of the phishing e-mail in all of its glory. Not bad if you think about it, but it still has the telltale signs of a phishing attack (the generic salutation, grammar, formatting errors, etc.). One area that I thought was amusing in this phishing e-mail is the reference to William Sheley. Mr. Sheley actually exists and does work for Chase as an SVP (thank you LinkedIn). All-in-all this is a decently produced and researched phishing attempt, except for one thing. They attached an HTML document they want you to download and fill out (because all banks send you attachments like this). Ummm......No.

So okay, let's play the game. I have a virtual machine (VM) set up running Deep Freeze to purposely infect and play with these types of threats. Once you reboot the VM everything's restored to the original configuration using some sort of black magic. The software works freaking great and I highly recommend it.

The first thing I do is forward the phishing e-mail to a Gmail account I created to store phishing e-mails. Some people collect baseball cards, I collect phishing e-mails. Right off the bat Google notices there's some foul play going on and throws me this alert. Despite having a lack of privacy with Gmail, they're pretty darn good at catching spam/phishing. 

Now for the fun part. After I open the HTML document I can see what they're trying to do. This is a simple way of collecting information from unsuspecting victims. Before opening the HTML file on my VM running Deep Freeze, I uploaded the HTML file to to verify that it didn't have a malicious reputation and started an instance of Wireshark to collect all the network traffic. Once the fake HTML form was up and all the inputs filled out, with fake data of course, I was able to review the packet capture to see where they were sending my faithfully entered credentials. Another interesting note about this form was that it was coded for user input validation on the fields. When I tried to enter "Shut Up" on the ATM/Debit or Credit Card Number it gave me an error that only numbers were allowed. Well, that was helpful. 

As soon as I entered all the data in the appropriate fashion I submitted it like an unsuspecting user and was promptly directed to the real Chase home page below. This is done to make you think you actually completed something for their site and give you a false sense of security.

Now for the funner (is this a word) part!! Let's see exactly where all my "sensitive" information was being sent. I stopped my Wireshark capture and took a look at where this HTML form was forwarding to. Looking at the capture it becomes clear quite quickly what was going on. As soon as you submit the HTML form there's a DNS request looking for the "A" record of and a POST to /web/dmUserPlugin/js/complete.php. It turns out that all my very sensitive information was being sent in the clear to this compromised site.
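The same triage can be done statically, before the attachment is ever opened. The following is an added example (not code from this post): it parses an HTML form attachment, records where each form submits and which fields it collects, and flags cleartext submission, a third-party destination host, and sensitive field names. The embedded HTML is a constructed stand-in for the attachment described, with a placeholder host and a placeholder bank domain.

```python
"""Static triage of an HTML form attachment: where does it post, what does it ask for?

The sample attachment and the expected bank domain are constructed placeholders.
"""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlsplit

# Field-name fragments that indicate the form is harvesting credentials or card data.
SENSITIVE_FIELDS = ("card", "pin", "ssn", "password", "cvv", "account")

# Constructed stand-in for the attachment; the path mirrors the post, the host is a placeholder.
SAMPLE_ATTACHMENT = """<html><body>
<form method="post" action="http://compromised-site.example/web/dmUserPlugin/js/complete.php">
  <input name="fullname" type="text">
  <input name="card_number" type="text" pattern="[0-9]{16}">
  <input name="atm_pin" type="password">
  <input type="submit" value="Verify">
</form></body></html>"""


class FormScanner(HTMLParser):
    """Collect each form's action and method plus the named inputs inside it."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: list[dict] = []
        self._current: dict | None = None

    def handle_starttag(self, tag: str, attrs: list) -> None:
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name")
            if name and (a.get("type") or "").lower() != "submit":
                self._current["fields"].append(name)

    def handle_endtag(self, tag: str) -> None:
        if tag == "form":
            self._current = None


def triage(html: str, expected_domain: str) -> list[dict]:
    """Return one finding per form with the reasons it looks like credential harvesting."""
    scanner = FormScanner()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        url = urlsplit(form["action"])
        host = (url.hostname or "").lower()
        flags = []
        if url.scheme == "http":
            flags.append("submits in cleartext (http)")
        if host and host != expected_domain and not host.endswith("." + expected_domain):
            flags.append(f"posts to third-party host {host}")
        sensitive = [f for f in form["fields"]
                     if any(k in f.lower() for k in SENSITIVE_FIELDS)]
        if sensitive:
            flags.append("asks for sensitive data: " + ", ".join(sensitive))
        findings.append({"action": form["action"], "method": form["method"],
                         "fields": form["fields"], "flags": flags})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_ATTACHMENT, "bank.example"):
        print(finding["method"].upper(), finding["action"])
        for flag in finding["flags"]:
            print("  -", flag)
```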

Now wasn't that fun?! In my next post I'm going to infect my VM with a Blackhole Exploit Kit and show you some of the nasty things it does.

2013 Verizon Data Breach Investigation Report Released

This year's DBIR combines the expertise of 19 organizations from around the globe. Discover stats that might surprise you—from the percentage of espionage-related attacks to the astonishing length of time it often takes to spot a security breach.

Download the report here.

Monday, April 22, 2013

Review of the Reddit DDoS Attack

As many of you already know the popular social media site,, was under a massive DDoS attack starting Friday night. There's a great review of the attack and how Reddit is mitigating it by which can be found here.

A few interesting things I found about this attack are that the system admins created a board in Reddit to help explain the attack and outages. In their communications they gave their users an alert that a DDoS was underway against their site and that they were receiving traffic that was "orders of magnitude larger" than normal. I found this honesty via their Reddit boards and Twitter feed an excellent way to communicate with their users during an attack.

One of the other areas I found very interesting (since I've recently blogged about DDoS mitigation techniques) was that even though they were using Akamai as a CDN they were still vulnerable. I can't emphasize this enough: just because you have a CDN in place doesn't give you a bulletproof vest. The CDN has to be routing/caching the traffic back to the origin IP address that it's hosting. If they're not hosting or caching for a domain name they'll have to go back to the origin to find the data. Also, if the attackers want to hit you via an IP address, say at your front-end router, CDNs have very little if any protection here. Having the ability to route over to a DDoS mitigation vendor via BGP on a /24 network is the best bet during an attack. CDNs are an excellent layer, but aren't enough for a skilled or persistent attacker.
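One concrete control for the direct-to-origin case above is to let only the CDN's edge ranges reach the origin, and to watch the origin's own logs for anything that did not arrive that way. The following is an added example (not from this post or any CDN vendor): it builds an allowlist, renders an nftables ruleset from it, and scans constructed access-log lines for sources outside the CDN. The edge prefixes and log lines are constructed placeholders; a real deployment pulls the CDN's published range list and refreshes it on a schedule.

```python
"""Origin guard: allow the web ports only from CDN edge ranges and spot bypass traffic.

All prefixes and log lines are constructed samples (documentation address space).
"""
from __future__ import annotations

import ipaddress

# Constructed stand-in for a CDN's published edge ranges.
CDN_EDGE_PREFIXES = [
    "192.0.2.0/24",
    "198.51.100.0/25",
    "2001:db8:100::/48",
]

ORIGIN_PORTS = (80, 443)

# Constructed origin access-log lines (common log format); the second and third
# did not come through the CDN.
SAMPLE_ACCESS_LOG = [
    '192.0.2.17 - - [22/Apr/2013:03:14:07 +0000] "GET / HTTP/1.1" 200 5120',
    '203.0.113.9 - - [22/Apr/2013:03:14:07 +0000] "GET / HTTP/1.1" 200 5120',
    '198.51.100.200 - - [22/Apr/2013:03:14:08 +0000] "GET /r/all HTTP/1.1" 200 7300',
]


def build_allowlist(prefixes: list[str]) -> list:
    """Parse CIDR strings strictly so a typo like 192.0.2.1/24 is rejected."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


ALLOW = build_allowlist(CDN_EDGE_PREFIXES)


def is_allowed(src_ip: str, allow: list = ALLOW) -> bool:
    """True when `src_ip` falls inside one of the CDN edge prefixes."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip.version == net.version and ip in net for net in allow)


def direct_origin_hits(log_lines: list[str], allow: list = ALLOW) -> list[str]:
    """Source addresses that reached the origin without passing through the CDN."""
    hits = []
    for line in log_lines:
        src = line.split(" ", 1)[0]
        if not is_allowed(src, allow):
            hits.append(src)
    return hits


def render_nftables(allow: list = ALLOW, ports: tuple = ORIGIN_PORTS) -> str:
    """Emit an nftables ruleset that accepts the web ports only from the CDN sets."""
    v4 = ", ".join(str(n) for n in allow if n.version == 4)
    v6 = ", ".join(str(n) for n in allow if n.version == 6)
    port_list = ", ".join(str(p) for p in ports)
    lines = [
        "table inet origin_guard {",
        f"  set cdn_v4 {{ type ipv4_addr; flags interval; elements = {{ {v4} }} }}",
        f"  set cdn_v6 {{ type ipv6_addr; flags interval; elements = {{ {v6} }} }}",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
        f"    ip saddr @cdn_v4 tcp dport {{ {port_list} }} accept",
        f"    ip6 saddr @cdn_v6 tcp dport {{ {port_list} }} accept",
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables())
    print("bypass sources:", direct_origin_hits(SAMPLE_ACCESS_LOG))
```

Management access (SSH, monitoring) still needs its own explicit accept rules under the drop policy; the ruleset above covers only the web ports.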

Here's part of a thread between the system admin "Alienth" and a user about the attack and Akamai.

Top 10 Security Breaches

Check out the below image from Firmex on a review of their "Top 10 Security Breaches". Pretty cool.

Download PDF version here

Sunday, April 21, 2013

Bruce Schneier on the Boston Bombings

Truer words have never been spoken.

"We don't have to be scared, and we're not powerless. We actually have all the power here, and there's one thing we can do to render terrorism ineffective: Refuse to be terrorized."

Read the rest of his article here.

Saturday, April 20, 2013

Spear phishing examples: How to stop phishing from compromising users

In the recent upsurge of high-profile attacks, spear phishing has been the tool of choice for hackers to compromise an organization.
Spear phishing is the targeting of specific companies or individuals, using hand-crafted messages meant to trick them into divulging personal or confidential data for unauthorized use. Malicious hackers know people are the weakest link, and that, even if a company has a $10 million security budget, it only takes one user’s mistake to compromise its defenses.
Spear phishing is a far more focused approach than normal phishing. Instead of a mass email sent to a wide swath of people, spear phishing focuses on one particular user or organization. Emails or messages sent under this guise generally employ specific, carefully researched details about the person or company in order to seem authentic. These are targeted attempts that have been maliciously crafted for a purpose: Usually, to gain specific corporate IP or personal information. This tip will offer advice on how to stop phishing and spear phishing attacks from tricking corporate users.
Phishing attacks have risen 12% year after year for the past few years, according to Internet Identity, with spear phishing leading the charge. And, as with the recent Epsilon email breach, it's not just that such an attack can yield customer emails and names, or organizational information for attackers, it's that spear phishers probably already have plans for what they are going to do with the data they compromise. Having a list of names, companies and email addresses can allow attackers to harvest a bounty of stolen data from victims whose information has already been breached, because attackers are able to use this info to craft more sophisticated attacks. The data that was breached in the Epsilon attack was significant, but the additional data that could be stolen using this data may be even more noteworthy.
Let's review a few spear phishing examples:
Example 1 - John Smith is a senior chemical engineer working on a high-profile project for a cutting-edge pharmaceutical company. John receives an email purportedly from his college asking him if he’d like to participate in an alumni panel as a guest speaker. The email references an attachment with more details on the event and an attachment to fax back to the alumni office. John clicks the attachment and nothing happens; John Smith has been speared.
An attacker using a spear phishing campaign to compromise an organization is going to do his homework. In this case, all he might have done is use the Internet to find out where John Smith went to college and craft a fake letterhead with the department head's name on it (information also freely available on the Web). The payload here is the malicious software installed by the attachment. Once John Smith clicked the attachment, his workstation was compromised with malicious software.
A security awareness program should include training to safeguard against these types of attacks. Users should be taught that they should use company email for corporate use only, thus limiting some of the potential ways users’ email addresses would get out onto the Internet. Users should also be taught not to open attachments from sources that they’re not familiar with. In this case, John Smith trusted the sender because he had a previous experience with the school, leading him to believe it was safe. A social networking policy should be considered to hide or limit the information that employees can show on their LinkedIn page. Social networking sites are an excellent tool for spear phishers to use against victims. Limiting what your employees show on social networking sites about the organization will assist in your security posture. Lastly, spam gateways should be configured to block any executable coming into the network via mail by default.
Example 2 – Jane Doe receives an email from her bank, which we’ll call, telling her that she’s been selected to receive double frequent flyer miles on her credit card for the next three months. The email includes a link to fill out a form at to complete the newly offered frequent flyer program. Jane makes sure the link is SSL protected and proceeds to fill out the form with all her personal information. After she’s done, a window pops up saying her profile been updated successfully. Jane Doe has been speared. 
Spear phishing emails are frequently used to drive traffic to malicious websites, but it’s getting increasingly difficult for the average user to decipher what’s authentic. In this example, the legitimate website of Jane Doe’s bank is, but the phishing email had a link to Just adding an “s” to the domain creates a similar domain name that the user might not notice is different from the actual domain of his or her bank. Many users now look to see if sites are SSL encrypted and, in this case, it is, directly to the malicious site.  Jane Doe added all her personal information into a site that had the look and feel of her normal banking experience, including a false sense of security in the SSL protection. Many users operate under the false impression that an SSL link is inherently secure.
Once again, security awareness training needs to evolve as the attacks evolve. A few years ago users were being taught that if a website URL used HTTPS, then they were safe. The bad guys know this and use this misconception to their advantage. Educating your employees or customers takes more than a one-time course; it needs to be done constantly via training, company newsletters and face-to-face, so that as attacks change, training and avoidance tactics evolve as well. There also have to be expectations from the company on what being secure means. In this example, the “Big Bank” should let its customers know it would never ask for personal information from them via email, and to report it if found.
As illustrated by the examples above, spear phishing is a more focused attack method than generic phishing. Generic phishing is purely a numbers game: The more people who receive an email, the more likely it is one of them will click on the infected link. With generic phishing, many of today's filtering technologies will block suspicious-looking inbound email and phishing sites, mainly because they’ve been seen so frequently.
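The one-letter domain trick in Example 2 can be caught mechanically before a user ever has to notice it. The following is an added example (not code from the article): it pulls the links out of a message and classifies each domain against a protected brand domain, going beyond the single added character in the text to also catch confusable spellings (such as "l" for "i") and the brand name used as a subdomain of an unrelated domain. `bigbank.example`, the sample message and the confusable table are constructed; the registrable-domain logic simply takes the last two labels and is an assumption (a real deployment would use the public suffix list). The scheme is deliberately ignored, since a valid certificate on the wrong domain is still the wrong domain.

```python
"""Classify link domains in a message as legitimate, lookalike, or unrelated.

Constructed example: the brand domain, message, and confusable table are samples,
and "registrable domain" is approximated as the last two labels.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Characters that pass for one another at a glance (constructed, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l", "3": "e", "5": "s"})

# Constructed phishing message modelled on Example 2.
SAMPLE_EMAIL = """Dear valued customer,
You have been selected for double frequent flyer miles. Complete your profile at
https://bigbanks.example/rewards/enroll before Friday.
Questions? See https://bigbank.example/contact or https://blgbank.example/help
Partner offers: https://bigbank.example.attacker-host.example/login
Press: https://news.example/bigbank-merger
"""


def normalise(label: str) -> str:
    """Fold look-alike characters so 'blgbank' and 'bigbank' compare equal."""
    return label.lower().replace("rn", "m").translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: added, dropped, or swapped characters each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, protected: str) -> tuple[str, str]:
    """Return (verdict, reason) for one URL against the protected brand domain."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return ("unrelated", "no host in link")
    labels = host.split(".")
    registrable = ".".join(labels[-2:])  # assumption: last two labels
    brand = protected.split(".")[0]
    if registrable == protected:
        return ("ok", "matches protected domain")
    candidate = labels[-2] if len(labels) >= 2 else labels[0]
    if brand in labels[:-2]:
        return ("lookalike", f"brand used as a subdomain of {registrable}")
    if normalise(candidate) == normalise(brand):
        return ("lookalike", f"{candidate} is a confusable spelling of {brand}")
    distance = edit_distance(candidate, brand)
    if distance <= 1:
        return ("lookalike", f"{candidate} is {distance} edit from {brand}")
    return ("unrelated", f"{registrable} is not close to {protected}")


def scan_message(text: str, protected: str) -> list[tuple[str, str, str]]:
    """Classify every link in `text`; returns (url, verdict, reason) in order found."""
    return [(url,) + classify_link(url, protected) for url in URL_RE.findall(text)]


if __name__ == "__main__":
    for url, verdict, reason in scan_message(SAMPLE_EMAIL, "bigbank.example"):
        print(f"{verdict:10} {url}  ({reason})")
```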
Read the rest of the article here.

Thursday, April 18, 2013

Microsoft Security Intelligence Report (SIRv 14)

Yesterday, Microsoft released volume 14 of its Security Intelligence Report (SIRv14) which includes new threat intelligence from over a billion systems worldwide. One of the most interesting threat trends to surface in the enterprise environment was the decline in network worms and rise of web-based attacks.  The report found:
  • The proportion of Conficker and Autorun threats reported by enterprise computers each decreased by 37% from 2011 to 2H12.
  • In the second half of 2012, 7 out of the top 10 threats affecting enterprises were associated with malicious or compromised websites.
  • Enterprises were more likely to encounter the iFrame redirection technique than any other malware family tracked in 4Q12.
  • One specific iFrame redirection family, called IframeRef, increased fivefold in the fourth quarter of 2012 to become the number one malicious technique encountered by enterprises worldwide.
  • IframeRef was detected nearly 3.3 million times in the fourth quarter of 2012.

The report also takes a close look at the dangers of not using up-to-date antivirus software in an article titled “Measuring the Benefits of Real-time Security Software.” New research showed that, on average, computers without AV protection were five and a half times more likely to be infected. The study also found that 2.5 out of 10, or an estimated 270 million computers worldwide were not protected by up-to-date antivirus software. With the report’s release they are reminding customers of the importance antivirus software can provide in protecting systems. For more information, check out this blog post.

Of course these are just some of the more interesting threat trends I thought might be of interest. The full Security Intelligence Report, volume 14, is available for free and can be downloaded here.

Sunday, April 14, 2013

Looking for experts in "Cyber Law"!!

Over the next couple months I'm going to tackle a project I've been thinking about for a few years. This is most likely going to formulate itself into a small book, but I wanted to hear the opinions from a few of you that read my humble little blog.

One of the questions I've been mulling over is about "Cyber Law". The laws governing today's technology are antiquated and I feel these laws need to be updated so that people aren't unfairly prosecuted under yesterday's laws. When the changes to technology move at the speed of light, but the laws governing them are from 20 years ago, we have a massive problem.

If you have any experience in law, cyber law to be exact, I would love to hear your opinions.

Monday, April 8, 2013

Why CyberBunker Was Blacklisted By Spamhaus

Last Wednesday we witnessed the real power of cyber-attacks when the anti-spam organization Spamhaus was hit by a number of large-scale distributed denial of service (DDoS) attacks, which not only brought down their own website temporarily, but also caused a widespread disruption across the Internet. The DDoS attacks flooded targeted websites with extraordinary amounts of dummy traffic, making them unreachable by Internet users genuinely trying to access them, and slowing down Internet speeds worldwide.

Spamhaus was allegedly targeted by the Dutch web hosting company CyberBunker, who are rumoured to host spam, phishing sites, and malware. Spamhaus blacklisted CyberBunker from sending out these emails, bringing on the attack.

But what is phishing, and how does it facilitate data breaches?

“Phishing” is an email fraud attempt that targets both individuals and organizations, seeking unauthorized access to confidential data. Phishing emails appear to come from a trusted source and contain links or attachments which, when opened, give the hacker instant access to the recipient’s computer and/or internal network. The email usually contains key information, like sender contact information, or bank details, to make them appear legitimate.

There are also phishing websites, which CyberBunker was rumoured to have hosted. The hacker provides a fake URL to the victim, which redirects them to a phishing website that solicits private data. This website is often engineered with a look-alike URL (e.g., replace "I" with "l"). Alternatively, the phishers can use browsers to display the real URL but phish content (e.g., XSS iframe phishing), making the phishing scams virtually undetectable by the average user. This is the type of activity that CyberBunker allegedly hosted on their servers, which led to their blacklisting by Spamhaus.

The Global Impact of Phishing

Roughly 156 million phishing emails are sent globally every day. Most are stopped by spam filters, but around 8 million emails still make it into people’s inboxes. Phishing emails on their own are not harmful - the real problem comes from clicking on suspicious links, or opening suspect attachments. Roughly 80,000 people end up falling for phishing scams every day. Phishers will try to gather things like banking information, credit card numbers and passwords, which can result in identity theft, credit card fraud, financial loss, and further Internet scams.
What does a phishing email look like?

Example 1:

Example 2:

Reduce Your Risk

Businesses and individuals can reduce the risk of falling victim to phishing and malware attacks by doing the following:

  • Be alert. Holiday distractions and office closures make certain times of year more convenient for hackers.
  • Educate employees, particularly bookkeeping staff who have access to key banking information, on fraud prevention.
  • Even if you recognize the email sender, don’t click on a link or attachment unless you can verify it or were expecting it.
  • Monitor activities in all bank accounts closely and regularly.
  • Contact your bank immediately through a verified number or in person if you have any problems accessing bank accounts online.
  • Implement restricted privileges to computer users that will limit their ability to download software without an administrator’s permission.
  • Ensure your anti-virus, spyware and firewall protection is updated regularly.
  • Identify the digital assets that are at most risk to intrusion and segregate them to provide additional security.
  • If you do experience a security breach, report it immediately to the FBI Cyber Crime Division and Internet Crime Complaint Center (US) or the Canadian Anti-Fraud Centre (Canada). Then call a reputable computer technician for assistance.
  • Always have more than one computer backup, which is physically removed from the network, in case this is also compromised. Virtual data rooms are a great option.

Sunday, April 7, 2013

An In-Depth Look at DDoS – Part 3: DDoS Do's and Don'ts

In part 2 of our DDoS series, we shared some ways to go about protecting yourself against a potential attack. So what should you do in the meantime? Prepare of course!!
Here's a List of DDoS Preparations You SHOULD Consider:
  1. If you went through the time and money to protect your network from a DDoS attack you better be setting up process and procedure on how to act once it happens. If you’re lucky you’ll never need to put these into action, but if you’re not (and you should assume that you will get hit at some point) you’ll be happy they are in place.
  2. Each department should know exactly what they’re doing if a DDoS attack happens and how to respond to an attack once one occurs. There should be written instructions per team that’s involved on what to do during an attack (this isn’t cookie cutter and will change) and how they should sound alarm if they see something that smells like DDoS.
  3. The teams should meet on a scheduled basis to review any incidents, either at the company or in the news, and discuss what they can do in order to make the procedure better.
  4. There should also be “Red Team” drills that incorporate getting your DDoS incident management team in a room to discuss potential scenarios of attack and how they would react. 
The keys here are to be consistent with the meetings and clear with the documentation.
Here are a few things you SHOULDN’T do regarding a DDoS that can make things much worse:
  1. Don’t take this opportunity to be the first time you speak with law enforcement. Make sure you have a working relationship with local and federal law enforcement before an incident occurs. When the time comes, and hopefully it won’t, you’ll already have the contacts and the procedure for reporting incidents. Many of these attackers are testing sites and selling the information to the highest bidder. You might not see tangible effects of alerting them right away, but speaking with law enforcement when appropriate can potentially help them piece together something a lot larger and take down an attacker before they wreak havoc.
  2. Never, ever trust one solution. If you hear a vendor say they’re the end-all-be-all solution for DDoS attacks walk the other way. You need layers of protection that start at your policy and procedures and move into hardening your environment. Additionally, seek help from the ISPs and potentially a third party mitigation solution. One-stop-shops don’t work for DDoS… just say no!
  3. Do Not Communicate with the Attacker. If the attacker tries to contact you don’t communicate with them if possible. Anything written should be sent to your law enforcement contacts, and anything verbal, if called, should let them know that anything you say will be recorded and that law enforcement is involved. That’s all - keep it cool.

Read the rest of my three-part series on DDoS on AlgoSec's blog.

Wednesday, April 3, 2013

My Radio Interview about Hacktivism

Last week I was asked to speak on the topic of "Hacktivism" on Boston's WERS 88.9 "You Are Here" radio show.

You can listen to the interview here: The Rise of Hacktivism