MSU ACM 2015-01-29 By: Mark Lachniet, Promethean Security


Page 1: MSU ACM 2015-01-29

By: Mark Lachniet, Promethean Security

Page 2: About Me

► Mark Lachniet, Promethean Security
► Current educational director of the Michigan HTCIA
► Licensed Private Investigator in the State of Michigan
► Numerous security and technology certifications:
  » Certified Information Systems Security Professional (CISSP)
  » Certified Information Systems Auditor (CISA)
  » GIAC Certified Forensic Analyst Gold (GCFA)
  » Microsoft MCSE, Novell MCNE, Linux LPIC, CheckPoint, etc.
► Previously worked at Analysts International as a Solutions Architect, as an instructor in Walsh College’s MSIA program, as a technician and technology director at Holt Public Schools, and as a penetration tester for CDW

Page 3: Agenda

► Discuss a few cases I have seen in the last few years
► Discuss current threat landscape
► Discuss interesting penetration testing methods
► Discuss compensating controls to emerging threats

Page 4: Recent Case – Financial Fraud

► One recent case I’ve worked on deals with a fairly large financial fraud at a Michigan-based company
► One of their computer workstations had been hacked, and the user of that workstation used it to log into a web banking system to process their regular payroll
► The user was somehow directed away from the official banking web site to a phishing web site
► The web site looked “different” to the user so they contacted the web banking company’s technical support. Their tech support was unable to determine the problem (which in this case was the wrong URL) and told them “it must be an I.T. problem on your end”
► The user then entered their user ID, password, and code from a two-factor authentication token into the site and did payroll
► The next day they were contacted regarding what appeared to be fraud – their payroll (approximately $700,000) had been hijacked

Page 5: Recent Case – Financial Fraud

► This is especially troubling given the fact that two-factor authentication was used – these devices use a code that changes every few minutes, giving a very small window of opportunity to exploit
► This implies to me that the criminals either had some very sophisticated software that could “automagically” log into the web banking system, or they had a fully staffed 24/7 NOC with people waiting for events
► The criminals then changed the account numbers that the payroll was going to, and routed sums of approximately $9,000 to a number of different bank accounts ($10,000 is the cut off for OFAC reporting)
► This also implies that the criminals were very well versed in the banking system, because they were smart enough to change all of the ACH numbers very quickly

Page 6: Recent Case – Financial Fraud

► According to at least one report, individuals who were looking for a job online were offered jobs as “ACH processors” by some shady Internet company
► Their job was to open a bank account, wait for money to be deposited, and then withdraw the money as cash
► They would then use a wire transfer service such as Western Union to wire transfer $4,000 each to a couple different people or accounts overseas, and keep $1,000 for their trouble.
► Thus, the people who were doing the conversion of virtual to physical cash and were assisting in the crime were most likely unknowing dupes
► They themselves might find their info (SSN, bank number) sold at a later date

Page 7: Recent Case – Financial Fraud

► I was then called in to help with incident response
► We began by taking a forensic image of the user’s workstation using a FireWire “write blocker” to preserve the integrity of the data
► While that was happening, we worked on analyzing available log sources (there weren’t any, so we had to configure firewall logging)
► We put a stop to all non-essential Internet access while we were investigating
► We also began installing WebRoot Anti-Spyware software on a number of workstations – this turned up more infected machines
► Using a firewall log analysis tool known as Sawmill, we were able to find other network activity that seemed suspicious (traffic to eastern Europe and Asia) and analyze those workstations for additional malware
► The FBI later came in and took an image of the workstation as well

Page 8: Recent Case – Financial Fraud

► We started drafting a list of recommendations to help them improve their overall security posture, and presented them to senior management, including:
  » Install WebRoot everywhere
  » Purchase an intrusion prevention module for the firewall
  » Implement Websense Internet content filtering
  » Etc.
► Around this time I began performing a forensic investigation of the image copy of the computer workstation I had taken
► These investigations can be very time consuming, even if all the time is not billable, due to the amount of time required to do keyword searches, etc. This one took weeks.
► Knowing the approximate date that the machine was last “known good” (e.g. was last rebuilt), I was able to start looking at the workstation’s filesystem history

Page 9: Recent Case – Financial Fraud

► On the workstation I found six different pieces of malware that WebRoot had identified and removed
► These were put into a quarantine directory, and then “wrapped” with some header information about the identification WebRoot had made
► Aside from these pieces of malware, I manually found another 6 or so pieces of malicious software that their anti-virus or anti-spyware program was unable to find
► I submitted these samples to an online service known as virustotal.com, which ran them through about 30 different AV programs
► While only a portion of the AV programs identified each piece, it helped me identify what they were, and possibly what they did

Page 10: Recent Case – Financial Fraud

► I was able to see at least one source of infection – there was a malicious Adobe Acrobat PDF file
► This file exploited the PDF reader program and executed JavaScript to download a number of different pieces of malware from a server in Russia (you could see the files being created in rapid succession)
► One of those appeared to be a keylogger, as I found a number of data files that looked like partially encrypted keylog entries
► The PDF file may have come in through e-mail, as there was a remnant of an Outlook Express file at that time, or may have come through browsing
► Unfortunately, by the time I was making real progress with the case, the client wanted to control costs and asked me to stop investigating
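Added example, not code from the presentation: the “last known good” approach from the two slides above, written out in Python. It filters a list of file records down to those created after the known-good date and then flags bursts of files created seconds apart, the pattern described when the PDF exploit pulled down its payloads. The file paths, timestamps and the known-good date are constructed for the example; in a real case the records would be populated from the image’s file-system metadata.

```python
# Added example, not code from the presentation: a minimal file-creation
# timeline starting at a "last known good" date, with a pass that flags
# bursts of files created seconds apart. The records below are constructed;
# in a real case they would come from the forensic image's metadata.
from datetime import datetime, timedelta
from typing import List, Tuple

Record = Tuple[str, datetime]  # (path, creation time)

# Constructed known-good date: the day the machine was last rebuilt.
KNOWN_GOOD = datetime(2014, 9, 1)

# Constructed sample records, not from any real image.
SAMPLE_RECORDS: List[Record] = [
    ("C:/Windows/System32/kernel32.dll", datetime(2014, 6, 1, 9, 0, 0)),
    ("C:/Users/payroll/Documents/invoice.pdf", datetime(2014, 9, 3, 14, 2, 10)),
    ("C:/Users/payroll/AppData/Local/Temp/a1.exe", datetime(2014, 9, 3, 14, 2, 31)),
    ("C:/Users/payroll/AppData/Local/Temp/b2.dll", datetime(2014, 9, 3, 14, 2, 33)),
    ("C:/Users/payroll/AppData/Local/Temp/c3.exe", datetime(2014, 9, 3, 14, 2, 37)),
    ("C:/Users/payroll/Documents/report.docx", datetime(2014, 9, 10, 11, 30, 0)),
]


def timeline_since(records: List[Record], known_good: datetime) -> List[Record]:
    """Keep only files created after the known-good date, oldest first."""
    return sorted((r for r in records if r[1] > known_good), key=lambda r: r[1])


def find_bursts(records: List[Record], window: timedelta = timedelta(seconds=30),
                min_files: int = 3) -> List[List[Record]]:
    """Group files whose creation time falls within `window` of the previous
    file in the group; return only groups of at least `min_files` entries."""
    bursts: List[List[Record]] = []
    current: List[Record] = []
    for rec in sorted(records, key=lambda r: r[1]):
        if current and rec[1] - current[-1][1] <= window:
            current.append(rec)
        else:
            if len(current) >= min_files:
                bursts.append(current)
            current = [rec]
    if len(current) >= min_files:
        bursts.append(current)
    return bursts


if __name__ == "__main__":
    recent = timeline_since(SAMPLE_RECORDS, KNOWN_GOOD)
    for burst in find_bursts(recent):
        print(f"burst of {len(burst)} files starting {burst[0][1]}:")
        for path, created in burst:
            print(f"  {created}  {path}")
```

The burst window and minimum group size are deliberately parameters: a dropper that fetches several payloads in sequence shows up as a tight cluster, while a Windows Update run produces a much larger cluster that a reviewer would recognise by its paths.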

Page 11: Recent Case – Financial Fraud

► At that time, I stopped doing analysis (well, sorta) and documented what I had found
► Wish I could have analyzed the malware to see what it did…
► Presented the document to the customer, and suggested that we give it to law enforcement (in this case the out-of-state FBI who were handling the case) but was then taken out of the loop
► This project had some interesting “lessons learned”:
  » Two-factor authentication not as secure as we thought
  » Criminals are extremely organized and motivated
  » Organizations not keen on sharing info for fear that it would become a public record and make them look bad
  » Organizations only invest in security when they are “burned”
  » Organizations not really interested in paying to figure out what happened
  » Antivirus / Anti-Malware / Anti-Spyware can NOT keep up with threats!

Page 12: Recent Case – Computer Theft

► In another case that I recently worked on, a local company that deals with medical insurance was broken into, and 8 laptops were stolen
► The customer had camera footage of the criminal – they had exploited a slowly-closing handicap perimeter door to enter the building in the 30 minutes AFTER the end of the business day but BEFORE the security system was enabled
► They then went to an open office area and carried the laptops out
► These laptops contained sensitive regulated data (financial and medical, potentially regulated by GLBA, HIPAA and PCI) and were unencrypted
► Due to this, it might be necessary for them to give notification to their customers or regulators that the data was potentially stolen
► The I.T. manager was immediately fired (as a scapegoat?), presumably for not having had encryption on every machine in the place

Page 13: Recent Case – Computer Theft

► Customer initiated a project to encrypt ALL workstations with Whole Disk Encryption (which gives you a “safe harbor” type exception so you usually don’t have to report if encrypted machines are stolen)
► I was brought in to help look at their security and workstation practices
► Created a scaled-back assessment survey that focused specifically on workstations, and the practices, procedures and physical security surrounding them
► Did this survey and a physical walkthrough of the organization and began documenting recommendations with a “cost” and “gain” metric

Page 14: Recent Case – Computer Theft

► Physical Security:
  » Slow-closing front doors
  » Employees not locking offices and workgroup areas
  » Badge system didn’t require PIN number entry on exterior
  » Weak physical key management (e.g. master keys)
  » Power cut-offs could be engaged by anyone
  » Exterior lights not on 24/7
  » No motion sensors or window break sensors in building
  » Hinges on the outside of the door could be broken off to gain entry

Page 15: Recent Case – Computer Theft

► Practices and Procedures:
  » Users still saving sensitive data to local workstations, even though told not to
  » No data classification and handling system (e.g. to categorize data and detail how each category is created, handled and destroyed for both physical and electronic media)
  » No formal system of assigning access rights with badge system and keys (thus no easy way to audit)
  » Weak acceptable use policy detailing user responsibilities, practices and requirements

Page 16: Recent Case – Computer Theft

► Technical:
  » Inadequate patching for non-Microsoft apps such as Acrobat, Flash, QuickTime, WinZip, etc., making it easy for malware to be introduced
  » Shared local admin password on all workstations – if you steal one, you can crack the local admin PW with a rainbow table attack
  » No encryption or restriction of media and I/O ports
  » No regular vulnerability assessments of internal hosts and web applications
  » Weak passwords – no complexity required
  » And many many more….

Page 17: Recent Case – Computer Theft

► Customer response:
  » Encrypt ALL hard drives
  » Hire consultants to do an analysis of their new workstation image (verify that encryption works, they are not easily “hackable”, verify build procedures, etc.)
  » Consider a fuller analysis of other security controls, possibly a “security needs” analysis
► Lessons learned:
  » People get fired! Often for bad reasons
  » Security is only a priority when people get burned
  » Lack of planning (e.g. data classification and handling) and lack of training are a huge problem

Page 18: Recent Case – Insecure Web App

► Web applications are another major vector of attack for criminals
► Web applications are easy targets because:
  » Developers tend to be woefully uneducated about security
  » Development projects are usually under massive time constraints
  » Requirements definition rarely includes “real” security controls
  » Quality assurance processes usually do not test security
  » Many of the most common security tools (Intrusion Prevention Systems, firewalls, anti-virus, etc.) do not protect against SSL web application attacks such as SQL injection
  » Bad web applications are relatively easy to exploit
  » Successful exploitation leads to full access of all database contents and possibly even the hosting servers

Page 19: Recent Case – Insecure Web App

► As part of a recent external assessment, I came across some vulnerabilities in a web application
► The application was used to host web-based training content
► The application was written by a vendor, and purchased by the customer
► The application ran on Windows, and used a back-end SQL database for storage of data (including SSN#’s which were presumably tracked so users could get CPE credits)
► During the assessment, the scanning tool noted that a number of cookies were being set, one of which was something like “IS_Admin=0”
► The tool found no other vulnerabilities on that host
► Based on this crumb of information, I started looking at the app

Page 20: Recent Case – Insecure Web App

► Immediately noticed that encryption (HTTPS) was not used
► I started by setting up a security proxy server called Paros, so that I could see what all of the browser requests and responses were
► I then created an account using the self-registration feature, and logged into the application
► When I logged in, I noticed a couple of cookies being set that looked interesting:
  » Set-Cookie: SystemRights=STUDENT_ID=mlachniet; path=/
  » Set-Cookie: STUDENT_ID=mlachniet; path=/
► This is an example of using client-side variables (e.g. cookie values) in an application, and is not necessarily dangerous
► For example, CNN.COM does something similar to determine which version of CNN to show you (US or International)

Page 21: Recent Case – Insecure Web App

► Using client-side scripting such as this has a valid role in web applications – for example validating input before it is submitted to enhance the end user experience
► In a well-secured application, however, all security features will be validated on the server side as well as the client side
► For an experiment, I decided to use my Paros proxy to intercept and change these cookies to the username ‘admin’
  » Set-Cookie: SystemRights=STUDENT_ID=admin; path=/
  » Set-Cookie: STUDENT_ID=admin; path=/
► The server did not complain about this at all (or even notice)
► I then went into the “my account” area of the web site, and could see that indeed I was now logged in as the user admin

Page 22: Recent Case – Insecure Web App

► At this point I was logged into the user side of the application as ‘admin’ but I did not have access to the administrative side
► I then noticed on the “my account” page that there was a place to set a new password without knowing the old password
► This was especially convenient because I had no idea what the old password was
► So, I changed the password to something I knew, and then tried to log into the administrative side of the application
► Sure enough it worked, and I had administrator access to the application (which wasn’t particularly interesting anyway)
► The next step was to try to leverage this administrator access to compromise the back-end SQL database and if possible the server running it
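Added example, not the vendor’s code and not from the presentation: the two failures on the preceding slides (identity taken straight from a STUDENT_ID cookie, and a password change that never asks for the old password) shown next to a server-side session store that avoids both. The user names, passwords and cookie names are constructed; the only name taken from the slides is the STUDENT_ID cookie.

```python
# Added example, not code from the presentation or from the vendor's
# application: an identity check that trusts a client-side cookie, next to
# one that keeps identity server-side and demands the current password
# before a change. All names and values are constructed.
import hashlib
import hmac
import secrets
from typing import Dict, Optional

PBKDF2_ROUNDS = 100_000


# Vulnerable pattern: the STUDENT_ID cookie body *is* the identity, so any
# client that rewrites the cookie becomes that user.
def whoami_insecure(cookies: Dict[str, str]) -> Optional[str]:
    return cookies.get("STUDENT_ID")


class SessionStore:
    """Hardened pattern: an opaque session id maps to a user on the server."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}  # session id -> username
        self._users: Dict[str, str] = {}     # username -> "salt:pbkdf2 digest"

    def _hash(self, password: str, salt: bytes) -> str:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = salt.hex() + ":" + self._hash(password, salt)

    def verify_password(self, user: str, password: str) -> bool:
        record = self._users.get(user)
        if record is None:
            return False
        salt_hex, digest = record.split(":")
        # constant-time comparison of stored and recomputed digests
        return hmac.compare_digest(self._hash(password, bytes.fromhex(salt_hex)), digest)

    def login(self, user: str, password: str) -> Optional[str]:
        """Return a fresh session id on success. The id carries no identity,
        so rewriting it to 'admin' simply fails to match any session."""
        if not self.verify_password(user, password):
            return None
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = user
        return session_id

    def whoami(self, cookies: Dict[str, str]) -> Optional[str]:
        """Identity comes from the server-side table, never from the cookie body."""
        return self._sessions.get(cookies.get("SESSION_ID", ""))

    def change_password(self, cookies: Dict[str, str], current: str, new: str) -> bool:
        """Refuse unless the caller holds a valid session AND knows the current
        password (the check missing from the "my account" page on the slide)."""
        user = self.whoami(cookies)
        if user is None or not self.verify_password(user, current):
            return False
        self.register(user, new)
        # drop this user's other sessions: a stolen session should not survive
        # a password change
        keep = cookies.get("SESSION_ID")
        self._sessions = {s: u for s, u in self._sessions.items() if u != user or s == keep}
        return True
```

The point of the opaque session id is that it is a lookup key, not a statement of identity: there is nothing in it for a proxy to edit into something meaningful. Requiring the current password on a change is the second, independent control, so that a hijacked session alone does not convert into a permanent account takeover.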

Page 23: Recent Case – Insecure Web App

► Upon browsing through the options I had as administrator, I found a few interesting pages – one was user information, and the other was system reporting
► I tried to pull up user pages to see if it would reveal the users’ passwords (it didn’t, it masked them) but it did show me their SSN.
► Looking at the reporting page, I found that it was possible to create custom queries of the database – for example to see all of the users from a specific area code, or that had completed a certain training module
► Using the Paros proxy, I was able to see that the HTML interface was in fact generating SQL query language requests to the back-end database

Page 24: Recent Case – Insecure Web App

► For example, a query of first name and last name in the HTML interface created a web request of:
  » GET http://target/Reporting/ReportGenerator/run_report.aspx?SQL=SELECT+STUDENT_LNAME,STUDENT_FNAME+FROM+tblxxx_xxx''&Title=cdwtest HTTP/1.1
► Being that this was apparently raw SQL, I decided to try to bypass the HTML interface entirely and submit hand-crafted SQL queries:
  » GET http://target/Reporting/ReportGenerator/run_report.aspx?SQL=SELECT+STUDENT_LNAME,STUDENT_FNAME,EMPLOYEE_ID+FROM+tblxxx_xxx+WHERE+EMPLOYEE_ID+<>+''&Title=cdwtest HTTP/1.1
► This then gave me a report of all users in the system with first name, last name and employee ID (which was in this case SSN!)
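Added example, not the vendor’s code and not from the presentation: an in-memory SQLite stand-in for the reporting page, with the execute-whatever-arrives behaviour shown above beside a version that allow-lists column names and binds filter values. The column names STUDENT_LNAME, STUDENT_FNAME and EMPLOYEE_ID come from the slide; the table name, the AREA_CODE column and the rows are invented for the example, and EMPLOYEE_ID stands in for the SSN column.

```python
# Added example, not code from the presentation or the vendor's product:
# a report endpoint that executes the SQL= parameter verbatim, alongside one
# that accepts only allow-listed column names and binds filter values.
# The table and rows are constructed.
import sqlite3
from typing import Dict, List, Sequence, Tuple

# Columns a report may show and filter on. EMPLOYEE_ID (the SSN stand-in) is
# deliberately absent: the allow-list is what keeps it out of reports.
ALLOWED_COLUMNS = ("STUDENT_LNAME", "STUDENT_FNAME", "AREA_CODE")
ALLOWED_FILTERS = ("AREA_CODE",)


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's back-end database (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tblStudents (STUDENT_LNAME TEXT, STUDENT_FNAME TEXT, "
        "EMPLOYEE_ID TEXT, AREA_CODE TEXT)"
    )
    conn.executemany(
        "INSERT INTO tblStudents VALUES (?, ?, ?, ?)",
        [("Doe", "Jane", "123-45-6789", "517"), ("Roe", "Richard", "987-65-4321", "313")],
    )
    return conn


def run_report_insecure(conn: sqlite3.Connection, sql: str) -> List[Tuple]:
    """The pattern on the slide: whatever arrives in SQL= is executed as-is."""
    return conn.execute(sql).fetchall()


def run_report(conn: sqlite3.Connection, columns: Sequence[str],
               filters: Dict[str, str]) -> List[Tuple]:
    """Hardened report: identifiers are checked against an allow-list (they
    cannot be bound as parameters) and every filter value is a bound parameter."""
    if not columns:
        raise ValueError("a report needs at least one column")
    for col in columns:
        if col not in ALLOWED_COLUMNS:
            raise ValueError(f"column not permitted in reports: {col}")
    for name in filters:
        if name not in ALLOWED_FILTERS:
            raise ValueError(f"filter not permitted in reports: {name}")
    sql = f"SELECT {', '.join(columns)} FROM tblStudents"
    if filters:
        sql += " WHERE " + " AND ".join(f"{name} = ?" for name in filters)
    sql += " ORDER BY 1"
    return conn.execute(sql, tuple(filters.values())).fetchall()


def rejects(conn: sqlite3.Connection, columns: Sequence[str], filters: Dict[str, str]) -> bool:
    """True when run_report refuses the request; shows the allow-list at work."""
    try:
        run_report(conn, columns, filters)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(run_report(db, ["STUDENT_LNAME", "STUDENT_FNAME"], {"AREA_CODE": "517"}))
    print(rejects(db, ["STUDENT_LNAME", "EMPLOYEE_ID"], {}))
```

Two separate controls are doing the work here: the allow-list decides which identifiers can ever appear in the generated statement (parameter binding cannot protect identifiers), and binding decides how user-supplied values are passed. The slide’s restricted database configuration is a third layer that belongs underneath both, since a report account that cannot read EMPLOYEE_ID or call xp_cmdshell limits the damage even when the application layer fails.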

Page 25: Recent Case – Insecure Web App

► Hence with no prior knowledge of the system and a little bit of security logic, I was able to harvest over 1,500 users’ demographic information including name, address, phone number, SSN, etc. in a couple hours - likely enough to steal their identity
► At this point I could get any data out of the database that I wanted (including data in other tables not related to this app)
► The next step was to try to compromise the host operating system using a SQL stored procedure called xp_cmdshell
► xp_cmdshell allows you to run operating system commands as the user account that SQL is logged in as (some kind of admin)
► Given more time and tools to analyze each piece of code, it seems likely that more vulnerabilities would be found

Page 26: Recent Case – Insecure Web App

► I informed the customer about what I had found and wrote up a brief report for their technical and compliance people to present to the vendor
► Lessons Learned:
  » Regular vulnerability assessments are essential to long-term security
  » Just because a piece of software is a commercial product does not mean that it is secure!
  » Strong technical app development and DBA functions are critical – in this case the restricted database configuration stopped me from completely compromising the system
  » Requiring vendors to prove that they’ve done a third-party audit of their software is a must
  » Scanning tools don’t know everything! The host came back as clean from Nessus and might have been totally missed

Page 27: Pentest Tricks – NetBIOS E-Mail

► One of the tricks that my team consistently uses is the NetBIOS “email attack”
► This involves sending an HTML message with a small graphical image embedded in it with a file://server/img.gif source
► Since it is using the file protocol, Windows will automatically attempt to log into the server using the username and password of the currently logged in user (thanks!)
► On the back end, we have a customized Samba server that has a pre-configured challenge/response setting, and a set of rainbow tables that encompasses > 99% of all possible passwords
► If you have an older machine, or one with NTLM running and no firewall filtering of NetBIOS, this almost always gives us your password within a few hours
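Added example, not from the presentation: a defender-side scanner for HTML mail bodies that reports image or link references pointing at file: URLs or UNC paths, the element that triggers the automatic logon described above. It is the kind of check a mail gateway or a triage script would run; the sample messages are constructed, and the file://server/img.gif reference mirrors the slide.

```python
# Added example, not code from the presentation: a scanner for HTML mail
# bodies that reports image or link references pointing at file: or UNC
# (\\server\share) locations. Sample messages are constructed.
from html.parser import HTMLParser
from typing import List, Tuple

# Attributes whose value a mail client will fetch or follow.
URL_ATTRS = ("src", "href", "background", "data")


def is_local_network_ref(value: str) -> bool:
    """True for file: URLs, smb: URLs and UNC paths. Protocol-relative
    http references ("//cdn...") are not flagged."""
    v = value.strip().lower()
    return v.startswith("file:") or v.startswith("\\\\") or v.startswith("smb:")


class LocalRefScanner(HTMLParser):
    """Collects (tag, attribute, value) for every reference that would make a
    Windows client open an SMB connection just by rendering the message."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases attribute names and unescapes entities for us
        for name, value in attrs:
            if value and name in URL_ATTRS and is_local_network_ref(value):
                self.findings.append((tag, name, value))


def scan_html(body: str) -> List[Tuple[str, str, str]]:
    """Return every suspicious reference found in an HTML mail body."""
    scanner = LocalRefScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


# Constructed samples: the first mirrors the slide's embedded image, the
# second is an ordinary marketing mail, the third uses a UNC path instead.
SUSPICIOUS_MAIL = ('<html><body><p>Hi!</p>'
                   '<img src="file://server/img.gif" width="1" height="1"></body></html>')
BENIGN_MAIL = ('<html><body><img src="https://www.example.com/logo.png">'
               '<a href="https://www.example.com/">site</a></body></html>')
UNC_MAIL = '<html><body><img SRC="\\\\server\\share\\pixel.gif"></body></html>'

if __name__ == "__main__":
    for label, body in (("suspicious", SUSPICIOUS_MAIL), ("benign", BENIGN_MAIL), ("unc", UNC_MAIL)):
        print(label, scan_html(body))
```

Flagging at the gateway is only one side of the mitigation the slide implies: the other is egress filtering, so that a client which does try to reach an external SMB server on TCP 445 or 139 cannot complete the connection, and the NTLM retirement mentioned on the mitigations slide.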

Page 28: Pentest Tricks – Account Harvesting

► Given any sufficiently sized community of users, some of them will have terrible passwords
► Any flaw within the application (especially third party applications, as they usually don’t require complexity) that will allow us to list user accounts is of interest
► Other methods involve scripted searching of search engines
► Allows us to create a user list and attempt to run a password brute forcing tool like Medusa
► Works on multiple systems and protocols (SSH, HTTP, SMB, etc.)
► Attempt a number of stupid passwords – blank, password, username, name of target, etc.
► If we get a hit, we’ll try for Remote Desktop or Citrix systems
► One team member working on census data for “blind” name lists

Page 29: Pentesting Tricks – Wireless

► WEP and WPA-PSK are trivial to crack with the suite of aircrack security tools and a Linux laptop with appropriate cards and
► Typically requires monitoring an active network for approximately an hour or less – from wherever the signal can be had
► Need to have good enough snooping ability to be able to see the client side of the conversation to do it well
► If things aren’t happening fast enough, can disassociate the client and force them to reconnect to the wireless system to create more “crackable” packets
► Once on wireless, look for ways to the corporate network, insecure systems, dual-homed systems, weak access lists, etc.
► Advanced wireless security devices can improve security drastically and send alerts on activity.

Page 30: Pentesting Tricks – Flash Drives

► Flash drives are a problem – not just for data getting lost but for hacks
► A U3 style flash drive has two partitions – a read-only partition that looks like a CD-ROM to the operating system and a writable partition that looks like removable media
► Many computers configured to auto-run CD partitions automatically
► It is possible to use some U3 hacking software to change the CD-ROM partition to have anything you want
► Install remote control programs such as Meterpreter that phone home through the firewall, create VNC sessions, dump password hashes, etc.
► Even if autorun is turned off, it may be possible to infect a machine with a modified desktop.ini file (for example one that links to our Samba server)
► Configure a few flash drives with labels like “finances” or “pr0n” and leave them laying around

Page 31: Pentesting Tricks – Social Engineering

► Humans have a tendency to be inherently helpful (and undertrained)
► A person with enough “guts” to walk into a building or make a cold telephone call will have a decent chance of success w/ big numbers
► Just walk in via piggybacking, or just carrying something heavy after lunch when people are returning in droves
► Often are able to get helpdesk people and call centers to disclose information that would normally require a breach disclosure
► Another way to leverage this is through forged e-mails that link to a piece of malware
► One way is to send emails “download this program to bypass your I.T. department’s firewall” (this finds people you really want to know about)
► Another way is to register look-alike domains and then send e-mails that are forged to appear to be coming from legitimate I.T. department employees

Page 32: Pentest Tricks – Windows Hashes

► By default, Windows stores a lot of password hashes on local machines such as the local admin password, and cached user credentials
► This is why, for example, you can log into your laptop even when not connected to your corporate LAN
► It also means that if we can find even ONE decent way into your Windows network, we can probably exploit “chains of trust” to get into a number of other machines
► Using software like fgdump can dump the hashes and then either crack them to reveal the password, or use the hash in encrypted form via pass-the-hash
► Then leapfrog from one system to another using credentials that work on multiple hosts (especially local admin users)
► Can almost always get domain admin rights this way
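Added example, not from the presentation: detection logic for two of the tricks above, the Account Harvesting slide (a harvested user list tried against a few stupid passwords) and this Windows Hashes slide (one local-admin credential reused host to host), run over constructed authentication log lines. The key=value log format, the host names, user names and addresses are all assumptions made for the example, not from any real environment or log product.

```python
# Added example, not code from the presentation: detection logic for
# password spraying and for lateral-movement "fan-out", run over constructed
# authentication log lines in a simple key=value format (format, hosts,
# users and addresses are all assumptions).
import re
from collections import defaultdict
from typing import Dict, List

# Constructed log: a normal morning, one outside address working through a
# user list against the mail server, then one account hopping across hosts.
AUTH_LOG = """\
2015-01-29T08:00:01 host=WS12 user=jdoe src=10.0.5.20 result=SUCCESS
2015-01-29T08:00:09 host=WS12 user=asmith src=10.0.5.21 result=FAIL
2015-01-29T08:00:12 host=WS12 user=asmith src=10.0.5.21 result=SUCCESS
2015-01-29T08:01:00 host=OWA01 user=jdoe src=203.0.113.7 result=FAIL
2015-01-29T08:01:01 host=OWA01 user=asmith src=203.0.113.7 result=FAIL
2015-01-29T08:01:02 host=OWA01 user=bjones src=203.0.113.7 result=FAIL
2015-01-29T08:01:03 host=OWA01 user=clee src=203.0.113.7 result=FAIL
2015-01-29T08:01:04 host=OWA01 user=dkim src=203.0.113.7 result=FAIL
2015-01-29T08:01:05 host=OWA01 user=epark src=203.0.113.7 result=FAIL
2015-01-29T09:10:00 host=WS15 user=Administrator src=10.0.5.20 result=SUCCESS
2015-01-29T09:10:30 host=FS01 user=Administrator src=10.0.5.20 result=SUCCESS
2015-01-29T09:11:00 host=DC01 user=Administrator src=10.0.5.20 result=SUCCESS
2015-01-29T09:12:00 host=WS19 user=Administrator src=10.0.5.20 result=SUCCESS
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) result=(?P<result>SUCCESS|FAIL)$")


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_password_spraying(events: List[Dict[str, str]], min_users: int = 5) -> Dict[str, List[str]]:
    """One source failing against many *distinct* accounts: the signature of
    a harvested user list being tried with a handful of common passwords.
    A single user mistyping their own password never crosses the threshold."""
    users_by_src = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            users_by_src[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in users_by_src.items() if len(users) >= min_users}


def detect_lateral_fan_out(events: List[Dict[str, str]], min_hosts: int = 3) -> Dict[str, List[str]]:
    """One account succeeding on many hosts from one source: the shape of a
    shared local-admin credential (or its hash) being replayed across hosts."""
    hosts_by_key = defaultdict(set)
    for e in events:
        if e["result"] == "SUCCESS":
            hosts_by_key[(e["user"], e["src"])].add(e["host"])
    return {f"{user}@{src}": sorted(hosts)
            for (user, src), hosts in hosts_by_key.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    evts = parse_log(AUTH_LOG)
    print("spraying:", detect_password_spraying(evts))
    print("fan-out:", detect_lateral_fan_out(evts))
```

Both detectors key on cardinality rather than volume, which is what distinguishes them from ordinary failures: a spray produces few attempts per account but many accounts per source, and credential reuse produces few logons per host but many hosts per account. On a real estate the thresholds and a time window would be tuned against baseline, and the fan-out rule would exclude known management hosts that legitimately touch every machine.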

Page 33: The Lucrative World of Malware and “Bot Herding”

► People are making money! Millions of dollars!
► There are entire economies based on computer crime:
  » Hackers: Produce new exploits in common software and sell the “0 day” exploits to Bot Herders
  » Bot Herders: Use the new exploits to distribute malware to end users. These are used for Denial of Service extortion, spamming, stealing network or PII information, click advertisement abuse, etc. They sell their harvested information to criminals.
  » Criminals: Use their obtained credit card and bank account information to perpetuate financial crimes and pay for further development (and banner ads!)

Page 34: datalossdb.org

► Site is fairly self explanatory…

Page 35: datalossdb.org

► Site is fairly self explanatory…

Page 36: Mitigating End User Infections

► The most important step to take is to DO ASSESSMENTS! You may not know your actual level of risk!
► End user training is critical – especially for information classification and privacy, browsing, e-mail usage and social engineering topics
► Secure networks – good wireless, egress filters, Intrusion Prevention Systems, Log Review and Security Incident Management (SIM) software among others
► Secure applications and operating systems – especially Windows, databases and third party applications! Get rid of NTLM (see Win7)
► Minimize chains of trust – eliminate caching of credentials, wipe currently cached credentials, and use different passwords.
► Minimize the use of admin rights – log in as an end user whenever possible!
► And much, much more….

Page 37: Resources

► NIST 800-53 – a great set of security guidelines and controls: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
► SANS – excellent technical security training at http://www.sans.org
► HTCIA – a good place to learn about computer crime - The High Tech Crimes Investigators Society at http://www.htcia.org
► OWASP – an excellent resource for best practices on secure (web) application development at http://www.owasp.org
► ISACA – good internal controls training and information security auditing certification programs at http://www.isaca.org
► ISC(2) – good information security professional certification programs at http://www.isc2.org
► CDW – a competent company that does penetration testing and security audits – at http://www.cdw.com

Page 38: Questions and Comments?

This presentation available upon request

Mark Lachniet
Promethean Security
[email protected]