Monday, May 23, 2016

Air Gap Systems Infected via USB Flash Drive (Week 11)

An air-gapped device or system is one that is neither connected to the Internet nor connected to other systems that are connected to the Internet. Air gaps are generally implemented where the system or network is classified, a payment network that processes credit and debit card transactions, or an industrial control system that operates critical infrastructure. Traditionally, air gap means the device or network is physically isolated from the Internet, and data can only pass to it via a USB flash drive, CD/DVD, other removable media, or a FireWire cable connecting two computers directly.

If I had a nickel for every time I heard, “We are secure because the system is not connected to the Internet, thus there is no need to implement information system controls because physical controls are sufficient,” I would be rich. In the past and still today, people and organizations believe an air gap is more secure, since it would require an attacker to have physical access to breach it. However, recent attacks involving malware that spreads via infected USB flash drives have given the lie to this belief.

One of the most famous compromises of an air-gapped system is Stuxnet, which was designed to sabotage centrifuges used at a uranium enrichment plant in Iran. More recently, evidence has shown that air-gapped systems can also be attacked through radio waves (Zetter, 2014).

I came across two different attacks on air-gapped systems over the last two months involving USB flash drive malware. The first is the "USB Thief," also described as Win32/PSW.Stealer.NAI, which was found by ESET. The malware consists of six files: four are executables and the other two are configuration data. Each instance of this trojan is bound to the particular USB device on which it is installed; it leaves no evidence on the compromised system and protects itself from being reproduced or copied. The malware is designed to exfiltrate data from the target system. The absence of a control server indicates a hands-on campaign, where the device is carried to the target in person or by an insider. Furthermore, there are indications that the USB Thief developers conducted testing to make sure the trojan worked properly under a variety of different scenarios. The malware won't install itself if the target machine is running antivirus software from Kaspersky Lab or G Data (Owano, 2016). For more information, see http://arstechnica.com/security/2016/03/stealthy-malware-targeting-air-gapped-pcs-leaves-no-trace-of-infection/?utm_medium=email&utm_source=flipboard.

Second, a nuclear power plant in Germany was found to be infected with computer viruses. The viruses found included W32.Ramnit and Conficker, at the Gundremmingen plant's B unit and on 18 removable data drives. W32.Ramnit is designed to steal files from infected computers, targets Microsoft Windows software, and is intended to give an attacker remote control over a system when it is connected to the Internet. Conficker has infected millions of Windows computers worldwide since 2008. It is able to spread through networks and by copying itself onto removable data drives (Steitz & Auchard, 2016).

Air-gapped devices and networks can give a false sense of security through obscurity. Obscurity is not a control method; security professionals have to methodically identify assets and determine the threats to them, including the vulnerabilities that can be exploited in every device and system.

References: 

Zetter, K. (2014, December 08). Hacker Lexicon: What is an Air Gap? WIRED. Retrieved May 23, 2016, from https://www.wireed.com/2014/12/hacker-lexicon-air-gap/

Owano, N. (2016, March 26). USB malware goes after air-gapped computers. Retrieved May 23, 2016, from http://techxplore.com/news/2016-03-usb-malware-air-gapped.html?utm_medium=email

Steitz, C., & Auchard, E. (2016, April 27). German nuclear plant infected with computer viruses, operator says. Retrieved May 23, 2016, from http://www.reuters.com/article/us-nuclearpower-cyber-germany-idUSKCN0XN2OS?utm_medium=email

Saturday, May 21, 2016

Physical Controls are Susceptible to Cyber Attacks (Week 10)

Information security is not complete without securing physical access to information resources. Physical break-ins into locations that contain information system components have historically been viewed as traditional property crimes where trespass, theft, and vandalism were the motives. Physical security involves more than stopping human intruders: these controls are more than ever reliant on computing devices and are connected to information systems. This posting is to bring attention to the fact that protecting an asset is more than a logical matter; it takes a defense-in-depth strategy that minimizes the impact of a threat by protecting the physical controls themselves.

On April 4, 2016, it was reported that a devastating vulnerability in door controllers used at airports and hospitals allowed doors to be opened or jammed from remote computers over the Internet. The vulnerabilities affect HID's flagship VertX and Edge controllers. The attack only requires sending a few UDP packets carrying a command injection to the vulnerable LED-blinking service, and it does not require any authentication. The command injection vulnerability exists in this function because the user-supplied input fed to the system is not sanitized at all. Instead of the number of times to blink the LED, a Linux command wrapped in backticks, like `id`, will be executed by the Linux shell on the device. Furthermore, the discovery service runs as root, so every command sent will be run as root, giving the attacker complete control over the device (Pauli, 2016).
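As an added example (not HID's firmware or code from the article), here is the unsanitized input handling described above beside a hardened version, in Python; the helper binary path, the "blink count" field name, and the blink limit are assumptions:

```python
import re
import subprocess

# Added illustration of the flaw described above, not HID's firmware.
# Assumptions: the discovery service has a "blink count" request field
# and calls a helper binary (path below is made up) to blink the LED.
BLINK_TOOL = "/usr/bin/blink-led"  # assumed helper binary on the device
MAX_BLINKS = 100                   # assumed sane upper bound for a blink request


def build_blink_command_unsafe(count_field: str) -> str:
    """Vulnerable pattern: the request field is pasted into a shell
    command string with no validation, so shell metacharacters in the
    field (backticks, $(...), ';') would be interpreted by the shell.
    The string is only built here, never executed."""
    return f"{BLINK_TOOL} {count_field}"


def parse_blink_count(count_field: str) -> int:
    """Allow-list validation: the field must be a short plain decimal
    integer inside the expected range; everything else is rejected."""
    if not re.fullmatch(r"[0-9]{1,3}", count_field):
        raise ValueError(f"blink count is not a plain integer: {count_field!r}")
    count = int(count_field)
    if not 1 <= count <= MAX_BLINKS:
        raise ValueError(f"blink count out of range: {count}")
    return count


def build_blink_argv_safe(count_field: str) -> list:
    """Hardened form: validate first, then build an argv list that is
    run without a shell, so metacharacters are never interpreted even
    if the validation were loosened later."""
    count = parse_blink_count(count_field)
    return [BLINK_TOOL, str(count)]


def blink_led(count_field: str) -> int:
    """Executes the hardened command (shell=False). Ideally the service
    itself would also run as an unprivileged user rather than root, so a
    future bug cannot hand over the whole controller. Not run in tests."""
    return subprocess.run(build_blink_argv_safe(count_field), check=False).returncode


def is_injection_attempt(count_field: str) -> bool:
    """Detection helper for reviewing logged request fields: flags a
    blink count that carries shell metacharacters instead of digits."""
    return re.search(r"[`$;|&<>()]", count_field) is not None
```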

In a separate article, hackers demonstrated how to gain access to offices with cloned access cards built from $700 worth of components purchased from Amazon and eBay. The test was conducted on a power company. The researcher visited the company posing as a student who requested a tour. The researcher was carrying a laptop capable of intercepting the unencrypted communication between an employee access card and the RFID badge reader of the access control system used to open and close doors. The attacker can then write the captured data onto a fake employee badge (Paganini, 2016).

For more information on RFID hacking tools, including videos, see
http://www.bishopfox.com/resources/tools/rfid-hacking/attack-tools/ and http://hackaday.com/2013/11/03/rfid-reader-snoops-cards-from-3-feet-away/.

References:

Pauli, D. (2016, April 4). 'Devastating' bug pops secure doors at airports, hospitals. Retrieved May 21, 2016, from http://www.theregister.co.uk/2016/04/04/devastating_bug_pops_secure_doors_at_airports_hospitals/?utm_medium=email

Paganini, P. (2016). Hackers can break into a facility by spending $700 on Amazon or eBay. Retrieved May 21, 2016, from http://securityaffairs.co/wordpress/47125/hacking/rfid-access-card-hack.html?utm_medium=email

Friday, May 13, 2016

Bangladesh Heist - Programmatic Issues (Week 9)

The Bangladesh Bank heist, at $81 million, is one of the largest single thefts from a bank in history. In February 2016, the attacker(s) obtained credentials and then initiated dozens of requests to the Federal Reserve Bank of New York to move money from Bangladesh to accounts in the Philippines and Sri Lanka. The remaining transactions were stopped because the attacker(s) made a spelling error, writing “foundation” as “fandation,” which caused a routing bank to question the Bangladesh Bank transactions. This error was the difference between losing $81 million and losing $1 billion. The initial investigation into this incident determined that gaining access to the Bangladesh Bank system required little effort because of vulnerabilities rooted in programmatic policies. The Bangladesh Bank didn’t implement basic network architecture fundamentals such as a firewall, and the router that connected to the Society for Worldwide Interbank Financial Telecommunication (SWIFT) global payment network appeared to be inadequate from a security and functional standpoint, because, for reasons of cost, neither the device itself nor its configuration allowed logging of traffic (Beck, 2016).

Early in the investigation, SWIFT indicated that the attack was related to an internal operational issue at Bangladesh Bank and that SWIFT's core messaging services were not compromised. It appears that the Bangladesh Bank focused more on physical security than on the security of logical access. The SWIFT room is a windowless room, roughly 12 feet by 8 feet, located on the eighth floor of the bank's annex building in Dhaka. There are four servers and four monitors in the room. All transactions from the previous day are automatically printed on a printer in the room. It wasn’t until after the initial incident that SWIFT officials advised the bank to upgrade the switches because they were old. Furthermore, it appears that the SWIFT system at the Bangladesh Bank is part of the general bank network instead of being segregated to reduce lateral movement by the attacker(s) (Quadir, 2016).

SWIFT is a cooperative owned by 3,000 financial institutions, and its messaging platform is used by 11,000 banks and other institutions around the world. In the further investigation of the incident up to April 2016, SWIFT indicated that the global financial system could be more vulnerable than previously understood because of the vulnerabilities that enabled the attacker(s) to modify SWIFT’s client software. The client software was attacked by malware dubbed “evtdiag.exe”. This malware was designed to hide the attackers' tracks by changing information about transfer requests in a SWIFT database at Bangladesh Bank, and it was likely part of a broader attack toolkit installed after the attackers obtained administrator credentials. Once the malware established a foothold, it deleted records of outgoing transfer requests from the database, intercepted incoming messages confirming transfers, manipulated account balances in logs, and manipulated the printer that produced hard copies of transfer requests so that the bank would not identify the attack through those printouts (Finkle, 2016).

For more detail on the intricacies of the malware, see http://baesystemsai.blogspot.co.uk/2016/04/two-bytes-to-951m.html?utm_medium=email&utm_source=flipboard.

In the continued investigation through May 13, 2016, there is further evidence backing my initial assessment that the root cause was programmatic failures. The country’s law enforcement agency indicated that technicians from the network (SWIFT) introduced weaknesses when it was first connected to Bangladesh’s first real-time gross settlement (RTGS) system last year. The technicians' missteps include: going against security protocols, such as using a “simple password”; establishing a wireless connection with remote access to computers in the locked SWIFT room; linking the RTGS and its 5,000 publicly accessible central bank computers to SWIFT; failing to disconnect a USB port on the SWIFT system; using a rudimentary old switch they had found unused in the bank; and failing to implement a firewall between the RTGS and the SWIFT room. Furthermore, it was SWIFT's responsibility to check for weaknesses once they had set up the system, yet no artifacts have been produced to show that this was done (Brook, 2016).

On May 12, 2016, SWIFT stated that it had been hit by another malware attack on its systems. SWIFT is urging customers to review the controls in their payments environments, messaging, and e-banking channels. This includes everything from employee checks to password protection to cyber defense. The new malware involves the PDF reader that banks use to open SWIFT messages, which are sent to financial institutions telling them what money to send where. Experts believe this new discovery is not a single occurrence but part of a wider and highly adaptive campaign in which the attacker(s) clearly exhibit a deep and sophisticated knowledge of specific operational controls (Smith, 2016).

BAE Systems has been conducting the investigation of this incident since the beginning. As of today, May 13, 2016, BAE Systems has linked this attack to the November 2014 Sony hack. The similarities between the attacks include the names of programming elements and the encryption keys, which is consistent with a single coder. This is likely to draw scrutiny because the White House has attributed the Sony attack to North Korea (Fox News, 2016).

It is very easy to point to the technical errors; however, these missteps could be reduced and caught if the programs administering cyber security and operations management were in place. Programmatic functions include basic fundamentals, baseline standards, management support, technical expertise, oversight, and continuous monitoring in the form of formal and informal reviews. In most cases the security posture is indicative of the programmatic elements.

References:

Beck, K. (2016, April 22). Hackers steal $81 million from a bank that had no firewall. Retrieved May 13, 2016, from http://mashable.com/2016/04/22/bank-hackers-firewall/?utm_medium=email

Quadir, S. (2016). Bangladesh Bank exposed to hackers by cheap switches, no firewall: Police. Retrieved May 13, 2016, from http://www.reuters.com/article/us-usa-fed-bangladesh-idUSKCN0XI1UO

Finkle, J. (2016). Exclusive: Bangladesh Bank hackers compromised SWIFT software, warning to be issued. Retrieved May 13, 2016, from http://www.businessinsider.com/r-exclusive-bangladesh-bank-hackers-compromised-swift-software-warning-to-be-issued-2016-4?utm_medium=email

Shevchenko, S. (2016, April 25). BAE Systems Threat Research Blog. Retrieved May 13, 2016, from http://baesystemsai.blogspot.co.uk/2016/04/two-bytes-to-951m.html?utm_medium=email

Brook, C. (2016). Police Allege SWIFT Technicians Left Bangladesh Bank Vulnerable. Retrieved May 13, 2016, from https://threatpost.com/police-allege-swift-technicians-left-bangladesh-bank-vulnerable/117937/?utm_medium=email

Smith, M. N. (2016). One of the world's biggest money transfer systems discovered a 'wide and highly adaptive' hacking campaign. Retrieved May 13, 2016, from http://www.businessinsider.com/swift-cyber-attack-hack-malware-wide-highly-adaptive-2016-5?utm_medium=email

Fox News. (2016). Cyber security firm reportedly ties Bangladesh bank heist to Sony attack | Fox News. Retrieved May 13, 2016, from http://www.foxnews.com/tech/2016/05/13/cyber-security-firm-reportedly-ties-bangladesh-bank-heist-to-sony-attack.html?utm_medium=email

Friday, May 6, 2016

Free isn't Free (Week 8 - We Cause Our Own Privacy Breach)

The weakest link in any system is the human factor. Most people live their lives and read about breaches of governments, corporations, financial institutions, and small businesses, including breaches of other people's privacy. Yet we don’t think twice about the fact that we are the ones making our privacy vulnerable and breaching it ourselves.

Why do we put our privacy at risk? We risk our privacy for free applications and services because of a legalized social engineering attack close to “baiting”. Baiting is the promise of an item or good to entice us into handing over our privacy in exchange.

Who hasn’t heard of tech companies such as Microsoft and Google? Yet their business models violate our privacy. For some time now, Windows 10 has been free for those upgrading from Windows 7 and 8. Windows didn’t use to be free, and nothing in life is ever really free, right? This month Microsoft announced its Q3 results and stated that the free operating system created a $1.5 billion hole in its revenues. If Windows 10 is “free,” why the hard-line push of Windows 10 upgrades on Windows 7 and Windows 8 users (see video below)?

Using the default settings gives Windows 10 an incredible amount of user data, although anonymized, and absolute control over updates and the installation of new features and services. Microsoft clearly feels entitled to use Windows 10 to push users towards its own products. Several Windows 10 updates switched user preferences back to Microsoft solutions, then automatically deleted some third-party apps and tools. Since then the company has declared that all attempts to use rival search engines in the Windows 10 search bar would be blocked and that all results must load in Edge, no matter the user’s default browser (Kelly, 2016). You can help protect your privacy by reviewing your settings: http://lifehacker.com/what-windows-10s-privacy-nightmare-settings-actually-1722267229.

When you use Google, you are making a deal. You get to use services like Gmail, Drive, search, YouTube, and Google Maps for free. In exchange, you agree to share information about yourself that Google can share with advertisers so their ads are more effective. No longer content to vacuum up, scan, index, and sell analytics based on the content of our texts, emails, searches, locations, and more, Google now has a new target: tapping, mapping, and colonizing the networks wiring our lives. As an example, while being sued by 38 states, Google admitted that its cars outfitted with roof cameras facing four directions were not just taking pictures; they were collecting data from computers inside homes and structures, including “passwords, e-mails and other personal information from unsuspecting computer users,” the New York Times reported. In another example, a federal judge refused to dismiss a potential class-action lawsuit brought by Gmail users who objected to its practice of analyzing the content of all the messages on its network and selling byproducts to advertisers (Rosenfeld, 2014). You can see what Google is watching, what Google thinks it knows about you, and what it's telling advertisers.

Here are some of the things companies and data brokers collect about people (some are more common than others):
  • Name, age, birthday, and gender
  • Physical address, phone numbers, email address
  • Social Security Numbers and driver's license
  • Height and weight
  • Language you speak
  • Marital status
  • Who lives with you
  • Education level and occupation
  • Political party
  • What you buy
  • Friends on social media
  • How much social media you use: Facebook, Twitter, and LinkedIn
Note: To see a more complete list of data that is collected visit, http://time.com/money/2819049/data-brokers-online-privacy-tools/.

This is not an exhaustive list. The general population doesn’t know that it only takes two data points of personally identifiable information to uniquely identify someone. How do companies know all this? Whenever you post information online, register on a website, shop, or submit a public record like a mortgage or voter registration, data brokers collect the information and then turn around and sell what they have on you.

The only way to fully protect yourself is to live in a box and never crawl out; however, there are some actions a person can take to reduce the data leak they created themselves:
  • Delete Cookies: cookies let websites collect information about what else you do online.
  • Log Out of Social Media Sites While You Browse the Web
  • Change Your Smartphone’s Privacy Settings
  • Employ Advanced Online Tools: disconnect.me, DuckDuckGo, Tor
  • Opt-out of Data Collection
  • Digital Checkup: check privacy settings on popular sites like Facebook, Amazon, and Twitter
  • Online Profile: never give out any real information about yourself unless absolutely necessary and create a disposable email account
  • Delete your unused online accounts
  • Block "third-party" cookies
  • Go private with your browsing
  • Use anti-tracking software (Ghostery)
  • Use HTTPS whenever possible
  • Sign up for a VPN service
  • Do not reply to spammers
Remember that YOU decide what information about yourself to reveal: when, why, and to whom. Note that this topic mentioned two services that may garner attention from government authorities. A newly approved rule change (Rule 41) by the U.S. Supreme Court will allow the FBI to search and seize any computer around the world found to be using privacy tools like a VPN or Tor (TechWorm, 2016).

References:

Kelly, G. (2016, April 29). 'Free' Windows 10 Reveals Its Expensive Secret. Retrieved May 06, 2016, from http://www.forbes.com/sites/gordonkelly/2016/04/29/free-windows-10-cost-expensive-secret/?utm_medium=email

Rosenfeld, S. (2014, February 5). 4 ways Google is destroying privacy and collecting your data. Retrieved May 06, 2016, from http://www.salon.com/2014/02/05/4_ways_google_is_destroying_privacy_and_collecting_your_data_partner/

Google. (n.d.). One account. All of Google. Retrieved May 06, 2016, from https://history.google.com/history/

Google. (n.d.). Control Your Google Ads. Retrieved May 06, 2016, from https://www.google.com/settings/ads/anonymous?hl=en

Brandeisky, K. (2014, June 5). 7 Ways to Protect Your Privacy Online. Retrieved May 06, 2016, from http://time.com/money/2819049/data-brokers-online-privacy-tools/

Mitchell, R. L. (2014). The paranoid's survival guide, part 1: How to protect your personal data. Retrieved May 06, 2016, from http://www.computerworld.com/article/2488068/data-privacy/the-paranoid-s-survival-guide-part-1-how-to-protect-your-personal-data.html?page=4

McCandlish, S. (2002). EFF's Top 12 Ways to Protect Your Online Privacy. Retrieved May 06, 2016, from https://www.eff.org/wp/effs-top-12-ways-protect-your-online-privacy

TRUSTe. (n.d.). Personal Privacy Tips - TRUSTe. Retrieved May 06, 2016, from https://www.truste.com/consumer-resources/personal-privacy-tips/

Prabhu, V. (2016). Tor & VPN users labeled as criminals will be hacked & spied by FBI under new law. Retrieved May 06, 2016, from http://www.techworm.net/2016/05/tor-vpn-users-labeled-criminals-hacked-spied-fbi-new-law.html