Small Business Attack – Malware (yes, again)
- At October 07, 2009
- By Josh More
- In Business Security
- 0
I’ve posted about the current run of banking malware before. For a quick review, this is malware that sits on your computer and waits for you to access your online banking site. Once you’re logged in, it watches what you do and then surreptitiously transfers money out of your account to the attacker. I’m posting about it again because of the new wrinkle:
It will now alter what your browser shows to you, so that you don’t see the unauthorized transfers.
Essentially, the malware knows what you expect to see and shows you that, while it is simultaneously lurking under the radar of banks and avoiding their anti-fraud systems. For those that want more details, read this, this, this and this.
For everyone else, try the following:
1) Check your banking statements very carefully. Most home users have at least 30 days to challenge a transfer, but business users only get 2.
2) Work with your bank to implement a call-back mechanism so that you can approve transfers.
3) See if you can set aside a dedicated system that is used only for banking. Leave it unplugged and turned off unless you’re using it or patching it.
4) Keep all of your other systems patched and run a decent anti-malware system.
Review – Apache Security
- At October 02, 2009
- By Josh More
- In Business Security
- 0
I’ve had the book Apache Security for a while now, so I thought I’d give it a quick review.
Like most O’Reilly books, it’s well thought out and fairly complete. Unsurprisingly, it focuses on the standard LAMP stack, giving advice on building and deploying Apache and hooking in PHP and SSL. Ruby seems to be missing, and Perl is only discussed within a chroot environment. It discusses performance tuning a bit, in the guise of protection against DoS, and then moves on to issues in a shared hosting environment.
Much of what is in this book is more general than just Apache, so it’s best to consider this as a general security book for people running both Linux and Apache, and ideally using PHP and MySQL. It would be less useful to people running Apache on Windows or to people using less common languages. However, it is very good for the basics:
- Installing Apache
- Hardening Apache
- Setting up chroot
- Hardening PHP
- Configuring logging and access
- Understanding web attacks
Where it seems to lack a bit is:
- It presumes that the reader will install Apache from source, whereas most admins these days will install from a package. More advice on hardening a packaged Apache in the SuSE, Red Hat and Ubuntu/Debian environments would be useful.
- There is no mention of AppArmor or SELinux (which, to be fair, were pretty new when this book came out). A second edition will have to have these, as they are a key way to protect Apache against itself.
- A few pages on how to use Suhosin to protect PHP applications would be good.
- A section on protecting Ruby and one on Perl would be good. While it is certainly true that no book can cover everything, PHP, Perl and Ruby are the three most common languages in the LAMP world and should probably be addressed, at least in passing.
- While we’re at it, a section on hardening MySQL wouldn’t be out of place, as the book is more of a LAMP book than an Apache book anyway.
I recommend this book for the beginner to moderate admin, be they a web admin or in the security space. However, experienced people may not find much new in here. I would, however, love to see a second edition released.
Review – A Smart Girl's Guide To The Internet
- At September 25, 2009
- By Josh More
- In Business Security
- 0
A year or so ago I ran across the American Girl Smart Girl’s Guide series. I had heard some good things about the company and the books looked well written, so I picked up a few at a booksale and gave them to a friend whose daughter was approaching the right age. Recently, he reported that his daughter was finding them useful.
So, when I ran across A Smart Girl’s Guide to the Internet at a used bookstore, I picked it up. The book is clearly written for younger readers. It’s segmented by what kids do online and written in a way so as not to be insulting but still be useful. What I particularly liked is how it directly addresses real issues while still referring the kids to parental authority if they have any questions.
Some items of interest:
- There is a general stress on intelligence, or as they put it: smarts not software.
- An ongoing discussion about privacy and why it’s important, including what counts as personal information and why it should be protected.
- A running analogy of online threats to real-life threats.
- What to do when the inevitable happens and a kid is put in an uncomfortable position due to either social interaction or accidental browsing.
- Bullying and social snubbing.
- How to only connect with people you know personally instead of strangers.
- How to create content without putting yourself or your friends at risk.
To someone who has been working in the I.T. Security industry for a while, there is nothing new here. However, if you are a parent of or know parents of young girls, this is a great book for them to read. (Technically, it would be good for young boys too, but it’s unlikely that the majority of them would actually read it, as it is clearly branded for girls.) It’s nice to see a book like this being made available.
Small Business Attack – Rogue Wireless Detection
- At September 24, 2009
- By Josh More
- In Business Security
- 0
The best way to prevent rogue wireless access points from appearing on your network is to set up the network to make it more difficult. Though it is more work to lock down a network so that only specific MAC addresses can connect, and only on specific switch ports, it does go a long way toward preventing unauthorized devices from magically appearing on the network. Bear in mind that this raises the bar rather than closing the door: a MAC address can be copied from a legitimate device, so treat port lockdown as one layer and keep looking.
Of course, this sort of approach is not always feasible. In those situations, you have to go one step further and run periodic scans for unauthorized devices. Tools commonly used in wardriving, such as NetStumbler and Kismet, can also be used to find wireless access points in your own building.
When using such a tool, the first job is to identify what “normal” is. Begin with a visual inspection of every network port in your location, so that you are not starting with a rogue WAP already on your network. Once you have done the visual sweep, run one of the tools and get a feel for what is normally present in your environment. After a day or so (sometimes more), you will have a list of the wireless networks in range. Track each of them down and identify it as legitimate, either yours or a neighbor’s, before it goes on your baseline.
Then, on a periodic basis, rescan and check for new access points, making sure that the list isn’t changing on you. Compare on the access point’s MAC address (the BSSID), not just the network name, since an attacker’s access point can advertise the same name as yours. If the list is changing, you might have a problem.
It is important, however, to stress that this is not a perfect solution. You will likely still need to inspect your network visually from time to time and verify that there are no new devices floating around. Make sure that no laptops are set up to bridge a connection to the outside world. Do your best to lock down the network. Then, when you’ve done all you can do, scan to fill in the holes.
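A concrete way to do the baseline-and-compare step above, as an added example rather than anything from the original post: a short Python script that parses the output of `iwlist wlan0 scanning` (the Linux wireless-tools scanner; NetStumbler and Kismet write their own formats, but the comparison logic is the same), keys everything on the access point’s BSSID, and reports whatever is not in the baseline. The scan text, the baseline entries and the network names are all constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple, NamedTuple


class AccessPoint(NamedTuple):
    bssid: str        # the access point's MAC address; the stable identifier
    essid: str        # the advertised network name, trivially copied by an attacker
    channel: int
    encrypted: bool
    signal_dbm: int


# Constructed sample of what `iwlist wlan0 scanning` prints on a Linux laptop.
# Addresses and network names are invented for this example.
SAMPLE_SCAN = """\
wlan0     Scan completed :
          Cell 01 - Address: 00:1A:2B:3C:4D:5E
                    ESSID:"OfficeNet"
                    Mode:Master
                    Frequency:2.437 GHz (Channel 6)
                    Encryption key:on
                    Quality=68/70  Signal level=-42 dBm
          Cell 02 - Address: 00:1A:2B:3C:4D:5F
                    ESSID:"OfficeNet"
                    Mode:Master
                    Frequency:2.462 GHz (Channel 11)
                    Encryption key:on
                    Quality=60/70  Signal level=-50 dBm
          Cell 03 - Address: 00:0C:43:11:22:33
                    ESSID:"OfficeNet"
                    Mode:Master
                    Frequency:2.412 GHz (Channel 1)
                    Encryption key:off
                    Quality=70/70  Signal level=-35 dBm
          Cell 04 - Address: 00:16:B6:AA:BB:CC
                    ESSID:"CoffeeShop-Guest"
                    Mode:Master
                    Frequency:2.437 GHz (Channel 6)
                    Encryption key:off
                    Quality=30/70  Signal level=-80 dBm
"""

# Baseline from the initial sweep: every BSSID that was tracked down and
# identified as legitimate (yours or a neighbour's), mapped to the ESSID it was
# advertising at the time.  Hypothetical values.
BASELINE: Dict[str, str] = {
    "00:1A:2B:3C:4D:5E": "OfficeNet",
    "00:1A:2B:3C:4D:5F": "OfficeNet",
    "00:16:B6:AA:BB:CC": "CoffeeShop-Guest",   # next door, not ours
}
OUR_ESSIDS: Set[str] = {"OfficeNet"}


def parse_iwlist(text: str) -> List[AccessPoint]:
    """Turn iwlist's 'Cell NN - ...' records into AccessPoint tuples."""
    aps: List[AccessPoint] = []
    for cell in re.split(r"^\s*Cell \d+ - ", text, flags=re.M)[1:]:
        bssid = re.search(r"Address: ([0-9A-Fa-f:]{17})", cell).group(1).upper()
        essid = re.search(r'ESSID:"([^"]*)"', cell).group(1)
        channel = int(re.search(r"\(Channel (\d+)\)", cell).group(1))
        encrypted = re.search(r"Encryption key:(on|off)", cell).group(1) == "on"
        signal = int(re.search(r"Signal level=(-?\d+) dBm", cell).group(1))
        aps.append(AccessPoint(bssid, essid, channel, encrypted, signal))
    return aps


def find_rogues(aps: List[AccessPoint], baseline: Dict[str, str],
                our_essids: Set[str]) -> List[Tuple[str, str]]:
    """Compare a fresh scan against the baseline, keyed on BSSID rather than
    network name: an attacker can advertise your ESSID from their own box."""
    findings: List[Tuple[str, str]] = []
    for ap in aps:
        if ap.bssid in baseline:
            if baseline[ap.bssid] != ap.essid:
                findings.append((ap.bssid, f"known AP changed ESSID to {ap.essid!r}"))
            continue
        crypto = "encrypted" if ap.encrypted else "open"
        if ap.essid in our_essids:
            findings.append((ap.bssid, f"unknown {crypto} AP advertising our ESSID "
                                       f"{ap.essid!r} on channel {ap.channel}"))
        elif ap.signal_dbm > -60:
            findings.append((ap.bssid, f"new {crypto} AP {ap.essid!r}, strong signal "
                                       f"({ap.signal_dbm} dBm), probably inside the building"))
        else:
            findings.append((ap.bssid, f"new {crypto} AP {ap.essid!r}, weak signal "
                                       f"({ap.signal_dbm} dBm), identify it"))
    return findings


def missing_from_scan(aps: List[AccessPoint], baseline: Dict[str, str]) -> Set[str]:
    """Baseline APs that did not show up: unplugged, replaced, or out of range."""
    return set(baseline) - {ap.bssid for ap in aps}


if __name__ == "__main__":
    scan = parse_iwlist(SAMPLE_SCAN)
    for bssid, reason in find_rogues(scan, BASELINE, OUR_ESSIDS):
        print(f"ALERT   {bssid}: {reason}")
    for bssid in sorted(missing_from_scan(scan, BASELINE)):
        print(f"MISSING {bssid}: in baseline but not seen")
```

Run it once after the visual sweep to fill in BASELINE from whatever comes back, then on whatever schedule you settle on. Anything reported as advertising your own ESSID from a BSSID you don’t own deserves a walk around the building, and a new strong signal usually means the device is inside your walls.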
Good luck.
Small Business Attack – Rogue Wireless
- At September 23, 2009
- By Josh More
- In Business Security
- 2
The best attacks are often also the simplest. It’s easier to just steal someone’s wallet or purse than it is to hack into a vendor and download their credit card number. It’s easier to offer someone a chocolate bar for their password than it is to send them a phishing email and hope that it works. Similarly, it is easier to break into a network from the inside than it is from the outside.
For example, an attacker could stroll into your office, wait for a distraction, plug in a wireless access point, and then run any desired attacks from outside. Consider the WL-330, which is the size of a pack of cards (as is the DWL-G730AP). It’s easy to smuggle in and easy to set up. Then, all the attacker needs is an excuse to get into your building.
Of course, those can’t be hard to come by. After all, it’s not like your organization ever orders pizza, calls in for service to a printer or has a cleaning staff, right? I’m also sure that there is no secluded place that an attacker could sit with a laptop and run exploration tests. Most buildings don’t have parking lots, nearby coffee houses or bathrooms, right?
Oh, wait.
Maybe there is a problem.
Site Review – LinkedIn – Part 2
- At September 18, 2009
- By Josh More
- In Business Security
- 0
As a followup to my previous post on LinkedIn, I would like to recount a story that a friend told me the other day. I was visiting with Adam Steen of 25 Connections. Adam’s business is knowing people, and he knows pretty much everyone in the Des Moines business world. If you need a connection in this area, Adam is the guy to go to.
As with many of us in the small business world, he uses LinkedIn to help manage his contacts. However, his business is all about personal connections. This is great for his business, but does introduce a new type of attack that I had not previously considered.
Several months ago, Adam met someone who works in the financial industry. After a pleasant first meeting, he received a LinkedIn connection request. As we all do, he accepted the connection and thought no more of it. Then, last week, Adam got a call from a friend of his who informed him that this connection was using LinkedIn to call Adam’s friends and set up appointments. Of course, the friend accepted the appointment, because he believed that Adam trusted this person. After all, if Adam says someone’s good to work with, they usually are. However, Adam hadn’t actually vetted the connection. Instead, the attacker was using social engineering to make it appear as though he had. Once the appointment was made, Adam’s friend found himself sitting through one of the most uncomfortable high-pressure sales situations he had ever experienced.
So, how did this attack work?
First of all, it is entirely dependent on the nature of the social networking site. If the site is configured to allow your contacts to see one another, you have to consider whether the individuals to whom you are connecting are worth this level of trust.
Secondly, the attack is only useful if the connections are generally trustworthy. If Adam’s name hadn’t meant anything to the person being called, the appointment wouldn’t have been set up and the attack would have been foiled.
Third, if you have a number of close personal contacts who know you but not each other, and you use a social network that allows your friends to see one another, you may be vulnerable.
Now, in Adam’s case, he was able to identify the untrustworthy individual and remove him from his network. Since this particular variant was based on personal contact, the removal of the personal connection foils it. However, it would be trivial to make such an attack far more malicious. An attacker could forge an email from the trusted link that carries a malicious attachment or link. The target then, thinking that the message came from someone very trustworthy, would be fooled into running the code, allowing the attacker to get whatever information they wanted.
So, how do you protect yourself… and more importantly, your contacts?
Think about who you’re connecting to, and if you get a request from a friend of a friend, make sure that it’s legitimate. This could be as simple as picking up the phone and calling the purported shared link. (Odds are that you don’t talk often enough anyway.) Also, if you are in the habit of connecting people to one another, try to connect them at the same time. I find that it’s easiest to send an email to yourself and copy them both on it. That way, they get one another’s address, see that you are vetting them both, and you have a copy of the connecting email should you need it later. This also makes it more likely that someone who bypasses the process will be caught, as the approach would seem unusual from the start.
This may be a good time to review your contacts and make sure that they’re really what they should be.
Small Business Defense – Network Reconnaissance
- At September 17, 2009
- By Josh More
- In Business Security
- 0
Yesterday, we looked at the attacker’s view of Network Reconnaissance. Today we consider defenses. As before, your best defense is to segment your network, which limits what an attacker can see from any point on your network. However, there are some things that you can do to reduce the information that an attacker can see if they do get in.
The first is to limit what is actually running on each system. If you have workstations, ask yourself whether anyone needs to connect to them remotely. If not, turn off all listening services and turn on the local firewall. If so, work out which systems need to communicate and set up VLANs or local firewall rules so that access is only allowed from known-good systems.
Second is to identify the key systems that could be targeted. On those systems, in addition to the basic hardening you would do for a workstation, look at scan-detection tools like PortSentry (from the Sentry Tools project) or psad. As well, be careful to keep all systems up to date. Even if attackers get a network map, it isn’t much use to them if there is no way in.
Lastly, at the network level, there are a few other techniques that can be used. Implementing an intrusion detection system will alert you when someone runs a scan like this. Additionally, you could put a dedicated tarpit system on the network: it accepts connections on addresses and ports nothing should be using and holds them open, which slows an attacker down and makes the scan stand out. Of course, both of these solutions are sufficiently complex that they go beyond the scope of this blog post. However, this will hopefully help get you started.
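As an added illustration of the scan-detection point (this is not code from the original post, and it is not psad itself), here is the core of what a scan detector does with iptables LOG output: group dropped packets by source, and raise an alert when one source touches many distinct ports on a host, or many distinct hosts, inside a short window. The firewall rule, hostnames and addresses are assumptions for the example, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional


class Packet(NamedTuple):
    ts: datetime
    src: str
    dst: str
    proto: str
    dport: int


# Constructed syslog lines from an iptables rule such as
#   iptables -A INPUT -j LOG --log-prefix "DROP-IN: "
# placed just before the final DROP.  The file server address mirrors the
# page's scenario; the scanner's address and the timestamps are invented.
SAMPLE_LOG = """\
Sep 16 14:01:01 fileserver kernel: DROP-IN: IN=eth0 OUT= SRC=192.168.4.10 DST=192.168.4.254 LEN=52 TTL=128 ID=4321 PROTO=TCP SPT=49152 DPT=445 WINDOW=8192 SYN URGP=0
Sep 16 14:01:03 fileserver kernel: DROP-IN: IN=eth0 OUT= SRC=192.168.4.77 DST=192.168.4.254 LEN=44 TTL=48 ID=1 PROTO=TCP SPT=55123 DPT=21 WINDOW=1024 SYN URGP=0
Sep 16 14:01:03 fileserver kernel: DROP-IN: IN=eth0 OUT= SRC=192.168.4.77 DST=192.168.4.254 LEN=44 TTL=48 ID=2 PROTO=TCP SPT=55123 DPT=23 WINDOW=1024 SYN URGP=0
Sep 16 14:01:03 fileserver kernel: DROP-IN: IN=eth0 OUT= SRC=192.168.4.77 DST=192.168.4.254 LEN=44 TTL=48 ID=3 PROTO=TCP SPT=55123 DPT=25 WINDOW=1024 SYN URGP=0
Sep 16 14:01:04 fileserver kernel: DROP-IN: IN=eth0 OUT= SRC=192.168.4.77 DST=192.168.4.254 LEN=44 TTL=48 ID=4 PROTO=TCP SPT=55123 DPT=80 WINDOW=1024 SYN URGP=0
Sep 16 14:01:04 fileserver kernel: DROP-IN: IN=eth0 OUT= SRC=192.168.4.77 DST=192.168.4.254 LEN=44 TTL=48 ID=5 PROTO=TCP SPT=55123 DPT=443 WINDOW=1024 SYN URGP=0
Sep 16 14:01:04 fileserver kernel: DROP-IN: IN=eth0 OUT= SRC=192.168.4.77 DST=192.168.4.254 LEN=44 TTL=48 ID=6 PROTO=TCP SPT=55123 DPT=3306 WINDOW=1024 SYN URGP=0
Sep 16 14:01:05 fileserver kernel: DROP-IN: IN=eth0 OUT= SRC=192.168.4.77 DST=192.168.4.254 LEN=44 TTL=48 ID=7 PROTO=TCP SPT=55123 DPT=8080 WINDOW=1024 SYN URGP=0
Sep 16 14:03:30 fileserver kernel: DROP-IN: IN=eth0 OUT= SRC=192.168.4.10 DST=192.168.4.254 LEN=52 TTL=128 ID=4322 PROTO=TCP SPT=49153 DPT=445 WINDOW=8192 SYN URGP=0
"""

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line: str) -> Optional[Packet]:
    """Pull the fields a scan detector needs out of one iptables LOG line."""
    m = LOG_RE.search(line)
    if not m:
        return None   # not a LOG line, or no DPT (e.g. ICMP)
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")   # syslog omits the year
    return Packet(ts, m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dpt")))


def detect_scans(packets: List[Packet], window_seconds: int = 60,
                 port_threshold: int = 5, host_threshold: int = 5) -> Dict[str, str]:
    """Flag a source that hits many distinct ports (port scan) or many distinct
    hosts (sweep) inside a sliding time window.  Returns {source: reason}."""
    by_src: Dict[str, List[Packet]] = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        by_src[p.src].append(p)
    alerts: Dict[str, str] = {}
    for src, pkts in by_src.items():
        start = 0
        for end in range(len(pkts)):
            # slide the window forward so it spans at most window_seconds
            while (pkts[end].ts - pkts[start].ts).total_seconds() > window_seconds:
                start += 1
            window = pkts[start:end + 1]
            hosts = {p.dst for p in window}
            ports = {(p.dst, p.proto, p.dport) for p in window}
            if len(hosts) >= host_threshold:
                alerts[src] = f"sweep of {len(hosts)} hosts within {window_seconds}s"
                break
            if len(ports) >= port_threshold:
                alerts[src] = f"scan of {len(ports)} ports on {pkts[end].dst} within {window_seconds}s"
                break
    return alerts


def scan_log(text: str) -> Dict[str, str]:
    """Parse a block of syslog text and return any scan alerts."""
    packets = [p for p in map(parse_line, text.splitlines()) if p]
    return detect_scans(packets)


if __name__ == "__main__":
    for src, reason in scan_log(SAMPLE_LOG).items():
        print(f"ALERT {src}: {reason}")
```

The legitimate workstation that retries one closed port never trips the threshold; the host that walks through seven ports in two seconds does on the fifth packet. Tune the thresholds against a few days of your own logs before wiring the output to anything that pages you.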
Small Business Attack – Network Reconnaissance
- At September 16, 2009
- By Josh More
- In Business Security
- 0
Suppose an attacker gets into your network. Last week, we discussed a few tools that they might use to profile different systems, but we didn’t look that deeply into network scanning. Once they’ve done some of the more basic and subtle checks, they may go on to more active exploration. The advantage of more active exploration is that an attacker can identify all services on all systems in a very short period of time. The disadvantage, of course, is that they are more likely to be detected.
However, since this is an attack day, let’s look at what the attacker can do here. Once they have control of a system, they can use nmap to scan the network around it. Suppose you have an internal file server, other workstations and printers. In seconds, the attacker will have a list of all systems and what’s running on them. For example, here is a (slightly altered) list of systems available from a wireless network.
# nmap 192.168.4.*

Starting Nmap 4.75 ( http://nmap.org ) at 2009-09-04 14:01 CDT
Interesting ports on 192.168.4.21:
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
8654/tcp open  unknown

Interesting ports on 192.168.4.249:
Not shown: 997 closed ports
PORT      STATE SERVICE
6006/tcp  open  X11:6
9220/tcp  open  unknown
16001/tcp open  unknown
MAC Address: 00:40:63:99:58:E2 (VIA Technologies)

Interesting ports on 192.168.4.254:
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
2000/tcp open  callbook
MAC Address: 00:B0:D0:C0:54:11 (Dell Computer)

Nmap done: 256 IP addresses (5 hosts up) scanned in 12.61 seconds
So here, an attacker would know that 192.168.4.254 and 192.168.4.21 are running ssh and are therefore likely Linux or Unix systems, and the vendor lookups on the MAC addresses give away the hardware brands (nmap only shows a MAC address for hosts it can see directly on the local segment, which is why 192.168.4.21 has none). For example, a Dell machine that is running ssh may well be a server worth attacking (in this case, it’s not… but it could be). So, in about twelve seconds, the attacker will know exactly what to target. Sure, it’s a noisy and noticeable way to profile a network, but if nobody is watching for it, the noise costs the attacker nothing.
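To show what an attacker does with that output once it is on disk, here is an added Python example (not part of the original post) that parses nmap’s normal output into a host table and orders the hosts by how attractive they look. The sample text is the scan above, and the platform guesses and the “interesting service” list are rough heuristics chosen for this example, not anything nmap itself reports.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Host(NamedTuple):
    ip: str
    mac: Optional[str]
    vendor: Optional[str]
    ports: List[Tuple[int, str, str, str]]   # (port, proto, state, service)


# The page's own (slightly altered) scan, one record per line.
SAMPLE_NMAP = """\
Starting Nmap 4.75 ( http://nmap.org ) at 2009-09-04 14:01 CDT
Interesting ports on 192.168.4.21:
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
8654/tcp open  unknown

Interesting ports on 192.168.4.249:
Not shown: 997 closed ports
PORT      STATE SERVICE
6006/tcp  open  X11:6
9220/tcp  open  unknown
16001/tcp open  unknown
MAC Address: 00:40:63:99:58:E2 (VIA Technologies)

Interesting ports on 192.168.4.254:
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
2000/tcp open  callbook
MAC Address: 00:B0:D0:C0:54:11 (Dell Computer)

Nmap done: 256 IP addresses (5 hosts up) scanned in 12.61 seconds
"""

# Nmap 4.x prints "Interesting ports on X:"; later versions print
# "Nmap scan report for name (X)".  Accept both and capture the IP.
HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for) .*?(\d+\.\d+\.\d+\.\d+)\)?:?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17})(?: \((.*)\))?")

# Services an attacker would try first; a hypothetical list for this example.
ADMIN_SERVICES = {"ssh", "telnet", "rpcbind", "microsoft-ds", "netbios-ssn", "ms-term-serv", "vnc"}


def parse_nmap(text: str) -> Dict[str, Host]:
    """Build {ip: Host} from nmap's normal (human-readable) output."""
    hosts: Dict[str, Host] = {}
    cur: Optional[Host] = None
    for line in map(str.strip, text.splitlines()):
        m = HOST_RE.match(line)
        if m:
            cur = Host(m.group(1), None, None, [])
            hosts[cur.ip] = cur
            continue
        if cur is None:
            continue
        m = PORT_RE.match(line)
        if m:
            cur.ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
            continue
        m = MAC_RE.match(line)
        if m:
            cur = cur._replace(mac=m.group(1), vendor=m.group(2))
            hosts[cur.ip] = cur
    return hosts


def guess_platform(host: Host) -> str:
    """Cheap fingerprint from open ports alone, before any version scan."""
    ports = {p for p, _, _, _ in host.ports}
    services = {s for _, _, _, s in host.ports}
    if ports & {135, 139, 445}:
        return "Windows"
    if ports & {515, 631, 9100}:
        return "printer"
    if services & {"ssh", "rpcbind"} or any(6000 <= p <= 6063 for p in ports):
        return "Unix-like"
    return "unknown"


def target_order(hosts: Dict[str, Host]) -> List[Host]:
    """Most attractive first: remote-admin services, then sheer port count.
    Ties keep scan order, since Python's sort is stable even with reverse=True."""
    def score(h: Host) -> Tuple[int, int]:
        services = {s for _, _, _, s in h.ports}
        return (len(services & ADMIN_SERVICES), len(h.ports))
    return sorted(hosts.values(), key=score, reverse=True)


if __name__ == "__main__":
    for h in target_order(parse_nmap(SAMPLE_NMAP)):
        open_ports = ",".join(f"{p}/{proto}" for p, proto, _, _ in h.ports)
        print(f"{h.ip:15} {guess_platform(h):10} {h.vendor or '?':18} {open_ports}")
```

Nothing here is clever, which is the point: a few dozen lines turn a twelve-second scan into a ranked to-do list, so the defender’s aim is to make sure that list is short and that the scan itself gets noticed.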
But what can you do about it?