Monday 15 May 2017

Wannacry ransomware, a good reason to say no to backdoor requests from government


Today's widespread ransomware attack, built on leaked NSA tools, shows how critical and important cyber security is.

It is probably a good time to talk about government requests to have a backdoor on personal devices, mobile devices or others. I do believe that society and public security are important, and that governments should do their best to investigate things like breaches, terrorist attacks and so on, but what would happen if a backdoor used by the government leaked and attackers gained access to it?

What happens if the NSA and FBI hold a large list of backdoors and their network gets compromised? What a dark world that could be!


We, all cyber security professionals, are responsible for thinking ethically, to the best of our ability, and for the benefit of people. Is it better to be able to investigate one terrorist attack, or is it better to leave an opportunity open for hundreds of attacks by having backdoors?



Friday 17 March 2017

Kerberos ticketing example in real life



Kerberos authentication is based on creating tickets and then using those tickets for identification and for getting access. Windows domains and Active Directory are good examples of Kerberos in use, and of how authentication and access work within a Windows domain environment.

Before we start with a real-life example we need to define some terms which will help in understanding the three main steps of Kerberos authentication:

KDC: Kerberos Domain Controller – responsible for key distribution

TGT: Ticket-Granting Ticket – an authentication ticket created by the KDC

TGS: Ticket-Granting Service – creates the service ticket used to access the required resources/servers



Now a real-life scenario:


Imagine you buy a couple of racks in a data center and need to access them on a daily basis. The data center company has a head office and multiple data center locations, and you have a rack in each location. The data centers are shared facilities with lots of other customers, secured with gates, prevention and monitoring controls. Here are the steps:

1- You need to identify yourself to the head office (KDC) by providing proof of identity, including government identification with a picture as well as your sales and contract documents with the data center.

2- The head office creates an identification card for you with an expiry date. The card has an encrypted chip which can only be read by the head office itself. (TGT)

3- You send a request to access the racks and locations that you need. They check that you are allowed and add the additional access data to the encrypted chip on your card. (TGS)

4- You then go to the data center locations and use your card to enter and access your racks.

5- Your identification card chip is read by the data center (they can decrypt the data because they have the password and encryption keys), and once they see that access was allowed by the head office, they let you in.

6- You can now access your own racks and resources within any of those data center locations.


7- Once you reach the expiry date on the ID issued by the head office, you have to start the whole process from step 1 again to get a new card or extend the ID.
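The seven steps above, as an added Python example that is not part of the original post. It is a toy model, not real Kerberos: real tickets are encrypted under the key of the party that must read them, while here each ticket is a JSON body plus an HMAC tag under that party's key, which is enough to show the property the analogy relies on (only head office can check the ID card, only a site can check its own access data, and everything has an expiry). The names, keys and timestamps are all constructed.

```python
import hashlib
import hmac
import json
import secrets
import time

# Long-term keys. In the analogy: head office's own chip key (krbtgt), the key
# it shares with each data-centre location, and each customer's credential.
KRBTGT_KEY = secrets.token_bytes(32)
SERVICE_KEYS = {"rack-dc1": secrets.token_bytes(32), "rack-dc2": secrets.token_bytes(32)}
# Stand-in for the KDC's stored client key (a plain hash is NOT a password store).
USER_KEYS = {"alice": hashlib.sha256(b"correct horse").digest()}


def _seal(payload: dict, key: bytes) -> dict:
    """Issue a ticket that only the holder of `key` can validate."""
    body = json.dumps(payload, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def _open(ticket: dict, key: bytes, now: float) -> dict:
    """Validate the tag with `key`, then enforce the expiry written into the ticket."""
    expected = hmac.new(key, ticket["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        raise PermissionError("ticket was not issued under this key")
    payload = json.loads(ticket["body"])
    if now > payload["expires"]:
        raise PermissionError("ticket expired")
    return payload


def kdc_as_exchange(user: str, password: str, now: float, lifetime: float = 8 * 3600) -> dict:
    """Steps 1-2: prove identity to head office, receive a TGT with an expiry date."""
    if hashlib.sha256(password.encode()).digest() != USER_KEYS.get(user):
        raise PermissionError("proof of identity rejected")
    return _seal({"type": "TGT", "user": user, "expires": now + lifetime}, KRBTGT_KEY)


def kdc_tgs_exchange(tgt: dict, service: str, now: float, lifetime: float = 3600) -> dict:
    """Step 3: present the TGT, receive a service ticket sealed under that site's key."""
    claims = _open(tgt, KRBTGT_KEY, now)        # only the KDC holds KRBTGT_KEY
    if claims.get("type") != "TGT" or service not in SERVICE_KEYS:
        raise PermissionError("not a TGT, or unknown service")
    expires = min(claims["expires"], now + lifetime)   # never outlives the TGT
    return _seal({"type": "ST", "user": claims["user"], "service": service,
                  "expires": expires}, SERVICE_KEYS[service])


def service_accepts(service: str, ticket: dict, now: float) -> bool:
    """Steps 4-6: the site checks the chip with its own key, with no call to head office."""
    try:
        claims = _open(ticket, SERVICE_KEYS[service], now)
    except PermissionError:
        return False
    return claims.get("type") == "ST" and claims["service"] == service


def _refused(action) -> bool:
    try:
        action()
        return False
    except PermissionError:
        return True


def demo(now: float = None) -> dict:
    """Walk the analogy end to end and return what each check decided."""
    now = time.time() if now is None else now
    tgt = kdc_as_exchange("alice", "correct horse", now)
    st = kdc_tgs_exchange(tgt, "rack-dc1", now)
    forged = dict(st, body=st["body"].replace("alice", "mallory"))   # tampered chip
    return {
        "legit_entry": service_accepts("rack-dc1", st, now),
        "wrong_site": service_accepts("rack-dc2", st, now),          # other site's key
        "after_expiry": service_accepts("rack-dc1", st, now + 2 * 3600),
        "tampered_chip": service_accepts("rack-dc1", forged, now),
        "bad_password": _refused(lambda: kdc_as_exchange("alice", "wrong", now)),
        "tgt_expired_step7": _refused(lambda: kdc_tgs_exchange(tgt, "rack-dc1", now + 9 * 3600)),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:20} {result}")
```

The point to take from the model is step 5: the site never contacts head office at access time, it only needs its own key and the clock, which is exactly why the expiry dates in steps 2, 3 and 7 matter.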

Wednesday 22 February 2017

How Crunch – Password file maker works


Reference: Kali Linux - Hacking Tools Introduction

Crunch is a wordlist generator where you can use a standard character set or a character set you specify.

Crunch can generate all possible combinations and permutations.

Given the minimum and maximum length, and the characters themselves, Crunch creates a comprehensive list of words that can be fed to password cracking programs.

Below shows how the crunch command is used:

rassoul@kali:~# crunch

Usage: crunch <min> <max> [options]



The example below creates a password list of words 2 to 3 characters long, using the characters "0123456789abcdef#!". The result is saved into a file called password.txt.

rassoul@kali:~# crunch 2 3 0123456789abcdef#! -o password.txt


Below is part of the file created by the crunch command above:

rassoul@kali:~$ cat password.txt

00
01
02
03
….
01#
01!
020
021
….
!!f
!!#
!!!
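As an added example (not from the original post, and not Crunch's own code), the Python below reproduces what "crunch 2 3 0123456789abcdef#!" enumerates: every string of length min to max over the character set, in character-set order, so the first lines are 00, 01, 02 and the last is !!!. The size function is the part a defender uses: it gives the number of candidates a given length and character set produces, which is the figure to check a password policy against.

```python
import itertools
from typing import Iterator

CHARSET = "0123456789abcdef#!"   # the character set used in the post


def wordlist(min_len: int, max_len: int, charset: str = CHARSET) -> Iterator[str]:
    """Yield every combination in the order crunch writes it (shorter words first)."""
    if min_len < 1 or max_len < min_len:
        raise ValueError("need 1 <= min <= max")
    for length in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def wordlist_size(min_len: int, max_len: int, charset: str = CHARSET) -> int:
    """Number of lines crunch would write: the sum of |charset| ** n over each length n."""
    return sum(len(charset) ** n for n in range(min_len, max_len + 1))


def write_wordlist(path: str, min_len: int, max_len: int, charset: str = CHARSET) -> int:
    """Equivalent of 'crunch min max charset -o path'; returns the number of words written."""
    count = 0
    with open(path, "w", encoding="utf-8") as fh:
        for word in wordlist(min_len, max_len, charset):
            fh.write(word + "\n")
            count += 1
    return count


if __name__ == "__main__":
    words = list(wordlist(2, 3))
    print(words[:4], "...", words[-3:])   # ['00', '01', '02', '03'] ... ['!!f', '!!#', '!!!']
    print(wordlist_size(2, 3))             # 6156
    # Policy check: an 8-character, lower-case-only password has 26 ** 8 candidates,
    # about 2.1e11, which is a small search for an offline cracker.
    print(wordlist_size(8, 8, "abcdefghijklmnopqrstuvwxyz"))
```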

Tuesday 7 February 2017

Essential Application Vulnerabilities and Security Controls

The list below is a high-level view of the main application vulnerability categories and of how we can mitigate them by introducing proper controls.


Each entry gives the vulnerability category, the potential problem due to bad design, and the controls.

Input Validation
  Problem: Attacks performed by embedding malicious strings in query strings, form fields, cookies, and HTTP headers. These include command execution, cross-site scripting (XSS), SQL injection, and buffer overflow attacks.
  Controls: WAF, input validation and verification

Authentication
  Problem: Identity spoofing, password cracking, elevation of privileges, and unauthorized access.
  Controls: WAF, session management, passwords, two factor, IDM

Authorization
  Problem: Access to confidential or restricted data, tampering, and execution of unauthorized operations.
  Controls: Session management, access controls, IDM

Configuration Management
  Problem: Unauthorized access to administration interfaces, ability to update configuration data, and unauthorized access to user accounts and account profiles.
  Controls: Path management, access filtering, IDM, PIM, session management

Sensitive Data
  Problem: Confidential information disclosure and data tampering.
  Controls: Encryption, hashing controls

Session Management
  Problem: Capture of session identifiers resulting in session hijacking and identity spoofing.
  Controls: IDM, session management

Cryptography
  Problem: Access to confidential data or account credentials, or both.
  Controls: Encryption, hashing controls, DB access controls

Parameter Manipulation
  Problem: Path traversal attacks, command execution, and bypass of access control mechanisms among others, leading to information disclosure, elevation of privileges, and denial of service.
  Controls: WAF, input validation, parameter validation, header validation

Auditing and Logging
  Problem: Failure to spot the signs of intrusion, inability to prove a user's actions, and difficulties in problem diagnosis.
  Controls: Detailed logging, syslog server, SIEM, alerting, reporting
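The "Input Validation" and "Parameter Manipulation" entries, shown as code in an added example that is not part of the original post. A user lookup that splices the input into the SQL text is defeated by a crafted username; the same lookup with an allow-list check on the input and a parameterised query is not. The in-memory database, the users and the inputs are all constructed for the example.

```python
import re
import sqlite3

# Constructed sample database.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "user"), ("bob", "admin")])

# Allow-list: say what a username may look like, instead of trying to list bad characters.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def lookup_vulnerable(name: str) -> list:
    """Bad design: user input becomes part of the SQL statement itself."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(name: str) -> list:
    """Control 1: reject anything outside the expected shape before it reaches the database."""
    if not USERNAME_RE.match(name):
        raise ValueError("username has unexpected characters")
    # Control 2: the driver sends the value separately from the query text, so the
    # database never interprets it as SQL, whatever it contains.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def demo() -> tuple:
    malicious = "x' OR '1'='1"
    leaked = lookup_vulnerable(malicious)          # WHERE name = 'x' OR '1'='1' -> every row
    try:
        lookup_hardened(malicious)
        blocked = False
    except ValueError:
        blocked = True
    # Even without the allow-list, the bound parameter alone matches no row.
    bound = conn.execute("SELECT name FROM users WHERE name = ?", (malicious,)).fetchall()
    return len(leaked), blocked, bound


if __name__ == "__main__":
    print(demo())                      # (2, True, [])
    print(lookup_hardened("alice"))    # [('alice', 'user')]
```

The two controls are independent: validation keeps junk out of every downstream component (logs, templates, shell commands), parameterisation makes the database safe even when validation is missed somewhere.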

Saturday 4 February 2017

Quick CISSP Security Course References Summary

Here are my ISC2 CISSP notes.


If you need a quick summary index of what is required to pass the CISSP exam, this should help.


Wednesday 1 February 2017

What is PII, PHI and how they are considered Sensitive Information



Below is a quick summary of what PHI and PII records are and under what circumstances they are considered sensitive information.
Note: Take care of your personal records at all times, and do not provide this information to anyone unless they are absolutely trusted.


Protected Health Information (PHI)


Protected Health Information (PHI) is an individual’s health information that is created or received by a health care provider related to the provision of health care by a covered entity that identifies or could reasonably identify the individual. The 18 identifiers that are considered PHI are included in OHRPP Guidance & Procedures: Health Insurance Portability and Accountability Act (HIPAA)


An individual’s personal and health information that is created, received, or maintained by a health care provider or health plan and includes at least one of the 18 personal identifiers listed below in association with the health information:

  • Name
  • Street address
  • All elements of dates except year
  • Telephone number
  • Fax number
  • Email address
  • URL address
  • IP address
  • Social Security number
  • Account numbers
  • License numbers
  • Medical Record number
  • Health plan beneficiary #
  • Device identifiers and their serial numbers
  • Vehicle identifiers and serial number
  • Biometric identifiers (finger and voice prints)
  • Full face photos and other comparable images
  • Any other unique identifying number, code, or characteristic

Limited Data Set - a limited data set can include the following identifiers: a unique number code, or characteristic that does not include any of the above listed identifiers, geographic data (without street address), and/or dates


Personal Identifiable Information (PII)



Personal Identifiable Information (PII) is defined as data or other information which identifies an individual, or provides information about an individual in a way that is reasonably likely to enable identification of a specific person and make personal information about them known. Personal information includes, but is not limited to, information regarding a person's home or other personal address, social security number, driver's license, marital status, financial information, credit card numbers, bank accounts, parental status, sex, race, religion, political affiliation, personal assets, medical conditions, medical records or test results, home or other personal phone numbers, non-university address, employee number, personnel or student records and so on.


Information about an individual which includes any of the identifiers below:

  • Name
  • Street address
  • All elements of dates except year
  • Telephone number
  • Fax number
  • Email address
  • URL address
  • IP address
  • Social Security number
  • Account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account
  • Driver’s License numbers or California or other identification card number
  • Device identifiers and their serial numbers
  • Vehicle identifiers and serial number
  • Biometric identifiers (finger and voice prints)
  • Full face photos and other comparable images
  • Any other unique identifying number, code, or characteristic (e.g., student identification number).

Sensitive Data or Information

An individual's first name (or first initial) and last name in combination with any of the following:

  • Social Security Number
  • Driver's License Number or California ID card number
  • Financial account information such as a credit card number
  • Medical Information

Monday 30 January 2017

Some critical controls to secure and protect your environment from ransomware attacks

Below are some of the controls you can consider to protect your environment from ransomware attacks:
  • User Training
    • Identify phishing
      • Train your users to be able to identify phishing attacks
    • How to handle attachments
      • Block executable and compressed zip files
      • Train your users about macros and risky files
  • Incident procedures
    • Be prepared and have an incident response plan for ransomware attacks
  • Protecting the PC
    • Blocking emails
      • Use security controls, email gateways, AVs, sandboxing, etc.
    • Restrictions on Group Policies and Firewalls
      • Block risky applications like Flash
      • Block proxies like Tor
      • Block websites with a low rating or no rating
      • Block downloads from low-rating websites, BitTorrent, and public file shares
  • Limiting User Rights
    • Do not allow privileged access to the workstations
    • Enforce application whitelisting where possible
  • Revisiting Mapped Drives
    • Minimize user access to what is needed
  • Protecting the Server and Backups
    • Securing File Locations
      • Secure file shares, file servers, storage and the permissions on them
    • Backup Data
      • Back up data regularly, and review and verify the backups on a regular basis
  • Integrity monitoring
    • Use file integrity monitoring (FIM) solutions
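The "How to handle attachments" controls above, as an added Python example that is not part of the original post: a mail-gateway style check that blocks attachments which are executable by extension or by the Windows "MZ" header, looks inside zip archives for the same (blocking what it cannot inspect, such as password-protected archives), and routes macro-enabled Office documents to review. The extension lists, the sample attachments and the verdict names are all constructed for the example.

```python
import io
import zipfile
from pathlib import PurePosixPath

EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                  ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".msi", ".dll", ".lnk"}
MACRO_ENABLED_EXT = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
ARCHIVE_EXT = {".zip"}
MAX_ARCHIVE_DEPTH = 2


def _ext(name: str) -> str:
    # Last suffix only, so "photo.jpg.scr" is judged by ".scr".
    return PurePosixPath(name.lower()).suffix


def classify_attachment(name: str, data: bytes, depth: int = 0) -> str:
    """Return 'allow', 'block' or 'review' for one attachment (recursing into zips)."""
    ext = _ext(name)
    if ext in EXECUTABLE_EXT or data[:2] == b"MZ":
        return "block"
    if ext in MACRO_ENABLED_EXT:
        return "review"             # macro documents: user awareness or sandbox detonation
    if ext in ARCHIVE_EXT or data[:4] == b"PK\x03\x04":
        if depth >= MAX_ARCHIVE_DEPTH:
            return "block"          # nested too deep to inspect: do not let it through
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                verdicts = [classify_attachment(info.filename, zf.read(info), depth + 1)
                            for info in zf.infolist() if not info.is_dir()]
        except (zipfile.BadZipFile, RuntimeError):
            return "block"          # corrupt or password-protected: cannot inspect
        if "block" in verdicts:
            return "block"
        return "review" if "review" in verdicts else "allow"
    return "allow"


def _zip_of(members: dict) -> bytes:
    """Build a constructed zip archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def demo() -> dict:
    samples = {                                        # constructed attachments
        "invoice.pdf": b"%PDF-1.4 constructed sample",
        "report.docm": b"PK\x03\x04 constructed macro document",
        "setup.exe": b"MZ\x90\x00 constructed",
        "photo.jpg.scr": b"\xff\xd8 constructed double extension",
        "docs.zip": _zip_of({"readme.txt": b"hello", "bin/tool.js": b"alert(1)"}),
        "clean.zip": _zip_of({"a.txt": b"a", "b.csv": b"1,2"}),
    }
    return {name: classify_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15} {verdict}")
```

The list of dangerous extensions is deliberately a deny-list here because that is how the control is usually deployed at a gateway; the stronger policy, where the environment allows it, is to allow only the document types the business actually exchanges.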

Saturday 28 January 2017

Using DNS Brute with NMAP to detect subdomains


Reference: Kali Linux: Hacking Tools Introduction

Using the "dns-brute.nse" script, we can detect and find the sub-domains associated with an organization's domain. This helps reveal new targets when performing a security assessment.

The discovered hosts may be virtual web hosts on a single web server, or may be distinct hosts on IP addresses spread across the world in different data centres.

The script finds valid DNS (A) records by trying a list of common sub-domains and keeping those that successfully resolve.

The picture below shows sample output from the dns-brute script run with the following command (corp.example.org is an example domain which can be replaced by one of your choice):


nmap --script dns-brute corp.example.org
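What the script does, written out as an added Python example that is not part of the original post or of Nmap: resolve each name in a list of common sub-domain labels and keep the ones that return an address. Run it against a domain you administer to find forgotten hosts and stale records before someone else does. The resolver is a parameter so that the demo runs offline against a constructed lookup table for corp.example.org; pass socket.gethostbyname to query real DNS. The wildcard check is a caveat the script's users hit in practice: if a zone has a wildcard record, every guess "succeeds" and the output is meaningless.

```python
import secrets
import socket
from typing import Callable, Dict, List, Tuple

COMMON_SUBDOMAINS = ["www", "mail", "vpn", "dev", "staging", "test", "ftp", "admin", "api"]
Resolver = Callable[[str], str]


def has_wildcard(domain: str, resolve: Resolver = socket.gethostbyname) -> bool:
    """A random label that still resolves means the zone has a wildcard record."""
    probe = f"{secrets.token_hex(8)}.{domain}"
    try:
        resolve(probe)
        return True
    except socket.gaierror:
        return False


def brute_subdomains(domain: str, resolve: Resolver = socket.gethostbyname,
                     candidates: List[str] = COMMON_SUBDOMAINS) -> List[Tuple[str, str]]:
    """Return (hostname, address) for every candidate that has an A record, like dns-brute."""
    if has_wildcard(domain, resolve):
        raise RuntimeError(f"{domain} has a wildcard record; every guess would resolve")
    found = []
    for label in candidates:
        host = f"{label}.{domain}"
        try:
            found.append((host, resolve(host)))
        except socket.gaierror:
            continue            # NXDOMAIN or no A record: not a host
    return found


def make_fake_resolver(table: Dict[str, str]) -> Resolver:
    """Offline stand-in for DNS with constructed answers for a constructed zone."""
    def resolve(host: str) -> str:
        if host in table:
            return table[host]
        raise socket.gaierror("constructed NXDOMAIN for " + host)
    return resolve


# Constructed zone contents for the example domain used in the post.
FAKE_ZONE = make_fake_resolver({
    "www.corp.example.org": "192.0.2.10",
    "vpn.corp.example.org": "192.0.2.20",
    "staging.corp.example.org": "192.0.2.30",
})

if __name__ == "__main__":
    for host, addr in brute_subdomains("corp.example.org", FAKE_ZONE):
        print(f"{host:30} {addr}")
```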



Thursday 26 January 2017

What is Cross Site Request Forgery (CSRF) and how it works


Reference: Hacking and Securing Web Applications


What is CSRF?



Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. 

CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. 

With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. 

If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

The picture below is a simple illustration of a CSRF attack, where the legacy website could be a banking site, for example. The attacker uses the victim's existing session to initiate a money transfer to his or her own account.



How to protect yourself against CSRF?

1- First of all, avoid clicking on links and browsing websites whose safety you are unsure of, especially while you are logged in to other important websites.
2- Second, always use security software such as antivirus and anti-spyware.
3- Beware of phishing attempts in emails, attachments, etc.
4- Use a dedicated browser for critical tasks and avoid browsing other websites with that browser.
5- Always keep your browser up to date.
6- Use tools or plugins to clear browser cookies on a regular basis.
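The tips above are for users; the control that the application itself needs is a token tied to the session, and the added Python example below (not part of the original post) shows it for the banking transfer in the picture. Each logged-in session gets a secret token; a state-changing request is executed only if the token in the form body matches the one belonging to the session in the cookie. A page on the attacker's site can make the victim's browser send the cookie, but it cannot read or guess the token. Sessions, balances and requests are all constructed in memory.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


SESSIONS: dict = {}                       # session cookie value -> Session
BALANCES = {"alice": 100, "mallory": 0}    # constructed accounts


def login(user: str) -> str:
    """Return the session cookie the browser will attach to every later request."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = Session(user)
    return cookie


def render_transfer_form(cookie: str) -> dict:
    """The legitimate site embeds the session's token in the form it serves."""
    return {"csrf_token": SESSIONS[cookie].csrf_token}


def handle_transfer(cookie: str, form: dict) -> str:
    """POST /transfer: cookie arrives automatically, the token must come from the form body."""
    session = SESSIONS.get(cookie)
    if session is None:
        return "401 not logged in"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return "403 csrf token missing or wrong"
    amount, to = int(form["amount"]), form["to"]
    if amount <= 0 or to not in BALANCES or BALANCES[session.user] < amount:
        return "400 bad transfer"
    BALANCES[session.user] -= amount
    BALANCES[to] += amount
    return "200 transferred"


def demo() -> tuple:
    cookie = login("alice")
    # Forged request from another site: the cookie rides along, the token is absent.
    forged = handle_transfer(cookie, {"amount": "50", "to": "mallory"})
    # Forged request with a guessed token.
    guessed = handle_transfer(cookie, {"amount": "50", "to": "mallory", "csrf_token": "AAAA"})
    # Legitimate request: the token came from the form the site itself rendered.
    form = render_transfer_form(cookie)
    form.update({"amount": "50", "to": "mallory"})
    legit = handle_transfer(cookie, form)
    return forged, guessed, legit, dict(BALANCES)


if __name__ == "__main__":
    print(demo())
```

Most web frameworks ship this synchronizer-token pattern as middleware; setting the session cookie with the SameSite attribute is a complementary browser-side control, not a replacement for the token.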

Wednesday 18 January 2017

How to encrypt and decrypt files using OpenPGP encryption


Below are some basic, simple and useful OpenPGP commands on Linux for newbies, without going too much into details like encryption algorithms, key management, etc.

The first step for encryption is generating the keys:
gpg2 --gen-key

The command below lists the secret keys once they are created:
gpg2 --list-secret-keys

We need to export the public key to a file to be able to send it out:
gpg --armor --export you@domain.com > mypublickey.asc

Or we can send the public key to a key server if we have one:
gpg --keyserver search.keyserver.net --send-key you@domain.com

We can export the private key (for backup; keep this file secret) using the command below:
gpg2 --armor --export-secret-keys your_email@domain.com > myprivatekey.asc

On the other end, the sender needs to import our public key first:
gpg2 --import senderpublickey.asc

The next step is for them to encrypt a file with our public key, naming us as the recipient (without --recipient, gpg asks for one interactively):
gpg2 --recipient you@domain.com --output file.gpg --encrypt file.txt

Once the file is encrypted with our public key it is sent to us, and we can decrypt it with our private key:
gpg2 --output file.txt --decrypt file.gpg

Tuesday 17 January 2017

Generic Architecture Design Principles and Considerations


Reference: Enterprise Security Architecture, A guide to Infosec Management


When designing any architecture there are certain principles that need to be considered and followed. They ensure the architecture is aligned with the business strategy, vision and goals.

Usually the enterprise architecture team is responsible for defining those principles, with the help and guidance of senior management. Below are some principles to be used when designing a security architecture.

  1. Principle 1: Comprehensive documentation
  2. Principle 2: No plan is fool-proof
  3. Principle 3: Successful business operation is supported by reasonable and appropriate controls
  4. Principle 4: Business requirements require translation into forms that technical architecture designers can turn into conceptual models
  5. Principle 5: It makes no sense to design something the engineers can't build
  6. Principle 6: Partial understanding results in incomplete designs
  7. Principle 7: Use attack trees
  8. Principle 8: Business and technical users will avoid complex and hard-to-use security controls
  9. Principle 9: Testing models and final architecture implementations must take the design into consideration
  10. Principle 10: Ensure architecture constraints are reviewed during the change management process
  11. Principle 11: Frequently assess risk
  12. Principle 12: Meeting security requirements means the architecture is compliant with regulatory and best-practice constraints


Monday 16 January 2017

Gartner’s Six Principles of Resilience for Digital Business Risk and Security


There are six main principles to keep in mind when talking about information security. These principles were first introduced in 2016 by Gartner's risk and security division.


The principles are:

  • Principle No. 1: Stop Focusing on Check Box Compliance, and Shift to Risk-Based Decision Making
    • Security is not the same old beast. Information security must be a top-down approach, driven by identified business risk. Risk management and risk analysis are the first big step of any information security work.
  • Principle No. 2: Stop Solely Protecting Infrastructure, and Begin Supporting Business Outcomes
    • Information security is a business enabler. Security is there to help the business achieve its goals and targets. The only way to have a successful information security architecture is to make sure it is aligned with the business strategy.
  • Principle No. 3: Stop Being a Defender, and Become a Facilitator
    • Again, the aim of information security is to help the business hit its targets. Of course security is important, but if we are blocking business processes, it is useless.
  • Principle No. 4: Stop Trying to Control Information; Instead, Determine How It Flows
    • The big shift in the security mindset is moving away from local and limited controls towards a holistic approach that looks at flows and processes.
  • Principle No. 5: Accept the Limits of Technology and Become People-Centric
    • These days more and more attacks are the result of a lack of user awareness. Training people and investing in them is as important as having technical controls.
  • Principle No. 6: Stop Trying to Perfectly Protect Your Organization, and Invest in Detection and Response
    • We all know it is impossible to have a completely safe environment. Threats and vulnerabilities are always there. A proper incident response plan and operation is crucial for any business.

Sunday 15 January 2017

Mis-Association attack on wireless Networks and how it works


Reference: Ethical Hacking and Penetration with Kali Linux

Reference: Kali Linux: Hacking Tools Introduction



The technique of the mis-association attack is to get a computer to connect to your Kali machine using the name of one of the old wireless networks it has connected to before, or to use the same SSID name as an available network that has some clients. For example, if a computer was connected to a Wi-Fi network called "Public-wifi" in the past, that name will be discovered and used to attack the host.



The steps are as below:
  • Find one of the wireless SSID names that the victim has connected to before, using "airodump-ng"
  • Set up a new access point with exactly the same name
  • Send a de-auth message to the victim so it is disconnected from the current AP and tries to connect again
  • As the SSID you created is already on the victim's list, it will connect to the AP you created.
  • You can start capturing the victim's traffic!

To achieve this, the commands and steps below need to be followed on Kali Linux:

  • airmon-ng start wlan0
  • airodump-ng mon0
    • You can see the station trying to connect to a list of APs it has connected to before (probe column), e.g. Public-wifi
    • Note: make sure that SSID is not available on the current list of APs
  • airbase-ng --essid "Public-wifi" -c 1 mon0
    • This makes Kali an access point that the client can authenticate to and connect with
  • Set up DHCP and the other settings as per the previous section (Rogue access points)
  • Now the client station will try to connect to your computer, as it has the same SSID in its database
  • If the client machine is already connected to another Wi-Fi network, start a de-auth attack as below
  • aireplay-ng -0 0 -a 22:AF:3A:5E:22:3D mon0
    • This forces clients to re-authenticate and connect to our machine
  • Monitor the output of the airbase-ng command to see when the victim connects

Security Tips:

  • Do NOT Connect to any public wireless network unless you are 100% certain.
  • If you are on public network, Do NOT use any sensitive information over clear text (http, ftp, etc)
  • If you are on public network, watch for certificate error messages
  • Try using a VPN if you need to use public networks

Saturday 14 January 2017

Vigenère Cipher, Simple and Powerful Symmetric Encryption




The Vigenère cipher is a method of encrypting alphabetic text by using a series of different Caesar ciphers based on the letters of a keyword. It is a simple form of polyalphabetic substitution.

Below we explain the Vigenère cipher, which is a symmetric cryptosystem. We use a table of the 26 letters of the alphabet, each associated with a number from 0 to 25.



A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25




The message (plain text) we are trying to encrypt is: "Network Security"

The encryption key that we will use for this is: "ITC"

First, we find the numbers for the keyword in the table:

ITC = 8, 19, 2



Now we need to repeat the keyword to be the same size as message text. Once that’s done, next step is to shift each character to the right based on associated key number. For example, if the character is “N”, and associated Key character is “I”, then we shift “N” on the above table, 8 cells to the right and that makes it “V”.

Note: If we reach end of the table, we go back and start from the left side.



We will do this for all message text characters in the below table:

MC:  N  E  T  W  O  R  K     S  E  C  U  R  I  T  Y
K:   I  T  C  I  T  C  I     T  C  I  T  C  I  T  C
KN:  8  19 2  8  19 2  8     19 2  8  19 2  8  19 2
CC:  V  X  V  D  G  T  S     K  G  K  M  T  Q  L  A

MC: Message Character
K: Key
KN: Key Number
CC: Cipher Character

So, as can be seen in the table above, the output cipher text would be: "VXVDGTS KGKMTQLA"
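The procedure above, as an added Python example that is not part of the original post: letters A to Z numbered 0 to 25, the key repeated over the message, each letter shifted right by its key number, wrapping from Z back to A (shift modulo 26), with spaces passed through unchanged. The worked_table function prints the same MC / K / KN / CC rows as the table so each step can be checked by hand. Running it on "Network Security" with key "ITC" gives VXVEHTS LGKNTQMA: the result differs from the table above exactly at the positions where the shift passes the end of the alphabet (W + 8 = E, O + 19 = H, S + 19 = L, U + 19 = N, T + 19 = M), because after Z the count continues at A.

```python
import string
from typing import List, Tuple

ALPHABET = string.ascii_uppercase       # A..Z numbered 0..25, as in the table


def _key_numbers(key: str) -> List[int]:
    numbers = [ALPHABET.index(k) for k in key.upper() if k in ALPHABET]
    if not numbers:
        raise ValueError("key must contain at least one letter")
    return numbers


def _shift(text: str, key: str, direction: int) -> str:
    """Shift each letter by its key number (+1 encrypts, -1 decrypts), wrapping mod 26."""
    numbers = _key_numbers(key)
    out, i = [], 0
    for ch in text.upper():
        if ch in ALPHABET:
            n = (ALPHABET.index(ch) + direction * numbers[i % len(numbers)]) % 26
            out.append(ALPHABET[n])
            i += 1                      # only letters consume a key letter
        else:
            out.append(ch)              # spaces and punctuation pass through
    return "".join(out)


def vigenere_encrypt(plaintext: str, key: str) -> str:
    return _shift(plaintext, key, +1)


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    return _shift(ciphertext, key, -1)


def worked_table(plaintext: str, key: str) -> List[Tuple[str, str, int, str]]:
    """Rows (MC, K, KN, CC) like the table in the post, one per letter."""
    numbers = _key_numbers(key)
    letters = [c for c in plaintext.upper() if c in ALPHABET]
    cipher = [c for c in vigenere_encrypt(plaintext, key) if c in ALPHABET]
    rows = []
    for i, (mc, cc) in enumerate(zip(letters, cipher)):
        kn = numbers[i % len(numbers)]
        rows.append((mc, ALPHABET[kn], kn, cc))
    return rows


if __name__ == "__main__":
    ct = vigenere_encrypt("Network Security", "ITC")
    print(ct)                                   # VXVEHTS LGKNTQMA
    print(vigenere_decrypt(ct, "ITC"))          # NETWORK SECURITY
    for row in worked_table("Network Security", "ITC"):
        print("MC=%s K=%s KN=%2d CC=%s" % row)
```

On the "powerful" in the title: with a three-letter key, every third ciphertext letter was shifted by the same amount, so the ciphertext splits into three interleaved Caesar ciphers, each of which falls to letter-frequency analysis once the key length is known. The cipher is a good way to learn the idea of polyalphabetic substitution, not a way to protect data.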

Friday 13 January 2017

How to prevent your sensitive information from being revealed to a keylogger infected computer


What is keylogger?

Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that their actions are being monitored. This attack can be achieved by using a software typically called keylogger or keystroker.


Scenario:

Suppose you want to use an Internet café or a public computer to log in to your personal account on a bank website, but you suspect that the computer is infected with a software keylogger.

Assume that you have both a web browser window and a text editing window open at the same time. As a security expert you want to protect your sensitive data, in particular your user credentials, from the malware.


Summary of the Solution:

Type random characters into the text editor in between typing your sensitive information (e.g. your password) into the browser.


Solution:

Keyloggers work by monitoring the active window's interaction with the keyboard, and they do not record mouse events. If we have both a web browser and a text editing window open, the way to get around the keylogger is to switch quickly between the two windows: while typing the username and password into the browser, press random characters into the text box in between, moving between the text box and the browser continuously.

This confuses the keylogger: it receives one long string of pressed characters that is unusable to the attacker.

I would also personally advise that, even if we follow the above principle, we change the passwords immediately after using them in a suspect public place, and have multi-factor authentication enabled as well.

Note: If a text editor is not available on the computer, we can use a second application, or even a different tab of the browser, to type the random characters in between.


Data Enumeration phase in ethical hacking


Reference: Ethical Hacking and Penetration with Kali Linux


What is data enumeration?

One of the first phases of ethical hacking is to extract data such as usernames, computer names, network shares, and more. Some use cases are below:

  • Grabbing detailed system-specific information about the systems, networks and hosts
  • Utilizing various techniques that aren't defined as exploits
  • A non-intrusive way to gain valuable technical information
  • The information includes:
    • SNMP communities, MIB-specific information
    • Usernames and groups
    • Advertised services such as Master Browser

Some common methods of data enumeration are below:


SNMP Enumeration


  • The default community string for most devices is 'public'
  • The public string could have various permissions to get the information
  • MIBs contain extensive system-specific information which can be gained this way
  • Kali Linux can be used for a number of SNMP tests
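The fix for the first two bullets, as an added snmpd.conf example that is not part of the original post (net-snmp syntax; the subnet, the community value and the SNMPv3 passphrases are placeholders): the default community readable from anywhere, next to a configuration that limits who may read, from where, and which part of the MIB tree they can see.

```conf
# Weak (net-snmp snmpd.conf): the default community string, readable from any
# source address, exposing the whole MIB tree to anyone who can reach UDP/161.
rocommunity public

# Corrected for SNMPv2c: a non-default community, only from the monitoring
# subnet, and only a read-only view of the system group (.1.3.6.1.2.1.1).
# 192.0.2.0/24 and the community value are placeholders.
view systemonly included .1.3.6.1.2.1.1
rocommunity REPLACE-WITH-LONG-RANDOM-STRING 192.0.2.0/24 -V systemonly

# Better: SNMPv3 with authentication and encryption, so the community string
# (sent in clear in v1/v2c) disappears altogether. Passphrases are placeholders.
createUser monitor SHA "REPLACE-AUTH-PASSPHRASE" AES "REPLACE-PRIV-PASSPHRASE"
rouser monitor priv -V systemonly
```

After changing the configuration, a check from outside the allowed subnet with the old community should time out rather than answer; that failed walk is the confirmation that the enumeration described above no longer works.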



DNS Zone Transfers


  • The DNS service is the core name resolution service for any organization
  • DNS servers use lookups and zone transfers to synchronize the records between themselves
  • Linux BIND and Microsoft DNS are the most common DNS servers
  • Zones are owned by DNS servers, and if they allow zone transfers you can get a complete list of DNS records, which can identify all hosts on the network
  • Nslookup provides a simple name resolution testing interface
    • Can be used for on-the-fly zone transfers
    • Zone transfers can footprint an entire network with ease
    • Example: the commands below return all the DNS records (the zone transfer needs to be allowed by the primary DNS server)
      • nslookup
      • >set type=any
      • >set type=ALL
      • >ls -d "yourdomain.com"
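The condition in the example above ("needs to be allowed by the primary DNS server") is a one-line setting on BIND. The added named.conf fragment below is not part of the original post; the zone name is the placeholder from the nslookup example, and the secondary's address and the TSIG secret are placeholders (named refuses to load a secret that is not valid base64, so it must be replaced before use).

```conf
// Weak: any client may request a full zone transfer (AXFR), which is what the
// "ls -d" command above relies on.
zone "yourdomain.com" IN {
    type master;
    file "yourdomain.com.zone";
    allow-transfer { any; };
};

// Corrected: deny transfers by default, then allow them only to the secondaries,
// authenticated with a TSIG key rather than by source address alone.
options {
    allow-transfer { none; };
};

key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";
};

zone "yourdomain.com" IN {
    type master;
    file "yourdomain.com.zone";
    allow-transfer { key xfer-key; };
    also-notify { 192.0.2.2; };
};
```

On Microsoft DNS the equivalent is the Zone Transfers tab of the zone's properties, where transfers are limited to the servers listed on the Name Servers tab or to an explicit list. In either case, re-running the nslookup "ls -d" example from a host that is not a secondary should now fail, which is the check that the change took effect.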

Windows Null Sessions

  • Microsoft Windows uses SMB (Server Message Block) for data sharing and advertisement of services
  • Alternatively, CIFS can be used as a non-Windows replacement
  • Null sessions are established by using a 'null' user account
  • Null sessions can be used to enumerate system information
  • Example of connecting to a Windows machine using a null account:

NetBIOS Enumeration

  • NetBIOS operates with or without a WINS server
  • Its operation is primarily based on broadcast
  • It relies on advertisement
  • Advertisements include services, roles, drives
  • Netstat can be used to enumerate information
  • NBTScan is another command-line tool
  • Example (on Kali Linux):
    • nbtscan 192.168.1.130
    • ./smbgetserverinfo -I 192.168.1.130
    • ./smbdumpusers -I 192.168.1.130 -v
  • Example (on Windows):
    • nbtstat -a 192.168.1.130

Active Directory Extraction

  • Uses the LDAP protocol
  • Ldp.exe is a simple LDAP client
  • Authenticate with Guest or no permissions at all