SCADA and security

A recent article by Hal Hodson of Information Age reports that the FBI has publicly stated that hackers have successfully targeted SCADA systems in three unnamed US communities. The attacks were reported to have the potential to shut down electricity at a nearby mall as well as the potential to dump sewage. Just weeks earlier came an announcement from the Illinois Statewide Terrorism and Intelligence Center that claimed a water pump failure was caused by a hacker attacking the pump control system. The failure came from the attackers repeatedly turning the pump on and off. (The Illinois hacking attack has been refuted by the FBI, so then it must not be one of the three sites reported above, right?)

So, what exactly is SCADA? Supervisory Control and Data Acquisition. SCADA systems control power production and distribution, such as those used for the generation of electricity or the delivery of water to communities. They are basically used to support the infrastructure that we rely upon. Thus, the failure of SCADA systems can impact a large number of people.

In a display of the potential damage that can be caused by an attack on a SCADA network, let’s look back to Stuxnet. This malware was reported to have targeted very specific Siemens-based SCADA systems. (The attack was so specific that there was speculation that the purpose of the malware was to damage the nuclear facilities of Iran.) While details are hard to come by, it appears that the Stuxnet attack resulted in damage to centrifuges. (The centrifuge is used to separate different isotopes of uranium.)

Stuxnet caused incorrect data to be reported, which led to the control systems effectively “mis-operating” the equipment. This “mis-operation” then resulted in damage. Stuxnet further revealed that it is difficult to prevent SCADA systems from malware attack. Theoretically, Stuxnet should not have been able to infect the SCADA systems controlling the centrifuges. However, in practice, it did, because somehow the malware was introduced, either through an Internet connection or carried in on a USB device. This reveals the risks of taking SCADA systems that are already network-capable and making them accessible via the Internet.

So, you would think that a malware infection such as Stuxnet could not happen again. Not so fast, as Iran has reported that they are now dealing with another virus, the Duqu virus, that is targeting their civil defense system.

Well, what can we learn from all of this? Certainly, virus scanners are less effective now, especially against a determined adversary. Therefore, it truly is important that SCADA systems be shielded from the introduction of malware, whether it is via the Internet or through a USB device.

As consumers, we all have an interest in the security of the SCADA systems that manage our power, our water, and even our prisons.

How to find hidden passwords (and how to protect them)

While preparing to teach a computer forensics workshop, I discovered a new live Linux distribution entitled C.A.IN.E (Computer Aided Investigative Environment). This software is one of a few live Linux distributions that allow a user to boot Linux from a CD or DVD and start a forensic investigation. The distribution includes tools to make and analyze forensic images. Since it is freeware, it is easy to make use of the software as part of the workshop.

In addition to Linux tools, NBCAINE version 2.5 includes WinTaylor, a set of tools that are designed to run on a Windows system. This software can be loaded onto a USB drive through the “dd” utility. (Once loaded on the USB drive, a user can either boot the live distro off of the USB drive, without access to the WinTaylor tools, or plug the USB drive into a running Windows system and access the WinTaylor tools.) Included in the WinTaylor section of the software are Windows-based tools from NirSoft that allow a user to recover passwords saved in popular web browsers, view recent file activity on the Windows system, view information about USB drives attached to the computer and more.

The NirSoft tools include some noteworthy ones that are designed to uncover passwords stored on Windows systems. For example, when you log into a password-protected website, Internet Explorer (and other browsers) give you the option to save the login information so that you don’t need to enter it the next time. A NirSoft utility, iepv.exe (Internet Explorer Password Viewer), retrieves and displays the userids and passwords. If you use Microsoft Outlook and save your POP3 or IMAP password, the NirSoft utility mailpv.exe will retrieve and display the accounts and passwords saved in Outlook. And, WirelessKeyView.exe will display the wireless network names and associated passwords that are stored in your system.

I encourage you to obtain these tools and run them on your system to reveal how many passwords are stored on your system. If you discover sensitive passwords stored on your system and you allow others to use your system, you will want to ensure that you clean out the stored passwords.

While you might not be able to delete all of the saved passwords, at least you will now have a better handle on all of the passwords stored on your system that are recoverable.

Revenge Hacking

Revenge is a powerful motivator for hacking. Take, for example, the case of Barry Ardolf of Minnesota. Trouble started when Mr. Ardolf was accused by a neighbor of kissing their 4-year-old boy on the lips. When the parents confronted Mr. Ardolf, he confessed that the accusation was true. Naturally, the parents of the 4-year-old contacted the police. This made Mr. Ardolf angry and he decided to seek revenge.

As part of his revenge, court documents indicate that Mr. Ardolf used aircrack, a freely available wireless security tool, to discover the Wired Equivalent Privacy (WEP) password for his neighbor’s network. With the neighbor’s WEP password, Mr. Ardolf could use his own computer to connect to the neighbor’s wireless network. Once connected to the wireless network, Mr. Ardolf would be able to access the Internet using the neighbor’s IP address. Thus, any activity performed by Mr. Ardolf on the Internet would be traced back to his neighbor’s residence. This provided the opportunity for Mr. Ardolf to take revenge by taking actions that would appear to be done by his neighbor.

Meanwhile, the “hacked” neighbor had been getting reports that coworkers were receiving bizarre email messages that could not be explained. The neighbor had taken the step of bringing in a security consultant to monitor activity on his network. During the time that the monitor was active, the Secret Service investigated an email threat that was found to have been sent from Mr. Ardolf through the neighbor’s wireless network. Since it was sent from the “hacked” network, the IP address of the email message came back to the neighbor, not Mr. Ardolf. This led the Secret Service to visit the neighbor, who turned over the information from the monitor. In the monitor logs was Mr. Ardolf’s POP3 username and password, presumably known only to Mr. Ardolf. This piece of incriminating information caused the government to turn its attention toward Mr. Ardolf.

The username and password found in the monitor log gave the government probable cause to obtain a search warrant for Mr. Ardolf’s residence. Examination of his computers revealed that he had sent the threatening email, as well as created false email addresses and MySpace accounts designed to appear to be the neighbor.

Further, evidence was uncovered that Mr. Ardolf had in his possession underage illicit images. He appears to have sent these images from the fake accounts that he created, apparently to “frame” his neighbor.

There are a few lessons that emerge from this case. One is that revenge is a powerful and dangerous motivation, one that I covered in my book from a few years ago, High Tech Crimes Revealed. Revenge is a dangerous motivation since the goal is to damage or hurt another.

Another lesson is that security weaknesses can be used to attack home networks as well as business networks. While WEP encryption is better than no encryption, it suffers from security flaws that can be easily exploited using freely available tools.

In this case, the use of the improved Wi-Fi Protected Access (WPA) encryption would have made it more difficult for Mr. Ardolf to break into the neighbor’s wireless network.


Are Macs immune to viruses or malware?

A couple of weeks ago, I was asked to check on a Windows-based computer that had recently been infected with a “virus scanner” malware. In this case, the malware (malicious software) would put up a pop-up screen that was kind enough to inform you that your computer was loaded with a bunch of virus infections. Further, it offered a link that would allow you to pay for a virus scanner to clean things up, right away. The malware writers made it very difficult for the average user to ignore their malware, as it disabled the buttons that would allow you to close the pop-up boxes. Further, it redirected any attempts to run programs such as regedit back to the malware. Cleaning the malware had to be done through Safe Mode.

But, why would I mention this in a posting about Macs and virii? Well, in this case, I was able to track the source of this Windows malware infection back to an email message which contained a series of links to articles that the author thought people would find useful. When the email author, let’s call him Stan, was notified that his email was linked to a malware attack, his response was, quite simply, “That is impossible, because I have a Mac.”

Of course, this is not true. Macs, as good as they are, are not able to scrub malware out of email messages or links on webpages. But, this comment got me thinking: are Macs actually malware free? Dan Moren of Macworld recently released an article entitled “New Mac Trojan horse masquerades as virus scanner”. This article describes malware written for the Mac that impersonates a virus scanner. Sound familiar?

This is not the first case of the Mac being susceptible to a malware attack. Back in April of 2006, an article from the AP called “Macs no longer immune to viruses, experts say” was released. So, it appears that the Mac has been susceptible to malware for a while.

What Apple has done, it seems, is taken steps to protect the user environment from malware, as shown in this explanation from Apple. Noteworthy steps include using a sandbox environment and screening the content of downloaded files. So, how did the virus scanner attack affect Macs? Apparently, the malware writers were able to find a way around the Mac security and/or screening defenses. It is quite possible that it will happen more often in the future, as Macs continue to become a more popular, more widely used platform and the malware writers become more adept.

So, it appears that Apple has done a lot to secure their user environment, but that malware is still getting through…

How safe is your digital data?

The recent hack of the Sony network has exposed user information on approximately 77 million accounts. The attack, according to an article in The Telegraph, has potentially exposed passwords and credit card numbers. If this is true, this is “not good”, since it would imply that the passwords and the credit card numbers were not encrypted when they were stored in Sony’s network.

I registered for the Sony network, so apparently my credentials were among the ones stolen during this attack. At the end of this posting is the email message that I received from Sony about the incident. (I have removed some information that is not important for this posting.) The message recommends changing the account password once the Sony network has been reactivated.

The Sony network required an email address and a password for a user to log into their network. An email address along with a password is used for authentication to other networks, such as LinkedIn or Facebook. Thus, it is possible that some of the accounts compromised in the Sony network attack can be used to hijack non-Sony accounts. The email message from Sony below would be better if it recommended that users change all accounts using the same email address and/or the same password used in the Sony network.

What can users do? When registering for networks such as Sony’s, Amazon’s or others, be sure the email address and password used for authentication on one site is not used for authentication on other sites. This means that a user needs to ensure that the userid/password used to log into Facebook is not the same as the userid/password used to log into the Sony network. This will limit the potential risk if one network is compromised. For example, my Amazon ID is not at risk from this attack since I use different account information for the Amazon and Sony networks.

Here is the email I received.

"Valued PlayStation(R)Network/Qriocity Customer:

We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network. In response to this intrusion, we have:

1) Temporarily turned off PlayStation Network and Qriocity services;

2) Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and

3) Quickly taken steps to enhance security and strengthen our network infrastructure by rebuilding our system to provide you with greater protection of your personal information.

We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.

Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

... When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them as well.

To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it:

- U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit www.annualcreditreport.com or call toll-free (877) 322-8228.

- We have also provided names and contact information for the three major U.S. credit bureaus below. At no charge, U.S. residents can have these credit bureaus place a "fraud alert" on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. This service can make it more difficult for someone to get credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it also may delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, please contact any one of the agencies listed below:

  • Experian: 888-397-3742; www.experian.com; P.O. Box 9532, Allen, TX 75013
  • Equifax: 800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
  • TransUnion: 800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790

- You may wish to visit the website of the U.S. Federal Trade Commission at www.consumer.gov/idtheft or reach the FTC at 1-877-382-4357 or 600 Pennsylvania Avenue, NW, Washington, DC 20580 for further information about how to protect yourself from identity theft. Your state Attorney General may also have advice on preventing identity theft, and you should report instances of known or suspected identity theft to law enforcement, your State Attorney General, and the FTC. For North Carolina residents, the Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; telephone (877) 566-7226; or www.ncdoj.gov. For Maryland residents, the Attorney General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; telephone: (888) 743-0023; or www.oag.state.md.us.

...

Sincerely,

Sony Computer Entertainment and Sony Network Entertainment"

From this message, it appears that the attackers were able to get hold of significant personal information.

So, what can we do to better protect ourselves? Keep in mind that some of the networks that we rely on will be compromised by attackers. Thus, it is the user’s responsibility to ensure that ids are different on each site.

Is the day of the virus scanner over?

I have noticed a new trend emerging over the past couple of years… the virus writers are out-pacing the virus detectors. First, consider the clampi/zeus virus which I wrote about in 2009. This virus was being used to steal banking credentials and was very successful. Of note was that up-to-date virus scanners were not detecting the clampi virus.

Then, last year, information came to light on the “stuxnet” virus. This virus has recently been “cracked” by Ralph Langner. He presented his findings at TED (see the video here). The summary of his presentation was that the virus was very advanced and written to attack specific systems involved in the refinement of uranium in Iran. This is the stuff of spy movies.

Note that the clampi and stuxnet virii have the following things in common:

  1. they were not detected by virus scanners,
  2. they wanted to be stealthy and not damage the host computer,
  3. they were targeted in their attacks.

So, what can we make of this new trend? Virus detection seems to be losing the battle against the truly sophisticated virus writers, and this is not a good trend. As computers contain more sensitive information such as banking records or nuclear secrets, they will become targets of attack. And, since the virus writers are outpacing the virus defenders at the moment, it is difficult to trust any system connected to the Internet, whether it has a virus scanner or not.

One option that might become useful in the future is a computer that runs a virtual operating system, such as VMware. A virtual operating system loads its operating system from a static image. Though the VMware operating system might get infected with a virus, the virus itself does not infect the static image from which the VMware is loaded. (At least not yet.) Basically, the virtual operating system is protected from a persistent virus threat since it reloads the operating system with every reboot.

Of course, this means that making real persistent changes to the operating system, such as installing new software, becomes very difficult. So difficult, in fact, that we probably won’t see people using virtual operating systems for a while…

Meanwhile, the search goes on for a better method to protect systems against persistent virus infections.

Ten insecure web applications for your online identity

Recently, the NY Times published the article New Hacking Tools Pose Bigger Threats to Wi-Fi Users. This article discussed the dangers of a relatively new tool called Firesheep, which allows a third-party to “hijack” active connections to password protected websites. The software, created by Eric Butler, can be downloaded for free. The software is easy to use, as it is an add-on for Mozilla Firefox.

Normally, when we log into a website, we are first directed to a login page protected with SSL. (This appears to the user as “https”, and it encrypts data sent over the network.) When a user successfully logs in, their web browser will get a session cookie, which acts like a digital pass. This session cookie allows a user to access protected webpages without having to continually enter their password. A typical session cookie is composed of a sequence of characters and may look like this:

"SESSION=0009hE0aCdjIp-7kxeQq0kwrvF0"

Keep in mind that anyone presenting a valid session cookie can access protected webpages until the session cookie becomes invalid through a logout. If the session cookie is sent without encryption, it could be read by a third-party using an application such as Firesheep. That stolen session cookie could be used to access protected webpages. Note that while the session cookie might be stolen, the user’s password has not been compromised, since the session id provides no information about the user’s password.

When we log into a website that is secure, we expect that the entire session will be encrypted to protect our information as it is traveling the network. However, in many cases, only the login page is protected, not the accesses to the website after login. For example, when logging into Google, the password entered during the login is protected with encryption, preventing a third-party from stealing the password. Once the user is logged in, a session cookie is set. When the user then accesses an unencrypted Google page, the cookie is still sent, but now in the clear.

The Firesheep application is preconfigured to capture active session information for 26 websites. Below are the ten most interesting of them.

  1. Amazon.com,
  2. Basecamp,
  3. Dropbox,
  4. Facebook,
  5. Google,
  6. Windows Live,
  7. NY Times,
  8. Twitter,
  9. WordPress,
  10. Yahoo

Each one of the above websites transmits the session cookie unencrypted, meaning that a third-party could steal the cookie using Firesheep. If someone can copy your session cookie, they could access your protected webpages. For example, in the case of Facebook, they could access your messages and even post status updates.

The risk of having your session cookie stolen is high on an open (unencrypted) Wi-Fi network, such as those found at airports, coffee shops and hotels, as the communications on these networks can be monitored by a third-party. These Wi-Fi networks often require a user to log in, but this login does not prevent a third-party from watching all of the network traffic. And, generally, Wi-Fi networks that require a user to log in via a webpage are open wireless networks. The risk of session cookie compromise is lower, but still exists, with WEP-protected Wi-Fi networks. Wired networks and WPA-protected Wi-Fi networks offer the best protection against this type of attack as these networks make it difficult for a third-party to intercept your traffic.

What can a user do? There are only a couple of tips:

#1 – Always be sure to log out from a website when you are done. For example, when you are done on Facebook, be sure to log out. The logout cancels the session cookie.

#2 – Be aware when using an open Wi-Fi network that your session cookie could be stolen by a third-party. So, be more diligent about logging out when using an open Wi-Fi connection.

Unfortunately, there is not much more that users can do at this time. Application developers will need to upgrade their applications to only transmit session cookies when using “https” and never when using “http”.
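An added example, not code from the article, from Firesheep, or from any of the sites listed: a small Python checker for the developer fix just described. `audit_set_cookie` flags a Set-Cookie header whose session cookie would also travel over plain http, `sent_over` answers whether a browser would attach the cookie to an http or https request, and `harden_set_cookie` emits the header form that confines the cookie to https. The helper names and the headers are this example's own constructions; the cookie value is the one quoted above.

```python
"""Check whether a session cookie would cross the wire in the clear.

A cookie set without the Secure attribute is attached to http requests
as well as https ones, which is exactly what lets a listener on an open
Wi-Fi network copy it. Parser, checker and sample headers are this
example's own constructions.
"""

from typing import Dict, List, Tuple

# The session cookie value quoted in the text, here as a constructed
# Set-Cookie header carrying no attributes at all: the weak case.
WEAK_HEADER = "SESSION=0009hE0aCdjIp-7kxeQq0kwrvF0"


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie header value into name, value and a lower-cased
    attribute map. Flag attributes such as Secure map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def sent_over(header: str, scheme: str) -> bool:
    """Would a browser attach this cookie to a request with this URL scheme?
    Only the Secure attribute stops it from being sent over plain http."""
    _, _, attrs = parse_set_cookie(header)
    if scheme == "https":
        return True
    return "secure" not in attrs


def audit_set_cookie(header: str) -> List[str]:
    """Return the problems with a session cookie's attributes. An empty list
    means the cookie is confined to https and hidden from page scripts."""
    name, _, attrs = parse_set_cookie(header)
    problems: List[str] = []
    if "secure" not in attrs:
        problems.append(f"{name}: missing Secure, so it is sent over plain http too")
    if "httponly" not in attrs:
        problems.append(f"{name}: missing HttpOnly, so page scripts can read it")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        problems.append(f"{name}: SameSite is not Lax or Strict")
    return problems


def harden_set_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Build the header an application should emit instead: https-only,
    inaccessible to scripts and short-lived, so a copied cookie is worth less."""
    return (f"{name}={value}; Path=/; Max-Age={max_age}; "
            "Secure; HttpOnly; SameSite=Lax")


if __name__ == "__main__":
    hardened = harden_set_cookie("SESSION", "0009hE0aCdjIp-7kxeQq0kwrvF0")
    for hdr in (WEAK_HEADER, hardened):
        print(hdr)
        print("  sent over http:", sent_over(hdr, "http"))
        for problem in audit_set_cookie(hdr):
            print("  -", problem)
```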

Dangers of the “forgot my password” link

This hasn’t been a good month for passwords…

In mid January, George Samuel Bronk pleaded guilty in a California court to computer intrusion charges and possession of contraband images. He searched for women on Facebook, then broke into their email accounts. He didn’t guess the passwords of the email accounts; instead he reset the password for the account using the “forgot my password” link. These links usually ask for personal information such as “what was the name of your first pet?”. Using information from the victims’ Facebook pages, he was able to answer the security questions and reset the passwords for many users.

Once he broke into the accounts, he searched the sent email folder, looking for photos that the account owner sent to others. In some cases, he found very personal photos, which he downloaded to his computer. And, as a consequence of his attack, the original email owner could not get back into their account.

As if this was not bad enough, Bronk then threatened to release the compromising photos of the victims unless they sent him more photos to their stolen email account.

From this attack, we have learned that if a password is too difficult to guess, attackers can try to reset it using publicly available information. Therefore, I strongly suggest that you do not use real information when answering the security questions. Consider answering the question “Mother’s maiden name” as your favorite color, not your mother’s real name. Mix it up in a way that you will remember but an attacker won’t.

Then, the website “Trapster” announced that their site experienced an “incident”. The compromised data possibly included email addresses, account passwords and phone numbers of customers, but the site was not very specific. Risk of exposure of credit card information from this attack is low since the site did not contain credit card information. If the compromised data included the account passwords, the real risk here is that the captured Trapster passwords could be used to log into other sites, such as Facebook. Note that strong, difficult-to-guess passwords would be of no help here since the passwords were visible to a third-party.

The lessons to be learned:

  1. Complex, hard-to-guess passwords can easily be defeated through the “password reset” link. To protect yourself, make sure that your answers for your account’s security questions are not well-known. For example, don’t say your favorite color is red, say it is your birth month. Don’t give your real birthday, instead change the day, month or year to your favorite number. Be creative with your answers.

  2. Don’t use a single password for all of your Internet access, because if your password is stolen from one site, it can be used for all of the sites that you use. For some, maintaining a different password for each account can be too difficult. In that case, make sure that the following passwords are not shared with any other site:

  •  Your online banking password
  •  Your social networking password
  •  Your email password.

Have I missed any accounts that should have a unique password? Let me know.

Top 10 usernames hackers try

The basics: we use usernames to identify a person to a computer system. A password is commonly required in order to ensure that only the proper person is using the username. Hackers know that at least some passwords for most systems are usually weak or easily guessed, and they will often attempt to access computers using password guessing programs. These attacks are often attempted against my systems on the Internet, which are accessible via ssh. Ssh allows for command line access to a remote system over the network, and is a very useful tool to administer systems remotely. Ssh allows an administrator to copy files up to a remote server and down from a remote server too.

Access to ssh is usually authenticated through a username and password, as is the case with most system access. (While authentication based upon a username and password is not great, it is the most scalable option available today.) Ssh, a widely available tool, is recommended for use since it encrypts traffic, which reduces the ability for hackers to sniff account passwords. (Password sniffing is a problem with http, ftp and telnet communications.)

As ssh has grown in popularity, hackers have needed to devise new methods for breaking into ssh protected systems. One class of ssh hacking tool is SSHater, a tool that will try to guess valid usernames and passwords via ssh. Back to my systems on the Internet. I have configured my ssh server to log all invalid username/password attempts to the audit log, along with the IP address where the attempt originated. Here is a sample from my audit log.

type=USER_LOGIN msg=audit(1291694386.586:32619): user pid=17683 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=94.102.1.248 terminal=sshd res=failed'

I have gone through my last year’s worth of audit logs to summarize the most often guessed usernames and sources of hacking attempts. The most commonly guessed usernames are:

  1. root
  2. test
  3. oracle
  4. admin
  5. user
  6. postgres
  7. guest
  8. nagios
  9. mysql
  10. tomcat

Runners-up were: student, cyrus, mythtv, administrator, temp and apache.

And, here are the top IP addresses that have been trying to get in:

  1. 114.141.196.155 (dedserver.net, a dns name with no website!)
  2. 221.143.48.15 (korea)
  3. 61.55.135.182 (china)
  4. 175.125.21.228 (korea)
  5. 94.102.1.248 (turkey)
  6. 121.88.249.143 (korea)
  7. 111.68.108.6 (pakistan)
  8. 173.244.187.10 (ohio, USA)
  9. 118.217.12.34 (korea)
  10. 212.156.122.94 (turkey)
  11. 218.64.215.239 (china)
  12. 91.209.238.2 (mexico?)
  13. 118.219.234.163 (korea)

What can we learn from this? First, notice that the username “root” is one of the most popular usernames guessed. That is because many UNIX systems are configured with a “root” account, and that account usually has full privileges. It is the account a hacker would most like to obtain for a system. To protect against this, make sure that root logins are disabled via the Internet. It is preferable to have a system administrator log in with their own userid, then “su” to a root level account.

Three of the top 10 accounts (oracle, postgres and mysql) are database accounts. So, if you have these databases and they need to be administered from the Internet, be sure that you have secured your database usernames.

Accounts such as admin and guest are typically generic accounts shared by many people. These accounts usually have weak passwords and should be avoided.

In summary, remember to:

  • disable root level logins via ssh.
  • change default passwords for any and all default accounts.
  • review the audit log for login successes from unknown IP addresses.
  • review the audit log for login failures to keep an eye on the latest accounts that are being guessed against your system.

Tracking and recovering a stolen iPhone

A few months ago, a friend of mine lost his iPhone in a movie theater. He noticed it was missing when he got home. At least he thought it was lost, until he noticed that someone was reading and deleting his emails. It seemed that the iPhone was found by someone, and that someone was using the iPhone.

He contacted AT&T for assistance. It should have been a pretty easy recovery. The iPhone, when turned on, must register onto the AT&T cellular network with its unique Electronic Serial Number (ESN) and Mobile Identification Number (MIN). AT&T should easily be able to find the cell tower covering the cell phone, right?

Well, technically AT&T can do that, but as a matter of policy, they don’t release this information without a subpoena. And that would need to come from the police.

Were there other options? Well, AT&T offered to turn off the service to the stolen iPhone and (for a fee) send him a new one. An offer that he took since he wanted to get into the mobile world.

Then, as luck would have it, the thief tried a test application on the iPhone called AirGraffiti. This app logs the GPS coordinates of the cell phone.

Here is a map showing some of the GPS coordinates reported for the cell phone.

Keep in mind that iPhones are both 3G and WiFi capable. So, when AT&T had turned off the stolen phone’s service, the thief just started using the WiFi service.

GPS map view

There were a couple of challenges in this case. Since the phone was stolen, the thief had no expectation of privacy. However, everyone else in the neighborhood still did! So, we needed to be able to search for the stolen phone only. Next, we wanted to make sure that we were passively listening; we did not want to generate traffic and try to cause the iPhone to respond. And we did not want to listen to content. We only wanted to look for the MAC address of the cell phone. The MAC address should be unique for each iPhone, and the MAC address of an iPhone is difficult to spoof. These restrictions ruled out tools such as wireshark, netstumbler and kismet.

My company builds AP-Finder, software that can track the location of WiFi devices. Since the owner had the MAC address for the iPhone, all I needed to do was run AP-Finder. I searched for the iPhone’s MAC address and drove through the area reported by the GPS coordinates. Sure enough, I got a hit!

Using the results of this search, I contacted the State Police and told them about the case and what I had. They came out to do the search using AP-Finder, and sure enough they also got a hit. Using the signal strength feature of AP-Finder, we were able to locate the house containing the cell phone. (Below is a sample of the AP-Finder’s search by MAC feature.)

This technique has promise, but there is still more to do…

AP-Finder

The end result. The cell phone was recovered and the thief was charged with fourth degree theft, and third degree computer crime violations. All of this was done without issuing a subpoena to the cell phone carrier or ISP for information.

how not to get a virus

I came across the following virus site when following up on an internet search. http://193.169.235.225/index.php?q=B5AF6D87821K0M332YPU6SPKL92L67Q302… (I have not listed the whole link to protect the reader!)

A quick lookup shows that the IP address 193.169.235.225 is owned by “Jamaica research center” from Titan-net LTD. The IP address is being managed on the Internet by ECOMD-COLOQUEST out of the Ukraine. (Yet, the IP address appears to be physically located in Chicago.)

If you are sent to the website, you are greeted with a pop-up window telling you that your system might be infected. The alert says “Warning! Your computer contains various signs of viruses and malware programs presence. Your system requires immediate anti viruses check! System Security will perform a quick and free scanning of your PC for viruses and malicious programs.” (This is the exact quote from the message.)

Then, the browser window looks like a scan is being performed. Check out this image…

Virus Main Screen

While the pop up messages sound pretty dire, I didn’t see any virus yet. And, whatever you do, don’t accept a virus scan from any of these pop-ups. Instead, just close the windows by pressing the red “X” in the upper right corner of the browser windows.

When you try to close the browser, you will be greeted by one more message.

Exit warning

private peek into public lives…

The NY Times published an article on September 1st detailing how tabloid reporters in the UK gained access to celebrity voicemails. Using this access, the reporters were able to peek into the very private lives of public figures. (The articles can be found here).

Basically, the tabloid reporters built a list of celebrities’ cell phone numbers by working with private investigators. The reporters then went further and directly or indirectly gained access to the cell phone voicemail.

There were two different, very low-tech techniques that were used to get to the voicemails. The first one involved guessing the 4-digit PIN associated with the voicemail. Often, this one succeeded when the default voicemail PIN was used, since many people don’t seem to change their voicemail PIN.

The second method was a little more scary. The reporter would call the phone company and convince them to either reset the PIN or tell them the PIN for the voicemail. Either way, once they had the PIN, they could listen to voicemail messages on the cell phones.

Once the reporters started listening to the voicemails of the royal family, the police got involved. During their investigation, the police discovered a list of 91 cell phone numbers and associated voicemail PINs during a search of Glenn Mulcaire’s residence. (This search happened in 2006). Mulcaire was a private investigator working with Clive Goodman, a reporter at the “News of the World”.

Now the police were in a tough position. They had a list of compromised voicemails. Should they notify all of the people on the list that their voicemails were potentially compromised? It appears from this article that the answer in the UK is no. The government was under no obligation to notify the individuals that their voicemails were compromised.

Would the laws in the US be different? After all, many states in the US have passed laws where private companies are obligated to notify affected parties when their security has been breached. By extension, would the police in the US be bound to notify people if their cellphone numbers and PINs were found on a list seized in the residence of a hacker? It appears from my discussions with those in the field that the answer is “no” here too.

This article points out a couple of very important issues:

First, voicemail security is weak while the contents of voicemail are interesting. It seems likely that the contents of voicemails might be interesting in a civil court proceeding or business negotiation. At a minimum, make sure that you have a PIN that is not the default PIN. It probably makes sense to change it periodically as well.

Second, if the police have discovered that your voicemail was hacked as part of a broader investigation, keep in mind that it appears in the US that they are not under any obligation to notify you. Basically, it comes down to the fact that you alone are ultimately responsible for the security of your voicemail.

MD5? SHA1? – Some facts and mis-conceptions about the checksum value

A checksum is a mathematically calculated value that is used to check data integrity. There are a few well known checksum algorithms in common use: Cyclic Redundancy Check (CRC), Message Digest 5 (MD5), and Secure Hash Algorithm 1 (SHA-1). While there are more than these three checksum algorithms, let’s just focus on these three for the moment.

Checksum algorithms take digital data and spit out a number. For example, let’s calculate the checksum value for the word “Hello” using the CRC algorithm. Using a simple Linux system, we can generate a checksum of the word “Hello” using the following command.

$ echo "Hello" | sum
36978 1

(In the above, the 36978 is the checksum value, and the “1” is the size of the input in blocks. We can ignore the trailing one.) If we change the capital H to a lowercase h and recalculate the checksum value, we will get a different result.

$ echo "hello" | sum
36979 1

Let’s add a space to the end of the input.

$ echo "Hello " | sum
18510 1

This is what makes the checksum valuable. The output value is different when the input is different. A good checksum algorithm will produce the same value on the same input, and different values on different input. And, it will produce the same value on the same input on any computer.

The table below shows the checksum values for the three different variations of the word hello calculated with the three different algorithms.

Sample checksum values for CRC, MD5 and SHA1

“Hello”
  CRC   36978
  MD5   09f7e02f1290be211da707a266f153b3
  SHA1  1d229271928d3f9e2bb0375bd6ce5db6c6d348d9

“hello”
  CRC   36979
  MD5   b1946ac92492d2347c6235b4d2611184
  SHA1  f572d396fae9206628714fb2ce00f72e94f2258f

“Hello ” (with trailing space)
  CRC   18510
  MD5   adb3f07f896745a101145fc3c1c7b2ea
  SHA1  a83f9352aa642ceec0a03b126e453a5984cf68ab

Notice that the checksum values for the same word are different when using a different algorithm. CRC does not produce the same value on the same input as MD5. And, MD5 produces a different value than SHA1. This means that you cannot use MD5 to verify a checksum value calculated with SHA1.

Myth – Knowing the checksum value, I can regenerate the input.

Checksum values are not easily reversible because the checksum algorithm throws away information during the calculation. Because of this, the checksum value of “36978” can’t be converted back into “Hello”, because Hello is one of many different possible inputs that could create that value. This leads to another myth…

Myth- A good checksum algorithm prevents collision.

A checksum collision happens when two different inputs return the same checksum value. For example, the CRC checksum value for “Hello” is 36978, as is the CRC checksum value for “Jdllo”. (With the CRC algorithm, a collision can be easily generated by lowering the first letter of the word by one character while raising the second letter by one character.) A checksum collision is always possible no matter how good the checksum algorithm is. This is because a checksum has to take a file of some arbitrary size and reduce it to a number. A good checksum algorithm will just make it difficult to predictably manipulate the input to create a known hash value. MD5 and SHA1, since they are cryptographic hash functions, make it more difficult to manipulate input to produce a predictable checksum value.
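The three columns of the table above, recomputed in an added Python example (not the post's own code). With no options, the `sum` command computes the 16-bit BSD rotating checksum, which is what the CRC column shows, so the example reimplements that algorithm, uses hashlib for MD5 and SHA1, and then builds the collision this myth describes. Note that `echo` appends a newline, so the inputs actually hashed were “Hello\n” and so on. The bsd_sum_collision helper is an assumption of the example, not something from the post: because the rotate step halves an even first byte, adding two to it and subtracting one from the second byte leaves the running value unchanged (the reverse for an odd first byte), which is how “Hello” turns into “Jdllo” with the same checksum. MD5 and SHA1 offer no such shortcut.

```python
import hashlib


def bsd_sum(data):
    """16-bit BSD checksum, what `sum` computes by default: rotate the running
    value right by one bit, then add the next byte, keeping 16 bits."""
    s = 0
    for b in data:
        s = ((s >> 1) | ((s & 1) << 15)) & 0xFFFF
        s = (s + b) & 0xFFFF
    return s


def checksums(data):
    """The three columns of the table, for one input."""
    return {
        "CRC": bsd_sum(data),
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
    }


def bsd_sum_collision(data):
    """Return a different input with the same BSD checksum (assumed helper, not
    from the post). After the first byte b0 the running value is b0; the next step
    halves it (rotating the low bit to the top) and adds b1. For even b0,
    (b0+2)/2 + (b1-1) equals b0/2 + b1, so the running value, and therefore
    every later step, is unchanged. For odd b0 the same holds with -2 / +1."""
    if len(data) < 2:
        raise ValueError("need at least two bytes")
    b0, b1 = data[0], data[1]
    if b0 % 2 == 0 and b0 <= 253 and b1 >= 1:
        return bytes([b0 + 2, b1 - 1]) + data[2:]
    if b0 % 2 == 1 and b0 >= 3 and b1 <= 254:
        return bytes([b0 - 2, b1 + 1]) + data[2:]
    raise ValueError("first two bytes are at the limits of the byte range")


if __name__ == "__main__":
    # echo appends a newline, so the inputs `sum` saw were "Hello\n" and so on
    for word in (b"Hello\n", b"hello\n", b"Hello \n"):
        print(word, checksums(word))
    twin = bsd_sum_collision(b"Hello\n")
    print(twin,
          "same CRC:", bsd_sum(twin) == bsd_sum(b"Hello\n"),
          "same MD5:", checksums(twin)["MD5"] == checksums(b"Hello\n")["MD5"])
```

Running it reproduces the table and prints the constructed twin with a matching CRC but different MD5 and SHA1, which is the practical difference between a checksum and a cryptographic hash.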

Myth – A checksum value can be used to prove that data has been read correctly.

Since checksums can be used to detect alterations in digital input, they can be very useful in computer forensics. Checksum values can help to establish a very low probability of alteration of digital evidence once it has been captured. A checksum is extremely effective when it is declared after the acquisition of electronic evidence. The declaration of the checksum should be printed or otherwise stored to prevent potential alteration or tampering. Should the checksum of the evidence later be found to not match the declared checksum, there is a possibility that the evidence or evidence container has been altered. (Note carefully that it is possible, not definite.) Factors such as disk errors and errors in the checksum implementation can also result in a checksum mismatch.
What a checksum cannot do is prove that the correct digital evidence was acquired. Here is an example to consider. My company makes forensic imagers, and forensic imagers undergo validation testing by neutral third parties. Basically, these third parties are checking that the product does not alter the data that it was copying and that it copies all of the data.

During a couple of the different validations by different groups, we were contacted by the testers. The testers told us that they had noticed that the checksum values that we produced were occasionally different than the ones that they produced using their equipment. Follow-up investigation revealed that the checksums were indeed different, and in all cases it was because our system was capturing more disk data than their test system was. Well, that is good news for us, but why were they different? It turns out that when you capture more data, you need to run the additional data into the checksum algorithm. That, in turn, changed the checksum value and led to the difference.

This highlights that the checksum algorithm cannot be used to determine if the original disk drive was read correctly. As happened here, the validation team’s checksum values had matched when they did not read all of the data. The checksum value was very useful to determine that the source disk was not modified, but was not useful in determining that the source disk was read completely.
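As an added example (not from the post or from the company's products), a Python sketch of the declare-then-verify workflow for an acquired image, run over a constructed eight-sector toy disk. It records the byte count next to the hash, which is the detail that separates the validation story above (one tool read less data) from a source that was actually altered, and it shows why a hash match between two tools says nothing about whether either read the whole drive.

```python
import hashlib

SECTOR = 512


def fake_disk(sectors=8):
    """Constructed toy source disk: each sector is filled with its own index byte."""
    return [bytes([i]) * SECTOR for i in range(sectors)]


def stream_sha1(chunks):
    """Hash the data in the order it is read, as an imager does, and count the bytes."""
    h = hashlib.sha1()
    count = 0
    for chunk in chunks:
        h.update(chunk)
        count += len(chunk)
    return h.hexdigest(), count


def declare(chunks, label):
    """The record to print and store at acquisition time: the hash AND how much was hashed."""
    digest, count = stream_sha1(chunks)
    return {"label": label, "sha1": digest, "bytes": count}


def verify(chunks, declared):
    """Recompute over the evidence and classify the outcome."""
    digest, count = stream_sha1(chunks)
    if digest == declared["sha1"] and count == declared["bytes"]:
        return "match"
    if count != declared["bytes"]:
        return "length mismatch"   # a different amount of data was read; hashes cannot agree
    return "content mismatch"      # same amount of data, different bytes: alteration or read error


def compare_tools(rec_a, rec_b):
    """Explain a disagreement between two imagers' declared records."""
    if rec_a["sha1"] == rec_b["sha1"]:
        return "both tools hashed identical data"
    if rec_a["bytes"] != rec_b["bytes"]:
        longer = rec_a if rec_a["bytes"] > rec_b["bytes"] else rec_b
        return f"{longer['label']} read {abs(rec_a['bytes'] - rec_b['bytes'])} more bytes"
    return "same length, different content: one copy is not faithful"


if __name__ == "__main__":
    disk = fake_disk()
    full = declare(disk, "imager A")
    short = declare(disk[:7], "imager B")   # a tool that stopped one sector early
    print(full)
    print(compare_tools(full, short))
    print(verify(disk, full), "/", verify(disk[:7], full))
```

A hash alone would only say "different"; the byte count turns that into "B read one sector less", which is the conclusion the validation teams reached by hand.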

wireless networks and spies

Recently, federal authorities announced the arrest of 10 spies. While this happens from time to time, what has made this case noteworthy is the use of private, peer to peer (also known as ad-hoc) wireless networks used by the alleged spies as well as other advanced data hiding techniques. 

The federal complaint, available at Scribd or at mainjustice.com, discusses how temporary networks were alleged to have been used to allow the spies to secretly move data without physically meeting. For example, there is a mention in the government complaint that a secret appeared to be passed between one spy in a bookstore and a second spy that was standing on the street.

As the communications were not done directly through the Internet but through these temporary networks, agents needed to be physically close to the subjects.  Since the wireless signals are usually limited to 300 feet from transmission to reception, investigators would either need to be near the spies or would need a specialized antenna that could increase the signal strength. Either of these options could be obvious.

In this complaint, MAC addresses were used to identify the potential spies. A MAC address is basically a unique identifier for a computer or smart phone when it is using a wireless network. Since these addresses are unique, the federal agents were able to detect that a network was being set up between the same two individuals repeatedly over a six month period.

This complaint shows a high level of sophistication by the alleged spies and by the FBI. This should prove to be an interesting case as it winds through the legal system.

what is a good password?

Passwords are a secret used to prove your identity to a computer. We have come to rely on passwords to protect access to important things such as email accounts and bank accounts. The most commonly used type of password is a “static” password, a password that does not change when used. An example of a static password is the PIN that you use to access your ATM or the password that you use to access facebook. Static passwords are often used because they are cheap to implement and are well understood by the general public.

An improvement to static passwords is the one-time password. Most one-time password systems require the use of hardware or specialized software, so they are much more costly to implement than a static password. They are usually harder to support as well. (These factors are part of the reason why online banking is not protected with one-time passwords.)

When it comes right down to it, static passwords are really not a great way to prove identity. Password programs such as brutus, cain and abel, and thc-hydra are examples of programs that make password guessing very easy.

While the above programs make password guessing simple, they are not the only threat to static passwords. Phishing attacks are designed to steal passwords by simulating a real web site that traditionally asks for your password. These attacks have been stealing passwords from ebay accounts, banking accounts and even facebook accounts. Phishing attacks usually start as an email message that appears to come from ebay or your bank asking you to confirm your account by logging into a website. More sophisticated ones will usually say that there is a fraudulent charge that has been posted to your account and that you need to log in if you wish to dispute it, or describe some other trouble with your account.

So, with these issues, what is a good password? Since we are currently stuck with passwords, they need to be complex enough to not be easily guessed. Might sound easy, but people publish lists of passwords. For examples of easily guessed passwords, check out this blog posting. Another good example is the openwall project’s list.

While passwords need to be complex, they also need to be simple enough to be easily remembered.  An article by Mark Pothier in the Boston Globe discusses Microsoft researcher Cormac Herley’s estimates on the costs associated with password resets and makes a case that complex, hard to remember passwords are not often worth the expense.

So, what is a good password? I still vote for a complex password that is regularly changed. Why? Well, in most of the network penetration tests that I perform, I have often found that a weak password exists and allows unauthenticated access to critical resources. Until a better method of user authentication exists, we are stuck with having to better manage our weak passwords. And remember, it needs to be changed regularly to limit the potential for misuse if it is captured, but not too often that you forget it.

is your online bank account safe?

What would you do if your bank called to verify some suspicious transactions? Well, that recently happened to a company I know. It turns out that the “suspicious” transactions were attempts to transfer approximately $9,000 a person to more than 10 different people.

Good thing that the bank noticed and halted the suspicious transaction. It turns out that when suspicious transactions are completed via a business account, the money is difficult to recover. The bank will not refund the money, the account holder needs to get the money back from the transferee.

After the first transaction was stopped, someone tried it again. Eventually, the bank cancelled all online access to the account. What was happening?

Was it an insider that stole the banking credentials? If not, then what? The initial review of systems with access to the banking credentials showed that their virus scanners were up to date. The review also did not show any signs of suspicious access into the systems.

Things were not adding up. But then, a break. A closer inspection showed that the computers used to access the bank accounts were infected with a malware that was not detected by virus scanners.

It turned out that the malware was clampi, a pretty nasty piece of malware that specialized in silently collecting banking credentials. (Symantec has a great writeup on the malware at symantec’s inside_trojan_clampi.pdf)

The malware was able to hide from virus scanners because the malware hides in the registry. The program is a registry key value, not a file. And, of course, the registry key value is encrypted.

There is a way to check your system for a sign of clampi. Check your windows registry for the following key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\“GatesList”. (If you have this key, you may have a clampi infection.)
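As an added example (not from the post or from Symantec's write-up), a Python triage helper that looks for the indicator named above in an exported .reg file rather than on the live registry, so the check can be run from a clean machine against an export taken from the suspect one. The export text is constructed for the example. It looks for GatesList both as a value name and as a subkey name, since the post's notation leaves that open, and compares names case-insensitively because registry names are case-insensitive.

```python
import re

# Constructed regedit export (a real one is UTF-16 text saved by regedit; this is an
# in-memory string). It mixes ordinary Internet Explorer values with the value the post names.
SAMPLE_REG_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Settings]
"Anchor Underline"="yes"
"GatesList"=hex:4a,00,6f,00,62,00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main]
"Start Page"="about:blank"
"""

TARGET_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings"
INDICATOR_NAMES = {"gateslist"}   # lower-cased; registry names are case-insensitive

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=')


def parse_reg_export(text):
    """Return {key_path: [value names]} from .reg text; hex continuation lines are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, [])
            continue
        value = VALUE_RE.match(line)
        if current is not None and value:
            keys[current].append(value.group(1))
    return keys


def clampi_indicators(keys):
    """Paths where the indicator appears under the target key, as a value or as a subkey."""
    hits = []
    target = TARGET_KEY.lower()
    for path, names in keys.items():
        if path.lower() == target:
            hits += [f"{TARGET_KEY}\\{n}" for n in names if n.lower() in INDICATOR_NAMES]
        elif (path.lower().startswith(target + "\\")
              and path.rsplit("\\", 1)[-1].lower() in INDICATOR_NAMES):
            hits.append(path)
    return sorted(hits)


def scan_reg_file(path):
    """regedit writes exports as UTF-16 with a byte-order mark; 'utf-16' handles that."""
    with open(path, encoding="utf-16") as fh:
        return clampi_indicators(parse_reg_export(fh.read()))


if __name__ == "__main__":
    print(clampi_indicators(parse_reg_export(SAMPLE_REG_EXPORT)))
```

Export the key with `reg export "HKCU\Software\Microsoft\Internet Explorer" ie.reg` on the suspect machine and pass the file to scan_reg_file; a hit is a reason to treat the machine as compromised and rotate the banking credentials from elsewhere, not a clean bill of health when absent.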

A clampi infection is concerning as it is silent and very good at collecting banking credentials. There are a couple of tips to help you avoid losing your banking credentials to the clampi malware:
1- Use a clean computer to access your online bank accounts.
2- Do not use your computer that you use to access bank accounts to access other web sites.
3- Change your online password frequently from a secure computer.

These tips are difficult to implement, but try as best as you can…

Using a credit card over the Internet is safer than in-person?

In early September, the AP reported that a hacker pleaded guilty to theft of credit card numbers. (The full story, by Denise Lavoie, can be found here.) The story provided some detail on how the hacker obtained the credit cards. It turns out that the hacker(s) searched for open or otherwise poorly protected wireless networks used by a corporation to transmit credit cards internally. Once a weak or open wireless network was found, the hackers installed a program to collect the credit card numbers used for in-store purchases.

In this case, it was less safe to make a purchase using your physical credit card than it would have been to make the same purchase over the Internet.

Why? Because credit card numbers are not generally protected when they are transmitted within a corporate network, and they have not been for years. One of the first reported stories of a case where a hacker broke into a corporate wireless network to steal credit card numbers was reported in 2004.

What can a consumer do in the short term? Not too much, other than have a second credit card that you can use if your primary card is shut off due to fraudulent use. It is difficult to tell whether a store where you make a credit card purchase is protecting your credit card number. While you can ask the store employees, you might not get a reliable answer because they may just not know. And, if your credit card number is discovered to be “compromised” by a hacker, you are usually protected. For example, under US federal law (specifically, FDIC regulation 6500, section 226.12), cardholder liability is limited to $50 for fraudulent purchases. It is inconvenient to have your credit card compromised since your credit card will be shut off and you will need to obtain a new one. This is a downtime of 2-5 days on average.

The corporations that are not protecting the credit card numbers in transit can do more to protect those numbers, of course. They can encrypt the data that is transmitted internally, and they should look to have their wireless network implementations assessed for security concerns.

wireless network poll results!

It has been a little too long since my last post. It is time to start catching up!

First off, in the last posting, I had asked two short questions.
#1, Can multiple wireless networks co-exist in the same room on the same channel? The answer is yes. When a user connects to a wireless network by network name, they are actually connecting to a specific access point by MAC address.

Take a look at figure 1 below, a screen shot from AP-Finder. (Click on the image to enlarge it.)

wireless-net

It shows three APs. Note that the two APs outlined in yellow are on the same channel. They have different network names and, most importantly, different MAC addresses. The different MAC addresses of the APs are the key to how two different wireless networks can peacefully co-exist on the same wireless channel at the same time.

This leads us to the answer for the next question.

#2 Can multiple wireless networks co-exist in the same room on the same channel with the same network (SSID) name? The answer for this one is also yes, as long as each wireless AP has a different MAC address. And every AP will have a different MAC address (unless someone tampers with them; unique MAC addresses are, of course, assigned at the factory when they are manufactured).

A side effect of the fact that two wireless networks can co-exist on the same channel at the same time is that it is possible to monitor wireless communications on multiple networks (as long as they are on the same channel). In fact, it is possible to monitor communications over a wireless network without ever joining the network. In Linux, this can be done by setting the wireless network card into monitor mode.  Sniffing a network in “monitor mode” allows for a passive way to collect wireless communications that is undetectable by the network users/owners.
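The AP-Finder screen shot restated as an added Python example (not the product's code) over constructed scan records: it lists what is heard per channel, shows one SSID served by several BSSIDs, and, from the defender's side, flags a BSSID that advertises a managed SSID without being on an assumed inventory of deployed APs, or a single BSSID that shows up on two channels in the same scan. The records and the authorized list are assumptions made for the example.

```python
from collections import defaultdict

# Constructed scan records standing in for the screen shot: the first two rows are the
# two authorized APs on channel 6, the third a neighbour's network on the same channel,
# the last two an AP using the managed SSID from a MAC nobody on the team issued.
SAMPLE_SCAN = [
    {"ssid": "corpnet", "bssid": "00:11:22:33:44:01", "channel": 6},
    {"ssid": "corpnet", "bssid": "00:11:22:33:44:02", "channel": 6},
    {"ssid": "linksys", "bssid": "00:AA:BB:CC:DD:EE", "channel": 6},
    {"ssid": "corpnet", "bssid": "de:ad:be:ef:00:01", "channel": 11},
    {"ssid": "corpnet", "bssid": "de:ad:be:ef:00:01", "channel": 1},
]

# Assumed inventory: the BSSIDs the organisation actually deployed for each managed SSID.
AUTHORIZED = {"corpnet": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}


def norm(mac):
    """MAC addresses compare case-insensitively; normalise once."""
    return mac.lower()


def networks_on_channel(records, channel):
    """Distinct (ssid, bssid) pairs heard on one channel; the BSSID tells them apart."""
    return sorted({(r["ssid"], norm(r["bssid"])) for r in records if r["channel"] == channel})


def bssids_by_ssid(records):
    """Every BSSID seen advertising each network name."""
    out = defaultdict(set)
    for r in records:
        out[r["ssid"]].add(norm(r["bssid"]))
    return dict(out)


def evil_twin_candidates(records, authorized):
    """BSSIDs advertising a managed SSID that are not in the deployed inventory."""
    hits = []
    for ssid, seen in bssids_by_ssid(records).items():
        if ssid in authorized:
            hits.extend(sorted(seen - {norm(m) for m in authorized[ssid]}))
    return hits


def multi_channel_bssids(records):
    """One BSSID heard on more than one channel in the same scan; a radio transmits on
    one channel at a time, so this points at a cloned or moved address."""
    chans = defaultdict(set)
    for r in records:
        chans[norm(r["bssid"])].add(r["channel"])
    return sorted(m for m, c in chans.items() if len(c) > 1)


if __name__ == "__main__":
    print("channel 6:", networks_on_channel(SAMPLE_SCAN, 6))
    print("per SSID:", bssids_by_ssid(SAMPLE_SCAN))
    print("not in inventory:", evil_twin_candidates(SAMPLE_SCAN, AUTHORIZED))
    print("on two channels:", multi_channel_bssids(SAMPLE_SCAN))
```

Feeding this a periodic scan export and keeping the inventory current is the simplest form of the rogue-AP control the earlier posting discussed: the SSID is what users see, but the BSSID is what you can actually account for.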

Wireless networking poll

I am rolling out a wireless networking poll. (Think of it as a gentle quiz!) I will be asking some simple questions about wireless to help highlight the complexities of wireless interactions.

When you get a moment, please check out the questions and give an answer. I will post the correct answers (along with new questions) soon.

how to do a quick wireless audit

There has been a lot of attention paid to ensuring that rogue access points are not deployed within a corporation, which is understandable. After all, rogue access points, by definition, are deployed without approval of the CIO and/or corporate security organization. In a prior posting, I have discussed methods for identifying and controlling rogues.

Now, let’s look at the users of rogue access points. A significant risk to information security comes from users that use non-approved access points, either rogue access points or hotspots. The access points are merely avenues for potentially insecure communications. The danger happens when these access points are actually used.

What could be the problem with using an unauthorized (rogue) access point or a convenient hotspot? There are three problems that jump to mind:

  1. You might not have permission to use that network. This could lead to embarrassment should it come out that corporate communications are going over someone’s open linksys access point based in their apartment.
  2. The owner of the network could decide to monitor all communications on their network, which might include your conversations.
  3. The wireless network could be so open that anyone could attach to the network and scan all the computers on the local network. This could make it easy to connect to fileshares on any computer attached to the wireless network, for example.

It is entirely possible for a user to connect to an open network accidentally. Here is an example of how that can happen.

When I visit one of my favorite coffee shops, I will connect to their public use wireless network, named “tmobile”. Whenever I go into that coffee shop, my computer will automatically connect to the “tmobile” network. What would happen if that “tmobile” network appeared in the office building? Well, most likely, my computer would automatically connect to the tmobile network, and this could be a problem!

There is an easy way to test your environment and see if you have users that will automatically attach to a wireless network.

  1. Get an inexpensive access point, such as a linksys wrt54g.
  2. Set the network name (also known as the SSID) to linksys.  (other SSIDs to use include tmobile, default, belkin54g and guest.)
  3. Do not connect the WAN port to the corporate network or the Internet. This will ensure that no access point users will connect to the Internet.
  4. Plug the access point in.
  5. After about 2 hours, connect to the wireless network and log in as the administrator. Examine the DHCP log. It is in here that you will find the number of people that attached to the wireless access point along with their computer name.

Using this list, you can help find users that might be susceptible to unknowingly connecting to a rogue access point.

This access point will allow users to connect to the wireless network but will not allow users to use the wireless network for free Internet access.
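Step 5 of the procedure, as an added Python example (not from the post): it parses DHCP lease lines in the dnsmasq.leases layout that many small routers write (an assumption about the access point; the lines are constructed), lists each client once with its hostname and number of leases, and picks out the names that match an assumed corporate naming convention, which is the list of users to follow up with.

```python
import re
from datetime import datetime, timezone

# Constructed lease lines in the dnsmasq.leases layout (assumed for the router):
# expiry-epoch  MAC  IP  hostname  client-id.  One laptop appears twice (lease renewal),
# and one client sent no hostname at all ("*").
SAMPLE_LEASES = """\
1326355200 00:1e:c2:aa:bb:01 192.168.1.101 CORP-LT-0412 01:00:1e:c2:aa:bb:01
1326355260 00:23:12:cc:dd:02 192.168.1.102 CORP-LT-0517 01:00:23:12:cc:dd:02
1326355300 00:26:bb:ee:ff:03 192.168.1.103 iPhone *
1326359000 00:1e:c2:aa:bb:01 192.168.1.101 CORP-LT-0412 01:00:1e:c2:aa:bb:01
1326359100 00:1f:3b:00:11:22 192.168.1.104 * *
"""

# Assumed corporate hostname convention; replace with the real one.
CORP_HOST_RE = re.compile(r"^CORP-", re.IGNORECASE)


def parse_leases(text):
    """One record per lease line; malformed lines are skipped."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue
        leases.append({
            "expires": datetime.fromtimestamp(int(parts[0]), tz=timezone.utc),
            "mac": parts[1].lower(),
            "ip": parts[2],
            "hostname": None if parts[3] == "*" else parts[3],
        })
    return leases


def clients(leases):
    """Collapse leases to one entry per MAC with hostname, lease count and latest expiry."""
    seen = {}
    for lease in leases:
        entry = seen.setdefault(lease["mac"], {"hostname": None, "leases": 0, "last": lease["expires"]})
        entry["leases"] += 1
        entry["last"] = max(entry["last"], lease["expires"])
        if entry["hostname"] is None:
            entry["hostname"] = lease["hostname"]
    return seen


def corporate_clients(leases):
    """MACs whose hostname matches the convention: company machines that auto-joined the test SSID."""
    return sorted(mac for mac, c in clients(leases).items()
                  if c["hostname"] and CORP_HOST_RE.match(c["hostname"]))


if __name__ == "__main__":
    found = parse_leases(SAMPLE_LEASES)
    for mac, c in clients(found).items():
        print(mac, c["hostname"], c["leases"], c["last"].isoformat())
    print("corporate machines to follow up:", corporate_clients(found))
```

Clients that sent no hostname still show up by MAC, so the list is complete even when the naming convention cannot classify every entry; those are worth matching against the asset inventory by MAC instead.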
