Stratum Security Blog

 We have a new post over at the ThreatSim Blog “Fighting The Advanced Attacker: 9 Security Controls You Should Add To Your Network Right Now“. It is a list of 9 things that everyone should be doing with their existing devices, infrastructure and network. Other than a lot of hard drive space (heh) the recommendations don’t cost much.

Stratum is conducting an anonymous survey to see what kinds of egress network security controls are in use within the enterprise. These are controls that would detect or prevent the exfiltration of sensitive data. We have already compiled a significant data set from our own customers. Please take a moment to complete the poll below. The results will be presented at this month’s ISSA Meeting in Tampa Bay, FL as well as here on our blog. Thanks!

Stratum is proud to be sponsoring the first OWASP Tampa Day this Monday, June 20th. The free event will feature presentations aimed at providing developers and Information Security professionals with an introduction to application security. The event features 4 presentations from application security experts and ‘sold-out’ in less than 48 hours with 76 registered attendees. You can visit the event’s Eventbrite page for more information.

Stratum’s own Trevor Hawthorn will be presenting PCI for Developers: Lessons from the Real World,

Any organization that stores, processes, or transmits credit card data must comply with the Payment Card Industry’s (PCI) Data Security Standards (DSS). PCI can be daunting even for compliance and security experts. If you are a developer, it can be a major headache. Sooner or later the day will come when you (or your developers) will need to integrate PCI into your Software Development Lifecycle (SDLC). During this talk Trevor will discuss what is required to meet PCI compliance, and examine how a wide variety of organizations tackle their compliance obligations.

Stratum is also a sponsor of the OWASP Tampa chapter.

We are finally able to share something exciting that Stratum has been working on for the past several months.

If you look at recent data breaches– the kind where the attackers are inside the network hanging out and shipping sensitive data out of the network– you will find two things in common: spear phishing is how they got in and some form of data exfiltration is how they got out. Read Mandiant’s M-Trends report or the Verizon Data Breach Reports; it’s all discussed in-depth. Attackers are exploiting user endpoints to get right to the heart of the network. Why mess around with finding a perimeter vulnerability (sure they still exist) when you can own something in the soft chewy center of a network with access to almost everything? While this represents a major, actively exploited attack vector, the industry does not have a comprehensive, repeatable and scaleable solution to test organizations’ susceptibility to these attacks. Until now.

Today we are announcing our new Security-as-a-Service (SaaS) offering:

ThreatSim allows customers to easily run their own advanced attacker simulation campaigns that tests users, user end point devices, network security controls, 3rd party security solutions and incident response plans. ThreatSim answers three critical questions that all organizations should be asking right now:

1. How can attackers get in?
2. How do attackers get my data out?
3. What can we do to prevent it?

The ThreatSim website, www.threatsim.com, has more details on our new service, including how to sign up to be a beta customer. We will provide more updates here on our blog and via our ThreatSim twitter account, @threatsim. For inquires please email us at info@stratumsecurity.com or fill out the Request A Demo page on the ThreatSim website.

Starting with my first ever foray into PCI compliance, I have consistently encountered many clients (and even more potential clients) who have struggled with understanding their PCI requirements. While this may seem like a relatively easy task based on the information provided by the card brands, it is my experience that to those who’ve never dealt with PCI before (and even those who deal with it on a casual basis), it can be a daunting task.

Flashback to a couple of months back: Trevor and I were discussing a prospective client with this exact issue when we came up with the idea of developing a website that asked simple questions and provided clear answers. Many discussions followed, a majority of which were with current and prospective PCI clients. We found that even seasoned PCI compliance professionals thought this was a “no-brainer.”

Today Stratum is happy to announce the culmination of all of our talking, skype-ing, and coding with the launch of www.whatlevelami.com – a site that aims to be a quick online tool aimed at helping visitors easily and quickly identify their PCI requirements. While the site doesn’t cover every potential entity involved in PCI, it covers PCI Merchants and Service Providers. We’ve tried to make the site as simple as possible, using JavaScript and CSS to do most of the work. We’ve even gone as far as providing definitions for terms unfamiliar to those outside PCI (they’re underlined…simply mouse-over them and the definition will appear).

We would love to hear your feedback on the site, and would of course appreciate you spreading the word about its existence. Enjoy!

WFTS posted the video of the Smartphone Security piece that aired last night. You can watch the video below.

Yes, that was my wife sending me the rigged SMS message. Thanks Honey!

In all seriousness, the exploit used in the video utilized the Webkit Floating Point Datatype Remote Code Execution Vulnerability (CVE-2010-1807). I used MJ’s exploit code to compromise a stock Verizon Motorola Droid (A855) running Android Eclair (2.1). The exploit code was about 33% reliable, but I found running it against an Eclair Emulator to be far more reliable (~80%).

You can watch a full length video of the exploit demo below. I had put this together to show Michael George of WFTS how an attack might work. This was against an emulated Motorola Droid (A855) running Eclair (2.1).

If you have any questions about either of the videos, or smartphone security, please post them in the comments below. Also, make sure you read the previous posts on our blog regarding smartphone security:

• WFTS ABC Action News Smartphone Security Piece
• The New World of SmartPhone Security

Today I was interviewed by Michael George of Tampa’s WFTS ABC Action News. He was interested in doing a piece on smartphone security; specifically what are the threats, how attacks occur, and what (if anything) users can do to protect themselves. Michael had a very good understanding of the current state of smartphone security: “Don’t run for the hills yet, but soon it will be just as messy as your home computer.”

I figured it was appropriate to cover my talking points on this blog post, so that others can reference the materials, and hopefully we can start a great dialogue in the comments on how to best tackle smartphone security. I will post an update with a link to the story once it airs (Anticipated 11PM on 1/7/11).

Why should people care about smartphone security?

The mobile phone is arguably the most personal technology device that we own. People have a real relationship with the phone, the data it holds and what they do with it. There are three primary reasons why people should care about smartphone security:

1. Protecting the integrity of the device so that you continue doing what you want to do on your phone (texting, surfing, shopping, calling, etc.) without the threat of information being made public.
2. Securing the data on the device so that if it is lost, someone else cannot retrieve all of your data, such as passwords, emails, pictures, etc.
3. Safeguarding the device itself so that you don’t have to buy a new one if you lose it.

What are the risks associated with using a smartphone?

Generally speaking, the risks of using a smartphone are similar to those of using your home computer. Specifically, the following personal data may be compromised by poor smartphone security:

• Personal data (phone #s, email addresses, photos, etc.)
• Account credentials (Facebook, Twitter, Bank of America)
• Ability to use your device

GPS location data is unique to smartphones when compared to desktops and most laptops. This data can also be at risk if your phone was to be compromised by an attacker or rogue application.

How are smartphones attacked?

Much like how the risks of using a smartphone are similar to those of using your home computer, so are the ways in which smartphones are attacked. The following are examples of how smartphones are targeted by attackers:

1. Trojans such as Gemini, which emerged in China, sends personal data from a user’s smartphone to remote servers. It can also potentially turn your phone into a zombie controlled by the attacker. Trojans are traditionally attacked to legitimate software (sometimes unknowingly) and are equitable to computer viruses.
2. Rogue applications are applications that are supposed to be one thing, such as a game, but also include code that performs other actions. The TapSnake android game not only entertained its users, but also tracked their GPS locations every 15 minutes and allowed other people to pay to view this information.
3. By “hacking” your own phone, you can actually make it less secure. “Jail-breaking” or “rooting” your phone can leave you exposed to hackers. For example, rooting the iPhone enables remote access via SSH and the default root password is commonly known. The iBontNet.A worm used this insecure configuration to steal online banking credentials from ING Direct account holders. Also a Dutch hacker in 2009 held “jailbroken” iPhones for ransom by charging €5 to provide instructions on how to secure the affected phones and remove the “hacked” wallpaper

What can you do to help secure your smartphone?

Following the checklist below will go a long way in helping to secure your smartphone. However, realize that no smartphone is 100% secure, and always practice caution when installing applications, visiting websites, or clicking on links.

• Only install applications from trusted sources, like Apple’s AppStore or Google’s Android Market
• Review the permissions that applications ask for, and when they don’t seem right, do some research online before installing
• Install a security suite such as Lookout Mobile (Android, BlackBerry, Win7) or Trend Micro for iPhone that looks for malicious applications and/or websites
• Install updates for applications and firmware
• Don’t click on links from unsolicited emails or text messages
• Set a strong password for your phone
• Install a remote location identification application like Lookout Mobile or MobileMe so that you can locate and/or wipe your lost phone

More Information

For more information on smartphone security, you can watch Trevor’s ShmooCon 2010 presentation entitled, The New World of SmartPhone Security.

On Sunday, November 14, 2010 the Dallas Cowboys defeated the New York Giants 33-20. Fans of the NFL had a number of reasons to watch this game; a historically bitter NFC East rivalry, the Cowboys’ new coach Jason Garrett testing his coaching prowess against a strong opponent, or simply wanting to catch a glimpse of the Giants’ new $1.6 billion New Meadowlands stadium. I personally was watching the game, or at least as much that was covered by the NFL’s RedZone channel.

You might be asking yourself why I am talking about a sports event on an Information Security blog. Well for those of you who don’t know, the New Meadowlands stadium, filled with 80,851 fans, completely lost power during the 3rd quarter of the game. The complete outage lasted only 5-6 seconds, but for someone with a Smart Grid security background, the first thing I thought was terrorism. Thankfully this was not the case, and there are no indications of such; rather a New Jersey Sports and Exposition Authority transformer failure caused the outage.

Power Outage at the New Meadowlands

What concerns me is that while the stadium was able to restore power from the total blackout in a timely manner, the outage itself may have provided terrorists with a previously unidentified target: large stadiums filled with Americans. I have read about sporting events being the target of terrorist attacks before, but not when the power (or lack their of) was the target. Imagine the chaos that would have ensued if the stadium was without power for several minutes or hours. Several of the NFL players that night voiced similar concerns.

• The Giant’s star Justin Tuck commented that, “You start worrying about is your family all right.”

As I was watching the situation unfold on the RedZone channel, Fox’s Joe Buck, Troy Aikman, and Pam Oliver (who were covering the game) made the following observations:

• Troy Aikman – “They didn’t know what was going on nor did anyone else. But they hit the ground. A number of those guys did.”
• Pam Oliver – Described the scene as “organized chaos” and “extremely scary” when the lights went out.

Interestingly, when Buck and Aikman were describing the scene at the New Meadowlands, they failed to mention that during the blackout, fire alarms also sounded. They did mention that an announcement came over the PA system telling fans to remain in their seats and to stay tuned for evacuation instructions, if necessary.

Fortunately, no major incidents occurred as a result of the power outage. However, I hope that those responsible for securing the New Meadowlands, and all public venues, use this as an opportunity to better understand their own weaknesses and how they may now have an additional threat from terrorists; power outages.

Attacks like this are covered in my book, Securing the Smart Grid. Syngress has made part of the chapter covering threats like these, entitled “Threats and Impacts: Utility Companies and Beyond,” available here. It is unfortunate that situations like these are sometimes necessary to identify “unknown, unknowns” to our national security.

Linux ec2 2.6.32-309-ec2 #18-Ubuntu SMP Mon Oct 18 21:00:50 UTC 2010 x86_64 GNU/Linux
Ubuntu 10.04.1 LTS

Welcome to Ubuntu!
* Documentation: https://help.ubuntu.com/

System information as of Fri Dec 3 00:40:20 UTC 2010

System load: 0.0 Processes: 60
Usage of /: 6.2% of 14.76GB Users logged in: 1
Memory usage: 6% IP address for eth0: 10.XX.XX.XX
Swap usage: 0% IP address for tun0: 10.X.XX.X

Graph this data and manage this system at https://landscape.canonical.com/
———————————————————————
At the moment, only the core of the system is installed. To tune the
system to your needs, you can choose to install one or more
predefined collections of software by running the following
command:

sudo tasksel –section server
———————————————————————

14 packages can be updated.
4 updates are security updates.

Last login: Thu Dec 2 23:22:38 2010 from pool-XX-XX-XX-X.domain.net

Nikto (http://cirt.net/nikto2)  is an Open Source web scanner that checks for several different types of vulnerabilities, including:

• Over 6400 potentially dangerous files/CGIs
• Outdated versions of over 1000 servers
• Version specific problems for over 270 servers

Nikto was developed by a friend of mine, Chris Sullo (@chrissullo) and now is maintained by Sullo and David Lodge. Version 2.1.3 was released in February of this year after getting back from a lengthy tour of european pubs, or so I am told.

I personally still use Nikto on all of my assessments, as it provides a good supplement to other automated scanning tools. To help automate the process of scanning hundreds of web servers, I wrote a simple python script that takes a specially formatted host file (ip address or  hostname,port) and runs Nikto continuously against them. doNikto generates separate HTML output files for each line in the host file (Nikto_IP/Hostname_Port.html) in the current directory.

To get doNikto running on your system, simply make sure you have Python installed on your system. Snow Leopard and Ubuntu users, you’re good. Windows users, check out http://python.org. I recommend installing the latest release of Python 2 (currently 2.6.6).

Once you have Python installed, and of course Nikto, download doNikto.py here and install it in same directory as nikto.pl. You can invoke doNikto by simply typing;

python doNikto.py

or you can type:

chmod +x doNikto.py

and call it via

./doNikto.py

Once you have doNikto all setup, it is pretty straight forward to use:

Old-Trafford:nikto-2.1.3 jmorehouse$ ./doNikto.py

USAGE:

python donikto.py [Host File]

Host file should be in IP,Port format, with one host per line.

(e.g. 192.168.1.1,80)

So a sample host file would look something like:

192.168.1.1,80

some.webserver.com,443

forgotten.tomcatserver.org,8080

Finally, you can ctrl-break (ctrl+c) doNikto to skip hung servers and proceed to the next server in the host file.

That’s all there is. Pretty straightforward and something I find useful on a regular basis. Let me know if you have any issues or suggestions and enjoy!