Corporate Information Security during Layoffs - What will get stolen

A recent study confirmed the long-known fact: any employee who is being fired will try to steal something from his now ex-employer.

While 20 years ago companies had to worry about stolen petty cash or office supplies, today such items are not the target of the disgruntled ex-employee. Instead, especially in IT companies, the laid-off employee will try to:

  1. steal corporate information or documents
  2. steal confidential data
  3. create some form of flaw in the system that will hurt his ex-employer
  4. all of the above

When dismissing a single employee, one can make provisions so that no damage is done: locking out his accounts, having a security guard present while the desk is cleared, etc.

Performing the same amount of diligence when laying off hundreds or thousands of employees is much more difficult. For example, Nortel announced that they'll be laying off more than 3,200 employees. So while HR departments do the headcount and select the redundant, there will be a window of several days to several weeks for a lot of insecure employees to become instant corporate spies, undercover system vandals, or a combination of both.

Corporations will soon find that the only defense against such employees is the system security and procedures already in place, which must deter any attempt to steal information or assets undetected. And only now will they find out that all the cost cutting on audit systems, data encryption and information protection was not worth the amount saved.

So, what piece of information will get stolen next?

Talkback and comments are most welcome

Dissecting Social Engineering - Free Product Scam

Free stuff is used as a marketing or brand-awareness tool, but it can be used for a much more sinister goal: it can be the tool to collect a significant amount of money via simple social engineering.

The scenario
I get offers for many products by e-mail, which I mostly delete or let the spam filter take care of. But in the past week I got bombarded by several different sources regarding one apparently free product. The sheer amount of e-mails made me read through one of them. It was an announcement for a free distribution of some SEO program.

Just for fun, I clicked on the included link and got to a page in the style of a typical social engineering 'easy money' page. Here is the analysis of such pages.
At the end of the (very long) page I got to the real deal. They need my credit card in order to send me the free program on a DVD:

  • I will be charged just the shipping and handling costs for the program, which are $7 for the US and $10 internationally, and I get free access to the service for a month.
  • I will be billed $100 per month for the SERVICE after the first month. I understand that I can cancel at any time right from within the site or by just logging a ticket at www.SOMEADDRESS.TLD
Wait: if it is a FREE PROGRAM delivered on a DVD with no strings attached, they could just dump it on Rapidshare and let the visitors download it.

Why would they bother with all this shipping? Here is why:

The cost of one DVD, with replication, e-mail advertising (spamming), web site setup and credit card processor charges, comes up to:
  • $2.76 per DVD for delivery in the US
  • $4.54 per DVD for delivery outside the US

So, based on the 'shipping and handling' charges, there is a profit margin on each DVD of:
  • $4.24 per DVD for delivery in the US
  • $5.46 per DVD for delivery outside the US

The DVD needs to have something useful on it: the advertised PROGRAM. It is some program that should improve your Search Engine Optimization and can be whipped up by a programmer within 2 weeks to follow certain logic rules presented in SEO books all over the Internet.
  • Cost for the software - a maximum of $1000; on Rentacoder you get that done for even less.

If 1000 people out of 50,000 e-mails bite the bait, and 1000 DVDs are distributed in the US (low-margin scenario), there is a profit of $3240 before taxes.

But wait, there is more!
All those 1000 people left their credit card info online in order to be charged the 'shipping and handling'. However, the agreement is that by taking this free item, these 1000 people have opted in to a monthly fee of $100 for some online service which is never really explained and can be as simple as a mailing list for 'Valuable SEO Info'. Of course, the user can opt out at any time, but for the moment he is opted in!
So, just as there are people who forget to send in their rebate vouchers, there will be people who forget to opt out of the online service and thus get billed the $100. I would put the percentage of forgetful people at 20%, with 25% of those having a debit card with no funds to be taken. So, out of the original 1000 people who got their wonderful DVD, we arrive at 150 credit cards that will be billed after one month.
So, apart from the initial $3240 before taxes, we get an additional $14925 before taxes.

The analyzed model is not a direct scam for legal purposes, since it delivers a product which is free, and you have been informed of the additional charges that will be incurred after 1 month of usage of the 'service'.
On the other hand, the product promises a MONSTROUS income from Internet sites, which in 99.999% of cases WILL NEVER HAPPEN.
At any rate, be very careful. THERE IS NO SUCH THING AS A FREE LUNCH.

Tutorial - Hidden Operating System with Truecrypt

Starting from version 6, TrueCrypt boasts an interesting function: creation of a hidden operating system. In this article we walk through the process of creating the hidden OS and analyze the possible uses of such a solution.

The concept
The basic idea of the hidden OS is to have two operating systems on the PC:

  • the decoy (the visible one) - an OS that is visible to an outsider and actually contains no sensitive data, so it can be safely opened up to external personnel (investigators, customs officers etc)
  • the outer volume - a container partition where the hidden OS resides. It can contain some decoy confidential files. The idea of the outer volume is to explain the existence of a seemingly unformatted partition, since it can be mounted from within the decoy OS to show the decoy confidential files.
  • the hidden one - non-existent at first glance and created within an encrypted partition, which can hold sensitive data and should not be reported to external personnel.

The process
The process of creating the hidden OS is quite simple but takes time:
  1. Create an outer container for the hidden OS
  2. Create an inner container and image the running OS into the hidden OS
  3. Re-create the visible (decoy) OS
A prerequisite for the process is having an empty partition (it must be the one immediately after the system partition) at least 5% larger than the system partition.

After that, it boils down to following the on-screen instructions and waiting (the encryption and copying can take some time).

The final element of the process is the destruction of the original OS partition; don't worry, it has been entirely copied to the hidden volume. After that comes the only manual part of the process: the user must install the decoy operating system from scratch and encrypt its partition.

Usability of the solution
Apart from proving the concept (it does work without any glitches), how effective is it?
  1. Using a hidden OS with plausible deniability - the entire concept as presented within the TrueCrypt software should enable the user to claim that he has divulged all passwords for all operating systems/partitions on the computer. This is disputable to say the least, since any analysis will show a second partition with seemingly random data on it, which is a nice giveaway that there is something hidden there. In most cases where a person is under investigation, the investigators will press to gain access to any partitions on the computer.
    • This hiding methodology is public, so even if the existence of the hidden OS is not divulged, the investigators can destroy the hidden OS by filling the outer container with dummy files, just to be on the safe side.
  2. Using a hidden OS as a dual-function computer - a much more useful case of the TrueCrypt hidden OS; it can be used to create a mobile computer. The hidden OS should be used for corporate functions. For field use or use in an insecure environment, the decoy OS should be used, which cannot access the encrypted volume and which should not have any corporate or confidential data on it.

Securing an Application Backend - always forgotten

It is a well-known fact that 80% of all attacks come from the inside. But in the world of Web 2.0 and online applications, the back end of the system is usually forgotten.

Let's analyze a common web application design:

  • The web application is designed to be used by a very large number of users, and the users are kept inside the database. The actual web application communicates with the back-end database using a fixed database identity with very high privileges, simply to accommodate every possible function of every user role of the web application.
  • The front end is an advanced web site which can be the target of a significant variety of attacks. Since it is a web app, most companies do an adequate job of closing obvious and less obvious holes on the front end.
  • And yet, once you look behind the isolation layer of the front end, security becomes lax. The same database identity is used for all transactions, and in most cases its password traverses the internal network unencrypted. Also, access to the back end may be relatively easy from within the corporation.

The risk
The risk can be described as "nobody looks at the cab driver". Actually, nobody (or very few companies) thinks about the corporate users who work behind the isolation layer of the front end.

Any person with a corporate role can know or gain access to the back-end identity. This can be achieved by different methods, ranging from simply reading the config file or sniffing the network to social engineering that coerces someone into revealing the identity.

Once the identity is gained, the internal attacker can authenticate as the back end identity and effectively impersonate any front end identity by simulating the proper queries into the database.

In an inside attack, there will always be two attackers:
  • The technical person - one that knows how to write the proper queries
  • The technology person - one that knows how to manipulate the business information within the database as if using the front end interface.

While the single back end identity will probably remain as the solution of choice for all web applications, all providers of such services need to pay special attention to the security of their back end. This security should include:
  1. encryption of internal communication channels, especially between the front end and the back end
  2. physical and network controls that prevent access to the back end even if the back end identity is stolen
  3. independent audit systems which are not controlled by the administrators that control the front end or the back end
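As an added example (not code from the post), here is what the third control, an independent audit, can look like at its simplest: a Python script that reads database audit-log lines and flags the shared back-end identity being used from a host outside the application tier, or issuing statements the web application never needs. The log format, the identity name webapp_svc, the 10.0.1.0/24 application network and the log lines themselves are all constructed for this example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of database audit-log lines (not from any real system).
# Format assumed for this example: "<ts> user=<db identity> src=<client ip> stmt=<sql>"
SAMPLE_LOG = """\
2009-01-12T09:00:01 user=webapp_svc src=10.0.1.10 stmt=SELECT * FROM orders WHERE customer_id=42
2009-01-12T09:00:05 user=webapp_svc src=10.0.1.11 stmt=UPDATE accounts SET balance=balance-10 WHERE id=7
2009-01-12T09:03:44 user=webapp_svc src=10.0.50.23 stmt=SELECT * FROM accounts
2009-01-12T09:04:10 user=webapp_svc src=10.0.1.10 stmt=GRANT ALL ON accounts TO intern
2009-01-12T09:05:00 user=report_ro src=10.0.50.23 stmt=SELECT count(*) FROM orders
"""

# Assumptions for this example: the application tier lives in 10.0.1.0/24 and
# the shared back-end identity is called 'webapp_svc'.
APP_TIER = [ip_network("10.0.1.0/24")]
BACKEND_IDENTITY = "webapp_svc"
# Statements the web application never needs; seeing them under its identity is suspicious.
PRIVILEGED = re.compile(r"^\s*(GRANT|REVOKE|DROP|ALTER|CREATE\s+USER)\b", re.IGNORECASE)

LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) stmt=(?P<stmt>.*)$")


def parse_line(line):
    """Split one audit-log line into its fields, or return None if it does not match the format."""
    m = LINE.match(line)
    return m.groupdict() if m else None


def in_app_tier(src):
    """True when the client address belongs to one of the application-tier networks."""
    addr = ip_address(src)
    return any(addr in net for net in APP_TIER)


def find_alerts(log_text):
    """Return (timestamp, reason) for each line that misuses the back-end identity."""
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["user"] != BACKEND_IDENTITY:
            continue  # other identities are audited elsewhere; only the shared one matters here
        if not in_app_tier(rec["src"]):
            alerts.append((rec["ts"], "backend identity used from non-app host " + rec["src"]))
        if PRIVILEGED.match(rec["stmt"]):
            alerts.append((rec["ts"], "privileged statement under backend identity: " + rec["stmt"]))
    return alerts


if __name__ == "__main__":
    for ts, reason in find_alerts(SAMPLE_LOG):
        print(ts, reason)
```

The point of keeping this script, and the log it reads, away from the front-end and back-end administrators is exactly the independence the post asks for: whoever holds the back-end identity cannot quietly switch the check off.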

Choosing a System Integrator - Follow the money

There are several aspects to choosing a good system integrator for your next corporate solution. Evaluators look at:

  • number of experts
  • references
  • prior work
  • years in the field
  • price of solution
But the most overlooked and very important criterion is the financial strength of an integrator.

While this may not seem relevant at first glance, let's review the following scenario:

  1. A corporation orders a large server and storage system, in the price range of several million dollars. Naturally, payment is mostly upon delivery, with a meager 30% upon contract signing.
  2. The integrator orders the solution from the manufacturer, pays for the transport logistics and insurance, and of course receives an invoice from the manufacturer, to be paid within 30 days.
  3. The corporation delays the implementation of the system by 2 months due to internal reorganization. To compensate, they agree to pay another 30% of the contract price to the integrator.
  4. At this point, the integrator has received 60% of the contract price and needs to settle its invoice with the manufacturer. Additionally, the integrator needs to cover storage and insurance expenses for the customer. In the cutthroat business of IT integration and RFPs, no integrator works with a total margin of more than 15%-20%.
  5. Therefore, the integrator will be in debt once it settles the manufacturer's invoice.
If the integrator does not have the financial backing to survive such a situation, it will go broke in a hurry.

The customer will be left with a heap of non-functional hardware, and since it must use the purchased hardware, the next integrator called in to fix things will be in a position to dictate the price.

Apart from choosing an integrator with good experts, which is a must, do not forget to verify that the integrator has the financial strength to carry the burden of the project, with all its possible problems.

BackTrack 4 Penetration Test Distro - First Glance

Remote Exploit has just published the beta of the BackTrack 4 Penetration Testing Live CD.

While the distro looks the same at first glance, it has had a major overhaul under the hood.
BackTrack is moving away from SLAX, and this version is based on Ubuntu 8.10.
The BackTrack toolset has matured and is full of useful tools, organized in a meaningful way.

What is still missing from this distro is some functionality that was available in the past, some refinement, and better hardware support for wireless drivers:

First off, the drivers
Although a lot of wireless drivers are supported (tested with 3 different Intel chips and one Atheros (Cisco)), there is still a very serious issue with Broadcom drivers. The live CD comes loaded with the b43 driver, but it has a lot of issues with the newer Broadcom boards. Unfortunately, the Broadcom STA drivers are not included, and since it's a live CD, there is very little point in downloading and compiling something that will run only for that session. I am thinking of compiling the drivers and keeping the compiled binaries on a USB stick.

Secondly, the missing link
There is currently no easy way to install BackTrack 4 on a physical computer so that we can further modify it and include additional elements. Apart from adding new drivers, I would like to include several tools, like Nessus, which can be downloaded and installed legally by the end user but not redistributed by Remote Exploit.

Thirdly, the refinement
The audio subsystem of BackTrack is active by default and set to full volume. Upon starting KDE, you are welcomed with a very loud "FINISH HIM!" (probably taken from Mortal Kombat). Also, several tools produce a lot of sound effects (Kismet, for instance), which is distracting for the user and also invites curious eyes to your activities. I would suggest that the audio be left deactivated by default, and the user should activate it if and when he chooses.

The BackTrack distro is maturing and becoming the de facto penetration testing toolset. There is still work to be done until the final release of BackTrack 4, but we are all rooting for Remote Exploit.

You can download the BackTrack 4 Live CD here. Please be patient, the servers tend to go down, probably because of the load.

Security Information Gathering - Brief Example

When embarking on a security evaluation, the first stop for security information gathering is the Internet. Merely connecting to the target's public servers and DNS yields a wealth of information.
So here is an example of what can be learned in a couple of minutes of checking a company domain from its public servers, while NOT DOING ANYTHING ILLEGAL.

  • Domain Name Servers (DNS) - Name servers are the first target of every information-gathering exercise. Once you know the domain name of a company, you should check its DNS. Here is what it will give you:
    • The DNS server provider - by checking who owns the IP you'll know whether the DNS is hosted in-house or outsourced. If it's in-house, such a DNS server can be a prime target for inbound attacks, and such servers are less secure simply because the internal IT department is torn between administering all kinds of stuff.
    • The level of isolation of zone transfers - A zone transfer is a completely legitimate function of a DNS server which is used to feed domain information from the primary server to the secondary servers. If it's open to any outsider, he/she can collect a list of all hosts registered in the domain as possible attack targets. Most zone transfer attempts will fail, but even the way they fail gives excellent information:
      • Failed with message REFUSED or NOAUTH - you can communicate with the server on the appropriate port (TCP 53), but zone transfer is not allowed. Even so, you can try to attack the server via TCP SYN flood on that port
      • Failed with message connection failed - you can't connect to the appropriate port; forget about zone transfers and TCP SYN flood
  • Mail Exchanger (MX) - Mail exchangers are mail servers specifically dedicated to receiving e-mail for the target company domain. They usually are not the main corporate mail servers, but information from them can be useful to understand what types of adversaries are on the other side if you choose an e-mail vector of attack. Here is the summary of info from the MX:
    • Mail server provider - by checking who owns the IP you'll know whether the MX is hosted in-house or outsourced. If it's in-house, such an MX server can be a good target for inbound attacks.
    • Mail server banner - the default banner, unless modified, gives information about the server software, so you'll know what you're up against and can search for known vulnerabilities.
  • Web server - the same elements that apply to MX apply here, so we won't repeat them.
  • Typical server names - while the generic servers are in scope for the security administrators and usually well secured, a company can have any number of registered servers for testing or internal use. These servers are in most cases excellent targets for attack, since they are usually 'temporary' and not covered by corporate policies. These server names can include 'www1', 'test', 'dc', 'gc', 'domain', 'mail', 'pop' and the like.
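To turn the zone-transfer check above into a repeatable self-audit of your own name servers, here is an added example in Python (not a tool from the post, and not the author's program). It sends a raw AXFR request over TCP 53 using only the standard library and reports whether the server answered with records (transfer allowed), refused (RCODE REFUSED, or NOTAUTH, which the post calls NOAUTH), or could not be reached at all. The server and zone are whatever you pass on the command line; the transaction id 0x1234 is an arbitrary constant chosen for this example.

```python
import socket
import struct

# QTYPE AXFR and QCLASS IN per RFC 1035; RCODE names per RFC 1035 and RFC 2136.
QTYPE_AXFR, QCLASS_IN = 252, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def build_axfr_query(zone, txid=0x1234):
    """Build a raw DNS AXFR query message for the zone (without the TCP length prefix)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)   # flags 0: plain query, one question
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


def classify_response(msg):
    """Map the first DNS message the server returns to a verdict string."""
    if len(msg) < 12:
        return "MALFORMED"
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    if rcode == 0 and ancount > 0:
        return "OPEN"            # records came back: the server hands out the whole zone
    return RCODES.get(rcode, "RCODE%d" % rcode)


def check_zone_transfer(server, zone, timeout=5.0):
    """Attempt an AXFR over TCP/53; returns OPEN, REFUSED, NOTAUTH, ... or CONNECTION-FAILED."""
    query = build_axfr_query(zone)
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)   # DNS over TCP is length-prefixed
            prefix = s.recv(2)
            if len(prefix) < 2:
                return "NO-RESPONSE"
            (length,) = struct.unpack("!H", prefix)
            msg = b""
            while len(msg) < length:
                chunk = s.recv(length - len(msg))
                if not chunk:
                    break
                msg += chunk
            return classify_response(msg)
    except OSError:              # includes socket.timeout and connection refused
        return "CONNECTION-FAILED"


if __name__ == "__main__":
    import sys
    server, zone = sys.argv[1], sys.argv[2]   # your own name server and zone
    print(server, zone, check_zone_transfer(server, zone))
```

Run it against each of your authoritative servers from an outside address; the only acceptable verdicts for a public server are REFUSED, NOTAUTH or CONNECTION-FAILED, and OPEN means the full host list of the domain is available to anyone who asks.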

Tools of the trade
There are a lot of tools that can help you with information gathering. I have written a small program that will get you started. Here is a screenshot

Also, to check who owns an IP address, you should make good use of the whois services of the Internet registries like RIPE, APNIC, AfriNIC, ARIN and LACNIC.

Cracking a TrueCrypt Container

This week I tried to open an old TrueCrypt container. It turned out that I had forgotten the password. So I ventured into the realm of cracking the TrueCrypt container. Here are my experiences.

The problem
I have a TrueCrypt container in which I hold my personal documents. The container was created with TrueCrypt 6.1a. Since I hadn't been using the documents for a while, the password slipped from my mind. In a moment of desperation I tried to crack the password.

The preparation
To automate the process, I used the true.crypt.brute tool, version 1.9b. It is a very straightforward tool to use, but it has one drawback: it tries to crack based only on a pregenerated wordlist. That means that you need to generate your list of possible passwords and let it rip.
First, I created a simple encrypted volume with a 2-character password to check the software.

It went through 819 passwords within 45 seconds and recovered the password. This would mean that the brute-force crack would run through around 64800 passwords per hour.

For a wordlist generator I used the old but excellent WG.

First attempt and disappointment
If the password was between 2 and 4 characters long and contained only uppercase and lowercase letters and numbers, that means that you have 6,377,500 passwords to go through. The worst-case scenario for a 4-character password is a brute-force crack of 98 hours (4 days).

But there is no 4-character password in a serious TrueCrypt container, especially mine.

Second attempt and disappointment
As luck was on my side, I was fairly certain of what the password was; only I couldn't tell which letters I had used in uppercase or lowercase and which numbers I had added.
So I created a custom wordlist which included only the 13 letters contained in my password, and I set the password size between 16 and 18. I stopped the password generation at 33 million passwords. If I ran only those passwords, it would take me 21 days to go through them, and that's not a complete list!!!

A final attempt
As a final scenario I prepended the first part of the password, of which I was certain, and left only 7 letters and 10 numbers to be padded. I distributed the workload over 4 machines and cracked the password in 4 days.

A generic brute-force attack on any target, including a TrueCrypt volume, is extremely difficult to achieve, since the time needed to try the passwords is very long. The only logical approach is to perform the 'due diligence' of knowing the partial password before attacking the TrueCrypt volume.
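The arithmetic in this post generalises to a keyspace formula: the number of candidates of length min to max over an alphabet of A symbols is the sum of A^n over those lengths, and the time to exhaust it is that count divided by the guessing rate (50^2 + 50^3 + 50^4 is exactly the post's 6,377,500). The following added example is mine, not the author's tool: it reproduces the post's figures from the measured 64,800 guesses per hour and lets you see why that rate is so low. TrueCrypt derives the header key with PBKDF2, so every guess costs an iterated hash; the 1000 iterations used below are an illustrative assumption, not TrueCrypt's actual parameter, and the measured rate depends on your machine.

```python
import hashlib
import time


def keyspace(alphabet_size, min_len, max_len):
    """Number of candidate passwords of length min_len..max_len over an alphabet of the given size."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def hours_to_exhaust(candidates, guesses_per_hour):
    """Worst-case time to try every candidate at a fixed guessing rate."""
    return candidates / guesses_per_hour


def measure_kdf_rate(seconds=1.0, iterations=1000):
    """Guesses per hour one core can test when each guess costs one PBKDF2-HMAC-SHA512 derivation.

    The iteration count is an assumption for illustration, not TrueCrypt's actual setting;
    the salt is a constructed constant since only the cost per guess matters here."""
    salt = b"\x00" * 64
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hashlib.pbkdf2_hmac("sha512", b"candidate%d" % n, salt, iterations, 64)
        n += 1
    return n / (time.perf_counter() - start) * 3600


if __name__ == "__main__":
    # The post's figures: 50-symbol alphabet, lengths 2 to 4, 64,800 guesses per hour.
    small = keyspace(50, 2, 4)
    print("2-4 chars over 50 symbols:", small, "candidates,",
          round(hours_to_exhaust(small, 64800), 1), "hours")
    # The post's second attempt: 13 symbols, lengths 16 to 18, at the same rate.
    long_pw = keyspace(13, 16, 18)
    print("16-18 chars over 13 symbols:", long_pw, "candidates,",
          round(hours_to_exhaust(long_pw, 64800) / 24 / 365), "years")
    # What a single core manages when every guess pays the KDF cost on this machine.
    print("measured rate with PBKDF2 (1000 iterations):", round(measure_kdf_rate()), "guesses/hour")
```

The second print shows the post's lesson from the other side: even a small alphabet becomes unreachable once the length is in the high teens, which is why the author only succeeded after fixing most of the password and leaving a handful of characters to pad.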

Reduce Risks in Projects with 'Deal Breakers'

Most projects fail due to a manager's ambition or pressure to complete on time. This leads to significant errors.

Here are two examples from opposite ends of the spectrum:

  • I have been witness to a very large and very risky project, which was initiated with nearly no regard for the risks involved. The project was completed successfully, but only through the titanic effort and dedication of the project team.
  • Only 2 weeks later, I witnessed a project which had major issues with coordination, communication and breached deadlines, but still went ahead. Sadly, the project finished with a major issue, mostly because of project staff fatigue which led to human error.
These two examples show that one must always be prepared to implement proper boundary conditions to ensure proper risk management.

You should ALWAYS be prepared with an answer to the following question:
  • What is the 'deal breaker' of the implementation? Under which conditions should we abort and re-plan?
The answer to this question should not be just any obstacle. Whatever the answer is, it should be related to:
  • Risk to business continuity
  • Risk of impact to core business operation
  • Risk of major personnel harm
