Malware Prevention Tip

This was first posted by me on LinkedIn.

In Microsoft Windows environments blocking executibles from running in a user profile (c:/Users/*) can provide another layer of protection against malware that launches from user space. This will likely require tuning because some legitimate applications and updates decompress and launch executibles from within the User profile and could get blocked. To get started with blocking executibles see the links below for details on Software Restriction Policies and AppLocker. If you do implement this, please do testing first. Do not just edit the Group Policy for your whole domain and push it without extensive testing. It is free if you have at least professional versions of Windows. AppLocker may require Enterprise licenses.

Software Restriction Policies
https://technet.microsoft.com/en-us/library/bb457006.aspx 

AppLocker

https://technet.microsoft.com/en-us/library/dd759117%28v=ws.11%29.aspx

 

I have seen this be effective in the real world and it was discussed recently on the Brakeing Down Security podcast.

PFsense Gets Big GUI Update

PFsense recently released version 2.3 and the graphical user interface (GUI) has been updated to a much more modern look. It blew me away when I logged in after the update. The release notes give more details, but it looks like the key points are the GUI update and changes that allow easier updates. There are some additions and subtractions of available packages as well. Check it out.

https://pfsense.org/download/

Nmap Scripting

Did you know that Nmap has a scripting language and can do things such as enumerating details on WordPress sites like usernames and installed plugins, check for vulnerabilities or do brute forcing? On the Security Weekly podcast episode 457 they brought up Nmap scripting and the fact that a ton of scripts come included with Nmap. I had no clue. On OSX the scripts directory for Nmap is located here /usr/local/share/nmap/scripts If you use another OS just do a search for *.nse and you will find the scripts directory.

Nmap script usage:

nmap --script <script name> <target>

Example of a script that enumerates visible folders and files on a web server:

nmap --script http-enum google.com

 

http://wiki.securityweekly.com/wiki/index.php/Episode457

https://nmap.org/book/nse-usage.html

 

Evil Encryption?

Encryption has been all over the news lately with the big fight between Apple and the FBI. Punches are flying left and right, but what is really going on? An unfortunate part of this debate has been that many of the people discussing it have little knowledge of how encryption works. They just feel that the FBI or police should be able to access the data held inside a terrorist’s work phone. In many situations, granting law enforcement access makes sense, but encryption is different than a locked house or a safe in the basement. The goal of this article is to discuss the FBI v. Apple case, the state of encryption and why encryption doesn’t mean “going dark”.

First, let’s look at the legal side of the FBI v. Apple case. In the United States, search warrants and subpoenas are used everyday to retrieve evidence for court cases. Search warrants give authorities the legal right to search and retrieve evidence from an individual or property. To obtain a search warrant, law enforcement must present a judge with a convincing reason that a search for, or retrieval of, specific evidence is necessary. Another legal instrument used to obtain items like testimony from someone is a subpoena. For instance, if you witness a bank robbery, a subpoena might be issued that compels you to appear in court and describe what you saw. Both a search warrant and subpoena are similar in that they are used to obtain access to something that exists. This is where the Apple case is different.

The FBI did not issue a standard search warrant or subpoena to request the suspect’s Personal Identification Number (PIN). Apple does not store anyone’s passcodes, so that is not something that they can provide. What the FBI has done is use something called the “All Writs Act of 1789”. The Act can be read as allowing a judge to grant whatever is deemed necessary to help in solving a case. A judge used the All Writs Act to issue a demand that Apple create a weakened version of their operating system to assist the FBI in accessing a terrorist’s work phone. Most people have heard of a search warrant and a subpoena. That is because they are used thousands of times each day around the United States. That is not the case with the “All Writs Act”, which is used much less often. Not only is the All Writs Act used less often, in the FBI v. Apple case it is being used in a way that would be similar to a judge requiring a bulletproof vest manufacturer to create ammunition that can pierce their vest. Despite the fact that the bulletproof vest manufacturer does not want to provide such ammunition as a product. Apple was being demanded to weaken the security of one of their products, which goes against the company’s mission and goals. Asking Apple to create something that does not exist is what sets this case apart from a legal perspective.

How encryption works also makes this debate different than others. The FBI initially could not unlock the phone in question because it was encrypted and they did not know the PIN. Not even Apple knew the PIN. This is different than a safe. If the FBI wants access to a safe and does not know the combination, they could have the safe pried open, cut through, cracked by a specialist, blown open and so on. Encryption is different because the only way to open something that is properly encrypted is with the key. The reason encryption is used is that it protects data by making it appear like a jumble of nothing to those who don’t have the key. When the correct key is supplied to the encryption software the data is made readable. If you do not know the key, you can try to guess it. Guessing could take minutes with a short simple password, or it could take hundreds of years if the password is sufficiently long and complex. iPhones can be setup to use a short 6 digit PIN, which provides access to the encryption key. Normally a 6 digit PIN would not be good protection. Apple makes the short PIN stronger by slowing the speed guesses can be made and optionally destroying the key after too many bad guesses. Without those security features a 6 digit PIN would not provide good security. As it turns out, there was a weakness in those security features. That was proven when the FBI gained access to the iPhone. Weaknesses like the one the FBI found are exactly what they want and they would prefer they were provided by design. Weak security makes is much easier to decrypt any phone.

If something is keeping the FBI out of a terrorist’s phone you may wonder if it is really that important. Whether you know it or not, most of us are constantly using encryption and it keeps us safe. Two of the primary items that encryption protects are authentication and data. When you connect to a banking website, the communication between you and the bank is encrypted. That means that when you enter your password to authenticate yourself with the bank nobody can listen in and grab it. There are also a variety of ways encryption protects our data. One way encryption protects data is when one of our devices is lost or stolen. If the lost/stolen device is not encrypted, it is trivial to access the data within it. Unfortunately we are not back in the 1990s or early 2000s. Back when phones only contained a contact list and call log. Phones now contain a great deal of sensitive information. They store things like schedules, home addresses, GPS location data, banking apps, company email, cloud storage apps, credit card info, pictures and videos of our kids, access to our home’s security cameras and maybe even a digital key that can unlock our house or car. On all iPhones, and optionally on most Android phones, encryption protects that information. Most people do not want to be victims of a crime, so using encryption as a protection makes sense. We do things like lock our homes when we are out or asleep, use an alarm system, carry pepper spray, use firewalls and other technology to protect ourselves and so on. Encryption is needed because it protects sensitive data and communications from criminals.

What if we did not protect ourselves and companies with encryption? In the digital world not using encryption is like driving a brand new BMW into the worst part of town. Then getting out and leaving it unlocked with the keys in the ignition, windows down and a duffle bag full of cash in the backseat. With no encryption, the password you use to log into a device does not make it any harder for someone with physical access to look at the data within it. I can pop an unencrypted hard drive out of a laptop in a couple of minutes and use an adapter to plug it into another laptop where I then have access to all of the non-encrypted files. If the laptop’s hard drive was encrypted, I would only have access to what looks like jumbled randomness. Banking online without encryption would make fraud so easy, banks would have to stop offering online services. Email accounts would be constantly breached and used to send out spam exponentially more than they already are. Companies and governments would not be able to protect sensitive information that is stored in a digital format. Anywhere that that takes credit card payments and processes them over a network, or the Internet (Most large retailers and increasingly more and more smaller stores) would have even larger numbers of credit card theft and fraud than they already do. I could go on and on. The idea is that without encryption we would be forced to move backward and go non-digital with anything important.

With so many smart people in Silicon Valley there must be another option! What about encryption where there are two keys that can unlock the data? One that the government or a company like Apple holds, and one that the customer holds. If the FBI needs access, then they get a search warrant and are provided the key. That doesn’t sound like a terrible idea. Technically it is possible to create two keys for every device, but simply creating two keys is not enough. The keys need to be protected and a key vault at Apple or anywhere else would be a big target. Protecting the keys would be incredibly expensive and no one can fully guarantee their safety. Why can’t the safety be guaranteed? Most government agencies and private companies have proven time and time again that they are not good at protecting themselves from electronic attacks. Frequently large organizations with tremendous resources can’t keep things like detailed background checks of CIA operatives safe (Office of Personnel Management breach), credit card transactions secure (Target, Home Depot, …) and so on. Heck, even the “impossible to crack by the FBI” iPhone was broken into without the help of Apple. Security in the digital age is not easy. It only takes one small mistake to create a major hole and that is all the bad guys need. Total digital security cannot be guaranteed because it sadly does not exist.

Speaking of bad guys, the largest and most convincing argument against the use of encryption is because it helps criminals and terrorists commit crimes. Nobody is just dying to be blown up or shot by ISIL. So why not just make encryption illegal? Murder, bombs and suicide vests are all illegal, but that has not stopped terrorists from using them. Encryption is not much different. The very popular and strong Advanced Encryption Standard (AES) algorithm was published by the National Institute of Standards and Technology (NIST) back in 2001. It is far too late to take AES or any other published algorithms back. They are out there for all to use and are not going away. For that reason, a U.S. or even a worldwide ban on encryption would do little to prevent criminals and terrorists from using it. Encryption is not magic, it is math. Terrorists that have scientists working to build them effective bombs out of household ingredients would have little issue with creating encrypted communications if necessary. Making encryption illegal would only prevent law-abiding citizens and the most unsophisticated of criminals from using it.

If making encryption illegal wouldn’t be effective, then how do we deal with terrorists and other criminals? What nation state spies and law enforcement are saying about “going dark” due to encryption is not accurate. Encryption does not actually make law enforcement agencies or militaries as blind as you might think. Authorities can and do use vulnerabilities that exist in our software and operating systems to provide more effective spying. Encryption does not matter when you hack somebody’s phone or laptop and install software that listens in on the microphone all the time, takes screenshots and records all the entered keystrokes. This is done, and the NSA’s Robert Joyce has even explained that there are so many known and unfixed software and operating system issues that they don’t have to heavily rely on finding or buying the unknown ones to take advantage of. When a cell phone or laptop can be hacked from a cubicle on the other side of the planet, it is hard to say anybody is going dark.

This article has described the FBI v. Apple encryption debate, the state of encryption and why nobody is “going dark”. The point of this article was to explain what is going on and to make you think logically, not emotionally about where you stand on the encryption debate. As long as we want to live in a digital world we have two options in regards to encryption. The first option is to accept the reality that encryption exists, is not going away and for the most part provides law-abiding citizens, companies and other organizations with a great deal of security. The second option is to live in a world where only criminals and terrorists have the best protection.

 

References

http://www.apple.com/customer-letter/

http://thelawdictionary.org/warrant-n/

http://thelawdictionary.org/subpoena/

http://www.dailymail.co.uk/news/article-3347671/ISIS-army-scientists-set-wage-chemical-biological-war-West-Experts-warn-weapons-mass-destruction-carried-undetected-Europe-Union.html

http://www.engadget.com/2016/01/29/zero-day-exploits-arent-as-important-to-the-nsa-as-you-think/

http://masssurveillance.info/

http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

Getting Started with PowerShell

Recently I’ve been working more with PowerShell and it has to be my favorite product from Microsoft. It is strange to have a favorite Microsoft product when you normally only have a least hated one. I knew you could do a lot with PowerShell, but I never did a deep dive on it. If you do not have a strong programming background and are new to PowerShell I have two video series to recommend. They are both provided free from Microsoft and are the Getting Started With PowerShell 3.0 Jump Start and Advanced Tools & Scripting With PowerShell 3.0 Jump Start videos.

Jump Start goes over the basics and provides useful information:

https://mva.microsoft.com/en-us/training-courses/getting-started-with-powershell-3-0-jump-start-8276?l=r54IrOWy_2304984382

Scripting will help you move from using one liners to creating adaptable tools:

https://mva.microsoft.com/en-US/training-courses/advanced-tools-scripting-with-powershell-3-0-jump-start-8277?l=WOWaGUWy_8604984382

Up Your Password Game

Passwords Are Increasingly Annoying

It doesn’t take many years in this increasingly connected world to rack up dozens of accounts for online shopping, work, banking, video/music streaming and etc. This is the Internet age, and the need for a large number of user accounts is just an annoying fact of life. How does anyone even manage the passwords for all these accounts? Do you have a few passwords you reuse for all your accounts? Do you use simple passwords that are easy to remember, like Matt9900 or kitten38? If you answered yes to either of those questions, then I have a New Year’s Resolution that will make your life easier and more secure.

What You Should Do

Everyone that does not already use a Secure Password Manager should make a New Year’s resolution to start. No, I’m not talking about a Word or Excel file you keep on your desktop called “Passwords”, or a sticky note on the bottom of the keyboard. What I am talking about is a software/service like Lastpass.com, Roboform.com or Keepass.info that helps you generate and manage strong passwords. Password managers work by using a single strong password/passphrase to protect all your passwords and provide features that help with the generation and management of passwords for all your accounts. Most password managers will even auto-magically fill in your login information on websites with the click of a button.

To get more information on two solid secure cloud based and inexpensive password managers take a look at http://www.roboform.com/how-it-works and https://lastpass.com/how-it-works/. At most you are currently talking around $10/year and there are free accounts with less features. Sign up, start using one today, but remember to use a strong password like “##IHadChipotleW/ThePurplePeopleEater7788” as your master password. A good non-cloud based password manager is Keepass, which is open source (free) and available on pretty much every platform. For most people a cloud based option is the better choice because you don’t need to figure out a way to back it up and sync across multiple devices. I use a cloud based password manager and also Keepass.

One of the many benefits a password manager provides is not constantly having to reset passwords for accounts because you can’t remember them. In addition to this, you don’t have to worry when there is another big data breach that now someone has the single password you use across all your important accounts. Let’s talk about passwords and why it is important to use strong ones.

Why it is Important to Use Strong and Unique Passwords

To understand why strong and unique passwords are important, you need to know the basics of how passwords work and how to crack them. When you create an account with a website and give it a password of pass1234 (Not a good password at all!) the website can store it in a number of ways. The worst way would be to take the password and just store it as is. If a password is stored without being obscured it is called cleartext. Anyone with access to the website’s  cleartext password database, which may be bad guys, can see everyone’s passwords. Surprisingly, there are sites that still store passwords in cleartext, which is one reason you can’t just use one password across all your accounts, even if it is a good strong passphrase like $$IHadChipotleW/ThePurplePeopleEater7788. Passphrases are a great way to generate a strong master password for a password manager that are easy to remember. Just make sure to use uncommon phrases and add capitalization, and numbers/symbols.

A better way for a website to store user passwords is to take the password and run it through something called a one-way hashing function, which obscures the password and outputs it in a fixed length. They call it a one-way hash because it is easy to put something through it one direction, but essentially impossible to go back through the other way. Like putting meat through a grinder to make hamburger. An example of this would be the password pass1234 run through the SHA1 hashing algorithm, which results in the hashed value 789b49606c321c8cf228d17942608eff0ccc4171. When logging into a site it takes the password you enter and runs it through the one-way hash. If the output matches the hash stored when you set your password, you are allowed to log in. This is good, but hash analysis can be used to easily figure out simple passwords.

Cracking a password is essentially the process of guessing passwords until you get the correct one. Most sites, work computers and etc. will stop you from guessing passwords after a couple attempts. If someone steals the password database all bets are off. The attacker now has access to the hashes and can guess as much as they want. One way this works is by creating, or using an existing table that contains common passwords and the resulting hash value. This is then compared to the hash value of the unknown password. If you get access to a password database and it has a password with the hash 12uiy, you can compare it to your hash table and look for a match. Ex. hash table: apple = a8990, bravo = 12uiy, orange = 90adf and pear = 0123e in this case you search your table of known hashes and find 12uiy is in your table and matches the word bravo. That means the password is bravo. It takes time to generate hash tables, so the longer, more unique and complicated, the harder it is to use hash comparison to find someones password from the hash. This is why using a strong password is important. Every password can eventually be cracked, but the harder it is, the longer it takes. So while pass1234 may take seconds or minutes to crack, ILoveWalrusAndMuffinsOn9900$$ Will take much longer.

Comparison of hashes is made even harder when organizations do something called salting passwords, which is taking the password you enter and adding something additional to it before hashing. Using this method makes it harder for an attacker because a new hash table needs to be created for every user at a specific site, if done right. This takes a lot of extra time, so it is easier for attackers to focus on simple and common passwords in those situations. Bcrypt is another way to make passwords harder to crack, which is even better than salting alone. Just remember a lot of people don’t properly store user passwords, so advanced password storage features are something that can’t be counted on.

Conclusion

In conclusion, I am saying to simply stop using the same couple passwords on all your accounts and accomplish this by using a password manager.