Log Awareness Trainings?

More and more companies organize “security awareness” trainings for their team members. With the growing threats people face while using their computers or any connected device, it is definitely a good idea. The goal of such trainings is to open people's eyes and change their attitude towards security.

If the goal of an awareness training is to change people's attitude, why not apply the same idea in other domains? Log files sound like a good example! Most log management solutions can be extended to collect and digest almost any type of log file. With their standard configuration, they are able to process the log files generated by most products on the information security market, but they can also “learn” unknown log formats. Maaaagic!


The Day Windows XP Died!

Tuesday 8th of April 2014, a page of the computer industry has been turned: Windows XP is dead! Of course, I had to write a blog post about this event. For months now, Microsoft has warned its customers that XP won't be supported starting from today. Do you remember? Windows XP was released in 2001 and, in the beginning, did not even ship with USB 2.0 support (it came with SP1)! What does it mean today? From an end user's point of view, their computer will not collapse. No need to chant voodoo formulas, it will boot again and work like yesterday… except if something bad happens. In this case, Microsoft won't help you (instead they will be very happy to propose an upgrade to Windows 8.1). Well, this is not 100% true: Microsoft is still ready to “offer” you some support if you pay for their extended support program! (Business is business)

Things are nastier from a security point of view! Your computer will still run but it will be vulnerable to new attacks. By “new” I mean the ones that will be discovered from now on (XP will be a very nice target given its installed base, see the graph below). But I'm also pretty sure that some vulnerabilities have been known for a while and kept below the radar, ready to be used in the wild. And this may happen as soon as tomorrow. People are still migrating to a newer operating system and the attack surface will shrink over time. From an attacker's perspective, this is the right time!

But is this old Windows XP still a problem? People had quite a long time to switch to another OS, right? Have a look at the following statistics. They come from this blog and are based on the last 30 days:

Windows Statistics

Based on Google Analytics, 11% of my visitors are still using Windows XP! Based on my regular audience and the content of this blog, I would expect people to have a “high-level profile” (IT professionals, infosec people, etc.). Those people should have gotten rid of XP a while ago. Ok, let's reduce this number by a few percent to account for the fake User-Agents used by some of you, and for bots and crawlers. Let's make a final estimate of 7-8%. This remains a huge number of vulnerable computers (and my blog does not generate a lot of traffic). I'm curious to see statistics from the big players on the web… Can somebody share?

If you're still using XP today, look above your head: there is a sword of Damocles hanging there! Windows XP was not only used on desktop computers. Plenty of services are still running on top of it:

  • Bank ATMs
  • Medical devices
  • SCADA systems
  • PoS terminals
  • Kiosks

What can you do against this? First reaction: upgrade as soon as possible (for laptops & desktops). Installations like medical devices have a bad reputation for not being easily upgradable (or not at all). In all other cases, the usual security best practices apply:

  • Locate the devices running XP on your network! It may sound stupid, but many companies don't know which devices are connected to their LAN!
  • Prohibit those devices or isolate them in a separate network zone. NAC (“Network Access Control“) solutions can be useful to put them in a dedicated & hardened VLAN
  • Disconnect them from the Internet
  • Don't run “services” on them
  • Don't surf from them

Finally, if you have old applications, test them on a newer OS in the “Windows XP” compatibility mode. Please take action today!
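The first item of the list, locating XP machines, is the one most people skip. As an added example (not code from the original post), here is a small script that reads an Nmap XML report and classifies live hosts as confirmed or suspect XP machines. It assumes the network was scanned with Nmap's OS fingerprinting plus the SMB OS discovery script (`nmap -O --script smb-os-discovery -oX xp-scan.xml 192.0.2.0/24`); the embedded XML is a constructed sample in that format, not a real scan. The SMB banner is trusted over the TCP/IP fingerprint, because the host reports its own OS there, while a low-accuracy `-O` guess only earns a "suspect" flag for manual follow-up.

```python
"""Find hosts that still look like Windows XP in an Nmap XML report.

Added example (not code from the original post).  It assumes the network
was scanned with Nmap's OS fingerprinting and SMB OS discovery script:

    nmap -O --script smb-os-discovery -oX xp-scan.xml 192.0.2.0/24

SAMPLE_XML below is constructed to look like that report; it is not a
real scan.
"""
import re
import sys
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O --script smb-os-discovery -oX xp-scan.xml 192.0.2.0/24">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <os><osmatch name="Microsoft Windows XP SP2 or SP3" accuracy="97"/></os>
    <hostscript>
      <script id="smb-os-discovery" output="&#10;  OS: Windows XP (Windows 2000 LAN Manager)&#10;  Computer name: ATM-LOBBY-01"/>
    </hostscript>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <os><osmatch name="Microsoft Windows 7 SP1" accuracy="95"/></os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
    <os>
      <osmatch name="Microsoft Windows XP SP3" accuracy="60"/>
      <osmatch name="Microsoft Windows Server 2003" accuracy="55"/>
    </os>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.0.2.13" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

XP_RE = re.compile(r"\bWindows XP\b", re.IGNORECASE)
MIN_ACCURACY = 90   # -O guesses below this are too weak to act on alone


def find_xp_hosts(xml_text):
    """Classify live hosts into 'confirmed' and 'suspect' XP machines.

    confirmed: the SMB banner names XP (the host said so itself), or the
               best OS fingerprint is XP with accuracy >= MIN_ACCURACY.
    suspect:   the best fingerprint is XP but with low accuracy; worth a
               closer look (e.g. an embedded device answering on 445).
    Each entry is (ip, evidence).
    """
    root = ET.fromstring(xml_text)
    confirmed, suspect = [], []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = next((a.get("addr") for a in host.findall("address")
                   if a.get("addrtype") == "ipv4"), None)
        if ip is None:
            continue

        # 1. SMB OS discovery: the strongest signal, independent of -O
        smb_os = None
        for script in host.iter("script"):
            if script.get("id") == "smb-os-discovery":
                m = re.search(r"OS:\s*([^\n]+)", script.get("output", ""))
                if m:
                    smb_os = m.group(1).strip()
        if smb_os and XP_RE.search(smb_os):
            confirmed.append((ip, "smb: " + smb_os))
            continue

        # 2. Fall back to the best TCP/IP stack fingerprint
        matches = host.findall("./os/osmatch")
        if not matches:
            continue
        best = max(matches, key=lambda m: int(m.get("accuracy", "0")))
        accuracy = int(best.get("accuracy", "0"))
        if XP_RE.search(best.get("name", "")):
            evidence = "os-fingerprint %d%%: %s" % (accuracy, best.get("name"))
            (confirmed if accuracy >= MIN_ACCURACY else suspect).append((ip, evidence))
    return {"confirmed": confirmed, "suspect": suspect}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for tier, hosts in find_xp_hosts(text).items():
        for ip, evidence in hosts:
            print("%-9s %-15s %s" % (tier, ip, evidence))
```

Run it with the path of a real `-oX` report as the only argument; the confirmed list is what goes into the isolated VLAN, and the suspect list is what you walk over to with a colleague from the network team.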

Pwned or not Pwned?

Just before the announcement of the Full-Disclosure shutdown a few days ago, a thread generated a lot of traffic and finally turned into a small flame war. At the beginning of the month, a security researcher reported a vulnerability found on YouTube. According to him, the Google service was suffering from a file upload vulnerability. Reading this kind of post is juicy! Accepting files sent by visitors is always a touchy feature on a website. For example, if you allow your users to upload images to create an avatar, you must implement proper controls to be sure that the uploaded file is in the expected format and does not contain any malicious code. I won't describe how to protect against this vulnerability, and even less discuss the Full-Disclosure thread, but it reveals an important fact: the severity of an issue is linked to its “context“…


2nd European Information Security Blogger Awards Announced

Today, Brian Honan announced on his blog the second European edition of the Security Bloggers Awards. In a few weeks, many infosec folks will travel to London to attend BSidesLondon and/or InfoSecurity Europe. This is the perfect time to organize a meet-up, on Wednesday 30th April. Security bloggers are welcome to have drinks and chat in a relaxed atmosphere. Bad timing for me, I won't be able to attend…


R.I.P Full-Disclosure… What’s Next?

Sad news received today: a (last) message was posted to the Full-Disclosure mailing list. John Cartwright, one of the founders and owner, announced the end of the list (copy here). Personally, I subscribed in December 2006 (more than seven years ago!). I was a passive reader but learned so much interesting stuff!

I was surprised to read John's announcement but I can fully understand and respect his decision. Operating a public service in 2002 or today are two completely different things. The word “public” is the main issue here. Why? First of all, the mailing list was open to everybody after a simple registration. It started completely unmoderated but, around 2010, some controls were added. Was it a first smoke signal? Maybe… Moreover, the list archive being replicated on multiple sites, Google & co did their job and indexed all the content. Today, the behavior of most organizations has changed and they try to keep an eye on what's being said about them. It became usual to send requests asking to remove some sensitive content. According to John, the number of such requests kept growing over time. I can imagine the workload to handle this!

Over the years, more and more people subscribed to the list, “young” people jumped into the security community (no, I don't consider myself old ;-)) and the list was also known to be, from time to time, flooded by flame wars. The last example was a few days ago about the vulnerability reported on YouTube… But that's normal: a space to express yourself, open to anyone, people from different countries, different experiences and generations, all the ingredients were present for clashes!

What is a shame is the lack of a strong community in the infosec field. What's next? A fork of a new Full-Disclosure? In which format? Mailing list, forum, Google group? Personally I prefer a solution based on emails. It's easy to read, archive and process. Who will join? If the same people move to the new platform, the same problems will occur again. What about restricting the access and moderation? I'm definitely for people's freedom but today you definitely can't publish everything online. Create an “underground” list without community? There are already plenty… It's maybe time to review the concept but we definitely need a Full-Disclosure mailing list!

Thank you John for your awesome work!

Checking Reverse Dependencies in Linux

All modern Unix operating systems provide software as packages. I remember the good old times in the '90s when you had to compile all the applications from their source code. Compiling source code has advantages: you enable only the features you need and perform configuration tweaks as you want. But it's also a pain to manage dependencies! You must have all the required libraries and tools pre-installed, and with the right versions! Today, package managers are very convenient and take care of all the boring stuff.

Package managers handle dependencies perfectly (they install all the extra packages required for you), but they also have interesting features like checking for “reverse dependencies“: listing the packages that use a given package. From a security point of view it can be very useful. Think about the recent issue discovered in the GnuTLS code (GNUTLS-SA-2014-2). While waiting for a patch to fix such an important vulnerability, it is interesting to know which tools & applications use this piece of code, to try to mitigate the impact. How to achieve this?

On Debian/Ubuntu, use the apt-cache command with the “rdepends” keyword (add the “--installed” option to restrict the list to packages actually installed on the system, instead of everything the repositories know about):

root@kali:~# apt-cache rdepends libgnutls26
Reverse Depends:

On Fedora, CentOS or Red Hat, use the rpm command with the “--whatrequires” flag:

[root@dom0 ~]# rpm -q --whatrequires openssl

For the story, libgnutls26 is used by 184 packages on my core Ubuntu home server! One caveat with rpm: “--whatrequires” matches the capability names that packages declare they require, and for libraries these are usually sonames rather than package names. If querying “openssl” returns a suspiciously short list, query the shared library itself (for example “rpm -q --whatrequires 'libssl.so.10()(64bit)'”; get the exact capability string from “rpm -q --provides” on the package that ships the library). Those commands can save you some time and headaches…
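The package-level view has a blind spot once the fix lands: a daemon that mapped the vulnerable library at startup keeps executing the old copy until it is restarted, and Linux marks such mappings with a “(deleted)” suffix in /proc/<pid>/maps. As an added example (not code from the original post), the script below lists the running processes that have a given library mapped and flags the ones still holding a replaced copy. The maps excerpts embedded in it are constructed, not captured from a real host; the live scan needs root to see every process.

```python
"""Which running processes have a given shared library mapped?

Added example, not code from the original post.  apt-cache rdepends tells
you which packages depend on libgnutls26; this tells you which running
processes have the library's code in memory right now.  That list is what
you have to restart once the fixed package is installed: a daemon keeps
executing the old copy it mapped at startup, and the kernel then shows
that mapping with a "(deleted)" suffix.  Linux only (reads /proc/<pid>/maps).
SAMPLE_MAPS is constructed, not captured from a real host.
"""
import os

SAMPLE_MAPS = {
    # pid: (process name, /proc/<pid>/maps excerpt)
    "1234": ("apache2",
             "7f3a5c000000-7f3a5c1b0000 r-xp 00000000 08:01 1312345 /usr/lib/x86_64-linux-gnu/libgnutls.so.26.22.4\n"
             "7f3a5c1b0000-7f3a5c3af000 ---p 001b0000 08:01 1312345 /usr/lib/x86_64-linux-gnu/libgnutls.so.26.22.4\n"
             "7f3a5d000000-7f3a5d1c0000 r-xp 00000000 08:01 1310001 /lib/x86_64-linux-gnu/libc-2.15.so\n"
             "7fff1e000000-7fff1e021000 rw-p 00000000 00:00 0       [stack]\n"),
    "1300": ("exim4",
             "7f9b10000000-7f9b101b0000 r-xp 00000000 08:01 1312345 /usr/lib/x86_64-linux-gnu/libgnutls.so.26.22.4 (deleted)\n"
             "7f9b11000000-7f9b111c0000 r-xp 00000000 08:01 1310001 /lib/x86_64-linux-gnu/libc-2.15.so\n"),
    "1400": ("bash",
             "7f0c20000000-7f0c201c0000 r-xp 00000000 08:01 1310001 /lib/x86_64-linux-gnu/libc-2.15.so\n"
             "7fff2a000000-7fff2a021000 rw-p 00000000 00:00 0       [stack]\n"),
}


def mapped_files(maps_text):
    """Yield (path, deleted) once per file-backed mapping in a maps listing."""
    seen = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)     # path may contain spaces, e.g. " (deleted)"
        if len(fields) < 6 or not fields[5].startswith("/"):
            continue                     # anonymous, [stack], [vdso], ...
        path = fields[5]
        deleted = path.endswith(" (deleted)")
        if deleted:
            path = path[:-len(" (deleted)")]
        if path not in seen:
            seen.add(path)
            yield path, deleted


def processes_using(libname, maps_by_pid):
    """Return [(pid, name, path, needs_restart)] for processes mapping libname.

    libname is matched on the file's basename up to ".so", so "libgnutls"
    (or "libgnutls.so.26") matches libgnutls.so.26.22.4 but not
    libgnutls-openssl.so.27.
    """
    stem = libname.split(".so")[0] + ".so"
    hits = []
    for pid, (name, maps_text) in sorted(maps_by_pid.items(), key=lambda kv: int(kv[0])):
        for path, deleted in mapped_files(maps_text):
            if os.path.basename(path).startswith(stem):
                hits.append((pid, name, path, deleted))
    return hits


def read_live_maps():
    """Collect maps for every process we are allowed to read (root sees all)."""
    out = {}
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open("/proc/%s/comm" % pid) as f:
                name = f.read().strip()
            with open("/proc/%s/maps" % pid) as f:
                out[pid] = (name, f.read())
        except OSError:            # process exited, or not ours (EACCES)
            continue
    return out


if __name__ == "__main__":
    import sys
    lib = sys.argv[1] if len(sys.argv) > 1 else "libgnutls"
    source = read_live_maps() if len(sys.argv) > 1 else SAMPLE_MAPS
    for pid, name, path, deleted in processes_using(lib, source):
        flag = "  <- old copy still mapped, restart it" if deleted else ""
        print("%6s %-12s %s%s" % (pid, name, path, flag))
```

Without an argument it runs over the constructed sample; with a library name (for example `libgnutls`) it walks the real /proc of the machine it runs on. Programs that dlopen() the library on demand only show up while it is loaded, so run it when the services are actually busy.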

Mr Microsoft Support is Back!

In a previous post, I explained how I was happy to have been targeted by Indian phishers who called me to report an issue with my Windows computer. Last Saturday they called back. This time, my VM was ready but I had no time for them. I asked if it was possible to call me back later and they agreed! This morning, they called back as promised!

[Note to some operators and manufacturers: they provide better support than you because they really take care of their "customers" ;-)]

When the phone rang, I was not ready but they called again five minutes later. VM? Check! Recording? Check! The scenario is always the same: the “operator” introduces himself and asks you if you are in front of your computer. The guy on the line was speaking very bad English. Impossible to understand the URL he spelled out. He forwarded me to a colleague. Let's go! He first asks you some basic questions to ensure that you're in front of your computer (and does this all the time during the conversation). Then he asked me to press “Windows-R” and to type a URL: hxxp://www.supportbe.webs.com. It did not work, no problem: he had plenty of alternatives. The second URL was ok (hxxp://www.infosis.net). From this site, he asked me to download a TeamViewer client and to execute it. It took a long time because my VM did not have direct access to the web; I had to change the proxy settings live. Once started, the client was unable to contact the TeamViewer servers due to the firewall. Again, I changed this on the fly. Honestly, those guys are really patient! Once the ID and password were communicated, the fun began!


Book Review: Cuckoo Malware Analysis

I've been a Cuckoo user for a long time, so it was a good opportunity to read the book “Cuckoo Malware Analysis” and write a quick review (the book is published by Packt Publishing). For the readers who don't know what Cuckoo is, here is a brief introduction…

Malware is a real pain today! Just by visiting a website or by opening a file attached to an email, you can infect your computer with malware that will turn it into a bot, steal sensitive information or use it as a pivot to conduct a deeper attack. To learn how those malicious pieces of code work, they must be analysed: that's the job of malware analysts. Malware analysis can be performed in two different ways. The first one is called “static analysis“. It is based on actions like scanning the program with antivirus solutions, searching for interesting strings, dumping the code in a hexadecimal viewer, unpacking the code and disassembling the software. The opposite is called “dynamic“, “live” or “behavioral” analysis. In this case, the goal is to look at how the malware behaves and what changes are made on the infected system (process & file creation, registry, network connections, etc). This type of analysis must be performed in a safe environment, not connected to any other system, that can be quickly restored. Cuckoo is a project initiated by Claudio Guarnieri which helps to set up an environment to perform behavioral analysis of malware. If you're interested in this topic, the Internet is full of documents; here is a good one provided by SANS: Malware Analysis Introduction.
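To make the “searching for interesting strings” step of static analysis concrete, here is an added example (not code from the original post, the book, or the Cuckoo project): it pulls ASCII and UTF-16LE strings out of a binary, checks whether the file is a PE executable, and sorts the strings into URLs, IP addresses, well-known injection/download APIs and a persistence registry path. The API and path lists are a small illustrative selection, and build_sample() constructs a fake PE-shaped blob for the demo, so nothing here is a real sample.

```python
"""A first static-analysis pass: printable strings and simple indicators.

Added example, not code from the original post or from the Cuckoo
project.  It does the "search for interesting strings" step: pull ASCII
and UTF-16LE strings out of a binary, check whether the file is a PE
executable, and flag URLs, IP addresses, well-known injection/download
APIs and a persistence registry path.  build_sample() constructs a fake
PE-like blob for the demo; the API and path lists are a small
illustrative selection, not a complete catalogue.
"""
import re
import struct

SUSPICIOUS_APIS = {
    "CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
    "URLDownloadToFileA", "WinExec", "ShellExecuteA",
    "LoadLibraryA", "GetProcAddress", "RegSetValueExA", "IsDebuggerPresent",
}
PERSISTENCE_PATHS = (
    r"CurrentVersion\Run",
    r"CurrentVersion\RunOnce",
)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_strings(data, min_len=4):
    """Return ASCII strings, then UTF-16LE ("wide") strings, of >= min_len chars."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def is_pe(data):
    """True if data has an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_indicators(strings):
    """Group the interesting strings: urls, ips, apis, persistence."""
    urls, ips, apis, persistence = set(), set(), set(), set()
    for s in strings:
        urls.update(URL_RE.findall(s))
        ips.update(IPV4_RE.findall(s))
        if s in SUSPICIOUS_APIS:
            apis.add(s)
        if any(p.lower() in s.lower() for p in PERSISTENCE_PATHS):
            persistence.add(s)
    return {"urls": sorted(urls), "ips": sorted(ips),
            "apis": sorted(apis), "persistence": sorted(persistence)}


def build_sample():
    """Constructed PE-shaped blob: MZ stub, PE signature at 0x80, some strings."""
    header = bytearray(0x80)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)         # e_lfanew -> 0x80
    body = b"PE\x00\x00" + b"\x00" * 20
    body += b"kernel32.dll\x00LoadLibraryA\x00GetProcAddress\x00CreateRemoteThread\x00"
    body += b"\x01\x02\x03http://198.51.100.7/update.exe\x00\x04\x05"
    body += "cmd.exe /c".encode("utf-16-le") + b"\x00\x00"
    body += b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    return bytes(header) + body


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print("PE executable:", is_pe(blob))
    for key, values in find_indicators(extract_strings(blob)).items():
        print("%-12s %s" % (key, ", ".join(values) or "-"))
```

Packed or encrypted samples show almost nothing here, which is itself a finding: an executable with no imports and no readable strings is a strong hint that the unpacking step, or a behavioral run in Cuckoo, is the next move.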


Hello Sir, This is the Microsoft Support Calling…

You know what? I'm happy and proud to have received my first call from the “Microsoft Support“! When I came back home, there were already three missed calls on my private line, all of them from a strange number (001453789410). A few minutes later, the phone started to ring again… I picked up the phone and, amongst the noise of a call center, I heard: “Hello Sir, this is the Microsoft Support calling!“. Bingo, I'm targeted! Nothing brand new with this type of social engineering attack, but it was a first live experience for me. It was too tempting to play the game! [Note: I had no recording device so I briefly took notes during the conversation]

All the aspects of a social engineering attack were covered in the caller's pitch: first, he tried to get my attention (of course he had all my attention! ;-): “I see that you're using a Windows computer at the moment. Didn't you detect any suspicious activity for a while?“. Then, he tried to scare me: “Your computer is infected with malware and viruses!“. The next step was to gain my confidence: “Let's see how we can solve this together…“.

Then the fun part started! “Are you in front of your computer right now? Oh, I see again some malicious activity!”, then “I'll ask you to type some commands to solve all your problems“. The guy was very patient and even helped me to find the “Windows” key on my keyboard (“You see, the key with four small squares representing the Windows logo“). Another three minutes to explain to me how to press “Windows”-R at the same time. And again a few minutes to spell the URL to type: “W like William, again W like William, etc” (he never mentioned technical terms like URL, browser, etc…). At this point, I expected to collect some interesting URLs with a malicious payload but why do complicated stuff when the Internet is full of remote control services?

He asked me to visit www.support.me which is an alias for secure.logmeinrescue.com/Customer/Code.aspx and gave me the 6-digit code required to download and start the remote support session! During the whole conversation, I tried to grab information about him: how did he get my number, how did Microsoft detect that my computer was infected. I also asked him to “connect to my computer” to get his own IP in my firewall logs but no luck… Every time, the guy came back to his “script”. After approximately 15 minutes, I dropped the call (I did not have a computer ready for him).

A few minutes later, I booted a fresh VM and provided the 6-digit code but… it had already expired! Too late… I was so curious to see what operations the guy would have performed on the computer once logged in (anybody has more info?). I'm also wondering why they called me in English. Based on my home phone number, they should know that I'm a native French speaker! I'm sure that the same scenario in the victim's mother tongue could be much more successful…

Logs… Privacy Issues?

Logs… We will never get rid of them! It's a pain to manage them from a technical point of view, but collecting events and using them can also introduce more issues in companies… from a legal point of view! Tonight, an ISACA Belgium Chapter meeting was organised within the context of the Open Privacy Forum. If log management remains a hot topic, the legal issues could become a real nightmare compared to the technical ones. The speaker was a lawyer, Johan Vandendriessche. He gave a very good overview of the (Belgian) law regarding privacy and logs.

[Note: I'm not a lawyer and laws are complex. I'll just give some facts grabbed during the meeting. Please use them "as is"]

First of all, privacy concerns must be addressed well before the deployment of a technical solution. Why? The way logs will be stored and processed may require some specific technical features. The first question to ask yourself is “Which logs do I need?“. We can use logs for statistics or security purposes. Take as an example an Apache event:

x.x.x.x:52772 - - [20/Feb/2014:23:00:05 +0100] "GET / HTTP/1.1" 200 18905 "-"
"NewsBlur Page Fetcher - 3 subscribers - http://www.newszeit.com/site/59364/devrandom
(Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_1) AppleWebKit/534.48.3 (KHTML, like Gecko)
Version/5.1 Safari/534.48.3)"

The Referer, User-Agent, HTTP status code and object size are very useful for statistical purposes. And, from a security perspective, we have the source IP address and the source port. Depending on the future usage we will make of this event, we can drop some information or anonymize it. We are facing a dilemma here: the law says that we are authorized to log only useful events, while more and more companies tend to store a huge amount of events for forensics or behavioral monitoring. The golden rule is always the same: if you keep logs, it must be for a (good) technical reason, like ensuring that the network performs well. They cannot be used to track people.

Then comes the second question: “Does this log contain PII?” (“Personally Identifiable Information“). PII is a very broad topic! Even if the identification of a person is not immediate, some information is considered private. A good example is a car license plate. IP addresses were also considered PII in recent cases! Here are some facts to keep in mind about logs:

  • The scope of logging must be clearly defined. What is the nature of the data? A “data controller” (the person responsible for the data stored) must be able to justify the choices.
  • Logs cannot be used to track employees, but people must be aware that their activity is logged (how and where)
  • Access to the logs must be restricted to authorized people only. Access to logs must generate… a new log!
  • Some logs are mandatory for legal or business reasons
  • Proper controls must be implemented to protect your logs. Here the principle of “due care” applies: companies must implement appropriate controls to protect their logs.
  • Can we re-use old (archived) logs for processing? Yes, if the purpose of the search is compatible with the original one.

Many questions were asked during the presentation, which proves that it's a hot topic. But it also demonstrated that a lot of grey zones remain. A last tip: before processing logs containing private data, ask for some help from the legal department of your company!
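To show how the “drop it or anonymize it” decision and the “IP addresses are PII” point translate into code, here is an added example (not code from the original post or from the talk). It parses the Apache combined-format event quoted above (with a constructed address in place of x.x.x.x), then derives a statistics view with every client identifier removed and a security view in which the address is replaced by a keyed-hash pseudonym: events from the same client still correlate, but the address itself is no longer stored, and rotating the key bounds how long the pseudonyms stay linkable. The HMAC key is a placeholder; a real deployment keeps it out of the log pipeline. A /24 truncation is included as the coarser, key-free alternative.

```python
"""Two views of one Apache access-log event: statistics vs. security.

Added example, not code from the original post or the talk.  It parses a
combined-format line (constructed, same layout as the event quoted in the
post), then produces a statistics view with the identifying fields
dropped and a security view where the client address is pseudonymised
with a keyed hash.  PSEUDO_KEY is a placeholder: keep the real one
outside the log pipeline and rotate it to limit linkability over time.
"""
import hashlib
import hmac
import re

# Constructed sample in the same format as the event quoted in the post.
SAMPLE_LINE = (
    '198.51.100.7:52772 - - [20/Feb/2014:23:00:05 +0100] "GET / HTTP/1.1" 200 18905 "-" '
    '"NewsBlur Page Fetcher - 3 subscribers - http://www.newszeit.com/site/59364/devrandom '
    '(Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_1) AppleWebKit/534.48.3 (KHTML, like Gecko) '
    'Version/5.1 Safari/534.48.3)"'
)

# %a:%{remote}p %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+?)(?::(?P<port>\d+))? (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

PSEUDO_KEY = b"placeholder-rotate-me"   # assumption: a secret held outside the log store


def parse_combined(line):
    """Return the event as a dict, or None if the line is not in this format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def pseudonymize_ip(ip, key=PSEUDO_KEY):
    """Keyed, one-way pseudonym: same key + same IP -> same token."""
    return "ip-" + hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def truncate_ipv4(ip):
    """Coarser alternative: keep the /24 only (no key to protect, less precision)."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(octets[:3] + ["0"])


def stats_view(event):
    """What the statistics use case needs: no client identifiers at all."""
    keep = ("time", "request", "status", "size", "referer", "ua")
    return {k: event[k] for k in keep}


def security_view(event, key=PSEUDO_KEY):
    """What the security use case needs, with the address pseudonymised."""
    view = dict(event)
    view["ip"] = pseudonymize_ip(event["ip"], key)
    return view


if __name__ == "__main__":
    ev = parse_combined(SAMPLE_LINE)
    print("stats    :", stats_view(ev))
    print("security :", security_view(ev))
    print("truncated:", truncate_ipv4(ev["ip"]))
```

Note that the User-Agent and Referer survive both views, and they can carry identifying data too (the sample's User-Agent embeds a feed-subscription URL); which fields count as PII is exactly the question to settle with the legal department before the pipeline is built.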