The guys from Packt Publishing asked me to review a new book from their “Instant” collection: “OSSEC Host-Based Intrusion Detection“. This collection proposes books of fewer than 100 pages about multiple topics. The goal is to go straight to the point. OSSEC being one of my favorite applications, I could not miss this opportunity! The book's author is Brad Lhotsky, a major contributor to the OSSEC community. Amongst the list of reviewers, we find JB Cheng, the OSSEC project manager responsible for OSSEC releases. It is a guarantee of quality for the book!
For a while now, DDoS attacks have been back on stage and one of the classic techniques still used today is the DNS amplification attack. I won’t explain the ins and outs again; there are plenty of websites available which describe it, like the good article from CERT.be. This type of attack is well-known and can be fixed in one click or by changing one line in a configuration file for most DNS servers! A few days ago, I asked myself: “And what about Belgium? Do we still have a lot of vulnerable DNS servers in the wild?“. As you can probably imagine, the answer is… “Yes, there are!” But how to get a good idea of the extent of the disaster? To collect some statistics, I looked for DNS servers in the Belgian IP space…
I don’t know if you already noticed but it looks to be a never-ending story: Companies get pwned and data is leaked on the Internet (pastebin.com). Then starts the game of press releases…
Most companies try to reduce the impact of the breach they suffered and it looks like Hollywood movies with animals involved in stunt scenes: ”No Animals Were Harmed in the Making of This Film“.
Let’s take a practical example which occurred recently in Belgium. Rex Mundi is a group of people (Note: I don’t say “hackers“) who like my country! Not for our beers or the French fries (and even of that I’m not sure) but they like our websites:
They previously targeted companies like buyway.be and habeas.be. Their latest target is the Internet provider Numericable. They claimed to have grabbed 6000 customer records:
Their method is always the same: They grab interesting data (usually customer information), publish a sample and ask for a ransom by threatening to disclose the full set of stolen data. I don’t know if companies paid, I hope not! The goal of this post is not to debate those stories, which remain illegal. But, as I said above, companies always tend to minimize the impact of such attacks. Again with Numericable, which communicated that the stolen data were not “critical“. They didn’t contain billing information but only names, e-mail addresses and phone numbers of visitors who requested information via a website.
I’m sorry but ALL data are VALUABLE! There will always be people ready to get them. Two scenarios:
- Use the data to perform statistics or try to attract new customers (think about a competitor – another ISP)
- Use the data to perform attacks (spear-phishing) – “Dear x, you contacted Numericable recently blah blah blah…“
This behavior is a side effect of the business: Companies must keep customer confidence and prefer to try to minimize the impacts of such attacks. So, nobody was harmed in this attack? I’m not sure…
Some days or weeks ago, I wrote a blog post (link) about an (unsuccessful) WordPress bruteforce attack against this site. I captured the attackers’ traffic in a big pcap file. It was a good opportunity to perform a quick analysis to try to extract some statistics. Here follow more details about the attackers. I extracted the offending IP addresses (15K+) and fired a big Nmap against them. I agree this was a rude approach and, in some countries, port scanning is prohibited. No complaint was received and I detected only one “back” scan from one of the targets. [Note: during the scan, no kid, no animal was injured and no attempt to abuse resources was performed]
Lots of Belgian newspapers and sites reported today (Example of article - in French) that a draft law will be discussed soon (deriving from the EU Data Retention Directive) to require providers of telecommunications (Internet – Mobile services) to keep a trace of electronic communications. Wait, the article should say “will be discussed again soon“, Belgium being very slow to address this topic. I’m not a lawyer but I thought there was already such a law in place. The EU directive was adopted in 2006 and there were already huge debates in Belgium in 2010 about this topic (status here). I also wrote a blog post about this. If anybody has more information, please share! Is the text of the law available somewhere? Why did the Belgian government decide to put this project back on the table? After the stories around PRISM or the French DGSE, maybe they would like to be transparent?
Today I read an interesting document which landed in my mailbox. It’s about a call for proposals initiated by the European Commission “Home Affairs” DG. The document was a CFP (“Call For Participation“) that is part of the programme called “Prevention, Preparedness and Consequence Management of Terrorism and other Security related Risks for the Period 2007-2013” (called the CIPS Programme). Here is a quoted definition extracted from the descriptive document:
This Call for Proposals corresponds to the implementation of Part A of the Work Programme and aims at awarding grants to transnational and/or national projects that contribute to the development of the “European Programme for Critical Infrastructure Protection” (EPCIP) as well as policy measures aiming at upholding, and/or guaranteeing security and public order during a crisis situation.
According to the same document, the total budget allocated to this programme is 9.3M EUR for this year. The complete description is available here. Immediately, I asked myself what kind of projects could be accepted and sponsored. To be fully transparent, the European Commission published the list of winners from previous years on the same website. Here is a link to the 2012 awarded projects. Some examples:
- “Fight and Investigation of Cyber Attacks Against Critical Governmental” by Estonian Police and Border Guard Board (218K EUR)
- “Identification of threats against critical infrastructures and decision support” by Province of Novara, Italia (380K EUR)
- “Formal Methods: Business Impact of Application to Security relevant Devices” by the University of Piemonte Orientale, Italia (373K EUR)
But the project which attracted my attention was the one called “SNAPSHOT” which stands for a “Social Network Analysis Platform for the Support of european and HOmeland Threat prevention strategies“. Here is the description:
The SNAPSHOT project aims at increasing the global security awareness of critical infrastructure operators (CIOs) by developing a ground-breaking software platform for monitoring and assessment of evolving threats based on premium and exclusive methodologies of open source intelligence. Particular emphasis is brought upon the analysis of online social media, which are considered invaluable sources for intelligence, since they contain evidence of opinion trends, population response to critical events and therefore may provide key elements of policy and decision making in the realm of critical infrastructure security.
Global, monitoring, open source intelligence, social media, evidence, trends, etc. This sounds like a familiar story, doesn’t it? I tried to find more information about this project but no luck. Transparency?
Do you remember the “Pass The Bomb” game? All kids played this game at least once. The principle is simple and funny. There is a bomb which is programmed to explode after a random time. Players must pass the bomb from hand to hand and say a new word which must contain letters from a chosen card. The player who holds the bomb when it explodes loses. [Note to the NSA: The term "bomb" refers to a game - I'm not a terrorist!]
Today, I had the feeling of seeing a new kind of “Pass The Bomb” game at acme.org [The names have been changed to protect the innocent]. A mail reporting a security issue arrived in a generic mailbox (something like abuse) with a Cc: to a non-technical person. I’m pretty sure that the mail was too technical to be handled by the abuse team. The non-technical person read the message and forwarded it to a first person with more focus on security. Then the mail was forwarded to another person in the team where the security issue resides. Then this person forwarded the message to someone else in the same department. At every step, the list of Cc: grew. Then, no news… I hope that the bomb did not explode in the meantime!
This story is a good example of a “Pass The Bomb” game in information security. Email is not a proper way to handle such issues. I don’t say that the communication channel is bad (depending on the type of incident) but all communications and actions should be logged in a stronger system (like a ticketing system, a Wiki, a notepad, …) with proper follow-up. Most people have an “FF” reflex (“Forward and Forget“, not “Follow Friday” for the Twitter addicts). I don’t blame them, that’s human behavior. They have their regular business to do. But some people in the chain may already have started their summer break. What if the mail was forwarded to an out-of-office contact? At the moment, I’m pretty sure that nobody took the lead on this security incident… Tip: have a proper incident handling procedure in place.
A reflection about the multiple SIEM (“Security Information and Event Management“) products available on the market… I’m currently working with a customer on a big SIEM implementation in an environment that must be PCI compliant and integrates a multitude of devices coming from heterogeneous security vendors (big players). Security visualization being one of my favorite topics, people often ask me what the “best-SIEM-solution-ever” is, or I’m contacted by vendors who announce new products with new features, more and more powerful and easy to use. A classic argument used by niche players ((c) Gartner) is the extreme complexity of their competitors. They claim to have an “out-of-the-box” solution: No need to write complex rules, reports are available through a click & run interface, etc. Really?
Let me demonstrate that a good SIEM must be one deployed for your devices and applications, by you and for your business! Most SIEM vendors propose useful “compliance” packages. You must be [PCI|SOX|HIPAA|ISOxxxxx] compliant? There is a corresponding (and expensive) package which includes all the required stuff to generate reports “just by pressing a button“. Have a look at the screenshot below:
This is a query coming from a PCI compliance package installed in a well-known SIEM environment. This query is part of PCI requirement #1 – Firewall Configuration – and should return disallowed traffic from the DMZ to untrusted hosts (example: a server in the DMZ trying to connect directly to the Internet). Translated into plain English, the query selects events:
- IF the target is not:
  - known as a regular destination from the DMZ
  - OR known as a trusted target
  - OR known as a “cardholder” target
- AND IF the destination port is not known as allowed (via an Active List)
- AND IF the traffic is not coming from a VPN device
- AND IF the traffic is not coming from a SIEM device
- AND IF the source is flagged as an attacker from the DMZ
Don’t spend too much time understanding the rule syntax, it’s not the goal here. The problem that we detected was the following: the report generated too much noise. There were a lot of false positives like:
Source (DMZ)    Target     Destination Port
192.168.x.x     x.x.x.x    123
This event is a DMZ host (192.168.x.x) trying to communicate with an NTP server (x.x.x.x). Based on the query described above, a solution could be to tag the NTP server IP address as “trusted“, but we don’t control the IP addresses behind the FQDN and the same IP address could be the destination of other communications. Another solution could be to add the NTP port (123) to the list of trusted ports in the DMZ. This is not a solution either: by trusting the port, it could be used by another server for other communications and not be listed in the PCI report.
Our solution was to replace the active list containing the trusted ports by a new one with two fields: the DMZ source and the destination port. This way, we can define precisely who is allowed to use which protocol.
Another example: some PCI reports returned no results at all while we knew that some events were generated! In this case the problem was located at the event normalization level. The reports used the field “Attacker Asset ID” but this field was not populated by some collectors. Only “Device Asset ID” was available. Solution? Again we had to change the queries and look for “Attacker Asset ID” OR “Device Asset ID“.
Those are two good examples proving that there is NO SIEM solution that can be implemented out-of-the-box! Don’t trust vendors. Choose the solution that matches most of your requirements but expect to take time to deploy it!
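To make the two problems above concrete (the NTP false positive with a global list of trusted ports, and the reports that miss events whose collector only fills “Device Asset ID”), here is a small Python model of that PCI requirement #1 query. This is an added example, not code from the original post nor from any SIEM vendor: the active list names, field names, IP addresses and asset ids are all constructed for the example, and the three conditions on the target are modelled as plain sets.

```python
"""Toy model of the PCI requirement #1 "disallowed traffic from the DMZ" query.

Added example, not the post's own code nor a SIEM's: it shows why a single
global active list of trusted ports turns the DMZ -> NTP (port 123) event into
a false positive, why trusting port 123 globally would instead hide real
violations, and how an active list keyed on (DMZ source, destination port)
fixes both. It also applies the normalization fallback from the post:
"Attacker Asset ID" OR "Device Asset ID". All values below are constructed.
"""
from functools import partial

# Constructed active lists (the names are this example's assumptions).
KNOWN_DMZ_DESTINATIONS = {"10.0.0.5"}          # regular destinations from the DMZ
TRUSTED_TARGETS = {"10.0.0.9"}
CARDHOLDER_TARGETS = {"10.1.0.10"}
DMZ_SOURCES = {"192.168.1.10", "192.168.1.20", "192.168.1.30"}  # hosts flagged as DMZ attackers
VPN_DEVICES = {"vpn-gw"}
SIEM_DEVICES = {"siem-collector"}

# Original approach: one global list of allowed destination ports.
TRUSTED_PORTS = {53, 443}

# Replacement approach: which DMZ source may use which destination port.
ALLOWED_SOURCE_PORTS = {
    ("192.168.1.10", 123),   # the only DMZ host that is allowed to sync time
    ("192.168.1.10", 443),
    ("192.168.1.20", 53),
}

# Constructed firewall events as they would look after normalization.
# The third event comes from a collector that fills only "device_asset_id".
EVENTS = [
    {"attacker_asset_id": "dmz-web-01", "device_asset_id": "fw-01", "device": "fw-01",
     "source": "192.168.1.10", "target": "203.0.113.7", "port": 123},    # legitimate NTP
    {"attacker_asset_id": "dmz-app-03", "device_asset_id": "fw-01", "device": "fw-01",
     "source": "192.168.1.30", "target": "203.0.113.7", "port": 123},    # unexpected NTP
    {"attacker_asset_id": None, "device_asset_id": "dmz-mail-01", "device": "dmz-mail-01",
     "source": "192.168.1.20", "target": "198.51.100.4", "port": 443},   # HTTPS, no attacker id
    {"attacker_asset_id": "dmz-web-01", "device_asset_id": "fw-01", "device": "fw-01",
     "source": "192.168.1.10", "target": "10.0.0.9", "port": 25},        # trusted target
    {"attacker_asset_id": "dmz-web-01", "device_asset_id": "vpn-gw", "device": "vpn-gw",
     "source": "192.168.1.10", "target": "203.0.113.9", "port": 8080},   # reported by a VPN device
]


def asset_id(event):
    """Normalization fallback: prefer Attacker Asset ID, else Device Asset ID."""
    return event.get("attacker_asset_id") or event.get("device_asset_id")


def target_is_known(event):
    """The three OR-ed conditions on the target in the original query."""
    target = event["target"]
    return (target in KNOWN_DMZ_DESTINATIONS or target in TRUSTED_TARGETS
            or target in CARDHOLDER_TARGETS)


def passes_common_filters(event):
    """Conditions shared by both versions of the query."""
    return (not target_is_known(event)
            and event["device"] not in VPN_DEVICES
            and event["device"] not in SIEM_DEVICES
            and event["source"] in DMZ_SOURCES)


def disallowed_global_ports(event, trusted_ports=TRUSTED_PORTS):
    """Original query: the port is checked against one global active list."""
    return passes_common_filters(event) and event["port"] not in trusted_ports


def disallowed_source_port_pairs(event, allowed_pairs=ALLOWED_SOURCE_PORTS):
    """Replacement: the (source, port) pair must be explicitly allowed."""
    return passes_common_filters(event) and (event["source"], event["port"]) not in allowed_pairs


def run_report(events, rule):
    """Return the asset ids of the DMZ hosts the report would list, in event order."""
    return [asset_id(e) for e in events if rule(e)]


if __name__ == "__main__":
    print("global port list:         ", run_report(EVENTS, disallowed_global_ports))
    print("port 123 trusted globally:", run_report(
        EVENTS, partial(disallowed_global_ports, trusted_ports=TRUSTED_PORTS | {123})))
    print("(source, port) pairs:     ", run_report(EVENTS, disallowed_source_port_pairs))
```

With the global port list the legitimate NTP client is reported alongside the rogue one; adding 123 to that list silences both, so the rogue host disappears from the PCI report. The (source, port) list keeps the rogue NTP client in the report and also catches the mail server using HTTPS, which the global list had waved through because 443 was trusted for everybody. The third event only appears at all because `asset_id()` falls back to the Device Asset ID.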
My clock tower is completed! I left home yesterday at 6AM for Disneyland Resort Paris and I’m just back at 6AM. It’s too late to go to bed so I finished writing my Nuit du Hack wrap-up. This was the first time I attended this event. In previous years, I always attended Hack in Paris, which is organised at the same place the week before. The Nuit du Hack is first of all the biggest CTF contest organised in France. For this edition, more than 1300 people attended the event. It’s an impressive organisation! But before the CTF, talks are also organised during the day. Here is my quick review of them.