Thursday, November 3, 2016

Russian researchers expose breakthrough U.S. spying

By Joseph Menn | SAN FRANCISCO

The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world's computers, according to cyber researchers and former operatives.

That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Lab, the Moscow-based security software maker that has exposed a series of Western cyberespionage operations.

Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said. (reut.rs/1L5knm0)

The firm declined to publicly name the country behind the spying campaign, but said it was closely linked to Stuxnet, the NSA-led cyberweapon that was used to attack Iran's uranium enrichment facility. The NSA is the agency responsible for gathering electronic intelligence on behalf of the United States.

A former NSA employee told Reuters that Kaspersky's analysis was correct, and that people still in the intelligence agency valued these spying programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it.

NSA spokeswoman Vanee Vines declined to comment.

Kaspersky published the technical details of its research on Monday, which should help infected institutions detect the spying programs, some of which trace back as far as 2001.

The disclosure could further hurt the NSA's surveillance abilities, already damaged by massive leaks by former contractor Edward Snowden. Snowden's revelations have hurt the United States' relations with some allies and slowed the sales of U.S. technology products abroad.

The exposure of these new spying tools could lead to greater backlash against Western technology, particularly in countries such as China, which is already drafting regulations that would require most bank technology suppliers to proffer copies of their software code for inspection.

Peter Swire, one of five members of U.S. President Barack Obama's Review Group on Intelligence and Communications Technology, said the Kaspersky report showed that it is essential for the country to consider the possible impact on trade and diplomatic relations before deciding to use its knowledge of software flaws for intelligence gathering.

"There can be serious negative effects on other U.S. interests," Swire said.

TECHNOLOGICAL BREAKTHROUGH

According to Kaspersky, the spies made a technological breakthrough by figuring out how to lodge malicious software in the obscure code called firmware that launches every time a computer is turned on.

Disk drive firmware is viewed by spies and cybersecurity experts as the second-most valuable real estate on a PC for a hacker, second only to the BIOS code invoked automatically as a computer boots up.

"The hardware will be able to infect the computer over and over," lead Kaspersky researcher Costin Raiu said in an interview.

Though the leaders of the still-active espionage campaign could have taken control of thousands of PCs, giving them the ability to steal files or eavesdrop on anything they wanted, the spies were selective and only established full remote control over machines belonging to the most desirable foreign targets, according to Raiu. He said Kaspersky found only a few especially high-value computers with the hard-drive infections.

Kaspersky's reconstructions of the spying programs show that they could work in disk drives sold by more than a dozen companies, comprising essentially the entire market. They include Western Digital Corp, Seagate Technology Plc, Toshiba Corp, IBM, Micron Technology Inc and Samsung Electronics Co Ltd.

Western Digital, Seagate and Micron said they had no knowledge of these spying programs. Toshiba and Samsung declined to comment. IBM did not respond to requests for comment.

GETTING THE SOURCE CODE

Raiu said the authors of the spying programs must have had access to the proprietary source code that directs the actions of the hard drives. That code can serve as a roadmap to vulnerabilities, allowing those who study it to launch attacks much more easily.

"There is zero chance that someone could rewrite the [hard drive] operating system using public information," Raiu said.

Concerns about access to source code flared after a series of high-profile cyberattacks on Google Inc and other U.S. companies in 2009 that were blamed on China. Investigators have said they found evidence that the hackers gained access to source code from several big U.S. tech and defense companies.

It is not clear how the NSA may have obtained the hard drives' source code. Western Digital spokesman Steve Shattuck said the company "has not provided its source code to government agencies." The other hard drive makers would not say if they had shared their source code with the NSA.

Seagate spokesman Clive Over said it has "secure measures to prevent tampering or reverse engineering of its firmware and other technologies." Micron spokesman Daniel Francisco said the company took the security of its products seriously and "we are not aware of any instances of foreign code."

According to former intelligence operatives, the NSA has multiple ways of obtaining source code from tech companies, including asking directly and posing as a software developer. If a company wants to sell products to the Pentagon or another sensitive U.S. agency, the government can request a security audit to make sure the source code is safe.

"They don't admit it, but they do say, 'We're going to do an evaluation, we need the source code,'" said Vincent Liu, a partner at security consulting firm Bishop Fox and former NSA analyst. "It's usually the NSA doing the evaluation, and it's a pretty small leap to say they're going to keep that source code."

Kaspersky called the authors of the spying program "the Equation group," named after their embrace of complex encryption formulas.

The group used a variety of means to spread other spying programs, such as by compromising jihadist websites, infecting USB sticks and CDs, and developing a self-spreading computer worm called Fanny, Kaspersky said.

Fanny was like Stuxnet in that it exploited two of the same undisclosed software flaws, known as "zero days," which strongly suggested collaboration by the authors, Raiu said. He added that it was "quite possible" that the Equation group used Fanny to scout out targets for Stuxnet in Iran and spread the virus.

(Reporting by Joseph Menn; Editing by Tiffany Wu)

Monday, October 24, 2016

Russian researchers expose breakthrough U.S. spying program

http://www.reuters.com/article/us-usa-cyberspying-idUSKBN0LK1QV20150217


By Joseph Menn | SAN FRANCISCO
The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world's computers, according to cyber researchers and former operatives.
That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Lab, the Moscow-based security software maker that has exposed a series of Western cyberespionage operations.
Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said. (reut.rs/1L5knm0)
The firm declined to publicly name the country behind the spying campaign, but said it was closely linked to Stuxnet, the NSA-led cyberweapon that was used to attack Iran's uranium enrichment facility. The NSA is the U.S. agency responsible for gathering electronic intelligence.
A former NSA employee told Reuters that Kaspersky's analysis was correct, and that people still in the spy agency valued these espionage programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it.
NSA spokeswoman Vanee Vines said the agency was aware of the Kaspersky report but would not comment on it publicly.
Kaspersky published the technical details of its research on Monday, a move that could help infected institutions detect the spying programs, some of which trace back as far as 2001. (bit.ly/17bPUUe)
The disclosure could hurt the NSA's surveillance abilities, already damaged by massive leaks by former contractor Edward Snowden. Snowden's revelations have upset some U.S. allies and slowed the sales of U.S. technology products abroad.
The exposure of these new spying tools could lead to greater backlash against Western technology, particularly in countries such as China, which is already drafting regulations that would require most bank technology suppliers to proffer copies of their software code for inspection.
Peter Swire, one of five members of U.S. President Barack Obama's Review Group on Intelligence and Communications Technology, said the Kaspersky report showed that it is essential for the country to consider the possible impact on trade and diplomatic relations before deciding to use its knowledge of software flaws for intelligence gathering.
"There can be serious negative effects on other U.S. interests," Swire said.
TECHNOLOGICAL BREAKTHROUGH
According to Kaspersky, the spies made a technological breakthrough by figuring out how to lodge malicious software in the obscure code called firmware that launches every time a computer is turned on.
Disk drive firmware is viewed by spies and cybersecurity experts as the second-most valuable real estate on a PC for a hacker, second only to the BIOS code invoked automatically as a computer boots up.
"The hardware will be able to infect the computer over and over," lead Kaspersky researcher Costin Raiu said in an interview.
Though the leaders of the still-active espionage campaign could have taken control of thousands of PCs, giving them the ability to steal files or eavesdrop on anything they wanted, the spies were selective and only established full remote control over machines belonging to the most desirable foreign targets, according to Raiu. He said Kaspersky found only a few especially high-value computers with the hard-drive infections.
Kaspersky's reconstructions of the spying programs show that they could work in disk drives sold by more than a dozen companies, comprising essentially the entire market. They include Western Digital Corp, Seagate Technology Plc, Toshiba Corp, IBM, Micron Technology Inc and Samsung Electronics Co Ltd.
Western Digital, Seagate and Micron said they had no knowledge of these spying programs. Toshiba and Samsung declined to comment. IBM did not respond to requests for comment.
GETTING THE SOURCE CODE
Raiu said the authors of the spying programs must have had access to the proprietary source code that directs the actions of the hard drives. That code can serve as a roadmap to vulnerabilities, allowing those who study it to launch attacks much more easily.
"There is zero chance that someone could rewrite the [hard drive] operating system using public information," Raiu said.
Concerns about access to source code flared after a series of high-profile cyberattacks on Google Inc and other U.S. companies in 2009 that were blamed on China. Investigators have said they found evidence that the hackers gained access to source code from several big U.S. tech and defense companies.
It is not clear how the NSA may have obtained the hard drives' source code. Western Digital spokesman Steve Shattuck said the company "has not provided its source code to government agencies." The other hard drive makers would not say if they had shared their source code with the NSA.
Seagate spokesman Clive Over said it has "secure measures to prevent tampering or reverse engineering of its firmware and other technologies." Micron spokesman Daniel Francisco said the company took the security of its products seriously and "we are not aware of any instances of foreign code."
According to former intelligence operatives, the NSA has multiple ways of obtaining source code from tech companies, including asking directly and posing as a software developer. If a company wants to sell products to the Pentagon or another sensitive U.S. agency, the government can request a security audit to make sure the source code is safe.
"They don't admit it, but they do say, 'We're going to do an evaluation, we need the source code,'" said Vincent Liu, a partner at security consulting firm Bishop Fox and former NSA analyst. "It's usually the NSA doing the evaluation, and it's a pretty small leap to say they're going to keep that source code."
The NSA declined to comment on any allegations in the Kaspersky report. Vines said the agency complies with the law and White House directives to protect the United States and its allies "from a wide array of serious threats."
Kaspersky called the authors of the spying program "the Equation group," named after their embrace of complex encryption formulas.
The group used a variety of means to spread other spying programs, such as by compromising jihadist websites, infecting USB sticks and CDs, and developing a self-spreading computer worm called Fanny, Kaspersky said.
Fanny was like Stuxnet in that it exploited two of the same undisclosed software flaws, known as "zero days," which strongly suggested collaboration by the authors, Raiu said. He added that it was "quite possible" that the Equation group used Fanny to scout out targets for Stuxnet in Iran and spread the virus.
(Reporting by Joseph Menn; Editing by Tiffany Wu)

Saturday, July 2, 2016

How I Cracked a Keylogger and Ended Up in Someone's Inbox

https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keylogger-and-Ended-Up-in-Someone-s-Inbox/

It all started with a spam campaign. Figure 1 shows a campaign we recently picked up in our spam traps, carrying a suspicious document attachment. Notice how poor the English is; that alone should serve as a warning sign to the recipients.
Figure 1: Spam Sample
The attachment uses the ".doc" file extension but is actually in Rich Text Format (RTF). The file contains a specially crafted RTF stack overflow exploit, which I determined to be CVE-2010-3333, a flaw in the Microsoft Word RTF parser's handling of the "pFragments" shape property. This vulnerability had been patched more than half a decade ago.
Figure 2. Obfuscated shellcode in a specially crafted RTF file
As you can see in Figure 2, the exploit and the shellcode were obfuscated to evade antivirus detection. After extracting, cleaning up and decoding the exploit, I found that the shellcode downloads and executes a file from the domain volafile[.]io.
Figure 3. Shellcode HEX dump
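The two observations above (a ".doc" whose bytes are RTF, and an RTF that names the pFragments shape property) are cheap to check at triage time. The following PowerShell function is an added example, not code from the SpiderLabs post; the RTF bytes it runs on are constructed for the demonstration and carry no exploit, and the function name is my own.

```powershell
# Added example, not code from the SpiderLabs post: triage an attachment the way
# the post describes the sample (a .doc that is really RTF and names the
# pFragments shape property). The sample bytes are constructed and carry no exploit.

function Test-RtfMasquerade {
    param(
        [Parameter(Mandatory)][string]$FileName,   # attachment name as seen in the mail
        [Parameter(Mandatory)][byte[]]$Bytes       # attachment content
    )
    $findings = @()

    # RTF documents start with the literal "{\rtf"; Word opens them regardless of
    # extension, which is what lets a ".doc" lure deliver an RTF exploit.
    $headLen = [Math]::Min(5, $Bytes.Length)
    $head    = [System.Text.Encoding]::ASCII.GetString($Bytes, 0, $headLen)
    $isRtf   = $head -eq '{\rtf'
    $ext     = [System.IO.Path]::GetExtension($FileName).ToLowerInvariant()

    if ($isRtf -and $ext -ne '.rtf') {
        $findings += "Extension '$ext' but content is RTF"
    }
    if ($isRtf) {
        # \sn names a shape property; pFragments is the one CVE-2010-3333 abuses.
        # Lures obfuscate control words, so a miss here proves nothing.
        $text = [System.Text.Encoding]::ASCII.GetString($Bytes)
        if ($text -match '\\sn\s*pFragments') {
            $findings += 'Declares the pFragments shape property (associated with CVE-2010-3333)'
        }
    }
    return $findings
}

# Constructed sample: the structure of an RTF shape property, with a harmless value.
$constructedRtf = [System.Text.Encoding]::ASCII.GetBytes(
    '{\rtf1\ansi{\shp{\*\shpinst{\sp{\sn pFragments}{\sv 0}}}}}')
Test-RtfMasquerade -FileName 'Invoice.doc' -Bytes $constructedRtf

# Against a quarantined attachment:
# Test-RtfMasquerade -FileName 'Invoice.doc' -Bytes ([System.IO.File]::ReadAllBytes('C:\quarantine\Invoice.doc'))
```

Run against the constructed sample it returns two findings, the extension mismatch and the pFragments reference. Treat a hit as a reason to detonate or hand off the file, not as a verdict, and treat a miss as no information: the post's own sample had its exploit and shellcode obfuscated.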

THE PAYLOAD
Figure 4. The downloaded executable file

The downloaded file is a Microsoft .NET Win32 executable. A quick hex dump of the file gave a very interesting clue: I was dealing with a HawkEye keylogger build.
Figure 5. HawkEye Keylogger string in the malware body
With a little bit of Google-Fu, the string pointed me to the website that develops this keylogger. On the website, they list all of its "awesome features".
Figure 6. HawkEye Keylogger Features
In my quick dynamic analysis, the keylogger dropped a copy of itself into the Application Data (%appdata%) folder under the filename WindowsUpdate.exe. It sets an autorun registry entry so that it persists on the Windows system across reboots.
Figure 7. Keylogger's installation routine
It also drops the following files in the infected system:
  • %Temp%\Sysinfo.txt – the dropped malware executable path
  • %Appdata%\pid.txt – the malware process ID
  • %Appdata%\pidloc.txt – the malware process executable location
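The persistence artefacts just listed are the kind a responder can sweep for. The following PowerShell check is an added example, not code from the SpiderLabs post: it inspects the autorun entries and the three marker files, and can be exercised offline against the constructed Run-key entries included. Which registry hive the autorun entry lands in is not stated in the post, so both the per-user and machine-wide Run keys are checked; the function names are my own.

```powershell
# Added example, not code from the SpiderLabs post. Looks for the HawkEye
# persistence described there: a Run entry launching WindowsUpdate.exe from
# %APPDATA%, plus the three dropped text files. Assumption: the post does not say
# which hive holds the autorun entry, so both HKCU and HKLM Run keys are read.

function Get-RunEntries {
    # Returns autorun entries as "<key>\<valueName>" => command line.
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $entries = @{}
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata the provider adds.
            if ($p.Name -notmatch '^PS') { $entries["$k\$($p.Name)"] = [string]$p.Value }
        }
    }
    return $entries
}

function Test-HawkEyePersistence {
    [CmdletBinding()]
    param(
        # Autorun entries as name => command line; defaults to the live machine.
        [hashtable]$RunEntries = (Get-RunEntries),
        # Dropped marker files to test for; defaults to the current user's profile.
        [string[]]$DroppedFiles = @(
            (Join-Path $env:TEMP    'Sysinfo.txt'),
            (Join-Path $env:APPDATA 'pid.txt'),
            (Join-Path $env:APPDATA 'pidloc.txt')
        )
    )
    $findings = @()

    # Genuine Windows Update components live under %WINDIR%; a "WindowsUpdate.exe"
    # started from the roaming profile is the masquerade the post describes.
    foreach ($name in $RunEntries.Keys) {
        $cmd = $RunEntries[$name]
        if ($cmd -match '(\\AppData\\Roaming|%APPDATA%)\\WindowsUpdate\.exe') {
            $findings += "Autorun entry '$name' launches $cmd"
        }
    }
    foreach ($path in $DroppedFiles) {
        if (Test-Path -LiteralPath $path) {
            $findings += "Dropped marker file present: $path"
        }
    }
    return $findings
}

# Constructed Run-key entries so the check can be exercised offline:
$sampleRun = @{
    'OneDrive'      = '"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'
    'WindowsUpdate' = 'C:\Users\alice\AppData\Roaming\WindowsUpdate.exe'
}
Test-HawkEyePersistence -RunEntries $sampleRun -DroppedFiles @()

# Live sweep of the current host:
Test-HawkEyePersistence
```

On the constructed input only the second entry is reported. The marker-file names are specific to this build; a different HawkEye configuration may drop differently named files, so treat the list as a starting point rather than a signature.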
I then observed the keylogger process trying to obtain the infected system's external IP address from checkip.dyndns.com. This legitimate website is commonly used by malware to determine the infected system's IP address.
Figure 8. Packet capture of the keylogger obtaining the infected machine's IP address
Shortly afterwards I observed SMTP traffic in which the infected system's information was sent to the attacker's email address.
Figure 9. Email sent by the keylogger to the attacker's email address, containing the system information
The information may include:
  • CPU Name (computer name)
  • Local Date and Time
  • Installed Language
  • OS Installed
  • Platform
  • OS Version
  • Memory installed
  • .Net Framework Installed
  • System Privileges
  • Default Browser
  • Installed Firewall
  • Internal IP Address
  • External IP Address
  • Recovered Email settings and passwords
  • Recovered Browser and FTP passwords
As previously mentioned, the keylogger was compiled with Microsoft .NET, so the next step was to decompile the executable. I used the open-source .NET decompiler ILSpy for this task.
Figure 10. HawkEye keylogger decompiled source code
I took a closer look at the decompiled source code and compared it with the list of "Awesome Features". I can confirm that the claims are legitimate; I found the following features in the code:
Keylogging.
Figure 11. Keylogging routine
A clipboard stealer/logger.
Figure 12. Clipboard logging routine
A browser, FTP, and mail client password stealer. It also attempts to steal password manager credentials and Windows keys.
Figure 13.
A worm-like USB infection routine that allows the keylogger to spread to other Windows machines.
Figure 14. USB infection routine
It may also target users of the online gaming platform Steam. It deletes the configuration and login data files so that the user is forced to log in again, giving the keylogger an opportunity to steal the user's Steam credentials.
Figure 15. Steam deletion routine
The stolen information, including desktop screenshots, is sent either to the attacker's email address or to an FTP server, depending on how the keylogger was configured.
Figure 16. Email sending routine
The attacker may also configure the keylogger to upload the stolen information through an HTTP tunnel to a PHP host, but that code appears to have been voided.
Figure 17.
The most interesting part I found in the decompiled code, however, is a C# constructor named Form1(). This is where the keylogger configuration is stored. To protect the attacker's email and FTP credentials, these values were encrypted with the Rijndael algorithm and then Base64-encoded.
Figure 18. The keylogger configuration
As you may know, encrypted data is not always secure, especially when the decryption routine ships in the decompiled source code!
Figure 19. The keylogger calls the Decrypt method
Figure 20 shows the "Decrypt" method. It accepts two string parameters, encryptedBytes and secretKey, and the secret key happens to be the hardcoded string HawkSpySoftwares.
Figure 20. The decryption routine
As mentioned, the keylogger uses the Rijndael algorithm, and the secret key is salted with the Unicode string "099u787978786", which is also hardcoded.
Figure 21. The keylogger uses the Rijndael algorithm
Out of curiosity, I copied the decryption part of the code, modified it accordingly and compiled it in MS Visual Studio, and of course the decryption was successful. (Sorry, I need to blur the credentials :))
Figure 22. The decrypted email and FTP credentials
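The same recovery can be done without Visual Studio, because PowerShell can call the .NET classes the keylogger itself uses. The block below is an added example, not the keylogger's code or the post's: it rebuilds the kind of Decrypt routine described above around the hardcoded passphrase and Unicode salt, and round-trips a constructed configuration string so the demonstration needs no real ciphertext. The post shows the routine only as screenshots, so the following are assumptions to verify against the sample: passphrase and salt are combined with .NET's Rfc2898DeriveBytes (PBKDF2, its default 1000 iterations), the first 32 derived bytes become the key and the next 16 the IV, the cipher runs in CBC mode with PKCS7 padding, and the plaintext strings are Encoding.Unicode (UTF-16LE).

```powershell
# Added example, not the keylogger's own code: a PowerShell rebuild of the kind of
# Decrypt routine the post describes, using the hardcoded passphrase and Unicode salt.
# Assumptions (the post shows the routine only as screenshots): Rfc2898DeriveBytes
# (PBKDF2, 1000 iterations) derives key then IV from one stream, CBC mode with PKCS7
# padding, and plaintext strings are UTF-16LE. Tested shape for Windows PowerShell
# 5.1; PowerShell 7 has the same classes, marked obsolete but functional.

function Get-HawkEyeAlgorithm {
    param([string]$SecretKey, [string]$Salt)
    $saltBytes = [System.Text.Encoding]::Unicode.GetBytes($Salt)
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($SecretKey, $saltBytes, 1000)
    $aes = New-Object System.Security.Cryptography.RijndaelManaged
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    # Key and IV are consecutive slices of one PBKDF2 output stream, so order matters.
    $aes.Key = $kdf.GetBytes([int]($aes.KeySize / 8))    # 32 bytes
    $aes.IV  = $kdf.GetBytes([int]($aes.BlockSize / 8))  # 16 bytes
    return $aes
}

function Unprotect-HawkEyeString {
    param(
        [string]$EncryptedBase64,
        [string]$SecretKey = 'HawkSpySoftwares',   # hardcoded in the sample, per the post
        [string]$Salt      = '099u787978786'       # likewise
    )
    $aes    = Get-HawkEyeAlgorithm -SecretKey $SecretKey -Salt $Salt
    $cipher = [Convert]::FromBase64String($EncryptedBase64)
    $plain  = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    return [System.Text.Encoding]::Unicode.GetString($plain)
}

function Protect-HawkEyeString {
    # The inverse, so the example can be exercised without a captured blob.
    param(
        [string]$PlainText,
        [string]$SecretKey = 'HawkSpySoftwares',
        [string]$Salt      = '099u787978786'
    )
    $aes   = Get-HawkEyeAlgorithm -SecretKey $SecretKey -Salt $Salt
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($PlainText)
    return [Convert]::ToBase64String($aes.CreateEncryptor().TransformFinalBlock($bytes, 0, $bytes.Length))
}

# Constructed stand-in for the blurred Form1() values; no real credentials.
$sampleConfig = 'ftp.example.invalid|ftpuser|PLACEHOLDER-PASSWORD'
$blob         = Protect-HawkEyeString -PlainText $sampleConfig
$recovered    = Unprotect-HawkEyeString -EncryptedBase64 $blob
"{0}`n -> {1}" -f $blob, $recovered

# Decrypting a value lifted from a sample's decompiled Form1():
# Unprotect-HawkEyeString -EncryptedBase64 '<base64 string from the constructor>'
```

The point the post makes is visible in the code: with passphrase, salt and derivation all fixed in the binary, the "encryption" is reversible by anyone holding the sample, so it amounts to obfuscation. If a real blob fails to decrypt or yields garbage, the first things to re-check against the decompiled GetAlgorithm method are the iteration count, the key/IV order and the plaintext encoding.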
Naturally, I checked out these email inboxes.
Figure 23. Supposedly the attacker's email login
They appear to be email accounts on compromised systems. So I checked the email settings, and surprise, surprise! The emails sent to this inbox are automatically rerouted to the attacker's Gmail account. You can see in the screenshot below the consistency between the downloaded keylogger's filename and the attacker's Gmail username (Seemaexport….).
Figure 24. Emails are rerouted to the attacker's own email address
CONCLUSION
Perhaps the attacker knows that the HawkEye keylogger can be easily cracked; to protect their own email credentials, they hijacked a compromised email account as the initial receiver, which then forwards the emails on to the attacker's own address.
We have reported the compromised email accounts to their rightful owners so that they can change their passwords and remove the attacker's email address from their forwarding settings.
Since this was written, we have received similar spam messages with RTF attachments, this time containing the CVE-2012-0158 exploit. The payload is the same keylogger, but a different compromised email account is used as the first receiver of the stolen data.
The two vulnerabilities used in these attacks are old but still widely used in email attacks. As usual, it is advisable to keep your systems updated with the latest patches to protect against these old exploits. Trustwave Secure Email Gateway's AMAX (Advanced Malware and Exploit Detection) detected these RTF exploit attachments at the email gateway.

Saturday, June 18, 2016

How Hired Hackers Got “Complete Control” Of Palantir

https://www.buzzfeed.com/williamalden/how-hired-hackers-got-complete-control-of-palantir

Palantir hired a cybersecurity firm last year to test its digital defenses. A confidential report shows how the pro hackers were able to dominate the tech company’s network.
Palantir Technologies has cultivated a reputation as perhaps the most formidable data analysis firm in Silicon Valley, doing secretive work for defense and intelligence agencies as well as Wall Street giants. But when Palantir hired professional hackers to test the security of its own information systems late last year, the hackers found gaping holes that left data about customers exposed.
Palantir, valued at $20 billion, prides itself on an ability to guard important secrets, both its own and those entrusted to it by clients. But after being brought in to try to infiltrate these digital defenses, the cybersecurity firm Veris Group concluded that even a low-level breach would allow hackers to gain wide-ranging and privileged access to the Palantir network, likely leading to the “compromise of critical systems and sensitive data, including customer-specific information.”
This conclusion was presented in a confidential report, reviewed by BuzzFeed News, that detailed the results of a hacking exercise run by Veris over three weeks in September and October last year. The report, submitted on October 19, has been closely guarded inside Palantir and is described publicly here for the first time. “Palantir Use Only” is plastered across each page.
It is not known whether Palantir’s systems have ever been breached by real-world intruders. But the results of the hacking exercise — known as a “red team” test — show how a company widely thought to have superlative ability to safeguard data has struggled with its own data security.
The red team intruders, finding that Palantir lacked crucial internal defenses, ultimately “had complete control of PAL’s domain,” the Veris report says, using an acronym for Palantir. The report recommended that Palantir “immediately” take specific steps to improve its data security.
“The findings from the October 2015 report are old and have long since been resolved,” Lisa Gordon, a Palantir spokesperson, said in an emailed statement. “Our systems and our customers’ information were never at risk. As part of our best practices, we conduct regular reviews and tests of our systems, like every other technology company does.”
Virtually every company is vulnerable to hacks, to varying degrees. In recent years, red teams generally have had a high success rate in getting deep inside of companies’ networks, and they virtually always find at least some security flaws, according to an industry source. That Palantir did a red team exercise shows that it wanted to identify and repair any such flaws. The Veris report notes multiple strengths in Palantir’s defenses, including an “excellent” response by its security staff.
“Regular red team testing is the industry standard of excellence in maintaining a proactive security posture,” David McGuire, the director of Veris’ adaptive threat division, which handles red team services, said in an emailed statement. “Since the red team exercise conducted in 2015, Palantir has consistently carried out similar exercises with Veris Group and other vendors on a regular basis.”
Veris, a cybersecurity services and consulting firm based near Washington, DC, works with customers including Microsoft, AT&T, and the Department of Justice, according to its website. For Palantir, Veris staff acted as hackers to find out whether Palantir’s cybersecurity team could detect and stop them.
The exercise was not meant to test whether Veris could breach Palantir’s external wall. Instead, the red team was deliberately let in, to simulate what would happen if a Palantir employee succumbed to a very common and highly effective break-in technique called “spear phishing” (in which staff are targeted with innocuous-seeming emails containing harmful links or files that give attackers access to a computer). But from that point on, the Veris team went into hacker mode, using a range of tricks to spread through Palantir’s cyber fortress, the report shows.
That fortress turned out to have major vulnerabilities, and the Veris intruders soon sat themselves on the throne. In what the report calls a “complete compromise,” the intruders uncovered encryption keys and administrative credentials that allowed them to travel widely inside the network, accessing source code, office surveillance footage, and the internal wiki, which held sensitive data about customers and projects, according to the report.
Beyond these secrets, the red team intruders accessed Palantir’s network equipment, which would have let them control the company’s internet connection if they so chose. They even found what appeared to be “access to customer infrastructure,” according to the report, or hardware powering customers’ information technology. The report says that any hacker who got this far would “possibly” be able to hack Palantir’s customers as well.
Repeatedly, the red team intruders followed a straightforward process: Find credentials for a high-level account, and then use those credentials to ferret out additional credentials that conferred even more access. They were able to “position themselves in the network for long-term persistence,” the report says.
In a sign of their deep access, the intruders created a software tunnel to smuggle data out to their own servers, without being detected for most of the exercise, according to the report. Their presence was finally discovered, the report says, after they broke into the laptops of information security employees — but even then, the intruders were able to monitor the employees’ countermoves in real time, shifting tactics to evade them.
Palantir wasn’t totally defenseless, the report shows. Its network was segmented in a way that initially prevented the Veris intruders from moving very far, forcing them to take a riskier approach that increased their chances of being detected — though they managed to slip through without setting off any alarms. The company also made use of two-factor authentication, which at first “severely hampered” the intruders’ plans but ultimately just forced them, again, to use a more conspicuous strategy to gain access, according to the report.
When Palantir’s information security employees finally discovered the intruders, they “provided a rapid network response in which they identified and mitigated” the “majority” of the red team’s actions within days, the report says. Compared with other large companies, this defensive response was unusually robust, the industry source said, based on a reading of the report.
Started in part with CIA money, the 12-year-old Palantir has developed an aura of secrecy and potency that helps it recruit bright engineers and attract corporate clients. Its chairman is Peter Thiel, the widely admired venture capitalist and former PayPal CEO (who recently admitted to secretly funding a lawsuit brought by the wrestler Hulk Hogan against Gawker Media). Part software shop and part consulting firm, Palantir places its “forward deployed engineers” on-site at client offices and uses custom-tailored software to crunch vast amounts of data.
Its customers include financial institutions, such as the giant hedge fund Bridgewater Associates, and government groups such as the military’s Special Operations Command. Palantir is the third most valuable American technology startup, behind only Uber and Airbnb.
At the same time, Palantir has recently lost blue-chip clients, has struggled to stem staff departures, and has recorded 2015 revenue that was less than a quarter of its customer bookings, according to a BuzzFeed News report in early May. The report, based on a trove of internal documents and insider interviews, revealed that 102 employees had left Palantir this year through mid-April, or 5.8% of all staff.
When it comes to cybersecurity, experts advise companies to fortify their internal defenses — to ensure an initial breach doesn’t become a total takeover. Hackers are so good at getting through the external wall, often using spear phishing, that cyber experts routinely just assume such attackers will get in, according to Anup Ghosh, CEO of cyber threat firm Invincea.
“Almost every breach you read about happens through spear phishing, and the weak link is the human behind the keyboard. Spear phishing always, always works. You can’t un-train human behavior,” Ghosh told BuzzFeed News. “How do we make it so that these attacks can’t compromise the whole computer?”
As of last fall, Palantir had an inadequate answer to that question, the Veris report shows.
When the red team intruders from Veris got inside, they found that standard user accounts had local administrative access — rendering Palantir more vulnerable. This setup “effectively granted administrative access to the red team” and “removed a major hurdle in the attack methodology,” the report says. In general, tech companies tend to give more control to employees than more traditional companies do. For Palantir, allowing low-level users to have high-level access was a “high” risk, Veris concluded.
“Administrative privileges should be granted explicitly and only when necessary,” Veris says in the report, urging Palantir to “remove standard domain users from the local administrators group or implement controls to delegate administrative permissions as necessary.”
The red team soon found that a local administrative account — with an easily identifiable name — was enabled on numerous computers in the network, with identical password hashes on each computer, the report says. A password hash is a way of obscuring a password in a hard-to-crack format.
But the red team didn’t need to crack the hashes. Since they were already inside, they could use a technique called “pass-the-hash” to feed hashes, rather than the underlying passwords, into password verification systems, allowing them to hop from computer to computer, the report shows.
(Pass-the-hash attacks are a widely known way of exploiting a vulnerability in Windows systems, and Microsoft has released security updates to mitigate the problem. “But ultimately, all we’re doing is we’re in an arms race with the hackers,” Jonathan Cogley, founder of security software company Thycotic, said in a presentation on pass-the-hash last year.)
Veris classified the riskiness of the pass-the-hash vulnerability as “high,” recommending that Palantir disable the local administrative account where possible and use unique passwords for each computer.
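One way a defender can hunt for the pattern described above is to watch Windows logon events for a local account that turns up on many machines in a short time. This is an added example, not code from the Veris report or BuzzFeed: the field names are those of Windows Security event 4624, while the domain name, hosts, account and timestamps are constructed sample data.

```python
"""Hunt for shared-local-admin lateral movement in Windows 4624 logon events.

The signal: a LOCAL account (TargetDomainName is a hostname, not the AD domain)
producing NTLM network logons (LogonType 3) on several distinct hosts inside a
short window. That is what reuse of one local admin hash across a fleet looks
like from the defender's side, whether or not the password itself was cracked.
"""
from collections import defaultdict
from datetime import datetime, timedelta

AD_DOMAIN = "CORP"  # assumption: the organisation's NetBIOS domain name

# Constructed 4624-style records (not real logs), using standard field names.
SAMPLE_EVENTS = [
    {"time": "2015-10-01T08:30:00", "host": "WS-020", "TargetUserName": "helpdesk",
     "TargetDomainName": "WS-020", "LogonType": 2,
     "AuthenticationPackageName": "Negotiate", "IpAddress": "-"},
    {"time": "2015-10-01T09:00:05", "host": "WS-011", "TargetUserName": "helpdesk",
     "TargetDomainName": "WS-011", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.23"},
    {"time": "2015-10-01T09:01:00", "host": "FS-01", "TargetUserName": "alice",
     "TargetDomainName": "CORP", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.7.4"},
    {"time": "2015-10-01T09:02:40", "host": "WS-012", "TargetUserName": "helpdesk",
     "TargetDomainName": "WS-012", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.23"},
    {"time": "2015-10-01T09:03:10", "host": "WS-013", "TargetUserName": "helpdesk",
     "TargetDomainName": "WS-013", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.23"},
    {"time": "2015-10-01T09:09:55", "host": "TS-01", "TargetUserName": "helpdesk",
     "TargetDomainName": "TS-01", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.23"},
]


def is_local_account(event):
    """A 4624 whose TargetDomainName is not the AD domain is a local account."""
    return event["TargetDomainName"].upper() != AD_DOMAIN.upper()


def find_shared_local_admin_hops(events, window=timedelta(minutes=30), min_hosts=3):
    """Return {account: sorted hosts} for every local account that made NTLM
    network logons on at least `min_hosts` distinct hosts within `window`."""
    by_account = defaultdict(list)
    for e in events:
        if (e["LogonType"] == 3 and e["AuthenticationPackageName"] == "NTLM"
                and is_local_account(e)):
            by_account[e["TargetUserName"].lower()].append(
                (datetime.fromisoformat(e["time"]), e["host"], e["IpAddress"]))
    findings = {}
    for account, hits in by_account.items():
        hits.sort()
        for i, (t0, _, _) in enumerate(hits):  # sliding window over the hits
            hosts = {h for t, h, _ in hits[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                findings[account] = sorted(hosts)
                break
    return findings


if __name__ == "__main__":
    for account, hosts in find_shared_local_admin_hops(SAMPLE_EVENTS).items():
        print(f"local account '{account}' hopped across {len(hosts)} hosts: {hosts}")
```

The domain account and the interactive (LogonType 2) logon in the sample are ignored, so only the reused local account is reported; the fix the report recommends, a unique password per machine or disabling the account, makes this pattern disappear.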
The red team had difficulty, however, moving outside its network segment, analogous to a walled room inside a building. So the team infiltrated a terminal server — a central server where multiple people, including some with privileged access, log on and perform important tasks. From this new vantage point, the intruders scanned the surrounding network and found credentials for a domain administrator account, which conferred a high level of access, the report shows.
Terminal servers make an obvious target for hackers, since they often contain high-level credentials. They tend to be well protected, however, making a hack risky. In Palantir’s case, the red team found that logon activities at the terminal server were “not heavily monitored,” according to the report.
After scooping up credentials for a system engineer, the intruders broke into systems related to the proxy server, an important data hub. They then set up an encrypted tunnel running outside the network to their own servers, for pilfering data. This step, again, would be risky for a hacker. But the tunnel “went undetected for most of the engagement,” allowing the red team to “access and data-mine internal Palantir web applications, as well as access servers of interest,” the report says.
“The lack of egress controls can allow an attacker to establish unrestricted communications with a remote server, outside of Palantir’s network,” the Veris report says. “An attacker can also leverage this vulnerability to successfully exfiltrate sensitive data from Palantir’s systems.”
Before long, the red team had found the central wiki, where they “observed sensitive data pertaining to customers, budgets, deployments, and locations,” according to the report. Palantir uses quirky codenames to refer to its customers — as of last month, “Nancy Drew” was Nasdaq, and “Stones” was BP, for example — and the red team was in some cases “able to map codenames to customers,” the report says. In a separate application, the intruders found “source code for a number of sensitive projects.”
The red team’s next target was a secure database — essentially a safe — that stored the credentials to access critically important systems. A master key, itself stored in a secure file, would open the safe.
That the red team even found this safe at all is a concern, the report suggests. Several “essential information systems,” including the safe, were “relatively easy to locate and access on the domain,” according to the report.
After analyzing the master key file, the intruders were able to decrypt it, opening the safe, the report shows.
Using information they found there, the intruders accessed switches and other devices that underpinned communication on the network. Anyone with access to a company’s network equipment can control the flow of network traffic — with the ability to filter traffic or even reroute it — though there is no indication the red team attempted to do this.
In addition, “access to customer infrastructure appeared to be stored” in the safe, according to the report. In enterprise computing, “infrastructure” is a broad term that includes the servers, routers, and other pieces of equipment that a company relies on for its business.
A hacker, moreover, could exploit weaknesses in the safe’s security “to access credentials and valuable information that will ultimately lead to compromise of most, if not all, of Palantir’s network devices, systems, and possibly customer infrastructure as well,” the report says. Veris urged Palantir to add another layer of security to the file containing the master key.
McGuire of Veris said in a phone interview with BuzzFeed News that, in general, a red team would never do anything “destructive” during an exercise, nor would it ever “test organizations that are not signed up for the assessment.” He said: “The demonstration of access is as far as we go.”
Even Palantir’s defense efforts were visible to the red team. The intruders found an “InfoSec Onboarding” page on the wiki that detailed Palantir’s security infrastructure. They monitored security devices and “ensured that their actions were not being logged.”
This was when, according to the report, the red team intruders had “complete control” of the Palantir domain. Their final task was to break into the Mac laptops of information security employees — the fortress guards. This they did, using a system that typically sent out software updates, and soon were able to get passwords and screenshots, review saved files, and “observe all user activity,” the report says.
They were finally caught while attempting to upload a screenshot to one of their own servers, according to the report. A piece of security software called Little Snitch — which regulates data sent out from a computer to the internet — was installed on one of the information security employees’ laptops, and it flagged the suspicious upload attempt, the report says. Little Snitch, while popular in the cybersecurity world, was not standard software for these employees, according to one person familiar with the matter.
Soon, Palantir security employees identified the red team’s attack tools and set up firewalls to block communications to the red team servers. These defenders “successfully demonstrated the ability to trace malicious activity across the domain and take the appropriate steps to neutralize an insider threat,” the report says.
But the red team still had an edge.
“The assessment team was able to observe all investigative actions as progress was tracked and noted,” the Veris report says. This allowed the intruders to “maintain their presence in the network, even after discovery,” by changing key elements of their attack tools.
According to the Veris report, “the red team successfully evaded defenders up until the last day of the engagement.”
Sheera Frenkel contributed to this report.

Saturday, September 26, 2015

Troy’s ultimate list of security links

http://www.troyhunt.com/2015/09/troys-ultimate-list-of-security-links.html

I’ve got a heap of resources I constantly come back to in talks, workshops and just during the course of my everyday work. Frankly, I have trouble remembering them all myself plus I reckon they’re kinda useful for other people too so I thought I’d drop them all into a post here. If you’ve got good stuff I’ve missed (and you almost certainly will), drop it into the comments below as I’d love to add to my own set of resources plus that way it gets shared with everyone. Enjoy!

SSL / TLS / HTTPS

  1. Is TLS fast yet – A great site debunking the myths of SSL/TLS speed cost
  2. Firesheep – A watershed moment for SSL by demonstrating the ease with which unprotected traffic can be intercepted and sessions hijacked
  3. Qualys SSL Labs – Tests a variety of attributes of the SSL implementation by pointing it at any URL
  4. CloudFlare – Get SSL for free on any website
  5. Let’s Encrypt – It’s coming, and it promises to fix the current mess that is CAs and configuring certs
  6. Betsy’s free wifi – Shows a young girl standing up a rogue wifi hot spot
  7. Chromium HSTS preload list – All the sites submitted for HTTP strict transport security preload (a depressingly small number of them)
  8. HTTP Shaming – Sensitive data sent insecurely? Name and shame!

DDoS

  1. Krista’s professional DDoS service – Video of an innocent teenager promoting a DDoS service
  2. Norse – Totally awesome real time map of DDoS attacks that’s absolutely mesmerising to watch
  3. Booter promotional video – Very professional advert for a “booter” service (complete with “Epic DDoS interface”)
  4. networkstresser.com – Example of a DDoS service… protected by CloudFlare… the world’s largest provider of DDoS defences…

SQL injection

  1. sqlmap – The tool for mounting SQL injection attack tests against a running site
  2. Drupal 7 SQL injection flaw of 2014 – great example of how impactful it still is (patch it within 7 hours or you’re owned)
  3. Ethical Hacking: SQL Injection – If you really want to go deep, here’s five and a half hours worth of Pluralsight content

XSS

  1. XSSposed – List of sites found to be vulnerable to XSS (including attack vector)
  2. Dutch banks doing the Harlem Shake – Video collage of a number of Dutch banks with XSS risks being made to do the Harlem Shake via a script reflected from the URL
  3. XSS Filter Evasion Cheat Sheet – Because XSS payload filtering is almost always insufficient
  4. </xssed> – Heaps of XSS news and lists of vulnerabilities

Security scanners

  1. NetSparker – My favourite dynamic analysis tool due to ease of use and practicality (especially good for developers who may not live in security land)
  2. OWASP Zed Attack Proxy (ZAP) – Great tool for dynamic analysis security testing and has a whole raft of other uses too (oh – and it’s free!)
  3. Burp Suite – Seriously powerful with a heap of different tools and a freebie version to get you started
  4. Fiddler – Not a security tool per se, but I use it extensively to inspect website behaviour, tamper with requests and modify responses on the wire
  5. Acunetix – Popular dynamic analysis tool similar to NetSparker but is let down a bit in the usability stakes IMHO
  6. Nikto2 – Freebie open source app scanner sponsored by NetSparker

Exploit databases and breach coverage

  1. seclists.org – Heaps of exploits consolidated from various bug tracking lists
  2. Exploit Database – Very comprehensive list of vulnerabilities
  3. PunkSPIDER – Lots of vulnerabilities of all kinds all over the web (about 90M sites scanned with over 3M vulns at present)
  4. Data Loss DB – Good list of breaches including stats on number of records compromised
  5. Information is Beautiful: World’s Biggest Data Breaches – Fantastic visualisation of incidents that give a great indication of scale

Cracking software

  1. Hashcat – The tool for cracking hashed passwords; totally free with a great supportive community
  2. John the Ripper – Also top notch password cracking software with some different approaches to Hashcat
  3. RainbowCrack – Rainbow tables are becoming less relevant in the era of fast GPUs and tools like Hashcat, but it’s worth a mention anyway
  4. Aircrack-ng – For all your 802.11 WEP and WPA-PSK key cracking needs

Hacking and penetration testing tools

  1. Metasploit – The canonical pen testing tool; seriously advanced and enormously powerful
  2. BeEF – The Browser Exploitation Framework offering remote control over a target’s browsing session
  3. Kali Linux – All your pen testing bits in one image!
  4. Backtrack-linux – Fallen out of favour a bit as Kali has emerged, but still deserves a mention
  5. Nmap – For all your mapping of network things needs
  6. Wireshark – When you need to get down to monitoring at the packet level

Vulnerability definitions

  1. The OWASP Top 10 Web Application Security Risks – The canonical categorisation of the top risks on the web today
  2. SANS 20 Critical Security Controls – Great consolidation of security controls presented in an easily consumable fashion

Security headers

  1. Fiddler extension for CSP – Massively streamlines your creation of a CSP by building the policy as you browse
  2. SecurityHeaders.io – Everything security header related and a great place to assess your current state
  3. Report URI – Analyse your CSP and HPKP headers plus log your exception reports there
  4. Make any website do the Harlem Shake – if you can run this in the console against a website, they almost certainly don’t have a CSP prohibiting arbitrary content from being loaded into the site

Passwords

  1. OWASP Password Storage Cheat Sheet – There are plenty of bad ways of doing it, this is a great resource documenting the good ways
  2. Jimmy Kimmel “What is your password” – Video of people being interviewed and socially engineered into disclosing their passwords
  3. Diceware – A popular method of creating strong pass phrases suitable for use as a password

Password managers

  1. 1Password – Still my favourite password manager; client based, runs on all devices and the keychain is syncable via multiple mechanisms
  2. LastPass – A web based password manager (albeit with rich clients as well), one of the big players in password managers
  3. KeePass – A popular free alternative to commercial password managers

Account management

  1. Adult Friend Finder password reset – Enumeration done wrong; initiate a password reset for any email address and be told if they’re a member of a highly personal site
  2. Entropay password reset – A great example of not disclosing the existence of an account (try resetting an account that isn’t registered on their system)
  3. Botnet brute force attack against GitHub – I regularly use this as an example of how hard it can be to defend against brute force

Personal security

  1. F-Secure’s Freedome – My VPN of choice with lots of exit nodes around the world and a promise of no logging
  2. mycreditfile.com.au – This is an Aussie version so do find one local to you if you’re not down under, but identity protection and credit alerts are a “must have” today IMHO

Googledorks

  1. Google Hacking Database – Great collection of Googledorks categorised by various classes of exposed data
  2. Google Hacking for Penetration Testers – In case you prefer books over web pages

Other tools and links

  1. Have I been pwned? – How could I not include this?! My own tool, now being put to particularly good use by large enterprises monitoring tens of millions of people
  2. Mailinator – create temporary email addresses for testing
  3. Shodan – Find devices connected to the web (cameras, SCADA systems, etc.)
  4. Retire.js – “What you require you must also retire”: Helps identify JavaScript libraries with known vulnerabilities
  5. urlQuery.net – Analyses web-delivered malware by inspecting an individual URL and identifying malicious behaviour
  6. Phish5 – I’m yet to use them but I hear good things; phishing attacks are enormously effective and these guys help you test your organisation for how well equipped people are to recognise the attacks
  7. Plain Text Offenders – Been emailed your password? Name and shame!
  8. Kaspersky Real Time Threat Map – Very cool visualisation of the real time threat Kaspersky is seeing
  9. Tor Browser Bundle – Access the underwebs and browse anonymously

Security statistics reports

  1. Verizon Data Breach Investigations Report – The annual DBIR is based on real world security incidents and is a great resource for evidence-based security metrics
  2. WhiteHat Security Statistics Report – Based on findings in the websites they monitor with their security products so another good evidence-based report
  3. Trustwave Global Security Report – Another annual report driven from real world investigations (plus they use the terms “threat intelligence”, “seedy criminal underground” and “data defender” so you know it’ll be good!)
  4. Websense Threat Report – Created by Websense Security Labs, a fairly high level overview of the threat landscape
  5. HP Cyber Risk Report – More cyber, more statistics, more reports

Noteworthy books

  1. We are Anonymous – Still one of my favourite security books, a look inside Lulzsec and how it all unravelled
  2. Ghost in the Wires – The story of Kevin Mitnick’s early days and an absolutely fascinating read
  3. Data and Goliath – Just because you’re paranoid doesn't mean they’re not after you! Excellent read on data collection by Bruce Schneier

Other things you should be reading

  1. What Every Programmer Absolutely, Positively Needs To Know About Encodings And Character Sets To Work With Text – Because encoding is one of those things you just need to know

Awesome people you want to read and follow

  1. Mikko Hypponen
  2. Brian Krebs
  3. Jeremiah Grossman
  4. Scott Helme
  5. Bruce Schneier
  6. Kevin Mitnick
  7. Swift on Security
  8. Brian Honan
  9. Graham Cluley
  10. Rob Graham

What did I miss?

Lots. Leave your favourites in the comments, I’d love to see them!