Monday, January 19, 2015

Sony Thrashed, Insider Threats, North Korea Oh MY!


Practical learnings from the attack on Sony Pictures Entertainment

In the aftermath of the cyber-attack on Sony Pictures Entertainment, it is fairly easy to get caught up in the sensational headlines calling this an “unprecedented attack” because of its destructive nature.  The truth is, it isn’t uncommon at all.  We have seen similar destructive attacks on the Sands Casino in 2014, HBGary in 2011, and Saudi Aramco in 2012, to name a few.  In each of these attacks the apparent motive was to disrupt or destroy critical operations at the victim company.  This is anything but new in the world of cyber-attacks.
The critical lessons we need to take from the attack on Sony Pictures come in the form of addressing commonly found weaknesses in security practices at many organizations around the world.  The need for strong user account auditing and control, and for file-level monitoring, are the more practical lessons for most companies in the wake of this attack.

Let’s walk through some possibilities…

Infiltration of the Sony network: 

Was it an evil insider? YES… someone with malicious intent was on the inside of their network.  That does NOT mean it was a disgruntled associate or ex-associate.  What it does mean is that someone had attained valid credentials that allowed them to move freely through the Sony network undetected, and that they had access to the actual internal network.  The criticality of user account management and life-cycle controls is a key takeaway from this incident.  Common security practices such as the principle of least privilege, the
Possible scenarios for attaining credentials (most to least likely):
Got phished and credentials were harvested.
Had commercial malware harvest credentials.
Found Sony credentials in publicly available credential dumps.
Brute-forced the credentials of a Sony user.

Possible scenarios for gaining access to the network:
Remote Access Trojan malware on a compromised internal system.  Most likely the attackers performed a phishing or watering-hole campaign.  Otherwise, it is also entirely likely that the attackers attained access to a compromised endpoint from the underground black market, where these systems are commoditized.
VPN or gateway technology allowing remote access was improperly configured or not configured for multi-factor authentication.  We know Sony had two-factor authentication with RSA SecurID tokens (details of these products were in some of the attackers’ public releases).  However, perhaps there was a Citrix server or other access gateway solution that was missing the second factor.  External SharePoint or file-sharing technology may have been available without multi-factor authentication.  These types of collaborative portal sites often fail to implement multi-factor authentication and may have a public internet face.
A 3rd-party connection into their network may have lacked necessary security controls.  This has become a recurring theme in nearly all the major security breaches and attacks in recent years.  An attacker only needs to compromise the weakest link, and oftentimes 3rd-party vendors have direct access to the company’s network with little to no scrutiny of the vendor’s security posture.

Data Inventory and Collection

Once they attained access to the network, it is likely that the attacker performed internal reconnaissance of the Sony network.  We know it was a Windows network, and every Windows machine has built-in tools that allow for quick inventorying of all the user accounts (net user /domain) and the Windows machines (net view).  It is also trivial to locate shared folders and file share servers.  Once those were located, a simple recursive search for the word “Password” was used to find all files and folders containing that word.  Judging by the publications, they were successful.
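As an added example (not code from the original post), a small detector for the reconnaissance chain just described: it parses constructed, simplified process-creation records (modelled loosely on Windows Security event 4688; the record format, hostnames and user names are assumptions) and alerts when one user on one host runs two or more distinct inventory steps within a ten-minute window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified "<timestamp> <host> <user> <command line>"
# form, standing in for Windows Security event 4688 (process creation).
SAMPLE_EVENTS = [
    r"2014-11-20T09:01:10 WKS-114 jdoe C:\Windows\System32\net.exe user /domain",
    r"2014-11-20T09:01:40 WKS-114 jdoe C:\Windows\System32\net.exe view",
    r"2014-11-20T09:02:05 WKS-114 jdoe C:\Windows\System32\findstr.exe /si password \\FS01\share\*",
    r"2014-11-20T09:30:00 WKS-022 asmith C:\Windows\System32\notepad.exe notes.txt",
    r"2014-11-20T10:15:00 WKS-022 asmith C:\Windows\System32\net.exe view",
]
# One pattern per step of the inventory-and-collection behaviour described above.
RECON_PATTERNS = {
    "account_enum":  re.compile(r"\bnet1?(?:\.exe)?\s+user\s+/domain\b", re.I),
    "host_enum":     re.compile(r"\bnet1?(?:\.exe)?\s+view\b", re.I),
    "password_hunt": re.compile(r"\b(?:findstr|dir|where)(?:\.exe)?\b.*password", re.I),
}

def parse_events(lines):
    """Yield (timestamp, host, user, cmdline) from the constructed record format."""
    for line in lines:
        ts, host, user, cmd = line.split(" ", 3)
        yield datetime.fromisoformat(ts), host, user, cmd

def classify(cmdline):
    """Return the recon step a command line matches, or None."""
    for name, pat in RECON_PATTERNS.items():
        if pat.search(cmdline):
            return name
    return None

def detect_recon(lines, window=timedelta(minutes=10), min_steps=2):
    """Return {(host, user): [steps]} for principals running min_steps distinct steps in one window."""
    hits = defaultdict(list)                # (host, user) -> [(timestamp, step)]
    for ts, host, user, cmd in parse_events(lines):
        step = classify(cmd)
        if step:
            hits[(host, user)].append((ts, step))
    alerts = {}
    for key, events in hits.items():
        events.sort()                       # oldest first, so each event can start a window
        for i, (start, _) in enumerate(events):
            steps = {s for t, s in events[i:] if t - start <= window}
            if len(steps) >= min_steps:
                alerts[key] = sorted(steps)
                break
    return alerts
```

A single `net view` from a workstation is noise; the chain of account enumeration, host enumeration and a password hunt from the same principal within minutes is the signal worth paging on.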

Data Exfiltration

Moving data out of the network may have occurred in numerous ways.  Most likely would be FTP via a standard or non-standard port to an offsite location.  The interesting part is that there is a rumor that evidence has been found suggesting the speed at which the data was moved is consistent with USB 2.0 speeds.  This would lead you to believe it was possibly copied directly to a USB device, but it could also be a decoy/diversion technique.  Hopefully, more details will come out over time.
It is worth noting that if multiple terabytes of data are being exfiltrated over the network, there should have been measures in place to attempt to detect the increased traffic.  It is rumored that SPE moved massive files (large high-definition movie files) quite regularly, which may have made this particular exfiltration difficult to detect by purely volumetric means.  However, discrete firewall rules and intrusion detection thresholds might be something to explore for future protection.
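Added example, not from the original post, contrasting the two approaches just described: a purely volumetric egress rule that a host which legitimately ships terabytes every day never trips, beside a destination-aware rule built from an approved bulk-transfer list and an FTP port check.  The daily flow summaries, hostnames and approved destination set are constructed.

```python
from collections import defaultdict
from statistics import median

GB = 1024 ** 3
# Constructed: destinations sanctioned for bulk transfers (e.g. a distribution partner).
APPROVED_BULK_DESTS = {"cdn.partner.example"}

# Constructed daily egress summaries: (day, src_host, dst_host, dst_port, bytes).
# media-xfer-01 legitimately ships ~2 TB/day; on day4 part of that volume is
# exfiltration to an unknown host over a non-standard FTP port.
SAMPLE_FLOWS = [
    ("day1", "media-xfer-01", "cdn.partner.example", 443, 1800 * GB),
    ("day2", "media-xfer-01", "cdn.partner.example", 443, 2100 * GB),
    ("day3", "media-xfer-01", "cdn.partner.example", 443, 1900 * GB),
    ("day4", "media-xfer-01", "cdn.partner.example", 443, 600 * GB),
    ("day4", "media-xfer-01", "203.0.113.7", 2121, 1300 * GB),
    ("day1", "wks-044", "mail.example", 443, 2 * GB),
    ("day2", "wks-044", "198.51.100.9", 21, 1 * GB),
    ("day4", "wks-044", "mail.example", 443, 3 * GB),
]

def daily_totals(flows):
    """Bytes sent per (day, src) regardless of where they went."""
    totals = defaultdict(int)
    for day, src, _dst, _port, nbytes in flows:
        totals[(day, src)] += nbytes
    return totals

def volumetric_alerts(flows, factor=2.0):
    """Purely volumetric rule: flag a day whose total egress exceeds factor x the
    host's median daily egress.  A host that moves terabytes every day hides a
    terabyte of exfiltration inside its own baseline, so this returns [] here."""
    totals = daily_totals(flows)
    history = defaultdict(list)                 # src -> [daily byte counts]
    for (_day, src), nbytes in totals.items():
        history[src].append(nbytes)
    return sorted((day, src) for (day, src), nbytes in totals.items()
                  if nbytes > factor * median(history[src]))

def destination_aware_alerts(flows, bulk_threshold=50 * GB, ftp_ports=(20, 21)):
    """Discrete rule: bulk egress, or any FTP-control traffic, to a destination
    outside the approved bulk-transfer set is flagged regardless of baseline."""
    return [(day, src, dst, port) for day, src, dst, port, nbytes in flows
            if dst not in APPROVED_BULK_DESTS
            and (nbytes >= bulk_threshold or port in ftp_ports)]
```

The second rule needs the approved list to be maintained, which is the administrative cost the post alludes to with “discrete firewall rules”; the payoff is that it catches the day4 transfer the baseline hides.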

Releasing destructive malware

“Now you are just being mean.”  The attackers (note that some question whether it was even the same attackers) then took some fairly commonly used malicious code and compiled it into a specific piece of malware with a common privileged Sony credential and a list of Sony systems, and deployed it into the network, essentially lighting a slow-burning fuse as they left.  Again, we have seen this type of behavior in other attacks, but none that have caught the US media’s attention so greatly.

Extortion / Demands

Originally it was reported that the attackers attempted to extort money from the executives at Sony by threatening them with the forthcoming destruction of their systems and public release of their data.  We know that Sony did not give in to the demands initially.
At some point the demand changed from monetary extortion to demands to halt the release of “The Interview”.  Curiously, this seemed to occur after the media picked up on the fact that North Korea was a possible source for the attack.  This has sparked an extraordinary amount of media attention to this case, as well as an overwhelming amount of skepticism around attribution in cyber-attacks.  However, knowing your adversary is not the main concern when studying this attack.  We know that defeating a strong-willed and well-funded nation-state-level adversary is not likely to happen.  However, we also know that understanding how the attackers gained access, assessed the environment, swiped the data, and ultimately released destructive malware allows us to focus on mitigation techniques.


Taking proper steps to ensure appropriate levels of security are in place at each step of the attack would help to increase the burden (time, money, complexity) on an attacker, which is a primary goal when dealing with deeply motivated attacks.

Monday, August 11, 2014

Digital Attack Map love.

Testing out Google's/Arbor's Digital Attack Map embedding

Friday, May 24, 2013

Notes on fierce.pl DNS Enumeration script when using KALI LINUX

Notes on fierce.pl DNS enumeration tool written by RSNAKE

If you are running Kali Linux, you will be missing the default wordlist, aka hosts.txt.
You can pull down the host list from http://ha.ckers.org/fierce/hosts.txt and, if you are lazy, just put it in /usr/bin/hosts.txt.

Go to the URL http://ha.ckers.org/fierce/hosts.txt
Ctrl-A then Ctrl-C to copy all

From a terminal:
i.e.  vi /usr/bin/hosts.txt
Press i
Right-click (paste)
Esc, then :wq and Enter

Now... if you want to traverse the subnet more than the default 5 IP addresses up or down, you will need to make a simple correction to the code.

vi /usr/bin/fierce
/verse <
Enter
Arrow over until you are on top of the < then press the letter r and then >
Esc :wq
Enter

Now -traverse should work correctly.

-H

Sunday, April 21, 2013

security links / podcasts / meetups for dfw infosec newcomers

***minor updates 9/11/2017


Twitter:

If you don't use Twitter, wipe away your hipster-anti-hipster and sign up!  If you are wondering where to start, find me @hhopk, look at the people I am following, and follow some or all of them.


Training/Videos:

Irongeek's Hacking Illustrated (Adrian Crenshaw's library of Conference presentations)

securitytube.net/  (long standing list of excellent training video)

https://www.cybrary.it/  Cybrary, courses and whitepapers on security


Meetups / Chapter meetings (DFW area):


UTDallas Computer Security Group:  Excellent documents and technical presentations:
https://csg.utdallas.edu/
**runs the gamut of high to low tech... don’t get discouraged, but don’t start with “reverse engineering”... look at Network Security / Penetration Testing / Pivoting

North Texas Cyber Security Group (NTCSG) @
https://www.meetup.com/NTXCSG/ 


Security bSides DFW
http://www.securitybsides.com/w/page/118353951/DFW_2017

DC214 (Defcon local chapter)
http://dc214.org/

Dallas Hackers Association (DHA) @Dallas_Hackers
http://www.meetup.com/Dallas-Hackers-Association/

Plano Maker/Hacker Space @theroxyd
http://www.thelab.ms/



OWASP Dallas meet-ups
https://www.owasp.org/index.php/Dallas   



Dallas Makerspace
www.dallasmakerspace.org


Podcasts:

Infosec Daily (recently retired)
http://www.isdpodcast.com/

Security Weekly (formerly Pauldotcom)
http://securityweekly.com/podcasts 


Network Security:
http://netsecpodcast.com/

Exotic Liability:  (basically off the air)
http://www.exoticliability.libsyn.com/webpage/category/podcasts

GrumpySec Podcast:
http://www.grumpysec.com/

Down the Security RabbitHole:
http://podcast.wh1t3rabbit.net/

DevOps Cafe:
http://devopscafe.org/

Security / DevOps Mailing lists:

Cisco:
http://tools.cisco.com/security/center/home.x

OSS:
http://www.openwall.com/lists/oss-security/

Blogs:


Fun tools:

https://censys.io/ 
https://www.shodan.io/
https://riddler.io/
https://www.threatcrowd.org/
https://community.riskiq.com
https://www.threatminer.org/


challenges: (WIP)

infoseclabs • infoseclabs.net

If you want your site added here or know one I am missing hit me up at @hhopk on ze tweetz

Sunday, March 10, 2013

Who really profits from vulnerable Java?

What, another Java update? They are almost as frequent as blogs complaining about Java updates.
However, few seem to consider the real value of these vulnerabilities and their subsequent patches.  Value to whom?  Consumers?  Fuzzers?  Security?
People seem to be looking right past the profit model for Java exploits to Oracle.  I hear often in the infosec community "it would suck to Oracle" or "why don't they clean up their filthy bug-ridden code?"

To put it simply, they profit from every patch release.  They load up the not-so-savvy consumers with bloatware, adware, and just plain crap with each Java update.  I am still trying to find the exact relationship between Ask and Oracle, and what the per-install payout is.

Going Pro Se to Dissolve a Writ of Garnishment, concluded

I'll save you the essay.

Feb 15th was my court date, and I won.  The judge only needed to hear that 100% of funds in the account were mine and mine only.

Case law supports that my parent did have bare legal title to the funds, but the true owner is the signer, who maintains equitable ownership.  The attorney from Regent & Associates had nothing to say.

Thanks to my wife, Google Scholar, and my father-in-law for their moral support.