
How Hackers Find Attack Targets (mini-whitepaper)

Hackers are always searching for ways to target and dismantle security. But the questions remain: how do hackers find a way in, how do they exploit vulnerabilities, and how do they carry out this dismantling? The main answer: research!

Hackers do many different things that give them a wide-open door to vulnerabilities:

  • Hackers study their target well in advance of the actual hacking. They do their homework and figure out how strong the target is, how to exploit the vulnerability, the method of attack, a backup plan, and how to stay anonymous.
  • Hackers commonly use search-engine queries to create a map of the target’s vulnerabilities. Many different items can turn up when building such a map, such as server statistics (downtime/uptime), platform usage, coding languages, and other miscellaneous, unspecific information.
  • The map is assembled carefully to build a complete intelligence database (which can be shared for high fees across the hacker community). It compiles a lot of information not only through the research described above, but also from government databases, financial filings, court records, etc. Who would have thought to check for things like that?
  • The hacker’s main purpose after doing the research is to identify the security and technology officers on staff at the company. The hacker needs to know who the security architect is, how much authority they have, what has come up in recent meetings, new plans, etc. The hacker reads the officer’s roadmap and decides whether the time to attack is soon or whether the hacking should be held off. (Not really a lot of time to decide, to be honest.)
  • In the last stage of research before the attack is planned, the hacker looks for business partners, trusted or strategic customers, suppliers, etc. that the target relies on. Some have argued that it may sometimes be easier to attack a smaller business partner than the actual target. But this, too, depends on the information gathered from search engines and other sources.
  • Once this is all compiled, the information yields a list of likely points within the target to attack.
  • The attack is usually staged, literally, in an effort to find the target point, hit it at the right time, and exit without being caught. The aim is to secure the exploit of the vulnerability and to know the best route to escape.
  • The hacker attacks when ready, and the operation is complete soon after. The idea or methodology for a hacker is “push in, pull out”, or, as Facebook would say, “Move fast, break things”. What a philosophy!

There is little that can be done when you run a public company and all the information about it is widely available. People will do their research. You can reduce the significance of the threat from hackers by conducting the same research yourself, setting up your own map, and conducting competitive counter-intelligence. This can be a difficult thing to learn.

It’s best to take the necessary steps to ensure that if a hacker comes nearby you are always ready, using the following methods (some may not apply to your business):

  1. Secure all servers with adequate security protection. Through a good amount of searching on search engines you can find a wealth of free tips and more whitepapers on good server security. Simply searching for “server security” will return a lot of good results. It is also worth looking for SQL security, which is a very good, invaluable resource.
  2. Encrypt passwords on their way to your server! When people enter passwords on your website (for accounts and logins), make sure they are encrypted in transit. If passwords are sent in plaintext, they are easy to read while travelling from the user’s browser to the server.
  3. Always have good passwords at your end. Everyone should have a very good password. It’s best to have a password of at least 8 characters containing at least one capital letter, one small letter, one number, and one symbol. This is the best way to keep it from being hacked easily. There is no longer 100% protection against your password being stolen; some of the best passwords can be stolen easily. But at least having a very good password will protect you while other security methods are implemented (fingerprint scanners, voice activation, unique ID codes, etc.).
  4. Encourage your users to choose good passwords by requiring the characteristics described above for their passwords.
  5. Hold weekly meetings with your staff about how best to implement security policy, the latest threats, the analytics behind your network (server uptime/downtime, security breaches, etc.), and future plans for implementing policies.
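Steps 3 and 4 above describe a password rule and say it should be enforced on users. The following is an added example (not code from the original post) that enforces exactly that rule and reports which requirements a candidate password misses, so a signup form can tell the user what to fix; the class and method names are the editor’s own.

```java
import java.util.ArrayList;
import java.util.List;

public class PasswordPolicy {
    // The rule stated in the text: at least 8 characters with at least one
    // capital letter, one small letter, one number and one symbol.
    static final int MIN_LENGTH = 8;

    // Returns the unmet requirements; an empty list means the password passes.
    static List<String> violations(String password) {
        List<String> missing = new ArrayList<>();
        boolean upper = false, lower = false, digit = false, symbol = false;
        for (int i = 0; i < password.length(); i++) {
            char c = password.charAt(i);
            if (Character.isUpperCase(c)) upper = true;
            else if (Character.isLowerCase(c)) lower = true;
            else if (Character.isDigit(c)) digit = true;
            else if (!Character.isWhitespace(c)) symbol = true;  // anything else counts as a symbol
        }
        if (password.length() < MIN_LENGTH) missing.add("at least " + MIN_LENGTH + " characters");
        if (!upper) missing.add("a capital letter");
        if (!lower) missing.add("a small letter");
        if (!digit) missing.add("a number");
        if (!symbol) missing.add("a symbol");
        return missing;
    }

    static boolean acceptable(String password) {
        return violations(password).isEmpty();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: only the last one satisfies every requirement.
        for (String candidate : new String[] {"password", "Passw0rd", "Pa55w0rd!"}) {
            List<String> missing = violations(candidate);
            System.out.println(candidate + " -> " + (missing.isEmpty() ? "ok" : "missing " + missing));
        }
    }
}
```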

By following these simple steps, your company can become well aware of hackers and implement good security policy that will save a lot of time and money!


How to question security at your company (mini-whitepaper)

The following are good questions to ask and answer about security at your company (some may or may not pertain):

  1. Are employees trained, and appropriately monitored, in how to stay safe on the computer and online?
  2. Are cash-handling processes, flows, etc. well documented?
  3. Are wireless communications locked down or protected?
  4. Are your cash registers, networks, and procedures up to date with the latest software updates?
  5. Do your call-center terminals display only the necessary information about customers?
  6. Are the facilities well maintained and well-lit for safety, not only for customers but also for employees?
  7. Is physical access control in place and used properly?
  8. Are your defenses developed and well maintained with new updates in virtualization and private clouds?
  9. Are doors, walls, and windows properly resilient?
  10. Are there proper security measures in the parking lot, such as cameras, fencing, lighting, call boxes, and patrols? (Probably best for large companies with huge parking lots.)
  11. What are the hours of operation?
  12. Can the HVAC system be used as a portal into your company? (In other words, can people get into the HVAC system and from there into your building?)
  13. What are the consequences of physical disruption of the HVAC system?
  14. For the loading docks, do you have a visual record of each delivery and the associated personnel? Do you know each delivery person, are they usually the one who makes the deliveries, and do they deliver similar amounts of goods each time?
  15. Is the loading dock ever left unattended, or does someone staff it at all times (with people changing shifts as needed)?
  16. Can security systems be connected to inventory systems? Does it increase efficiency?
  17. Are your employees trained to recognize and properly handle a suspicious package? Do you have common rules established for this?
  18. Are all records appropriately encrypted, locked up, or otherwise protected?
  19. How does data get destroyed, if needed? Paper shredder? File deletion?
  20. How are records secured when they are transferred to you, whether physical or digital?

Thanks to CSO for inspiration!


Security Awareness at Your Business, What about BYOD? (mini-whitepaper)

What exactly does it take to make your business more secure? You might ask: “Do I need to secure all the computers with antivirus software?” or “Do we have to set up a network security policy?” or “Is security really necessary? It’s costly, why do we need it?”

It is possible to consider all of those questions, and perhaps even answer them in your own mind. It is necessary to have antivirus software and a good security policy. It is also good to keep an eye on your employees as necessary to make sure they stay on task. 😉

However, let’s focus on some of the main points here…

  • Security awareness can be defined as the knowledge of how security systems work and the ability to apply that knowledge to an object. It matters to the physical and digital assets of the organization, i.e. your money, data, etc. Maybe these days it is fair to say “Time is money, data is money, and so on.”
  • Educate your employees on these matters, especially on the types of threats seen in today’s malware world. Many things, especially on smartphones, are easy to spot. It’s good to keep an eye on the latest threat information.
  • Password security is always important! Therefore, educate everyone on the basics of password security, including executives. Everyone in your business needs to be educated and re-educated. It’s so easy to become comfortable with choosing an easy password. Get out of the habit before it costs your company a fortune!
  • Protect your information and develop a policy for social media, BYOD, etc. It is important to educate your employees on how (and whether) they should post anything about your company on social networks. The last thing you need is for a pre-release to be leaked, private data to be leaked, a controversial issue to flare up, etc. Also, keep your employees off non-work apps on their smartphones and focused only on work. (A BYOD policy at work means the smartphone is used for work only.)
  • Back up your rules with consequences (and honestly enforce them), so that if security policies and procedures are broken, the employee at least knows how much trouble they are in.
  • To scale this security awareness project further, download NIST’s Special Publication 800-50, Building an Information Technology Security Awareness and Training Program, to learn how to make your own.


Serious Java Vulnerabilities Have Many Things in Common (mini-whitepaper)

If you’ve seen many of our posts here, you’d know that we report on Java vulnerabilities. As often as they come, they must have something in common, right? Indeed.

Let’s look at CVE-2012-4681 and CVE-2012-5076, what they have in common, and what we can learn from these two serious vulnerabilities. Both use the Java reflection mechanism to break the applet security restrictions and allow a malicious payload. In other words, they bypass security and execute malicious code.

Java reflection is commonly used in programs, usually those that need to examine the runtime behavior of applications running in the Java Virtual Machine. It is very convenient for Java developers (it saves time) when writing Java programs, but it also opens up more opportunities for exploits.

Now for the technical part, which you can skip if you don’t know Java or it would give you a headache. 🙂

== TECHNICAL START ==

Java reflection provides several functions:

  1. Get a class
  2. Get all members and methods of the class, including private ones
  3. Invoke methods

Java’s big weakness in dealing with reflection is that it allows access to hidden fields. Obviously, this isn’t a true flaw (meaning the Java developers don’t see a problem with it), but it would help to change this behavior to avoid further problems.

CVE-2012-4681 used Java reflection to reach a hidden field called statement.acc. It also implemented a “setfield” function, which changes the value of acc (the hidden field). To break the code, “java.beans.Statement” would be used.

So, in Java, we’d see:

SetField(Statement.class, "acc", localStatement, localAccessControlContext);

Then, as we analyze CVE-2012-5076, we see the big offender, “util.GenericConstructor”, which is used to create an object from a restricted class. It would be used to instantiate “sun.invoke.anon.AnonymousClassLoader” and then call its “loadClass” function, which would deliver the malicious payload. Here is a breakdown of how the payload would work:

  1. Get the “loadClass” method and invoke it.
  2. Get the method “r” in the payload and invoke it.
  3. Use “Class.forName” to load a target class.
  4. Use “getDeclaredFields” to enumerate all fields (not including hidden ones).
  5. Use “setAccessible” to expose hidden/private fields.

== TECHNICAL END ==
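To make the mechanism in the technical section concrete from a defender’s point of view, here is an added example (not code from the original post, and not either exploit) showing what the three reflection functions listed above do to a private member: enumeration sees it, an ordinary write is still refused, and “setAccessible” is the single call that removes that refusal. It also shows the JDK’s own mitigation, strong encapsulation, which since JDK 16 makes the same call throw for JDK-internal classes. The class names Vault and ReflectionExposure are constructed for the demo; it assumes JDK 9 or later to compile and JDK 16 or later for the last check to report true.

```java
import java.lang.reflect.Field;
import java.lang.reflect.InaccessibleObjectException;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;

// Constructed sample class. It is a separate top-level class (not a nestmate
// of the demo), so ordinary Java access rules apply to its private members.
class Vault {
    private boolean privileged = false;      // stands in for a "hidden" field
    private void grant() { privileged = true; }
    public boolean isPrivileged() { return privileged; }
}

public class ReflectionExposure {
    // Steps 1-2: list every declared member; "private" hides nothing here.
    static List<String> declaredMembers(Class<?> c) {
        List<String> names = new ArrayList<>();
        for (Field f : c.getDeclaredFields()) names.add("field " + f.getName());
        for (Method m : c.getDeclaredMethods()) names.add("method " + m.getName());
        return names;
    }
    // Without setAccessible the JVM still enforces "private": the write fails.
    static boolean blockedWithoutSetAccessible(Vault v) throws NoSuchFieldException {
        Field f = Vault.class.getDeclaredField("privileged");
        try {
            f.setBoolean(v, true);
            return false;
        } catch (IllegalAccessException e) {
            return true;                     // expected: the access check held
        }
    }
    // Step 5: setAccessible(true) is the one call that switches the check off;
    // afterwards the private field and the private method are fully usable.
    static boolean flipViaSetAccessible(Vault v) throws ReflectiveOperationException {
        Field f = Vault.class.getDeclaredField("privileged");
        f.setAccessible(true);
        f.setBoolean(v, true);
        Method m = Vault.class.getDeclaredMethod("grant");
        m.setAccessible(true);
        m.invoke(v);
        return v.isPrivileged();
    }
    // Mitigation in JDK 16 and later: strong encapsulation makes setAccessible
    // throw for JDK-internal members unless the package is opened explicitly.
    static boolean jdkInternalsSealed() throws NoSuchFieldException {
        Field value = String.class.getDeclaredField("value");
        try {
            value.setAccessible(true);
            return false;                    // older JDK, or --add-opens in effect
        } catch (InaccessibleObjectException e) {
            return true;
        }
    }
    public static void main(String[] args) throws Exception {
        Vault v = new Vault();
        System.out.println(declaredMembers(Vault.class) + " blocked=" + blockedWithoutSetAccessible(v));
        System.out.println("flipped=" + flipViaSetAccessible(v) + " sealed=" + jdkInternalsSealed());
    }
}
```

The two booleans printed on the last line are the whole story: the first is what the page’s exploits relied on, the second is the platform-level check that now stands in the way for JDK internals.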

Obviously, it’s time for researchers to keep an eye on Java reflection vulnerabilities.

All about TPM Chip in Windows 8 – Microsoft is Many Years Late

What is the TPM Chip?

  • Microsoft released Windows 8, and with it came support for the Trusted Platform Module (TPM chip), a chip that allows an operating system to verify itself and its modules against the chip. This provides even better security, so that Windows can only be installed on hardware that is verified through the TPM chip.
  • Now, it is unclear whether or not it will be required for Windows 8; at this point it is in testing mode. In future versions of Windows it will probably be required, which also makes it difficult for those running Windows in a virtual machine, and will probably require people to acquire a specific compatibility license to run Windows in a virtual machine or to dual-boot on a Mac-based computer.
  • Confused yet? Apple was one of the first, if not the first, to introduce an OEM chip that people were required to have if they wanted to run Mac operating systems. This meant, for example, that Mac OS X couldn’t be installed on a normal computer; it had to be on “Mac-branded hardware”, as Apple states in the Mac OS X terms of use.
  • What does this bring to the security of operating systems? It provides very low-level security and will be just another way to block bootkit attackers and other boot-based viruses/rootkits.
  • Some experts say that TPM will probably be included in new PCs, tablets, and other Windows-branded devices. There’s no current way to just “install it”; however, Windows 8 is engineered to recognize the TPM chip.
  • When did this idea come about? Probably in the late 1990s, when security experts were realizing that software antivirus/firewalls were not strong enough to block the threats. It would take more than just software-based protection programs.
  • What other implementations (other than Apple’s chip) are in place? The Google Chromebook is a good example: when it boots, the TPM chip checks the modules on the system. If one is bad, it automatically replaces it with its “last known good module” (from its library of last known good modules), keeping itself protected.


The future of TPM technology

  • It’s possible the makers of TPM technology will work with security/OS vendors to create antivirus that is built on top of the TPM chip and scans the operating system and kernel before it starts up.
  • What’s different from the boot-time scanners offered by companies like Avast, for example? Boot-time scanners from software companies still use Windows modules to help scan the whole computer. However, since those modules are part of the operating system, the boot-time scan cannot get deep enough into the OS kernel. Although it can scan the system before services/drivers load, it cannot necessarily get a good look at all of the drivers/services, or at the MBR/BIOS for that matter.
  • By allowing antivirus to scan the computer before the operating system starts at all, it also stays on top of things so that malware cannot hinder or suppress the scan.


This is just one of the many security features included in Windows 8. Take a look!

Windows 8 Security Features Explained (mini-whitepaper)

Windows 8 is apparently more secure than Windows 7. Perhaps this is true, and it is best to learn what security features the new operating system has. Some of these security features are verified to help the security of Windows 8 very well, some may not be in time, and some may not work at all.

One of the most discussed security features is Secure Boot. Secure Boot is a Unified Extensible Firmware Interface (UEFI) feature specified in the boot process to check the cryptographic signatures of kernel-mode drivers, making sure they aren’t modified or corrupted. In other words, the boot process now checks whether the operating system has been corrupted by malware or some other issue.

This is all part of a hardware restriction process called Hardware DRM. All non-ARM devices have the option to turn Secure Boot off; however, ARM devices must keep it on. Experts state that it will be resistant to rootkits, since the MBR and BIOS cannot be accessed unless someone working on the computer penetrates it.

Next, Windows 8 features better built-in antivirus software, with a much improved Windows Defender. The software in Windows 8 is combined with the optional tool Microsoft Security Essentials. Now, with Windows Defender super-powered with MSE, it has many more anti-malware features.

Along with better anti-malware features, Internet Explorer is now built with better features as well. It is far better at preventing zero-day exploits than previous versions of Internet Explorer. With the challenges of exploiting Windows 7, the issue of Java and Flash Player came up again, since hackers can gain control over the operating system through them. Those browser plugins are now easier to exploit than Internet Explorer’s own code.

A new application sandboxing environment called AppContainer provides the ability to run all apps in a controlled environment that governs how apps work. This prevents apps from disrupting the operating system. Of course, this is supplemented by Internet Explorer’s SmartScreen filter, which prevents the download/install of known malicious software. However, Windows 8 now has SmartScreen available for any app, allowing even more prevention. Of course, this means Microsoft employees are going to increase in numbers if they really want to keep up. Now that hackers know their new challenges, they will be relentless.

The question is still whether Windows 8 will be a repeat of Vista or not. The reality of the situation is that if Windows 8 becomes very popular, the security issues will also light up big time. However, many will stick to Windows 7, so the security issues for Windows users are nowhere near over. Feel free to take a look at the related articles below for Symantec’s opinions, which aren’t too favorable on the new OS.

Added October 31, 2012: Trusted Platform Module, read more

Keep up with the latest security tips on our blog here. In addition, please donate to help us continue to write these awesome whitepapers.

Security & BYOD for the iPhone 5 (mini-whitepaper)

As you upgrade to the iPhone 5, please keep in mind some principles, both personal and business.

  • If your iPhone will be handed down to a child, make sure ALL critical data is removed from it. This includes all business data, personal details, etc. It is highly critical to protect your business and personal identity.
  • As new devices are created, new threats are created as well. These security threats need to be identified and dealt with. Just because it is a new iPhone does not mean it’s immune from security threats. Security is a losing battle, because hackers are always trying to stay one step ahead of programmers/developers. While developers are working around the clock to prepare this new, capable hardware/software, hackers are working just as hard against them.
  • The iPhone 5 is set to accelerate BYOD, which means better options available to network administrators: things like data copying, wiping operations (erasing loads of data), etc.
  • iOS 6’s Passbook feature can store financial information for securing digital transactions. If you’re comfortable storing that information, go ahead; otherwise, just keep it off.
  • Emails, texts, and calendar appointments can be modified through the Siri app without requiring the administrator to log in to the device.
  • If Apple succeeds in acquiring AuthenTec, it will allow a fingerprint identification security system for the device, making it more physically secure. But this technology is pending at the moment.
  • Apple calls the iPhone 5 “The thinnest, lightest, fastest iPhone ever”, but they mention nothing about security, do they?


If this has helped you personally or your business in any way, please consider making a donation to help further the seCURE Connexion project.
