Monday 30 December 2013

2014 - Year of the Privacy?

2012 was a year famously known for the number of security breaches. Companies from Sony to Yahoo to Google inadvertently had personal data leaked. Most breaches were carried out from the server side.


Source: http://venturebeat.files.wordpress.com/2012/09/securitybreaches_25.png

2013, on the other hand, was labelled the year of the hack. As early as March 2013, companies from Apple to Facebook and Twitter got hacked, and this does not even include the hacking incidents in Singapore.


For Singapore, 2013 is seen as the year with a record number of hacking incidents: the hack on Kong Hee's wife's website, the Anonymous threats to the Singapore Government, the XSS attack on the PMO and Istana websites, the defacement of Singapore schools' websites and the Singapore Art Museum website, personal information getting leaked and, most recently, the theft of bank statements belonging to high-profile Standard Chartered clients.


Kong Hee's Wife Website Hacked


AMK Town Council Website Hacked


Anonymous Threats and Hacks in Singapore




Singapore Art Museum Website Hacked


Singapore Schools Websites Hacked


Standard Chartered Clients Statements Stolen


With such a record number of hacking incidents, 2013 will be known as the year Singapore got hacked the most: the year many security professionals, from private organizations to government, were placed on high alert and standby. It was indeed a tough year for security professionals in Singapore.

So what will 2014 be? 

A preview of what is going to happen was shown throughout 2013. Privacy has been another hot topic besides hacking: the case of Edward Snowden leaking NSA files that exposed the US government spying on its citizens, the security of encryption keys, the spying on Malaysia by Singapore, the spying on Indonesia by Australia, and the privacy of consumers against telemarketers.


The Serious Leaks by Snowden


The Allegations against Encryption Companies


The Spying of Indonesia by Australia


The Spying Report of Malaysia by Singapore


PDPC Backfires on Consumer's Privacy

All of these are previews of what may happen and will be the hot topics of discussion in 2014. While hacking will not stop, I predict that 2014 will be the year of privacy: the year consumers question the privacy of their data and personal information, the year companies start concerning themselves with the security of their clients' data, and the year security vendors get the most calls about privacy concerns and solutions.

Even the security rockstar Bruce Schneier, in his interview with 'Motherboard', said the following about the security of our data:
"I'm worried about governments, the US and other governments. I'm worried about how they are using our data, how they're storing our data, and what happens to it. I'm less worried about the criminals. I think we've kinda got cyber-crime under control, it's not zero but it never will be. I'm much more worried about the powerful abusing us than the un-powerful abusing us."


So in summary:
2012: the year of Security Breaches
2013: the year of the Hack
2014: the year of Privacy (just a prediction)


Monday 23 December 2013

SANS Holiday Challenge 2013

It's that time of the year again when SANS organizes a holiday challenge for those with some free time to spare during the holidays.



This year, SANS' challenge includes a PCAP file that needs to be downloaded and analyzed; you then provide your findings based on the questions provided.

Enough talk! If you are keen to test your analysis and investigative skills, go to this site:
http://pen-testing.sans.org/holiday-challenge/2013 and test your might!


A small tip:

For those not from the US, you might find a problem with the timestamps in the packet frames. To overcome this, set your machine's timezone to UTC-6:00 or the corresponding US/Canada timezone.
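The timestamp problem comes from how captures are displayed: a pcap file stores each packet's time as seconds since the Unix epoch (UTC), and Wireshark converts that to the analysing machine's local timezone. The following is an added example, not part of the original post or of the SANS challenge, that reads the raw libpcap headers and renders the times in UTC-6 without touching the system clock. The two-packet capture embedded in it is constructed for the example.

```python
# Added example (not from the original post): read libpcap packet timestamps
# directly and render them in a chosen UTC offset, so an analyst outside the
# US can view a capture in UTC-6 without changing the machine's clock.
import struct
from datetime import datetime, timedelta, timezone

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic libpcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # libpcap variant with nanosecond timestamps
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16


def detect_layout(magic_bytes):
    """Return (struct endianness prefix, ticks per second) from the 4-byte magic.

    The magic is written in the capturing host's byte order, so trying both
    orders is the standard way to learn how the rest of the file is encoded.
    """
    for endian in ("<", ">"):
        (magic,) = struct.unpack(endian + "I", magic_bytes)
        if magic == PCAP_MAGIC_USEC:
            return endian, 1_000_000
        if magic == PCAP_MAGIC_NSEC:
            return endian, 1_000_000_000
    raise ValueError("not a libpcap capture (unknown magic)")


def packet_times(pcap_bytes):
    """Yield (seconds, fraction_ticks, ticks_per_second) for every record.

    Timestamps in a pcap are seconds since the Unix epoch in UTC; tools such
    as Wireshark convert them to the local timezone only for display.
    """
    endian, ticks = detect_layout(pcap_bytes[:4])
    offset = GLOBAL_HEADER_LEN
    while offset + RECORD_HEADER_LEN <= len(pcap_bytes):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", pcap_bytes[offset:offset + RECORD_HEADER_LEN])
        offset += RECORD_HEADER_LEN + incl_len
        if offset > len(pcap_bytes):
            raise ValueError("truncated packet record")
        yield ts_sec, ts_frac, ticks


def render_times(pcap_bytes, utc_offset_hours, label):
    """Format every packet timestamp in a fixed UTC offset (e.g. -6 for the challenge)."""
    zone = timezone(timedelta(hours=utc_offset_hours), label)
    rendered = []
    for ts_sec, ts_frac, ticks in packet_times(pcap_bytes):
        micros = ts_frac * 1_000_000 // ticks   # nanosecond files are truncated to microseconds
        moment = datetime.fromtimestamp(ts_sec, tz=timezone.utc) + timedelta(microseconds=micros)
        rendered.append(moment.astimezone(zone).strftime("%Y-%m-%d %H:%M:%S.%f %Z"))
    return rendered


# Constructed two-packet capture: little-endian, microsecond resolution,
# first packet at 2013-12-25 00:00:00.500000 UTC (epoch 1387929600).
SAMPLE_PCAP = (
    struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    + struct.pack("<IIII", 1387929600, 500000, 4, 4) + b"\xde\xad\xbe\xef"
    + struct.pack("<IIII", 1387929601, 0, 2, 2) + b"\x00\x01"
)

if __name__ == "__main__":
    for line in render_times(SAMPLE_PCAP, -6, "UTC-6"):
        print(line)
```

Run it against the challenge file by replacing SAMPLE_PCAP with the file's bytes; since the file is read rather than the system clock, the same timestamps can be printed in several offsets side by side when an answer depends on the local time of an event.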

Saturday 21 December 2013

Monday 16 December 2013

Singapore Short of Cyber Security Experts - An Opinion

But a tough-to-crack problem is that "young people do not find the job sexy" - Communications and Information Minister Yaacob Ibrahim

Early this month, Communications and Information Minister Yaacob Ibrahim said in an interview that Singapore is short of cybersecurity experts and that many young people prefer going into the banking and financial industries instead of a back-end job.



Is Singapore really short of cybersecurity experts? 

As a cyber security professional myself, I cannot say that I fully agree with the minister on this. First and foremost, the number of students taking up security courses over the years, be it at government institutions or private schools, is increasing. The number of graduates from schools offering these courses is also increasing. From a private education perspective, every year thousands of students graduate from Kaplan, SMF, Informatics, MDIS, PSB Academy, SIM and many more. These are just some of the many private schools that offer courses involving IT and cyber security. So there are definitely many security graduates... but the question is, where are they?


Singapore Poly Graduates got 3rd in HITB CTF Competition (Kuala Lumpur)

Realize it or not, there were students who participated and got 3rd in the CTF competition in Kuala Lumpur back in 2012 (yes, I was there to witness them). There were many teams from Vietnam, Japan, the Netherlands and more, and to have our local lads take 3rd place is an achievement worth noticing. So yes, I would say the schools are doing it right, exposing students to such real-life competitions to understand the way of the hack. A proud achievement for both the poly students and the Singapore security community.


Source: http://tinyurl.com/mbwe8tw

Is it Not Sexy?

The minister stated that young people do not find the job 'sexy'. On the contrary, people who have worked in the security field, especially the ones who do the dirty work (not the paper pushers), be it in support, operations or engineering, know very well that a career in the security industry is a very, very SEXY job! Whenever I type commands in Linux or Unix terminals, it just feels right. Whenever somebody manages to hack or defend, the feeling is orgasmic! Whenever someone manages to troubleshoot and finds the root cause of an issue, it feels awesome! Those who don't feel that way are the ones who work for the sake of work. To be in the security field, one needs passion and interest... and especially dedication.

How to move forward?

The question is, what then should the government do to entice people into taking up a career in security? In my opinion, the government should start by organizing conferences open to the public. Interest in a subject starts from young, and if they attended such a conference, who knows, that event might change their mindset and start their journey to becoming a security professional. I got interested in hacking when I saw the movies 'Wargames' and 'Operation Takedown', not to mention 'Hackers' starring the spicy Angelina Jolie.

The Ministry of Defence should also publicize advertisements about cyber warriors protecting Singapore. With all the advertisements about the military defending the land, sea and air, isn't it time for an advertisement about a cyber military defending cyberspace?

The government should also organize cyber security competitions such as hacking competitions or forensic competitions. Many of these potential hackers are hungry to test out systems and servers on the internet, but most of them have to stay calm and contain the urge because it is illegal to scan or penetrate a system without permission! Recently Symantec organized 2 CTF events which greatly benefited potential hackers wanting to showcase their skills and talents. The most recent one, held at Suntec this year, was open to the public and many people from different companies participated. Some were professionals from overseas, and the winners were locals. This goes to show that Singapore indeed has a pool of talented individuals in the security community. If the government encouraged such competitions, not only would they benefit people's interest in security, the government could also recruit these talented individuals and provide them scholarships to study or a position in a security-related role.

Thursday 12 December 2013

Cyber Security in Singapore - Opinions

Recently I was invited by a local radio station to give a talk about cyber security in Singapore, but for company and legal reasons I had to decline the opportunity. Nonetheless, these were the questions I was supposed to answer during the talk show.

1) Cyber security in Singapore - has the recent hacking episodes exposed a "weakness" in Singapore's cyber security?

I wouldn't call it a weakness but an eye-opener as to what else could be done by potentially skillful hackers. In one of the hacking movies back in the 80s, 'Wargames', David Lightman, the hacker, stated 'I don't believe that any system is totally secure' when someone told him that it was impossible to gain access to the systems. Taking that quote, I believe there is no way to say that a system, a server or a website is totally 100% secure. There will always be a potential issue, a potential backdoor, security misconfigurations, or missing or outdated patches that can be taken advantage of and exploited. Before the much-talked-about hackings of government sites lately, back in 2011, 17 of our govt sites were defaced by a hacker group called Brazil Hack Team, and fortunately that was all they were able to do. The so-called hacking of the Istana and PMO websites was not really a hack. It was client-side exploitation of a vulnerability called XSS, or Cross Site Scripting, which does not affect the server side and leaves the confidentiality, integrity and availability of the PMO's and Istana's websites/servers intact. In other words, nothing was leaked or compromised.
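To make "client side" concrete, here is an added example (not from the post, and not code from any of the sites it mentions) of a reflected XSS bug beside its fix in a toy Python search page. The server simply echoes a query parameter; whatever markup that parameter contains is parsed by the visitor's browser, while the server's own data is untouched. The route name, the `q` parameter and the probe input are assumptions made for the example.

```python
# Added example (not from the original post): a reflected XSS bug and its fix.
# The vulnerable handler copies a query parameter straight into the HTML it
# returns, so any markup in that parameter runs in the *client's* browser;
# the server itself is untouched. The hardened handler output-encodes it.
import re
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed probe request: a harmless script tag used to show the difference.
PROBE_REQUEST = "/search?q=<script>probe()</script>"


def search_term(request_target):
    """Pull the 'q' parameter out of a request target such as /search?q=tea."""
    params = parse_qs(urlsplit(request_target).query)
    return params.get("q", [""])[0]


def render_search_vulnerable(request_target):
    """Reflects user input unencoded: a browser will parse any tags it contains."""
    return f"<p>You searched for: {search_term(request_target)}</p>"


def render_search_hardened(request_target):
    """Same page with HTML output encoding, so the input is shown as text only."""
    return f"<p>You searched for: {escape(search_term(request_target), quote=True)}</p>"


def script_tags(html_fragment):
    """Count opening <script tags, i.e. what a browser would actually execute."""
    return len(re.findall(r"<script\b", html_fragment, re.IGNORECASE))


if __name__ == "__main__":
    print("vulnerable:", render_search_vulnerable(PROBE_REQUEST))
    print("hardened:  ", render_search_hardened(PROBE_REQUEST))
```

`html.escape` is the right fix for text placed between tags; a value placed inside an attribute, a URL or a script block needs the encoding appropriate to that context, which is why frameworks' template auto-escaping is preferred over hand-placed calls.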


2) As an Ethical Hacker and Security Consultant, what do you think are the challenges in cyber security here, and worldwide?

One of the challenges we face, not just in Singapore but also in other countries, is investment in cyber security. Singapore, like the USA and Israel, has invested billions in physical military warfare but not much in the technology and manpower of a cyber military. In my opinion, we should invest not just in F-16 jets but also in the technology and skills that could potentially bring down an F-16 jet using a laptop. When I went to a security conference in Amsterdam, a hacker showed how he could potentially hack the control systems of an airplane. If we think that is farfetched, in 2011 hackers from China managed to hack and control a NASA satellite for approximately 11 minutes. Needless to say, when it comes to hacking, nothing is impossible.

Another thing is skillset. Before 2007, local institutions, polytechnics and universities did not have courses involving ethical hacking; such courses were mostly found in private institutions. In the US, schools are established for future and potential hackers: hacker schools and hacking academies are created so that students are trained from young. In India, for example, students are exposed to security at such a young age that you have people like Ankit Fadia, an Indian hacker who published a book on ethical hacking at the age of 16. However, I am glad that the government understands the importance of cyber security, and since mid-2007 ethical hacking modules and courses have been introduced in the majority of local institutions. The graduates from these faculties will be the ones who safeguard our network and infrastructure.

The third thing is security education and conferences. In Singapore there are not many security conferences open to the public. There is one held annually here called Syscan, and I believe such a conference benefits the security community in Singapore. There are also other conferences such as GovWare, but such government-sponsored conferences are not open to the public and can be expensive at times. If we look at countries such as the US, those in Europe and even Malaysia, a number of conferences are held every year that are affordable and open to the public. Singapore must learn from such countries and organize more conferences open to the public that educate people in security awareness and the importance of the roles they play in their organizations. Remember that security is a shared responsibility.

3) Are companies here prepared to deal with cyber challenges? Why or why not?

As long as a company invests in cyber security, I believe it is more or less prepared for potential cyber challenges. Whenever there's a hacking incident, security officers and management will question 3 important things: whether the Confidentiality, the Integrity and the Availability of the information got compromised. Therefore, even if the website got defaced, at least the information or data was not compromised, stolen or leaked.
 
4) What have been your experiences in ethically "hacking" company sites? What more can be done?

One of the most important things before ethically hacking company sites or servers is to ensure we have agreed on the rules of engagement, the DOs and the DON'Ts. Trust is a very important matter. Just imagine if we were able to compromise a credit card database; this is where the word ethical comes into hacking. Such major findings are reported to the stakeholders, and we assist them with recommendations on how to remediate them. Security managers in organizations must also understand the difference between performing a vulnerability assessment and a penetration testing assessment. Both may sound similar but are totally different when applied.

Companies can additionally invest in security services that perform vulnerability assessments and risk analysis on a periodic basis, instead of doing it just because they have to abide by their policies and audit requirements.

Monday 9 December 2013

Microsoft Windows Remote Desktop Protocol Remote Code Execution Vulnerability (MS12-020) - Validating the Findings

Results from Qualys Scan

ISSUE:
Microsoft Windows Remote Desktop Protocol Remote Code Execution Vulnerability (MS12-020)

THREAT:
The Remote Desktop feature in Windows enables access to all of the programs, resources and accessories on a user's computer from a second Windows-based computer.

A remote code execution vulnerability exists in the way the Remote Desktop Protocol accesses an object in memory that has been improperly initialized or has been deleted (CVE-2012-0002).

A denial of service vulnerability exists in the way the Remote Desktop Protocol service processes packets. An attacker who successfully exploited this vulnerability could cause the target service to stop responding (CVE-2012-0152).

IMPACT:
Successfully exploiting these vulnerabilities might allow a remote attacker to execute arbitrary code or cause a denial of service.

SOLUTION:


Validating the Findings:

Using NMAP to verify the Vulnerability

#nmap -sV -p 3389 --script rdp-vuln-ms12-020 <IP>


Saturday 7 December 2013

Royal Bank of Scotland - When Modern Hackers meet Outdated Bankers

"As he apologised, RBS boss Ross McEwan admitted the bank had failed to invest in IT systems for decades."



This is one of the reasons why systems in organizations fail and get compromised so easily. The failure to invest in IT systems is not just a problem for Ross McEwan but also for other CEOs and bosses. Many simply see it as something troublesome and still adopt the idea that 'If nothing is wrong with it, why change?'. While that may be true depending on how one applies it, in this new generation of increasing threats and cyber criminals, that idea must no longer be practiced.

Cyber threats are always increasing no matter how secure we think we are. One of the ways to counter these threats is to periodically upgrade and update the systems and servers in the organization. Bankers should not just focus on the physical aspects of security such as advanced money safes, patrolling guards (human or electronic), security cameras and so on, but also on the IT aspects. This may take the form of patch management, upgrading the OS to the latest available, performing periodic system security assessments and audits, and complying with security standards.

I have seen big companies still using unsupported versions of operating systems such as Windows XP. I have seen critical services hosted on the Windows platform. I have seen huge organizations still using the likes of Windows 2000 despite it now being the year 2013. Of course, one of the reasons bosses do not want to change is the amount of work and money to be invested. They ask questions like: will it support their current software, will there be an issue upgrading from this to that, will the migration be a painful process; and some raise concerns about hiring vendors to support the migration: can they be trusted, and how can they guarantee that their data will not be leaked by these external parties?

The answer is not as easy as one might think, but this is where trust comes into play. Agreement documents such as the NDA (Non-Disclosure Agreement) and many legal aspects will play a part in the human-relationship side of it. Bosses should not take advantage of their current security posture by thinking "Why should I change when we have not been compromised before?"... that thinking will definitely be the beginning of the downfall, and potential cyber criminals may eventually take advantage of it. Bosses should now think that they would rather 'waste' their money securing and upgrading their systems than have millions stolen and, worse, have the customers impacted by it switch banks because of such incidents, leaving the affected bank(s) in a dilemma and meltdown.

Money is no longer just a physical thing. Transactions are frequently made in ones and zeros in the digital world, and financial organizations responsible for guarding this money should not just ensure that their physical safe is secured but also ensure that the electronic aspects are digitally secured as well.

To quote Richard A. Clarke, the author of Cyber War - “If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked."

Friday 6 December 2013

Standard Chartered 'Hacked'

Hack, Evidence, Prosecution, Processes, Trust and Moving on.....



In a recent incident involving James Raj, allegedly known as The Messiah, Standard Chartered client statements were found on James Raj's laptop. This quickly took readers on a journey to hate the Anonymous group that James Raj was supposedly part of.

While we have no visibility as to how the data got onto James Raj's laptop, one thing I would question is the evidence gathered. It is not simply about blaming him because the data was on his laptop. Investigators must find evidence that can illustrate that it was indeed James Raj who stole the information. This must be in the form of logs from both the laptop and Fuji Xerox. A company like Fuji Xerox would surely have log gathering and management in place, and investigators must ensure that the logs tally, confirming that a network connection was indeed made from James Raj's IP address to Fuji Xerox's server.

Cyber forensic investigators must also be able to retrieve the logs from the laptop, not just to confirm that his laptop was used but to confirm that no other connections were made from other sources to James Raj's machine, using it as a proxy to attack FX. The timing of the connections made must be in sync. Metadata of the logs must not be tampered with (especially by amateur evidence handlers).

Below is a high-level graphical example of how James Raj's machine could have been used in the theft of the data.



How could this be possible?

During #OpTunisia, there were a lot of protests against the Tunisian government. This led to outsiders wanting to take part as well. As they were outside Tunisia, they relied on the internet to voice their unhappiness with the Tunisian government. Government websites were hacked and defaced (no information was stolen) by hackers. The Tunisian government fought back by blocking all connections from outside Tunisia to the government websites. A hacker known as Sabu managed to find a Tunisian citizen's machine to use as a proxy to connect to the government website. All he had to do was connect to that machine as a proxy and attack the Tunisian government website from there. Reports stated that, due to the small pool of experts in handling such incidents, the owner of that machine was arrested and the hacker was left free.

Source: From the Book 'We are Anonymous' by Parmy Olson. Page 143 - 146

Lesson that we can Learn

Skillful hackers do not connect and hack the target directly from their own machines, but that does not mean n00b hackers do not know how to hide their tracks as well. Investigators will need to identify the logs properly and securely and ensure that in no way is the evidence tampered with during the course of the investigation. These logs must exist on both the machine and the server to ensure that the evidence of the connections made is true and in sync. If logs or files are suspected to have been deleted, investigators should clone the entire image of the hard disk, use a data recovery tool and identify the evidence from there. The operating system itself should be checked for whether ports such as telnet and other shell-like services, or vulnerabilities, were open/present. This could be further evidence to suggest that James Raj's laptop was already vulnerable to other machines connecting to it, possibly using his machine to leverage the attack. Only when all these are gathered will the public be confident of the methodologies, processes and techniques used during the gathering of the evidence, covering all possible factors of an external party using Raj's machine as a proxy to attack.
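The two checks the post asks for, that the laptop's and the server's logs tally in time and that nothing else was connected into the laptop when the downloads happened, can be mechanised. The following is an added example, not part of the original post and not taken from any real investigation: it correlates a suspect machine's connection log with a server's access log and flags requests that are corroborated, corroborated but preceded by an inbound session (the proxy scenario above), or uncorroborated. The log formats, timestamps and addresses (RFC 5737 documentation ranges) are constructed for the example; real firewall and web-server logs need their own parsers.

```python
# Added example (not from the original post): correlate a suspect laptop's
# connection log with the server's access log, and flag the case where another
# host was logged into the laptop shortly before (possible use as a proxy).
# Log formats and addresses are constructed for this example.
import re
from datetime import datetime, timedelta, timezone

LAPTOP_LINE = re.compile(r"^(\S+) (IN|OUT) (\S+):(\d+) -> (\S+):(\d+)$")
SERVER_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_ts(text):
    """All timestamps are UTC here; logs from different hosts must be aligned first."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_laptop_log(lines):
    events = []
    for line in lines:
        m = LAPTOP_LINE.match(line)
        if m:
            ts, direction, src, _sport, dst, dport = m.groups()
            events.append({"ts": parse_ts(ts), "dir": direction, "src": src,
                           "dst": dst, "dport": int(dport)})
    return events


def parse_server_log(lines):
    events = []
    for line in lines:
        m = SERVER_LINE.match(line)
        if m:
            ts, client, method, path, status = m.groups()
            events.append({"ts": parse_ts(ts), "client": client, "method": method,
                           "path": path, "status": int(status)})
    return events


def correlate(laptop_events, server_events, laptop_ip, server_ip,
              tolerance=timedelta(seconds=30), relay_window=timedelta(minutes=10)):
    """For each server request from the laptop's IP, return (path, verdict).

    CORROBORATED: the laptop logged an outbound connection to the server within
      `tolerance` of the server's timestamp.
    CORROBORATED_INBOUND_SESSION: as above, but another host had connected into
      the laptop within `relay_window` beforehand, so the laptop may have been a
      stepping stone and its owner is not yet the only candidate.
    UNCORROBORATED: no matching laptop event; suspect clock skew, missing logs
      or tampering before drawing any conclusion.
    """
    outbound = [e for e in laptop_events if e["dir"] == "OUT" and e["dst"] == server_ip]
    inbound = [e for e in laptop_events if e["dir"] == "IN" and e["dst"] == laptop_ip]
    findings = []
    for req in server_events:
        if req["client"] != laptop_ip:
            continue
        nearest = min(outbound, key=lambda e: abs(e["ts"] - req["ts"]), default=None)
        if nearest is None or abs(nearest["ts"] - req["ts"]) > tolerance:
            findings.append((req["path"], "UNCORROBORATED"))
            continue
        relayed = any(timedelta(0) <= nearest["ts"] - e["ts"] <= relay_window for e in inbound)
        findings.append((req["path"], "CORROBORATED_INBOUND_SESSION" if relayed else "CORROBORATED"))
    return findings


# Constructed sample logs: laptop 192.0.2.10, server 198.51.100.7, a third
# party 203.0.113.5 that opened an SSH session into the laptop beforehand.
LAPTOP_LOG = [
    "2013-11-04T21:14:50Z IN 203.0.113.5:40110 -> 192.0.2.10:22",
    "2013-11-04T21:15:03Z OUT 192.0.2.10:51822 -> 198.51.100.7:443",
    "2013-11-04T21:40:12Z OUT 192.0.2.10:51900 -> 198.51.100.7:443",
]
SERVER_LOG = [
    "2013-11-04T21:15:05Z 192.0.2.10 GET /statements/export 200",
    "2013-11-04T21:40:13Z 192.0.2.10 GET /statements/list 200",
    "2013-11-04T22:05:00Z 192.0.2.10 GET /statements/bulk 200",
    "2013-11-04T22:06:00Z 203.0.113.9 GET /login 200",
]


def run_sample():
    return correlate(parse_laptop_log(LAPTOP_LOG), parse_server_log(SERVER_LOG),
                     laptop_ip="192.0.2.10", server_ip="198.51.100.7")


if __name__ == "__main__":
    for path, verdict in run_sample():
        print(f"{verdict:30} {path}")
```

The tolerance and relay window are investigative choices, not facts: a few seconds of skew between two hosts' clocks is normal, so the first thing to establish from the evidence is each host's clock offset, and only then does an UNCORROBORATED verdict mean anything.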

Recent News may give Govt a Hard Time

Recent news about a government chemist in the States who was found guilty of tampering with evidence, which resulted in many innocents going to jail, will definitely have many minds questioning the genuineness of the evidence and the prosecution of James Raj, should James Raj be found guilty of the charges made against him.




Moving Forward

The way for organizations and companies to know whether they are ready for such an attack is to perform vulnerability assessments on their networks and servers. Only then will they know how they can fare against a potential attack. One of the mistakes organizations make is trusting their own security department to handle such assessments, but as they always say, it's better to have a new pair of eyes see what the internal team may be blinded to (similar to doing an audit). Hire ethical hackers/pentesters to simulate a real-world attack on your servers and networks and see how deep they can penetrate. Of course, rules of engagement and a non-disclosure agreement must be in place to maintain the confidentiality and integrity of the assessment for both parties involved.

Thursday 5 December 2013

Security Conferences in Singapore - 2014

Here is a list of security conferences in Singapore for 2014 that I have gathered so far.

What: Cyber Intelligence Asia
When: 14th March 2014
Where: TBA
Link: http://www.intelligence-sec.com/events/cyber-intelligence-asia-2014

What: Suits and Spooks Singapore
When: 20th March 2014
Where: Marina Square
Link: http://www.suitsandspooks.com/2014/03/suits-and-spooks-singapore/

What: Black Hat Asia
When: 25th - 28th March
Where: Marina Bay Sands
Link: http://www.blackhat.com/asia-14/

What: Syscan
When: 3rd - 4th April 2014
Where: Swissotel Merchant Court
Link: http://www.syscan.org/

What: RSA Conference Asia Pacific & Japan
When: 22nd - 23rd July 2014
Where: Marina Bay Sands
Link: http://www.rsaconference.com/events/ap14


Wednesday 4 December 2013

DNC Registry - Why it will be a Failure

So two days ago, on 2 Dec 2013, the PDPC (Personal Data Protection Commission) Singapore announced the Do Not Call Registry, where Singaporeans can register if they do not wish to receive nuisance calls or SMSes from telemarketers.



All the major local media started writing and publishing about it, spreading the news about this so-called awesome thing for consumers.



Source: http://business.asiaone.com/news/do-not-call-registry-opens-consumers

But will this work? Are you really not going to receive any nuisance calls from telemarketers? If there is one thing I have learned about security and personal data protection, it is to NEVER give out my contacts to any public website. The reason is simple: SPAM! And worse... a potential SCAM!

5 years ago, back when I was an IT support engineer, I received many 'cases' where users received lots of junk or SPAM emails from external domains. My question to them was simple: did you ever subscribe to any newsletter using your corporate email address? And alas, all of the answers were YES, they did. Some even argued that the sites they subscribed to using their corporate email had fine print saying their contacts would not be distributed... Here's a fact... that's hardly true!

Recently, I signed up for a new line with a major telephone company here. No one knew our new house number except ourselves, yet days later someone called me and threatened me about owing money to a loan shark. They somehow knew my address as well as my name. Now how the hell did they get my information when that information was not shared? I asked a friend about this so-called phenomenon and he shared that these loan sharks have contacts in the telephone companies and can get this information anytime they want. There's no such thing as privacy. I thought for a second and concluded... he was right! Our information will never be safeguarded no matter how much fine print you read.

Now back to the DNC registry. Why do I think this won't work? While it may sound like a good initiative, I have to say that it eventually will not work: huge corporations will see it as an issue, and if it affects potential business then be prepared to have this initiative backfire. Personally, I did not provide my email or phone numbers to the registry. Despite it being from an established organization, I still refuse to believe in it. Call me a paranoid dude, but with the things I have experienced, that site could simply be another huge harvester collecting all my info and, in the worst case, selling/distributing it to private telemarketing companies.

So how can we protect ourselves? 

For SMS advertisements, there is an option with every SMS to unsubscribe. This is one of the rules the government enforces on telemarketers: to give consumers the option to unsubscribe. So if we dislike the annoying SMSes, just type in the given number to unsubscribe from the service. It's a bit irritating to do this with every SMS, but we have to do our part if we want to have peace.

For emails, I recommend that people not use their personal or corporate email address when subscribing or signing up for anything online. No matter how much you think your information will not be leaked to others, it eventually will. To prevent this, create a new email address and use that to sign up for everything. You do need to do your part and check that new address for incoming emails, but 95% of the time it's just more advertisements and promotions that you can find online anyway. Also, do not type your full email address when writing blogs or sending messages online. Whenever you do that, your email address or phone number is guaranteed to be 'stolen' by online harvesters. Put your email address like this instead:
name (at) organization (dot) com
This way, email harvesters will not be able to understand it and will not collect this information.
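Why the "(at) / (dot)" spelling works, and where it stops working, can be shown in a few lines. The following is an added example, not from the original post: a function that rewrites an address the way the post suggests, and the kind of plain `user@domain.tld` pattern a simple scraper matches against page text. The sample post text is constructed.

```python
# Added example (not from the original post): the "(at) / (dot)" spelling
# versus a simple address-harvesting pattern. Sample text is constructed.
import re

# What a simple harvester looks for in scraped text: local-part@domain.tld
PLAIN_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def obfuscate(address):
    """Rewrite user@host.tld as 'user (at) host (dot) tld', as the post recommends."""
    local, _, domain = address.partition("@")
    return f"{local} (at) {domain.replace('.', ' (dot) ')}"


def harvest(text):
    """Return every plain address the simple pattern finds in a block of text."""
    return PLAIN_EMAIL_RE.findall(text)


# Constructed page text: one plain address, one written the obfuscated way.
SAMPLE_POST = ("Contact me at alice@example.org, or reach "
               "bob (at) example (dot) org instead.")

if __name__ == "__main__":
    print("harvested from sample:", harvest(SAMPLE_POST))
    print("obfuscated form:", obfuscate("alice@example.org"))
```

The trick only defeats scrapers that look for a literal `@`; a scraper written to normalise "(at)" and "(dot)" back into an address recovers it trivially, which is why the post's stronger advice, a separate sign-up address that you expect to be spammed, is the control to rely on.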

For telephone calls, this is a tough one. I'm pretty confident that every one of us gets/got phone calls from insurance companies or banks trying to talk you into buying their 'promotions'. Do not scold them or shout at them. What I usually do is this. When I receive a call from a displayed number, I listen for a few minutes until I have verified that it's just a call from a company trying to sell me something. I then politely tell them that I'm in a meeting/at lunch/in the toilet/etc., and tell them to call back in 10 or 30 minutes. Once acknowledged, save that number and add it to your block list. Easy, right? You don't have to be angry or anything. But what if it's a private number? Then politely tell them that you are busy and ask for their number so you can call them back. Usually they will not provide the number, and usually they will not call you back when you insist.

Remember, YOU HAVE EVERY RIGHT TO DO IT! 


Privacy?


From the movie: Operation Takedown.






SSL/TLS use of Weak RC4 cipher - Validating the Findings

Results from Qualys Scan

ISSUE:
-SSL/TLS use of weak RC4 cipher

THREAT:
Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS ) protocols provide integrity, confidentiality and authenticity services to other protocols that lack these features.

SSL/TLS protocols use ciphers such as AES, DES, 3DES and RC4 to encrypt the content of the higher-layer protocols and thus provide the confidentiality service. Normally the output of an encryption process is a sequence of random-looking bytes. It was known that RC4 output has some bias. Recently a group of researchers discovered that there is a stronger bias in RC4, which makes statistical analysis of ciphertext more practical.


The described attack is to inject malicious JavaScript into the victim's browser that ensures multiple connections are established with a target website and the same HTTP cookie is sent to the website multiple times in encrypted form. This provides the attacker a large set of ciphertext samples that can be used for statistical analysis.

IMPACT:
If this attack is carried out and an HTTP cookie is recovered, then the attacker can use the cookie to impersonate the user whose cookie was recovered.


This attack is not very practical as it requires the attacker to have access to millions of samples of ciphertext, but there are certain assumptions an attacker can make to improve the chances of recovering the cleartext from ciphertext. For example, HTTP cookies are either base64 encoded or hex digits. This information can help the attacker in their efforts to recover the cookie.

SOLUTION:
RC4 should not be used where possible. One reason RC4 was still being used was the BEAST and Lucky13 attacks against CBC mode ciphers in SSL and TLS. However, newer versions of TLS have addressed these issues.


Validating the Findings


Using SSLscan

#sslscan --no-failed <IP>


Using Nmap

#nmap --script ssl-enum-ciphers -p 443 <IP>


Using SSLAudit.exe
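sslscan and nmap's ssl-enum-ciphers both end up listing the cipher suites the server will accept; confirming the Qualys finding means reading that list for RC4 (and, while you are there, for the other suites that should not be offered). The following is an added example, not from the original post and not code from either tool: it extracts IANA-style suite names from free-form scanner text and tags the weak ones. The scanner output embedded in it is constructed and does not reproduce either tool's real format.

```python
# Added example (not from the original post): tag weak cipher suites in the
# text a scanner prints, so the Qualys RC4 finding can be confirmed from the
# tool output. SAMPLE_OUTPUT is constructed, not real sslscan/nmap output.
import re

SUITE_RE = re.compile(r"TLS_[A-Za-z0-9_]+")

# (pattern applied to the IANA suite name, tag) in the order tags are reported
WEAKNESS_RULES = [
    (re.compile(r"_RC4_"), "RC4"),          # biased keystream (this finding)
    (re.compile(r"_DES(40)?_"), "DES"),     # single DES / 40-bit export DES (not 3DES)
    (re.compile(r"_EXPORT_"), "EXPORT"),    # deliberately weakened key sizes
    (re.compile(r"_NULL_"), "NULL"),        # no encryption at all
    (re.compile(r"_anon_"), "ANON"),        # no server authentication
    (re.compile(r"_MD5$"), "MD5"),          # MD5-based MAC
]


def assess(suite):
    """Return the list of weakness tags that apply to one cipher-suite name."""
    return [tag for pattern, tag in WEAKNESS_RULES if pattern.search(suite)]


def extract_suites(scanner_output):
    """Pull every IANA-style suite name out of free-form text, deduplicated in order."""
    seen = []
    for name in SUITE_RE.findall(scanner_output):
        if name not in seen:
            seen.append(name)
    return seen


def grade(scanner_output):
    """Map each offered suite to its weakness tags ([] means no rule fired)."""
    return {suite: assess(suite) for suite in extract_suites(scanner_output)}


def rc4_offered(scanner_output):
    """The yes/no answer to 'is the RC4 finding real on this host?'."""
    return any("RC4" in tags for tags in grade(scanner_output).values())


# Constructed sample listing, loosely modelled on a per-protocol cipher dump.
SAMPLE_OUTPUT = """\
TLSv1.0 ciphers offered (constructed sample):
  TLS_RSA_WITH_RC4_128_SHA
  TLS_RSA_WITH_RC4_128_MD5
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_RSA_WITH_AES_128_CBC_SHA
  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
  TLS_RSA_WITH_NULL_SHA
  TLS_DH_anon_WITH_AES_128_CBC_SHA
"""

if __name__ == "__main__":
    for suite, tags in grade(SAMPLE_OUTPUT).items():
        print(f"{suite:45} {', '.join(tags) or 'ok'}")
    print("RC4 offered:", rc4_offered(SAMPLE_OUTPUT))
```

The rules encode the policy in the SOLUTION text above (no RC4) plus the suites no scanner should see offered at all; 3DES is deliberately left untagged to match that text, and the list is the place to extend as policy tightens. Whichever tool produced the listing, the validation is the same: if any RC4 suite appears, the Qualys finding stands.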