Category Archives: cybersecurity

It's all in the Cloud(s)

The Internet is changing yet again. One of my predictions for 2018 is that everyone will witness a migration from corporate or private data centers to the ‘Cloud’, or Internet hosted data centers. There have been tremendous advances made in both securing the Cloud and sharing with the broader technical community how to secure the Cloud.

Some important reading material about Cloud security includes:

Amazon’s Shared Responsibility Security Model,

Azure’s Security Center, and

Google’s Application Layer Transport Security.


International Cyber Conflicts @ Coursera

I just finished the course 'International Cyber Conflicts' at Coursera. The course was developed and led by professors Sanjay Goel and Kevin Williams from the State University of New York at Albany. This was a five-week course that consisted of recorded presentations with inline questions, discussion forums, and end-of-week quizzes.

The presentations and readings for this course were good. After several readings referred to Cybersecurity and Cyberwar by Singer and Friedman, I elected to buy the book. I had been able to obtain the book through my local library on an interlibrary loan; after the second reading I really enjoyed the book and purchased it via Amazon.

I would say the only downside to this course, like others that I have viewed, is that the discussion forums were not really that good. The discussion forums themselves merged comments from previous offerings of the course (from about a year ago). I can appreciate why the instructors did this: it was an attempt to seed the discussion forums and get more people contributing. I didn't think that worked. And then, as with many Coursera offerings, some people just don't understand or seek to contribute to the discussions. Tighter moderation might help there.

I enjoyed the course and would recommend it to anyone interested in cyber security. The course is free unless you request a completion certificate.


USB Forensics

I recently came across two very good articles about USB forensics.

The Hitchhiker's Guide to USB Forensics was published at the Cyberforensicator site by Oleg Skulkin and Igor Mikhaylov. It is a very well thought out and written description of how to find out, by operating system analysis, what files have been copied to a USB device. They used a Windows 10 virtual machine and the Oxygen Forensics AXIOM tool to conduct a basic analysis, locating evidence about what files have been copied or moved.

I was looking for references on how to investigate just the USB drive itself. I found the SANS Computer Forensic Guide to profiling USB Thumbdrives on Win7, Vista, and XP, a blog post by Rob Lee dated September of 2009. This was more in line with what I was looking for, given that one has found the USB device and wants to start treating it as evidence. Rob had also written about the differences between analyzing USB thumb drives and drive enclosures. There was much good info in both posts.
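As an added example (not code from either article), here is a small Python parser for the first step of the SANS-style profiling: given a `reg export` of the USBSTOR key, it pulls the vendor, product, revision and serial number out of each device instance key, attaches the FriendlyName value, and applies the guide's caveat that an instance id whose second character is '&' means Windows generated the id because the device reported no unique serial number. The .reg text below is constructed for the example; the vendors, serials and names are made up.

```python
import re

# Constructed sample of a `reg export` of the USBSTOR key (not real evidence).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567890123&0]
"FriendlyName"="SanDisk Cruzer Blade USB Device"
"Class"="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1a2b3c4d&0]
"FriendlyName"="Generic Flash Disk USB Device"
"Class"="DiskDrive"
"""

# A device instance key looks like
#   ...\USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>\<instance id>
# where the instance id is the device serial number followed by "&<port>".
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\"
    r"Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>[^\\\]]*)"
    r"\\(?P<instance>[^\\\]]+)\]$"
)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def profile_usbstor(reg_text):
    """Return one dict per USB mass-storage device instance found in the export."""
    devices = []
    current = None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            instance = m.group("instance")
            serial = instance.rsplit("&", 1)[0]   # drop the trailing "&<port>"
            current = {
                "vendor": m.group("vendor"),
                "product": m.group("product"),
                "revision": m.group("revision"),
                "serial": serial,
                # If the second character is '&', Windows generated the id because
                # the device reported no unique serial number (the SANS guide's caveat).
                "unique_serial": len(instance) > 1 and instance[1] != "&",
                "friendly_name": None,
            }
            devices.append(current)
            continue
        if line.startswith("["):
            current = None            # some other key: stop attributing values
            continue
        v = VALUE_RE.match(line)
        if v and current is not None and v.group("name") == "FriendlyName":
            current["friendly_name"] = v.group("value")
    return devices


if __name__ == "__main__":
    for d in profile_usbstor(SAMPLE_REG):
        print(d)
```

A device without a unique serial cannot be tied to a specific physical stick by the registry alone, so treat such entries as "a device of this make" rather than "this device" when building a timeline.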



The State of Internet Privacy? In Shambles. Moving on.

Many would consider me an Internet Old Timer. I used 'The Internet', then called ARPAnet, back in the days when I worked as a Software Engineer for a US defense contractor. Securing communications and having confidence in message integrity, both in the identity of the sender and in the integrity of the content, have always been important, if not vital, to communications over the Internet. I was struck by this blog post in part because I have heard of Filippo's work, but most of all because I completely agree with his message.


Websites Intentionally Disabling Password Managers

It wasn’t just me.  The folks at Wired have noticed that some web sites are not really very password manager friendly.

I travel fairly often. Lots of that travel is for work, but I do get around on personal business and to get away. One of my go-to sites for travel is Hilton dot com. I've been a Hilton customer for a long time. I like their hotels. I think they treat me well wherever I go. This isn't an advertisement for Hilton; your mileage (and accommodations) may vary.

When you sign in at the Hilton site you typically see a prompt for a user name and password along with a check box for 'remember me', which makes the site drop a cookie in your browser. This window also has 'forgot your sign in' and 'register for site' dialogues.

The annoying thing is that Hilton has added a check to see if you are a robot. It seems that if the cookie isn't found in your browser, the site adds a robot test to see if the session has a user attached. I found the test usually involves matching text to pictures. The annoying thing about the test is that if you often clear cookies (as many security researchers, myself included, do) you'll run into this robot check more often than the general public (many of whom unknowingly tolerate cookies).

If I use my password manager, this test comes up after that software has filled in the username and password fields and submitted the data, so my login fails. Once that failure happens I have to complete the form and the robot test manually and then submit.

It is mildly annoying but I’m still spending lots of time at Hilton properties.


New Apple Guidelines Explain What Data the Company Will Provide to Law Enforcement

Ars Technica has a great article that explains recently published Apple guidelines regarding what customer data the company will provide to law enforcement. Reviewing and understanding Apple's position is important because the company's consumer devices, such as the iPhone, the iPad, and Mac computers running OS X, readily give users the ability to use both local and cloud storage for data.

The guidelines that are referenced in the ars article were posted by Apple under the heading “Legal Process Guidelines for U.S. Law Enforcement” and were released on May 7th, 2014.

Seminars at the John Jay Center for Private Security and Safety

If you are near New York City and interested in cyber security and criminal justice, I suggest attending the seminars at the Center for Private Security and Safety at John Jay College in Manhattan. I attended seminars on cybersecurity and cyber espionage. The presenters I saw are faculty from the college. I found the seminars to be very well prepared and presented. The technical level of the seminars seems targeted at an upper-class undergraduate (junior or senior), but all questions, both more and less technical in nature, were answered.

Why Security is Hard: When APTs became TPAs

Trying to secure the Internet and all its users, content, and services is a difficult job. The Internet is a global resource that supports many different cultures and languages. The purposes of the web sites on the Internet vary from commercial sites selling products and services to informational sites about more topics than most people need or care to know about. There is a myriad of operating systems and applications used to produce and access those sites. As if Advanced Persistent Threats (APTs) were not bad (or scary) enough, there is now a new term used to describe the attacks that security personnel are trying to secure all these operating systems and applications from. Welcome, Targeted Persistent Attacks (TPA)!

The first place I came across TPA was over at Tech Republic. During an interview with the Research Vice President at NSS Labs they report:

“The truth of the matter is that an APT is sometimes made up of known exploits/vulnerabilities that are not that Advanced; so the term APT doesn’t define the action correctly. TPA highlights that the actor is going after a specific target such as company X or an entire industry sector like financial services, and will be persistent in attacking the target”

Uhh? So the reason we need a new category of product is because some malware writer slacked off and didn't use the latest, most advanced exploit or vulnerability and instead used something that Microsoft already addressed a couple of Tuesdays ago?

To be fair, this blog post, which also appeared at NSS Labs, makes a better case for the new term (TPA, that is). What NSS Labs seems to be talking about here is threat or breach detection. Of course, there is also a TPA-focused Breach Detection Systems (BDS) product buyers' guide.


Using a Heat Map to Relate Security Information

I have been thinking a lot about how security practitioners can share information. They need to be able to tell the masses about security issues; I usually refer to this as security awareness. They also need to be able to communicate the current security and risk state to organizational leaders. I came across an interesting web site that uses a Heat Map to relate security state information.

Exploit of Trust Hack in a K-12 School

I was contacted the other day and asked to assess the threat posed by the email below. The message was sent to much of the professional staff of a local school district. The subject line read "URGENT. MUST READ.". The email was from an email account at a North Carolina, US university. The contents of the message were a link to a web site that read in part "Contact Update".

[Screenshot, 2013-05-29: the email message]

Following the link, users were taken to a web page that looked like the one below. The title of the page is "School Support Team" and it asks the user to enter their first and last names, date of birth, email address, username, and password ("p-word", with confirmation).

[Screenshot, 2013-05-29: the "School Support Team" form]

There is no title that associates the site with the school district. If anything, the form asking for a "p-word" should have raised a caution flag for anyone who saw it.

A number of people who received the email message contacted the IT department and asked what they should do.  As the IT administrators fielded more calls they sent email messages to all of the district’s users alerting them not to respond to this message.

In the end several employees acknowledged that they had not only received and read the email message but that they had followed the link and filled out the form. I wish I could say that these were all low-level folks who didn't know better. But I can't.

When discovered by the IT staff these employees were advised to change their passwords immediately. Should their accounts have been disabled, forcing them to choose a new password? Probably. But the IT staff and the district don't have policies in place to mandate such a move.

What's worse is that some employees complained that they could not change their passwords. You see, they would not be able to remember anything else. And some of those same people reported that their school password matched the one they use for their home email and banking. Yes. That was priceless.

Some employees complained that the web filter that blocks them from viewing their favorite web sites while at work should have stopped the message from getting through, or stopped them from being able to access the web site and form. The reality is that the message was delivered from an email address at a university. This message exploited the trust relationship formed because the supposed sender was in the "dot edu" domain. The chances that the web or email filter at a school would block a message from another school are slim. An important takeaway from this should be that web sites hosted at free web providers like this one should be blocked. I did advise that they add the site to their blacklist.

What can come of this?  I would expect that any account for which the user entered a username and password will be probed.  My guess is that this was a data gathering exercise and that the probes will not start immediately.

If you are a school district IT professional, here is what you should add to your defenses. The link in the message referred to a free web hosting site at webs dot com.

[Screenshot, 2013-05-29: the link to the page hosted at webs dot com]

The web site used a form that was created at the free form service Freedback dot com.

[Screenshot, 2013-05-29: the Freedback dot com form]

I would suggest adding these sites to your local blacklist.
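The checks described above, as an added example (not part of the original post and not the district's tooling): a Python triage script that takes a raw message, extracts the links from its text parts, and flags any link that is hosted on a free web-hosting or form service or that sits outside the sender's domain. The blocklist holds the two services named in the post and is meant to be extended locally; the message, sender address and link host are constructed, not the real ones.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Illustrative blocklist of free web-hosting / form-builder services; the two
# names come from the post above, extend with whatever you see locally.
FREE_HOSTING_SUFFIXES = ("webs.com", "freedback.com")

# Constructed sample message modelled on the one described above (not the
# actual e-mail; sender and link hosts are made up).
SAMPLE_EML = """\
From: Help Desk <helpdesk@example-university.edu>
To: staff@example-district.k12.us
Subject: URGENT. MUST READ.
Content-Type: text/plain; charset=utf-8

Contact Update: all staff must confirm their details at
http://schoolsupportteam.webs.com/contact-update
Thank you,
School Support Team
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_matches(host, suffixes):
    """True if host equals, or is a subdomain of, any of the given suffixes."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def extract_urls(msg):
    """Collect http(s) URLs from every text/plain and text/html part."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def triage(raw_message):
    """Return [(url, host, [reasons])] for each link found in the message.

    Reasons: 'free-hosting' when the link host is on FREE_HOSTING_SUFFIXES,
    'sender-domain-mismatch' when it is not under the From: address's domain.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = str(msg["From"])
    sender_domain = sender.rsplit("@", 1)[-1].strip("> ").lower()
    findings = []
    for url in extract_urls(msg):
        host = urlparse(url).hostname or ""
        reasons = []
        if host_matches(host, FREE_HOSTING_SUFFIXES):
            reasons.append("free-hosting")
        if not host_matches(host, (sender_domain,)):
            reasons.append("sender-domain-mismatch")
        findings.append((url, host, reasons))
    return findings


def is_suspicious(raw_message):
    """A message is suspicious if any of its links is flagged for any reason."""
    return any(reasons for _, _, reasons in triage(raw_message))


if __name__ == "__main__":
    for url, host, reasons in triage(SAMPLE_EML):
        print(url, host, ", ".join(reasons) or "ok")
```

The sender-domain check is the part that a plain domain blacklist misses: a link from a "dot edu" sender to a host the university does not own is exactly the trust exploit the post describes, and it would still be flagged here even if the hosting service were not on the list.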

I did contact Freedback dot com, Webs dot com, and the university that the email came from.  To their credit the team at Freedback dot com responded to my twitter requests to block the site within hours.  The team at webs dot com responded the next business day.  The University still has not responded.

What's the threat here? Given the use of the "p-word", I don't think the attacker is local to the east coast of the US. This could be just a person or company that sells into schools, gathering data so as to avoid cold calling. Or this could be an attacker trying to locate users who give up their passwords, with the intent of later finding other accounts (think Yahoo Mail or Gmail).

My strong recommendation to the person who called me was to step up security awareness training for all district employees.