Isolate the Stupid

Posted: 18 September 2014 in Uncategorized

Earlier today I wandered straight into the middle of a conversation between colleagues and overheard one of them say the wonderful phrase “isolate the stupid”. To be fair, I have taken it completely out of context of the original conversation, but I liked the phrase so much I thought I would use it for my own nefarious ends.

We are regularly called upon to provide help to organisations that have suffered a breach, and now need to quickly find out what happened so that they can bolt the door so no more horses escape.

A common contributing factor we see in this kind of situation is a huge, flat internal network structure – one that mixes together on the same logical wire: servers, desktops and peripherals, and horror-of-horrors, bring-your-own devices. All it takes is one stupid simple mistake, such as a user clicking on a misleading phishing email, and the attacker suddenly has unrestricted physical access to the whole internal network environment.

In security parlance, compartmentalisation is the concept of breaking environments into discrete, logical components, whereby a failure is contained from spreading. In almost all these situations, a modicum of compartmentalisation would have either prevented, or greatly reduced the impact of the breach.

Isolate the stupid.
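As an added illustration of the compartmentalisation point (example code written for this page, not from the original post), the script below models a network as segments plus the flows an internal firewall permits between them, then computes the blast radius of a single phishing-compromised host on a flat network versus a segmented one, and which single permitted flow would be most worth cutting. Segment names, asset counts and the flow allow-list are constructed for illustration.

```python
"""Blast-radius check for a network segmentation policy.

Added example, not from the original post. The network is modelled as
segments plus the flows the internal firewall permits between them; the
script then computes which segments an attacker can pivot into from one
phishing-compromised host, first on a flat network and then on a
compartmentalised one. Segment names, asset counts and flow lists are
constructed for illustration.
"""
from collections import deque

# Constructed sample: how many assets live in each segment.
SEGMENTS = {
    "desktops": 400,
    "byod": 120,
    "printers": 30,
    "app-servers": 25,
    "db-servers": 10,
    "domain-controllers": 3,
}

# Constructed sample: a conservative allow-list of (source, destination) flows.
SEGMENTED_POLICY = {
    ("desktops", "printers"),
    ("desktops", "app-servers"),
    ("desktops", "domain-controllers"),   # authentication traffic
    ("byod", "printers"),
    ("app-servers", "db-servers"),
    ("app-servers", "domain-controllers"),
}


def flat_policy(segments):
    """One flat LAN: every segment may talk to every other segment."""
    return {(src, dst) for src in segments for dst in segments if src != dst}


def reachable_from(start, policy):
    """Breadth-first walk over permitted flows. The pessimistic assumption
    is that any permitted flow can be abused for lateral movement, so the
    result is the set of segments a compromise of `start` can spread to."""
    seen = {start}
    queue = deque([start])
    while queue:
        here = queue.popleft()
        for src, dst in policy:
            if src == here and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def blast_radius(start, policy, segments=SEGMENTS):
    """Number of assets exposed once a host in `start` is compromised."""
    return sum(segments[seg] for seg in reachable_from(start, policy))


def most_valuable_cut(start, policy, segments=SEGMENTS):
    """Which single permitted flow, if removed, shrinks the blast radius
    the most? Returns (flow, assets_no_longer_reachable)."""
    baseline = blast_radius(start, policy, segments)
    best_flow, best_gain = None, 0
    for flow in sorted(policy):          # sorted for a deterministic answer
        gain = baseline - blast_radius(start, policy - {flow}, segments)
        if gain > best_gain:
            best_flow, best_gain = flow, gain
    return best_flow, best_gain


if __name__ == "__main__":
    flat = flat_policy(SEGMENTS)
    print("flat network, desktop compromised:", blast_radius("desktops", flat))
    print("segmented, desktop compromised:   ", blast_radius("desktops", SEGMENTED_POLICY))
    print("segmented, BYOD compromised:      ", blast_radius("byod", SEGMENTED_POLICY))
    print("best single cut from desktops:    ", most_valuable_cut("desktops", SEGMENTED_POLICY))
```

On the constructed data a compromised desktop exposes all 588 assets on the flat network but 468 on the segmented one, a compromised BYOD device exposes only 150, and the desktop-to-application-server flow is the single rule whose removal would shrink the radius most. The pessimistic "any permitted flow can be abused" assumption is deliberate: it is what an incident responder has to assume when the first compromised host is found.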


Written by
Martin O’Neal
Managing Director
Corsaire

 

My Placement Year at Corsaire

Posted: 15 September 2014 in Uncategorized


At the start of my second year of University it was time to find a work placement for the following year. My tutor kept telling us how employers are increasingly looking for experienced graduates as well as those with academic achievements and that the right work placement will increase our chances of securing a good job. After hearing this, I told myself, “I’ll definitely find a good company and job for my placement year!”

After failing to secure one of the jobs listed on our University website I remembered that my tutor had said we could find our own placement, as long as it was related to our course. Whilst I was updating my profile on LinkedIn, I discovered that I could apply for jobs on the site, so I searched for IT Security positions. The first one I found was at Corsaire, for a Junior Security Consultant. I enjoyed reading the job description, it was the ideal job for me. Then I noticed it was not specifically asking for a graduate but I thought I’d give it a go.

I sent my CV and covering letter asking if I could do the job as a placement for University. After a couple of days, I received an email inviting me for a telephone interview which I gladly accepted and managed to pass. I was then invited for a face-to-face interview with the Managing Director, followed by another face-to-face interview with the Operations Manager and a Security Consultant. After a few days, I received a call from the Operations Manager offering me a job as their first ever Technical Intern!

Expectations
Through my placement year with Corsaire, I was looking to accomplish three things:

  • To put everything I have learnt so far at University into practice
  • To expand my knowledge and skills in security and other areas of IT
  • To use the experience I will gain as a gateway to future opportunities


What it was like
Everything I have experienced within Corsaire has exceeded my expectations. Taking into consideration that this is the first time they have had a student intern in their company, I have received great supervision and training from my supervisor as well as colleagues; I have been given regular feedback about my performance, as well as the chance to experience a range of learning opportunities and to demonstrate my skills and knowledge. Working in a team has allowed me to ask questions and mix with likeminded people who work within my chosen industry. It has also given me first-hand experience of what the job entails and what has been developing in the industry. Corsaire has provided me with all the necessary skills to successfully complete any task allocated to me.

What the people are like
Everyone at Corsaire is very friendly and they have all treated me as their professional equal despite me being a student. Whenever I am in the office, it feels like I am at home with family, because they treat me like family, even those in the higher positions within the company.

Overall
Entering the professional world of work can certainly be daunting for anyone, regardless of your age, experience or knowledge, but for me it has been one of the best and most rewarding experiences of my life. My placement has been superbly aligned to my course and has made me more focused on what I want to achieve with my degree. I feel very honoured and lucky to have been able to work with Corsaire and if I was given the chance to go back in time, I would definitely still apply to this company.

Now that I have finished my placement at Corsaire, there are a lot of things I am going to miss, like learning new things from my supervisor and other workmates, hanging out with everyone after work, listening to our Project Coordinator’s bagpipe music that everyone loves (NOT!) and of course most of all I’ll miss the bacon and sausages that our Managing Director cooks every morning.


Written by
Darlene Concepcion
Technical Intern
Corsaire

Always Use Protection

Posted: 5 September 2014 in Uncategorized


Since joining Corsaire in April my eyes have truly been opened to the world of Internet Security. I always knew it was a deep and dark place filled with secrets, unknown sources and even more secrets, but I always figured the statistics were in my favour and I would never be a victim.

Now I’m not saying that I ever sent money to that desperate lady emailing me from Bulgaria, or clicked on one of those ‘Leaked Nude Photos of *insert hot celebrity here*’ ads and I do know the difference between http and https. But I did think that avoiding such obvious scams would leave me safe in my Internet browsing. How wrong could I be?

During one of my first weeks working at Corsaire I made the mistake of leaving my computer unlocked. The number one rule in our office, as I’m sure in most offices, is ‘Do Not Leave Your Computer Unlocked’. My colleague took this opportunity to teach me a little lesson. Returning to my desk I found my browser open on the Gmail login page. Nothing suspicious there, until little Clippy popped up; you know, that annoying Office assistant always on hand to help circa 2008? It appeared that my colleague had full control of my browser window, setting up a fake Gmail login to steal my credentials, with the power to send me to any corner of the Internet they so wished.

This was scary in itself, but it also got me thinking about all of my passwords; I can be rather lazy when creating new ones. I like to have two or three on rotation, changing the odd number or adding in a capital letter to differentiate. If that wasn’t lazy enough already, I then save them to my browser’s password autofill function. You wouldn’t need to be a genius to crack the code and gain access to my saved payment methods, social media sites and personal details.

Needless to say I have updated my passwords to slightly more cryptic ones, deleted my browser’s password storage and removed my credit card details from all shopping sites. I have also learned the joys of the Password Safe, a pin-secured digital safe place that I can store my credentials and easily access them when I need to. Just remember people, lock your computer and securely store your passwords (in your head if possible). Happy browsing!


Written by
Faye Brennan
Marketing Assistant
Corsaire

 

I Can Like to Hack

Posted: 13 August 2014 in Uncategorized

In the last few days a new article was posted to Ars Technica [1], allegedly detailing the approach taken by the hacker behind the Gamma Group International data leak. Now, before I go any further, I need to point out that all the normal disclaimers apply: things you read on the Internet may be closer than they appear.

The article itself is interesting, but what is more so is the link it provides to the hacker’s methodology [2]. Anyone reading the hacker’s document, who has any vague knowledge of the Internet and security, should be impressed with the meticulous approach taken by the attacker. But more than this, it is painfully clear that there is No Magic Sauce™. The methodology uses off-the-shelf tools, simple scripts, and a manual analysis approach to match them against the target environment.

This simply underlines the fact that acceptable security, for the most part, is all about getting the basics right consistently.

How could Gamma Group International have avoided ending up in this situation?

  • Understand the threat surface well
  • Remove any unused functionality
  • Configure the remaining functionality conservatively
  • Patch any flaws promptly

 

Now, being truly honest, how many of you can put your hand on your heart and say that you do this thoroughly and consistently?

[1] http://ars.to/1q1CxIA
[2] http://pastebin.com/raw.php?i=cRYvK4jb

 


Written by
Martin O’Neal
Managing Director
Corsaire

Android Wildwest

Posted: 5 August 2014 in Uncategorized

Trojan software has been around for a long time but its effectiveness in targeting individuals and businesses has increased in parallel with the ever-improving usability of Internet connected devices. The smartphone and tablet era has brought millions of new users onto the Internet.

Unfortunately, Internet use does not require a “driving license” and at the moment we are looking at an increasingly diverse horde of unlicensed, sometimes drunk, drivers who are being conned into lemming-like self-destruction.

It shouldn’t come as a big surprise that Norton last week reported a “Fake ID” vulnerability, distributed by Trojan apps, which could allow malicious apps to access legitimate applications and steal sensitive data such as passwords or financial information by falsifying built-in security certificates. The vulnerability could reportedly affect millions of users as the threat spans across Android version 2.1 up to 4.4.

The potential reach of the vulnerability is indeed a prospect but one which astute businesses and security teams should be well prepared for. If, however, you are feeling a little lost, here are a few tips to tackle the threat:

For the lemmings: Buy an iPhone and/or never install anything on your Android. Anti-virus would be a classic recommendation but even some of those are Trojanned, so you are best staying away unless you know what you are doing or can call upon someone who does.

For the businesses: Approach “Bring Your Own Device” schemes with great care. Consider introducing Mobile Device Management software to lock down BYOD and internal devices. The details of what to lock down are beyond the scope of this ranty little blog, but at the very minimum look to: restrict installation of software; control carefully what data is accessible from mobile devices; ensure you have corporate-level anti-virus software installed; and use a principle of least privilege wherever possible.

 


Written by
Jan Fry
Security Consultant
Corsaire

 

Au revoir to Piracy?

Posted: 31 July 2014 in Uncategorized

Earlier this year the City of London Police and the Intellectual Property Office (IPO) established the Police Intellectual Property Crime Unit (PIPCU), which is a cool-sounding acronym, right?

The PIPCU will be working with HMRC, UK Border Agencies, Trading Standards, Europol and NCA to develop strategies to help prevent IP crime (both counterfeits and piracy) affecting physical and digital goods (with the exception of pharmaceutical). As well as this, they will be informing and educating businesses and users about criminal activity on counterfeit and piracy sites.

Currently PIPCU have funding of £2.56 million, and with this they plan to police the Internet and respond to threats of online intellectual property crime.

One focus will be on copyright infringement by illegal sites, such as Pirate Bay. When someone visits a site that a complaint has been registered against, the PIPCU will dynamically replace any banner adverts on the site with the PIPCU’s very own anti-piracy equivalents. As the revenue from this kind of advertising is one of the main reasons the pirate sites exist at all, this should hit the criminals right where it hurts the most: in their wallet.

So what does this mean for the public and for businesses? Well for businesses, it’s good both for advertisers that don’t want to be associated with pirate sites and also for companies who want to stop their IP being used illegally. However, for the public it may end up being a different story. The reality is that in the short-term, things are not going to change all that much; the pirate sites and their content will still be available, just with no advertising. However, in the long-term, if the pirates can no longer make any money from these sites, then the chances are that they will close them down and move on to easier pickings – which may mark the beginning of the end of the illegal free-stuff Internet movement…


Written by
Gary Carvey
Business Consultant
Corsaire

 

Security consultants can tend to live a bit like nomads: wandering from office to office, plying their trade along the way. We get to see lots of different organisations, and a surprising variety of datacentres. Mostly these are full of shiny racks of new equipment, but every now-and-then we’ll see something out of the ordinary. Some form of legacy system: mysterious, ancient boxes, left to their own affairs in the darkest corner of the room.

Of course, whilst these systems are simply interesting museum-pieces to us, to the poor soul who is tasked with owning the risk, they are something much more ominous. Legacy systems that dramatically outlive their intended lifespan tend to do so for one glaring reason: they are important to the organisation, and both difficult and expensive to replace.

To add to this growing pile of legacy, this week Oracle announced the end of Java support for the Windows XP platform [1]. This isn’t much of a surprise, considering that Microsoft had already dropped support for XP in recent months [2]. What is notable, though, is the dramatically different threat landscape. Almost no-one is interested in your old PDP-11 or Cray supercomputer, but Windows XP is quite a different kettle of fish.

Windows XP is the doyenne of the exploit writers. Not only does it lack the remote code execution protections that later versions of Windows have built in (making it easier to get an exploit working reliably), but it still has a large enough install base to warrant the effort of writing one. On top of this, in recent months Java has been found to be riddled with flaws: the April patch bundle [3] contained no fewer than 37 discrete flaws, 4 of which were rated with the highest severity possible under the CVSS scheme.

So here you have a perfect storm: a critical system, relatively easy to exploit, with no patches available. Given that you can no longer patch these servers, our recommendation to you is to first have a nice cup of tea, then secondly apply some common sense:

  1. We know you would have already replaced these systems if you could have done so, but if there is any possibility of you rethinking this stance, now is a good time. The situation will not get better with time.
  2. Segregate all your legacy systems behind an internal firewall if possible. Keep them away from the general-use LAN segments and especially from desktops.
  3. Restrict remote access methods to essential users and enforce strong cryptography.
  4. Implement file-system fingerprinting to detect any unauthorised changes to the host.
  5. Make sure anti-malware and anti-virus applications are up-to-date.
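Step 4 above (file-system fingerprinting) is the one that most often goes unimplemented on a legacy box, so here is a worked version of it. This is example code added for this page, not the post's or any product's own tooling: it baselines the SHA-256 digest, size and permission bits of every regular file under a tree, then diffs a later snapshot against the baseline. The directory layout and the simulated tampering in demo() are constructed for illustration.

```python
"""File-system fingerprinting for a host that can no longer be patched.

Added example, not part of the original post. Records a baseline of
SHA-256 digest, size and permission bits for every regular file under a
directory tree, then compares a later snapshot against it and reports
what was added, removed or modified. The directory layout in demo() is
constructed for illustration; in real use keep the baseline file on a
system the monitored host cannot write to.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def fingerprint_file(path, chunk_size=1 << 16):
    """Digest the file in chunks so large files never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    st = os.lstat(path)
    # Permission bits matter: a new setuid bit is a change even when content is not.
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root, skip_dirs=("tmp",)):
    """Walk `root` and fingerprint every regular file, skipping volatile directories."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlinks are not hashed here; record their targets separately if needed
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = fingerprint_file(full)
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Return the files added, removed or modified since the baseline was taken."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Build a constructed host tree, baseline it, tamper with it, and report."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        files = {"bin/service": b"\x7fELF service binary (constructed)",
                 "etc/app.conf": b"listen=0.0.0.0\nauth=required\n",
                 "var/old.log": b"rotated\n",
                 "tmp/cache": b"volatile, skipped\n"}
        for rel, data in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        os.chmod(os.path.join(root, "bin", "service"), 0o755)

        # tmp/ is skipped by the walk, so the baseline file is not fingerprinted
        # itself. In production it belongs off-host, not on the monitored system.
        baseline_path = os.path.join(root, "tmp", "baseline.json")
        save_baseline(build_baseline(root), baseline_path)

        # Simulated unauthorised changes on the host.
        with open(os.path.join(root, "etc", "app.conf"), "ab") as fh:
            fh.write(b"auth=disabled\n")                        # config tampered
        os.chmod(os.path.join(root, "bin", "service"), 0o4755)   # setuid bit added
        with open(os.path.join(root, "bin", "new-tool"), "wb") as fh:
            fh.write(b"unexpected file")                         # file dropped
        os.remove(os.path.join(root, "var", "old.log"))          # file removed

        return compare(load_baseline(baseline_path), build_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run on a schedule and compare against a baseline held somewhere the legacy host cannot write, this catches the two things an unpatched server is most likely to suffer: a dropped file and a quietly altered binary or configuration. Content that changes legitimately all the time (logs, spools, caches) goes in the skip list rather than in the baseline.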

 

Oh, and one last happy thought before you go: you are prepared for when Windows 2003 Server goes end-of-life next year, aren’t you?

  1. http://java.com/en/download/help/sysreq.xml
  2. http://windows.microsoft.com/en-gb/windows/end-support-help
  3. https://blogs.oracle.com/security/entry/april_2014_critical_patch_update
  4. http://support.microsoft.com/lifecycle/search/default.aspx?alpha=Windows+Server+2003+R2

Written by
Martin O’Neal
Managing Director
Corsaire

 

Call Me, Maybe?

Posted: 27 June 2014 in Uncategorized


There’s one thing to be said for the world of Information Security, and it’s that it rarely stands still for a moment. New products and technologies are released with relentless regularity, each with its own particular set of security challenges to first understand, then protect. Never a quiet moment.

But as new technologies are introduced, old ones are often superseded; relegated to the “legacy” bucket. But just because they are no longer the latest hot topic, it doesn’t mean that they don’t still pose a significant risk to the organisation.

One such technology is the traditional telephone, or as it likes to be formally addressed, the Public Switched Telephone Network (PSTN). Back in the day, the media was awash with stories of hacking attacks that were launched over the telephone network. In fact, the high-profile hack that led to the drafting of the UK Computer Misuse Act (CMA) was itself delivered over the telephone, using a modem.

The Internet has changed all of this, though. As the greatest exposure to external threats for many organisations, in most cases it rightly takes the majority of the focus when it comes to security. But in this shift, a lot of organisations seem to have forgotten about the PSTN. This is a bit of a problem, as unfortunately the attackers haven’t!

The fact is that the legacy telephone system remains a rich target for an attacker. Dozens of critical devices are still installed with a remote administrative interface connected to an old-school telephone line; systems like the burglar alarm, door entry systems, the PBX itself, video conferencing, SANs, heavy machinery such as lifts, etc. Any of these could be available, and all that is often required is for an attacker to connect to the right telephone number, then enter the default credentials for the device.

There was a time when most organisations would regularly get their external telephone connectivity security tested as part of a “war dialling” exercise, but this seems to be a rarity these days. Maybe it’s time for you to get a bit more old-school?


Written by
Martin O’Neal
Managing Director
Corsaire

The Wrath of Zeus

Posted: 3 June 2014 in Uncategorized

At the moment there is a lot of fluster in the media about the GameOver Zeus malware, and how there are only two weeks to the impending destruction of mankind as we know it. Cue melodramatic music and peal of thunder.

Firstly, we don’t think that this is a panic-stations situation. This particular malware has been tracked in the wild for several years already, so it isn’t a new threat. Obviously the way that it is packaged and deployed is updated regularly, though, so it may not be immediately detected by your antivirus systems.

Secondly, the malware itself is typically delivered through a lure email, which encourages the recipient either to open an attachment or to visit a phishing site. The important part is that it requires human intervention to activate and install it.

The recommendations for coping with this are the normal advice that users and administrators should follow on a daily basis anyway:

  • For a corporate, block dangerous attachments (executables etc.) before they reach the desktop.
  • Ensure that your antivirus is installed, correctly configured and the signatures are up-to-date.
  • Do not open emails, attachments or click on links that look in any way suspicious.
  • If you think you have inadvertently installed any malware, don’t use your computer for anything sensitive, like online banking, until you can get it checked thoroughly and, if necessary, cleaned.
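The first recommendation, blocking dangerous attachments before they reach the desktop, is easy to state and easy to get wrong: a filter that only looks at the file extension misses a renamed binary or one wrapped in a zip. The script below is an added example written for this page (not the post's own tooling) of a mail-gateway style check that inspects every attachment of a raw message by extension, by magic bytes and, for zip archives, by member. The sample message and the extension list are constructed for illustration; the list is a starting point, not a complete policy.

```python
"""Mail-gateway style attachment policy check.

Added example, not from the original post. Given a raw RFC 822 message,
it inspects every attachment and flags the ones that look like
executables: by extension, by the file's magic bytes (so a renamed
binary is still caught) and, for zip archives, by looking at each
member. The sample message built by build_sample_message() is
constructed for illustration.
"""
import email
import email.policy
import io
import os
import zipfile
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                      ".js", ".vbs", ".jar", ".msi", ".hta"}
EXECUTABLE_MAGIC = {b"MZ": "Windows PE executable",
                    b"\x7fELF": "ELF executable",
                    b"#!": "script with interpreter line"}
MAX_ARCHIVE_MEMBER = 20 * 1024 * 1024   # refuse to inflate anything larger (zip bombs)
MAX_NESTING = 3                          # archives inside archives


def classify_bytes(name, data, depth=0):
    """Return the reasons this attachment should be blocked (empty list = allow)."""
    reasons = []
    ext = os.path.splitext(name.lower())[1]
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")
    for magic, description in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            reasons.append(f"content is a {description}")
            break
    if data.startswith(b"PK\x03\x04"):           # zip local file header
        if depth >= MAX_NESTING:
            return reasons + ["archive nested too deeply to inspect"]
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for info in archive.infolist():
                    if info.file_size > MAX_ARCHIVE_MEMBER:
                        reasons.append(f"archive member {info.filename} too large to inspect")
                        continue
                    for inner in classify_bytes(info.filename, archive.read(info), depth + 1):
                        reasons.append(f"archive member {info.filename}: {inner}")
        except zipfile.BadZipFile:
            reasons.append("corrupt or unreadable zip archive")
    return reasons


def scan_message(raw):
    """Parse a raw message; return [(filename, reasons)] for attachments to block."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    blocked = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        reasons = classify_bytes(name, data)
        if reasons:
            blocked.append((name, reasons))
    return blocked


def build_sample_message():
    """Constructed sample: one benign PDF and three disguised executables."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("report.scr", b"MZ\x90\x00 constructed fake screensaver")
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    attachments = [
        ("invoice.pdf", b"%PDF-1.4 constructed benign document"),
        ("invoice.pdf.exe", b"MZ\x90\x00 constructed fake executable"),
        ("photo.jpg", b"MZ\x90\x00 executable renamed to look like a picture"),
        ("report.zip", archive.getvalue()),
    ]
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reasons in scan_message(build_sample_message()):
        print(f"BLOCK {filename}: {'; '.join(reasons)}")
```

On the constructed message the PDF passes while the double-extension file, the renamed binary and the zip containing a screensaver are all blocked, each with a reason the administrator can log. Magic-byte checks are what make the filter robust against renaming; the size and nesting caps are there so that a malicious archive cannot turn the filter itself into a denial of service.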

Additional information about GameOver Zeus is available here: http://www.us-cert.gov/ncas/alerts/TA14-150A


Written by
Martin O’Neal
Managing Director
Corsaire

When our clients approach us with a new application or a technology refresh project, we often see an initial reluctance for an external infrastructure vulnerability assessment to be performed alongside. This is often because the client feels safe that their infrastructure is protected by network level devices such as firewalls or intrusion detection systems, or that modern software and servers are secure out of the box. Well, that’s not always the case…

Acme Corp CMS Assessment

Acme Corp approached Corsaire to conduct an application assessment on their new content management system and an external infrastructure assessment on 1 IP address. The application server would be located in the client’s DMZ and protected by a firewall only allowing HTTP and HTTPS. Corsaire was provided with the following URL which would be in scope for this project:

https://cms.acmecorp.com/application/cms

Apart from some low hanging fruit the CMS application was found to be secure. Everyone is happy! Go team!

Is Infrastructure always Boring?

So I get given the infrastructure component of the assessment and my worst fears are soon realised; only 80 and 443 are exposed to the Internet. I quietly work through our external infrastructure methodology and only find low risk SSL issues and some default Apache pages. Default pages are always a good indicator of a lack of server hardening, so I decide to have a further poke around. I manage to find a default configuration file which has some information disclosure, but still nothing to shout home about. As always with any assessment, an understanding of the environment is essential. This involves reading any documentation you can find including installation, configuration and development guides from the supplier. The documentation included a typical configuration scenario which when compared with the findings from the application, was probably the configuration of this CMS system.

[Figure 1]


In this typical scenario the CMS application and API are hosted on the same server. This is never a good idea. Separation of services, people! Anyway, this got me thinking about how the API is configured and how the CMS application interacts with it. Could I connect to this? Oh, this is getting interesting!

Pew! Pew! Pew!

Trawling through the documentation, it was determined that the API could be configured as another virtual host served by the same Apache instance as the CMS application! Oh goody, if they have done this then all that is required is the correct domain name to send with the request to potentially start interacting with the API! The default setup from the documentation didn’t work, but by using the information revealed in the default configuration file I managed to get a hit! Bingo! I have direct access to the API using https://cms-api.acmecorp.com, bypassing any security provided by the CMS application. Oh dear, they are still using default credentials. Pew, Pew, Pew! I now have full control of the CMS and content.

[Figure 2]


While the application in scope was secure, the infrastructure and server configuration was still in a default state and had not been hardened. The API was assumed to be internally accessible only, so the default credentials were not changed. Without the infrastructure component of this assessment, access to the API would have potentially not been found.

Lessons to be learnt?

  • Never underestimate the importance of infrastructure assessments when deploying a new application
  • Always harden all servers irrespective of their network location
  • Always restrict access to any service unless explicitly required
  • Ensure separation of services to reduce exposure and risk
  • Understand the environment and RTFM!
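The root cause in this assessment is that Apache picks a name-based virtual host from the Host header of the request, so an API vhost sharing the public listener with the CMS is served to anyone who supplies its name, whatever the CMS's own access controls do. The following is an added example written for this page, not the post's own tooling or the CMS vendor's documentation: a small audit script that parses an Apache vhost configuration, picks out vhosts whose names look internal, and reports those that neither sit on a private-address listener nor carry a source-address Require rule. It includes a constructed config reproducing the weak setup beside a hardened one; the name patterns are assumptions, and cms-api.acmecorp.com is the name used in the post.

```python
"""Audit Apache virtual hosts for internal services exposed on a public listener.

Added example, not from the original post. Apache selects a name-based
virtual host from the Host header, so an API vhost that shares the public
*:443 listener with the CMS is reachable by anyone who can name it. This
script parses a vhost configuration, picks out vhosts whose names look
internal, and reports the ones that neither sit on a private-address
listener nor carry a source-address Require rule. Both configuration
samples and the name patterns are constructed for illustration.
"""
import ipaddress
import re

SECTION_OPEN = re.compile(r"^<(\w+)(?:\s+([^>]*))?>$")
SECTION_CLOSE = re.compile(r"^</(\w+)>$")
# Require variants that limit *who* may connect; "Require all granted" does not.
SOURCE_RESTRICTING = {"ip", "local", "host"}


def listener_is_internal(address_spec):
    """True if the VirtualHost address is a private/loopback IPv4 (e.g. 10.0.5.20:8443)."""
    host = address_spec.rsplit(":", 1)[0] if address_spec.count(":") == 1 else address_spec
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # '*', '_default_' or a hostname: treat as public
        return False
    return ip.is_private or ip.is_loopback


def parse_vhosts(config_text):
    """Minimal reader for httpd.conf syntax: sections, directives, # comments."""
    vhosts, stack, current = [], [], None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        opened = SECTION_OPEN.match(line)
        if opened:
            stack.append(opened.group(1).lower())
            if stack[-1] == "virtualhost":
                current = {"address": opened.group(2) or "*", "names": [], "restricted": False}
            continue
        closed = SECTION_CLOSE.match(line)
        if closed:
            if stack and stack.pop() == "virtualhost" and current is not None:
                vhosts.append(current)
                current = None
            continue
        if current is None:
            continue
        key, _, rest = line.partition(" ")
        args = rest.split()
        if key.lower() in ("servername", "serveralias"):
            current["names"].extend(args)
        elif key.lower() == "require" and args and args[0].lower() in SOURCE_RESTRICTING:
            # Approximation: any source-based Require inside the vhost counts as a
            # restriction; a stricter audit would check that it covers Location "/".
            current["restricted"] = True
    return vhosts


def audit(config_text, internal_patterns=(r"api", r"admin", r"internal")):
    """Names of internal-looking vhosts that an Internet-facing listener would serve."""
    findings = []
    for vhost in parse_vhosts(config_text):
        looks_internal = any(re.search(p, n, re.I) for p in internal_patterns for n in vhost["names"])
        if looks_internal and not vhost["restricted"] and not listener_is_internal(vhost["address"]):
            findings.append(vhost["names"][0])
    return sorted(findings)


# Constructed sample reproducing the situation in the post: CMS and API as
# two name-based vhosts on the same public listener, the API unrestricted.
WEAK_CONFIG = """
<VirtualHost *:443>
    ServerName cms.acmecorp.com
    DocumentRoot /var/www/cms
</VirtualHost>

<VirtualHost *:443>
    ServerName cms-api.acmecorp.com     # selected purely by the Host header
    DocumentRoot /var/www/cms-api
</VirtualHost>
"""

# Constructed hardened sample: the API answers only to internal source addresses.
HARDENED_CONFIG = """
<VirtualHost *:443>
    ServerName cms.acmecorp.com
    DocumentRoot /var/www/cms
</VirtualHost>

<VirtualHost *:443>
    ServerName cms-api.acmecorp.com
    DocumentRoot /var/www/cms-api
    <Location "/">
        Require ip 10.0.0.0/8           # CMS application tier only
    </Location>
</VirtualHost>
"""

if __name__ == "__main__":
    print("weak config findings:    ", audit(WEAK_CONFIG))
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

The weak sample produces one finding, the hardened one none. Binding the API vhost to an internal address (for example `<VirtualHost 10.0.5.20:8443>`) is the other accepted fix and the audit treats it as such; either way the API also needs its default credentials changed, since the post's point is that "internal only" was an assumption nobody had enforced.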

 


Written by
Anthony Dickinson
Security Consultant
Corsaire