Begin at the beginning

It is a common occurrence for me to be asked, “What is the best way to get started as a security consultant?”.

But before I give you my answer, I should point out that everything I am about to write is just my personal opinion, which you are of course entitled to take with the appropriate pinch of salt. I would expect different consultancies to be looking for different things. Buyer beware!

Every year I personally read hundreds of CVs and interview dozens of people that are looking to make a start in the security industry; an industry which is unusually demanding of its consultants, requiring both extreme breadth and depth of knowledge. Knowledge that is built up in layers, one upon another, each new layer intimately dependent on the previous one.

Many of the people I interview have incredibly polished and impressive CVs, complete with long lists of skills, credentials and training courses. However, once the interview starts it is common to find that there is no substance behind the polish. The skills lists are just an aspiration; no real knowledge underpins the claim.

For someone starting out, I would say the most important thing to do is to make sure you understand the basics really well, and if you don’t know it really well, leave it off your CV. There is no point learning about XSS if you don’t understand HTML. No point in learning HTML if you don’t know HTTP. No point in learning HTTP if you don’t know IP. No point in learning IP if you don’t understand basic maths and technology concepts like modulus, endian-ness, and non-decimal radix.

Don’t attempt to run before you have mastered walking. Begin at the beginning…


Written by
Martin O’Neal
Managing Director
Corsaire

While the hype around a new type of malware targeting Apple devices, which many still believe to be immune, has not died off yet, let me explain what the malware does and how you can avoid becoming a victim of this type of attack by applying a few simple security practices.

What it is:

‘WireLurker’, they call it: newly discovered malware that can hop from an infected Mac OS X system to iPhones and iPads over USB. The first signs of it were seen in the Chinese third-party app store Maiyadi, which is where most of the infected applications reside for now.

What it does:

Although the intention behind this malware is still unclear, it appears that WireLurker steals sensitive information such as the Apple ID and contact lists, but not bank details… phew! (Unless of course you have yours saved as a contact!) It also infects other apps on iOS devices and installs its own third-party apps without your permission.

What you should do:

Although Apple seems to have nipped this one in the bud by revoking the certificate used to sign these baddies, our recommendation is that the usual good security practices should be followed:

  • Only install apps from trusted sources, i.e. the Apple App Store.
  • Don’t connect your beloved devices to untrusted computers or accessories.
  • Use a decent antivirus on your OS and install the latest updates.
  • Don’t install applications that you haven’t requested or authorised.
  • Also delete that free game on your iPhone that you downloaded four months ago but haven’t opened once.

More specifically for WireLurker, check your OS X computer and every iOS device that has been synced with it.

  • On your iOS device, go to Settings > General > Profiles and make sure there is no enterprise provisioning profile that you did not install yourself; WireLurker uses such a profile to get its apps onto non-jailbroken devices.
  • If you happen to have a jailbroken device (tut tut!), check whether “/Library/MobileSubstrate/DynamicLibraries/sfbase.dylib” exists. If so, delete it over a terminal (SSH) connection. Palo Alto Networks have released a handy script to detect this and similar files.

Until the next malware, stay safe.


Written by
Ash Dastmalchi
Security Consultant
Corsaire

 

BadUSB

In the build-up to the recent DerbyCon conference there was a lot of chatter in the infosec community about the impending release of some interesting USB firmware research. Then “Shellshock” happened and, at least for a few days, everyone was so busy scrambling around looking for vulnerable “Shellshock” endpoints and trying to patch them that they almost forgot about the USB research. Once the dust of “Shellshock” settled, however, the so-called ‘BadUSB’ research took centre stage again.

Thanks to the tireless efforts of IronGeek to record as many security conference videos as possible, the BadUSB presentation was online within a couple of hours of being presented at DerbyCon. The video has, at time of writing, amassed almost 98,000 views. Apparently the world is not yet fed up with the steady stream of vulnerabilities being released; a stream which seems to have turned into a flowing river this year, prompting Mitre to change its syntax to allow for 5-digit CVEs. But before I start rambling about that, let’s switch our focus back to BadUSB.

While it had been known for a few months that the controller firmware of some USB devices could be reprogrammed to carry malicious code, until now neither the tooling nor the details had been released to the general public. With Adam Caudill and Brandon Wilson’s talk at DerbyCon this has all changed. The exploit code is freely available on GitHub and, as mentioned above, the presentation detailing the research has also gone viral (pun intended).

So what exactly could someone do with this exploit code? It allows a user to rewrite the firmware of the USB drive’s controller chip. Code placed there lives outside the storage area the operating system can see, so it is not removed by wiping or formatting the device, and the reprogrammed controller can present itself to the host as something other than a disk, such as a keyboard that types commands.

Great, so let’s just patch it, right? Unfortunately, as well as being described as undetectable from the host, the vulnerability is also being reported by many news outlets as virtually “unpatchable”: the underlying problem is that the controller accepts any firmware without checking a signature, which only a new generation of hardware can fix, so it could take some time to mitigate or resolve fully. For the tinfoil hat aficionados, there is also the cheery news that the NSA reportedly owns a USB device to “relay information and monitor computers”.

Realistically the issue will not be resolved by USB manufacturers any time soon, so what can organisations do to mitigate the threat in the mean time?

  • Use corporate endpoint software to lock down USB ports and prevent unapproved devices from being mounted or, in the case of a reflashed drive posing as a keyboard, from registering as an input device.
  • Log and monitor attempts by users to plug in USB devices, including the failed ones.
  • Use USB devices from trusted vendors only. This reduces the exposure but does not remove it, since a trusted vendor’s drive can still be reflashed after purchase.
  • Provide guidelines for ways in which staff can securely share files without relying on USB.
  • Keep anti-virus and anti-malware solutions up to date to mitigate the potential for any payload the device delivers to spread.
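One practical check that falls out of the mitigations above: the reflashed controller is invisible, but what the device claims to be is not. A storage stick that also enumerates a keyboard or network interface is the classic BadUSB shape. The following is an added example, not code from the original post or from the DerbyCon research, that parses the tree printed by `lsusb -t` (the Linux usbutils format) and flags devices combining Mass Storage with an interface class a flash drive has no reason to expose. The `lsusb -t` sample below is constructed; a legitimate composite device (a keyboard with a built-in card reader, for instance) would also trip it, so treat hits as a triage signal against your inventory rather than as proof.

```python
"""Triage USB devices by interface class from `lsusb -t` output (added example)."""
import re
from collections import defaultdict

# Constructed sample in the format printed by `lsusb -t` on Linux.
# Bus 02 / Dev 5 is a storage device that also presents a keyboard interface.
SAMPLE_LSUSB_TREE = """\
/:  Bus 02.Port 1: Dev 1, Class=root_hub, Driver=ehci-pci/2p, 480M
    |__ Port 1: Dev 2, If 0, Class=Hub, Driver=hub/4p, 480M
        |__ Port 3: Dev 5, If 0, Class=Mass Storage, Driver=usb-storage, 480M
        |__ Port 3: Dev 5, If 1, Class=Human Interface Device, Driver=usbhid, 480M
        |__ Port 4: Dev 6, If 0, Class=Human Interface Device, Driver=usbhid, 1.5M
        |__ Port 4: Dev 6, If 1, Class=Human Interface Device, Driver=usbhid, 1.5M
/:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/4p, 5000M
    |__ Port 2: Dev 3, If 0, Class=Mass Storage, Driver=usb-storage, 5000M
"""

BUS_LINE = re.compile(r"^/:\s+Bus (?P<bus>\d+)\.Port \d+: Dev \d+, Class=root_hub")
IF_LINE = re.compile(
    r"^\s*\|__ Port (?P<port>\d+): Dev (?P<dev>\d+), If (?P<iface>\d+), "
    r"Class=(?P<cls>[^,]+), Driver=(?P<driver>[^,]+), (?P<speed>\S+)$"
)

# Interface classes that a plain flash drive should never expose alongside storage.
# HID covers the "types commands as a keyboard" payload; the CDC classes cover a
# device that quietly adds a network interface.
UNEXPECTED_WITH_STORAGE = {"Human Interface Device", "Communications", "CDC Data"}


def parse_lsusb_tree(text):
    """Return {(bus, dev): {iface_no: (class, driver)}} for every non-root device."""
    devices = defaultdict(dict)
    bus = None
    for line in text.splitlines():
        m = BUS_LINE.match(line)
        if m:
            bus = int(m.group("bus"))   # interface lines that follow belong to this bus
            continue
        m = IF_LINE.match(line)
        if m and bus is not None:
            key = (bus, int(m.group("dev")))
            devices[key][int(m.group("iface"))] = (m.group("cls"), m.group("driver"))
    return dict(devices)


def suspicious_devices(devices):
    """Flag devices exposing Mass Storage together with a class from
    UNEXPECTED_WITH_STORAGE. Returns a sorted list of (bus, dev, sorted classes)."""
    hits = []
    for (bus, dev), ifaces in devices.items():
        classes = {cls for cls, _ in ifaces.values()}
        if "Mass Storage" in classes and classes & UNEXPECTED_WITH_STORAGE:
            hits.append((bus, dev, sorted(classes)))
    return sorted(hits)


def triage(text=SAMPLE_LSUSB_TREE):
    """Parse `lsusb -t` text and return the suspicious devices."""
    return suspicious_devices(parse_lsusb_tree(text))


if __name__ == "__main__":
    # On a real host: triage(subprocess.check_output(["lsusb", "-t"], text=True))
    for bus, dev, classes in triage():
        print("bus %03d dev %03d: composite device (%s)" % (bus, dev, ", ".join(classes)))
```

Run it against live output with `triage(subprocess.check_output(["lsusb", "-t"], text=True))` from a udev hook or a scheduled job, and compare hits with the device inventory. A drive that switches personality only after a delay will not show the storage interface at all, so pairing this with an allow-list of known vendor and product IDs closes that gap.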

Written by
Jan Fry
Security Consultant
Corsaire

 

Yesterday an interesting snippet was placed on the Register about yet another SSL flaw that was tipped to be announced [1].

The details of the attack, dubbed POODLE, are now emerging from the Google researchers [2], [3]: specifically that the CBC cipher suites in SSLv3 are seriously flawed, and that an active attacker can force even clients and servers that would normally negotiate TLS back down to SSLv3, by making the TLS handshakes fail until the client retries with the older protocol, to aid in exploiting the issue.

Our opinion is that this is just another variant of the same kind of client-side attack that has plagued SSL/TLS in recent years, not unlike BEAST: the attacker has to sit between the victim and the server and has to be able to make the victim’s browser send a large number of requests. Contrary to the hype, this isn’t another Heartbleed or Shellshock event.

The broad recommendation is to disable SSLv3, but there remain potential usability issues with dropping the protocol (some older browsers simply won’t support the protocols and cipher suites that remain).

Mitigating strategies include supporting TLS_FALLBACK_SCSV [4] to defeat the downgrade: when both ends of the connection support the more secure versions of TLS, they can’t be tricked into negotiating the insecure one. Note that the SCSV does not fix SSLv3 itself; a client or server that genuinely speaks nothing better remains exposed.
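To make the downgrade and the SCSV concrete, here is an added example (not code from the original post, Google or the IETF draft) that models the version negotiation on both sides. It does not implement TLS; it simulates the client’s “downgrade dance” (retry at a lower version when a handshake fails) against a server that applies the rule from [4]: a ClientHello carrying the TLS_FALLBACK_SCSV value (0x5600) at a version below the server’s best is answered with an inappropriate_fallback alert (86). The attacker is modelled as resetting every handshake above a chosen version. The two ordinary cipher-suite numbers are incidental filler.

```python
"""Simulated SSL/TLS version negotiation with and without TLS_FALLBACK_SCSV (added example)."""
SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2 = 0x0300, 0x0301, 0x0302, 0x0303
VERSION_NAMES = {SSL_3_0: "SSLv3", TLS_1_0: "TLS 1.0", TLS_1_1: "TLS 1.1", TLS_1_2: "TLS 1.2"}

TLS_FALLBACK_SCSV = 0x5600          # signalling cipher-suite value reserved by the draft
ALERT_INAPPROPRIATE_FALLBACK = 86   # alert description defined by the draft
ALERT_PROTOCOL_VERSION = 70

ORDINARY_CIPHERS = [0xC02F, 0x002F]  # filler; only the SCSV value matters here


def server_respond(client_hello, server_max, server_min=SSL_3_0, intolerant=False):
    """Server side. `intolerant` models legacy servers that drop a ClientHello
    advertising a version they do not know, which is why browsers adopted the
    retry dance in the first place."""
    ver = client_hello["version"]
    if intolerant and ver > server_max:
        return {"type": "reset"}
    if ver < server_min:
        return {"type": "alert", "description": ALERT_PROTOCOL_VERSION}
    # The SCSV rule: a retry marked as a fallback, at a version below the best
    # this server speaks, can only be the result of a failure the server did not
    # cause, so it is refused instead of silently accepted.
    if TLS_FALLBACK_SCSV in client_hello["cipher_suites"] and ver < server_max:
        return {"type": "alert", "description": ALERT_INAPPROPRIATE_FALLBACK}
    return {"type": "server_hello", "version": min(ver, server_max)}


def client_connect(client_max, server_max, send_scsv, attacker_blocks_above=None, intolerant=False):
    """Client side: try versions from best to worst. Returns (negotiated version or
    None, transcript). `attacker_blocks_above` is the highest version an active
    attacker lets through; handshakes above it are reset before reaching the server."""
    attempts = [v for v in (TLS_1_2, TLS_1_1, TLS_1_0, SSL_3_0) if v <= client_max]
    transcript = []
    for retry, ver in enumerate(attempts):
        suites = list(ORDINARY_CIPHERS)
        if send_scsv and retry > 0:
            suites.append(TLS_FALLBACK_SCSV)  # every retry is marked as a fallback
        if attacker_blocks_above is not None and ver > attacker_blocks_above:
            transcript.append((VERSION_NAMES[ver], "reset by attacker"))
            continue
        resp = server_respond({"version": ver, "cipher_suites": suites}, server_max, intolerant=intolerant)
        if resp["type"] == "server_hello":
            transcript.append((VERSION_NAMES[ver], "ServerHello " + VERSION_NAMES[resp["version"]]))
            return resp["version"], transcript
        if resp["type"] == "reset":
            transcript.append((VERSION_NAMES[ver], "reset by server"))
            continue
        transcript.append((VERSION_NAMES[ver], "alert %d" % resp["description"]))
        return None, transcript   # fail closed on any alert


    return None, transcript


if __name__ == "__main__":
    scenarios = {
        "no attacker, SCSV": dict(send_scsv=True),
        "attacker, no SCSV": dict(send_scsv=False, attacker_blocks_above=SSL_3_0),
        "attacker, SCSV": dict(send_scsv=True, attacker_blocks_above=SSL_3_0),
    }
    for name, kw in scenarios.items():
        ver, log = client_connect(TLS_1_2, TLS_1_2, **kw)
        print(name, "->", VERSION_NAMES.get(ver, "connection failed"), log)
    print("SSLv3-only intolerant server, SCSV ->",
          VERSION_NAMES[client_connect(TLS_1_2, SSL_3_0, send_scsv=True, intolerant=True)[0]])
```

The last scenario is the usability point from the post: against a server that genuinely tops out at SSLv3, the SCSV changes nothing (the fallback lands at the server’s real maximum and is accepted), so the protection only bites where both sides could have done better.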

 

[1] http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_tomorrow
[2] http://googleonlinesecurity.blogspot.ca/2014/10/this-poodle-bites-exploiting-ssl-30.html
[3] https://www.openssl.org/~bodo/ssl-poodle.pdf
[4] https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00

 


Written by
Glyn Geoghegan
Security Consultant
Corsaire

‘MY TYPICAL VISIT TO A COFFEE SHOP’, BY VICTORIA

A few months ago I visited a bespoke coffee shop in London and ordered my normal skinny latte from the nice gentleman behind the counter. ‘Another new employee’, I thought, ‘I wonder how long it will take him to remember my order…’. Upon paying for my coffee, I was handed an invitation card to sign up for extra discounts at this and other coffee shops. ‘Nice, discounts for doing nothing! Just my cup of tea (well, coffee)’. Once I got home, I signed up to the discount website and was promised my discount card in the post. This is the last I thought of it.

Now let’s look at what really happened…

Victoria walked into the coffee shop one morning when it was quiet. ‘How can I help you Madam?’, the new employee asked. ‘Hi, can I have a large skinny latte please?’, ‘Of course, what’s your name?’, ‘Victoria’, she replied.

Victoria went to pay for her coffee using her debit card. The debit machine by the till was out of order, so the employee asked for her card, produced a new machine from behind the counter and passed it over to Victoria.

As you may already have guessed, Bob, the new employee, is not a nice fella, and as Victoria types her PIN into the machine, Bob is watching. The transaction goes through, Victoria removes her card and Bob passes her the receipt, along with an invitation card for extra discounts. Bob speaks highly of the discount scheme and convinces Victoria to sign up.

Victoria enjoys her coffee and heads home. She visits the website on the invitation card and fills in the registration form. The form has the usual details:

First Name
Surname
Address
Date of Birth
Email address
Telephone number
Password
Secret Question ‘Name of your first pet’

Victoria completes the form as she normally would; her real name, her real address, real date of birth, her only email address, her usual password and the real name of her first pet.

Of course, the discount scheme isn’t real; it’s a phishing website designed to capture information from soon-to-be victims.

WHAT BOB KNOWS:

1. Her name is Victoria Wilson-Smith
2. He has skimmed her debit card using a modified card machine.
3. He knows her PIN
4. He knows her full postal address
5. Her date of birth
6. Her email address
7. Her telephone number
8. Her usual password
9. Her answer to the secret question

From here, it would be trivial for Bob to start building up a more complete history of Victoria’s life. Using her usual password or password reset questions, etc. he could gather information from:

  • Social media sites (Facebook, Twitter, etc.)
  • Email

Searching information in the public domain, such as:

  • Electoral rolls
  • Companies House
  • BMD (Births, Marriages and Deaths) Index
  • Telephone directories


WHAT CAN BOB DO?

Just about everything. Withdraw cash from her current account; obtain credit in her name; request copies of her birth certificate; attempt to obtain a passport or driving licence… The list goes on and on.

Of course, Bob didn’t stay in that job too long, but by the time he left he had skimmed cards and gathered personal details on 50 or so people.


WHAT DID VICTORIA DO WRONG?

Not much in the coffee shop; perhaps just allowing someone to see her entering her PIN, as the modified card machine would have been difficult to recognise.

The real problem for Victoria was entering all of those REAL details into a website and re-using the same password for multiple sites.


WHAT SHOULD VICTORIA HAVE DONE?

Unless it’s really official (HMRC, Banks, Government, etc.), never use your real details or your personal email address.

Create an online alias with different details (e.g. name, address, secret questions and answers etc). Set up a second email account and use this for all of those dodgy marketing, spam and discount sites. Never use the same password on multiple sites. This is an opportunity to be the person you always wanted to be!

For example, I’m Victor Parnevik, born 14th December 1978 in Solihull for websites – and just plain old ‘Bruce’ in coffee shops.

Remember, it’s easy to change email addresses or passwords if they are compromised, but very difficult to change who you really are…

So who will you be? Protect your real identity!

For more information about keeping yourself safe online see:
https://www.getsafeonline.org/protecting-yourself/privacy/


Written by
Anthony Dickinson
Security Consultant
Corsaire

Shellshocked!

Posted: 25 September 2014 in Uncategorized


When a new vulnerability starts feverish discussions amongst security professionals, you make a note to keep an eye on it. However, when it is given a name, gets a logo and then the mass scanning starts [1], you know to buckle up for the ride!

For the second time in 2014, the world has been hit by a monstrous vulnerability. First there was the infamous Heartbleed and now … now there’s Shellshock – a vulnerability which some are arguing makes Heartbleed “look more like heartburn”.

So what is Shellshock, what’s vulnerable, how can you verify whether or not you are affected and what can you do about it?

What is it?
Shellshock is a vulnerability in Bash, the command interpreter that ships as the default shell on most Linux distributions and on OS X, and is present on many other *NIX platforms: just about anything that is not made by Microsoft.

The bug itself is 22 years old and is a form of code injection in Bash’s handling of environment variables. Bash lets a parent process pass shell functions to a child through the environment: a variable whose value begins with “() {” is parsed as a function definition when the new Bash starts. Vulnerable versions did not stop parsing at the closing brace, so any command appended after it in a specially crafted value is executed immediately, before the script proper has run a single line.

There are already several good write-ups of the deeper technicalities [2], [3].

Why it is bad?
Whilst it is a vulnerability in a local shell, the shell is invoked by many applications, so it can be remotely exploitable: anything that takes attacker-controlled input, places it in an environment variable and then starts Bash is exposed. In particular, web servers running CGI scripts are at risk, because CGI passes request headers such as User-Agent to the script as environment variables, and the script is very likely to be Bash or to spawn it. This means a remote attacker can run commands on your server with the web server’s privileges. Not a good thing, really.

 What’s vulnerable?
This is the kind of vulnerability that will rapidly spiral out of control as more and more obscure attack vectors are discovered.

For now though, the big ticket items are:

  • Web servers running on *NIX that execute CGI scripts which are either written in bash, or spawn subshells. Approximately 50% of all web servers on the Internet run Apache on *NIX and many will have CGI scripts enabled.
  • Locked-down SSH environments that use ForceCommand to limit what remote users can execute. The command the client asked for is handed to the shell in the SSH_ORIGINAL_COMMAND environment variable, so an authenticated user can use this flaw to bypass the restriction and gain arbitrary command execution.
  • Any other application which is hooked onto a shell or runs a shell script using bash as the interpreter. Shell scripts which do not export variables are not vulnerable to this issue, even if they process untrusted content and store it in (unexported) shell variables and open subshells.


Are you vulnerable?
There is already an automated scanning tool available to remotely confirm if your host is vulnerable [4].

Nota bene: This kind of remote scanning is very simplistic and there may be a large risk of false-negatives: the tool may say your site is clear but the flaw will still exist.

There are also manual tests you can perform on the host which are much more representative [5].

What can you do?
First, as above, check if you are affected. If you are not, then you don’t need to do anything for now, though keep checking as new attack vectors emerge.

Secondly, at this stage we would normally say apply the patch and relax; however the initial patch that has been released apparently does not do a very good job and leaves the parser exploitable [6]. We’d still recommend that you apply it, to protect against the initial wave of scripted attacks, but then also monitor your vendor’s support pages for the follow-up patch, apply that, and then relax!

Lastly, if you can change the shell from Bash to one of the unaffected alternatives, then do so. Bear in mind that what matters is the shell the exposed application actually invokes, which is usually /bin/sh rather than your login shell: on systems where /bin/sh is a link to Bash, CGI scripts and system() calls will still hit the flaw until that link or the Bash binary itself is changed.

 

[1] http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html

[2] http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

[3] https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

[4] https://community.qualys.com/blogs/laws-of-vulnerabilities/2014/09/24/bash-shellshock-vulnerability

[5] http://askubuntu.com/questions/528101/what-is-the-cve-2014-6271-bash-vulnerability-and-how-do-i-fix-it

[6] https://news.ycombinator.com/item?id=8365158

 


Written by
Jan Fry
Security Consultant
Corsaire

 

Isolate the Stupid

Posted: 18 September 2014 in Uncategorized

Earlier today I wandered straight into the middle of a conversation between colleagues and overheard one of them say the wonderful phrase “isolate the stupid”. To be fair, I have taken it completely out of the context of the original conversation, but I liked the phrase so much I thought I would use it for my own nefarious ends.

We are regularly called upon to provide help to organisations that have suffered a breach, and now need to quickly find out what happened so that they can bolt the door so no more horses escape.

A common contributing factor we see in this kind of situation is a huge, flat internal network: one that mixes together on the same logical wire servers, desktops, peripherals and, horror of horrors, bring-your-own devices. All it takes is one simple mistake, such as a user clicking on a misleading phishing email, and the attacker suddenly has unrestricted network access to the whole internal environment from that one compromised machine.

In security parlance, compartmentalisation is the concept of breaking an environment into discrete, logical components so that a failure in one is contained rather than spreading to the rest. In almost all of these situations, a modicum of compartmentalisation would have either prevented the breach or greatly reduced its impact.

Isolate the stupid.


Written by
Martin O’Neal
Managing Director
Corsaire

 

My Placement Year at Corsaire

Posted: 15 September 2014 in Uncategorized


At the start of my second year of University it was time to find a work placement for the following year. My tutor kept telling us how employers are increasingly looking for experienced graduates as well as those with academic achievements and that the right work placement will increase our chances of securing a good job. After hearing this, I told myself, “I’ll definitely find a good company and job for my placement year!”

After failing to secure one of the jobs listed on our University website I remembered that my tutor had said we could find our own placement, as long as it was related to our course. Whilst I was updating my profile on LinkedIn, I discovered that I could apply for jobs on the site, so I searched for IT Security positions. The first one I found was at Corsaire, for a Junior Security Consultant. I enjoyed reading the job description, it was the ideal job for me. Then I noticed it was not specifically asking for a graduate but I thought I’d give it a go.

I sent my CV and covering letter asking if I could do the job as a placement for University. After a couple of days, I received an email inviting me for a telephone interview which I gladly accepted and managed to pass. I was then invited for a face–to-face interview with the Managing Director, followed by another face-to-face interview with the Operations Manager and a Security Consultant. After a few days, I received a call from the Operations Manager offering me a job as their first ever Technical Intern!

Expectations
Through my placement year with Corsaire, I was looking to accomplish three things:

  • To put everything I have learnt so far at University into practice
  • To expand my knowledge and skills in security and other areas of IT
  • To use the experience I will gain as a gateway to future opportunities


What it was like
Everything I have experienced within Corsaire has exceeded my expectations. Taking into consideration that this is the first time they have had a student intern in their company, I have received great supervision and training from my supervisor as well as colleagues; I have been given regular feedback about my performance, as well as the chance to experience a range of learning opportunities and to demonstrate my skills and knowledge. Working in a team has allowed me to ask questions and mix with likeminded people who work within my chosen industry. It has also given me first-hand experience of what the job entails and what has been developing in the industry. Corsaire has provided me with all the necessary skills to successfully complete any task allocated to me.

What the people are like
Everyone at Corsaire is very friendly and they have all treated me as their professional equal despite my being a student. Whenever I am in the office it feels like I am at home with family, because they treat me like family, even those in the more senior positions within the company.

Overall
Entering the professional world of work can certainly be daunting for anyone, regardless of your age, experience or knowledge, but for me it has been one of the best and most rewarding experiences of my life. My placement has been superbly aligned to my course and has made me more focused on what I want to achieve with my degree. I feel very honoured and lucky to have been able to work with Corsaire and, if I were given the chance to go back in time, I would definitely still apply to this company.

Now that I have finished my placement at Corsaire, there are a lot of things I am going to miss, like learning new things from my supervisor and other workmates, hanging out with everyone after work, listening to our Project Coordinator’s bagpipe music that everyone loves (NOT!) and of course most of all I’ll miss the bacon and sausages that our Managing Director cooks every morning.


Written by

Darlene Concepcion
Technical Intern
Corsaire

Always Use Protection

Posted: 5 September 2014 in Uncategorized


Since joining Corsaire in April my eyes have truly been opened to the world of Internet Security. I always knew it was a deep and dark place filled with secrets, unknown sources and even more secrets, but I always figured the statistics were in my favour and I would never be a victim.

Now I’m not saying that I ever sent money to that desperate lady emailing me from Bulgaria, or clicked on one of those ‘Leaked Nude Photos of *insert hot celebrity here*’ ads and I do know the difference between http and https. But I did think that avoiding such obvious scams would leave me safe in my Internet browsing. How wrong could I be?

During one of my first weeks working at Corsaire I made the mistake of leaving my computer unlocked. The number one rule in our office, as I’m sure in most offices, is ‘Do Not Leave Your Computer Unlocked’. My colleague took this opportunity to teach me a little lesson. Returning to my desk I found my browser open on the Gmail login page. Nothing suspicious there, until little Clippy popped up; you know, that annoying Office assistant always on hand to help circa 2008? It appeared that my colleague had full control of my browser window, setting up a fake Gmail login to steal my credentials, with the power to send me to any corner of the Internet they so wished.

This was scary in itself, but it also got me thinking about all of my passwords; I can be rather lazy when creating new ones. I like to have two or three on rotation, changing the odd number or adding in a capital letter to differentiate. If that wasn’t lazy enough already, I then save them to my browser’s password autofill function. You wouldn’t need to be a genius to crack the code and gain access to my saved payment methods, social media sites and personal details.

Needless to say I have updated my passwords to slightly more cryptic ones, deleted my browser’s password storage and removed my credit card details from all shopping sites. I have also learned the joys of the Password Safe, a pin-secured digital safe place that I can store my credentials and easily access them when I need to. Just remember people, lock your computer and securely store your passwords (in your head if possible). Happy browsing!


Written by
Faye Brennan
Marketing Assistant
Corsaire

 

I Can Like to Hack

Posted: 13 August 2014 in Uncategorized

In the last few days a new article was posted to Ars Technica [1], allegedly detailing the approach taken by the hacker behind the Gamma Group International data leak. Now, before I go any further, I need to point out that all the normal disclaimers apply: things you read on the Internet may be closer than they appear.

The article itself is interesting, but what is more so is the link it provides to the hacker’s own write-up of the methodology [2]. Anyone reading that document, who has even a vague knowledge of the Internet and security, should be impressed with the meticulous approach taken by the attacker. But more than this, it is painfully clear that there is No Magic Sauce ™. The methodology uses off-the-shelf tools, simple scripts, and manual analysis to match them against the target environment.

This simply underlines the fact that acceptable security, for the most part, is all about getting the basics right consistently.

How could Gamma Group International have avoided ending up in this situation?

  • Understand the threat surface well
  • Remove any unused functionality
  • Configure the remaining functionality conservatively
  • Patch any flaws promptly

 

Now, being truly honest, how many of you can put your hand on your heart and say that you do this thoroughly and consistently?

[1] http://ars.to/1q1CxIA
[2] http://pastebin.com/raw.php?i=cRYvK4jb

 


Written by
Martin O’Neal
Managing Director
Corsaire