Harassed by NYPD at HOPE Conference 2016

It’s been a bi-annual tradition for me and a few of my friends for the past 6+ years to attend the Hackers On Planet Earth (HOPE) conference over at the Hotel Pennsylvania in NYC. Well, after yesterday (Saturday, July 23, 2016) that tradition and excitement will now be associated with harassment and a lack of support from the conference organizers and security staff.

The events played out like this: I got stopped by three men (undercover cops, it appears) while grabbing a drink of water in one of the rooms. They asked if my name was “Mr Browne”; I answered no, and then they demanded to see my ID without first identifying who they were or why I was being stopped and questioned.

Naturally I said NO! They then proceeded to threaten me that I would be kicked out of the hotel and prosecuted for trespassing if I did not comply. I asked how that was possible, since I had paid to be here, but they kept demanding my ID. I asked to see their badges, but they wouldn’t show them and still wouldn’t say why I was being stopped. At this point the conference security team and the three (potential) officers were surrounding me like I was a criminal.

I finally showed my ID because I didn’t want to get kicked out, or worse. I then had to go downstairs and leave the presentation, and only then was I finally shown one badge (Sergeant Thomas Lent, NYPD Intelligence Division, Brooklyn Army Terminal). He told me “I got stopped because I fit the description of a Black man with a beard, who was a person of interest”.

There is a right way and a wrong way of doing things, and that was the wrong way!!! It would have been good to get some support from the conference security team, by informing them that I did have the right to be there and requesting that they show me their badges or tell me why I was being questioned, but that was not the case.

#UnnecessaryHarassment  #NYPD #HavingABeardIsNotACrime

First impression — 1U App

Passwords, passwords and more passwords. If you are like me then you are tired of tokens, passwords, two-factor authentication and all of the other mystical things out there that are trying to keep us safe in this crazy technological world that we are living in.

I recently attended Ohio Linux Fest 2014 and saw an interesting talk on password security by Dru Streicher, a security analyst for Sherwin-Williams; you can view the slides here. He basically gave us an overview of some of the different attacks surrounding passwords, then went into a really nice open forum chat about password best practices. Keeping all that in mind, if I had known about the 1U app then, I might have skipped his talk and spent that time testing the app instead :).

Now just in case you are asking yourself why anyone should care about password security, or about newer technology to help with the authentication process, I would like to point you to an article over at Wallstcheatsheet.com titled “How much does a data breach actually cost”. The estimated cost of an average data breach is $3.5 million.

The article then ended by making the following statement “So what’s the hold up? Experts say that banks and retailers have been at a bit of a standoff: Neither one wants to take the plunge to invest in new technology, and both are waiting for the other to overhaul the system. Meanwhile, consumers will just have to shop smart and keep a close eye on their transaction history.”

Luckily there are innovators like Hoyos Labs that want to help change the landscape of this digital revolution. Before I jump into my experience with trying to set up and test 1U on my Android Galaxy S4 mobile device, I will begin by first explaining what 1U is.

Instead of trying to explain it in my own words, here is the official explanation: “1U™ (www.1Uapps.com) is an app component of the HoyosID® Identity Assertion platform, serving as a replacement for all usernames, passwords, PINs and tokens of any kind, making users’ digital lives more convenient and secure. Using your mobile device’s camera, various biometrics are acquired and upon recognition, the app grants access to you and only you so you can complete transactions and log into secure sites without fear of breach or the hassle of a forgotten password.”

After reading an explanation like that you can see why I was excited to be a part of the test group and couldn’t wait to install the application and start testing. Unfortunately, like all good things, it soon came to an end.

I downloaded the application from the beta server and did the initial setup; however, each time I got to the final step of the configuration process it started over. This appeared to be a bug, so I reported it to support as well as to the person who invited me to be a part of the test group. Support confirmed it and said it would be fixed in the final version released in the App Store and Google Play Store.

Until such time, I will be waiting to complete my review once I have a bug-free version of the application.

 

Read more: http://wallstcheatsheet.com/business/how-much-does-a-data-breach-actually-cost.html/?a=viewall#ixzz3JAZLTsyI

http://www.1uapps.com/

Learning your history is important

It is said that if you don’t know your history you are bound to repeat the past. The same holds true in the world of malware. The infographic below brings you up to speed on what has occurred over the last 28 years in the wonderful world of malware.

A big thanks to the ESET team for creating and sharing this with the community. I would like to pride myself on knowing a bit more about malware than the average user, but even so I learned quite a lot from this infographic.

So sit back and enjoy the journey that begins with the Brain virus from Pakistan in 1986 and ends with Windigo in 2014.

How Well Are You Protecting Yourself Online?

By Sandra Mills

How many passwords do you enter on a daily basis? With the prominence of the internet in the modern age, it’s probably quite a few. Most password-protected sites often contain extremely valuable personal information as well. Information many cyber criminals would love to obtain and abuse.

Since these passwords have become so intertwined with our personal and financial lives, shouldn’t we make it a goal to strengthen them? However, it seems that most people don’t see the issue, and are often complacent when creating new passwords. Some create weak passwords (such as “password”) without thinking much of what they’re really putting at risk.

With this in mind, we should all make a conscious effort to create high-quality, complex passwords to keep ourselves protected online. There is a lot of data that has been measured concerning this issue, such as what is most effective or most common, and with a few simple tips you too can help fight against weak internet security. Don’t put yourself at unnecessary risk any longer.

Below is a helpful infographic from Instant Checkmate, containing many tips and statistics that should be a good starting point for getting your personal security up to par in 2014. If you want to make sure that you really are protected online, this is the first step.


A big thank you to Sandra for writing today’s blog entry, and what a timely posting, since we see accounts being compromised daily because of weak passwords.

Security Management from an Enterprise Perspective

By: Karthik

An enterprise invests a considerable amount of time in its day-to-day scanning and in managing patches for its infrastructure. In practice, however, the picture is different: most enterprises shy away from scanning and patching their business-critical infrastructure for fear of interrupting already established critical applications. The other side of the story is that enterprises test, scan and manage patches up to the staging environment but fail to reassess the same systems once they go live in production. The major challenge is to convince the stakeholders about the end-user impact of thorough security scanning and patch management. Metasploit, the well-known exploitation framework, adds several exploits to its repository every month, a reminder that the threat vectors are increasing day by day. In this article we shall look at how to balance security management with business operations.

Stakeholders generally frown on scanning and patching critical infrastructure. This is because security teams are seen as a nuisance to the day-to-day operations of the rest of the enterprise, and because security management in its full vigor is never at the top of the stakeholders’ priority list. For decades we have witnessed that an enterprise strengthens its security infrastructure only after a breach; otherwise the security implemented is pretty mediocre.

Figure: Securosis patch management cycle (securosis.com)

The image above shows the Securosis patch management cycle, which represents the activities involved on any technology platform. Implementing stringent security measures has gained importance in the current decade, which has seen record numbers of data breaches and exfiltration incidents around the world. Instead of staying isolated, security teams must work closely with the operations team so that they are no longer considered intrusive by the rest of the organization. Each cycle of vulnerability assessment for business-critical applications should include a thorough analysis of its impact on operations as well as of the threat surface presented by the organization. Too often, internal security teams run a set of automated tools such as Nessus and Acunetix and end the story by applying the patches those tools suggest. But not every production environment is a plug-and-play target for patches: each one undergoes its own share of customization before going live, and a logic error introduced by that customization can become a vulnerability, even a zero-day, that a generic automated scanner cannot detect.

Vulnerability scanning and patch management must be more than the compliance checkbox that enterprises go through. The difference between a vulnerability assessment and a penetration test matters here: a vulnerability assessment shows the attack surface exposed to attackers, whereas a penetration test determines which of those vulnerabilities is actually exploitable. Successful security analysis of business-critical applications requires a lot of interaction between the business stakeholders and the security teams. Most of the time, stakeholders do not completely understand the process behind the security team’s approach, and so they hesitate to trust the team’s assessment of the end-user impact. Stakeholders should also understand the core difference between application-level security and infrastructure security. Infrastructure security requires minimal knowledge of the hosts and services compared to an application-level assessment, and automated tools fail to completely cover customized APIs and applications. Passive scans have the advantage of not actively probing the target and therefore not disturbing the operational state of critical applications; on the other hand, flaws such as CSRF, SQL injection and XSS cannot be confirmed by passive scanning, because detecting them requires sending test input to the application. Enterprises need to understand that attackers generally target the application layer more than the infrastructure. For a deeper look into enterprise security, check out the CISM training course offered by the InfoSec Institute.

Most security practitioners advocate frequent scanning and patching to manage and mitigate undiscovered risk: apply security scanning at all phases (development, QA, staging and production) and maintain a strict program to avoid unexpected data breaches. Threat modeling can be applied from the development stage onward to combat security bugs early in the lifecycle, which also ensures that developers and QA learn to build and test products with security in mind. It is always advisable to hire a professional firm to find the hard-to-find bugs after the internal teams complete their rounds of security testing; this ensures that the production environment goes live with few or no major security flaws known to the enterprise. Over the past decade, most security breaches and data exfiltration attacks happened in production environments, for the reasons discussed above.

Experts suggest that mirroring the production environment and running security tests there, without causing any dreadful impact on customers, is the way to proceed with continual security assessment. Continual assessment is needed because an application with an unknown vulnerability today may be exploited tomorrow as a zero-day. Vulnerabilities found in the mirrored environment can be patched and validated there before the fix is promoted to production. Making the process granular is the key here. Bugs raised must not be forgotten and must be patched based on priority; the effort of bug hunting is fruitful only when the bugs are patched in a timely manner. How a patch is deployed differs from system to system. For a web application, a couple of changes in the code and an upload to the server does the trick, but an operating system patch may require a reboot to take effect. Load balancers play a critical role in patching systems that need 24/7 uptime: one member of the pool is drained from the load balancer, patched, rebooted and verified, then returned to rotation before the next member is taken out, so the service never goes down.

Remedying vulnerabilities is a never-ending process, and not every security test will give you threatening bugs. The catch is to understand which vulnerabilities are exploitable and what their impact is on the business as well as on the end users.
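As an added illustration of the triage and rolling-patch ideas above (example code written for this page, not part of the original article or of any scanner vendor’s tooling), the Python below scores constructed scanner findings by CVSS, public exploit availability, Internet exposure and asset tier, orders them, and then lays out patch waves that never take two members of the same load-balanced pool out of rotation at once. The host names, pool names, finding identifiers and weights are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanner finding on one host (constructed for this example)."""
    host: str
    pool: str             # load-balancer pool name, or "" for a standalone host
    vuln_id: str          # hypothetical identifier, not a real CVE
    cvss: float           # CVSS base score, 0.0-10.0
    exploit_public: bool  # a public exploit exists (e.g. a Metasploit module)
    internet_facing: bool
    asset_tier: int       # 1 = business critical, 2 = important, 3 = low value
    needs_reboot: bool


# Assumed weights: exploitability and exposure multiply the base score,
# asset tier scales it by business impact.
TIER_WEIGHT = {1: 1.5, 2: 1.0, 3: 0.6}


def priority(f: Finding) -> float:
    score = f.cvss
    if f.exploit_public:
        score *= 1.5
    if f.internet_facing:
        score *= 1.3
    return round(score * TIER_WEIGHT[f.asset_tier], 2)


def triage(findings):
    """Most urgent first; ties broken by host and id so the order is stable."""
    return sorted(findings, key=lambda f: (-priority(f), f.host, f.vuln_id))


def rolling_patch_plan(findings):
    """Return patch waves (lists of hosts patched in parallel). No two members
    of the same pool share a wave, so each pool keeps serving while one member
    is drained from the load balancer, patched, rebooted and returned."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f.host].append(f)
    host_order = sorted(by_host, key=lambda h: -max(priority(f) for f in by_host[h]))
    waves, pools_used = [], []  # pools_used[i] = pools already present in waves[i]
    for host in host_order:
        pool = by_host[host][0].pool
        for wave, used in zip(waves, pools_used):
            if pool == "" or pool not in used:
                wave.append(host)
                used.add(pool)
                break
        else:
            waves.append([host])
            pools_used.append({pool})
    return waves


def downtime_risks(findings):
    """Standalone hosts whose patch needs a reboot: these need an agreed outage window."""
    return sorted({f.host for f in findings if f.pool == "" and f.needs_reboot})


# Constructed scanner output for a small estate: two load-balanced pools and
# two standalone hosts. Identifiers like "ex-001" are placeholders, not CVEs.
SAMPLE = [
    Finding("web1", "web", "ex-001", 7.5, True, True, 1, False),
    Finding("web2", "web", "ex-001", 7.5, True, True, 1, False),
    Finding("web3", "web", "ex-002", 4.0, False, True, 1, False),
    Finding("db1", "", "ex-003", 9.8, False, False, 1, True),
    Finding("app1", "app", "ex-004", 6.1, True, False, 2, True),
    Finding("app2", "app", "ex-004", 6.1, True, False, 2, True),
    Finding("intranet1", "", "ex-005", 3.1, False, False, 3, False),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{priority(f):6.2f}  {f.host:10} {f.vuln_id}")
    for i, wave in enumerate(rolling_patch_plan(SAMPLE), 1):
        print(f"wave {i}: {', '.join(wave)}")
    print("needs outage window:", downtime_risks(SAMPLE))
```

With the sample data the two Internet-facing web hosts carrying a publicly exploitable flaw come out first, the wave planner splits web1/web2/web3 and app1/app2 across three waves, and db1 is flagged as the one host whose reboot cannot be hidden behind a load balancer.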

Domain Theft and the Possibilities for Recovery

1 Introduction

On October 24th 2012, Diigo, a social bookmarking website that allows signed-up users to bookmark and tag web pages, had its domain, diigo.com, stolen by a domain name thief. As a result, Diigo’s more than 5 million registered users were not able to access the website.

Domain theft, also known as domain name hijacking, is not a new phenomenon. Back in 2005, the ICANN’s Security, Stability and Advisory Committee (SSAC) issued a Domain Hijacking report outlining several incidents of domain theft. The report defines domain name hijacking as “wrongful taking of control of a domain name from the rightful name holder.”

The present contribution describes the types of domain thefts (Section 2) and explains the possibilities for recovery of stolen domain names (Section 3). Finally, a conclusion is drawn (Section 4).

2 Types of domain theft

The Domain Hijacking report differentiates five basic types of domain theft, namely: impersonation of a domain name registrant in correspondence with a domain name registrar (Subsection 2.1); forgery of a registrant’s account information maintained by a registrar (Subsection 2.2); forgery of a transfer authorization communication from a registrant to a registrar (Subsection 2.3); impersonation or a fraudulent act that leads to the unauthorized transfer of a domain from a rightful name holder to another party (Subsection 2.4); and unauthorized DNS configuration changes that disrupt or damage services operated under a domain name (Subsection 2.5).

2.1 Impersonation of a domain name registrant in correspondence with a domain name registrar

This type of domain theft includes using forged fax or postal mail requests to modify registrant information. In some cases, stolen or copied company letterheads may be also used.

The www.hushmail.com incident is a typical example of impersonation of a domain name registrant. Hushmail was launched in 1999 by Hush Communications. In April 2005, a domain name thief convinced the support staff of Network Solutions, Inc. to modify the administrative email contact in Hush Communications’ registration record. The attacker then used the new administrative contact email to submit a password reset request for the Hush Communications account to Network Solutions, Inc. Afterwards, the attacker logged into the account, changed the password, and altered the DNS configuration to point the domain name to his own server. Finally, the thief posted a new home page demonstrating his achievement and embarrassing Hush Communications.

2.2 Forgery of a registrant’s account information maintained by a registrar

Domain name thieves may forge the account information associated with a domain name registration to conduct malicious activities, such as reselling the domain. For instance, the forged information may be used by a thief to deceive a buyer that the thief is the actual owner of the domain name.

2.3 Forgery of a transfer authorization communication from a registrant to a registrar

This type of domain theft includes acts where the domain name thief submits a fake transfer authorization communication to the registrar. The communication appears to be sent by the registrant, which would allow the thief to take control over the domain name.

For example, in the U.S. case Kremen v. Cohen (2001), the California District Court found that the defendant had fraudulently obtained the registration of the domain name sex.com by sending a forged letter to Network Solutions, Inc., the domain registrar. As a result, the court awarded $65 million in damages resulting from the fraud. The court justified the award by noting that, in the five years the defendant operated the “sex.com” website, he reaped profits amounting to more than $40 million. The award also included $25 million in punitive damages.

2.4 Impersonation or a fraudulent act that leads to the unauthorized transfer of a domain name from a rightful name holder to another party

This type of domain name theft includes actions that may or may not lead to changes in the DNS configuration. If the theft does not change the DNS configuration, it can remain undetected for a considerable period of time. In this case, the motive of the thief is not to immediately disrupt the domain holder’s operations, but to acquire and resell the domain name.

An example of such a theft is the blogtemplate4u.com and dhetemplate.com incident. Both domain names were registered and managed by a U.S. company through Go Daddy Operating Company, LLC. An unidentified and unauthorized person used the name and password of the company’s manager to log into his account and transfer the domain names to another registrant and another registrar (OnlineNIC, Inc.). In this incident, no changes had been made to the DNS configuration, and the services of the two domain names had not been affected.

The manager of the company submitted a Uniform Domain Name Dispute Resolution Policy (UDRP) claim to the online ADR Center of the Czech Arbitration Court requesting the transfer of the domain names to his company. UDRP is an administrative procedure allowing trademark holders to submit complaints to ICANN-accredited dispute resolution providers for disputes involving domain names that have been registered by an ICANN-accredited registrar. On November 21, 2012, a panelist of the Czech Arbitration Court delivered a decision transferring the domain names to the manager of the company.

2.5 Unauthorized DNS configuration changes that disrupt or damage services operated under a domain name

Unauthorized DNS configuration changes occur when the attacker alters the name servers or resource records of the domain, typically after gaining access to the registrar or DNS hosting account, so that the domain resolves to hosts under the attacker’s control. A related but distinct attack is DNS spoofing (also known as DNS cache poisoning): forged data is introduced into a resolver’s cache so that the resolver returns an incorrect IP address and diverts traffic to another computer (often the computer of the domain name thief). Cache poisoning does not change the registration itself, but from the user’s perspective the effect is the same. A well-known example of DNS spoofing occurred in 1997, when Eugene Kashpureff redirected users attempting to connect to the InterNIC website to his own AlterNIC website.

3 Possibilities for recovery of stolen domain names

At present, victims of domain name theft can re-take control of the stolen domain names through dispute resolution procedures (Subsection 3.1). In addition, ICANN also considers the use of an emergency action channel (Subsection 3.2) between registrars that will be used in cases where an urgent response is required.

3.1 Dispute Resolution Procedures

The Uniform Domain Name Dispute Resolution Policy (UDRP) and the Transfer Dispute Resolution Policy (TDRP) established by ICANN are designed to impartially assess the factual circumstances of the case with the aim of determining the appropriate outcome of a dispute.

The Uniform Domain Name Dispute Resolution Policy (UDRP)

The Uniform Domain Name Dispute Resolution Policy (UDRP) is an effective means for recovery of stolen domain names. The total cost of a UDRP proceeding (including attorney’s expenses) may vary between $1,000 and $2,000, and the procedure takes at least two months to reach a decision. In order to succeed in a UDRP proceeding, a complainant must establish three elements: (1) the domain name is identical or confusingly similar to a trademark or service mark in which the complainant has rights; (2) the registrant does not have any rights or legitimate interests in the domain name; and (3) the registrant registered the domain name and is using it in “bad faith.” Note that the UDRP is a trademark remedy: a domain holder who owns no trademark or service mark corresponding to the stolen name cannot satisfy the first element and must turn to the registrar, the TDRP, or the courts. A party who lost the proceedings may file a lawsuit in a national court against the domain name registrant.

In order to establish whether a domain name has been registered in “bad faith,” the UDRP panel will examine several factors, such as (1) whether the registrant registered the domain name with the aim of selling the domain name registration to the complainant, (2) whether the registrant registered the domain name to prevent the owner of the trademark or service mark from using the mark corresponding to his name, (3) whether the registrant registered the domain name primarily to disrupt the business of a competitor, and (4) whether the registrant tried to attract visitors by creating a likelihood of confusion with the complainant’s mark.

The Transfer Dispute Resolution Policy (TDRP)

The Transfer Dispute Resolution Policy (TDRP) is used for resolving disputes between two registrars engaging in Inter-Registrar domain name transfers. A TDRP dispute can be brought to the registry for a decision, or to a third-party dispute resolution service provider. In case that a registry operator is chosen, the decision of this registry operator may be appealed by the registrars to an independent dispute resolution provider. A decision made by an independent dispute resolution provider may be appealed only before a court.

3.2 Emergency action channel

The emergency action channel will provide 24/7 access to registrar technical support staff who are authorized to assess the situation and establish the magnitude and immediacy of harm. They are also entitled to take measures to restore registration records and DNS configuration to “the last working configuration.”

The emergency action channel will be supported by a contact directory of parties who can be reached during non-business hours and weekends and a companion policy. The companion policy will identify evaluation criteria (including circumstances and evidence) that a registrant must provide in order to obtain an immediate recovery of the domain.

The following circumstances will be taken into account when distinguishing when an urgent recovery policy may be a more appropriate action than the TDRP: (1) immediacy of the harm, (2) the magnitude of the harm, and (3) escalating impact.

4 Conclusion

This article has shown that domain name theft is a serious issue that can lead to the loss of the domain name and the interruption of services operating under it. It has also shown that domain name theft is a broad term that encompasses several acts of wrongful takeover of a domain name. While domain name thefts that interrupt services will probably be immediately noticed by the legitimate domain name holders, those that do not lead to changes in the DNS configuration may remain unnoticed for a long period of time.

At present, the people/organizations whose domains were stolen may rely mainly on the dispute resolution procedures established by ICANN and on the use of litigation. The UDRP and TDRP procedures are relatively quick and cheap (compared to litigation). However, it should be noted that many victims of a domain name theft may not be able to pay the dispute resolution fees. This is especially true for people in developing countries for which a dispute resolution fee of $2,000 could be equal to their annual salary.

In order to prevent thefts of domain names, companies and individuals may take the following four preventive measures. First, they should not use Hotmail, Gmail, or other free email services as the contact email on their domains. The contact mailbox is the recovery channel for the registrar account: if a thief takes over a consumer webmail account (a weak or reused password, no second factor, or an abandoned address that can be re-registered), he can reset the registrar password and authorize a transfer. Second, companies and individuals need to create as secure a password as possible at their registrar; a completely random password containing upper- and lower-case letters and numbers is desirable. Third, in order to ensure the best protection of their domain name, companies and individuals are advised to use a trusted registrar. The well-known registrars provide adequate security precautions, such as a registrar lock (the clientTransferProhibited status, which blocks transfer requests until the holder lifts it) and two-factor authentication on the account. Lastly, when selling domain names, it is advisable to use escrow services; an escrow service is a good way to prevent fraud schemes.
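As an added example, not part of the original article: the thefts described in Subsection 2.4 change the registration without touching DNS, so nobody notices until the domain is gone. The Python below parses two constructed WHOIS-style snapshots (the “Key: Value” layout used by most registry WHOIS servers) and reports differences in registrar, name servers and contact emails, missing registrar locks (the clientTransferProhibited, clientUpdateProhibited and clientDeleteProhibited status codes), free webmail contacts, and an approaching expiry. The domain, registrar names and addresses are constructed; in practice the current snapshot would come from a scheduled WHOIS or RDAP lookup.

```python
import re
from datetime import datetime, timedelta

# Consumer webmail domains: a registrar contact at one of these is a weak link.
FREE_MAIL = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com"}
# EPP status codes a registrar sets to refuse transfer/update/delete requests.
LOCKS = ("clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited")


def parse_whois(text):
    """Parse 'Key: Value' WHOIS output into a record. Repeated keys
    (Name Server, Domain Status) become lists; other fields are strings."""
    rec = {"nameservers": [], "status": []}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(.+?)\s*$", line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2)
        if key == "name server":
            rec["nameservers"].append(val.lower())
        elif key == "domain status":
            rec["status"].append(val.split()[0])  # drop the ICANN URL after the code
        elif key in ("registrar", "registrant email", "admin email", "registry expiry date"):
            rec[key] = val
    rec["nameservers"].sort()
    return rec


def audit(baseline, current, today=None, expiry_warning_days=30):
    """Alerts for changes since the baseline and for settings that invite theft."""
    today = today or datetime.now()
    alerts = []
    for key in ("registrar", "registrant email", "admin email"):
        if current.get(key) != baseline.get(key):
            alerts.append(f"{key} changed: {baseline.get(key)} -> {current.get(key)}")
    if current["nameservers"] != baseline["nameservers"]:
        alerts.append(f"nameservers changed: {baseline['nameservers']} -> {current['nameservers']}")
    for lock in LOCKS:
        if lock not in current["status"]:
            alerts.append(f"registrar lock missing: {lock}")
    for key in ("registrant email", "admin email"):
        domain = current.get(key, "").rpartition("@")[2].lower()
        if domain in FREE_MAIL:
            alerts.append(f"{key} uses a free webmail provider ({domain})")
    if "registry expiry date" in current:
        expiry = datetime.strptime(current["registry expiry date"], "%Y-%m-%dT%H:%M:%SZ")
        if expiry - today < timedelta(days=expiry_warning_days):
            alerts.append(f"domain expires on {expiry.date()}")
    return alerts


# Constructed snapshots. The "current" one mimics a silent hijack: the domain
# has moved to another registrar, the locks are gone and the admin contact now
# points at a webmail address, while the name servers (and so the site) are unchanged.
BASELINE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Registry Expiry Date: 2025-08-13T04:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Name Server: NS2.EXAMPLE.NET
Name Server: NS1.EXAMPLE.NET
Registrant Email: hostmaster@example.com
Admin Email: hostmaster@example.com
"""

CURRENT_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Other Registrar Ltd
Registry Expiry Date: 2025-08-13T04:00:00Z
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
Registrant Email: hostmaster@example.com
Admin Email: someone@gmail.com
"""

if __name__ == "__main__":
    for alert in audit(parse_whois(BASELINE_WHOIS), parse_whois(CURRENT_WHOIS),
                       today=datetime(2025, 7, 1)):
        print("ALERT:", alert)
```

Run daily against a stored baseline, this catches exactly the case the article describes as the hardest to notice: a transfer to another registrar that leaves DNS untouched.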

Daniel Dimov is a security researcher for InfoSec Institute. InfoSec Institute is a security certification company that has trained over 15,000 people including popular CEH and CCNA certification courses.

Eight Handy Security Tools For a Novice

Here is a compilation of a few tools that we need to be aware of. The power, performance and capabilities of these tools are limited only by the creativity of the attacker. Let’s dig into the list.

1. Maltego:

Following the well-defined hacker cycle, let’s start off with reconnaissance tools. Maltego is a very well-known tool for information gathering, and it supports both personal reconnaissance and infrastructure reconnaissance. With personal reconnaissance, a person can build another person’s profile from an email address, name or phone number using search engines. With infrastructure reconnaissance, a person can get information about the subdomains and servers of a network. Maltego comes in two versions, a commercial version and a community edition; registration is mandatory for using the tool, and only the commercial version allows saving the output of the reconnaissance. The information is gathered using what Maltego calls transforms: a transform takes an entity (a domain, an email address, a name) as input, queries a data source, and returns new entities, which can in turn be fed into further transforms to extend the graph.

2. Metasploit:

Following this, we move on to the exploitation tools. The most used exploitation framework is the Metasploit Framework, now maintained by Rapid7. Originally written in Perl as a portable network tool, and later rewritten in Ruby, it has evolved into one of the most powerful exploit development frameworks. It allows using custom exploits through a process called “porting” of exploits.

Porting an exploit involves taking a proof-of-concept exploit that delivers one fixed piece of shellcode, commonly a calc.exe or notepad launcher, and weaponizing it as a framework module so that it can use the framework’s features, such as custom payloads, encoders and other benefits.

The Metasploit Framework is not just an exploit delivery vehicle. It also contains tools for exploit development: it can be used for generating offsets (pattern_create and pattern_offset), writing exploits, and exploiting different operating systems and architectures through its many modules.

A third-party extension that provides a GUI is Armitage. The commercial edition has its own GUI, which is not included in the community edition.

Backdooring an executable was done with msfpayload (payload generation) together with msfencode’s -x option, which injects the payload into an existing executable; both tools have since been replaced by msfvenom, which combines them.

3. GHDB

GHDB stands for Google Hacking Database. Google itself is one of the most powerful tools available to an attacker. Specially crafted search queries, known as dorks or Google dorks, combine operators such as site:, inurl:, intitle: and filetype: to reveal vulnerable servers on the Internet. They can be used to gather sensitive data, uploaded files, subdomains and more. GHDB makes it easier to find the right Google dorks for your needs.

The GHDB was started by Johnny Long and is now maintained by Offensive Security as a section of the Exploit Database.

4. Social Engineering Toolkit:

The Social Engineering Toolkit (SET), written by David Kennedy of TrustedSec, is built into BackTrack. It presents social engineering attacks in an automated fashion: encoding of scripts, binding Trojans to legitimate files, creating fake login pages, harvesting credentials. This tool is a one-stop shop for all these requirements. It can use Metasploit-based payloads in its attacks, making the framework all the more lethal with all the professional exploits from the Metasploit Framework.

5. HULK – A web server DoS Tool

The brainchild of Barry Shteiman, HULK (HTTP Unbearable Load King) distinguishes itself from many of the other tools out in the wild. According to its creator, the tool was the result of his conclusion that most tools out there produce repeated request patterns which can easily be mitigated. The principle behind HULK is to introduce randomness into every request (user agents, referers, URL parameters) to defeat caching and host identification technologies. This increases the load on the server and evades IDS/IPS signatures.

6. Fear The FOCA

FOCA (Fingerprinting Organizations with Collected Archives) is a metadata harvesting tool. It can analyze metadata from various file types such as DOC, PDF and PPT. From this data it can enumerate users, folders, email addresses, software used, operating systems and more. There are customization options available in the tool too: the crawl option lets you search the related domain’s website for additional documents, and metadata can be extracted from a single file or from multiple files. FOCA is thus a great tool in the reconnaissance phase for extracting information from metadata.

7. W3af – Web application attack and audit framework

w3af (Web Application Attack and Audit Framework) is an open-source project that was sponsored by Rapid7, the company that maintains the Metasploit Framework. w3af is used to find and exploit web application vulnerabilities; it reports the vulnerabilities it finds and supports the penetration testing process. It is divided into two main parts: the core and the plugins. Plugins can be custom written, and there is a plugin for saving reports to disk for later reference. Plugins communicate through the framework’s knowledge base, so a discovery plugin’s findings automatically feed the audit plugins.

8. EXIF Data viewers

Smartphones and digital cameras use a standard, the Exchangeable Image File Format (EXIF), to embed additional metadata in the images and sounds they record. Various EXIF data viewers are available. The recorded data can include the type of camera and, more importantly, geolocation information: many smartphone camera apps geotag photos by default, so a shared image can leak where and when it was taken. The accuracy is such that the latitude and longitude are provided when the EXIF data is extracted, thus leaking possibly private information.
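As an added example (written for this page, not code from the original article or from any EXIF viewer), the Python below builds a minimal JPEG whose Exif block carries only a GPS IFD with constructed coordinates, walks the JPEG marker segments to find that block, parses the TIFF structure (handling both byte orders) to recover the latitude and longitude in decimal degrees, and finally strips the Exif segment so the image can be shared without the location. The coordinates are constructed, and only the GPS tags are modelled; a real camera file carries many more tags, but the same walk finds them.

```python
import struct
from fractions import Fraction

# Tags used here: the IFD0 pointer to the GPS IFD, and the four GPS tags.
GPS_IFD_TAG, LAT_REF, LAT, LON_REF, LON = 0x8825, 0x0001, 0x0002, 0x0003, 0x0004
T_ASCII, T_LONG, T_RATIONAL = 2, 4, 5


def _dms(deg):
    """Decimal degrees -> three (numerator, denominator) rationals: deg, min, sec/100."""
    deg = abs(deg)
    d = int(deg)
    m = int((deg - d) * 60)
    s = round(((deg - d) * 60 - m) * 60 * 100)
    return [(d, 1), (m, 1), (s, 100)]


def build_jpeg_with_gps(lat, lon):
    """Constructed input: SOI, one APP1/Exif segment, EOI. The big-endian TIFF
    block holds IFD0 (one entry: GPS IFD pointer) and a GPS IFD with lat/lon."""
    ifd0_off = 8                        # right after the 8-byte TIFF header
    gps_off = ifd0_off + 2 + 12 + 4     # IFD0: count, one entry, next-IFD link
    lat_off = gps_off + 2 + 4 * 12 + 4  # GPS IFD: count, four entries, link
    lon_off = lat_off + 3 * 8           # three RATIONALs of 8 bytes each
    tiff = b"MM" + struct.pack(">HI", 42, ifd0_off)
    tiff += struct.pack(">H", 1) + struct.pack(">HHII", GPS_IFD_TAG, T_LONG, 1, gps_off) + b"\0\0\0\0"
    lat_ref = b"N\0" if lat >= 0 else b"S\0"
    lon_ref = b"E\0" if lon >= 0 else b"W\0"
    tiff += struct.pack(">H", 4)
    # A 2-byte ASCII value fits inside the entry's 4-byte value field (zero padded).
    tiff += struct.pack(">HHI", LAT_REF, T_ASCII, 2) + lat_ref + b"\0\0"
    tiff += struct.pack(">HHII", LAT, T_RATIONAL, 3, lat_off)
    tiff += struct.pack(">HHI", LON_REF, T_ASCII, 2) + lon_ref + b"\0\0"
    tiff += struct.pack(">HHII", LON, T_RATIONAL, 3, lon_off) + b"\0\0\0\0"
    for num, den in _dms(lat) + _dms(lon):
        tiff += struct.pack(">II", num, den)
    exif = b"Exif\0\0" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif + b"\xff\xd9"


def _segments(jpeg):
    """Yield (offset, marker, segment bytes) for each header segment before SOS/EOI,
    then the remainder (entropy-coded data and EOI) with marker None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        seglen = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield pos, jpeg[pos + 1], jpeg[pos:pos + 2 + seglen]
        pos += 2 + seglen
    yield pos, None, jpeg[pos:]


def _read_ifd(tiff, e, off):
    """{tag: (type, count, raw 4-byte value/offset field)} for the IFD at off."""
    n = struct.unpack_from(e + "H", tiff, off)[0]
    out = {}
    for i in range(n):
        base = off + 2 + 12 * i
        tag, typ, cnt = struct.unpack_from(e + "HHI", tiff, base)
        out[tag] = (typ, cnt, tiff[base + 8:base + 12])
    return out


def _coord(tiff, e, ref_entry, val_entry, negative_ref):
    """Turn a GPS ref (N/S or E/W) plus three RATIONALs into signed decimal degrees."""
    off = struct.unpack(e + "I", val_entry[2])[0]
    d, m, s = (Fraction(*struct.unpack_from(e + "II", tiff, off + 8 * k)) for k in range(3))
    value = float(d + m / 60 + s / 3600)
    return -value if ref_entry[2][:1] == negative_ref else value


def extract_gps(jpeg):
    """(latitude, longitude) in decimal degrees, or None if there is no GPS data."""
    tiff = next((seg[10:] for _, marker, seg in _segments(jpeg)
                 if marker == 0xE1 and seg[4:10] == b"Exif\0\0"), None)
    if tiff is None:
        return None
    e = "<" if tiff[:2] == b"II" else ">"      # "II" little-endian, "MM" big-endian
    ifd0 = _read_ifd(tiff, e, struct.unpack_from(e + "I", tiff, 4)[0])
    if GPS_IFD_TAG not in ifd0:
        return None
    gps = _read_ifd(tiff, e, struct.unpack(e + "I", ifd0[GPS_IFD_TAG][2])[0])
    if not all(t in gps for t in (LAT_REF, LAT, LON_REF, LON)):
        return None
    lat = _coord(tiff, e, gps[LAT_REF], gps[LAT], b"S")
    lon = _coord(tiff, e, gps[LON_REF], gps[LON], b"W")
    return round(lat, 5), round(lon, 5)


def strip_exif(jpeg):
    """Copy of the JPEG without its APP1/Exif segment; the image data is untouched."""
    out = bytearray(jpeg[:2])
    for _, marker, seg in _segments(jpeg):
        if not (marker == 0xE1 and seg[4:10] == b"Exif\0\0"):
            out += seg
    return bytes(out)


if __name__ == "__main__":
    photo = build_jpeg_with_gps(40.7484, -73.9857)   # constructed coordinates
    print("location in EXIF:", extract_gps(photo))
    print("after stripping:", extract_gps(strip_exif(photo)))
```

Two practical notes: real files often store the TIFF block little-endian (“II”), which is why the parser reads the byte-order mark instead of assuming one; and stripping the whole APP1 segment, as `strip_exif` does, also removes the camera model, timestamps and any embedded thumbnail, which is usually what you want before publishing a photo.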

Conclusion

These are a few handy tools that a beginner in info-sec needs to be aware of. Other tools and their capabilities will be followed in the continuing articles.

Shathabheesha is a security researcher for InfoSec Institute. InfoSec Institute is a security certification company that has trained over 15,000 people.