Posts tagged video

At the BSides San Francisco conference I presented with Lee Kushner on the techniques for finding a good job in information security and on hiring strong candidates for an infosec position. Anthony Freed from Infosec Island recorded this 6-minute video with me at the event.


Using ICMP Reverse Shell to Remotely Control a Host

Tightly restricting the traffic that leaves the protected network for the Internet is hard without breaking important applications. Among the protocols that are often allowed to cross the Internet boundary is ICMP, which helps ensure the reliable transmission of other network messages. Unfortunately, attackers can also use ICMP to remotely control a system compromised on the organization’s internal network.

ICMP is the protocol that allows the “ping” command to function when troubleshooting network connectivity. In this case, the “echo-request” message leaves the network when the administrator “pings” a host on the Internet. If the host is accessible by ICMP, it responds with an “echo-reply” message. Though it’s debatable whether the ability to use “ping” is necessary for many people, organizations often allow this tool’s traffic through the firewall.

The idea of encapsulating data and commands in ICMP traffic to create a stealthy remote control channel was first popularized by the tool Loki, which was described in Phrack Magazine in 1996. The Tribe Flood Network (TFN) botnet, analyzed by David Dittrich in 1999, used a similar ICMP-based scheme for remotely controlling infected systems. Among the more recent tools for implementing a simple ICMP-based backdoor is “icmpsh”, whose use I demonstrated in the video above.

In my demo, the Windows system plays the role of a compromised host to which the attacker on the Internet wants to maintain access. I used the icmpsh.exe program written by “nico” to have the Windows system issue ping-like messages to the designated system. The messages were directed by the Linux host in my lab, which played the role of the attacker’s system. On the Linux host I ran the icmpsh_m.py script by Bernardo Damele, which he described in an earlier blog posting.

The two components of the “icmpsh” tool allow the attacker to establish a reverse ICMP tunnel, remotely controlling the Windows host by having it issue ICMP “echo-request” messages while the Linux host sends “echo-reply” responses. This simple setup highlights the power that ICMP can offer the attacker in establishing a covert channel that can cross many network perimeter firewalls.

Do you allow ICMP traffic in and out of your network? If so, now might be a good time to lock it down.
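One way to spot the pattern described above on the wire, as an added example that is not part of the original post or of the icmpsh tool: a small detector that parses ICMP echo messages and flags requests whose payload is not a normal ping pattern, plus replies whose payload no longer mirrors the request they answer (in a legitimate ping the reply echoes the request data back). The addresses and packets are constructed samples; the Windows and Linux ping payload patterns are the ones those clients send by default.

```python
import math
import struct
from collections import defaultdict

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Payloads emitted by ordinary ping clients: Windows sends a fixed 32-byte alphabet;
# iputils ping on 64-bit Linux sends a 16-byte timestamp followed by bytes 0x10..0x37.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_PING_PATTERN = bytes(range(0x10, 0x38))


def build_icmp(icmp_type, ident, seq, payload):
    """Assemble a constructed ICMP message (checksum left as zero; the detector ignores it)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload


def parse_icmp(raw):
    icmp_type, _code, _checksum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return icmp_type, ident, seq, raw[8:]


def shannon_entropy(data):
    counts = defaultdict(int)
    for byte in data:
        counts[byte] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def is_standard_ping_payload(payload):
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    return len(payload) == 56 and payload[16:] == LINUX_PING_PATTERN


def analyze(packets):
    """packets: iterable of (src_ip, dst_ip, raw_icmp_bytes). Returns a list of alert strings.

    A reverse ICMP tunnel of the icmpsh kind inverts normal ping semantics: the internal
    host's echo-requests carry command output rather than a ping pattern, and the remote
    side's echo-replies carry commands, so a reply no longer mirrors the request it answers.
    """
    alerts = []
    pending = {}  # (replier, original sender, id, seq) -> request payload awaiting its reply
    for src, dst, raw in packets:
        icmp_type, ident, seq, payload = parse_icmp(raw)
        if icmp_type == ICMP_ECHO_REQUEST:
            pending[(dst, src, ident, seq)] = payload
            if not is_standard_ping_payload(payload):
                kind = "high-entropy" if shannon_entropy(payload) > 5.0 else "non-standard"
                alerts.append(f"{kind} echo-request payload {src}->{dst} id={ident} seq={seq}")
        elif icmp_type == ICMP_ECHO_REPLY:
            request_payload = pending.pop((src, dst, ident, seq), None)
            if request_payload is None:
                alerts.append(f"unsolicited echo-reply {src}->{dst} id={ident} seq={seq}")
            elif request_payload != payload:
                alerts.append(f"echo-reply payload differs from its request {src}->{dst} id={ident} seq={seq}")
    return alerts


# Constructed sample traffic (placeholder addresses): a normal Windows ping exchange
# followed by one tunnel round-trip in which the reply carries a command.
INTERNAL_HOST, REMOTE_HOST = "10.0.0.5", "203.0.113.10"
SAMPLE_PACKETS = [
    (INTERNAL_HOST, REMOTE_HOST, build_icmp(ICMP_ECHO_REQUEST, 1, 1, WINDOWS_PING_PAYLOAD)),
    (REMOTE_HOST, INTERNAL_HOST, build_icmp(ICMP_ECHO_REPLY, 1, 1, WINDOWS_PING_PAYLOAD)),
    (INTERNAL_HOST, REMOTE_HOST, build_icmp(ICMP_ECHO_REQUEST, 1, 2, b"C:\\Users\\victim>")),
    (REMOTE_HOST, INTERNAL_HOST, build_icmp(ICMP_ECHO_REPLY, 1, 2, b"whoami\r\n")),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_PACKETS):
        print(alert)
```

Feeding the same logic captured ICMP from a perimeter sensor is the practical version; the benign exchange produces no alert, while the tunnel round-trip produces two.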


Lenny Zeltser


The Dark Side of Remote Desktop

Organizations large and small often make use of Remote Desktop or Terminal Services to remotely connect to Windows computers over the Internet and internally. These tools use Microsoft’s RDP protocol to allow the user to operate the remote system almost as if sitting in front of it. Such capabilities are helpful for not only legitimate users, but also for attackers.

The Internet community saw a reminder of the dark side of RDP due to the emergence of the “Morto” worm. According to F-Secure, a system infected with the worm scans the local network for systems listening on TCP port 3389 and, when it finds one, attempts to log in to it via RDP by guessing the Administrator password. The worm uses a list of 30 common passwords, which include favorites such as “password” and “12345678”.

The emergence of this worm correlates with the increased volumes of TCP port 3389 traffic, reported by SANS Internet Storm Center a few days prior to the F-Secure report:

The propagation approach employed by “Morto” is often used by penetration testers and human attackers alike: access the remote host by brute-forcing the password. One free tool that can automate this process is TSGrinder. You can see TSGrinder in action in the video I attached to this post. Note that TSGrinder is relatively slow, and requires that an older version of Remote Desktop client be installed on the attacking system.

A more modern (and faster) tool for remotely brute-forcing RDP credentials is Ncrack. Ncrack is a command-line tool that also supports a variety of other protocols, including SSH, VNC and FTP. In addition to being available in the source code form, Ncrack can be downloaded in a compiled form for Windows and OS X. (Update: For more on using Ncrack for RDP cracking, see Chris Gates’s post on the Carnal0wnage blog.)

Brute-forcing passwords on the internal network using tools such as TSGrinder and Ncrack is often quite effective. The approach also works over the Internet in many cases, because organizations often expose TCP port 3389 for remote access to workstations and servers over the Internet.

We can use the emergence of the “Morto” worm as a reminder to examine the use of Remote Desktop for remote access to systems over the Internet. Consider requiring an authenticated VPN connection before anyone has the ability to connect to this service. If you have to expose the service to the Internet without a VPN, don’t use the default port TCP 3389—instead pick a random high-numbered port. And, it goes without saying, use strong passwords and non-Administrator accounts. Lastly, consider configuring user accounts for auto-lockout after a number of unsuccessful logon attempts, while recognizing the potential for a denial of service attack if an attacker can trigger such a lockout remotely.
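The guessing pattern described above leaves a recognizable trail in the Windows Security log, and the following is an added example (my code, not from F-Secure, TSGrinder or Ncrack) of turning that trail into an alert: it counts RDP logon failures (event 4625 with logon type 10, RemoteInteractive) per source address in a sliding window and escalates when a flagged source later succeeds (event 4624). The one-line-per-event log format and the addresses, accounts and timestamps are constructed for the example, not the real EVTX layout.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed one-line-per-event rendering of Windows Security log entries (not the real
# EVTX layout): 4625 = failed logon, 4624 = successful logon, logon type 10 =
# RemoteInteractive, which is what a Remote Desktop / Terminal Services session produces.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<src>\S+)$"
)
RDP_LOGON_TYPE = "10"


def parse_events(log_text):
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            fields = match.groupdict()
            fields["ts"] = datetime.fromisoformat(fields["ts"])
            events.append(fields)
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: (verdict, targeted accounts)} for sources that pass the threshold.

    A source is flagged once it produces `threshold` RDP logon failures inside a sliding
    `window`; a later RDP success from a flagged source escalates the verdict, since that
    is the trail a password guesser such as Morto leaves behind when it gets in.
    """
    recent = defaultdict(deque)   # src -> timestamps of recent RDP failures
    accounts = defaultdict(set)   # src -> accounts it tried
    flagged = {}
    for event in events:
        if event["ltype"] != RDP_LOGON_TYPE:
            continue
        src = event["src"]
        if event["event"] == "4625":
            accounts[src].add(event["user"])
            failures = recent[src]
            failures.append(event["ts"])
            while failures and event["ts"] - failures[0] > window:
                failures.popleft()
            if len(failures) >= threshold and src not in flagged:
                flagged[src] = "brute-force"
        elif event["event"] == "4624" and src in flagged:
            flagged[src] = "brute-force followed by successful logon"
    return {src: (verdict, sorted(accounts[src])) for src, verdict in flagged.items()}


# Constructed sample: six guesses against Administrator within 20 seconds, then a success;
# a second source with a single failure before logging in normally, which must not be flagged.
SAMPLE_LOG = """\
2011-08-29T14:00:01 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=10.0.0.23
2011-08-29T14:00:04 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=10.0.0.23
2011-08-29T14:00:08 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=10.0.0.23
2011-08-29T14:00:11 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=10.0.0.23
2011-08-29T14:00:15 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=10.0.0.23
2011-08-29T14:00:19 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=10.0.0.23
2011-08-29T14:00:22 EventID=4624 LogonType=10 TargetUser=Administrator SourceIP=10.0.0.23
2011-08-29T14:03:40 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=10.0.0.40
2011-08-29T14:03:55 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=10.0.0.40
"""

if __name__ == "__main__":
    for src, (verdict, users) in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: {verdict} (accounts: {', '.join(users)})")
```

The threshold and window are the same knobs an account-lockout policy uses, so the detector shows what a lockout would have caught without actually locking anyone out.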


Lenny Zeltser


One-Click Windows Memory Acquisition with DumpIt

Memory forensics is becoming an essential aspect of digital forensics and incident response. When a system is believed to have been compromised or infected, the investigator needs a convenient way to take a memory snapshot of the host. DumpIt, a new tool from MoonSols, makes this very easy, even if the person in front of the affected computer isn’t technical.

DumpIt is a fusion of two trusted tools, win32dd and win64dd, combined into one executable. DumpIt is designed to be provided to a non-technical user on a removable USB drive. The person needs to simply double-click the DumpIt executable and allow the tool to run. DumpIt will then take the snapshot of the host’s physical memory and save it to the folder where the DumpIt executable is located.

The user can then provide the investigator with the USB key, which will contain the memory snapshot file. The investigator can use free memory forensics tools such as The Volatility Framework, Mandiant Redline and HBGary Responder Community Edition to examine the memory file’s contents for malicious artifacts.

DumpIt provides an easy way of obtaining a memory image of a Windows system even if the investigator is not physically sitting in front of the target computer. It’s so easy to use, even a naive user can do it. It’s not appropriate for all scenarios, but it will definitely make memory acquisition easier in many situations.

To see DumpIt in action, watch the 1-minute video attached to this blog post.


Lenny Zeltser


Clickjacking—the practice of deceptively directing a website visitor’s clicks to an undesired element of another site—is surprisingly effective. It’s been often used to propagate links to malicious websites on Facebook. More recently, similar techniques have been shown effective in de-anonymizing website visitors and even tricking them into granting attackers access to OAuth-secured data. Let’s see what such attacks entail.

Classic Clickjacking to Propagate Links on Facebook

In a classic clickjacking scenario, an attacker establishes a malicious website that invisibly embeds the Facebook “Like” or “Share” button in a transparent iframe. The iframe floats over a page element that the victim is likely to click on; alternatively, the invisible iframe follows the mouse cursor. When the victim clicks within the malicious site, the click is directed to the invisible “Like” or “Share” button. This approach isn’t limited to Facebook interactions, of course, as the attacker can embed elements from other sites in the iframe.

Consider a message below, which is typical of what you might see on Facebook if one of your connections was trapped by a clickjacking site:

Wondering why your friend might share a link with you, you click on it, only to find yourself on a site that seems to embed a YouTube video. However, you probably won’t see the Facebook “Like” buttons that I revealed when taking the screenshot below:

The “Like” buttons are floating over the two locations where the person is likely to click to play the video: in the middle of the supposed video player and in the bottom left corner. The actual victim wouldn’t see these buttons, because they would be invisible in a transparent iframe. By attempting to play this video, the person will actually press the “Like” button, increasing this site’s visibility on Facebook.

Newer Variations of Clickjacking Techniques

In the paper Clickjacking Attacks Unresolved, Lin-Shung Huang and Collin Jackson document more insidious variations of clickjacking attacks. For instance, they provide a proof-of-concept demonstration of how an attacker can determine the identity of the visitor to the malicious website by asking Facebook for this information.

I captured this Facebook User De-anonymization demo in the video embedded in this blog post. The video shows the Facebook “Like” button following the victim’s mouse cursor; in a real attack, the button would be invisible. When the person inadvertently clicks the “Like” button, he becomes a fan of the attacker’s Facebook page. Then, according to the paper:

“The attacker’s web page is notified when the victim clicks on the Like button via FB.Event.subscribe(‘edge.create’, …), triggering the attacker’s server to pull the fan list from his Facebook page and identify the newly added fan. The attacker’s server queries the user’s public profile via Facebook Graph API, and then removes the user from the fan list.”

This allows the attacker to obtain identifying information about the person, such as name, gender, locale and Facebook ID. The paper’s authors demonstrate that a similar attack works using the Twitter “Follow” button:

Clickjacking and Timing Attacks

Huang and Jackson also describe a click-timing attack called double-clickjacking, which can be used to trick the victim into approving the attacker’s authorization request to third-party OAuth providers. This approach works even when websites implement some of the common iframe-focused clickjacking defenses, such as X-Frame-Options. According to the paper,

“Although the attacker can no longer embed the approval page in an IFRAME, it is possible to load the [OAuth] approval page in a pop-under window. A pop-under window is basically a popup window that is hidden behind the main browser window right after it was opened. Since modern browsers block popup windows unless triggered by user-initiated clicks, we require multiple clicks in this specific attack to bypass popup blockers.”

To see the proof-of-concept code of double-clickjacking in action, follow the link in the Clickjacking Attacks Unresolved paper.
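To make the framing defenses mentioned above concrete, here is an added example (my code, not Huang and Jackson’s) that evaluates whether a response’s X-Frame-Options and CSP frame-ancestors headers permit a given origin to frame the page, with frame-ancestors taking precedence over X-Frame-Options when both are present, as CSP Level 2 specifies. Host names and the sample responses are constructed placeholders; it also shows the two cases these headers cannot cover: a widget such as the “Like” button must stay frameable by arbitrary sites, and a pop-under window is not an iframe at all.

```python
DEFAULT_PORTS = {"http": 80, "https": 443}


def split_origin(origin):
    """'https://host[:port]' -> (scheme, host, port), filling in the scheme's default port."""
    scheme, _, rest = origin.strip().lower().partition("://")
    host, _, port = rest.partition(":")
    return scheme, host, int(port) if port else DEFAULT_PORTS.get(scheme)


def source_matches(source, framer, page):
    """Match one CSP frame-ancestors source expression against the framing page's origin."""
    src = source.strip().lower()
    if src == "'none'":
        return False
    if src == "*":
        return True
    if src == "'self'":
        return split_origin(framer) == split_origin(page)
    f_scheme, f_host, f_port = split_origin(framer)
    if src.endswith(":") and "/" not in src:  # scheme-source such as https:
        return f_scheme == src[:-1]
    if "://" in src:  # host-source with an explicit scheme
        s_scheme, rest = src.split("://", 1)
        scheme_ok = s_scheme == f_scheme
    else:  # host-source without a scheme: the page's scheme, or https for an http page
        p_scheme, rest = split_origin(page)[0], src
        scheme_ok = f_scheme == p_scheme or (p_scheme == "http" and f_scheme == "https")
    s_host, _, s_port = rest.partition(":")
    host_ok = s_host == f_host or (s_host.startswith("*.") and f_host.endswith(s_host[1:]))
    port_ok = s_port == "*" or (int(s_port) if s_port else DEFAULT_PORTS.get(f_scheme)) == f_port
    return scheme_ok and host_ok and port_ok


def framing_allowed(headers, page_origin, framer_origin):
    """Return (allowed, reason): may a page served with these headers be framed by framer_origin?

    A frame-ancestors directive, when present, wins over X-Frame-Options; header names are
    matched case-insensitively. An unrecognized X-Frame-Options value is treated as absent.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    for directive in lower.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            allowed = any(source_matches(s, framer_origin, page_origin) for s in value.split())
            return allowed, f"CSP frame-ancestors {value.strip()!r}"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return split_origin(framer_origin) == split_origin(page_origin), "X-Frame-Options: SAMEORIGIN"
    if xfo.startswith("ALLOW-FROM "):  # obsolete form; browsers that do not understand it ignore it
        return split_origin(framer_origin) == split_origin(xfo[11:]), "X-Frame-Options: ALLOW-FROM"
    return True, "no framing restriction: the page can be overlaid in a transparent iframe"


# Constructed sample responses (placeholder host names).
CASES = {
    "unprotected": {},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "csp-partners": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example"},
    "csp-overrides-xfo": {"X-Frame-Options": "SAMEORIGIN", "Content-Security-Policy": "frame-ancestors 'none'"},
}


def audit(page="https://site.example", framer="https://attacker.example"):
    """Evaluate each sample response against one framing origin. Returns {case: allowed}."""
    return {name: framing_allowed(h, page, framer)[0] for name, h in CASES.items()}


if __name__ == "__main__":
    for name, allowed in audit().items():
        print(f"{name}: {'frameable' if allowed else 'blocked'}")
```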

What to Do About Clickjacking?

Clickjacking incidents affect many people, and are unlikely to subside. To date, most of these attacks have been used for distributing malicious links on Facebook. However, the same approaches can be used for more insidious scenarios, as Huang and Jackson have demonstrated. Their paper outlines some of the approaches that the developers of websites and browsers can use to mitigate clickjacking risks; however, these techniques are far from being comprehensive. Worst of all, it’s hard to come up with practical advice to end-users to avoid getting hit by this attack vector. Advising people not to click on web page elements isn’t really an option.

Lenny Zeltser

Most of us have been tying our shoelaces incorrectly. We were taught the weaker form of the knot, probably because the stronger version is harder for children to master. As Terry Moore demonstrated in his 3-minute video, tying the stronger knot involves bringing the second loop of the shoelace around the other loop in the opposite direction from what we are used to.

There are two reasons I bring up the shoelace story on this security-focused blog.

Lesson #1: Best Practices

First, we should remember that having followed certain “best practices” for a long time doesn’t mean our approaches are optimal for the tasks at hand. The reliance on “best practices” is one of the addictions of information security professionals.

What if the security advice we’ve been passing along to each other as tribal knowledge isn’t good? Are there assumptions that we don’t question that prevent us from achieving stronger security or making more practical risk management decisions? What if we rely too much on the common security frameworks? Much about “best practices” is unproven and can probably be improved upon.

Lesson #2: Return on Investment

The second point I want to make involves Return on Investment (ROI). If someone were to offer to teach you a better way of tying shoelaces, how much would you pay for the lesson? The stronger knot comes untied less often, saving you valuable time and mitigating the risk of shoelaces coming untied when you’re being chased by robbers or when you’re rushing to cross the street.

It’s easy to conceive a formula that will put value on the secret of a stronger knot based on the cost savings or risk avoidance… Yet I doubt many of us would pay to watch the video that began this post. This is why I suggest being cautious of using ROI to justify the purchase of security technologies. Avoiding a potential loss is different from generating income.

But, back to the better way of tying shoelaces. The stronger form of the knot really works. I cannot tell you how many car accidents and robberies I avoided by investing 3 minutes to learn how to tie it. The stronger knot has become my new best practice.

Lenny Zeltser

Do you have the right personality to be in information security? Take Richard Wiseman’s world’s quickest personality test to find out by following instructions in his 1-minute video. If you see an image of a puppy, then you’ve probably got what it takes to be an information security professional. Congratulations!


Lenny Zeltser

Information security architects use documented frameworks to codify key practices, technologies, objectives and other elements relevant to the organization’s security or risk management program. While there are clear benefits to creating and following such frameworks, we need to be mindful of the risks of adopting them without hesitation or customization.

Example: Marketing Strategy Frameworks

The notion of frameworks is present in many industries. For instance, among the marketing frameworks taught in business schools is one called Four P’s. Designed to assist in evaluating a marketing strategy for a product, it advises businesses to consider the following elements:

  • Product: What is the product?
  • Price: How is the product priced?
  • Place: Where or how will the product be purchased?
  • Promotion: How will the customer find out about the product?

Another framework speaks of four C’s—Commodity, Cost, Channel, Communication—as important elements of a marketing strategy. Yet another framework, called STP—Segment, Target and Position—advises how to focus the strategy on the appropriate parts of the market.

These, and many other frameworks, sound insightful. Yet, it is unclear that one person’s framework is more useful than another’s. Dan Ariely, a behavioral economist, discusses in the above video how he led a class of executive MBA students through a discussion that used two arbitrary frameworks he made up, without the students even questioning the frameworks’ wisdom.

The moral of Dan’s story is that it’s easy to force the world into some framework without understanding the nuances of the situation and without evaluating the framework’s usefulness.

Information Security Frameworks

We love frameworks in the world of information security, too. We have standards, such as ISO 27001/27002 and PCI DSS, regulations such as HIPAA and FISMA, as well as lots of designs, templates and guidelines often grouped under the heading of best practices. Too often, companies attempt to adhere to these frameworks without understanding their applicability and limitations.

For instance, PCI DSS is pretty prescriptive about its security requirements. Yet, organizations often misinterpret them in a way that suits their budgets and business practices. Some companies even attempt to adopt PCI DSS as an approach to securing non-PCI environments without considering the extent to which the threats and security practices might differ.

As another example, consider the numerous controls listed as part of ISO 27002. Companies, possibly earnest in their desire to build an information security program, attempt to implement all of them. They do this despite ISO 27001 advising that the controls’ applicability depends on the organization’s “needs and objectives, security requirements, the processes employed and the size and structure.”

A related concern is our reliance on advice labeled best practices. These frameworks, according to The New School of Information Security, are “activities that are supposed to represent collective wisdom.” The book warns against relying on them blindly, in part because the groups that codify them have vested interests in security decisions. The book also points out that best practices “typically don’t take into account differences between companies or, more importantly, between industries.”

Usefulness and Dangers of Frameworks

Frameworks aren’t magic. They are put together by individuals like you and me, who usually do our best to codify our experiences and relay advice to other practitioners. This can help by providing a structure for making risk decisions, achieving compliance and thinking about hard security problems. However, we must be mindful of the dangers of blindly following frameworks without considering how they apply to a given situation or customizing them to the specific needs of the organization.

Lenny Zeltser

Feeling secure is different from being secure. Infosec professionals usually interpret this phrase as a reminder that we often merely pay lip service to security without actually taking measures to improve it. The inverse of the situation is also true: Being secure is often insufficient if the subject doesn’t feel secure.

Feeling Secure vs. Being Secure

In an essay In Praise of Security Theater, Bruce Schneier emphasized that “security is both a reality and a feeling.” He continued:

“The reality of security is mathematical, based on the probability of different risks and the effectiveness of different countermeasures. […] But security is also a feeling, based on individual psychological reactions to both the risks and the countermeasures. And the two things are different: You can be secure even though you don’t feel secure, and you can feel secure even though you’re not really secure.”

Bruce brought up the example of RFID bracelets being placed on newborns to alert the hospital if the infant is abducted. The bracelets are used even though the chance of such incidents is very low. Yet, the “bracelets are a low-cost way to ensure that the parents are more relaxed when their baby was out of their sight.” In this case, there’s a benefit to making people feel secure even if the measure does not address a meaningful risk. (You can listen to Bruce discuss this concept in his TED video as well.)

The Importance of Feeling Secure

The feeling of security matters because humans sometimes make seemingly irrational decisions that have reasonable explanations, and also because sometimes emotions play a more significant role than logic. That’s what makes us human.

In the context of IT, even if you take actions that make the organization more secure, that might not be enough. You need to pay attention to making sure your actions also allow the relevant constituents to feel secure. The following examples where this can make a difference come to mind:

  • A user of an anti-virus tool that is too quiet may assume that the tool is ineffective and switch to a competing product that makes the user feel more secure. If you have a great security tool, you need to find a way to make sure that your users see the benefit.
  • A corporation may have a CISO who is very effective at strengthening the company’s security posture and managing IT risks; however, the management may feel insecure unless the CISO captures the right metrics and offers meaningful reports.
  • A client who commissioned a security assessment may have received competent service, but unless the deliverable offers a comprehensive review of the findings and methodology, the client may feel unsatisfied with the engagement.
  • A company may choose a service provider that they feel meets their security and compliance requirements based purely on polished sales interactions and marketing documents, regardless of the strength of the vendor’s actual security program.

Those are just a few examples that remind us not to underestimate the importance of not only being secure, but also feeling secure. These two concepts are distinct, yet interrelated. Both require your attention.

Lenny Zeltser

Security Possibilities for Continuous Wearable Video Capture

Consumer gadgets continue to increase in capabilities, shrink in size and, in many cases, drop in price. Evelyn Rusli reported on TechCrunch a small over-the-ear video camera called Looksie, which is priced at only $199. Wearable video cameras aren’t new; options include:

The video quality of the new Looksie device is worse than the choices I just outlined. Yet, Looksie is the first consumer-friendly device that I’ve seen in an attractive form factor. More interestingly, it integrates with Android phones (sorry, iPhone people) to transmit video over Bluetooth and share it over the Internet.

According to Looksie’s description on Amazon, it has “enough temporary storage for five hours of continuous video capture. […] Once the five-hour storage capacity is reached, new video automatically replaces the oldest video.”

An over-the-ear wearable video capture device that is relatively inexpensive has interesting security applications:

  • If you inadvertently witness a crime, you have video footage of the event, regardless of whether you are the victim or the witness. (I hope you never have to do this.)
  • If you perform a physical security walkthrough, say as part of a penetration test, you easily record what you see without attracting undue attention. (Looksie looks a bit like an over-sized hands-free phone headset; in fact, it actually has headset capabilities!)
  • If you perform computer incident response, you can record video of what occurs on your screen as soon as you arrive on the scene. (Though remember that some corporate and government environments prohibit video recording.)
  • If you perform penetration testing that includes shoulder surfing, you can record people’s keyboard or screen activities with a simple glance in their direction. (Of course, this capability can be misused by miscreants.)
  • If you’re about to get into a fight with your friend over an insult he said, you can substantiate your claim with sound and video of the offense. (OK, I doubt that will defuse the situation, but I’m running out of ideas.)

When it comes down to it, it’s great to see a nice-looking personal gadget that allows people to capture their surroundings in new ways. Oh, and if you’re wondering, lots of comments in the TechCrunch post about Looksie already mention the point-of-view pr0n capabilities. So let’s not go there.

By the way, at the other end of the video capture device spectrum is Anybots’ telepresence robot called QB. You can order it for $15,000. Acting as your avatar, “QB has a speaker, microphone, camera, and video screen. It connects to the internet over Wi-Fi. You control it from your computer in a web browser, using a headset and screen.” You can remotely see and speak through QB without having to walk to the subject. According to the Technology Review, QB is “equipped with an obstacle-sensing and guidance system to avoid crashing into things.”

What will they think of next?

Lenny Zeltser