Wireless Security

One of the weakest points of personal home security is in Wi-FI. There also have not been any new security standards released since 2004’s 802.11i. Unfortunately, routers sold today still make available security settings that are dangerously antiquated even compared to that. As with all things in security, attacks only get better.

The article on Wi-Fi security standards above lists most of the standards and defenses. For simplicity’s sake, we will quickly go through those that should not be used at all.

  • WEP-based encryption is so easily broken that at this point it should be considered only marginally better than having no protection at all. Here is an example of how to break WEP-based security, for instance.
  • WPA, while offering substantial improvement over WEP, is also considered insecure due to the algorithms involved.
  • Hiding your SSID (the name of your wireless network) is sometimes used. I personally turned it on for a short time, but it is problematic for two reasons. First, your network is still broadcasting the name in many packets, as is the client. Second, it violates the 802.11 standard, and any time that happens with technology there can be interoperability concerns.
  • Filtering based on MAC also offers minimal help. This is because changing your wireless device’s MAC is trivially easy. Given that, attackers can just listen to packets to see who is authenticating successfully, and then copy that MAC.

With those dealt with, we can look at options that should be considered.

  • WPA2 Personal should be used minimally for the network.
  • If you are creating a business network, you should be using WPA2 Enterprise. It offers the ability to create keys for individuals and know which users are on what devices, and if any suspicious activity is detected have a place to investigate from. It also allows you to terminate that user’s certificate without changing the password on several routers.
  • Hardware tokens, smart cards, and other similar tools (such as RSA) can be used in some environments with extensive work to add rotating, per-user encryption. If your needs justify this, however, you should have full-time staff working to implement and administer the solution.

Additional layers can and should be added to whatever choice is made above. Options for doing so include encryption technologies such as SSH or VPN access. This way, it adds one more compromise in order for traffic to be deciphered.

While all of these help, it does not guarantee safety. There is at least one known attack against WPA2, known as Hole196. This allows users of the same network to gain access to what should be secure traffic or create a denial-of-service condition. There are also tools for gaining illicit access to a Wi-Fi network. Cracking a WPA2 Wi-Fi password can take several hours or more, but given that passwords may remain for years an attacker can stand to wait.

In the event that your paranoia has been justifiably turned on (for instance you are concerned about state-level actors or targeted penetration attacks)…why are you even enabling Wi-Fi? While you could use RF shielding paint or Faraday cages to contain your broadcasts to a certain physical area with some level of certainty, going to only wired connections with other security measures enabled is your best choice.

The Economics of Malware: Criminals

Note: This is the second of three articles I will do about the economics of malware. I will be giving a presentation on these issues at Madison, Wisconsin’s Nerd Nite on October 30, 2013.

In part one, I talked about the history of vulnerability research, and the development of the market that exists around them. Today we will look at the criminal side of the purchasers of those vulnerabilities, and how they make their profit.

Malware is created using vulnerabilities, either purchased through the markets described previously or self-researched. There are broad categories of malware, each of which has a different profit mechanism.

Account Credential Theft

Attacks in this category include any mechanism by which a user’s form of authentication is taken for uses outside of their control. This can include user and password combinations for financial institutions, games, websites, or IM/VoIP clients, or password and certificate combinations used for encryption (such as a GPG pair). These can be either be sold in black markets, or used in attacks described later in this article. Typically, it is done either by phishing (directing users to fake login pages and having them enter their credentials), or through keyloggers.

Bot Activity

While the previous attacks were somewhat passive, listening in or gathering information, those that cause bot activity take control over the compromised machine. Machines can be used in this way to send spam to continue to grow the botnet, or solve captchas, or launch DDOS attacks either to attack an enemy or as part of a ransom attack (see below). They can also be used for click fraud, either to drain the funds of a target or if they control the ad network in question to raise revenue. Finally, it can be used to anonymize any other attack described here, so that they look like they are only coming from another victim (this is a common objection to offensive security since you will not be responding to the initiator of the attack, just the attack itself).

E-Mail Attacks

Email attacks are those used once you have the credentials necessary to access them. Once accessed, a multitude of attacks are available, although the automation of these attacks varies widely. For instance, Stranded Abroad attacks (also used in social media reputation attacks) use the email account to contact associates with a call for monetary assistance due to some need overseas, and ask for money to be wired overseas to accounts under the attackers control. Emails can be sent containing malware to other people to gain other access. The accounts can also be mined to look for registration emails from websites, and used to reset the passwords on all of those sites and gain access to those to perform other attacks. Finally, the information in the emails itself can be of great value, if mined correctly or a precision attack is made.

Financial Credentials

The most obvious of value from malware is in financial institutions. Being able to log into an individuals bank, stock, 401k, or other similar account can immediately result in a windfall, depending on the security of the institution in question. In these cases, often smaller withdrawals are made to look for triggers that would cause questions to be raised. There are also attacks made on the financial institutions themselves, where money is either shifted into other accounts or simply created out of thin air.

Ransomware

Machines can be totally removed from the control of their owners. In those cases, the malware will either encrypt data on the machine, requiring that they pay the attacker in order to have it unlocked, or make it appear that such action is required. Sometimes this will be cloaked in the façade of the user having done something illegal and it being a fine (sometimes with hilarious results), other times it is just an open ransom request. With the system controlled, it will sometimes take advantage of an embedded webcam and take compromising pictures, and demand ransom for that.

Reputation Hijacking

That last example can also fall under the category of reputation hijacking. With reputation hijacking, typically social network accounts are used to post information that compromises the value of the target’s identity. Individuals may find their Facebook account posting incriminating photos or statements, Businesses may find their Yelp profiles dragged through the mud by competitors. In these cases, they are usually paid character assassinations.

Server Compromise

If a compromised machine has useful characteristics, it will be used for them. This is different from the normal bot behavior described above, in that they will often be used to host services for users other than the attackers. This includes sites that serve warez or child pornography, and do not want to use machines that can be traced back to an individual. They often can be used for phishing or other malware-related sites.

Virtual Good Theft

Finally, the machines compromised can include various information of worth. If license keys can be found in recoverable form they are easily resellable. Also with high value are gaming accounts and goods from those accounts. Gaining access to either Amazon or iTunes accounts can also grant value for the compromiser.

These methods are often used in tandem via malware packages. As of March 2013, thirty-eight percent of all malware was distributed by the Blacole or Cool kits, both created by the same person team, led by a user known as Paunch. Almost all of malware traffic comes from packages now. Interestingly, these packages are sold similar to other software-as-a-service. This includes data analytics, user targeting, upgrades, and more. The Blacole kit could be rented for approximately $700 a month, while Cool retailed for $10,000.

With all of these avenues for making money, perhaps the hardest part is actually gaining access to it. Organized crime who are the largest users of malware packages will retain money mules to gather the money. At times, this money never reaches its destination, either due to the mules being interceded by authorities or the attackers concerned about their ability to recover it.

The reason why that concern is justified is that these criminals are high value targets. You may notice that many of the articles I have linked to involve arrests. This is because every point on the chain of making and expatriating the money involved is a target. For instance Paunch and his team, mentioned above, were arrested earlier last week in Russia. Despite this, it is extremely lucrative for the time they operate.

Part three of this three part series will cover the last of the major users of retail vulnerabilities, governments and their agents.

Cryptolocker and Handling Malware Generally (This Means Backups!)

I received a request to discuss the cryptolocker family of malware, and will be talking about that today. If there are any other topics that are requested to be covered, please leave a comment below or contact me. This form of malware falls generally under the ransomware category, which installs itself and then demands money for one reason or another in exchange for removal. Sometimes it is because it claims you have violated the law, and it is a fine to remove it. In this case, it instead encrypts data off of your hard drive using a public-key cryptographic setup that appears to be well designed, and at least appears to legitimately offer a hope for decryption if it is paid.

Encryption is Hard™, and it is the mistakes in designing cryptographic software that is easier to break than the theory that is implemented. In this case, however, no obvious flaws have been found. This does not mean that I encourage payment of the ransom. Like all ransoms, you have no reason to trust whoever created the malware. Payment only encourages them to ask for more, and the key could be discarded as soon as the files are encrypted.

More realistically, if you see this malware appear on your system, you have two hopes. First, this is the “cheap” form, which will not actually encrypt your system but instead hide all your files and pretend to. Removing the malware will make your system function again. You can use your typical form of antivirus, or something like malwarebytes. Secondly, you of course have good backups, right? Many infestations come in large packages now, containing various malware to do different tasks such as keylogging or changing your DNS server to point you towards what they control for ad clicks or prevent you from obtaining software updates. When you discover malware on your system, at that point you do not know what else is wrong. A full system reinstall is the best solution, and the only way to guarantee things are fixed, assuming you also are sure your backups are clean as well.

Therefore, if you want to be sure about your security, be sure about your backups. For my system I use duplicity, and it ties in well with my previous instructions on personal encryption. I have it doing daily backups, which are incremental (so it only adds what is new from the previous day’s work), and then a full backup every week. My crontab and backup scripts are below:

# m h  dom mon dow   command
0 5 * * 2-7    /home/USER/.duplicity/duplicity_daily
0 5 * * 1    /home/USER/.duplicity/duplicity_weekly
#!/bin/sh
test -x $(which duplicity) || exit 0
$(which duplicity) --encrypt-key GPG_KEY --exclude /home/USER/.gvfs /home/USER file:///data/backups/USER
#!/bin/sh
test -x $(which duplicity) || exit 0
$(which duplicity) full --encrypt-key GPG_KEY --exclude /home/USER/.gvfs /home/<USER> file:///data/backups/USER
$(which duplicity) remove-all-but-n-full 3 --force file:///data/backups/USER

For each of the above, you would replace “<USER>” with your username, and “<GPG_KEY>” with your encryption public key.

The Economics of Malware: Vulnerabilities

Note: This is the first of three articles I will do about the economics of malware. I will be giving a presentation on these issues at Madison, Wisconsin’s Nerd Nite on October 30, 2013.

The quintessential problem of information security is how to address the technology involved. The architectures in question each have their own potential and known vulnerabilities. These can be discovered by multiple different players, and today’s article will be about why they each look for these vulnerabilities.

Over the years, an entire market has developed around the sale of vulnerabilities. This article will talk about the players involved in discovering and selling vulnerabilities. The market feeds the entire use environment, from criminals and their support organizations (which will be part 2 of this series) to governmental actors who use it for intelligence gathering (which will be part 3 of this series).

First, lets define what a vulnerability is. A vulnerability in this case is a method by which unplanned or unauthorized behavior is induced. This can include both within the target of the vulnerability itself or in the broader system it runs within. For instance, a vulnerability in a database software may give the attacker unauthorized access to data within it, or it may be used to gain access to system resources outside of the database.

Multiple players research vulnerabilities. Until recently, academics (warning: PDF) were the most common discoverer of vulnerabilities. One of the great historical battles over vulnerabilities was over the concept of “full disclosure“. Researchers would reveal discoveries to developers, and be promptly face legal threats. They then stopped revealing them to the developers, and just announcing all the details. This pushed developers into releasing patches finally, but was ugly. The middle ground that exists now over “responsible disclosure” involves telling the developer that the details will be revealed after a certain amount of time.

When malware was first identified in 1982, initial malware was designed by those who discovered the vulnerabilities exploited. People began trading information on vulnerabilities for prestige (warning: PDF) and knowledge they desired. A divergence began, however, when the search for vulnerabilities was not longer just academic.

It was bug bounty programs that offered rewards for those who disclosed vulnerabilities. The first was in 2004 and offered by Mozilla for discovered flaws in the Firefox web browser. Vulnerability research began to be big business around 2007. One of the major drivers in bounties from companies was that they were now competing against black market trading.

This influx of cash has driven many more people into the research arena, and feeds those looking for new tools to exploit. Both organized crime and governmental agents had deep pockets, and were willing to spend hundreds of thousands of dollars for zero-day vulnerabilities. Zero-days are vulnerabilities not known to either the developer of the vulnerable software in question nor anti-malware actors.

Part two of this three part series will cover how the organized crime drivers of the vulnerability marketplace use them.

Securing SSH

In the Linux world, SSH is the network protocol used for secure communication between machines. Through it, both remote access and individual commands can be sent. As a result, it is one of the most important parts of the infrastructure to secure.

For SSH, there are two system-wide configuration files. The first is in /etc/ssh/sshd_config, and handles the server, or incoming connections. The second is located at /etc/ssh/ssh_config and manages clients, or outgoing connections. Each of the following configuration settings are important to helping improve the security of a ssh server. This will be done by running the following command:

sudo vim /etc/ssh/sshd_config

First, we want to be sure we are only using version 2 of the ssh protocol. Version 1 has numerous known security problems and should be not used anywhere without very specific backwards compatibility needs, and even then only while working to migrate to version 2. To do so, you set the following settings in the configuration file.

Protocol 2

Second, you should disable root logins. This ensures that anyone connecting has to know a username to log in, and prevents anyone from having simple access to everything.

PermitRootLogin no

Third, we will increase the server key size. Generally, the more bits for the key the harder to compromise it later. This is done by changing the setting of

ServerKeyBits 758

to

ServerKeyBits 4096

Once that is complete, you will also need to run the following commands to regenerate the keys:

sudo rm /etc/ssh/ssh_host_*
sudo dpkg-reconfigure openssh-server

Fourth, you want to disable password-based login. You ONLY want to do this one you have set up and confirmed the functionality of your key-based login. Otherwise, you may find yourself unable to log in anymore. When you are ready to proceed, you will modify the following setting:

PasswordAuthentication no
ChallengeResponseAuthentication no

Fifth, unless you what sftp is, and plan to use it, you should disable it. You do so by finding and commenting out the line below.

#Subsystem sftp /usr/lib/openssh/sftp-server

Sixth, you will want to restrict which users can log in via SSH. You can list who is granted such ability either by username or by group. I personally go by the username option.

AllowUsers

Finally, you need to restart the SSH server in order for the configuration to be re-read. The method by which you do so varies from distribution to distribution, but on Debian you use the following command:

sudo service ssh restart

When all of those configurations are set, your configuration will look like this:

# What ports, IPs and protocols we listen for
Port 22
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 4096

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 30
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
ChallengeResponseAuthentication no

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
MaxStartups 10:30:60

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# Uncomment following line to enable sftp server
#Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

# Lock down to only allow certain users
AllowUsers

In addition to the changes above in SSHD configuration, there are other possibilities you can use. Some people suggest moving the port that the SSH server listens on from 22, but that does not particularly add much. It protects against some brute force scanners, but when you are no longer using password authentication your protection does not rely on hiding the server.

Other tools can also be used to add protection. I highly encourage installing denyhosts as well, as it will prevent rapid attacks. You can also configure it to download lists of addresses that attacks are being detected from. The system firewall as well as TCP Wrappers can be used to only allow specific computers to be valid to use the SSH server.

With these modifications, a SSH server is much more secure against attack. The configuration above should be a bare-minimum, and additional protections should be added as specifics require.

Silk Road Shutdown and OPSEC

The infosec, legal, and drug worlds were shocked today with the Department of Justice’s indictment of Ross William Ulbricht as the accused Dread Pirate Roberts, the administrator of the Silk Road. The Silk Road was a tor-based black market making available drugs, forgeries, hacking tools, and more its clients worldwide. Since its opening, it has been the site for approximately a billion dollars in sales via bitcoin.

Given its importance, and the money involved, one would think that Ulbricht would have a strong set of OPSEC. Reading the indictment itself, however, indicates how wrong this assumption is, especially at the beginning of the Silk Road. It reads like a how-not-to, including crossing identities, having incriminating evidence sent to an address under his name, and more.

At this point, it is worth a digression to talk about Operational Security, or OPSEC. OPSEC is the process by which one determines how information can be assembled to be used against them. In the case of someone running a site such as the Silk Road, the threats the face are monumental. This includes nation-states, with extensive surveillance capability as well as pressure to use such tools in targeting such a black-market administrator. Given this, extensive preparation and discipline is necessary to avoid exposing any information about false identities created for protection (for more in-depth information on hacker OPSEC, see the grugq’s presentation).

During the first days of the Silk Road, someone under the username “altoid” began spreading information about it. The same apparent user, with the same username, appears on bitcointalk a few days later and later looks for development help, posting his email address. This email address is used by Ulbricht for his LinkedIn profile contact. His full name is used in March 2012 asking for assistance with implementing certain php code over tor. This username and gmail connection is changed later, but the original tie-ins had been recorded. Even worse, the replacement email he used (frosty@frosty.com) is later seen in the ssh key needed to log in as the Silk Road administrator.

You can also see some spillover on his YouTube profile, where he links to videos about “How to Get Away with Stealing” and “The Market for Security”. It also contains videos from the Mises Institute, which is also cited in the Dread Pirate Robert’s Silk Road signature. While not directly incriminating, these add philosophical correlation with an interview that the Dread Pirate Roberts gave to Forbes. This interview adds an additional wrinkle to the story, where he claims that he was not the first to use the name Dread Pirate Roberts, just as the character did in the Princess Bride. No other evidence supports this claim, however, and it appears to be misdirection.

Canadian mail has broad authority (warning: PDF) to search packages crossing their border. This information was most likely enough to ask Canadian law enforcement to search for packages being sent to Ulbricht, or alternately he was just very unlucky. Regardless, a search of a package being sent to Ulbricht’s residence in San Francisco from Canada revealed several fake documents, apparently intended to purchase additional server access for the Silk Road’s growing resource needs.

Combined, this information gave investigators enough information to locate the physical address of the Silk Road server. They made a forensic copy of it on July 23 2013, and were then able to access its code base. Within it they found evidence of the only IP address by which administrative access was available, and showed access from the VPN located there granted to an internet cafe approximately 500ft from where Ulbricht lived. This address was also recorded in Google logs to be where Ulbricht had logged into his gmail from.

On July 26 2013, agents from Homeland Security Investigations confronted Ulbricht at the mailing address for the false identification. He not only admitted they were his, but that such documentation could be purchased from the Silk Road. This further implicated him and showed direct knowledge of the site.

By that point his trail is so well known by the investigators that I’m not sure how much it hurt. Regardless, he should have known to not say anything and demand a lawyer. Without the foundational work setting up and perfecting a process to protect himself, however, this appears to have been the likely outcome. This became more true with the growth of his success.

Basic Technology Security

For many people, there are simple tricks that can dramatically improve their security posture. These either remove the common entry points for attackers, or add additional barriers against their attackers. Combined, they are the easiest technical methods available.

The first, and most basic of options, is to ALWAYS have the current version of all software you use installed. If you are on Windows, Microsoft has a  regular schedule for releasing updates. You should even have automatic updates enabled if possible. Adobe also follows this schedule, and Reader updates should be just as important as those Microsoft patches. Same goes for Apple and OSX updates, and the maintainers of various Linux distributions, although the tools to do these updates vary. Check in your system documentation.

Secondly, remove the software you do not use. If you cannot name the reason why you have Java installed, for instance, uninstall it. All it does is add a  major vector for attacks. This goes for any software. If you’re not using it, remove it.

Thirdly, be sure to install and configure a firewall. This is the last barrier against outside attackers, and you want to be sure you are only letting in what you intend to. Create as narrow of exceptions as possible, and look for configuration suggestions for your use case. Remember you don’t need to open ports to browse the internet, unless you are blocking inbound and outbound traffic.

Forth, have good antivirus installed. I honestly find this less important than the first three, just because reducing your exposed surface ends up being far more useful. While anti-malware software and firewalls definitely should be exposed, they can and will miss things. There are plenty of free options for antivirus, although I usually direct people to  AVG on Windows. Microsoft Security Essentials is also a decent choice. No matter your operating system, however, you need to have something installed. With cross-platform malware such as java or pdf-based exploits, and growing desire for mobile attacks, assume that there is something out there.

Fifth, have good password security. Use a strong password to log into your system. Do not use an account with administrative access for everyday activity, to prevent malware from gaining a strong foothold if it gets onto your system. I’ve talked about this previously, but also use a password manager. Generate unique passwords for every single site, it protects you if one of those sites are cracked. Remember if you use the same password everywhere, your bank security depends on the security of that crappy forum you joined.

Finally, where it is available use use two-factor authentication. This is far from foolproof, and there are ways around it, but it stops the cheap attacks used to gain access to your email, your bank, social networking, and more. It also typically protects against repeated incursion on those accounts.

The combination of all of these tools creates an multi-layer protection that is far better than most people have. If any of these are missing, it creates a hole that can be exploited. Together, you will find yourself avoiding many of the greatest pitfalls and be far ahead of others.