Top 7 Bangs For Your Security Bucks

Marcus J Carey and Jennifer Jin recently published Tribe of Hackers – Cybersecurity Advice from the Best Hackers in the World.

Inspired by Timothy Ferriss’ book Tribe of Mentors, Marcus compiled a list of the fourteen most common questions he gets asked about cybersecurity. These questions were then posed to seventy notable InfoSec practitioners, with their responses recorded across more than four hundred pages in Tribe of Hackers.

Question number two caught my eye:

What is one of the biggest bang-for-the-buck actions that an organization can take to improve their cybersecurity posture?

Assuming the 70 have seen some stuff over the years, I figured this would be good advice for most companies to follow. I was also interested to see whether there would be any commonalities between the answers, so I read through all seventy responses and compiled a Top 7 list of the most common ones.

Again, go get the book, the proceeds are going to charity after all.

So, here we go:

The Top 7 Bang-For-Your-Buck Actions To Improve Your Security Posture.

For each of the Top 7 Bang-For-Your-Buck responses, I’ve quoted some comments from the answers. However, read the book for the full responses and more in-depth reasoning.

Number 7_ Conduct Risk and Threat Assessments (4 mentions)
“Once an organization identifies and quantifies risks and the assets associated with their key function(s), it becomes inherently easier to identify potential causes of a critically impactful incident.” – Lesley Carhart

Number 6_ Hire Good People (6 mentions)
“Hire good people. You will never spend money on something more effective within this domain than talented people.” – Ben Donnelly

Number 5_ Asset Management (7 mentions)
“You can’t protect it if you can’t find it” – Cheryl Biswas

Number 4_ Least Privilege | Limit Administrative Access (8 mentions)
“Get users out of the local administrators group” – Jake Williams

Number 3_ Do The Basics (9 mentions)
“There’s a lot of talk about the basics. If the basics were easy, everybody would be doing them. But I think they’re still worth calling out, even though they are difficult.” – Wendy Nather

Number 2_ Security Culture (11 mentions)
“Culture change impacts behavior, incentive models, accountability, and transparency — and myriad other critical enablers that help to mature and improve cybersecurity programs. Until organizational culture — comprised of values and behaviors — is substantially reformed, cybersecurity failures will continue to abound.” – Ben Tomhave

Number 1_ Security Awareness Training (14 mentions)
“I have gotten the best return on investment from security awareness training.” – Brad Schaufenbuel
“Invest in educating employees. Awareness goes a long way in a world where lying and “social engineering” are the key to most doors.” – Edward Prevost

And now you know.

Jakkals – Feb ’19 _Episode 1_

– InfoSec stories scavenged for you from across the internet –


Your three stories for this week are:

  1. How to Stuff a Chicken (Dailymotion Gets Attacked)
  2. Old Ladies Making Payments (Mikko on Payment System Segregation)
  3. Cyber Attacks In Real Life (Great Awareness Video from Hiscox)


1_ How To Stuff A Chicken

(Dailymotion suffers a credential stuffing attack)

If you are on the market for some roast chicken tips, here are a few great ones from Jamie: https://www.youtube.com/watch?v=bJeUb8ToRIw

Back to today’s actual program: Credential Stuffing Attacks.

The online video streaming site Dailymotion (which is a treasure trove for bootlegging MasterChef Australia episodes) was recently the target of a Credential Stuffing Attack. According to their website, Dailymotion attracts “300 million users from around the world, who watch 3.5 billion videos on its player each month.”

Dailymotion published the following alert on January 25th 2019:

The attack consists in “guessing” the passwords of some dailymotion accounts by automatically trying a large number of combinations, or by using passwords that have been previously stolen from web sites unrelated to dailymotion.

Credential Stuffing attacks aren’t anything new. In October 2018, the American cloud services provider Akamai published a report on Credential Stuffing attacks. They recorded around 8.35 billion credential stuffing attempts worldwide between May and June 2018, with the US and Russia being the main attack sources.

The report further notes:

“These botnets attempt to log into a target site in order to assume an identity, gather information, or steal money and goods. They use lists of usernames and passwords gathered from the breaches you hear about nearly every day on the news. They’re also one of the main reasons you should be using a password manager to create unique and random strings for your passwords. Yes, remembering that “*.77H8hi9~8&” is your password is difficult, but having your login at the bank compromised is a much bigger hassle.”

There you go, don’t reuse passwords!


2_ Old Ladies and Payment Systems

(I’m not going to write too much about this one)

Mikko Hypponen from the Finnish cyber security company F-Secure did a keynote at BSides London in June 2018. During his talk ‘State of the Net’, he addressed the common issue of securing computer systems used for financial payments. However, he was not talking about securing the servers and other components making up advanced payment systems. He was rather referring to the laptops and desktops used by employees who make the actual payments that keep your business running.

And… he makes a very valid point:
Don’t use the same computer that you use for things like Facebook, Twitter, Email and Instagram for your business’ online banking system. Rather use a designated and segregated computer to load and process your payments. This simple step will go a long way in ensuring that the computers used for payments remain secure.

Have a look at the talk here:



3_ Cyber Attacks In Real Life

UK company Hiscox has made a clever video illustrating how a cyber attack would look if it happened in real life.

They show three attack scenarios:
• IP Theft: Robbing companies of their ideas and inventions.
• Phishing: Fraudulently pretending to be someone else.
• Denial of Service: Flooding the target with traffic triggering a crash.

I think this is quite effective for creating awareness, especially among small businesses, without the usual FUD (Fear, Uncertainty and Doubt) used by lots of security vendors.

Have a look:

Jakkals – 2019_01_25

– InfoSec stories scavenged for you from across the internet –


Three stories this week (again):

  • DDoS-ing a Country (Guy who took Liberia offline is jailed)
  • Lazarus at the Waterhole (Company breached in nifty attack)
  • Incoming! (Hijacked camera sends false ‘Incoming Missile’ warning)


1_ DDoS-ing a Country

(Guy who used the Mirai botnet against Liberia gets jail time in the UK)

In 2016, researchers detected one of the largest publicly recorded Distributed Denial of Service (DDoS) attacks. The attack made use of hijacked webcams that formed part of the Mirai botnet and generated traffic of up to 500 Gbps. This traffic was directed at the internet infrastructure of the West African nation of Liberia. See the 2016 Threatpost article detailing the attack.

Fast forward three years and one Daniel Kaye has been sentenced to 32 months in the slammer for this DDoS attack. Turns out an employee of the Liberian telecoms company Cellcom (now rebranded as Orange Liberia) hired Mr Kaye to launch the attack on their competitor, Lonestar Cell MTN. Not only did it successfully disrupt Lonestar’s network, it also took down the entire country’s internet!

After the Liberian attacks, Mr Kaye attempted to take control of some of Deutsche Telekom’s routers for more attacks, but this ended up taking about 900,000 routers offline. A week later he again fumbled and inadvertently took down 100,000 UK based routers from three separate ISPs. In the end this was what got the fuzz to hunt him down.

Turns out your actions were not O-Kaye, Daniel.

Links:
https://www.zdnet.com/article/hacker-bestbuy-sentenced-to-prison-for-operating-mirai-ddos-botnet/
https://www.bbc.com/news/uk-46840461


2_ Finding Lazarus at the Watering Hole

(For a quirky video about an ‘actual’ watering hole, check this)

Attackers, allegedly linked to North Korea’s Lazarus group, have been fingered for an attack on a Chilean networking company. This company, Redbanc, is basically responsible for all of Chile’s ATM networks.

What makes this attack notable is the method in which Redbanc was compromised – a watering hole attack. Attackers put an advertisement up on LinkedIn, to which a Redbanc employee responded. This then led to a phony Skype interview with a Spanish speaking ‘recruiter’. During the ‘interview’ the employee was tricked into downloading what appeared to be an application form. The application form however turned out to be malware which subsequently infected his work computer.

Luckily the introduced malware was picked up by Redbanc before too much snooping could be done on their network…

Links:
https://nakedsecurity.sophos.com/2019/01/21/attackers-used-a-linkedin-job-ad-and-skype-call-to-breach-banks-defences/
https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/


3_ Incoming!

(Hijacked Nest camera sends false ‘Incoming Missile’ warnings)

Laura was cooking up a storm in her California kitchen, when the loud noise of an emergency broadcast interrupted the bubbling sounds from her simmering chicken broth:

You have three hours to evacuate! North Korea has launched a missile attack on the United States. Move!

Ok, she was probably not making a chicken broth, but you get the idea. Needless to say, panic ensued after the family heard the announcement, thinking it came from their television. It turned out that an attacker managed to hack into their internet connected (IoT) Nest Security Camera and play the fake alert. Luckily, sanity prevailed after an excruciating 30 minutes of trying to figure out which of your favorite cast iron frying pans to take along in the evacuation.

Reminds me of the saying: “The S in IoT stands for Security”.

Links:
https://www.csoonline.com/article/3335637/security/hijacked-nest-camera-blares-warning-about-north-korean-missiles-headed-to-us.html
https://nakedsecurity.sophos.com/2019/01/23/hijacked-nest-cam-broadcasts-bogus-warning-about-incoming-missiles/

Jakkals – 2019_01_20

– InfoSec stories scavenged for you from across the internet –


Three stories this week:

  • Hackwurst (The German Hack)
  • Un DoS Tres (Guy who dossed a Children’s Hospital sentenced)
  • Collection #1 (The Massive 773million record data breach)


1_ Hackwurst

(Hackwurst is a play on Bockwurst, which is what the Germans came up with to counter boerewors. You might also now be wondering what’s the difference between Bockwurst, Knockwurst and Bratwurst. The answer is waiting for you here: https://www.epicurious.com/archive/holidays/oktoberfest/germansausagesbruceaidells)

A 20-year-old German man managed to obtain and publish a bunch of personal information of, among others, the Chancellor of Germany, Angela Dorothea Merkel, as well as the German head of state.

If, at this point, you are confused that Merkel is not the German head of state, welcome to the party. Here’s a video of the inauguration of the German President, Frank-Walter Steinmeier: https://www.youtube.com/watch?v=6UsXzwke6OE.

But we digress…

The suspect, who still lives with his parents, claimed to have acted alone when police arrested him earlier this month. The reason for his actions was attributed to anger at “public statements made by politicians, journalists and public figures”. It is unclear how he obtained the leaked information, but it is said to include contact information, credit card details, banking and financial details as well as ID cards and private chats.

Links:
http://
https://


2_ Un DoS Tres

(Guy who dossed a Children’s Hospital sentenced)

First things first: If the title of this one made you think of the 1995 Ricky Martin song… here’s the music video for your pleasure: https://www.youtube.com/watch?v=vCEvCXuglqo (and the chap in this story’s name is Martin… Coincidence??)

In 2013, Martin Gottesfeld came to hear about the ‘medical’ child custody case of Justina Pelletier. She was being treated at Boston Children’s Hospital at the time. Taking her fight upon himself, Martin posted a video online claiming to be part of the Anonymous hacking group. He followed this by doxing personal information from people involved in her treatment and then launched a Distributed Denial of Service (DDoS) attack on the Boston Children’s Hospital. The DDoS knocked their internet facing systems offline for two weeks. Fearing arrest by the FBI, Martin and his wife bought a speedboat and fled for Cuba.

Unfortunately for the Gottesfelds, their boat broke down in rough seas and they were forced to send out a distress signal… only to be rescued by a Disney Cruise Liner of all things. In the end, he was arrested and sentenced to 10 years in prison for his efforts.

Links:

https://hotforsecurity.bitdefender.com/blog/the-ddos-attacker-rescued-by-a-disney-cruise-ship-is-sentenced-to-over-10-years-in-prison-20730.html
https://www.rollingstone.com/culture/culture-features/the-hacker-who-cared-too-much-196425


3_ Collection #1

(The massive 773million record data breach)

By this time, you would most probably have heard or read about this one, as it is widely reported on. But, before you start running down corridors screaming ‘the end is nigh!’, read this first.

This isn’t a new single breach. To quote Troy Hunt, who runs Have I Been Pwned: the leaked data set is “made up of many different individual data breaches from literally thousands of different sources.”

Brian Krebs also notes that this is old data and offers the following advice relating to the ‘breach’:

“If this Collection #1 has you spooked, changing your password(s) certainly can’t hurt — unless of course you’re in the habit of re-using passwords. Please don’t do that. As we can see from the offering above, your password is probably worth way more to you than it is to cybercriminals (in the case of Collection #1, just .000002 cents per password).”

Links:
http://
https://

DON’T CLICK THAT LINK (Unless it’s us)

Don’t do it!

A common piece of advice we often give to users is:

Do not click any links in unexpected emails.

Good advice. Let’s put it to the test:

The South African Revenue Service (SARS) brand is notorious for being used in Phishing attacks, trying to trick users into divulging banking or other personal information.

See some of the samples here: (Yes, I know it’s a link…) http://www.sars.gov.za/TargTaxCrime/Pages/Scams-and-Phishing.aspx?k=

SARS also shares warnings about things to look out for regarding phishing emails:

  • “Members of the public are randomly emailed with false “spoofed” emails made to look as if these emails were sent from SARS, but are in fact fraudulent emails aimed at enticing unsuspecting taxpayers to part with personal information such as bank account details.”
  • “Importantly, SARS will not send you any hyperlinks to other websites – even those of banks.”

Good advice. However, the following happened:

 

Is it a Phish?

Yesterday, I received an email message with the subject “Please rate your SARS experience”. Now, if you’re a law abiding citizen of the Republic, you’ll know that your online eFiling deadline was 31 October 2018. So emails like these could be expected, but could also be phishing:

In this instance, Gmail is kind enough to show us that the email did not originate from SARS, but came in via bounce.mkt2356[.]com:

South African Revenue Service (SARS) noreply@sars.gov.za via bounce.mkt2356.com 

And they are asking me to click on a link, which is bad. So let’s investigate further…

 

The Post Office

For this analogy, we’ll run with the idea that I have a letter that I’d like to send to the friendly people at Eskom to enquire about their power generating capability, as we are having Stage 2 load shedding today.

I decide to drop my well worded letter off at the big red metal post box at the Hatfield Post Office in Pretoria, South Africa.

Upon receiving my letter, the Post Office adds something called an email header to it. An email header keeps track of (among others) all those stamps added to your envelope as it travels past different post offices and mail sorting stations on its way to the friendly folks at Eskom.

 

Message IDs

One of the many fields contained in the email header is called the Message-ID. This field can help us in our quest to determine where the email originated from. This is in essence the name and serial number of the post box at Hatfield Post Office, as well as a uniquely created tracking number for my letter.

Our SARS email had the following Message-ID:

Message-ID: <1500063631.36076041543493254864.JavaMail.app@rbg13.atlis1>

Normally, you’d expect the portion after the “@” sign to denote a legitimate domain. For example, emails sent from Gmail will have something like this for a Message-ID:

Message-ID: <CAB-Uxrs+=TRDDCMHgtbGAwru+trd@mail.gmail.com>

However, in our case rbg13.atlis1 isn’t a valid domain, which is odd for an email received from SARS.

 

Received Fields

Next, let’s look at the “Received” fields. Every mail server that handles an email on its way to its destination adds one of these, so together they record the path the email travelled.

For our letter we sent to Eskom, the Received fields will look something like this (simplified, I know):

Received: by Hatfield Post Office from Some Guy; 29 Nov 2018 13:15

Received: by Tshwane Distribution Center  from Hatfield Post Office; 29 Nov 2018 16:00

Received: by Midrand Distribution Center from Tshwane Distribution Center; 30 Nov 2018 09:00

Received: by Midrand Post Office from Midrand Distribution Center; 30 Nov 2018 12:15

Received: by Eskom Offices from Midrand Post Office; 30 Nov 2018 16:15

In our case, the Received fields show the SARS email traveled the following path to my Gmail account:

1. mail6613.grapevine.mkt7212[.]com
2. mx.google.com

Yes, that shows a pretty short path. Basically one hop from the mkt7212[.]com server to Gmail’s server.
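The Message-ID and Received checks described above, as an added example (not code from the original post): it parses constructed headers modelled on the SARS survey mail (the hostnames are the ones quoted on the page; the IP addresses, ids, recipient and Return-Path are made up) plus a consistent Gmail-sent message for contrast, walks the Received chain in delivery order, and flags domains that do not sit under the From domain. A Message-ID host is often just the sending application’s internal hostname, so it is a weak signal on its own; the envelope-sender mismatch is roughly what Gmail surfaces as “via”.

```python
"""Added example, not code from the original post: walk the Received chain,
Message-ID and envelope sender of an email and flag domains that do not
match the From: domain, as done by hand for the SARS survey mail above."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the SARS survey mail. Hostnames are the ones
# quoted on the page; the IP, ids, recipient and Return-Path are made up.
SARS_SAMPLE = """\
Return-Path: <bounce-12345-67890@bounce.mkt2356.com>
Received: from mail6613.grapevine.mkt7212.com (mail6613.grapevine.mkt7212.com. [203.0.113.10])
        by mx.google.com with ESMTPS id fakeid123
        for <frik@example.com>; Thu, 29 Nov 2018 04:07:35 -0800 (PST)
From: "South African Revenue Service (SARS)" <noreply@sars.gov.za>
To: frik@example.com
Subject: Please rate your SARS experience
Message-ID: <1500063631.36076041543493254864.JavaMail.app@rbg13.atlis1>

Please click the Survey Link below.
"""

# Constructed contrast: a message really sent through Gmail, using the
# Message-ID shape the page shows for Gmail (IP and id are made up).
GMAIL_SAMPLE = """\
Return-Path: <friend@gmail.com>
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [203.0.113.20])
        by mx.google.com with SMTPS id fakeid789
        for <frik@example.com>; Thu, 29 Nov 2018 05:00:00 -0800 (PST)
From: Friend <friend@gmail.com>
To: frik@example.com
Subject: Braai on Saturday?
Message-ID: <CAB-Uxrs+=TRDDCMHgtbGAwru+trd@mail.gmail.com>

Bring wood.
"""

FROM_HOST_RE = re.compile(r"\bfrom\s+([A-Za-z0-9.-]+)")
BY_HOST_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")


def domain_of(addr):
    """Domain part of an address or angle-bracketed value ('' if none)."""
    addr = str(addr).strip().strip("<>")
    return addr.rsplit("@", 1)[1].lower().rstrip(".") if "@" in addr else ""


def belongs_to(host, domain):
    """True when host is the domain itself or lies under it."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return bool(domain) and (host == domain or host.endswith("." + domain))


def received_path(msg):
    """(from_host, by_host) hops in delivery order, earliest first.

    Each relay prepends its own Received: line, so the top header is the
    last hop; reversing gives the path the way the post lists it."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())  # undo header folding
        frm = FROM_HOST_RE.search(flat)
        by = BY_HOST_RE.search(flat)
        hops.append((frm.group(1) if frm else "?", by.group(1) if by else "?"))
    return list(reversed(hops))


def analyze_headers(raw):
    """Extract the fields the post inspects and list domain mismatches."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = domain_of(parseaddr(str(msg.get("From", "")))[1])
    message_id_host = domain_of(msg.get("Message-ID", ""))
    return_path_domain = domain_of(msg.get("Return-Path", ""))
    findings = []
    if not belongs_to(message_id_host, from_domain):
        findings.append(
            f"Message-ID host {message_id_host!r} is not under {from_domain!r} "
            "(weak signal: often just the sending app's internal hostname)")
    if return_path_domain and not belongs_to(return_path_domain, from_domain):
        findings.append(
            f"envelope sender domain {return_path_domain!r} differs from "
            f"{from_domain!r} (roughly what Gmail surfaces as 'via')")
    return {"from_domain": from_domain, "message_id_host": message_id_host,
            "return_path_domain": return_path_domain,
            "hops": received_path(msg), "findings": findings}


if __name__ == "__main__":
    for name, sample in (("SARS survey", SARS_SAMPLE), ("Gmail", GMAIL_SAMPLE)):
        report = analyze_headers(sample)
        print(f"== {name} ==")
        for i, (frm, by) in enumerate(report["hops"], 1):
            print(f"  hop {i}: {frm} -> {by}")
        for finding in report["findings"] or ["no domain mismatches"]:
            print("  *", finding)
```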

 

The Link

Next up is the link in the email (the reason I wrote this whole thing).

If you scroll up and look at the screenshot again, you’ll see that the email contains a “Survey Link” to click and complete.

This link in the email shows that it’s for:

http://links.mkt2356[.]com/servlet/MailView?ms=Masdfasdfasdf&r=Masdfasdfasdfj=MTasdfasdfasdfa&mt=1&rt=0

(I’ve changed the URL a bit as it’s most likely unique to each address the mail was sent to)

But mkt2356[.]com isn’t SARS. Let’s take a look at where you’ll end up if you click it:

So, clicking that link for http://links.mkt2356[.]com would actually get you to the legitimate SARS website https://tools.sars[.]gov.za/SatisfactionSurvey/Surveys/Index/32

However, to make things worse, mkt2356[.]com has a Certificate Name Mismatch error, which will cause lots of security products to warn you before visiting the site:

And here’s what it looks like when you eventually end at the actual SARS website:

So, it turns out that the MKTxxx domains are owned by IBM’s Watson Campaign Automation digital marketing solution.

So What??

Ok, so at this point you are asking the following: “Come on dude, it’s just SARS using a marketing company to send out emails with unique links so that they can track who actually clicks it after which it takes you to the actual SARS page so no need for all this screenshots and stuff so get off your horse and enjoy your load shedding.”

Well, my point is this:

This is not helpful.

We can’t be telling people “DON’T CLICK ON ANYTHING! JUST DON’T” and then send them crappy survey emails with links we want them to click. So the message becomes:

DON’T CLICK ON ANYTHING!*

*Unless we send you stuff via a third party, so then please go ahead and click it, even if it was set up crappy, don’t worry, it’s fine, trust us.

 

That my friend, is confusing.

Security Awareness – One Password To Rule ‘em All

This is part 2 of our look into the life of Frik and his daughter Marietjie. (Catch part 1 here)

During August 2018, Frik’s plumbing business went through a bit of a slump. Business was slow, the clients he had were increasingly difficult and drains didn’t clog as they used to.

In order to unclog Frik’s business (pardon the pun) Marietjie had an idea: “Why not up your social media presence?”

At this stage, Marietjie was the family social media expert: dishing out advice on creating WhatsApp stories, doing live video streaming via Facebook and even helping Gran with applying Snapchat stickers. Frik decided to give it a shot; after all, nothing to lose, right? Facebook, Instagram, Snapchat, WhatsApp, YouTube, you name it and Plumber Frik had a profile. Marietjie also convinced him to change his online profiles from ‘Plumber Frik’ to ‘Plombier Frik’.

“It will appeal to a more sophisticated clientele,” she said.

Pretty soon Plombier Frik was the most followed plumber on social media in all of the East Rand: doing live Facebook broadcasts while unclogging shower traps, creating how-to videos on setting your geyser thermostat and Instagramming before and after photos when replacing burst galvanized pipes. However, keeping track of all his social media profiles was a bit of a mission. Luckily, he had developed a nifty approach…

One password to rule them all, One password to find them, One password to bring them all, and in the darkness bind them.

Ok, to be honest, Frik has only watched the first half of the first LOTR movie (never mind having read the books). So this quote is a bit out of place for Frik, but please, humor me:

One fateful evening, Frik went through his list of social media accounts. One by one he changed each password to GeeVirFriknDruk007. (The equivalent of “Give Frik a Hug 007” for our English speaking listeners). Each account Frik changed was like a step closer to Mordor. The password started to burn him, he just had to use it again. And again. And again. By 1:30am that evening, Frik had changed everything, including his Gmail account password to GeeVirFriknDruk007.


“Lekker man, lekker” Frik said to himself.

As Frik’s social media following increased, so did the fan mail. Ladies from Prieska to Pretoria were sending him email, asking about his thick Afrikaans accent, where he grew up, what size wrench was his favorite and every now and again the odd question about re-enamelling old baths.

The fan mail started to take up a lot of Frik’s free time, but he wasn’t going to disappoint his newly acquired fan base. He still remembers the rejection he felt as a young man in 1996 when Neil Tovey didn’t respond to the letter he wrote him after Bafana Bafana’s African Cup of Nations victory. No, he’ll respond to each and every email. After a while, Frik established a nice rhythm. Monday to Thursday nights after dinner, he’ll settle into his favourite lazy chair in the living room, put on some sweet tunes from Albert Frost and respond.

Late one evening, just as Frik was wrapping up his last few fan mail responses, he received an email:

“Dear Frik,

We are importers of only the highest quality copper pipe bends.

For your perusal, we’ve attached our latest price list to this email.

Looking forward to doing business with you.

Kind regards,

Mr G Ollum.”

“Ah, this should be interesting,” Frik thought to himself. “I wonder if they’ll beat the prices of Frodo’s Plumbing Supplies around the corner?”

The email had a single attachment: ‘Price List.html’

Clicking on the attachment opened Internet Explorer, which then loaded a Google Docs page.

“Marietjie!” Frik yelled.

“Ja dad, what’s wrong?” she replied.

“What’s Google Docs?”

“It’s a thing from Google where you can create and edit documents in the cloud. Why?”

“A supplier sent me a price list on Google Docs. Is it safe?”

“Yes, don’t worry.”

“Ok, it’s asking me to log in or register.”

“Just use your Gmail account to log in”

After Frik enters his Gmail username and password, the page seems to load, but only comes back to a Gmail login page.

Frik tries again, this time the page loads and redirects back to Google.

“Marietjie, it’s not working!”

“Ok dad, can I check tomorrow?”

“Ja, ok” Frik closes his laptop and stands up from his lazy chair. As the closing theme of tonight’s NCIS: Los Angeles episode plays in the background, he meanders off to bed.

The next morning, just before the crack of dawn, a strange thing started to happen. While Frik was happily snoring away, his social media accounts underwent an evolution of sorts.

Instead of being all about plumbing, they were now showing pictures advertising Ray Ban sunglasses at 90% discount!


“Amazing!” Frik thought to himself later in the day as he stared at a pair of Ray Ban Aviators for only R199 shown on his Instagram page. There was one issue however: Frik could not log in to any of his accounts anymore. Nothing wanted to work: Facebook, Instagram, Pinterest and Twitter. That’s odd, he thought. Alas, let’s reset the passwords for the lot.

As he went through the “Forgot my Password” option on each website, he waited with great anticipation for the familiar “ding” his phone makes when a new email arrives. However, this time Frik was only met with deafening silence. As he opened the Gmail app on his phone, he was greeted with a login screen. “Odd,” he thought. Entering his username and password, however, changed “Odd” to “Oh no”. He could now not log into his email either.

What happened?

Frik got phished. Properly phished. The email that he thought he received from a supplier was in fact a phishing email: an email from an attacker pretending to be a supplier. This message was specially crafted to convince Frik to open the attached Price List.html file. Once opened, it loaded a fake Google Docs page instead of an actual price list. Again, this was just a ruse to trick him into entering his Google username and password. Once entered, his username and password were sent to the attacker without him realising.


Following a careful study of his email communications by the attacker, they were able to get access to his social media accounts. “How?” you might ask. Well, in this case they only had to use his email address and password, of course! Frik had the same username and password for each account. Basically the same key for every lock he had. As such, stealing one key provided access to all the locks.

 

Enter Two Factor Authentication (2FA)

Phishing is a problem, yes. However, two factor authentication (2FA) may have prevented this. 2FA is the tech that uses two ways of authenticating you when you sign on. Typically, this translates to you using a username and password combination to log in, as well as entering an additional passcode sent to your mobile phone.

Had this been enabled, the attacker wouldn’t have had the ability to log in to any of Frik’s accounts, even though they had his user name and password. This is because the 2FA passcodes would have been sent to his mobile phone, leaving the attacker high and dry.

“But how do I enable this magic?” I hear you ask. Below is a list of common platforms with their how-to guides on enabling 2FA:

And lastly, password reuse is bad. Don’t do it, just don’t. Use a password manager that allows you to securely store passwords for your accounts. This will enable you to generate secure, unique passwords for each place you log on. A good free one you can have a look at is LastPass.

Security Awareness – Meet Frik and Marietjie.

October is National Cyber Security Awareness Month (NCSAM). Although NCSAM is a United States initiative promoting cyber security awareness during the month of October, the rest of the world usually jumps on the bandwagon as well. So, it’s becoming more like International Cyber Security Awareness Month.

During the month of October, large volumes of (usually) very valuable information are published regarding information security awareness. This month, I shall join the fray with a couple of stories promoting Security Awareness. Let’s go.

 

Frik and Marietjie:

Meet Frik. Or rather, allow me to be more descriptive: meet Frik the plumber. Frik is your typical East Rand plumber. A good guy at heart, not too fond of technology, unless you’re referring to Showmax (but he’s starting to adapt). In the last couple of years, Frik’s business has grown tremendously and he has had to enlist the services of his eldest daughter, Marietjie, to assist with the admin side of things. Frik is able to do miracles with copper pipe, a shifting spanner and some soldering wire, but generating invoices and keeping track of payments isn’t his strong suit. This brings us to Marietjie, who has always been the tech savvy one in the family. Some of her friends would call her a tech guru, due to her being one of a select few in their close circle with the ability to type with two hands. She uses a newly bought desktop to generate invoices, pay Frik’s suppliers and verify electronic payments made by his clients.

Marietjie is however easily distracted, disappearing down Instagram rabbit holes for hours at a time. When it’s not Instagram, she keeps up with happenings on Facebook, Twitter & News24. Don’t forget the daily musings of her personal diary on Evernote. All of this is done from her Android phone.

At this stage, everyone is probably asking: Marietjie, did you install an antivirus application on the desktop?

Answer: “Oh cool, a new season of Grey’s Anatomy. Still can’t believe they let McDreamy die… Oh, you asked about antivirus. Yes of course, the thing came pre-installed with some antivirus thing. Don’t worry.”

Every now and again, Marietjie skims by an article on Twitter about some sort of hacker thing. “Hackers gonna hack” she ponders as she scrolls away. On Tuesday, midway between one of her regular afternoon Showmax binges, an email notification pops up on the desktop. With one eye on the computer screen and the other on the latest episode of Grey’s, she swiftly deduces it’s some supplier sending an invoice.

“A new invoice has been generated, please click <<here>> to view.” the email reads.

Click goes the mouse.

Marietjie pauses abruptly. “What just happened? What’s going on?? Meredith just said the patient’s tumor is inoperable, and now the red head army ginger guy is pushing him to the theater for emergency life saving surgery?“.

Meanwhile on the computer: “Error 500 – The page you are looking for cannot be displayed”.

That’s odd she thinks, I thought Meredith knew how to interpret brain scans? How could she make such a mistake?

F5 (refresh), still the invoice isn’t loading. She taps F5 a couple more times. “Well, if they really want us to pay, they need to sort out their system. Anyway, I’ll deal with it later.” Whilst Marietjie starts to meaninglessly scroll through Pinterest posts about dog blanket ideas for her new Yorkshire Terrier puppy, the desktop’s processor begins churning away.

The ‘broken’ link she so ferociously clicked on in the email wasn’t broken. It was purposely showing her a fake error message, whilst in the background executing a browser exploit. Basically, this malicious link she clicked, unknown to her, led to all sorts of nasty files being downloaded and executed on the system. This desktop Marietjie is using for invoicing, online banking and email communication with Frik’s clients is now infected with a Remote Access Trojan, a RAT. As a new episode of Grey’s starts, the RAT begins to secretly communicate back to its master via the internet. This includes daily updates of what Marietjie is doing on the computer, where she logs in and who she emails. It even takes screenshots of those Google searches for “does Yorkshire Terriers like perfume?” and “why did they call him Mc Dreamy?”.

But wait. Remember earlier when we asked Marietjie about antivirus and she so confidently replied between Mc Dreamy comments that it came with the computer? Taking a closer look reveals that there was indeed an antivirus application which came preinstalled with the desktop. What our dear Marietjie failed to notice was that this was only a 30-day trial. After the initial 30 days passed, the protection stopped working. In essence, her antivirus last protected the desktop while Mc Dreamy was still alive and in love with Meredith.

This brief look into Marietjie’s life highlighted two important concepts:

  1. Be careful of what you click on. Bad guys make use of email messages to trick you into compromising your security. This can be in the form of an attachment which masquerades as a document but in actual fact is packed full of bad things. Another method, as in Marietjie’s case, is a link included in an email message which, when clicked, goes to a bad website to download more bad stuff to your computer. There are a lot more sly tricks attackers may use to compromise your system, but these examples will do for now.
  2. Install and check up on your antivirus application. Remember: “if it ain’t running, it ain’t protectin’”. You get the point. It also needs to be regularly updated. Using an outdated antivirus is like a police officer looking for criminals in 2018 with a Most Wanted list from 1980.

#Cryptojacking – A ‘Not Too Technical’ Story

https://www.popularmechanics.com/culture/tv/a21899/nick-offerman-ron-swanson-woodworker/

Bitcoin, blockchain, bitcoin mining, mining bitcoin on the blockchain, using the blockchain to mine bitcoin in order to buy Ethereum so that you can in turn buy stuff on the dark web. Yeah, that doesn’t make a lot of sense. Now, add another word to the already confusing list of cryptocurrency terms: #Cryptojacking.

Side note: The term Cryptojacking is not to be confused with malware families like CryptoShuffler or ComboJack. These are geared towards stealing actual bitcoin.

Cryptojacking, however, is when a victim’s computing resources are hijacked and used to mine cryptocurrency. On a basic level, this means that an attacker uses the targeted computer’s processor and GPU to perform the intensive calculations that validate cryptocurrency transactions. The resulting reward (coins) from the mining then goes to the attacker.

Currently, there are two flavours of Cryptojacking:

  1. Via the browser. When a user visits a website that has a cryptomining script enabled, the processing power of the user’s computer is used, via the browser, to mine cryptocurrency. Mining scripts are often added to compromised websites, where mining takes place without a user’s knowledge or consent. The malicious mining ceases once the browser tab for the infected website is closed.
  2. Via malware infections. Cryptojacking malware running on an infected computer will allow for continuous mining. An example of this is the Powerghost miner.

Cryptojacking is in essence the digital equivalent of someone breaking into your tool shed at night and, instead of stealing your stuff, they use your tools:

Creating amazing wood furniture, those projects you see on Pinterest where a guy with a leather tool belt takes old wood pallets and creates the most amazing chest of drawers within 22 minutes, flat.

Is Cryptojacking an issue that deserves priority?

This is a legitimate question, seeing that ‘no one is getting hurt’.

Let’s continue with our tool shed analogy: You now suspect that someone is making use of your tools at night. Do you interrupt your hard-earned sleep and hold a stakeout to catch the bugger? Or should you rather focus on the real criminals that might actually steal your stuff?

Although our miscreant is bringing along his own upcycled pallets, he is still using your machinery. Say he does it once or twice a month; that ain’t bad, you think. But, unfortunately, he does not have the woodworking finesse of Nick Offerman, and for all you know, he’s doing it every night. Using your electricity, breaking your drill bits, leaving the wood glue bottle open, not to mention the wear and tear on your machinery. Some nights he even lets your mitre saw run for 8 hours straight, allowing it to overheat and damage the motor.

This guy is now pretty much spending 12 hours a night, 7 nights a week in your tool shed, which also gives him time to look around the yard. One night during a smoke break, he sees that kitchen window with the broken latch you’ve been meaning to fix for the last 4 Saturdays. Miscreant ponders to himself: “A cup of coffee would sure be nice…”

As you wake up the next morning, you realise that our miscreant was in your kitchen and used your last batch of Legado Guatemalan Finca El Rincon single origin coffee beans to create the smoothest of cappuccinos in your newly imported Italian Rocket Espresso machine.

As you sip on a stale cup of instant coffee (which you think to yourself tastes more like a cardboard box than pure exhilarating caffeine), you decide that this was the last straw… It is time for action. That afternoon, you swing by the local hardware store and buy a new window latch and a proper hardened steel padlock for the shed. “That’ll keep ‘em out,” you think to yourself as you lock the shed and smile at the newly fixed kitchen window latch.

The next morning, as you awake from a restful sleep, you stroll down to the kitchen, already planning an amazing breakfast for the missus (eggs benedict with a chili hollandaise sauce and streaky bacon).

“This is going to be the best…. WORST BREAKFAST EVER!!”.

It’s gone. Everything is gone. Your fridge with the eggs and streaky bacon, gone. Your vegetable rack with the fresh chilies, gone. Your Rocket Espresso machine… GONE. As the horror of what could only have happened during the night dawns upon you, your eye catches a glimpse of the open patch of lawn where your tool shed once stood. FREAKIN GONE. How the dangit did someone steal a tool shed and MY ENTIRE KITCHEN?

During the next few hours, as policemen walk up and down the yard looking for clues, it dawns upon you. The woodworking miscreant had other skills as well. He wasn’t only a Pinterest-level craftsman, but also a master thief (he was able to carry away your entire kitchen without you waking up), a pretty decent truck driver (reversing a flatbed truck down your driveway and lifting your tool shed takes some work) and a meticulous planner. During the past week of night-time craftsmanship, the miscreant cloned your house keys and your gate remotes. This allowed him to open the front gate with a remote, reverse the truck in and unlock the kitchen door after loading the shed.

Fairly dramatic, yes, but the take home remains:

Cryptojackers aren’t just a nuisance. In the recent case of the Rakhni Miner, upon successful infection, the malware decides whether to encrypt your data (ransomware) or to use your resources to mine cryptocurrency.

If there are Cryptojackers running around in your environment, it should be a red flag that there are definite weaknesses that need to be addressed.


For further reading on cryptojacking, have a look at the following articles:

Detecting Time Changes with L2T (Ain’t Nobody Got Time For That)

Every good blog post about time issues in forensics needs a theme song.

Today’s theme song is Ain’t nobody got time for that from the local band Rubber Duc:

Having a theme song, and more importantly, embedding the Youtube video for said theme song in your blog post, serves the following two purposes:

  1. It keeps the reader here for 3 minutes and 18 seconds (when viewing it embedded on this page), which will make me and my post analytics think that they actually spent time reading through the entire article.
  2. Gets a song stuck in the reader’s head, ideal for when you go back to writing that report you’ve been putting off all week.

Now that we got that out of the way, let’s get down to the business of the day:

Identifying Time changes in Windows Event Logs with L2t:

As you’d recall from my previous post, the aim of this series is to play around with quick things you can do at the beginning of an investigation, while, for example, waiting for processing to complete. Specifically, those ‘nice to know’ things that take only a couple of minutes to check…

Time changes on a system can make a simple investigation quite complex very quickly. A typical case is a user backdating the system clock before deleting or creating files.

The following steps should be enough to give you a quick view of user-initiated time changes on a system. Remember, this is only to get a high-level view, just enough to let you know you need to dig deeper.

Let’s start:

Step 1

First off, we start with processing only the Security and System event logs with Log2Timeline, followed by psort-ing it using the l2tcsv output format. The reason for having a look at the Security and System event logs is that Time change events are recorded in both. Often, the Security event log is quite busy, so chances are that historical events will get overwritten a lot quicker than those in the System event log. My current Security event log has 30,000 entries, with System only sitting at 10,000.

Step 2

Now that we have an output file (in my case SecSysEvt.l2t.csv) which contains the L2T output from the Security.evtx and System.evtx, we can start Grepping.

We’ll do this in two sections:

  1. Dealing with time change events in the Security Event log (this post).
  2. Dealing with time change events from the System event log (next post)

Security Event log

When a time change occurs on a Windows 7 or later system, Event ID 4616 fires. See more about this event at Ultimate Windows Security.

So let’s get grepping:

grep Security\.evtx SecSysEvt.l2t.csv

This gives us the events in our L2T output which came from our Security.evtx file (ignoring events from the System.evtx for now). In my case I have 27,884 Security.evtx events.

Next, we want to narrow it down to only Event ID 4616. The following should do the trick:

grep Security\.evtx SecSysEvt.l2t.csv | grep "EventID>4616"

After this, we clear out some unwanted 4616 events. In this case we are excluding events that were not caused by user action. Remember, we want to know if a user was messing around with the system time.

To accomplish this, we exclude events containing LOCAL SERVICE as well as S-1-5-18:

grep Security\.evtx SecSysEvt.l2t.csv | grep "EventID>4616" | grep -v "SubjectUserName\">LOCAL SERVICE\|S-1-5-18"

Our output is now ready for us to only extract the columns we want. To do this we make use of awk. First up, we output only the xml section of the L2T output:

grep Security\.evtx SecSysEvt.l2t.csv | grep "EventID>4616" | grep -v "SubjectUserName\">LOCAL SERVICE\|S-1-5-18" | awk -F"xml_string: " '{print $2}'

This gives us something like:

L2T xml Output

We now use awk to give us only the columns we are currently interested in. For this scenario, I’m only looking for the following columns:

  • Event ID
  • User SID responsible for the change
  • User profile name
  • Computer name
  • The process responsible for the change

grep Security\.evtx SecSysEvt.l2t.csv | grep "EventID>4616" | grep -v "SubjectUserName\">LOCAL SERVICE\|S-1-5-18" | awk -F"xml_string: " '{print $2}' | awk -F'[<,>]' '{print $9 "\t" $57 "\t" $61 "\t" $65 "\t" $85 }'

Using this, we get the following output:

Awk Columns

All that’s left now is some sorting and unique-ing:

grep Security\.evtx SecSysEvt.l2t.csv | grep "EventID>4616" | grep -v "SubjectUserName\">LOCAL SERVICE\|S-1-5-18" | awk -F"xml_string: " '{print $2}' | awk -F'[<,>]' '{print $9 "\t" $57 "\t" $61 "\t" $65 "\t" $85 }' | sort | uniq -c | sort -n -r

Output

This gives us the following:

For this event log, there were 8 time changes resulting from user actions: 6 by SystemSettingsAdminFlows.exe and 2 by dllhost.exe.

From what I can see on my Win10 test system, SystemSettingsAdminFlows.exe is responsible for making system time changes when a user uses the “Adjust Date\Time” option from the taskbar. I’m doing some more testing with regards to when dllhost.exe fires on Windows 10. So far I haven’t been able to replicate it…

Remember, this is just a pointer or a flag that gets raised to let you know that it might be useful to have a deeper look at time change events on a system.

Lastly, this grep should work on Windows 7 Security event logs as well (I haven’t tested it on Win8). I ran it on a couple of test Win7 systems, and it was good enough to show that a specific application installed by a user was making regular time adjustments across these systems.

Next time, we’ll look at time change events in the System event log.

Finding Failed Logon Attempts With Log2Timeline While You’re Searching For Your FTK Dongle

I have recently been thinking through ideas for some quick and dirty initial processes one can do at the start of an investigation.

This would typically be whilst you’re doing one of the following:

  1. Waiting on full disk (including VSS) log2timeline processing to complete.
  2. Waiting on Axiom to run the ‘build connections’ module because you forgot to enable the option prior to the initial processing phase.
  3. Waiting on EnCase 8.07 to finish processing, although it’s been sitting at 100% for the last 2 hours.
  4. Trying to figure out where you last saw your FTK dongle.

This brings us to a New Blog Series:

The aim of this post (and hopefully this series) is to play around with things you can do at the beginning of an investigation, while for example, waiting for processing to complete. Specifically things that could be of value to know at the beginning of an investigation.


And, that brings us to today’s post:

Finding failed logon events.

Identifying failed logon events in the Security event log of a system could mean a couple of things:

  1. Someone is attempting to brute force an account.
  2. <add a list of more possible reasons here>

The above extensive list provides good reason why it could be of value to have a quick squiz through a system’s Security Event logs for failed logon attempts.

As such, I wanted to know the following relating to failed logon events:

  • How many (if any) failed logon attempts were recorded in the system’s security event log.
  • Which accounts were attempted to log on with the most, as well as the logon types.
  • What were the top failed source IP addresses recorded.
  • What date(s) did the most failed logon attempts occur on.

Side note: The sample data I used for this post came from the image provided by Dave and Matt (The Forensic Lunch) as part of the MUS CTF. For more about the MUS CTF and the image, check here.

To answer these questions, here’s one quick and dirty way:

Step 1:

Process the Security event log with Log2Timeline (this took just over a minute to process 33,000 events from Security.evtx):

$ log2timeline.py mus.sec.evtx.l2t securityevt/

Log2Timeline Output


Step 2:

Run psort across the output using the l2tcsv format (this took 30 seconds to run):

$ psort.py -o l2tcsv -w mus.sec.evtx.csv mus.sec.evtx.l2t

Psort Output


Step 3: Grep & Awk

This is where the fun starts. Because the output from running log2timeline / psort on a Security event log is expected to have the same structure each time, the same commands should work. (I tested this with Security Event logs from Server 2012, Windows 7 and Windows 10 and it seems to work on all the different outputs.)

This may appear ugly, but it works.

Grep & Awk Output

Total Failed Logons: grep "EventID>4625" mus.sec.evtx.csv | wc -l

Top Failed Accounts: grep "EventID>4625" mus.sec.evtx.csv | awk -F"xml_string: " '{print $2}' | awk -F"TargetUserName\">" '{print $2}' | awk -F"<" '{print $1}' | sort | uniq -c | sort -n -r | head

Top Failed Logon Types: grep "EventID>4625" mus.sec.evtx.csv | awk -F"xml_string: " '{print $2}' | awk -F"LogonType\">" '{print $2}' | awk -F"<" '{print $1}' | sort | uniq -c | sort -n -r | head

Top Failed IP Address Origins:
grep "EventID>4625" mus.sec.evtx.csv | awk -F"xml_string: " '{print $2}' | awk -F"IpAddress\">" '{print $2}' | awk -F"<" '{print $1}' | sort | uniq -c | sort -n -r | head

Top Dates With Failed Logons: grep "EventID>4625" mus.sec.evtx.csv | awk -F"xml_string: " '{print $2}' | awk -F"TimeCreated SystemTime=\"" '{print $2}' | awk -F"T" '{print $1}' | sort | uniq -c | sort -n -r | head


And the end result:

Success.

We can now see that there were 612 failed Type 3 logon attempts, all on May 5th 2018. It also shows us that the Administrator account was the one most often attempted, as well as the top IP addresses the logon attempts came from.

All this in less than 5 minutes.
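The grep/awk pipelines in this post, and the Event ID 4616 pipeline in the previous one, pull fields out of the l2tcsv xml_string column by position, which breaks as soon as a field moves. As an added example (not code from these posts or from log2timeline), the following Python parses that XML properly and answers the same questions: 4616 changes by user and process with SYSTEM and LOCAL SERVICE excluded, and 4625 failures by account, logon type, source IP and date. The l2tcsv rows, their column layout and all values are constructed for the example; only the tail after "xml_string: " is parsed, and the XML namespace is the real Windows Event XML one.

```python
import xml.etree.ElementTree as ET
from collections import Counter
EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"  # Windows Event XML namespace

def row(event_id, when, computer, **data):
    # Constructed l2tcsv-style row: column layout simplified, only the trailing xml_string is parsed
    items = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    xml = (f'<Event xmlns="{EVT_NS}"><System><EventID>{event_id}</EventID>'
           f'<TimeCreated SystemTime="{when}"/><Computer>{computer}</Computer></System>'
           f'<EventData>{items}</EventData></Event>')
    return f"{when[:10]},{when[11:19]},UTC,M...,EVT,WinEVTX,-,-,{computer},-,-,2,Security.evtx,-,-,winevtx,xml_string: {xml}"

def events(lines):
    """Split each row on 'xml_string: ' (the page's awk -F separator) and flatten the <Event> into a dict."""
    for line in lines:
        _, found, xml = line.partition("xml_string: ")
        if not found:
            continue  # rows from other parsers carry no event XML
        ev = {}
        for node in ET.fromstring(xml.strip()).iter():
            tag = node.tag.split("}")[-1]  # drop the namespace prefix
            if tag == "Data" and node.get("Name"):
                ev[node.get("Name")] = node.text or ""  # <EventData> entries keyed by Name
            elif tag == "TimeCreated":
                ev["SystemTime"] = node.get("SystemTime", "")
            elif node.text and node.text.strip():
                ev[tag] = node.text  # <System> children such as EventID and Computer
        yield ev

def user_time_changes(lines):
    """Event 4616 by (SID, user, computer, process), dropping SYSTEM and LOCAL SERVICE as the page does."""
    tally = Counter()
    for ev in events(lines):
        if ev.get("EventID") != "4616":
            continue
        sid, user = ev.get("SubjectUserSid", ""), ev.get("SubjectUserName", "")
        if sid == "S-1-5-18" or user == "LOCAL SERVICE":
            continue
        tally[(sid, user, ev.get("Computer", ""), ev.get("ProcessName", ""))] += 1
    return tally

def failed_logons(lines):
    """Event 4625 tallied the four ways the page asks: target account, logon type, source IP, date."""
    users, types, ips, dates = Counter(), Counter(), Counter(), Counter()
    for ev in events(lines):
        if ev.get("EventID") != "4625":
            continue
        for counter, name in ((users, "TargetUserName"), (types, "LogonType"), (ips, "IpAddress")):
            counter[ev.get(name, "")] += 1
        dates[ev.get("SystemTime", "").split("T")[0]] += 1  # ISO timestamp, date is before the T
    return users, types, ips, dates

USER = dict(SubjectUserSid="S-1-5-21-1-2-3-1001", SubjectUserName="marietjie")
SAMPLE = [  # constructed rows, not real log2timeline output
    row(4616, "2018-05-05T08:00:00.000000Z", "WS01", SubjectUserSid="S-1-5-18", SubjectUserName="WS01$", ProcessName="C:\\Windows\\System32\\svchost.exe"),
    row(4616, "2018-05-05T08:00:01.000000Z", "WS01", SubjectUserSid="S-1-5-19", SubjectUserName="LOCAL SERVICE", ProcessName="C:\\Windows\\System32\\svchost.exe"),
    row(4616, "2018-05-05T09:10:00.000000Z", "WS01", ProcessName="C:\\Windows\\System32\\SystemSettingsAdminFlows.exe", **USER),
    row(4616, "2018-05-05T09:12:00.000000Z", "WS01", ProcessName="C:\\Windows\\System32\\SystemSettingsAdminFlows.exe", **USER),
    row(4616, "2018-05-06T07:00:00.000000Z", "WS01", ProcessName="C:\\Windows\\System32\\dllhost.exe", **USER),
    row(4625, "2018-05-05T10:00:00.000000Z", "WS01", TargetUserName="Administrator", LogonType="3", IpAddress="192.0.2.10"),
    row(4625, "2018-05-05T10:00:01.000000Z", "WS01", TargetUserName="Administrator", LogonType="3", IpAddress="192.0.2.10"),
    row(4625, "2018-05-06T03:00:00.000000Z", "WS01", TargetUserName="backup", LogonType="10", IpAddress="192.0.2.44"),
]
```

Call `user_time_changes(SAMPLE).most_common()` and `failed_logons(SAMPLE)` to get the same counts the sort | uniq -c pipelines produce, with a real psort l2tcsv file read line by line in place of SAMPLE.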