Monday, 25 January 2021

A DMZ Lie


 

Today I'm attempting to demystify a thought process around DMZs (Demilitarized Zones).  

A DMZ is extremely useful method for providing network security.  It can be utilized in a variety of ways and vary greatly in complexity.  The writing in this post assumes you have a basic understanding of what a DMZ is.

The mystery I would like to pull the curtain back on in this post is home routers and built in DMZ capabilities.

In a previous post "Why are guest networks important?" I highlight the benefit of having A guest network. 

So, what is the difference between a guest network and a DMZ (home router)?  The difference is actually huge.

When we think about DMZ the first image that may come to mind is that it is an isolated area that is protecting data, that only approved admins can access.  While this can be true, it can also be totally different.  That's the glory of a DMZ I can isolate assets and restrict access, or I can have a DMZ facing the internet and in that DMZ I have a webserver.  However I want to built out my infrastructure there is a DMZ combination that can be implemented.

DMZs are nice because they provide that additional layer of security.  They can be locked down and make the work of an attacker that much more difficult.

The problem with DMZ capabilities on home routers is that it is using a word that is associated with security, and then doing the opposite.

It is giving people false hope.

When I select DMZ on my home router (the process is very similar for most appliances).  What I am doing is allowing a machine on my network direct access to the internet.  Potentially, if not definitely, skipping your firewall entirely.

Some internet resources have said that you can put gaming systems in this kind of configuration.  The justification is that it makes things "faster." This is silliness.

Put your xbox behind your firewall. Come on now.

A problem with giving a machine direct access to the internet is that the internet has direct access to it as well!  It gets compromised and now your you entire network is visible.

What's a better Alternative?

 You want a secure home network? At the very least set up a guest network and have all guests connect via this network. This way you have created some isolation.  

You want remote access to an asset in your own network(non-guest)?  Set up some virtual router(s) (pfsense is a great solution).  Configure these so that you can access the asset.  This is a much better way to do it as it leverages the DMZ methodology appropriately

Thanks!



Reference:

[1] https://weakwifisolutions.com/is-dmz-safe/

[2] picture: https://www.addictivetips.com/windows-tips/public-network-dangerous/

Tuesday, 19 January 2021

NSE:banner

A useful technique in reconnaissance is grabbing banners.  There are a few ways to achieve this goal.  Most often you will gain all the information you will need from a simple nmap or even a quick netcat or even hping3.

Banners provide us with information about the port we are investigating.  Here are some additional ways to retrieve information about specific ports that are similar to banner grabbing.

(nmap -sS -sV -p# [ip])

(nc -vn [ip][port])

(hping3 -S -p# [ip] -I [interface name])


Above you can see that I am choosing port 22.  I have turned off the ping probe part of the nmap process and select the banner NSE script with (-sV --script=banner) 

Below you will see the command I used. 

 #nmap -Pn -p22 -sV --script=banner [IP]

 Next steps: investigate to see how old dropbear_2016.74 is

Reference:

[1] https://nmap.org/nsedoc/scripts/banner.html

[2] https://www.studytonight.com/network-programming-in-python/banner-grabbing

Monday, 18 January 2021

When is it OK? Profiling Within your Organization

Firstly, I want to state clearly that this article is meant to be a discussion point.  The topic of profiling can be touchy.  I want to talk about aspects of this topic and how I believe there is space within cyber-security for profiling.

Thanks.

The more I study about cyber-security the more it intrigues me and spurs me on to want to learn more.  Again and again I find that as a cyber-security professional one has to toe-the-line on what is "good" and "bad".  If I learn about a tool where it's predominant purpose is too steal credentials is it wrong to learn about such a tool?

No.

If I use that knowledge maliciously on a network I have crossed the line though.

Cyber tools, like a hammer, can be used for good or ill.

Profiling can be a tool for protecting your organization.

The dictionary defines "Profiling" as such:

"The recording and analysis of a person's psychological and behavioural characteristics, so as to assess or predict their capabilities in a certain sphere or to assist in identifying a particular subgroup of people."

As a society we are prone to use profiling in a negative way (racial profiling, gender profiling, etc.)  These are not acceptable. 

Let's look at the definition of profiling and pull it apart too see if there is any usable pieces as a security professional.

"analysis of psychological and behavrioural characteristics..."

Psychology would be how we handle the world around us.  When presented with a situation, what are we thinking and feeling at that moment?  Behavioural is our actions, when I have an experience I feel and think (psychology) and act on those feelings (behaviour).

I believe this to be a basic fact of humanity.  

This cause and effect relationship between feelings and acting plays out dramatically different between people.  How I respond to a news article about violence at the capitol may be drastically different then someone who grew up in an area where people sympathize with the rioters. 

and on

and on 

and on. 


...so as to assess or predict their capabilities in a certain sphere or to assist in identifying a particular subgroup of people."

To assess or predict capabilities in a certain sphere.  The sphere of reference that we are talking about today revolves around cyber-security and your organization.  

Is it possible to determine who within your organization is a higher risk for allowing unintentional security breaches?...so as to assess or predict their capabilities in a certain sphere or to assist in identifying a particular subgroup of people."

I believe yes.

For anyone who has spent any amount of time in IT you will know what I mean when I refer to repeat offenders (users).  Those users who seem to always be patient zero for new malware in your network environment.

After seeing malware over and over again I began to noticing behaviour trends/patterns in users.

Here are some things to watch for with users that can (not guaranteed) make them a higher risk for malware/security breaches:

1. Age:  Being of a certain age does not necessarily mean that you are going to be the target of attack.  However I have noticed that for folks who have not grown up under the shadow of ever present technology they tend to be pretty trusting and surprised when the Nigerian prince asking for money isn't real.  I'm not trying to be ageist, in fact I have experience a lot of younger people fall victim to phishing scams.  

It's at this point that I think people will be most up in arms.  I am not saying that being "old" or being "young" is bad, by no means.  All I am saying is that the people who want to attack your company are thinking this way.  It is prudent to at least consider the attacker mindset.

2. Position: Specifically people who are higher up the ladder tend to be a high risk because their access to critical assets is greater.  Hence why spear phishing an organization goes better if you can spoof the bosses email.

I have also seen "lower" positions be prone to attack.  Sometimes people in ground level roles are less invested in an organization....sometimes...not always.  Their position maybe temporary.  The nature of their role means that assets they interact with on a daily basis are potentially not mission critical.  Sometimes this scenario can lead to people letting their guard down.  "I'm not very high on the food chain here, what damage could I do?"

3. Technical Aptitude: I have had many users confess to me that they are bad with computers.  This in itself means that these users are a higher probability of compromise.

---------

Notice that gender and race didn't enter the list (Age/Position/Tech Aptitude).  In my experience these are not consistent recurring factors that increase a user's probability for compromise.

The only caveat to the previous statement would be spear-phishing.  Perhaps an attacker has done their research on me (LinkedIn/Facebook/etc.) They know my gender and race and craft a very specific email. Then there is an increase risk, however that is the exception not the norm.

I believe you can take those three topics I listed and come up with subgroups with specific behaviour traits.  I've seen it all.

---The young guy who has a higher power job, thinks he's untouchable, a little cocky, minimal tech skills.

---The middle aged father, middle of the pack role at a company, absolutely no tech skills/awareness

---The ready to retire, CEO, could care care less if he/she ever sees let alone uses a computer, "My assistant does that work".  "What's this new thing called Social Media"

So What Now?

Well, as a security professional knowing this is half the battle.  It isn't wrong to suspect that someone is a higher risk for compromise.  If you treat them with a lack of respect that would be wrong.  

Treat them like every other user and accept that you cannot not change them.  What you can do though, is mitigate risk.

With these folks the best, I mean the absolute best thing you can do (on top of using security best practices that are associated with their industry and your own security best practices) is EDUCATION.

Honestly if you have these high risk repeat offenders attend an education session on the dangers of Ransomware and you show them some real facts about how bad it is it can be enough to scare some folks in to being more vigilant.

Conduct practice sessions where people try and determine phishing scams from real product offers.

You can't make people change, but if you can at least get one high risk repeat offender to independently hover over that shiny link and choose not to click it you should consider that a victory

In summary:

It's ok to think in your mind that someone might be a higher security risk.  Don't treat them any differently then other users.  Educate them on the hazards of the cyber world and this simple act will make a world of a difference.


Thanks for reading

Andrew Campbell









Friday, 15 January 2021

NSE: fcrdns


Forward-confirmed reverse DNS lookup

"...is a networking parameter configuration in which a given IP address has both forward (name-to-address) and reverse (address-to-name) Domain Name System (DNS) entries that match each other"[2] 

 


Usage:

 #nmap -Pn -sn --script fcrdns <target>

In the command above we are skipping the ping(-Pn) and the port scanning(-sn) stages of the nmap scan.

Above we have two scans using fcrdns.

Both return the host name.  Scan two however would be an interesting one to probe further.  It starts with "ns....." which for some admins is a naming convention reserved for Name Servers.  Next step would be to check for zone transfers and see what "dig" comes up with


Reference:

[1] https://nmap.org/nsedoc/scripts/fcrdns.html

[2] https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS

Sunday, 10 January 2021

Significant Cyber Incidents Since 2006

 

Let me introduce you to the "Centre for Strategic and International Studies." 

On their website they describe themselves as such:

"The Center for Strategic and International Studies (CSIS) is a bipartisan, nonprofit policy research organization dedicated to advancing practical ideas to address the world’s greatest challenges."

It's an interesting group and I highly encourage you to check out the website located in references.

There is one section of their site that caught my eye that I will highlight today.

"Significant Cyber Incidents"  

CSIS "... records significant cyber incidents since 2006. We focus on cyber attacks on government agencies, defense and high tech companies, or economic crimes with losses of more than a million dollars." [1]

Their list is eye opening!  Content like this plays well into my thought process because I often ponder on the state of the cyber-world and the nation states that attack each other.  This site[CSIS] puts a little perspective on the situation.  

I do want to say that cyber-warfare is usually a two-way relationship.  CSIS highlights foreign (to America) efforts to circumvent American and other global assets, but I did not see any documentation around American efforts to circumvent foreign assets.  Obviously they will not list how America is attacking other countries in cyber-space.

The list goes on-and-on for 54 pages and is actually quite an interesting read.  The draw for me is realizing the kinds of things that were happening in history.  "What was I doing in 2012? Oh my goodness there was a massive data breach in July of that year"  that kind of thing. 

On the list search for this: SCADA

If you are not sure what SCADA is, here is a definition "Supervisory control and data acquisition is a control system architecture comprising computers, networked data communications and graphical user interfaces."

It's a dull definition, yes.  However the economic and political risks of this as a target for nations states is astronomical.

"September 2012. Chinese hackers infiltrated Telvent Canada, an industrial automation company, and stole data related to SCADA systems throughout North America"

Krebs on Security referenced the attack in his article in September 2012 [4].  He outlined the details really well.  I included this incident as an example of the plethora of SCADA attacks that have occured.

SCADA is our ability to automate infrastructure.  If this data were stolen, or compromised it would allow an attacker to do massive amounts of damage.  You dream it and it can be done.

Maybe reading lists like this is making me more paranoid.  I don't know if I care.  

Cyber-space is massive and there is so much happening all the time that we are not aware of.

CSIS is one resource for you stay on top of the cyber-relations of our world.

 

Stay tuned, I am working on an article geared towards the security risks specifically pointing at critical infrastructure.

 

Thanks,

Andrew Campbell

 

 

 

Reference:

[1] https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents

[2] https://csis-website-prod.s3.amazonaws.com/s3fs-public/201218_Significant_Cyber_Events.pdf

[3] https://csis-website-prod.s3.amazonaws.com/s3fs-public/201222_Chinese_Espionage.pdf 

[4] https://krebsonsecurity.com/tag/telvent-canada-ltd/

Sunday, 3 January 2021

NSE: ftp-anon

 We all know that poor security for an FTP server would be to allow the anonymous/anonymous credentials to hang around. That being said, it is conceivable that an admin may specifically have chosen this condition and there are measures in place to prohibit lateral movement.

When doing a pentest there are a number of ways to check the FTP service of a target.  A quick port scan, a poke with netcat can tell you some valuable information.

Let's look at NSE and do some recon.




 Above is a successful running of the NSE script ftp-anon.  

It is run with: #nmap -sV -sC [target ip] -p21 

We are using versioning switch (-sV) and scripting switch (-sC)

Important to note that if the server allows anonymous logins it will also tell us the writable files of the root directory.

Let's take a look at a machine with an open port and FTP service running on it.


 Look at what happens between the first (netcat) and the third(NSE) scan.  Netcat returns with an "open" state.  If one were to do a regular nmap scan of this machine at this point it would return with an "open" state as well.  When reviewing the third scan with NSE it actually comes back with "filtered."  This tells us that the FTP service does not have anonymous/anonymous set.

This information gives you some valuable information for your pentest.  In the second image we know that the target is using marginally more security at least by having some sort of authentication in place.

Next steps would be capitalizing on some social engineering and brute forcing the password. ;)

Make sure you have been given permission to perform pentests. 

 

Reference:

[1] https://nmap.org/nsedoc/scripts/ftp-anon.html