Showing posts with label security hardware. Show all posts

Tuesday, 25 November 2014

Effectively testing APT defences

There is a need to test products that claim to detect and protect against advanced threats.

When incredible claims are made by security products so should we make strong efforts to challenge and possibly validate these claims.

Over the past year and a half I have discussed testing with a range of vendors, testers and potential customers of such products. These discussions have varied from very positive to extremely defensive and illogical on the part of some vendors.

To put it this way, we have some anti-APT kit in the lab ready for such a test, but equipment from one or two important vendors is elusive, to say the least.

Such testing has also been a regular point of debate at the Anti-Malware Testing Standards Organization, of which I am currently the Chair, and so two AMTSO colleagues (Richard Ford, Florida Institute of Technology and Gabor Szappanos, Sophos) joined me to write a paper called Effectively testing APT defences.

Gabor and I presented this at the AVAR 2014 conference in Sydney, on the 12th - 14th November 2014.

The paper examines some of the problems that surround testing such technologies (real and merely perceived) and questions the definition of the term "APT" in a constructive way. It also walks the reader through an example of a targeted attack and notes where certain types of testing would be deficient when using such an attack as a test case.

In the presentation, but not the paper, I also demonstrated how a 'baseline' set of tests, using unmodified Metasploit-based attacks, made mincemeat of some well-known anti-malware products. One enterprise solution stopped four out of 25 threats. We were able to obtain reverse shells in 21 cases and, just as an experiment, migrated into the anti-malware agent's own process.

This basic test demonstrated that a range of tools, tactics and techniques could be used to test different levels of protection from actors ranging from 'zero' (almost no skill/resources) to 'Neo' (effectively unlimited skills/resources).

Not every tester is capable of 'Neo' testing, and some may not wish to conduct 'zero' testing, but as long as the report explains what approaches were taken and why, it's hard to see why an anti-APT vendor would object to tests that could be considered "too easy."

While the paper does not provide a single, ultimate methodology for anti-APT testing, I believe that the document does outline some valid approaches, none of which is "do not test!"

Thursday, 14 March 2013

Secure your home network for £10

This wireless broadband router cost less than a tenner.

If you want to share your internet connection safely, separating guests' computers from your own, here's a very simple and cheap way to do it.

Essentially it involves adding a second router to your existing network and using that to create two networks - a guest zone and a private zone. Both provide wired and wireless internet connections, but guests are unable to connect to the private PCs, tablets or whatever.

I've found it increasingly common for friends and visiting family to ask to use my wireless broadband - as if it's an essential resource such as running water or access to a toilet.

While wanting to accommodate their needs, I don't want to expose my home network to the security issues that come when allowing connections from other people's systems.

These computers could be infected with malware, which in turn could capture network traffic, attempt to spread malware to other systems on the network and so on.

One answer is to create a second, secure network that only you will use. Everyone else will be restricted to a 'guest' network that is locked away from your own systems but that provides wired and wireless internet access.

Here's how you can do this for around £10.

Essentially what we're going to do is create a classic DMZ using two firewalls. Each firewall will also have its own wireless network. Those systems connecting to the 'outer' firewall can only see each other and the internet. Those connecting to the 'inner' firewall are invisible to those on the outer one.

Thus we have a guest network running on the outer firewall and an extra-secure network running on the inner one. For a basic diagram that 'explains' this idea, see far below.

In addition to your existing network you will need:

1. A wireless broadband router.
2. An Ethernet cable.

I recently picked up a new Dynamode broadband cable router for less than £9 from Amazon.co.uk.

Ensure that your new router is *not* an ADSL model. You want the internet (WAN) port to be an RJ45 Ethernet socket and not the RJ11 type that you find on ADSL modems and routers.

Before you start, check the following details from your existing systems and router:

1. What is the router's (gateway) IP address? (e.g. 192.168.1.1)
2. What is the netmask? (e.g. 255.255.255.0)
3. What are the DNS settings? (e.g. 8.8.8.8 and 8.8.4.4)
4. If you use DHCP, what is the range of addresses in the pool? (e.g. 192.168.1.2 - 254)

Decide what IP address you want to allocate to your second, private network. Let's say we'll use 192.168.1.200. You should remove this address from the DHCP pool or face potential (but unlikely) problems later.

Allow your existing broadband router (cable or ADSL) to run as usual, leaving the wireless network active. However, unplug all computers, switches and other devices from the router. We'll call this router the 'original' router.

Turn on the 'new' router and connect its WAN port to any one of the available Ethernet ports on the original router. Plug a computer into the new router using an Ethernet cable and configure it, turning on and securing the wireless network. You'll want to check the following, at least:

1. Check the router's LAN IP address. It should be in a different range to that of your original router.

(e.g. if your original router's IP address is 192.168.1.1 you could set your new router to use 192.168.0.1. Then your secure network will use the 192.168.0.x range, while your guest network will use the 192.168.1.x range. It's important that they use different ranges to each other.)

2. Change the default password. Use a strong password.

3. Disable remote management, if enabled by default. This is optional but recommended.

4. Set the WAN IP address to be 'static' and use the value you excluded from the DHCP pool earlier (e.g. 192.168.1.200).

5. Set the ISP address to match your original router's IP address (e.g. 192.168.1.1).

6. Set the DNS settings either to the IP address of the original router (e.g. 192.168.1.1) or just re-use the ones you discovered above (e.g. 8.8.8.8 and 8.8.4.4).

7. Enable the wireless network and use a strong password. Ensure that the SSID is different to the one you are using on the guest network.

8. Check that the firewall is enabled.

Additionally you'll probably want to enable DHCP on your new router.
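Before touching the routers it is worth checking that the addressing plan is self-consistent, because most of the things that go wrong with this setup (guests reaching the private LAN, the inner router's WAN address being handed out by DHCP) come from the numbers rather than the cabling. The following script is an added example, not part of the original post and not vendor code: it encodes the rules from the eight steps above (different ranges, static WAN address inside the guest range but outside its DHCP pool, inner router's ISP/gateway equal to the original router, distinct SSIDs). The addresses in GOOD_PLAN are the ones used in the post, with the DHCP pool trimmed to stop at .199 so that .200 is excluded; the SSIDs and dictionary key names are my own.

```python
"""Consistency check for the two-router (guest/private) addressing plan.

Added example; not code from the post or from any router vendor. Field names
in the plan dictionary are assumptions for this script only.
"""
import ipaddress


def _net(gateway, netmask):
    # strict=False lets us pass a host address plus a dotted netmask
    return ipaddress.ip_network(f"{gateway}/{netmask}", strict=False)


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    guest_net = _net(plan["guest_gateway"], plan["guest_netmask"])
    private_net = _net(plan["private_gateway"], plan["private_netmask"])
    guest_gw = ipaddress.ip_address(plan["guest_gateway"])
    wan_ip = ipaddress.ip_address(plan["new_router_wan_ip"])
    pool_lo, pool_hi = (ipaddress.ip_address(a) for a in plan["guest_dhcp_pool"])

    # Step 1: the two LANs must use different ranges.
    if guest_net.overlaps(private_net):
        problems.append(f"guest range {guest_net} overlaps private range {private_net}")
    for name, net in (("guest", guest_net), ("private", private_net)):
        if not net.is_private:
            problems.append(f"{name} range {net} is not an RFC 1918 private range")

    # Step 4: the static WAN address sits in the guest range, outside the
    # DHCP pool, and is not the original router's own address.
    if wan_ip not in guest_net:
        problems.append(f"new router WAN address {wan_ip} is not in guest range {guest_net}")
    elif wan_ip == guest_gw:
        problems.append("new router WAN address clashes with the original router")
    if pool_lo <= wan_ip <= pool_hi:
        problems.append(f"new router WAN address {wan_ip} lies inside the DHCP pool {pool_lo}-{pool_hi}")

    # Step 5: the inner router's upstream gateway is the original router.
    if ipaddress.ip_address(plan["new_router_isp_gateway"]) != guest_gw:
        problems.append("new router's ISP/gateway address must be the original router's address")

    # Step 6: DNS is resolved from the WAN side, so a private-zone address cannot work.
    for dns in plan["dns_servers"]:
        if ipaddress.ip_address(dns) in private_net:
            problems.append(f"DNS server {dns} is inside the private range and unreachable from the guest side")

    # Step 7: the two wireless networks need different SSIDs.
    if plan["guest_ssid"] == plan["private_ssid"]:
        problems.append("guest and private SSIDs must differ")
    return problems


# Values from the post; SSIDs constructed for the example.
GOOD_PLAN = {
    "guest_gateway": "192.168.1.1", "guest_netmask": "255.255.255.0",
    "guest_dhcp_pool": ("192.168.1.2", "192.168.1.199"),
    "private_gateway": "192.168.0.1", "private_netmask": "255.255.255.0",
    "new_router_wan_ip": "192.168.1.200",
    "new_router_isp_gateway": "192.168.1.1",
    "dns_servers": ["8.8.8.8", "8.8.4.4"],
    "guest_ssid": "home-guest", "private_ssid": "home-private",
}

if __name__ == "__main__":
    print(check_plan(GOOD_PLAN) or "plan OK")
    # A plan that forgets step 1 and step 4 at the same time:
    bad = dict(GOOD_PLAN, private_gateway="192.168.1.1", new_router_wan_ip="192.168.1.50")
    for problem in check_plan(bad):
        print("problem:", problem)
```

Run it with your own numbers substituted into GOOD_PLAN; any line it prints corresponds to one of the numbered steps above that still needs attention.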

You should now have something that, conceptually at least, looks like this (yes, the internet looks like a small cloud with an 'i' on it):

The guest network is above the red line. Its systems cannot connect to anything in the 'private' zone beneath the red line.

What that basic diagram is trying to show is that the guest systems can access the internet freely but cannot connect to the systems in the private network, which is below the red line. Systems on the private network can connect to anything that they like.

If you really want to treat your guests you could provide a networked printer. This would have to go onto the guest network. Your private systems would still be able to use it, though.

In this example we've protected an internet-connected Personal Video Recorder (PVR) on the private network. It's only a matter of time before these types of devices are targeted by attackers. And I for one could not tolerate my telly viewing being interrupted.

Wednesday, 16 November 2011

Jail breakers open cells via internet

Researchers have found a way to open prison doors remotely from the internet.

The discovery came hot on the heels of a strange event one Christmas Eve, when all of the doors to a US prison's death row cells opened, apparently on their own.

An investigation into this potentially disastrous event found that the problem was due to an electrical fault. However, further checks revealed that the door locks could be tripped on purpose. Furthermore, while prison locking systems are not supposed to have any internet connectivity, in practice this seems not to be the case.

Sean McGurk, formerly of the US Department of Homeland Security, claims that when he inspected over 400 prison facilities, "in no case did we ever not find connections. They were always there."

The discovery that prison door locks can be hacked over the internet was made by ex-CIA officer John Strauchs. He claims that maximum security prisons use programmable logic controllers (PLCs) to automate door locking and unlocking. PLCs were hacked in the infamous Stuxnet attack on Iranian nuclear facilities.

The Stuxnet worm was able to reprogram the systems controlling the centrifuges used to enrich uranium. It did so in a way that would damage the equipment and, therefore, slow down the Iranian nuclear programme. Strauchs took a similar approach in his research and has demonstrated an internet attack on prison doors. From his description, it seems that he used a rootkit-type approach.

"You could open every cell door, and the system would be telling the control room they are all closed," he told The Washington Times.

In an interview with VentureBeat he also proposed another, possibly more sinister scenario than a mass jailbreak. He imagined the possibilities of an assassination in which, "if you are a [gang member], you prevent a door from opening, and you start a prison fire."

Strauchs presented his findings at the Halted Hacker conference in Miami on 26th October 2011.

Monday, 31 October 2011

Cash machine (ATM) cracking

A weakness in the way ATMs verify customers' personal ID numbers means that a corrupt bank worker could steal over £2m in one lunch hour.

In a paper entitled Decimalisation table attacks for PIN cracking, Mike Bond and Piotr Zielinski note that there is a vulnerability in the way offline ATMs verify PINs. This vulnerability allows an attacker to successfully guess a PIN in 24 or even 15 attempts.

The paper, which was published in 2003, suggests that the long term solution is to protect or remove decimalisation tables. A much more recent paper demonstrates the attack, while also including nice examples using the classic 70s game Mastermind.
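To make the role of the decimalisation table concrete, here is an added example (not code from the paper or from any bank): a miniature version of the IBM 3624 offset scheme that Bond and Zielinski's paper analyses, as I understand it. The PAN is encrypted under a PIN derivation key, the hex result is read through the decimalisation table to produce a 'natural' PIN, and the customer's offset is added digit by digit. The encryption step is replaced by SHA-256 purely so the example runs without a DES library; the PAN, key and offset are constructed values. The weakness is an API that verifies a PIN using whatever table the caller supplies; the 'guarded' version pins the table, which is the mitigation the paper suggests.

```python
"""PIN verification with a decimalisation table, with and without the guard.

Added example, not code from the paper. The scheme is the IBM 3624 offset
method as I summarise it; the cipher is a SHA-256 stand-in for DES so that
the example runs anywhere.
"""
import hashlib

# Standard table: hex digit 0-F -> decimal digit 0-9,0-5.
STANDARD_DECTAB = "0123456789012345"


def _pin_block(pan, pdk):
    """Stand-in for DES(pdk, PAN) returning 16 hex digits. Constructed, not the real primitive."""
    return hashlib.sha256(pdk + pan.encode()).hexdigest()[:16].upper()


def decimalise(hex_digits, dectab):
    """Map each hex digit through the table."""
    return "".join(dectab[int(h, 16)] for h in hex_digits)


def natural_pin(pan, pdk, dectab=STANDARD_DECTAB, length=4):
    """The 'natural' PIN derived from the card number and the secret key."""
    return decimalise(_pin_block(pan, pdk), dectab)[:length]


def customer_pin(pan, pdk, offset, dectab=STANDARD_DECTAB):
    """Natural PIN plus the customer's offset, digit by digit modulo 10."""
    nat = natural_pin(pan, pdk, dectab, len(offset))
    return "".join(str((int(n) + int(o)) % 10) for n, o in zip(nat, offset))


def verify_unguarded(pan, pdk, offset, trial_pin, dectab):
    """Verification API that trusts whatever table the caller passes in.

    This is the shape of interface the paper attacks: because the table is a
    caller-supplied parameter, the yes/no answer depends on it.
    """
    return customer_pin(pan, pdk, offset, dectab) == trial_pin


def table_is_accepted(dectab):
    """Policy check: only the configured table may be used."""
    return dectab == STANDARD_DECTAB


def verify_guarded(pan, pdk, offset, trial_pin, dectab):
    """Same check, but the table is pinned to the configured value."""
    if not table_is_accepted(dectab):
        raise ValueError("non-standard decimalisation table rejected")
    return verify_unguarded(pan, pdk, offset, trial_pin, dectab)


if __name__ == "__main__":
    pan, pdk, offset = "4000123412341234", b"constructed-example-key", "0000"
    pin = customer_pin(pan, pdk, offset)
    print("correct PIN accepted:", verify_guarded(pan, pdk, offset, pin, STANDARD_DECTAB))
    print("tampered table accepted by policy:", table_is_accepted(STANDARD_DECTAB[:15] + "6"))
```

In a real deployment the table would live inside the hardware security module alongside the key, and the host API would not carry a table parameter at all; the guard above is the minimal software equivalent.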

Friday, 28 October 2011

Online banking security: Good for you or your bank?

When banks implement new online banking security measures they have a problem.

They have to persuade customers that the often inconvenient new ways of accessing their accounts are actually for their own benefit. They do that by claiming that the new ways of doing things make your money safer, which is surely for your own good.

First let's look at chip authentication programmes, one of which is Barclays Bank's PINsentry (from 2007). Another is Nationwide's Card Reader (from 2008).

If you have an account with either of these banks you'll receive a device that looks a little bit like the reader you see in high street retail outlets. You put your card into the slot, type your PIN and the transaction is authenticated.

This makes complete sense when paying for goods in a supermarket because, with the best will in the world, the average till operator is not really qualified to compare your signature on a receipt with the one on the card, as used to happen in the 'old days'.

However, when banking customers have to use these devices to access their online bank account from home, it becomes an inconvenience. Instead of just booting up the laptop, you need to find your card and your reader. If you are travelling then you're probably going to be unable to access your account at all. 

But surely, if these readers make your money safer, they are a good thing? Firstly, your money is safe, in that the bank has to refund you any losses made (as long as you've not been really careless with your banking details).

Secondly, throwing extra levels of technology at the problem does not necessarily make it safer. Let's take the example of a regular traveller. They will have to take their card reader with them if they want to access their accounts online. So what's to stop a mugger grabbing this device, along with the wallet and laptop?

Card readers can even be used by muggers to prove if a victim is lying about their PIN, which is convenient for the bad guy but not so great for the bank's unfortunate customer.

Things get even darker, though, when we look deeper into the security provided by these card readers. There are weaknesses in the protocol that they use. There is a fascinating paper on the subject by Saar Drimer, Steven J. Murdoch, and Ross Anderson. It is available from The University of Cambridge's website.

Just to lighten the mood, when Barclays launched PINsentry I was asked to participate in a promotional video. To be clear, I received no payment for this and I even pointed out the problems with using card readers at the time. I can't imagine why they did not include my points in the advert below...


Thursday, 27 October 2011

Anti-virus myths busted

Last week I gave the début presentation of my anti-virus myths talk at the London International Technology Show.

A few people have asked for access to the basic information that I used, so here it is. The talk lasted for around 40 minutes so this really is a bare-bones summary.

Myth #1: Anti-virus protects 100%
Real-world protection tests by Dennis Technology Labs (DTL) and other testers show that even well-known brands of security software can be compromised by malware.

Myth #2: Anti-virus slows PCs
In performance tests conducted by DTL, most popular anti-virus software makes virtually no impact on general system performance.
However, system startup (boot) times can be affected, as can shutdown times. These are important because they are very noticeable by users.

Myth #3: I don’t need it (I’ve never been infected)
Current threats tend not to make themselves known to the casual observer. Rootkits make it hard, even for experts.

Myth #4: Viruses stay in the bad bits of the internet
While some areas of the internet are riskier than others, legitimate sites can be infected. We demonstrated a real, legitimate site infecting our test PC.

Myth #5: Protection costs a lot
Free products are OK, while commercial products often come with multiple licenses.

Myth #6: Avoid Internet Explorer
All popular browsers have security holes. Internet Explorer has fewer known issues than Opera and Firefox. Chrome and Safari are not immune*.

Myth #7: My ISP will save me
There is no business reason why it would, without raising subscription costs. We covered various options to reduce exposure to threats, including ISP-like techniques such as using special DNS services.

Myth #8: Salvation is a Mac, Linux or Android
Attackers go for popular systems. As Mac and Android users become more prevalent so will the threats to those systems. There are more known sets of vulnerabilities for OS X and Linux than there are for Windows*.

The following video clip was taken by one of the audience. Special thanks to PDTalkinTech for providing the photos and this video footage from part of the presentation:

* Data on software vulnerabilities was provided by Secunia.

Friday, 30 September 2011

Break phone encryption by watching its power consumption

It is possible to obtain secret keys to hardware-aided encryption by monitoring the power consumption of the device. The attack is called Differential Power Analysis (DPA).

A security firm called Cryptography Research has just licensed its anti-DPA technology to an as-yet undisclosed mobile phone manufacturer. The company's website hosts an interesting video that demonstrates the principles behind the type of attack that it claims to protect against. This video does not require you to be a cryptography expert to understand the basic idea.

To go straight to the relevant part visit the link above and then click on the menu item labelled 'Technology' and then 'DPA Process'.

The countermeasures include reducing the signal (so that changes are less obvious); using randomness; and a range of other less-easily understood (by me) methods.
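The 'using randomness' countermeasure is easier to see than to read about. The following is an added example, not Cryptography Research's code or their demonstration: it uses the textbook Hamming-weight leakage model (a power sample is roughly the number of 1 bits in the value being handled, plus noise) to compare a device that processes a secret byte directly with one that processes a masked share of it. Both the model and the noise level are assumptions made for the illustration.

```python
"""Why a random mask hides a secret's power signature.

Added example; not code from Cryptography Research. Leakage is simulated with
the Hamming-weight model, which is an assumption of the example.
"""
import random


def hamming_weight(x):
    return bin(x & 0xFF).count("1")


def unmasked_leak(secret, trials, noise=0.5, rng=None):
    """Simulated power samples when the device handles `secret` directly."""
    rng = rng or random.Random(0)
    return [hamming_weight(secret) + rng.gauss(0, noise) for _ in range(trials)]


def masked_leak(secret, trials, noise=0.5, rng=None):
    """Simulated samples when the device handles the share secret ^ r for a fresh random r.

    The other share, r, is handled at a different moment. Each share on its
    own is uniformly distributed and carries no information about `secret`.
    """
    rng = rng or random.Random(0)
    out = []
    for _ in range(trials):
        r = rng.randrange(256)
        out.append(hamming_weight(secret ^ r) + rng.gauss(0, noise))
    return out


def mean(xs):
    return sum(xs) / len(xs)


def exact_masked_mean(secret):
    """Noise-free mean of HW(secret ^ r) over every possible mask r.

    Because secret ^ r runs through all 256 byte values as r does, the mean is
    4.0 whatever the secret is: averaging traces cannot tell secrets apart.
    """
    return sum(hamming_weight(secret ^ r) for r in range(256)) / 256


def leakage_spread(leak_fn, secrets=(0x00, 0x0F, 0x5A, 0xFF), trials=2000):
    """How far apart the average sample is for different secrets.

    A large spread means averaged traces distinguish secrets, which is the
    signal a DPA attack relies on; a spread near zero means averaging shows nothing.
    """
    means = [mean(leak_fn(s, trials, rng=random.Random(s))) for s in secrets]
    return max(means) - min(means)


if __name__ == "__main__":
    print("spread of averages without masking:", round(leakage_spread(unmasked_leak), 3))
    print("spread of averages with masking:   ", round(leakage_spread(masked_leak), 3))
```

The caveat a practitioner would want: a single-share mask of this kind defeats first-order analysis only. Samples taken when the two shares are handled can still be combined, so real products pair masking with the 'reducing the signal' measures mentioned above and with higher-order masking.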

Tuesday, 5 May 2009

Low-cost remote snooping with laser pens

It's the kind of gadget you'd expect to see in a movie featuring James Bond, Ethan Hunt (Mission Impossible) or the men from The Man From U.N.C.L.E. Researchers have built a miniature laser microphone using parts costing less than $80. This device can be used to 'read' the keys pressed on a personal computer 50-100m away.

The laser pen, developed by Inverse Path, has been used in a demonstration to show how it can detect keystrokes made by a PS/2 keyboard that is plugged into a PC.

According to Cnet, which was covering the CanSecWest security conference last month, "Chief Security Engineer Andrea Barisani and hardware hacker Daniele Bianco used a handmade laser microphone device and a photo diode to measure the vibrations, software for analyzing the spectrograms of frequencies from different keystrokes, as well as technology to apply the data to a dictionary to try to guess the words. They used a technique called dynamic time warping that's typically used for speech recognition applications, to measure the similarity of signals."
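The dynamic time warping technique mentioned in the quote is a general signal-comparison algorithm, and it is worth seeing why it was chosen over a plain sample-by-sample comparison. Below is an added example, not Inverse Path's code: a compact DTW implementation, a pointwise distance for contrast, and a handful of constructed signals standing in for per-keystroke vibration envelopes. Real inputs would be spectrogram features extracted from the photodiode signal; the template shapes, their names and the 'late' signal are all invented for the illustration.

```python
"""Dynamic time warping (DTW) between two short 1-D signals.

Added example, not code from Inverse Path. All signals are constructed.
"""


def dtw_distance(a, b, window=None):
    """Minimum cumulative |a[i]-b[j]| cost over all monotone alignments.

    `window`, if given, is a Sakoe-Chiba band restricting |i-j| <= window.
    Without it every alignment is allowed, which is fine for short signals.
    """
    n, m = len(a), len(b)
    w = max(n, m) if window is None else max(window, abs(n - m))
    inf = float("inf")
    cost = [[inf] * (m + 1) for _ in range(n + 1)]
    cost[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(max(1, i - w), min(m, i + w) + 1):
            d = abs(a[i - 1] - b[j - 1])
            cost[i][j] = d + min(cost[i - 1][j],      # a[i] stretched over b
                                 cost[i][j - 1],      # b[j] stretched over a
                                 cost[i - 1][j - 1])  # both advance
    return cost[n][m]


def pointwise_distance(a, b):
    """Sample-by-sample |a[i]-b[i]|: no tolerance for timing drift."""
    if len(a) != len(b):
        raise ValueError("pointwise comparison needs equal-length signals")
    return float(sum(abs(x - y) for x, y in zip(a, b)))


# Constructed templates: envelope shape for three different keys.
TEMPLATES = {
    "key_1": [0, 1, 3, 1, 0, 0, 0, 0],   # single sharp click
    "key_2": [0, 2, 0, 2, 0, 0, 0, 0],   # double tap
    "key_3": [0, 3, 3, 3, 0, 0, 0, 0],   # broad thud
}

# Same shape as key_1, but the click arrives two samples later.
LATE_KEY_1 = [0, 0, 0, 1, 3, 1, 0, 0]


def classify(signal, templates=TEMPLATES, window=None):
    """Return the template name with the smallest DTW distance to `signal`."""
    return min(templates, key=lambda name: dtw_distance(signal, templates[name], window))


if __name__ == "__main__":
    print("DTW       key_1 vs late key_1:", dtw_distance(TEMPLATES["key_1"], LATE_KEY_1))
    print("pointwise key_1 vs late key_1:", pointwise_distance(TEMPLATES["key_1"], LATE_KEY_1))
    print("late key_1 classified as:", classify(LATE_KEY_1))
```

The point of the comparison: the same click arriving two samples late costs 8 units under pointwise comparison but 0 under DTW, because DTW is free to stretch the flat stretches. That tolerance for timing variation is exactly what a captured vibration signal needs, and it is why the same algorithm serves speech recognition.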

Wednesday, 1 April 2009

Voodoo DoS hits Russian password crackers

Russian security company Elcomsoft has been hit with a set of technical problems. The company has announced that it experienced issues with its file storage server, internet router and a number of devices used to control desktop computers. It blames these occurrences on a new area of research that has had unforeseen effects on its systems.

The company is known for taking a lateral approach to password cracking. In the past it has developed products that use distributed computing and even harnessed the power of graphics cards to speed up the lengthy process of recovering passwords. It has now abandoned its research into voodoo password recovery and has instead launched a new product that causes less disruption in the office. You can read about the Elcomsoft Password Recovery Tambourine here. It comes in standard, corporate and pocket versions.

Sunday, 23 November 2008

The Complete Internet Security Handbook 2009

If you want to keep your family safe and your data private then The Complete Internet Security Handbook 2009 is the book for you. It includes the following:

What do you want to protect?
Learn how to manage risk and provide the best protection you can for the people and things you care about the most.

Cyber-criminals
Why do viruses, hackers, spam and fake bank websites exist? Discover the criminal underworld of the internet and find out how the scammers and conmen operate.

Chapter 1: Basic Desktop Protection
Take advantage of Windows' built-in security features and protect your computer for free.

Chapter 2: Viruses
Learn how to avoid viruses, recognise them when they appear and remove infections from your computer.

Chapter 3: Hackers, spies and other criminals
Prevent the bad guys on the internet from gaining control of your computer, internet connection and personal details.

Chapter 4: Spam and how to avoid it
Is your email inbox overwhelmed with annoying messages? We'll show you how to regain control and banish spam forever.

Chapter 5: Protect your child
The internet is a great educational resource, but threats abound. Ensure your kids stay safe online with our comprehensive guide.

Chapter 6: Lost and stolen
Reduce the chances of computer theft and encrypt your files to keep them private, even if they are stolen.

Chapter 7: Accidents and malfunctions
Discover the easiest way to keep your files safe and find out how to recover them if the worst happens.

Chapter 8: Personal privacy
Learn how to prevent your personal data falling into the wrong hands.

Chapter 9: Scams, fraud and hoaxes
Learn how to protect yourself against identity theft, email hoaxes and fake websites designed to steal your money.

BONUS CHAPTER: Wireless networking
They are convenient, but how safe are wireless networks? We show you how to build and bullet-proof your network.

The Complete Internet Security Handbook 2009 is available now from Borders and costs £7.99. It will also be available in WHSmiths from 27/11/2008. Amazon is currently selling it for £6.39 (as of 23/11/2008).

ISBN: 1-906372-18-7
Cover price: £7.99
Edited and (mostly) written by Simon Edwards.

Friday, 18 April 2008

How to destroy your personal data

I really, really want one of these...

Tuesday, 5 February 2008

This USB key will self-destruct in 10 login attempts

This USB key claims to be "the world's most secure USB flash drive" and who am I to argue? After all, it's the only one I've heard of that will self-destruct when someone tries to access the stored data. Sadly, and contrary to the 'demo' image (right), this destruction is not explosive. Instead, after ten failed password entries, the device wipes its data.

According to IronKey's website, this destruction uses a, "patent-pending 'flash-trash' methodology" to overwrite data. And if you're thinking, "well, I'd just prise the memory out of the unit and read that directly" think again - the IronKey is filled with an, "epoxy-based potting compound". The idea is that, once you've dug through the resin, you've probably damaged the physical memory in the process.

It's easy to get suspicious about a technical security product that uses "patent-pending" technology. But it's also hard to be unimpressed by IronKey's slick marketing. Personally, I'll continue to store my most personal secrets on something less easy to lose or have stolen. But for the paranoid geek in your life, this might be an ideal gift.

Tuesday, 29 May 2007

Miniature Security System

I have just had a look at a new type of security device that takes an interesting approach to securing desktop and laptop PCs. The Yoggie Pico is a small USB device that looks like a chunky flash drive but is, in fact, a full Linux system with its own 520MHz processor, RAM and applications.

It starts working when you plug it into a PC. It then starts intercepting network traffic, analysing it using a range of security tools including Kaspersky AntiVirus software; the popular and powerful Snort intrusion detection system; and a range of other programs.

The idea is that, because the tiny outboard computer does all the work, the main PC doesn't have to waste processor time and memory capacity handling resource-hungry desktop security packages.

The device has USB drivers that create a layer between the network drivers and the rest of the Windows operating system. This means that it can watch all of the data flowing between the PC and the internet and, when the gadget is removed, the computer loses its network connection.

This is a really interesting idea, although the network is only one way that viruses and other malware can enter a system. Such a device does provide home users with a similar security model to that used by some big companies, whereby a perimeter of systems includes anti-malware measures to prevent bad files from even reaching the user's computers.

Using layers of defence is much better than relying simply on desktop software, particularly as some programs are less effective than others. Using more than one is better in theory, but this can slow down a PC quite dramatically and may even cause instability. Not only that, but the people who write malware are increasingly adding 'features' that attack anti-virus programs. Running an anti-virus system externally to the PC takes the pressure off your computer and increases the chances of detecting malware.

Postscript:
During this meeting, Yoggie's founder and CEO Shlomo Touboul showed me his specially-unlocked version of the product, which allowed him to log into the device using SSH and to run standard Linux commands. Geeky and/but fun.