club-hack-magazine-42.pdf

Upload: geekfenix

Post on 03-Jun-2018


8/12/2019 Club-Hack-Magazine-42.pdf 1/23

Issue2Mar2010 | Page


APT1: One of China's Cyber Espionage Units

In the Information Age it won't sound far-fetched if we're told that an entity is involved in cyber espionage on a global scale. But it's a whole other story if we're told that this cyber espionage is funded by the government of an emerging economy.

Mandiant is a security company that investigates cyber security breaches around the world. Many of these breaches are caused by Advanced Persistent Threats (a term coined by the US Air Force in 2006), meaning that these threat actors have advanced capabilities and are persistent in the face of security measures.

In January 2010 Mandiant published an interesting theory that these APTs may be funded by the Chinese government; however, they did not have sufficient evidence to prove it. In 2013, Mandiant published another report, on APT1, which primarily blames the Chinese government for funding cyber espionage activities around the globe and contains the supporting technical evidence.

Mandiant's VP says: "We've provided all the evidence here. This is something our industry needs to do more of; Mandiant is proud to participate in this kind of information sharing. We are not issuing a one-page baseless accusation; we're providing 60 pages of evidence and over 3000 technical indicators like IP addresses, domain names and encryption certificates. We welcome scrutiny and invite other researchers to take a look at the evidence, and we are confident they will arrive at the same conclusion."


    Gist of the Mandiant Report:

- There are more than 20 APT groups in China; however, the report focuses on one of them (referred to as APT1), which is the most prolific.

- APT1 has direct government support, is similar in its characteristics to the PLA's Unit 61398 of the Chinese Army, and has the same location.

- Unit 61398 is located at Datong Road, Pudong New Area of Shanghai.

- This building, which is estimated to house thousands of people, is a 130,663 square foot facility and has 12 stories (see Figure 1).

Figure 1: APT1 Building (Source: Mandiant APT1 Report)

- Special fiber optic communication facilities are provided for this unit in the name of national defense. Mandiant was able to locate a scanned China Telecom memo on the Internet which talked about approval for providing the requested channel "since this is concerning defense construction".

- The professionals inside the building (the APT1 actors) are trained in computer security and are proficient in English. These actors need to carry out social engineering attacks such as formulating a spear phishing email, which requires clever use of the English language, since mostly English-speaking countries are targeted. This is a stable day job for them.

Facts about APT1:

- APT1 established a minimum of 937 Command and Control (C2) servers
  - hosted on 849 distinct IP addresses in 13 countries;
  - the majority were registered to organizations in China (709),
  - followed by the U.S. (109).

- In the last several years Mandiant has confirmed 2,551 FQDNs attributed to APT1.

- Between January 2011 and January 2013 Mandiant confirmed
  - 1,905 instances of APT1 actors using their attack infrastructure,
  - from 832 different IP addresses.

Figure 2: Noted APT1 Victims over the years (Source: Mandiant APT1 Report)

Figure 3: Industries compromised by APT1 (Source: Mandiant APT1 Report)

Figure 4: Global Distribution of APT1 Servers (Source: Mandiant APT1 Report)

Figure 5: APT1 Servers Distribution in China (Source: Mandiant APT1 Report)

    APT1 Attack Methodology:

A typical APT1 attack begins by sending a spear phishing e-mail to the victim. These emails use official-sounding language and themes (suggesting their authenticity) and carry a malicious attachment. For example, one APT1 backdoor appears to have a .pdf extension and icon, but its file name is actually ".pdf" followed by 119 spaces and then ".exe", so the real extension is pushed out of view. When the unsuspecting victim opens the attachment, the backdoor does its job and gives control to the APT1 actor.
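One defender-side check that follows from this, as an added example that is not part of the magazine article or the Mandiant report: a small Python filter, usable in a mail-gateway or triage script, that flags attachment names whose real extension is hidden behind whitespace padding (the ".pdf" + 119 spaces + ".exe" pattern described above) or behind a plain double extension. The extension sets and the sample attachment names are constructed for this example.

```python
import re

# Extensions Windows will execute when the file is double-clicked. Constructed
# for this example; extend the set to match your own mail-gateway policy.
EXECUTABLE_EXTS = frozenset({"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "hta"})

# Document-like extensions an attacker borrows so the name looks harmless.
DECOY_EXTS = frozenset({"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf", "jpg"})

# ".<decoy><whitespace run>.<real>" at the end of the name. In Python 3 str
# patterns \s also matches Unicode whitespace such as NBSP and tabs, so
# variants of the plain-space padding described in the text are caught too.
_PADDED = re.compile(r"\.(?P<decoy>[A-Za-z0-9]{1,5})(?P<pad>\s+)\.(?P<real>[A-Za-z0-9]{1,4})$")


def analyze_attachment_name(name):
    """Return a dict describing why `name` looks disguised, or None if it does not.

    Checks, in order:
      1. whitespace padding between a decoy extension and the executable one,
         e.g. 'report.pdf' + 119 spaces + '.exe' (the APT1 trick);
      2. a plain double extension such as 'invoice.pdf.exe', which Windows
         shows as 'invoice.pdf' when "hide extensions for known file types" is on;
      3. a bare executable extension, which most mail policies block anyway.
    """
    m = _PADDED.search(name)
    if m and m.group("real").lower() in EXECUTABLE_EXTS:
        return {
            "name": name,
            "reason": "padded-double-extension",
            "decoy_ext": m.group("decoy").lower(),
            "real_ext": m.group("real").lower(),
            "padding": len(m.group("pad")),
        }

    parts = name.lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2].strip() in DECOY_EXTS:
        return {"name": name, "reason": "double-extension",
                "decoy_ext": parts[-2].strip(), "real_ext": parts[-1], "padding": 0}

    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        return {"name": name, "reason": "executable-attachment",
                "decoy_ext": None, "real_ext": parts[-1], "padding": 0}

    return None


def scan_attachments(names):
    """Run analyze_attachment_name over a batch and return only the findings."""
    findings = (analyze_attachment_name(n) for n in names)
    return [f for f in findings if f is not None]


# Constructed sample attachment names (not taken from the report). The second
# one reproduces the structure described in the text: '.pdf', 119 spaces, '.exe'.
SAMPLE_ATTACHMENTS = [
    "Q3_financials.pdf",
    "Q3_financials.pdf" + " " * 119 + ".exe",
    "invoice.pdf.exe",
    "memo.docx\u00a0\u00a0.scr",   # NBSP padding instead of plain spaces
    "photos.tar.gz",
    "patch.exe",
]

if __name__ == "__main__":
    for f in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"{f['reason']:24s} padding={f['padding']:3d}  {f['name'][:30]!r}")
```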

As the main purpose of the APT1 actors is to steal confidential documents, once access to the victim's systems is obtained, documents are gathered, compressed into a RAR archive and password-protected. This RAR archive is then sent to the APT1 actor.

Captured attacker session video

This video, released by Mandiant, shows an active attacker's session:

- The hacker creates an operational email account on Gmail (named "dota"). First he tries to fake his location and enters USA, but then notices that Google requires mobile verification before the account can be created. So he enters his country as China and provides a cell phone number located in Shanghai, China.

- dota then logs in to his email account; this account is used for spear-phishing and for generating more email accounts.

Installing a Command and Control Server

- dota checks a RAT called Ghost on his own system in Shanghai. We can see that this Ghost RAT has a GUI with features like Keylogger, File Manager, Screen Capture, Webcam Capture, Remote Shell and Voice Chat.

- Another APT actor uses a web-based C2 (command and control) server. This one has a command line interface. The APT actor uses this client to list the incoming connections from victim computers, and two victim computers check in.

- The APT actor can be seen using stolen credentials to log into a mail exchange server and list the inbox contents, which show the message numbers and the size of the messages.

- The APT actor goes to an FTP server and downloads "lightbolt", then uses this tool to steal files from the victim machine. The lightbolt tool stores the stolen files in a password-protected RAR archive, which is then uploaded to an FTP server.

Figure 6: APT1 Attack Lifecycle (Source: Mandiant APT1 Report)

Case Study

China believed to have copied the MQ-1 Predator Drone through cyber hacking

QinetiQ North America (QQ) is a world-leading defense technology and security company providing satellites, drones and software services to the U.S. Special Forces deployed in Afghanistan and the Middle East. In 2009, China had almost complete control over QinetiQ TSG's computers, stealing 1.3 million pages of documents and 3.3 million pages of Microsoft Excel spreadsheets containing TSG's code and engineering data. These documents were believed to have been used by the Chinese to build an MQ-1 drone.

Is China really doing it? Are they admitting it?

China says: "We have said repeatedly that such attacks are transnational and anonymous and determining their origins is extremely difficult." So they are firmly denying the accusation.

The approach is indirect. First the hacker compromises a US server, then uses it as a hop point for further attacks. The security people would visit that server, sit there and trace the activity back. After all this evidence there is no way for them to deny it, but they dare not admit to the cyber espionage. The thinking may be that America is doing it all the time, so let us too.

The most damning evidence against China is the attackers' own infrastructure, from which they launch attacks: 98% of the time they were logging in from that one block in Shanghai, and 97% of the time their systems were configured with the Chinese character set.

News crews like CNN were stopped from trying to take pictures of the building and were chased by Chinese military guards. Finally the footage was confiscated (see Figure 8).

Figure 7: MQ-1 Predator Drone

Figure 8: Chinese Military Guards chasing the CNN News Crew around the APT1 building

Skepticism around the Mandiant report

Some security researchers are raising eyebrows at this report, mainly because there are many ways in which an attacker of this level of sophistication could hide his or her location. So why did they not cover their tracks better? Some agree that the attacks originated in China but doubt their connection with the Chinese government. The attacker session video released by Mandiant shows the attacker using common attack tools like Ghost RAT that are freely available on the Internet, which sits oddly with the "advanced" in the Advanced Persistent Threats we are talking about.

    Summary

Such attacks are targeted at private industries that are not equipped to deal with threats from the cyber resources of a nation. So this is government versus private industry, which is not a fair fight. US President Obama says: "America must face the rapidly growing threat from cyber-attacks. Now such attacks are focused on sabotaging our power grids, our financial institutions and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and economy."

We should all be glad that the Virginia-based security firm Mandiant decided to expose one of the most prolific cyber espionage groups and make all the related evidence public.

This bold activity may have been initiated by the PLA, but there is definitely government approval. Now that the reports are public, if the APT1 activity still continues then the government is definitely involved, even the top leaders. There seems to be clear strategic planning behind this. China's government monitors and censors the Internet. China is focusing on economic espionage: stealing trade secrets, intellectual property and negotiation strategies, and passing these to its own companies to compete with other companies worldwide. This is a massive cyber espionage campaign.

What are they trying to achieve? It may be motivated by political reasons. It may be a kind of security against what the USA can do. The Chinese information gathering system has morphed into a new kind of mode that makes it very scary in terms of its effect.

Today such attacks are inevitable, but if the government is alert and vigilant they can be nipped in the bud before a serious security breach takes place. However, a casual attitude towards such advanced threats can have disastrous effects on a country and its people.

We can boast all we want, but the bottom line is that India is seriously lagging in its cyber defense capabilities, and there are only a handful of truly motivated and driven computer security professionals in India.

One reason for this may be that no formal education is provided to students interested in security, so these individuals turn to certifications which are either too theoretical and provide no hands-on knowledge, or are too costly for an average Indian student, or require a prior minimum number of years of experience in the security domain. Some of these certifications in India are started by individuals claiming to be hackers themselves, which steers candidates more towards the glamour of hacking emails or passwords than towards developing a mature approach to security. India desperately needs state-sponsored programs that teach computer security at master's level to deserving students who clear a well-designed competitive screening process. Cyber espionage is a growing issue and it has to be dealt with head-on.

In India, a higher level of information security awareness is required. Hacking is not just a bunch of kids randomly doing things for fun and profit. It is now a national strategy. The important thing to note is that while in countries like the USA hacking is considered illegal and immoral, the Chinese government is treating it as a necessity.

What would Indian industries do if they faced such attacks? Individual companies can never fight a nation. The Indian government's support is indispensable against such cyber activities. Such cyber espionage is a violation of sovereignty. This is not a minor issue and will continue to grow more severe if nothing is done. This isn't a group of rogue hackers; this is a unit of the PLA (People's Liberation Army of China). We need to get smarter with each breach. From knowledge comes power.

On the Web

http://intelreport.mandiant.com/ - Mandiant Intelligence Report
http://www.youtube.com/watch?v=3d2gyydHwmY - CNN News Crew being chased
http://www.youtube.com/watch?v=6p7FqSav6Ho - Video showing an attacker session

Pranshu [email protected]

Pranshu Bajpai is a computer security professional specialized in systems, network and web penetration testing. He is completing his Master's in Information Security from the Indian Institute of Information Technology. Currently he is also working as a freelance penetration tester on a counter-hacking project in a security firm in Delhi, India, where his responsibilities include 'Vulnerability Research', 'Exploit kit deployment', 'Maintaining Access' and 'Reporting'. He is an active speaker and author with a passion for information security.


BYOD Policy - Are you implementing it correctly?

    Introduction

Bring your own device (BYOD) is the business policy of letting employees bring their own devices to the workplace for doing work. The concept has gained popularity in recent years mainly for the following reasons:

- Employees are more willing to spend on their devices, as they have ownership of the device.

- Maintenance and protection of these devices is taken better care of, as the employees alone will be liable for the losses if they happen to lose them.

- It allows employees to be more flexible and add more productive hours at the workplace, since they can contribute more to the organization's growth from anywhere, anytime.

- A correctly implemented BYOD policy can foster a culture of eagerness to work, producing efficient and productive employees, since their needs are directly addressed by the company. This makes the workplace a "fun" place to work.

- It reduces the burden of IT inventory maintenance tasks such as commissioning / decommissioning corporate devices used for work. Subsequently, new hardware purchase costs are also lowered.

- A start-up or a small or medium size company can avoid high purchase costs for laptops, smartphones, data cards and tablets for their employees, since employees have the flexibility to use their own devices at the workplace.

- These smart devices often provide better processing speed and power for accomplishing the tasks.

- Substantial savings are made on carrier/ISP charges, since the organization doesn't need to maintain elaborate corporate data plans but lets the employees use their own data plans.

However, it needs to be remembered that the corporate data residing on a user's own device remains the property of the company. Hence adequate protection measures need to be in place to protect that sensitive corporate data.

Defining a Strong Business Case for BYOD

The most common cause of failure in implementing any BYOD policy is that senior management and end users routinely fail to grasp the fundamental concept which drives the BYOD policy: it's all about device ownership. BYOD is fundamentally no different from a corporate-owned device policy, except that the device ownership now resides with the end-users instead of the organization. However, the ownership of corporate data will still remain with the company.

There is one important caveat while going for a BYOD policy. Going for BYOD is a discretionary judgement which needs to be made by senior management with careful planning. Senior management must not look only at the single facet of cost savings. It is an important business decision which will directly affect the growth of the organization. Senior management should have a clearly defined and quantifiable goal for achieving the benefits offered by BYOD. Just following the industry trend with a "Hey, everybody is doing it, let's implement this in our organization" attitude can spell disaster for the organization's growth if no advance planning measures are taken. For this, a strong business case is needed to reap the benefits of BYOD policy implementation.

Senior management must also accept the risk that by implementing BYOD, more avenues are opened for data leakage from employees' devices. Many of these devices can also share data in the cloud, increasing the likelihood of data duplication between cloud services and apps. Hence, appropriate solutions, tools and techniques to prevent and contain this vital business information from leaking outside must be implemented as well.

Defining BYOD Policy rollout

For a successful BYOD policy rollout generating maximum return on investment (ROI), we must follow these steps:

1. Assess organization readiness and define leadership:

A well-defined business case with clear-cut goals is a prerequisite before developing a BYOD policy. Next, the control group operating and overseeing the BYOD policy needs to be defined and assigned responsibilities. The policy needs to be communicated in top-down order so that no ambiguity remains in adoption. Penalty clauses and security mechanisms must be designed into the BYOD policy to give adequate security to the devices.

2. Develop BYOD Charter:

A well-defined BYOD charter will ensure that regular investments in the security of BYOD devices are required from the business managers. This helps to establish a business justification for monitoring and administering the corporate data residing on employee-owned devices.

3. Setting up BYOD governing body:

The governing body of BYOD would be responsible for developing, implementing, overseeing and maintaining the BYOD program. The governing body should include business vertical heads along with HR, legal and finance domain experts for smooth implementation of the BYOD policy. The governing body may start with a rough checklist assigning BYOD tasks such as:

- Which employees will qualify for BYOD? This should be defined on a per-role basis.

- Written, signed agreements with employees for accepting risks concerning the device usage.

- Which OS versions will be supported for devices?

- Policies regarding wiping of personal / corporate data in case of device loss.

- Methods used for separation of personal and corporate information on devices.

- Actions to follow after a security violation.

All policies must comply with region-specific laws, which will automatically be given first priority while designing the BYOD policy. It is important to update the policy document and adjust to the ever-changing landscape of evolving technology. It is better that a BYOD program be implemented in a phased approach. Initial success will generate enough confidence in senior management about its successful operation; it can then be applied to other departments. The users from the initial phase of BYOD deployment must emerge as champions for BYOD usage, to spread the culture effectively and securely across the length and breadth of the organization.

4. BYOD IT Process Group:

This IT process control group will look after the required software upgrades and the license implications of mail access from employee-owned devices.

5. Managing BYOD policy:

BYOD programs require strong security solutions like network access control (NAC), Wi-Fi routers and Mobile Device Management (MDM) solutions for organization-wide management of personal devices. Containerization tools to separate corporate data from personal data must be procured. A technical way to separate business and personal data is by having dual-persona smartphones, i.e. having one interface for personal use and another for business use. High-end smartphones such as the BlackBerry Z10 currently support this.

6. Post Deployment Support:

High-quality help desk support is a prerequisite for successful BYOD deployment. It should provide assistance with diagnostic tools for troubleshooting and a list of manufacturers' support phone numbers for quick reference.

Common Pitfalls to Avoid During Deployment of BYOD Policy

Though adopting a BYOD strategy might seem a very attractive proposition at first glance, it is advisable to exercise caution and care during its implementation in your company. Left unhandled, BYOD can act as a constant drain on funds for the organization. This holds especially true when a BYOD policy is implemented across a large organization spread across multiple geographies.

For example, in a traditional setting following the corporate-owned approach, a large firm typically invests around $200 for compatible smartphones and $500-$1000 for notebooks/tablets, along with a high-end corporate data plan for all its employees. But here it gets interesting. The corporate data plans allow these companies to pool their voice minutes and their data bucket. If any one employee goes over his or her allotment limit, the company can adjust this by taking unused voice or data from another employee's allotment to make up the difference. That gets rid of much of the overage fees their employees would otherwise end up charging back to the company.

Needless to say, carriers offer better discounts on corporate plans than to an individual. National and international roaming charges are also offered at heavily subsidized rates in corporate data plans. The savings made from these fixed, cheaper call rates eventually work in favour of a company which has a footprint across international offices. Now, imagine BYOD replacing this system: each user would typically shell out the $1-per-minute voice costs and $10 per 10MB that many individual users pay when abroad. Multiply this by the typical workforce of 5000-10000 people in a large organization. This figure clearly pales in comparison to the savings made while using corporate plans.

    Conclusion

A BYOD policy seems inevitable in the coming years, as the advancement of technology in smart devices helps employees achieve better productivity with flexibility at the workplace. Instead of denying access citing security concerns, it would be in the best business interest to embrace this business policy, which allows people to be more productive in the longer run. No doubt, we do need clearly defined rules and accountability factors, enforced via legal and technological means, for protecting the sensitive corporate data residing on people's devices. But as the nature of doing business evolves with technological advancement, it is in everybody's best interest to accept a BYOD policy, since it directly addresses the need to collaborate and communicate at the times when it matters most. After all, when it comes to business, time is money!


About the Author

Manasdeep
[email protected]

Manasdeep currently serves as a Security Analyst in the Technical Assessment team at NII Consulting, Mumbai. His work focuses on conducting security audits, vulnerability assessment and penetration testing for NII's premier clients. He possesses strong analytical skills and likes to keep himself involved in learning new attack vectors, tools and technologies. He has a flair for technical writing and shares his thoughts on his blog Experiencing Computing at http://manasdeeps.blogspot.in. He has also published information security paper(s) in the International Journal of Computer Science and Information Security (IJCSIS) along with various seminar / conference proceedings.

    http://www.informationweek.in/mobile/13-06-07/8_steps_cios_should_take_to_maximize_byod_roi.aspxhttp://www.informationweek.in/mobile/13-06-07/8_steps_cios_should_take_to_maximize_byod_roi.aspxhttp://www.informationweek.in/mobile/13-06-07/8_steps_cios_should_take_to_maximize_byod_roi.aspxhttp://www.informationweek.in/mobile/13-06-07/8_steps_cios_should_take_to_maximize_byod_roi.aspxhttp://www.infoworld.com/d/mobile-technology/buckle-here-comes-the-hard-part-of-mobile-217506http://www.infoworld.com/d/mobile-technology/buckle-here-comes-the-hard-part-of-mobile-217506http://www.infoworld.com/d/mobile-technology/buckle-here-comes-the-hard-part-of-mobile-217506http://www.infoworld.com/d/mobile-technology/buckle-here-comes-the-hard-part-of-mobile-217506http://www.computerworld.com/s/article/9238832/BYOD_or_else._Companies_will_soon_require_that_workers_use_their_own_smartphone_on_the_jobhttp://www.computerworld.com/s/article/9238832/BYOD_or_else._Companies_will_soon_require_that_workers_use_their_own_smartphone_on_the_jobhttp://www.computerworld.com/s/article/9238832/BYOD_or_else._Companies_will_soon_require_that_workers_use_their_own_smartphone_on_the_jobhttp://www.computerworld.com/s/article/9238832/BYOD_or_else._Companies_will_soon_require_that_workers_use_their_own_smartphone_on_the_jobhttp://www.networkworld.com/news/2013/032813-forrester-mobile-268206.htmlhttp://www.networkworld.com/news/2013/032813-forrester-mobile-268206.htmlhttp://www.networkworld.com/news/2013/032813-forrester-mobile-268206.htmlhttp://www.networkworld.com/news/2013/032813-forrester-mobile-268206.htmlhttp://www.infoworld.com/t/byod/the-right-way-manage-byod-219775http://www.infoworld.com/t/byod/the-right-way-manage-byod-219775http://www.infoworld.com/t/byod/the-right-way-manage-byod-219775http://www.infoworld.com/d/consumerization-of-it/the-unintended-consequences-of-forced-byod-217919http://www.infoworld.com/d/consumerization-of-it/the-unintended-consequences-of-forced-byod-217919http://www.i
nfoworld.com/d/consumerization-of-it/the-unintended-consequences-of-forced-byod-217919http://www.infoworld.com/d/consumerization-of-it/the-unintended-consequences-of-forced-byod-217919http://www.infoworld.com/t/byod/why-almost-everyone-gets-it-wrong-about-byod-219241http://www.infoworld.com/t/byod/why-almost-everyone-gets-it-wrong-about-byod-219241http://www.infoworld.com/t/byod/why-almost-everyone-gets-it-wrong-about-byod-219241http://www.infoworld.com/t/byod/how-trickle-of-byod-costs-can-turn-deluge-215758http://www.infoworld.com/t/byod/how-trickle-of-byod-costs-can-turn-deluge-215758http://www.infoworld.com/t/byod/how-trickle-of-byod-costs-can-turn-deluge-215758http://www.infoworld.com/t/byod/how-trickle-of-byod-costs-can-turn-deluge-215758http://www.infoworld.com/d/microsoft-windows/message-old-guard-accept-social-business-219464http://www.infoworld.com/d/microsoft-windows/message-old-guard-accept-social-business-219464http://www.infoworld.com/d/microsoft-windows/message-old-guard-accept-social-business-219464http://www.cio.in/article/hidden-dark-side-todays-hottest-tech-trendshttp://www.cio.in/article/hidden-dark-side-todays-hottest-tech-trendshttp://www.cio.in/article/hidden-dark-side-todays-hottest-tech-trendsmailto:[email protected]:[email protected]:[email 
protected]://www.cio.in/article/hidden-dark-side-todays-hottest-tech-trendshttp://www.cio.in/article/hidden-dark-side-todays-hottest-tech-trendshttp://www.infoworld.com/d/microsoft-windows/message-old-guard-accept-social-business-219464http://www.infoworld.com/d/microsoft-windows/message-old-guard-accept-social-business-219464http://www.infoworld.com/t/byod/how-trickle-of-byod-costs-can-turn-deluge-215758http://www.infoworld.com/t/byod/how-trickle-of-byod-costs-can-turn-deluge-215758http://www.infoworld.com/t/byod/why-almost-everyone-gets-it-wrong-about-byod-219241http://www.infoworld.com/t/byod/why-almost-everyone-gets-it-wrong-about-byod-219241http://www.infoworld.com/d/consumerization-of-it/the-unintended-consequences-of-forced-byod-217919http://www.infoworld.com/d/consumerization-of-it/the-unintended-consequences-of-forced-byod-217919http://www.infoworld.com/t/byod/the-right-way-manage-byod-219775http://www.networkworld.com/news/2013/032813-forrester-mobile-268206.htmlhttp://www.networkworld.com/news/2013/032813-forrester-mobile-268206.htmlhttp://www.networkworld.com/news/2013/032813-forrester-mobile-268206.htmlhttp://www.computerworld.com/s/article/9238832/BYOD_or_else._Companies_will_soon_require_that_workers_use_their_own_smartphone_on_the_jobhttp://www.computerworld.com/s/article/9238832/BYOD_or_else._Companies_will_soon_require_that_workers_use_their_own_smartphone_on_the_jobhttp://www.computerworld.com/s/article/9238832/BYOD_or_else._Companies_will_soon_require_that_workers_use_their_own_smartphone_on_the_jobhttp://www.infoworld.com/d/mobile-technology/buckle-here-comes-the-hard-part-of-mobile-217506http://www.infoworld.com/d/mobile-technology/buckle-here-comes-the-hard-part-of-mobile-217506http://www.informationweek.in/mobile/13-06-07/8_steps_cios_should_take_to_maximize_byod_roi.aspxhttp://www.informationweek.in/mobile/13-06-07/8_steps_cios_should_take_to_maximize_byod_roi.aspx

Drupal Scanner

CMS - What's the Fuss all About?

A Content Management System makes your life easy. It makes the online presence of your business more accessible, and hence the probability of your business succeeding soars higher. Incredibly, if you are unfamiliar with CMSes, the best part is that you need not be a nerdy, high-tech web developer to give this touch of virtuality to your ideas and convert them into online reality. You need not have your armour flooding with all sorts of programming skills and impressive, crisp UI design skills. Neither do you need those 'supernatural' scripting and back-end management skills. That's the power you get when you use a CMS for your websites. All you need is some basic idea about creating websites and you are absolutely ready to go and get it done. And what's more, you have different flavours to choose from. So depending on your requirements and taste you can go for any of the three major CMSes out there, viz. WordPress, Joomla or Drupal.

OK... What's the Catch!

But, like all interesting stories, this one too has a catch. "With great power comes great responsibility." These CMSes have their own guidelines for secure implementation to safeguard the integrity, confidentiality and availability of your websites. WordPress and Joomla have their flaws, and to deal with them they have standard tools in place: we have WPScan and Joomscan for WordPress and Joomla respectively, which can be used to scan websites built on these CMSes for security issues and do the needful to reduce the risk and diminish the impact of the threat.

As for people who find their taste satisfied by Drupal, they might not be so lucky on these lines, as there is no such tool out there (at least not one that you can find free of cost, and let's accept it, everyone likes free stuff) that can take care of your Drupal-powered websites the way their WordPress and Joomla counterparts do.


The Inception

Enter the idea of creating one such tiny little tool, handy enough to find out exactly that detail about your Drupal-powered websites: a tool that could be your compass, guiding you to a more secure version of your websites. And what better way to start off this project than making use of an already freely available web application security tool? Thus it was decided that IronWasp shall be the mother of this Drupal security scanner, which for now we will term DrupScan, to be in phonetic sync with its counterparts. So effectively, once the tool gets made and is available, it can be easily accessed as yet another module of IronWasp. Put even more simply: you download IronWasp and you know how to access its different modules, that's it. You know how to ensure better security for your Drupal-powered websites.

For once, please be crapless!

DrupScan is based on a very obvious and simple idea: identify the version of a specific module installed on the Drupal-powered website and thereby find out whether the website is secure or not. The CVE ids database has a comprehensive list of all the vulnerabilities present in the different versions of the different modules available for a Drupal site. So, for example, say the website makes use of the 'views' module, and the scanner identifies that the version of the 'views' module being used by the website is 'X.x' and not 'Y.y'. Now the CVE ids database holds the following details about version 'X.x' of the 'views' module: "Vulnerable to XSS and SQLi", and the following about the next version 'Y.y': "No vulnerabilities found". So the scanner just looks up the details available for the module and its specific version in the CVE ids database and thus decides whether the website in question is vulnerable or not.

Using this simple and obvious technique saves a lot of time, as the web application does not really need to be tested for security vulnerabilities from scratch. We simply make use of the information that is already readily available as the result of intensive research, thus efficiently delivering the required solution.

The Technology and Progress so far

The scanner itself, since it is powered by IronWasp, makes use of all the APIs made available by IronWasp. It is mostly being written in IronPython, again something that has full-fledged interactive learning support through the scripting engine of IronWasp.

So far a proof of concept is available for DrupScan which works on the same principle as explained above. The exact function names that do the respective jobs are listed below. (For details of the function definitions please refer to the script itself.) The processing starts from the main function named runAsMain().

1. Simply takes up 2 versions of a specific module, say ver1 and ver2.

2. It lists out all the files in these 2 versions and finds the difference between the 2 file listings.

Taken care of by passDirPath(), fileLookUp(), dictComp(), createDic():

passDirPath():- For the proof of concept 2 instances of the same Drupal site are installed on the localhost. On one of the instances an


older and vulnerable version of a specific module, say the "views" module, is installed, and on the other instance a newer and patched version of the same module is installed. So correspondingly, in the respective paths, directories and files are created accordingly. These two paths are passed to the function passDirPath().

fileLookUp():- is a recursive function. It recursively checks all the folders for any files present in them. Each file is taken and its hash is calculated. Each of these hashes, along with its corresponding file, is stored in a temp file.

dictComp():- this function takes 2 text files as input. These 2 text files contain the list of all the files present in the 2 versions of the folder. IT DOES NOT MATTER WHAT ORDER THE CONTENT OF THESE TWO FILES IS IN. As long as the contents of these 2 text files are in the format "file_path/file_name \t hash_key", the order in which the contents are listed in the 2 text files does not matter. Finally it finds the difference between the files and prints the differences to a text file called dicDiff.txt.

createDic():- is a helper function for dictComp(). This function simply creates a dictionary or list and returns the same.

3. Then sees which of these files (that were found to be different) are publicly accessible.

4. Stores these publicly accessible files in a db.

Taken care of by publicAccessFiles() and requestor():

publicAccessFiles():- Sends requests for the files present in dicDiff.txt to the 2 instances on the localhost, containing the 2 versions of the module. Depending on the response code we decide whether a particular file is publicly accessible or not, and we populate the PUBLIC_ACCESS database table with the respective details. Later we make use of this table to determine what version of the module the live site is running. The database used is SQLite.

requestor():- is a helper function. It simply frames and sends the required requests and returns the response code. In case the requestor method is called with the third parameter as "True", it indicates that the body of the response also needs to be saved.

5. Say after all this the db contains 5 files, viz. a, b, c, d and e, each with its respective hash.

6. Now when doing a scan on a live site, a request is sent for each of these files to the live site.

7. If there is a success response, the hash of the received file is calculated and compared against the hash in the db.

8. Depending on this the status of the site is reported.


Taken care of by liveVersionScan():

liveVersionScan():- This function makes use of the database of publicly accessible files created by publicAccessFiles(), and sends a request for the same files to the live site that needs to be scanned for its version. liveVersionScan() is aided by the helper function requestor().

Thus the above are the major tasks currently being taken care of by the proof of concept scanner.
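The hashing, diffing and live-lookup steps above, as an added Python example that is not the DrupScan script itself (which is IronPython running inside IronWasp): the module trees, version strings and file contents are constructed for the demo, the HTTP request made by requestor() is replaced by a fetch callback that returns a body or None, and sha256 stands in for whatever hash the proof of concept uses.

```python
import hashlib
import os
import tempfile
from collections import Counter

# Constructed stand-ins for two releases of one Drupal module (hypothetical
# contents and version strings, not real module code). css/views.css is
# identical in both, so it never contributes a fingerprint.
MODULE_VERSIONS = {
    "7.x-3.0": {"views.info": b"version = 7.x-3.0\n", "js/views.js": b"// old handler\n",
                "css/views.css": b"body{}\n"},
    "7.x-3.7": {"views.info": b"version = 7.x-3.7\n", "js/views.js": b"// patched handler\n",
                "css/views.css": b"body{}\n", "js/ajax.js": b"// new in 3.7\n"},
}

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def file_lookup(root):
    """Recursively hash every file under root, keyed by relative path (fileLookUp())."""
    listing = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                listing[os.path.relpath(full, root).replace(os.sep, "/")] = sha256(fh.read())
    return listing

def dict_comp(a, b):
    """Paths whose hash differs or that exist in only one version (dictComp())."""
    return {p for p in set(a) | set(b) if a.get(p) != b.get(p)}

def build_version_db(listings):
    """Map path -> {hash: version} for the files that tell the two versions apart."""
    v1, v2 = listings
    db = {}
    for path in dict_comp(listings[v1], listings[v2]):
        for v in (v1, v2):
            if path in listings[v]:
                db.setdefault(path, {})[listings[v][path]] = v
    return db

def live_version_scan(db, fetch):
    """Request each fingerprint file and vote on the version (liveVersionScan()).
    fetch(path) returns the body, or None when the file is not publicly served."""
    votes = Counter()
    for path, by_hash in db.items():
        body = fetch(path)
        if body is not None and sha256(body) in by_hash:
            votes[by_hash[sha256(body)]] += 1
    return votes.most_common(1)[0][0] if votes else None

def demo():
    """Build the db from the two constructed trees, then scan a simulated live site."""
    listings = {}
    with tempfile.TemporaryDirectory() as tmp:
        for version, files in MODULE_VERSIONS.items():
            for rel, data in files.items():          # lay the tree out as passDirPath() expects
                full = os.path.join(tmp, version, rel)
                os.makedirs(os.path.dirname(full), exist_ok=True)
                with open(full, "wb") as fh:
                    fh.write(data)
            listings[version] = file_lookup(os.path.join(tmp, version))
    db = build_version_db(listings)
    # Simulated live site on 7.x-3.0 whose .info file is not served (as if HTTP 404).
    old = MODULE_VERSIONS["7.x-3.0"]
    return live_version_scan(db, lambda p: None if p == "views.info" else old.get(p))
```

Files that are identical across versions never enter the db, and a file the site refuses to serve simply casts no vote, so the result rests only on files that are both distinguishing and publicly reachable.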

OK. That's Enough. Shut up! I'll see if I am interested.

A lot more work still needs to be done. Incorporating support for as many modules as possible is one of the major parts that still needs to be completed. The scanner as of now focuses only on Drupal 7.x. Later, as the project matures, other Drupal versions may also be included. There are a lot of interesting challenges at hand to solve, and that is where community support is needed, for people with interest and expertise to contribute.

Final words

The scanner on completion can help pinpoint the security issues with a Drupal-powered website and of course will complete the group of similar scanners: WPScan, JoomScan and then, why not, DrupScan.

Abhinav Chourasia

[email protected]


Effective Log Analysis

Log analysis is a responsibility that a security analyst must fulfil with utmost conviction in every organization. If an organization is equipped with security devices like firewalls, AV and VPN that are crucial to the organization, a breach of any such device affects its reputation, which directly or indirectly hurts the business. By performing log analysis one can foresee many threats and prevent attacks early. Log analysis helps to find the traffic pattern that is occurring in an organization; if the trend of the logs under observation deviates from the standard trend, it can be considered a security incident and such traffic should be investigated. Log analysis also helps to comply with regulatory standards like PCI DSS, SOX and GLBA.

Log analysis also enhances and facilitates the development of new security policies and the detection of vulnerabilities. Storage and management of logs is also very crucial when we need to do forensic analysis and incident management.

There are many tools available in the market to analyze logs, including open source tools (http://www.logalyze.com/ and the MindTree tool). In today's world a SIEM is more valuable to an organization than other, plain log management solutions, as a SIEM has correlation features that other solutions don't have. Some of the SIEM tools commonly used are RSA enVision, ArcSight, EventTracker, Juniper STRM, Splunk etc. SIEM service providers collect logs based on EPS (the number of events collected per second): the higher the EPS value, the more events it will collect per second. The pricing of these devices varies based on the number of events collected per second, on the number of devices sending logs to the collector, or on the cost of the entire appliance.

Storage of logs is also an important feature that we need to consider while dealing with log analysis. All the logs of a network device need to be stored for at least 2 years for any investigation. It is not compulsory that all 2 years of data be readily available; that depends on the cost that can be spent on infrastructure and utilities, and on the criticality of the device. Old logs can be backed up to tape and securely stored. This type of storage is called


offline storage. When we are in need of the data we can request the backup admin to plug in those tapes for log retrieval. But it should be noted that logs must not be tampered with; segregation of duty control needs to be implemented here. Whenever a legal case happens to come to our environment it is compulsory to provide logs to the court.

Talking about compliance, out of the 12 requirements of PCI DSS, requirement 10 talks about logging and log management. Logs should be reviewed daily and the integrity of the logs should also be maintained. Here I would like to showcase how we can do log analysis on a firewall. Say the firewall we consider is a Checkpoint firewall.

The first thing we need to do is to monitor all the dropped communications in the FW. You can filter the SIEM for drop packets only. After that you need to see the destination ports of all dropped communications. When you monitor an internal FW you will find only internal IPs as the source IPs. There are some common ports which you will always see while monitoring dropped logs (53, 445, 161, 80, 123, 389, 3268).

Whenever we see many drops to a particular destination IP with the same destination port we need to investigate why such dropped traffic occurred; this could be some botnet activity that has spread across our network.
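The drop-filtering and grouping described above, as an added Python example that is not from the article or any SIEM product: the log lines and their key=value layout are constructed for the demo, and the drop threshold is an arbitrary assumption.

```python
import re
from collections import defaultdict

# Ports the article says always show up in dropped logs; a concentration of
# drops on one destination is still worth a look even when the port is here.
COMMON_PORTS = {"53", "445", "161", "80", "123", "389", "3268"}

# Constructed sample lines in a simplified key=value layout (hypothetical, not
# a real Checkpoint export). Sources are internal 192.168.1.x hosts as in the
# article; destinations use RFC 5737 documentation ranges.
SAMPLE_LOG = """\
action=drop src=192.168.1.1 dst=203.0.113.7 dport=80 proto=tcp
action=drop src=192.168.1.1 dst=203.0.113.7 dport=80 proto=tcp
action=accept src=192.168.1.1 dst=198.51.100.2 dport=443 proto=tcp
action=drop src=192.168.1.1 dst=203.0.113.7 dport=80 proto=tcp
action=drop src=192.168.1.5 dst=203.0.113.7 dport=80 proto=tcp
action=drop src=192.168.1.9 dst=203.0.113.7 dport=80 proto=tcp
action=drop src=192.168.1.9 dst=192.168.1.10 dport=445 proto=tcp
action=drop src=192.168.1.2 dst=192.168.1.20 dport=53 proto=udp
action=drop src=192.168.1.1 dst=203.0.113.7 dport=80 proto=tcp
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Turn one key=value log line into a dict."""
    return dict(KV.findall(line))

def dropped_by_destination(log_text):
    """Keep only drops, then group them by (destination IP, destination port),
    remembering which internal hosts generated them."""
    groups = defaultdict(lambda: {"drops": 0, "sources": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("action") != "drop":
            continue
        key = (rec["dst"], rec["dport"])
        groups[key]["drops"] += 1
        groups[key]["sources"].add(rec["src"])
    return groups

def suspicious_destinations(log_text, min_drops=3):
    """Report (dst, dport) pairs with at least min_drops drops, most drops first.
    Several distinct sources hitting one destination is the spread pattern the
    article describes; min_drops is an arbitrary demo threshold."""
    findings = []
    for (dst, dport), g in dropped_by_destination(log_text).items():
        if g["drops"] >= min_drops:
            findings.append({"dst": dst, "dport": dport, "drops": g["drops"],
                             "hosts": sorted(g["sources"]),
                             "common_port": dport in COMMON_PORTS})
    return sorted(findings, key=lambda f: -f["drops"])
```

On the sample data the only finding is 203.0.113.7:80 with six drops from three internal hosts, which is exactly the "many drops, one destination, one port" shape the article says to investigate even though 80 is on the everyday-noise list.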

I have recently come across such an incident where one botnet was spread across 10 machines and our end point security was not able to detect it. During the FW log analysis, enormous traffic to port 80 to a single destination IP was dropped, which we felt was something suspicious. On detailed investigation of those end machines we were able to identify a botnet which was connecting to one C&C server.

Above is a sample setup that I have created in the lab. 192.168.1.3 is the firewall that we are monitoring using EventTracker (SIEM tool); all the logs are pushed to a logging server 192.168.1.2, and from the logging server events are pushed to the SIEM. So 192.168.1.2 is the event source which we have integrated with the SIEM. 192.168.1.1 is a user's machine infected with malware which establishes many HTTP connections to a malicious IP. You can check the rating of websites from (http://safeweb.norton.com/). In this case, if we are using an AV which doesn't have a signature for this particular malware, then by analyzing the firewall logs we can see some suspicious activity happening on the user's machine. Once you find the user's machine you can go ahead with the normal static malware analysis process to find the exe file which is causing such traffic. You can use various tools like Regshot, Process Monitor, Wireshark, HijackThis and RootkitRevealer to find the exe file.


By default all firewalls will deny all source-to-destination traffic unless a rule or access list is given to permit the traffic. So there is no point in investigating accept logs. But in the meanwhile, when you do log analysis on all the successful communications of a URL filtering software, you can come across many websites whose content your URL filter does not filter. Your employee can create a website that can be used to host content and to transfer files from the organization to the outside world.

In this dynamic world, security threats are changing daily, from phishing mails to a website hack or someone logging into your manager's account to submit a resignation; we must be aware of all the incidents and think about their preventive measures.

    Ben [email protected]

Ben Abraham has more than 5 years of experience in the field of Information Security and in implementing, auditing and optimizing SIEM solutions for clients. He also has knowledge of reverse engineering malware to find its behaviour and has carried out ISO 27001 audits, PCI DSS and firewall audits, and IT security policy development.

Ben has had the opportunity to work in companies like Mphasis, Infosys and Ernst & Young. He wishes to learn more about the various Information Security domains and to conduct training in this domain.
