Practical password reuse

July 22nd, 2014

The standard security party line is “never reuse passwords”.

The logic behind this is simple. When logging in to any site, service or application, in most cases two pieces of information are needed: a username and a password. The username is commonly an email address or some other publicly displayed piece of information; it is generally not intended to be kept secret. The password, however, is. Should a site be compromised, and your username and password be leaked, how many other services of yours is an attacker going to be able to gain access to with the same password?

So: don’t reuse passwords. Use a unique password for each service.

At the same time, passwords can’t be easily guessable. You can’t be expected to audit or know each service’s password storage and brute force defences, so we select complex passwords. The advice used to be to pick a non-dictionary word. Then the advice was to include mixed case, alphanumeric and special characters. Now a minimum of 10 or 12 characters is often suggested as well. Additionally, services are increasingly forcing their users to comply with strong password policies.

So – long, non dictionary, mixed case, alphanumeric and special symbols.

Of course – you never write passwords down.

Seriously?

Let’s look at it from a more practical approach.

Option #1 – use ‘KeePass’ or some other password management application. Depending on whether these are online or offline, you have different risks and benefits. Of course there’s now a single point of attack concern here also: if that password management database is compromised, all your credentials are bust. Do you keep your key in one location and risk loss? What about the password complexity on that offline key? Do you spread your key across multiple locations and increase the risk of compromise?

At the same time, being tied to password management software, secure keys and backup concerns doesn’t sound very appealing for home user Joe.

Option #2 – Reuse your passwords! But be smart about it. Look at the risks to you of each service being compromised and having that password leaked. In my case I use 6 passwords – one for finance/banking (along with two-factor authentication), one for my private key, one for Google, one for my email accounts hosted on my own mail server, one for social media services and any reputable online services that I care about, and one for any account I sign up for that I’m not bothered about the compromise of. Am I happy with the risk that if my Twitter password gets compromised, the attacker has my Facebook password? Yes. Can I sleep at night knowing that if an attacker gains access to my multiple passwords for my Mastercard account, he can gain access to my American Express account? Yes.

This is my method of managing my personal passwords. In business, I’m forced to maintain password databases and policies for various clients’ servers and services. Password management software and services absolutely have a place, but not in user Joe’s personal life.

Enumerating the Network with Cisco Discovery Protocol (CDP)

July 21st, 2014

Cisco devices run a great protocol called CDP, Cisco Discovery Protocol. CDP is a Layer 2 protocol: routers won’t forward it, so you’ll only be able to work with devices within your current broadcast domain. CDP runs on most Cisco devices by default, although it can be disabled for security (globally with ‘no cdp run’, or per interface with ‘no cdp enable’). Linux doesn’t support CDP by default, so you’ll need to grab cdp-tools from http://gpl.internetconnection.net/files/cdp-tools.tar.gz. Untar cdp-tools.tar.gz and then build with ‘make’. If you get compile errors, you’re probably missing build-essential or libnet0-dev, both of which are required packages. cdp-tools offers you two types of functionality.

Passive Listener

cdp-tools can passively listen for CDP announcements sent to the multicast MAC address 01:00:0c:cc:cc:cc (the same address is used by other Cisco Layer 2 protocols such as VTP and DTP; the SNAP protocol ID, 0x2000 for CDP, tells them apart).

Run ./cdp-listen eth0 where eth0 is the interface you wish to listen on (duh). It opens a raw socket, so run it as root.

./cdp-listen eth0

Shortly after, your connected Cisco device should appear:

# Interface: 	eth0
# Hostname: 	cisco-test
# Address: 	192.168.1.2
# 	 
# TimeToLive: 	180
# Capabilities: 	L2SW(switch) IGRP
# 	 
# Networks: 	 

The device’s hostname, IP address, capabilities and configured networks will appear. Instead of cdp-listen, Wireshark also parses CDP packets. What more could you ask for from passive enumeration?

Sender

cdp-send on the other hand forges CDP announcements and sends them onto the segment, so the Cisco devices there will list a neighbour of your choosing. Just run ./cdp-send with no parameters for the options.

./cdp-send eth0 -n "my-cisco" -m 12345 -p "Fas 0/0" -c l3r 
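As an added example (not part of cdp-tools or the original post), the following Python builds a CDP announcement the way cdp-send would and decodes it the way cdp-listen does, so you can see exactly what a switch is leaking and what a forged announcement must contain. The LLC/SNAP encapsulation, TLV types and capability bits are CDP’s own; the MAC addresses, hostname, port and platform strings are constructed, and the checksum helper keeps the payload even-length rather than reproducing Cisco’s odd-length quirk.

```python
"""Build and parse CDP frames. Added example, not part of cdp-tools; the
device names, MACs and addresses below are constructed."""
import struct

CDP_MAC = bytes.fromhex("01000ccccccc")   # multicast MAC shared by CDP, VTP, DTP, ...
# LLC (DSAP/SSAP 0xAA, control 0x03) + SNAP (Cisco OUI 00:00:0C, protocol ID 0x2000 = CDP)
SNAP_CDP = b"\xaa\xaa\x03" + b"\x00\x00\x0c" + b"\x20\x00"
CDP_VERSION = 2

# TLV types as documented by Cisco and dissected by Wireshark
TLV_DEVICE_ID, TLV_ADDRESSES, TLV_PORT_ID, TLV_CAPABILITIES = 0x0001, 0x0002, 0x0003, 0x0004
TLV_VERSION, TLV_PLATFORM = 0x0005, 0x0006
CAP_BITS = [(0x01, "Router"), (0x02, "TB-Bridge"), (0x04, "SR-Bridge"), (0x08, "Switch"),
            (0x10, "Host"), (0x20, "IGMP"), (0x40, "Repeater")]


def cdp_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over the CDP header and TLVs. Cisco's odd-length
    quirk is not reproduced: this example only handles even-length payloads."""
    if len(data) % 2:
        raise ValueError("odd-length CDP payload not supported by this example")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tlv(kind: int, value: bytes) -> bytes:
    """TLV = 2-byte type, 2-byte total length (header included), value."""
    return struct.pack("!HH", kind, 4 + len(value)) + value


def address_tlv(ipv4s) -> bytes:
    body = struct.pack("!I", len(ipv4s))
    for ip in ipv4s:
        # protocol type 1 (NLPID), protocol length 1, NLPID 0xCC = IPv4, address length 4
        body += b"\x01\x01\xcc" + struct.pack("!H", 4) + bytes(int(o) for o in ip.split("."))
    return tlv(TLV_ADDRESSES, body)


def build_cdp_frame(src_mac: str, device_id: str, ipv4s, port_id: str, caps: int,
                    platform: str, ttl: int = 180) -> bytes:
    """Forge a CDP announcement (what cdp-send does) as a raw 802.3 frame."""
    tlvs = (tlv(TLV_DEVICE_ID, device_id.encode()) + address_tlv(ipv4s)
            + tlv(TLV_PORT_ID, port_id.encode())
            + tlv(TLV_CAPABILITIES, struct.pack("!I", caps))
            + tlv(TLV_PLATFORM, platform.encode()))
    csum = cdp_checksum(struct.pack("!BBH", CDP_VERSION, ttl, 0) + tlvs)
    payload = struct.pack("!BBH", CDP_VERSION, ttl, csum) + tlvs
    # 802.3 header: dst, src, length field (not an EtherType), then LLC/SNAP and CDP
    eth = CDP_MAC + bytes.fromhex(src_mac.replace(":", ""))
    return eth + struct.pack("!H", len(SNAP_CDP) + len(payload)) + SNAP_CDP + payload


def parse_addresses(value: bytes):
    count = struct.unpack("!I", value[:4])[0]
    off, out = 4, []
    for _ in range(count):
        ptype, plen = value[off], value[off + 1]
        proto = value[off + 2:off + 2 + plen]
        alen = struct.unpack("!H", value[off + 2 + plen:off + 4 + plen])[0]
        addr = value[off + 4 + plen:off + 4 + plen + alen]
        off += 4 + plen + alen
        out.append(".".join(map(str, addr)) if (ptype, proto, alen) == (1, b"\xcc", 4)
                   else addr.hex())
    return out


def parse_cdp_frame(frame: bytes) -> dict:
    """Decode a captured frame into the fields cdp-listen prints; rejects non-CDP or corrupt frames."""
    if frame[:6] != CDP_MAC or frame[14:22] != SNAP_CDP:
        raise ValueError("not a CDP frame")
    length = struct.unpack("!H", frame[12:14])[0]
    payload = frame[22:14 + length]
    version, ttl, _ = struct.unpack("!BBH", payload[:4])
    if cdp_checksum(payload) != 0:      # checksum field included: a valid payload sums to zero
        raise ValueError("bad CDP checksum")
    info = {"version": version, "ttl": ttl}
    off = 4
    while off + 4 <= len(payload):
        kind, tlen = struct.unpack("!HH", payload[off:off + 4])
        if tlen < 4 or off + tlen > len(payload):
            raise ValueError("malformed TLV")
        value = payload[off + 4:off + tlen]
        if kind == TLV_DEVICE_ID:
            info["hostname"] = value.decode(errors="replace")
        elif kind == TLV_ADDRESSES:
            info["addresses"] = parse_addresses(value)
        elif kind == TLV_PORT_ID:
            info["port_id"] = value.decode(errors="replace")
        elif kind == TLV_CAPABILITIES:
            bits = struct.unpack("!I", value)[0]
            info["capabilities"] = [name for bit, name in CAP_BITS if bits & bit]
        elif kind == TLV_PLATFORM:
            info["platform"] = value.decode(errors="replace")
        off += tlen
    return info


if __name__ == "__main__":
    # Constructed announcement modelled on the cdp-listen output above.
    frame = build_cdp_frame("00:11:22:33:44:55", "cisco-test", ["192.168.1.2"],
                            "FastEthernet0/1", 0x08 | 0x20, "cisco WS-C2960")
    print(parse_cdp_frame(frame))
```

To send a forged frame for real you would write the bytes from build_cdp_frame() to an AF_PACKET raw socket bound to the interface (root required), which is all cdp-send does on top of libnet.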

In production, it is usually recommended to DISABLE CDP on your Cisco devices unless strictly required. CDP is great for debugging and management, but it announces the device’s hostname, addresses, platform and software version to anyone on the segment, and it adds traffic. Where it is needed for management, turn it off at least on untrusted edge ports rather than leaving it on everywhere.

Careful typing in phone unlock passwords

July 19th, 2014

Short article with a simple message. Be careful when punching in your phone unlock code. We do it all through the day, and very rarely are we mindful of who is around us at the time. Are you comfortable leaking your phone access password to people all day? Aside from your simple phone access password, are there any other security measures to stop a thief or hacker gaining full access to your contacts, emails and other private information? As an experiment, I actively attempted to snoop on anyone typing in their phone unlock code whilst I travelled into central London and back today. I lost count eventually, but the result was well over 40 just on the journey there. It was also harrowing to see that almost everyone (perhaps over 90%) on the underground took out a phone or tablet at least once on the train journey.

Avoid exposing your IP on Instant Messengers

July 18th, 2014

If the privacy of your IP address is a concern, then stay alert when using instant messengers. Using Skype as an example, it is trivial to obtain your peer’s IP address when the call runs directly between the two of you rather than through a relay. Once you initiate a call with your peer, there will be a continuous stream of data moving back and forth. Either with netstat or with Wireshark (easier), capture on the interface and look for a busy UDP conversation. Then look at the source/destination IPs: one will be yours and one will be that of your peer. Current sockets can be listed using the native tool, netstat, but as you can’t see the data moving back and forth in real time, it will be harder to identify which one belongs to your Skype peer.

Another option for obtaining your peer’s address is simply social engineering. “Here’s the page: http://www.adampalmer.me/iodigitalsec/test-page” – now I just need to tail my web logs until ‘test-page’ gets hit, and I retrieve the peer’s IP address from my logs.
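Both approaches above amount to a small amount of filtering. As an added example (not the post’s own code), here they are in Python against constructed data: a list of UDP packet records of the kind a capture filter of “udp” would give you, and a few Apache-style access log lines. 192.168.0.10 stands in for “me”, 203.0.113.45 for the peer, and the page path is the one from the post; the assumption in likely_peer() is that the call is direct, because a relayed call will show the relay’s address instead of the peer’s.

```python
"""Two ways to learn a chat peer's IP address, as described above.
Added example with constructed data; not from the original post."""
import ipaddress
import re
from collections import defaultdict

ME = "192.168.0.10"
# Constructed UDP packet records: (src_ip, src_port, dst_ip, dst_port, length).
# The 203.0.113.45 flow stands in for a direct call; the rest is DNS/NTP background noise.
PACKETS = [(ME, 51234, "8.8.8.8", 53, 70), ("8.8.8.8", 53, ME, 51234, 120),
           (ME, 123, "192.0.2.99", 123, 76), ("192.0.2.99", 123, ME, 123, 76)]
for _ in range(40):
    PACKETS.append((ME, 40000, "203.0.113.45", 31337, 1200))
    PACKETS.append(("203.0.113.45", 31337, ME, 40000, 1150))

# RFC 1918, loopback, link-local and multicast: never a peer on the public internet.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                                              "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]


def is_lan(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def udp_conversations(packets):
    """Aggregate packets into bidirectional conversations, as Wireshark's
    Statistics > Conversations view does, keyed by the unordered endpoint pair."""
    convs = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, sport, dst, dport, size in packets:
        key = tuple(sorted([(src, sport), (dst, dport)]))   # direction-independent key
        convs[key]["packets"] += 1
        convs[key]["bytes"] += size
    return dict(convs)


def likely_peer(packets, my_ip):
    """Busiest UDP conversation between my_ip and a non-LAN address: (ip, port, bytes).
    Assumption: the call is direct; with a relayed call this returns the relay."""
    ranked = sorted(udp_conversations(packets).items(),
                    key=lambda kv: kv[1]["bytes"], reverse=True)
    for (a, b), stats in ranked:
        if my_ip not in (a[0], b[0]):
            continue
        other = b if a[0] == my_ip else a
        if is_lan(other[0]):
            continue
        return other[0], other[1], stats["bytes"]
    return None


# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def visitors_of(log_lines, path):
    """Client IPs (with timestamps) that requested `path`: the send-a-link variant."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("path") == path:
            hits.append((m.group("ip"), m.group("time")))
    return hits


# Constructed access-log lines.
SAMPLE_LOG = [
    '198.51.100.7 - - [18/Jul/2014:13:58:02 +0100] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [18/Jul/2014:14:03:11 +0100] "GET /iodigitalsec/test-page HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [18/Jul/2014:14:03:12 +0100] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(likely_peer(PACKETS, ME))
    print(visitors_of(SAMPLE_LOG, "/iodigitalsec/test-page"))
```

For live traffic, the equivalent of udp_conversations() is “tshark -i eth0 -q -z conv,udp” left running for the duration of the call.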

Accessing your messenger through a proxy may still leak information: you are relying on unaudited third-party software honouring the proxy you specify for every connection it makes, and anything it sends directly (UDP media traffic, for instance) bypasses the proxy entirely. Best is to use a VPN and route all traffic through the VPN server, so the only address your peer ever sees is the server’s. There will be added latency and delay, and whether it’s worth it for you depends on how much you value your anonymity.

I once heard a story about a remote IT contractor who was on a call with the team and realised that he had completely failed to prepare for the call or to complete the work being discussed to a high enough standard. Using Wireshark whilst on the call, he was able to quickly identify the IP addresses of his peers and launch denial of service attacks (in this case, UDP floods) against them, rendering the Skype call impossible. The other parties just kept dropping off one at a time until the call was abandoned. The IT contractor was then able to buy himself a couple of hours in order to put things right.

p.s. I don’t recommend you do this 🙂

 

Handling offshore projects

July 17th, 2014

Offshore projects can be a nightmare with the wrong offshore team and mismatched expectations. By “offshoring”, I’m talking about getting small business projects completed through sites such as oDesk or Freelancer, not corporate offshore team management. There’s an assumption that “offshoring is cheaper”; it often is, but not always. Let’s look at some of the things that can go wrong in offshore projects:

  • Communication problems and language barriers
  • Project takes significantly longer than expected
  • Offshore contractor disappears mid-project
  • Offshore contractor misrepresents himself – claims are often harder to verify with regards to education and past experience.

If you want to offshore without all the hassle, have a look at our web development services.

Before deciding to offshore, ask whether it’s appropriate for this particular project, or whether you’re just expecting it to be cheap. Does your project have a time sensitive deadline? What happens if the project isn’t completed on time or at all? Is that something you can live with or will that cause unacceptable loss?

When working with contractors, assess their level of communication, ability to understand and follow through on instructions, and ability to complete a short trial. I’m not usually interested in degrees, courses or awards that the contractor claims. They are often too hard to validate, and don’t really provide any assurance that my job is going to get done well, which is ultimately all I’m concerned with. There are plenty of institutions online offering degrees, MBAs and diplomas and unfortunately, cheating in online exams is rife – sitting exams for other people, googling answers or phoning friends mid exam.

  • Set up small stages and hold the contractor accountable at each stage. Don’t let the project derail further and further by allowing deadlines to slip and by accepting substandard work.
  • Get advice! If you’re hiring a programmer, and you’re not a programmer yourself, perhaps consider an independent programming manager. You don’t want to get stuck with either poor work that doesn’t function, or worse, poor work that does function. You’re just delaying a full rebuild in the future, and you’re now sitting on a liability.
  • Monitor regularly! Don’t micromanage but keep a close eye. Is the contractor completing your work the person you hired, or has it been subcontracted out further at an even cheaper rate? Is the contractor working in the way you’ve specified or in his own way?

Offshore contracting can be cheap and can be efficient. It can also be an expensive disaster. Assess your project, and assess a range of outsourcing options before going down the offshore route simply because it seems cheaper!

Staying safe on unknown networks

July 16th, 2014

Staying safe on unknown networks isn’t too difficult, as long as you keep security in mind. I often hear hoteliers advertising “secure WiFi”. I even took some IT training with a company (which shall remain nameless) some years back that advised using their “secure WPA2 network” for sensitive transmission. The statement is ambiguous in any case, but there is little security for the user in being connected to an encrypted wireless network where the network operator and the other network users are untrusted. Let’s look at some risks:

Regular Ethernet Cabled Network Risks:

  1. Interception of your data in transmission through a tap/RF emissions
  2. Interception of your data through network manipulation by malicious user on the network (DHCP spoofing, ARP spoofing, etc)
  3. Interception of your data at the router controlled by the local system admin, or at any other router along the route to your destination, each run by its own admin.

The risks of open WiFi and WEP-secured WiFi are the same as above, save that no tap is needed. The medium is the air, and anyone with access to the medium can intercept and manipulate traffic. WEP keys are recoverable from captured traffic in minutes, so WEP adds no real protection over an open network.

WPA/WPA2 is a slightly more interesting case. The access point negotiates a different pairwise key with each connected client, so another client sniffing the air sees encrypted data only. On a pre-shared key network (WPA2-PSK, which is what a hotel or café hands out), though, every user knows the passphrase, and passphrase plus SSID gives everyone the same PMK: anyone who captures a client’s 4-way handshake (or deauthenticates it to force one) can derive that client’s pairwise key and decrypt its traffic, which Wireshark will do for you once given the passphrase. A “secure WPA2 network” with a shared password therefore protects you from outsiders, not from the other guests; only WPA2-Enterprise (802.1X) gives each user a PMK of their own. Either way, network attacks such as DHCP spoofing and ARP spoofing work just fine.
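To make the WPA2-PSK point concrete, here is the key derivation the other guest performs, as an added example that is not from the post. It implements the standard PSK-to-PMK (PBKDF2), PRF and PTK steps from IEEE 802.11i and the EAPOL-Key MIC check a tool like aircrack-ng uses to confirm a passphrase; the passphrase, SSID, MAC addresses, nonces and the stub EAPOL message 2 are constructed. The first test vector (“password”/“IEEE”) is the one published in the 802.11i annex.

```python
"""WPA2-PSK: why a shared passphrase gives no privacy from other users on the network.
Added example, not from the post. MACs, nonces and the EAPOL frame are constructed."""
import hashlib
import hmac
import struct


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK -> PMK: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits (IEEE 802.11i).
    Everyone who knows the passphrase for this SSID gets the same PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def wpa2_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK for CCMP: 384 bits = KCK(16) || KEK(16) || TK(16). Everything here except the
    PMK travels in the clear in messages 1 and 2 of the 4-way handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_msg2(snonce: bytes, key_data: bytes) -> bytearray:
    """Minimal EAPOL-Key frame (message 2) with the MIC field zeroed. The MIC sits at
    offset 81: 4-byte 802.1X header + 77 bytes of descriptor fields before it."""
    body = (b"\x02"                                # descriptor type 2 = RSN
            + struct.pack("!H", 0x010a)            # key info: version 2, pairwise, MIC present
            + struct.pack("!H", 16)                # key length
            + struct.pack("!Q", 1)                 # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)   # SNonce, key IV, RSC, key ID
            + bytes(16)                            # MIC placeholder
            + struct.pack("!H", len(key_data)) + key_data)
    return bytearray(b"\x02\x03" + struct.pack("!H", len(body)) + body)


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2: MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16]."""
    zeroed = bytearray(frame)
    zeroed[81:97] = bytes(16)
    return hmac.new(kck, bytes(zeroed), hashlib.sha1).digest()[:16]


def legitimate_client(passphrase, ssid, ap_mac, sta_mac, anonce, snonce):
    """The client side: derive the PTK and emit message 2 carrying a valid MIC."""
    ptk = wpa2_ptk(wpa_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    msg2 = eapol_msg2(snonce, b"\x30\x14")   # constructed key data (stub RSN IE header)
    msg2[81:97] = eapol_mic(ptk["kck"], msg2)
    return ptk["tk"], bytes(msg2)


def recover_tk(passphrase, ssid, ap_mac, sta_mac, anonce, msg2):
    """The other guest: knows the passphrase, captured message 1 (ANonce) and message 2.
    Derive the PTK, check it against the MIC in message 2, and if it matches the TK that
    decrypts this client's traffic is known. Returns None if the passphrase is wrong."""
    snonce = bytes(msg2[17:49])
    ptk = wpa2_ptk(wpa_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    if not hmac.compare_digest(eapol_mic(ptk["kck"], msg2), bytes(msg2[81:97])):
        return None
    return ptk["tk"]


if __name__ == "__main__":
    ap, sta = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))   # constructed; real ones are random
    tk, msg2 = legitimate_client("hotelwifi2014", "HotelGuest", ap, sta, anonce, snonce)
    print("eavesdropper has the client's TK:",
          recover_tk("hotelwifi2014", "HotelGuest", ap, sta, anonce, msg2) == tk)
```

With WPA2-Enterprise the PMK comes out of the EAP exchange per user, so the same captured handshake gives an eavesdropper nothing to check a passphrase against.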

My 5 step offshore interviewing process

July 15th, 2014

Being often called on to assemble and manage teams of designers and coders through projects, I’ve developed a few tips and tricks in 12+ years of offshoring which I wanted to share. They may be obvious to some. With experience, I’ve found that most offshore contractors are hard working and keen to grow, but can sometimes be challenging or even impossible to work with.

  • Can a job applicant read?

Usually, the job description will contain the old test, “please include the word ‘blah’ at the top of your reply to prove you’ve read this description”. This makes sure that the applicant has read the description rather than just posted a cut-and-paste canned application to multiple jobs. Sometimes, applicants respond to questions that they prepare rather than actually reading and understanding your questions. I was hiring someone to work on some Google AdWords campaigns. I asked, “can you let me have some stats/supporting evidence/case study on any recent previous job – click through rates, impressions, conversions and metrics.” What I’m asking is, what did you do, and what were the results? The applicant on the other hand seemed to answer the question, “can you tell me anything you can think of about some of your past work?” As an applicant, if you can’t read my requirements and queries accurately, how can I work with you?

If you want to save yourself the hassle, have a look at our php programmer services.

Open relay mail server fail

July 14th, 2014

After my near fail with a potential phone malware infection, the only thing that could top my week was an actual fail! I managed it in style by publicly exposing an open mail relay – talk about basics 101! I’ve been travelling pretty extensively over the last 6 months and frequently find myself on connections where port 25 outbound (SMTP) is blocked.

So I’m sitting in an internet cafe in south Peru, on a connection sporting something like 64kbit down and 5kbit up. I’ve just beaten my worst latency record with a ping time of about 5 seconds to 8.8.8.8. I have 4 items sitting in my outbox and I’m wondering whether they’re not going because the port is blocked, because there’s an issue with my mail server, or whether they’re about to go at any minute but just can’t make it past the huge connection latency. (In case you were wondering, I’m just setting up my excuses!)

Eventually some debugging with netcat and tcpdump led me to confirm that port 25 is blocked. No problem, it’s my personal mail server after all, I’ll just set up a proxy listener on port 2525. With a one-liner to execute simpleproxy, my mails start leaving and all is good. I daemonize simpleproxy for later and go and do something else.
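The post breaks off here, but the check worth keeping to hand is an open-relay test you can point at any listener you expose, a 2525 proxy included. This is an added example, not the post’s own code: accepts_relay() drives an smtplib session and reports whether the server accepts a RCPT TO for a domain it doesn’t host from an unauthenticated client. FakeSMTP is a constructed stand-in so the check can be exercised offline; it models one common way a local proxy turns into an open relay (connections arriving from 127.0.0.1, which the MTA trusts for relaying), which is an assumption for illustration, not something the post states was the cause.

```python
"""Open-relay check for an SMTP listener. Added example, not from the post.
FakeSMTP is a constructed stand-in so the check runs without a real server."""
import smtplib


def accepts_relay(smtp, sender="probe@example.net", rcpt="probe@example.org"):
    """True if the server accepts RCPT TO for a domain it does not host, without
    authentication. `smtp` is a connected smtplib.SMTP (or compatible) object.
    Most MTAs, Exim included, reject relaying at RCPT; a server that accepts here
    and only rejects at DATA is rarer, so to be conclusive follow up with DATA to
    a mailbox you control."""
    smtp.ehlo_or_helo_if_needed()
    code, _ = smtp.mail(sender)
    if code != 250:
        return False
    code, _ = smtp.rcpt(rcpt)
    smtp.rset()                      # abandon the transaction; nothing is sent
    return code in (250, 251)


def check_listener(host, port, **kw):
    """Run the probe against a real host:port, e.g. check_listener("mail.example.com", 2525)."""
    with smtplib.SMTP(host, port, timeout=15) as session:
        return accepts_relay(session, **kw)


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP. Relays only for client addresses in
    relay_from (a typical MTA default trusts loopback), otherwise accepts only
    recipients in its own domains."""
    def __init__(self, client_ip, relay_from=("127.0.0.1",), local_domains=("example.com",)):
        self.client_ip, self.relay_from, self.local_domains = client_ip, relay_from, local_domains

    def ehlo_or_helo_if_needed(self):
        pass

    def mail(self, sender):
        return 250, b"OK"

    def rset(self):
        return 250, b"OK"

    def rcpt(self, rcpt):
        domain = rcpt.rsplit("@", 1)[1]
        if domain in self.local_domains or self.client_ip in self.relay_from:
            return 250, b"Accepted"
        return 550, b"relay not permitted"


if __name__ == "__main__":
    # Direct connection from the internet: refused.
    print("direct:", accepts_relay(FakeSMTP("198.51.100.20")))
    # Same client via a loopback proxy: the MTA sees 127.0.0.1 and relays.
    print("via local proxy:", accepts_relay(FakeSMTP("127.0.0.1")))
```

If the 2525 listener forwards to localhost:25, the MTA never sees the real client address, so whatever relay policy keys on the source IP is effectively bypassed; the fix is either to forward to a non-trusted address, or to require SMTP AUTH on the forwarded port.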


Phone Malware Scare

July 12th, 2014

Earlier this week, I had a bit of a scare with phone malware that fortunately turned out to be nothing, but made me stop for thought. I’ve just come back from a period of travelling, with a mobile phone bill to match. The unbilled usage was slightly higher than I expected, so I started checking for calls and numbers. I noticed that there were a number of calls showing on the unbilled usage to numbers that I didn’t recognise dialling and that weren’t in my phone’s call history. The numbers were only dialled for a few seconds at a time and, additionally, the first 8 digits of the numbers dialled remained constant with only the last 3 changing each time. I then thought about how only 3 months ago my battery would usually last between 36 and 48 hours, but now can lose 50% in 8 hours.

It hit me that I must surely have malware running on my phone. Some malicious software that was running through blocks of numbers, automatically dialling at random until it found a victim, possibly logging the fact that the number was either assigned or that the call was answered.

I went and installed some free popular anti-virus software and began auditing installed applications, battery and processor usage. Fortunately in this case, my paranoia had run away with me. A quick call to the network provider confirmed that the numbers showing up were network numbers and that these entries would automatically be corrected or quantified as data usage on my final bill. Of course, my draining battery was most likely down to me using it more than when I’m travelling. A thorough audit followed and showed no sign of any malware.

It did get me thinking though. My phone contains some of my most personal and sensitive data: logins for all my email accounts, the majority of my contact list, my personal banking application and GPS functionality that knows where I am all of the time. Why then would I be so liberal with the software that I install on this device, even if it is from trusted sources? Why wouldn’t I be more concerned with the ridiculous permissions that some of these applications request, such as a Spanish-to-English dictionary needing phone access?

The incident was a bit of a wake-up call to spend more time practising what I preach. If I’d found company directors or staff with this level of business data on a phone with such sloppy application and permission management processes, I would be highlighting it as beyond critical. Fortunately, I avoided a major fail that time. It turns out that it took a scare before I took the risk seriously.

Exim, DKIM and Debian Configuration

July 11th, 2014

DKIM (DomainKeys Identified Mail) is a system for cryptographically signing messages so that a recipient can confirm they were sent by a server authorised at domain level. A private and public key pair is generated. The sending server uses the private key to sign each message (a hash of the body together with selected headers), adding the result as a DKIM-Signature header, and the public key is published as a DNS TXT record under the domain name (at selector._domainkey.domain, so that several keys can coexist and be rotated). This allows recipients to verify that mail claiming to be from the domain was signed by a key the domain owner published, and that the signed headers and body were not altered in transit. Implementing DKIM in a mail system increases trust and deliverability.

Setting up Exim to sign outgoing mail under DKIM (DomainKeys Identified Mail) is a reasonably quick and simple task: signing is configured on the remote smtp transport via the dkim_domain, dkim_selector and dkim_private_key options (and dkim_canon for the canonicalisation mode). Assuming you’re using an up to date version of Debian with Exim4, the process is even easier.
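Two parts of DKIM trip people up regardless of MTA: getting the public key into DNS in the right shape, and understanding why a verifier’s body hash (the bh= tag) still matches after a relay has fiddled with whitespace. As an added example that is not from the post, the Python below builds and parses the TXT record and computes the body hash under both canonicalisation modes from RFC 6376. The selector, domain and PEM text are placeholders (the PEM body is not a real key; the record format is what is being shown), and the message bodies are constructed.

```python
"""DKIM plumbing a verifier relies on: the DNS record carrying the public key, and the
body hash (bh=) under the simple and relaxed canonicalisations of RFC 6376.
Added example, not from the post; the key text used with it is a placeholder."""
import base64
import hashlib
import re


def dkim_txt_record(selector: str, domain: str, public_key_pem: str):
    """Return (name, value) for the TXT record. The name is <selector>._domainkey.<domain>,
    which is what lets several selectors (and key rotations) coexist for one domain."""
    b64 = "".join(line.strip() for line in public_key_pem.strip().splitlines()
                  if not line.startswith("-----"))
    return f"{selector}._domainkey.{domain}", f"v=DKIM1; k=rsa; p={b64}"


def txt_strings(value: str, limit: int = 255):
    """A TXT record is a sequence of strings of at most 255 bytes. A 2048-bit key does
    not fit in one, so the zone file must split it ("..." "...") and resolvers rejoin it."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def parse_dkim_record(txt: str) -> dict:
    """tag=value list separated by ';'. Whitespace, including folding inside p=, is ignored."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def canonicalize_body(body: bytes, mode: str = "relaxed") -> bytes:
    """RFC 6376 sections 3.4.3 and 3.4.4.
    simple:  only trailing empty lines are removed (an empty body becomes a single CRLF).
    relaxed: additionally, runs of SP/HTAB collapse to one SP and end-of-line whitespace is
             dropped (an empty body becomes the empty string)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ") for line in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"".join(line + b"\r\n" for line in lines)


def dkim_body_hash(body: bytes, mode: str = "relaxed") -> str:
    """Base64 SHA-256 of the canonical body: the bh= value a verifier recomputes and compares
    with the one in the DKIM-Signature header before checking the RSA signature."""
    return base64.b64encode(hashlib.sha256(canonicalize_body(body, mode)).digest()).decode()


if __name__ == "__main__":
    # Placeholder PEM: the standard RSA SubjectPublicKeyInfo prefix only, not a usable key.
    pem = "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkq\nhkiG9w0BAQEF\n-----END PUBLIC KEY-----\n"
    name, value = dkim_txt_record("mail2014", "example.com", pem)
    print(name, "TXT", " ".join('"%s"' % s for s in txt_strings(value)))
    print(parse_dkim_record(value))
    print(dkim_body_hash(b"We  lost the game.\t\r\n\r\n"),
          dkim_body_hash(b"We lost the game.\r\n"))
```

The relaxed mode is why “relaxed/relaxed” is the usual dkim_canon choice: a relay that re-wraps or re-tabs the body leaves the hash intact, whereas under simple canonicalisation the same change breaks the signature.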

Seeing through FUD

July 10th, 2014

FUD, or Fear, Uncertainty and Doubt, is an often used marketing tactic, and not only within the information security industry. Exaggerating risks, presenting risks without substantiating factors and citing flaky supporting evidence are three of the most common tactics used. By spreading FUD, vendors get users to believe they need to buy something now to prevent imminent risks. FUD also paints a distorted picture of threats and scenarios. How are we able to make an accurate assessment of a perceived risk such as an emerging threat?

Critical thinking. Imagine the following simple example, “Senior analysts reported a year on year increase of up to 30% on attempted security breaches.”

1. WHICH and HOW MANY senior analysts, analysing WHAT data and working for WHOM?
2. HOW is “year on year” measured? January to December? A Company’s accounting or reporting year?
3. “Up to 30%” is a largely meaningless statistic which can be rewritten to be, “Somewhere between 0 and 30%”
4. WHAT is an “attempted security breach”? Who qualifies it? Who measures it? Who reports it and to whom?
5. WHAT type of “attempted security breach” was covered? Do these types apply to me?

FUD appears to be especially rife in infosec, though I’m not sure it really is. I believe that infosec types are naturally curious, critical thinkers, and so the FUD stands out more. Our FUD is no more special than anyone else’s FUD found across global industries and marketing practices.

Why pen test?

July 9th, 2014

Let’s first distinguish a pen test (penetration test) from a vulnerability assessment.

A pen test is exactly that – testing to see if the systems can be penetrated by an attacker. Remaining within the agreed scope, a pen test is done with a hacker’s mind set. Different tools and methods may be used, different services may be attacked and combination attacks may be leveraged in order to penetrate the target systems.

A vulnerability assessment on the other hand involves testing systems or services for known vulnerabilities alone. It is often achieved partially or wholly through an automated scan using a tool such as Nessus. A vulnerability scan will typically check for enabled software features, misconfigurations or specific running versions of software that are known to be vulnerable. Vulnerability assessments can also be used as part of a larger pen test.

So a pen test is better, right? Not necessarily; it depends on the aims of the test and the business requirements. Vulnerability assessments are often used as a precursor to a pen test, but also where specific risks need to be assessed. They won’t, however, provide an accurate picture of your security posture against a real attacker. Attackers often won’t just run vulnerability assessment tools against a target, but will attempt to leverage coding, policy and all manner of trust weaknesses in order to gain access.
