Thursday 14 June 2012

5 Lessons from the LinkedIn Breach!


The recent LinkedIn security breach wherein approximately 6.5M user accounts were breached is not something absolutely new. Such incidents are quite common place. The question is what have we really learnt from these incidents?

Though the exact cause of breach is not known we can definitely point out some obvious flaws like lack of sophisticated security control. In this entry I would like to provide what I believe are key learning from the LinkedIn incident. I am sure most would agree with my viewpoints and I welcome comments from those who do or don’t.
Learning #1: Have a robust encryption scheme
In the aftermath of the LinkedIn attack, it is observed that site used a very weak encryption system for the passwords which allowed the attackers to obtain the password hashes and decode them easily. LinkedIn should have used “salting” for better security. It is very important to design a robust security architecture and a strong encryption scheme. The best is to use tried and tested methods than creating your own innovations in this area.
Learning #2: Get a Security Incident Management Solution and use it!
LinkedIn was largely unaware of any security events leading up to the final breach. The fact that LinkedIn’s security event monitoring regime failed to detect the initial signs of the breach and the actual breach itself, leads us to believe that the security event monitoring and incident response framework has some serious shortcomings that must be identified, acknowledged internally, and ultimately fixed. It is not interesting to know that you are hacked through the media.
Learning #3: Respond to vulnerability disclosures seriously and hire a security team!
LinkedIn is making good money and getting a good security team is not a bad decision. I am not sure if LinkedIn has got the optimum team to respond to security vulnerabilities disclosed to them. From iViZ we sent them several notifications on vulnerabilities in their site but we got no response. Our experience with other companies like Microsoft had been just the opposite. As a part of responsible vulnerability disclosure we report vulnerabilities first to vendors and help them to fix it. LinkedIn needs to be more responsive.
Learning #4: Have an Emergency Response Team
Post the discovery of the security breach, the formal remarks and comments originating from senior staff at LinkedIn were unclear and ambiguous and did little in terms of alleviating the concerns of its users For example, LinkedIn was not able to state exactly how many user account passwords were decoded and published online, but categorized the quantum of the breach simply as being “small” (hardly useful in estimating the actual quantum of damage to its users!). Furthermore LinkedIn labeled some of its users as those “at greatest risk” and those “potentially affected”. It is critical to have an Emergency Response Process and a Team for organizations which need serious security.
Learning #5: Conduct Penetration Test on your Application during every release!
LinkedIn is a huge application and they must be having very frequent releases. It is critical to test the application during every release. At iViZ most of our customers conduct Penetration Testing during every release which means more than 12 tests in a year. We have seen that those who test their application during all the release are at least 10 times more secure than who do it once in a year.
PS: I am sure there are several other critical learning. But thought that 5 is probably a good number to stick to than trying to figure out all. Your thoughts are welcome!

Sunday 8 April 2012

Leadership...what we know but miss out often !

Getting your mind trained as a leader

·         You are the sole person responsible for your success or failure
·         There is no excuse for any failure. A failure is a failure. Accept it gracefully. Learn from your mistakes. It is real failure when you do not accept and learn from it OR you give up.
·         Commitment is everything. There cannot be any reason failing to intimate in advance regarding not being able to keep up to your commitment. Feel genuinely bad if you cannot commit. There cannot be any excuse for not being able to commit. Saying “sorry” and just “sorry” is the best. Excuses would make you look immature.
·         Timeliness is a way of living. Either you are punctual or you are not. You cannot be punctual only in your meetings. It is a part of you so practice it in your daily life.
·         A leader is a catalyst. He makes other successful. Doing things is not your job but getting things done is what you are meant for.
·         A leader inspires others through his actions and words. Actions are more important than words.
·         A leader coaches his team members. He is their mentor.
·         A leader hires a team better than him and brings the best out of them.


How to fail as a leader?

·         Let me do it myself. It would save time.
·         Not giving credit to team or giving credit superficially and not meaning it.
·         Not accepting your failures. Blaming others for your failure.
·         Ask for it but not do it. Talk about punctuality and not be punctual yourself.
·         Think that you could hide your wrongs. A leader is always exposed. Everybody knows what mistakes he is doing.
·         Having ego. If you have to prove your point and not accept if you are wrong then be ready to lose all your respect. You either can have your ego or have respect. 

7 Steps to stress free management


I am writing below a very actionable and minimalistic approach to stress free management. 
A few goals which I had in my mind while writing it down was as follows:
·         
      Simple and Easy to adopt
·         Minimalistic i.e. you cannot drop anything out of these steps to really manage your stress effectively
·         Something I follow and it works for me:  I did not try to put together teachings from experts which I did not try.

There are many other aspects of stress management. Stress is a psychological state of mind and can be addressed in many ways. This document is on how to handle work supper effectively so that you can stay away from stressful situations arising in your life.  I am not covering the ways of handling stress through psychological training of mind or other physical or non-physical activities.

What causes stress?
·         Not getting the feeling of success or progress
·         Mind being burdened with too many things to remember
·         Not having the control or sense of control over your work or life
·         Having tensions in your mind which does not have a clearly defined action/dates to resolve

What does not cause stress?
·         Working hard

What are the key principles for stress free management?
·         Keep nothing in mind and write it down
·         Write down everything to do in one single place dedicated for single purpose
·         Organize and prioritize your work effectively
·         Making your subconscious mind believe that your process of management is robust enough and the mind does not need to remember anything

7 Steps to stress free management

Step 1: Set up the management tools
·         Blackberry mail service
·         A single excel document to manage your work
·         A whiteboard or a diary to manage your daily work
·         Outlook or online web calendar

Step 2: Managing your calendar
·         You should be completely driven by a calendar in your blackberry which should have a reminder 10 mins before the work starts
·         Your outlook calendar or web calendar should be synced up with your blackberry. In case it is not then use your blackberry as the single calendar.
·         All meeting or work should be in calendar
·         Look at your calendar every morning and set up the work and also monitor it every few hours.

Step 3: Set a proper mail management process
·         Any mail you need to take an action on should be marked unread or flagged as “To Close”
·         If you check a mail in your blackberry and suppose you need to take an action, then mark it unread if the blackberry is synced with your mailbox.
·         When you check you mails in the inbox (outlook or webmail) you need to flag the mail as “To Close” or mark it unread
·         Once the work is done or you have replied to it, you may mark it read or remove it from the “To Close” folder
·         Monitor your mailbox so that you have zero unread mails or zero “To Close” mails.

Step 4: Get your mind free
·         Have a single place to write down whatever you need to do. You can maintain an excel sheet.
·         Anything you need to do or remember should be mailed instantaneously to your mail box or in a notepad in your blackberry. Nothing should be remembered.
·         Every time you see a self mail which you need to work on, you need to copy it to your excel sheet where you maintain your work list. Or you may copy from the notepad in your phone and delete it once it is transferred to your excel document
·         Every time you have a stress or problem you need to find an action for that and set up a date and owner. This is very critical and kills your stress.

Step 5: Organize your work
·         Check your list of work and put it into different categories as : “do it now”, “do it later”, “create a project”. If there is some work which is not critical and you need not do it then simply delete it.
·         “Do it now” category should be the ones which can be done very quickly, say 5 mins. This should be done asap and the work should be deleted once done.
·         “Do it later” list should be seen once in month to check if something needs to be re-looked with a new viewpoint.
·         “Create a project” list should have an owner with dates of completion. Follow through to make sure that the work is done. Remove the work from the list once it is done.
·         You should try to keep the three list (“do it now”, “do it later”, “create a project”) as empty as possible.

Step 6: Daily work management
·         Write in a white board or in a diary: “To mail”, “To call” or “To do”.
·         Every day before you start the day spend 15 mins to fill up the above.
·         Before you leave for work, strike out all the work that is done. Copy the work not done to next day’s work list. In case you are using a white board simply remove the work done and let the “not done” work stay there as it is.

Step 7: Prioritize your work
You need to do this every week or month or quarter or year for the planning of that time period.

Urgent
Non Urgent
Important
This needs to be empty. Doing more of this creates stress but you need to get this done.
You need to see how you devote more of time on this kind of work. This is less stressful
Non Important
If you do this you are going to be  stressed
If you do this you are going to be extremely stressed and also unsuccessful.

Saturday 7 April 2012

Encrypting your hard disk is no longer safe…


We use disk encryption software to secure our data. But is it really secure? iViZ Vulnerability Research team discovered a new class of vulnerability which bypassed the security of Microsoft Bitlocker, McAfee Safeboot and several others.


 
Very recently iViZ discovered and showed to the world how hard disk encryption can be rendered practically useless. Hard Disk encryption tools including the BIOS password authentication routines use interruptions for reading password from the user during boot time before the operating system is initialized. The vulnerability lies due to the fact that the data read from user is copied at a static location in memory and is never removed even after use by the authentication program.


iViZ discovered that it is possible to steal the password of the disk encryption tools by running an exploit locally. Once an attacker gets the password, the encryption is rendered useless.



Breaking Microsoft Bitlocker

Bitlocker is the disk encryption feature introduced in Microsoft Vista. It has the capability to authenticate users in several ways, including with a password (PIN), when configured to work with the TPM chip. The password checking routine of Microsoft Bitlocker fails to sanitize the BIOS keyboard buffer after reading passwords, resulting in plain text password leakage to unprivileged local users.

Bitlocker's pre-boot authentication routines use the BIOS API to read user input via the keyboard. The BIOS internally copies the keystrokes in a RAM structure called the BIOS Keyboard buffer inside the BIOS Data Area. This buffer is not flushed after use, resulting in potential plain text password leakage once the OS is fully booted, assuming the attacker can read the password at physical memory location 0x40:0x1e.

Breaking True Crypt

The password checking routine of TrueCrypt fails to sanitize the BIOS keyboard buffer before AND after reading passwords. Truecrypt's pre-boot authentication routines use the BIOS API to read user input via the keyboard. The BIOS internally copies the keystrokes in a RAM structure called the BIOS Keyboard buffer inside the BIOS Data Area. This buffer is not flushed after use, resulting in potential plain text password leakage once the OS is fully booted, assuming the attacker can read the password at physical memory location 0x40:0x1e. It is also possible for a root user to reboot the computer by instrumenting the BIOS keyboard buffer in spite of the full disk encryption.

Breaking McAfee Safeboot

The password checking routine of SafeBoot Device Encryption fails to sanitize the BIOS keyboard buffer after reading passwords, resulting in plain text password leakage to unprivileged local users.

SafeBoot's pre-boot authentication routines use the BIOS API to read user input via the keyboard. The BIOS internally copy the keystrokes in a RAM structure called the BIOS Keyboard buffer inside the BIOS Data Area. This buffer is not flushed after use, resulting in potential plain text password leakage once the OS is fully booted, assuming the attacker can read the password at physical memory location 0x40:0x1e.

Anti-Virus… or Door for a hacker?


Security Tools are supposed to prevent attacks. Can the same tool be a door for a hacker? iViZ Vulnerability Research Team discovers attack which uses Anti Virus as the Door !



With rising cases of security incidents, more and more people have started using security software like anti-virus, firewalls, anti-spyware etc. These are meant to protect the users from common security attacks and vulnerabilities. However, the rising popularity of such software has lured the attackers to target the security software itself as the means to break into. Imagine this situation: you are running a secure system with anti-virus and other necessary software running on it. You assume that you are safe from the latest threats. But what if the anti-virus itself is vulnerable? It means that when a hacker exploits the vulnerability in your security software, he has complete access to your system! This article describes iViZ’s original security research on how the security software itself could be targeted by a hacker.



Your shield can be the attacker’s arrow! Hackers are targeting the security software to break into user’s systems.



How iViZ team found “holes” in Anti-Virus?

iViZ has state-of- art security research lab where we conduct research on discovering new vulnerabilities and attack techniques. Our belief is that if we need to secure ourselves then we need to stay one step ahead of the hackers. iViZ team has discovered previously that several of the security tools themselves are vulnerable. While conducting our research, we discovered that some anti-virus software behaved in a way which is not normal. We informed the vendors about such anomalous behavior and probed deeper to do the reality check.

Antivirus Vulnerability Research is conducted using a variety of file fuzzing techniques. During our research on this topic, we identified that many of the antivirus software, both commercial and open source, many a times do not properly handle complex or unusual executable header data especially in case of executables packed with 3rd party packers like UPX, FSG etc. Under such condition, we were able to hit multiple bugs in Antivirus Software while process malformed packed executables. Some of these bugs are proved to be security vulnerabilities because of their nature.



Vendor: AVG
 
Version: 7.5.51 (current), possibly others.
 
Vulnerability Description:
 
Multiple vulnerabilities were discovered in AVG Antivirus when analyzing specially crafted UPX packed files. Initial analysis shows that some of the vulnerabilities can theoretically be exploited to execute arbitrary code on the affected system with the privilege of the user running the vulnerable antivirus process or at least cause a Denial of Service Condition.
 
These vulnerabilities should be considered critical particularly in setup where the affected Antivirus Product is used for scanning incoming e-mails on a Mail Server.
 
Impact:
An attacker can remotely break into a victim’s system by sending him a mail with a malicious attachment. This vulnerability results in execution of malicious codes like Trojans, keyloggers, crimewares on the victim’s system to steal information. An attacker can also cause a Denial of Service condition using this vulnerability. 


Vendor: F-Secure F-Prot
 
Version: F-Prot version 4.6.8 for GNU/Linux
 
Vulnerability Description:
 
It is possible to protect an ELF binary against F-Prot by corrupting its ELF header, while letting the binary completely functional. F-prot will crash when analyzing the file, letting the possible malware undetected. This might result in complete bypass of Antivirus Protection.
 
Impact:
 
Any malicious content/attachments will pass completely undetected. Believing the attachments are clean and safe, the victim is most likely to execute it leading to complete system compromise.
 




Vendor: Sophos
 
Version: Sophos SAVScan 4.33.0 for Linux, possibly others
 
Vulnerability Description: Multiple Vulnerabilities have been discovered in Sophos Antivirus Product in parsing of specially crafted packed files from multiple packers including Armadillo, ASProtect, ASProtectSKE etc. Initial analysis shows that some of the vulnerabilities can theoretically be exploited to execute arbitrary code on the affected system with the privilege of the user running the vulnerable antivirus process or at least cause a Denial of Service Condition.
 
These vulnerabilities should be considered critical particularly in setup where the affected Antivirus Product is used for scanning incoming e-mails on a Mail Server.
 
Impact: An attacker can remotely break into a victim’s system by sending him a mail with a malicious attachment. This vulnerability results in execution of malicious codes like Trojans, keyloggers, crimewares on the victim’s system to steal information. An attacker can also cause a Denial of Service condition using this vulnerability.


Vendor: ClamAV
 
Version: ClamAV 0.93.3 and prior
 
Vulnerability Description:
 
ClamAV uses external unpackers for unpacking files packed with a variety of compression and encoding algorithms. There is vulnerability in specially crafted LZH packed files in the unpacker used by ClamAV. This vulnerability can be exploited to execute arbitrary code on the vulnerable system or at least cause a Denial of Service condition by forcing ClamAV to scan a malicious LZH packed file.
 
The vendor has removed support for external packers in the product from ClamAV 0.94 onwards
 
Impact:
An attacker can remotely break into a victim’s system by sending him a mail with a malicious attachment. This vulnerability results in execution of malicious codes like Trojans, keyloggers, crimewares on the victim’s system to steal information. An attacker can also cause a Denial of Service condition using this vulnerability. 

Vendor: Bitdefender
 
Version: v7 for Linux, possibly others
 
Vulnerability Description:
 
Multiple integer overflows were discovered in the GNU/Linux version of Bitdefender when analyzing specially crasted Portable Executable binaries packed with Neolite and ASProtect packers. Initial analysis shows that some of the vulnerabilities can theoretically be exploited to execute arbitrary code on the affected system with the privilege of the user running the vulnerable antivirus process or at least cause a Denial of Service Condition.
 
These vulnerabilities should be considered critical particularly in setup where the affected Antivirus Product is used for scanning incoming e-mails on a Mail Server.
 
Impact:
An attacker can remotely break into a victim’s system by sending him a mail with a malicious attachment. This vulnerability results in execution of malicious codes like Trojans, keyloggers, crimewares on the victim’s system to steal information. An attacker can also cause a Denial of Service condition using this vulnerability.
 


Vendor: Avast
Version: Avast for Workstations v1.0.8
 
Vulnerability Description:
 
Multiple buffer overflow vulnerabilities were discovered in the GNU/Linux version of Avast when analyzing specially crafted ISO and RPM files. Initial analysis shows that some of the vulnerabilities can theoretically be exploited to execute arbitrary code on the affected system with the privilege of the user running the vulnerable antivirus process or at least cause a Denial of Service Condition.
 
These vulnerabilities should be considered critical particularly in setup where the affected Antivirus Product is used for scanning incoming e-mails on a Mail Server.
 
Impact:
An attacker can remotely break into a victim’s system by sending him a mail with a malicious attachment. This vulnerability results in execution of malicious codes like Trojans, keyloggers, crimewares on the victim’s system to steal information. An attacker can also cause a Denial of Service condition using this vulnerability. 




How hackers can break into your system through anti-virus?
Step 1: Hacker does remote identification of antivirus - Some company Inc is running an antivirus in its mail server. The antivirus checks for every incoming mail for possible virus infection. If the mail is clean, the antivirus passes it and the mail is then forwarded to recipient. Else the mail gets dropped or rejected. The first step of an attacker is to identify the antivirus running in the server. He accomplishes this by using multiple techniques like services identification, open ports and vulnerability assessment or by checking a bounced mail.
Step 2: Hacker sends a mail with malicious attachment - Once the target antivirus is identified in the server gateway, the attacker crafts a mail targeted to a user registered on that mail server. At this time, he also attaches an executable that contains the malicious payload specifically meant for that antivirus. Incase the attackers objective isn't to attack the mail server antivirus software directly and he only wants to evade its detection he can use several techniques like Multiple  filename  or  boundary  fields  in  Content-Type,  Content-Disposition, skipped file name,CR without LF, Exploitation of poisoned NULL byte, Exploitation of unsafe fgets() problem etc. These techniques are useful when the intention of the attack is to get the attachment by the client systems.
Step 3: Anti Virus Scans the malicious mail attachment - Once the malicious email mail is received by the mail server software, the vulnerable AV software will try to scan the malicious executable. This may result either in antivirus software crash or execution of arbitrary code which results in complete security bypass.
Step 4: Attacker crashes the Antivirus and/or breaks into the system: If the attack is directly meant for the antivirus in the server gateway, it leads in full compromise of the server or else it results in client system compromise when the attachments are executed. In certain cases direct compromise can happen else only the anti-virus gets crashed.

iViZ Responsible Vulnerability Disclosure Practice
iViZ considers user security as the highest priority and thus follows strong responsible disclosure practice. We do not disclose any vulnerability details in public until we disclose it to the vendor. We closely work with the vendors and help them with all the details and at times in writing the patch. We disclose the vulnerability details in public only in close coordination with the vendors so that the user’s safety is always ensured. iViZ does not release the proof of concept exploits that demonstrate such real attacks in public. This is to ensure that iViZ research cannot be used by attackers with malicious intent.

Are we ready to be secure?

We deploy a security system to protect us. But it is also necessary to check whether the security system is itself secure. We hate the police system which themselves are party to crime. We hate a judicial system which is flawed.  But are we doing the same when it comes to building our security systems? We are living in the world of satisfaction with IDS/IPS and firewalls.. There is nothing in the world that can shake our confidence. The obvious question is “Did we configure the security tools properly so that they can do their job right?” But the non obvious yet very critical question is “Are the security tools themselves secure?”


We hate the police system which itself is party to crime. We hate the judicial system which itself is flawed.  But are we doing the same when it comes to building our security systems?



Compliance: The Good, Bad and Ugly...

Is “Compliance” and “Real Security” synonymous? Why organizations get compromised in spite of being compliant? What should we do to avoid that?

Compliance today is one of the most talked and debated topics. Compliance is the need of the day. However, many a times we miss out the real security in our pursuit of compliance. Numerous organizations got compromised in spite of being compliant.  Is compliance the real goal or is it “real security”? Theoretically, off course it is “real security” and that is the exact reason why the standards, guidelines and compliances have emerged. Today, in the race of time we hastily run for achieving certification and what we miss out at times could be the real goal - the “real security”.


The Good ...
The standardization and regulation of business practices have became very critical issues to many governments. The intent of such compliances is to protect the shareholders and the general public from the willful fraudulent practices in accounting, IT networks and business management. This varies from SOX, PCI DSS, ISO 27001 and HIPAA etc to suit specific industry and business types. A compliance framework provides structure and stability and implementation of a framework generally results in greater levels of process orientation within the organization and leads to many operational and security benefits. It also facilitates the systematic setup of a continuous improvement process accommodating changes in regulations and incorporating new regulations as they become applicable.


Why is compliance important?
·         Helps in establishing the baseline security processes.
·         Compliance is mandatory for certain businesses.
·         Helps in gaining customer trust.
·         Good start for managing security in a structured way.



The Bad ...
The truth is that it's possible to have excellent security and be non-compliant. It is possible to pass a compliance audit with flying colors and yet have poor security. The misconception that compliance equals security has led organizations to spend excessively on compliance, sometimes at the cost of security. Many regulated industries now spend a significant portion of security resources on compliance initiatives. This single-minded approach to compliance can put at risk some of the security initiatives within your business, even just to the point of shifting the internal priorities towards those initiatives involved with compliance.
Compliance creates a false sense of security. Being compliant may not mean that you are secure. The burden of compliance may lead to short term prioritization that may not be aligned with real security needs. It is commonly observed that to manage the compliance audit, the IT managers at times get hard pressed for time and hence overlooks several action items which are critical for security but may not be of immediate concerns for the audit. For example, an IT administrator may be forced to get focused on creating adequate documentation while missing out on applying a critical patch at the right time. Compliance can be a burden for smaller organizations or organizations with inadequate manpower. This can lead to working on too many things and not doing any of them perfectly.
Compliance is a journey and not a goal. However, many of us fail to realize or follow that. Once we achieve compliance, the fatigue and joy of achieving it makes us strive less hard at least for the time being.



What are the negative sides of compliance?
·         Being compliant and being secure is not necessarily the same.
·         Creates a false sense of security. Brings in complacency within the team.
·         Compliance may lead to short term prioritizations which are not aligned with real security needs.
·         Compliance can be a burden for organizations with resource crunch.
·         Guidelines are good but not always 100 percent complete. SANS Top 20 or OWASP Top 10 may be a good check but you may have vulnerabilities beyond that.

  
The Ugly ...
Although being verified by the compliance framework and best practices, some of the largest organizations have faced security breaches. It is pretty painful for an organization that has spent millions of dollars on compliance effort but still couldn't evade the grip of a deadly breach. The ugliest part of the story: have compliance only to get prepared for the next breach. This is particularly true as compliance makes an organization complacent to security risks and at times too slow to keep pace with the fast changing threat landscape.
The year of 2007 started with the most sensational “TJX data breach” when as many as 96 million customers credit card data was stolen. The organization was ISO27001 compliant and had implemented COSO framework as a best practice. Monster.com had also faced a similar situation last year where a trojan horse called “infostealer” had stolen more than 1.6 million records of job seekers and employers. Bank of India also faced a security incident in August 2007.
In November, the U.K. government arm of Revenue and Customs disclosed that it had lost records on 25 million juvenile benefit claimants. The department was compliant to UK data protection Act. World Bank Group network (one of largest data repositories of sensitive data) has been compromised by multiple people in early 2008.