Protect yourself from phishing

Phishing is a form of electronic communication that masquerades as a trustworthy entity. The goal is to acquire sensitive information such as passwords or credit card details. It is a psychological attack used by criminals to trick you. At the beginning, they used email to do so, but it has since evolved into message-based attacks (e.g. instant messaging or social media posts).

Before they spread the attack, they have already prepared a system to receive responses from victims. They craft a convincing-looking message using “good” grammar, as if a good or reputable company were emailing its customers. Then they send it to millions of people around the world. They do not actually know who will fall victim; they just wait for whoever clicks a malicious link, opens an infected attachment or responds.

There is another kind of phishing: spear phishing. It is the same as phishing, except that instead of sending to random recipients, criminals send it to selected recipients. In this case, they have researched whom they are targeting. If you want to know more about spear phishing, you can read this recent incident (0xHACKED: Brown University Accounts Distributing Phishing Emails).

Let’s say you have been targeted. Perhaps you wonder where they got your email address. The answer is very simple. It can come from social media such as Facebook, Twitter, Instagram, LinkedIn, etc. Or you may have put it online yourself through public blogs or forums. Please be aware that they have tools to crawl for this kind of information. In cyber security, we call such a tool an email scavenger: a type of web crawler program that searches the Internet and collects all email addresses it finds posted on web pages.

Now, the big question is: how do you stop it? Only YOU can do that. These are the phishing indicators:

  • Is the email sent by someone you do not know or do not work with? Check the “From”, “To” and “CC” addresses. Are they personal accounts using a public email service (e.g. @gmail.com, @yahoo.com, etc.)?
  • Check the greeting. Is it addressed to you, or does it say “Dear Customer”? If a trusted organization needs to contact you, they should know your name, right?
  • Be suspicious of grammar or spelling mistakes.
  • Be suspicious of any email that requires immediate action.
  • If you do not know the sender, DO NOT OPEN its attachment(s) and DO NOT CLICK any link(s). For hyperlinks, hover your mouse over the link and you will see its destination.
  • Be suspicious of any message that sounds too good to be true. Remember, there is no free lunch.
    Hope it helps you…. 🙂
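The indicators above can be turned into a simple header-and-body check. This is an added example, not part of the original post: it parses a constructed sample message and reports which indicators it matches (reply address on a public email service, Reply-To domain differing from the sender, urgency wording, a generic greeting, and link text whose host differs from the real target).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message for demonstration; all addresses and hosts are made up.
SAMPLE = """\
From: "PayBank Support" <alerts@mail-notify.example>
Reply-To: recover.paybank@gmail.com
To: you@example.org
Subject: URGENT: your account will be suspended
Content-Type: text/html

<p>Dear Customer,</p>
<p>Verify immediately: <a href="http://login.example-verify.net/x">https://www.paybank.example/login</a></p>
"""

FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
URGENT = ("urgent", "immediately", "suspended", "within 24 hours")
GENERIC = ("dear customer", "dear user", "dear member")
HREF_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def host(url):
    m = re.match(r"https?://([^/:\s]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""

def phishing_indicators(raw):
    """Return the list of indicator names found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    found = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain(reply_addr) != domain(from_addr):
        found.append("reply-to domain differs from sender domain")
    if domain(reply_addr or from_addr) in FREEMAIL:
        found.append("reply address uses a public email service")
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode("utf-8", "replace")
    text = msg.get("Subject", "").lower() + " " + body.lower()
    if any(w in text for w in URGENT):
        found.append("demands immediate action")
    if any(g in text for g in GENERIC):
        found.append("generic greeting")
    for href, label in HREF_RE.findall(body):
        # The visible link text names one host, the real destination another.
        if host(label) and host(label) != host(href):
            found.append("link text points to a different host than its target")
    return found
```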


    How to design Logging feature

Logging is an important feature and must be available in the system. It is useful for auditing purposes. Some applications I have developed do not have an interface for the user to configure this feature, so the team that maintains them has to get the records directly from their storage (e.g. database or files).

There are many benefits to having logs. They capture all information about what the user is doing in the system, e.g. adding a new record. They also capture all exceptions or errors thrown either by the application itself or by the system environment.

Please take note that a hacker is able to manipulate the logs. He usually amends or removes some entries in the logs to hide his actions after he exploits the system. So we need to think thoroughly when designing the logging feature of a system.

Let us see what the minimum requirements for a logging feature are.

  • There is an interface to configure the logging settings. The user should be able to configure:
    a. Turning the logging feature on or off per environment (e.g. development, test, production, etc.)
    b. What kind of information is logged (e.g. application events, operating system events, errors/exceptions, etc.)
    c. The verbosity of the logs (e.g. info, warning, error, etc.)
  • Only authorized users have access to change the logging configuration.
  • Logs are never overwritten and can only be appended to. If you have an issue with capacity, the logging verbosity needs to be planned carefully.
  • There is no delete function for removing entries/records from the logs.
Now the choice is yours regarding how you implement the logging feature in your system.
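One way to meet those requirements, as an added example that is not part of the original post: a logger whose settings object (hypothetical, named CONFIG here) controls environment, category and verbosity, whose only write path is append mode, and which offers no update or delete. On top of the post's list it chains each record to the previous one with SHA-256, so that an attacker who removes or edits an entry breaks the chain and the tampering can be detected.

```python
import hashlib
import json
import os
import tempfile
import time

# Hypothetical settings interface from the post: environments, categories, verbosity.
CONFIG = {"enabled_envs": {"test", "production"},
          "categories": {"application", "error"},
          "min_level": "info"}
LEVELS = {"debug": 10, "info": 20, "warning": 30, "error": 40}

class AppendOnlyLog:
    """Records are only ever appended; there is no update or delete method.
    Each record stores the SHA-256 of the previous line (a hash chain), an
    addition for this example that makes edited or removed entries detectable."""

    def __init__(self, path, env, config=CONFIG):
        self.path, self.env, self.config = path, env, config
        self.prev = self._last_hash()

    def _last_hash(self):
        last = "0" * 64
        if os.path.exists(self.path):
            with open(self.path, "rb") as f:
                for line in f:
                    last = hashlib.sha256(line.rstrip(b"\n")).hexdigest()
        return last

    def write(self, category, level, message, user="system"):
        """Append one record if the configuration allows it; True if written."""
        if self.env not in self.config["enabled_envs"]:
            return False
        if category not in self.config["categories"]:
            return False
        if LEVELS[level] < LEVELS[self.config["min_level"]]:
            return False
        rec = {"ts": time.time(), "env": self.env, "user": user, "category": category,
               "level": level, "msg": message, "prev": self.prev}
        line = json.dumps(rec, sort_keys=True).encode()
        with open(self.path, "ab") as f:          # append mode: never overwrite
            f.write(line + b"\n")
        self.prev = hashlib.sha256(line).hexdigest()
        return True

def verify_chain(path):
    """Return (ok, index of the first broken record or -1)."""
    prev = "0" * 64
    with open(path, "rb") as f:
        for i, line in enumerate(f):
            line = line.rstrip(b"\n")
            if json.loads(line)["prev"] != prev:
                return False, i
            prev = hashlib.sha256(line).hexdigest()
    return True, -1

def demo():
    """Write a few records, then simulate an attacker deleting the first one."""
    path = os.path.join(tempfile.mkdtemp(), "audit.log")
    log = AppendOnlyLog(path, "production")
    log.write("application", "info", "record added", user="alice")
    log.write("error", "error", "database timeout")
    dropped = log.write("application", "debug", "too chatty")    # below min_level
    intact = verify_chain(path)
    with open(path, "rb") as f:
        lines = f.readlines()
    with open(path, "wb") as f:                       # attacker removes first record
        f.writelines(lines[1:])
    return dropped, intact, verify_chain(path)
```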


    Secret Key Management Framework

If your application manages sensitive data, the main challenge during the design phase is choosing cryptographic techniques. First, we must understand the business requirement regarding how the system should process that data. We have to think through not just how to store it but the whole process: data being transferred from one point to another, or being processed in server memory.

In cyber security, we know the term code breaking. Have you ever watched Tom Cruise break a secret code in his Mission Impossible movies? Or you may dream of being James Bond, where secret messages are uncovered through some clever techniques. Wait a minute... do you think it is that easy? Sorry, the answer is NO.

Cryptanalysis is the study of finding vulnerabilities in cryptography. Hackers use its techniques to try to break secret codes. We can also use it with the intention of uncovering and addressing any weakness in our own cryptography. It is useful to have and apply this knowledge during the design phase. What should we consider?

It is critical to consider the work factor when choosing a cryptographic technique. The work factor is the effort (with available resources) needed to break a protection mechanism. Please take note that the work factor depends exponentially on the key size or key length, which is measured in bits or bytes. The key is a sequence of symbols that we use for the encryption and decryption processes, so we have to keep it secret.

To break a secret code, a hacker needs time and computational power. All cryptographic algorithms can (in principle) be broken, except for the one-time pad. So, how do we make sure that our key is kept securely? This is the Key Management Framework taken from the Official (ISC)2 Guide to the CSSLP CBK.

[Figure: key management framework]

To protect the secrecy of our key, we badly need good key management. From the CSSLP guideline, we can see that the key management life cycle runs from generation through exchange, storage, rotation, archiving and destruction. The key must be random when generated; that is the main criterion. Then it must be protected when it is shared so that it is not disclosed to anyone who is not eligible to have it. We also need to properly prepare a place where we store that key. It can be a hardware security module (HSM) such as a Trusted Platform Module (TPM) chip.

We also need to rotate our key, i.e. change it regularly for a new one. The change also needs to be done immediately upon key disclosure. Before we discard the old key, we need to decide whether we have to archive it in another secure place. We do this because some data in our system was encrypted with it. If we want to keep that data as it is, we need to archive the old key. Otherwise, we have to decrypt the data and encrypt it again using the new key. If the key is destroyed without being archived, the key needed to decrypt the existing data will be unavailable, leading to a denial of service (DoS) should there be a need to retrieve the data for forensics or disaster recovery purposes.
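The rotation, archiving and destruction steps above, as an added example that is not from the CSSLP guide or the original post. The KeyManager class is hypothetical; every ciphertext records the id of the key that produced it, rotation archives the old key rather than discarding it, and destroying a key that still protects data reproduces the unrecoverable-data case described above. The cipher is a SHA-256 counter keystream standing in for a real AEAD such as AES-GCM (the standard library has no AES); the lifecycle logic is independent of that choice.

```python
import hashlib
import os
import secrets

def keystream_xor(key, nonce, data):
    """Stand-in cipher for this example: XOR with a SHA-256 counter keystream.
    Production code would use AES-GCM from a vetted library; the lifecycle
    logic below does not depend on which cipher is used."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class KeyManager:
    """Generate -> use -> rotate -> archive -> destroy. Every ciphertext carries
    the id of its key, so archived keys keep old data readable until it is
    re-encrypted under the active key."""

    def __init__(self):
        self.keys = {}                 # key id -> [key bytes, state]
        self.active = None
        self.generate()

    def generate(self):
        kid = "k%d" % (len(self.keys) + 1)
        self.keys[kid] = [secrets.token_bytes(32), "active"]   # random 256-bit key
        if self.active:
            self.keys[self.active][1] = "archived"  # keep old key for decryption
        self.active = kid
        return kid

    rotate = generate                  # rotation is generating a new active key

    def encrypt(self, plaintext):
        nonce = os.urandom(16)
        return self.active, nonce, keystream_xor(self.keys[self.active][0], nonce, plaintext)

    def decrypt(self, kid, nonce, ciphertext):
        key, state = self.keys[kid]
        if state == "destroyed":
            raise KeyError("key %s was destroyed without archive; data unrecoverable" % kid)
        return keystream_xor(key, nonce, ciphertext)

    def reencrypt(self, record):
        """Migrate data from an archived key to the active key."""
        return self.encrypt(self.decrypt(*record))

    def destroy(self, kid):
        self.keys[kid] = [b"", "destroyed"]

def demo():
    km = KeyManager()
    record = km.encrypt(b"card number 4111")
    km.rotate()                                # k1 archived, k2 active
    still_readable = km.decrypt(*record) == b"card number 4111"
    migrated = km.reencrypt(record)            # now protected by k2
    km.destroy("k1")
    try:
        km.decrypt(*record)
        lost = False
    except KeyError:
        lost = True                            # the DoS case the post warns about
    return still_readable, migrated[0], km.decrypt(*migrated), lost
```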


    Put security in mind when designing a software

When you develop software, it can meet all quality requirements, but that does not guarantee that it is secure. However, if we keep security in mind during the design phase, it becomes added value that increases the quality of your software. Let’s see what benefits we get if we do this.

We can say that the design phase is the starting phase for implementing all requirements stated in the requirement specification. Good software does not come from good and secure code only; it also comes from good design. If we always practice putting security concepts into the design of our software, it becomes less prone to errors. Anyone who maintains this software will be very happy because it is easy to maintain. Again, this improves the quality of your software, right?

The other benefit is that we are able to detect every business flaw early. For example, there is a requirement for password recovery. Previously (and it may still be practiced nowadays), we encountered sites using a question-and-answer model to recover the user’s password. The drawback of this model is that a hacker has the ability to guess the answer because the number of possible answers is limited. Questions about a mother’s name or when the user was born are easy to answer from Facebook. That is the power of social media: hackers can use social engineering techniques to retrieve all the personal information of their target. Another question that is easy to guess is what color the user likes. The answers are limited to the common colors we know. In this case, we need to find another solution so that it is difficult for a hacker to guess.

In the end, we save time and cost since there is minimal-to-no disruption to business operations.


    The power of User-Agent

My good friend, Mike Wazowski, called and asked for my help. He told me that he encountered something strange when he looked for a tour package on a travel agency website. His family planned to go to Europe. He and his wife searched some travel agency websites. They browsed the same site and got different prices for the same tour. He asked me to investigate this issue.

First, I tried to do what he did and got the same price his wife got. Then I asked him to show me how he did it. Surprisingly, it was true that he got a more expensive price for the same tour. I opened BurpSuite and set it as a proxy to analyze the HTTP traffic. Then I tried some hacking techniques against that travel agency website.

Finally, I found that it was because of the HTTP header User-Agent. That travel agency website segmented its customers based on the value of User-Agent. It charged my friend more because he uses an Apple laptop. I did an experiment: I intercepted his HTTP request and changed its User-Agent... and... I got the normal price.

    What is User-Agent? How do we manipulate it?

User-Agent is our representative in communication within a client-server system. In HTTP especially, it identifies the software we use to send our request. Our browser populates this value automatically when we surf the Internet.

Most web browsers use a User-Agent with this format:

Mozilla/[version] ([system and browser information]) [platform] ([platform details]) [extensions]

For example, Safari on the iPad has used the following:

    Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/7B405

Usually, User-Agent is used:

• To detect the browser version, so that the application at the server side can decide whether it supports that particular browser and version.
• To detect the client type (e.g. mobile, PC, wearable device, etc.), so that the application at the server side can respond with a layout that depends on the type.
• By advertising companies, for statistical purposes.

In Mike’s case, the application at the server side segmented its customers based on their platform. Hahaha... smart.

Let’s see it from the other side... the black hat hacker’s side 🙂

User-Agent is the same as any other input field. It can be used to attack the application at the server side. If the User-Agent value is not validated and sanitized... a hacker can exploit the system.

What attacks can a hacker carry out?

    a. Stored and Reflected Cross Site Scripting (XSS)

Among the HTTP request headers, User-Agent is a prime candidate for XSS. The hacker modifies the User-Agent value to become something like this:

    User-agent: Mozilla/5.0 alert(‘XSS’);<!–

Of course, it is not as simple as that... the hacker will write a more evil script.

    b. SQL Injection

A large number of web analytics tools store the User-Agent value in a database. Imagine that User-Agent is not validated and a hacker injects an SQL query. For example:

User-agent: Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/532.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7C445c Safari/531.21.10 2011-10-16 20:23:50'

Note the single quote at the end of the value.

    c. Denial of Service

It can happen when a hacker fills User-Agent with a value longer than 255 characters. For more detail, you can read CVE-2004-0169.

Now we can see that User-Agent can be manipulated easily, from both the client and the server side. You must stay vigilant. You can refer to this site, http://www.useragentstring.com/, if you want to analyze an unusual User-Agent value.
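The server-side counterpart to the three attacks above, as an added example that is not part of the original post: the User-Agent is validated (length capped at 255, printable ASCII only), stored through a parameterized query so a stray quote cannot change the SQL, and HTML-escaped on output so a stored script tag cannot execute in a report page. The table and the sample values are constructed for the demonstration.

```python
import html
import re
import sqlite3

MAX_UA_LEN = 255                              # bound taken from the post's DoS note
PRINTABLE_ASCII = re.compile(r"^[\x20-\x7e]*$")

def validate_user_agent(ua):
    """Return the User-Agent if it is acceptable, or None if it must be rejected."""
    if ua is None:
        return ""
    if len(ua) > MAX_UA_LEN or not PRINTABLE_ASCII.match(ua):
        return None
    return ua

def store_hit(conn, ua, path):
    """Parameterized INSERT: a quote in the UA stays data, it never becomes SQL."""
    ua = validate_user_agent(ua)
    if ua is None:
        return False
    conn.execute("INSERT INTO hits (user_agent, path) VALUES (?, ?)", (ua, path))
    return True

def render_report(conn):
    """HTML-escape stored values on output so a stored script tag cannot run."""
    rows = conn.execute("SELECT user_agent, path FROM hits").fetchall()
    return "".join("<tr><td>%s</td><td>%s</td></tr>" % (html.escape(u), html.escape(p))
                   for u, p in rows)

def demo():
    """Feed constructed User-Agent values through the pipeline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hits (user_agent TEXT, path TEXT)")
    samples = [
        "Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) AppleWebKit/531.21.10",
        "Mozilla/5.0'); DROP TABLE hits; --",           # SQL injection attempt
        "Mozilla/5.0 <script>alert('XSS')</script>",   # stored XSS attempt
        "A" * 300,                                     # oversized value
    ]
    accepted = [store_hit(conn, ua, "/tour") for ua in samples]
    count = conn.execute("SELECT COUNT(*) FROM hits").fetchone()[0]
    return accepted, count, render_report(conn)
```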


    What do you have to know about build process?

The build process here is the conversion from source code to object code that the machine can understand. The integrity of this process can be assured by:

• Only authorized users have access to the system where the source code is stored.
• Version control must be applied to make sure the right version is deployed to the production environment.
• Sometimes we use a build script to automate the process. It is important that security controls are not circumvented.

The important thing about this process is to ensure that no new vulnerabilities are introduced. The main kinds of build tools used to get code ready for deployment are packagers and packers. Packagers are tools to build software (including its dependencies and resources), for example the Red Hat Package Manager, the Microsoft Installer and the Java Packager Tool. Packers are tools to compress executables for distribution.

Please take note that hackers also use packers to pack their malware. They use the same process to transform the executable’s appearance. It is done to avoid signature-based malware detection tools.


    Are you sure that you are using secured third party libraries?


Hmm… another question… Does a big name always bring a secure product? I can answer… maybe yes, maybe no.

However, you must certainly do your own research before putting third party libraries into your application. I give you one example. Your application processes sensitive information and puts it in a database. You use third party libraries to retrieve data before doing some other processing in your logic. How do we make sure that those third party libraries are secure enough? Remember, those libraries are handling our sensitive information. It is quite risky if we cannot find any information about them.

One thing you can do is search vulnerability databases and tracking systems. Nowadays many systems provide information about product vulnerabilities.

  • The National Vulnerability Database (NVD)
    NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics.

  • US Computer Emergency Response Team (CERT) Vulnerability Notes Database
    The CERT Knowledgebase is a collection of internet security information related to incidents and vulnerabilities.

  • Open Source Vulnerability Database
    An independent and open-sourced database that provides accurate, detailed, current, and unbiased technical information on security vulnerabilities.

  • Common Vulnerabilities and Exposures (CVE)
    CVE® is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities.

  • Common Weakness Enumeration (CWE)
    Targeted at developers and security practitioners, CWE is a formal list of software weakness types created to:
    a. Serve as a common language for describing software security weaknesses in architecture, design, or code.
    b. Serve as a standard measuring stick for software security tools targeting these weaknesses.
    c. Provide a common baseline standard for weakness identification, mitigation, and prevention efforts.


    Default Ports

This is a list of default (and popular) ports. It will be useful when you are doing port scanning.

Port           Description
20, 21         File Transfer Protocol
22             SSH (Secure Shell)
23             Telnet
25             Simple Mail Transfer Protocol
53             Domain Name Service
69             Trivial File Transfer Protocol
70             Gopher
80             HTTP
88             Kerberos
110            Post Office Protocol 3
115            Secured FTP
119            Network News Transfer Protocol
137, 138       NetBIOS Datagram Service (UDP)
139            NetBIOS Session Service (TCP)
143            Internet Message Access Protocol
160, 161, 162  Simple Network Management Protocol
389            LDAP Server (TCP/UDP)
443            HTTPS
636            Secure LDAP Server
1433           Microsoft SQL listening port
1701           Layer 2 Tunneling Protocol, used to establish VPN connections
1723           Point-to-Point Tunneling Protocol, used to establish VPN connections
3306           MySQL
3389           Remote Desktop Protocol
8080           GlassFish Java Application Server

    Quality and Security

    What is a distinction between quality and security?

In every software development project, the software must go through quality assurance (or testing) before being released or deployed. In this phase, all functionality is validated and verified. There are two purposes:
a. All functions must work properly as designed
b. All functions must meet the requirements as specified in the requirement specification

Some software also goes through quality processes and certification (e.g. Six Sigma). This proves that a quality standard has been applied during development.

However, we must understand that those processes do not mean that the software is secure. A software product that is secure will add to the quality of that software, but the inverse is not necessarily true. It is also important to recognize that having security features does not guarantee that the software is secure.

In order to develop hack-resilient software, it is important to incorporate security concepts throughout the software life cycle (requirements, design, code, release and disposal phases).


    Holistic Security

Secure software is characterized by securing the application, hosts and network holistically.

Currently, no software is deployed as a stand-alone business application. It is quite complex, running on host systems that are interconnected with several other systems on a network. A weakness (vulnerability) in any one of the layers may affect the other layers.

For example, there is a web application running on a machine, and it also accesses a database machine. If a hacker is able to exploit the application using an SQL injection technique, the whole network is in danger, because the hacker is able to compromise the database server and launch attacks on the entire network.

So, secure software contributes to the security of the entire computing ecosystem. What attributes make software insecure?

a. Iron Triangle Constraints
During software development, there are three major constraints to be managed: scope, budget and schedule. Adding security into the software is seen as having to do ‘more’, which is why security requirements are left out of the software.

b. Security as an Afterthought
Developers and management tend to think that security does not add any business value, since it is not easy to show a one-to-one return on security investment. Please take note that addressing vulnerabilities just before a product is released is very expensive.

c. Security versus Usability
Implementing secure features is viewed as making the software very complex, restrictive and unusable. Now, many banking applications implement two-factor authentication. It is an enhanced security feature compared to earlier times, when a username and password were enough for the authentication process. With this approach, whether using a token or receiving a password through SMS on a mobile phone, it increases inconvenience for customers. In this case, we need to factor in the concept known as psychological acceptability. Software security must be balanced with usability and performance.
