Security Fundamentals – How

Continuing the series, we get to the How they do it. There are too many examples to list, too many ways to perform the actions that gain them a foothold, or gain them the files they want or the result they seek, so here is a broad description based on common information

 

The How;

This is where the explanations become a bit more complex, but it generally boils down to one of two things and sometimes both at the same time;

  • Investment in security based controls and policies has been neglected
  • Realisation of the threat today is vastly underestimated

Many smaller businesses will generally start out with a few workstations, maybe a single server, an internet connection, some small network switch and a simple firewall and a Wi-Fi access point. At the beginning, setting it all up you would typically either do it yourself, call on a friend who knows a bit about computers or call in a small IT company to do it for you. This is all well and good at the beginning, and generally unless a hideous mistake has been made, you’re generally ok for about 6 months. Where the problems start is in the period directly after our first 6 months.

The bad guys are 80% ( in real world wide terms ) purely relying on getting lucky, that is to say, using booby trapped websites commonly known as drive by attacks or crafted emails using fake emails that drive you to click a link or open a document. Such attacks are usually sent in the millions and use lures of one kind or another to make you activate the trap.

As an example:

This is a payment confirmation e-mail for the ticket you ordered on Delta.com website.

 

This is a sample of an email that is typical.. but the link they want you to click doesn’t go to delta, it actually goes here :

http://randomname.kz/api/getn.php?id=c3VwcG9ydEBzdHJlYW13aXJlLmNvLnVr  ( randomname is fictitious and the real domain has been notified that they are being used for this attack method )

The link itself is running on a compromised Kazakhstan website that being used to deliver the malware, the website owner is probably unaware of this as is usual. The link wants to download a weaponised PDF file called “Delta_Ticket_Confirmation.pdf” which the unsuspecting target would open and IF their adobe reader is un patched or insecure, the PDF then calls down the payload to install in the background. Congratulations, your computer now has a new owner!

Another type of attack which has begun to gain traction recently is the CEO scam mail. This usually requires a little more effort on the part of the attacker as they have to do some recon work to identify who to send from and who to send to, but generally the content is the same as the example below shows;

 

This type of attack, or con is part social engineering and part technical abuse. The mechanics of this are quite simple.

  • The attackers finds a company that is small enough to not have too many accounting checks and stops in place, but large enough to offer a sizeable reward.
  • Next they test the target mail system to see if they can impersonate a mail without actually hacking into a mail box
  • Send a carefully crafted email at the right time ( simply calling the office and asking to speak to the CEO and framing words in a specific manner will often force the person at the other end to let slip that the CEO is not in the office )

Another variation to this is to send from a recently registered @outlook.com or Hotmail.com or Yahoo or Gmail address with the CEO’s name in the email address… make it look like a personal address and then mention in the email that the CEO wants to keep the content away from official company email server in case the deal goes wrong 😉 😉 wink wink.

This attack relies on two things;

  1. The financial persons acceptance of the order from the CEO, to do as instructed no questions asked
  2. The financial persons understanding that this needs to be kept under wraps and kept quiet.

From an early age, we are all taught to accept authority as absolute. Those of you with children will know what I’m talking about, you can get your child to do anything when you use the right tone of voice. It’s part of the growing pains that throughout our lives, early childhood, preschool, middle school, college and into university and then the work place, the reinforced notion of obedience to higher authority.

When you start work for the first time, you’re told what your duties are, and you do what you’re told. As you gain confidence and responsibility you start to learn how to interact with work colleagues and how to manage workloads etc. But here’s the facet the bad guys use in this socially engineered attack, they rely upon you doing as you are told! Your boss tells you to scan those files and send them to the accountant or fill out this form and zip it over to the warehouse and get it delivered pronto! Which is why so many of CEO scam mails actually work if they are careful about wording, grammar, time it’s sent and subjective content.

The bad ones that actually get caught are the ones where spelling is obviously wrong, or the grammar looks like English is not the first language, and it raises the level of uneasiness in the reader who gets suspicious enough to ask their boss, is this real?  Remember, the fact that they are asking shows they are concerned with the subject not being totally genuine and want to seek authentication.

Whichever method they use to gain a foot hold into your network or transfer money from your business accounts to their accounts, the single most common factor in every single victim case is that there were no monitoring, no checks, no controls, and no questioning the action if it came out of the blue.

Recently (January 23rd 2017), a payment manufacturer, VeriFone who makes card terminals that are used around the world suddenly announced they are investigating an internal breach. All of us at some time or another has used a VeriFone card terminal in a super market or coffee shop or petrol station to pay with contactless or with a 4 digit pin. Subsequent and ongoing investigations revealed that they had been penetrated and the bad guys had been active on their network since mid-2016!

That’s over 6 months of unfettered access inside the walls of a payment hardware manufacturer where the bad guys were roaming, testing, touching, sniffing, copying, intercepting and generally able to do as they pleased. I would suspect some heads are going to roll, as their security should have been by any stretch of imagination as strong as it gets. The bad guys probably managed to gain a lot of inside private knowledge on the software used to control the devices that allowed them to craft backdoors into the terminals directly. Which means in real terms, they could siphon off credit card and debit card details, intercept payment transfers, copy cards the whole works.

So how do attackers gain access to a large corporate network like VeriFone?

Exactly the same way they would gain access to yours! Crafted emails, directed links to booby trapped websites, convincing you to open a document containing macros, take advantage of poor security on webservers or socially engineer you into doing what they want.

The Recent WikiLeaks posts detailing the CIA Vault 7 tools used by the CIA is like pumping petrol into a burning house. The security threats are going to increase as these super-secret spook tools get wrapped into the existing toolset the bad guys have.

But wait! Don’t run for the hills just yet, there’s more.

Remember earlier in Why post we spoke about the Heat map that showed the highest threat today to all businesses? User social engineering.

It required, someone to click a link, to follow a link, to open a website, to download a file, to press ok on a popup. This is pretty much the 99% way any and every initial target gets infected.

Note I say initial target. When you get infected, you then become a risk to anyone connected to you. With VeriFone, anyone connected to them to simplify order processing, parts ordering etc, via a terminal, VPN link, whitelisted email scanner etc.. They all become vulnerable because the initial target or vector or if you will excuse the liberal use… Patient Zero goes un-noticed for a period of time.

Patient Zero is sometimes referred to as the Index Case, Wikipedia has a description that is very apt here;

The index case may indicate the source of the disease, the possible spread, and which reservoir holds the disease in between outbreaks. The index case is the first patient that indicates the existence of an outbreak. Earlier cases may be found and are labelled primary, secondary, tertiary, etc. The term primary case can only apply to infectious diseases that spread from human to human, and refers to the person who first brings a disease into a group of people.

A computer Virus/Trojan acts in the same manner as a biological virus.

Damage caused by being compromised has long reaching and long term effects. Sometimes they are immediately terminal, other times the pain is drawn out and eventually terminal. Other times you can recover from it. In every instance, reputation becomes a factor and your reputation in business can take a significant hit if you are found to be the cause of a customer or consumer infection. Do the bad guys care? No.

They got what they wanted, they siphoned your back account, raided your contacts list, copied your files, and then went on to infect others down stream of you and pretended to be your employees. Such rampages do happen.

Mostly they will attempt bribery or extortion or blackmail.

The following is a general description of some types of cyber-crime in those three areas that can and will happen to businesses up and down the country this year, this month, this week.

Bribery;

Gangs or groups of cyber criminals can approach a cleaner or similar low paid employee and attempt the bribe or coerce them into taking a usb drive into the work place and connecting it to any workstation they find. The usb drive, thumb drive, memory stick contains malware or a small Linux image that runs when powered and communicates back through the host computers link to the network and gives the attackers direct access in often bypassing firewalls. There are other angles to this, as in plugging in a dropbox (term for a small battery powered device that connected directly to an Ethernet port) and walking away. The drop box then tunnels out through the network to the command and control server and gives the attackers an in route to compromise the network.

Extortion;

The Cyber criminals obtain some piece of evidence or files or emails that you’d rather not have released to the public domain. Criminals would then contact you and provide a snippet of this information and tell you, that you have 24 hours to pay up or it gets released. Depending upon the materiel in question, this could be company secrets, personal communications, recordings, documents, pretty much anything.

Blackmail;

This one hits the news quite often. DDOS attacks generally target online retailers like gambling sites, gaming sites, retail sites and absolutely rely upon being up and available to sell their goods and services to paying customers. High traffic sites like gambling casino sites, online retailers especially at Christmas need to be available and the bad guys know this is the prime time to cash in.

The would target their website and send useless packets of junk to the webserver, millions a second, enough that the service slows down a little, then they contact the site owner and say something like… I just tried to use your site and it’s running really slowly… can you tell me why? The owners, or rather their help desk would do the investigation and realise they are under a low level but sustained attack, to which the attacker says… now watch this.

They then amplify the attack and take the site down.

Cyber criminals need to demonstrate their power in such a way that the victim suddenly and completely realises all defences they had put in place have just been made obsolete. The bad guys will then offer to cease the attack if they are paid a certain sum of money usually bitcoins or western union transfers. Investigators can usually determine the level of the bad guys by the terms and sums they demand, but sometimes it’s just someone who rented a botnet and wants to turn a fast buck.

(Remember earlier “your internet connected coffee machine“)

So how do they send so much traffic to the webserver… Well, answer is both simple and frightening at the same time. Across the world there are millions upon millions of home computers that are infected, that have been turned, in zombie parlance, they’ve been bitten by a virus and turned into packet dealing machines of death. Each of these machines, and the numbers are truly staggering.

What is a botnet?

A botnet is a network of internet connected devices that have been infected with malware, allowing an attacker to control them remotely without the permission or even awareness of the devices’ owners.

Compromised workstations / laptops coupled with compromised IOT (Internet of things) devices have produced two of the biggest botnets in recent history.

The biggest so far is the Mirai botnet, which is responsible for taking down Netflix and Twitter last year. This year, a new botnet is on the block, the Necurs botnet is predicted to have a higher effect as researcher have recently noted components that have been added to this botnet of over 1 million machines can now perform DDOS attacks. These types of attacks are likely to become more and more frequent as the years roll on. The devices especially IOT devices are CCTV cameras at home, Refrigerators, TV’s, Routers, DVR’s, Coffee Machines!