Thursday, November 3, 2011

Social Engineering: Always part of a full pentest

I've really been MIA with too much travel, and family obligations. I'm definitely going to be posting more frequently going forward.
As I process the conversations I had during an interview with my friends at, it got me thinking that I need to write a short blurb about SE and its value in the grand scheme of security assessments.

We'll start with the basics. The wiki defines social engineering as the art of making people give out their confidential information; more precisely, "social engineering" is the act of psychological manipulation. Here is a little about the elements SE is comprised of.

is, as it sounds, all about persuading the victim to willingly give you, "the attacker", the information you are after. This can take many forms; an easy example would be calling a victim, informing them that you are the new help desk temp who wants to make sure their computer is updated, and that they just have to provide you with their user name and password so you can check.

this is about cloning a legitimate authentication interface and getting users to enter credentials, or other personal information you may be interested in, into the cloned page instead of the legitimate one. An example would be cloning the and getting a user to enter credentials assuming your clone is actually and thus providing you, "the attacker", with a copy of the credentials used.
Apart from web pages, there are also phone and email phishing attacks, commonly used in most multi-vector SE attacks.

Baiting: A baiting scenario can be where malicious autorun software is placed on thumb drives and, let's say, the attacker stands in front of a corporate building with a sign that says "employee appreciation, please take 1." When the drives are plugged in they install or run malware such as a keylogger with phone-home capabilities.

Physical: Physical is the in-person manipulation of the natural human tendency to trust. An example would be a building with a badge-access-only door: you show up during a busy time when people are frequently entering through that door, carrying a box of donuts and your briefcase while on the phone, and get someone in front of you to hold the door for you because "your hands are full".

These are a few of the most commonly used social engineering attacks, and with just that small glimpse into what doors social engineering can open, it's astonishing that many organizations still conduct full security assessments and opt not to have SE / physical security tested.
Social engineering is an initial attack vector that can not only circumvent technological controls, but also be the initial phase in what may escalate into a full-blown multi-vector attack.
If organizations are going to do complete or full penetration tests and assessments, there should be no reason to exclude SE and physical. The value comes from having a more holistic understanding of your security posture, threats, and associated mitigations. Funding spent on beefing up only technological security is money well spent, of course; however, it may be a wasted investment if an individual can walk into your facility, unplug the device and simply remove it from the premises.

I will be posting the podcast as soon as it's available.

Tuesday, January 18, 2011

The Return of Koobface

Haven't blogged in a while, but as the nostalgia wears off and I settle into 2011, I figured I would write up a quick post that a lot of you might benefit from. Some of you may have heard of Koobface before, and it looks like the infamous worm has made a return. The new campaign is spreading primarily on Facebook at this point, but a jump to Twitter is sure to follow in the hours and days ahead. A change from its predecessor: the new campaign is spreading via direct messages sent from compromised accounts rather than the wall posting of links as done before. Additionally, this new variant uses a lot of obfuscation in the links being sent, and they redirect the victim to a site that has the visitor install the payload via a "missing Flash plug-in".
For readers not familiar with Koobface, here are some details about it as per the team at Symantec:
Originally Discovered: August 3, 2008

W32.Koobface is a worm that spreads through social networking sites. W32.Koobface, an anagram of Facebook, is a worm that spreads primarily through social networking sites (hence the name) and uses compromised computers to build a peer-to-peer botnet. A compromised computer contacts other compromised computers to receive commands in a peer-to-peer fashion. The botnet is used to install additional pay-per-install malware on the compromised computer as well as hijack search queries to display advertisements.

W32.Koobface spreads primarily through social networking sites as links to videos. When a user visits the website that is hosting the video, they are prompted to download a video codec or other necessary update, which is actually a copy of the worm.

The popularity of social networking sites is the key to W32.Koobface's ability to spread. By targeting social networking sites, the worm uses social engineering techniques to spread. Users of social networking sites can often be tricked into thinking that a link that has supposedly been posted by a friend or acquaintance is safe. Users may have difficulty determining if a link was posted by a friend or the worm.

W32.Koobface builds a peer-to-peer botnet and it is used to install additional pay-per-install malware on the compromised computer as well as hijack search queries to display advertisements. Compromised computers contact other compromised computers to receive commands in a peer-to-peer fashion.

The worm is able to perform the following functions:
  • Spread through social networks
  • Steal confidential information
  • Inject advertising into web browsers
  • Redirect web browsing to malicious sites
  • Intercept Internet traffic
  • Block access to certain Internet sites
  • Start a web server to serve as a command and control server for other Koobface infections
  • Download additional files, such as updates to itself and other pay-per-install software that includes fake security products
  • Steal software license keys
  • Break CAPTCHAs
  • Determine if a link is blocked by Facebook
  • Create new Blogspot accounts and pages
  • Modify the Hosts file
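Two of the capabilities listed above, modifying the Hosts file and blocking access to certain sites, leave a trace a defender can check for directly. The following is an added example, not Symantec's or this blog's code: it parses hosts-file syntax and flags watched domains that are sinkholed (pointed at loopback or 0.0.0.0) or redirected elsewhere, plus a hijacked `localhost`. The watch list and the sample hosts content are constructed for the demo.

```python
"""Audit hosts-file content for hijacked or sinkholed domains.
Added defensive example (not Symantec's or this blog's code) for the Koobface
capabilities listed above; SAMPLE_HOSTS is constructed. On a real machine read
/etc/hosts or C:\\Windows\\System32\\drivers\\etc\\hosts instead."""
import ipaddress

# Assumed watch list: vendor domains malware commonly blocks and social sites it
# redirects; extend for your own environment.
WATCHED_SUFFIXES = ("facebook.com", "twitter.com", "symantec.com",
                    "microsoft.com", "sophos.com")

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file syntax."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield no, ip, name.lower()

def is_watched(name):
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)

def audit_hosts(text):
    """Return (line_no, hostname, ip, finding) tuples for suspicious mappings."""
    findings = []
    for no, ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((no, name, ip, "unparseable address"))
            continue
        local = addr.is_loopback or addr.is_unspecified  # 127/8, ::1, 0.0.0.0
        if is_watched(name):
            findings.append((no, name, ip, "sinkholed" if local else "redirected"))
        elif name == "localhost" and not local:
            findings.append((no, name, ip, "localhost hijacked"))
    return findings

SAMPLE_HOSTS = """# constructed sample, not a real capture
127.0.0.1     localhost
::1           localhost
127.0.0.1     www.symantec.com liveupdate.symantec.com  # AV updates blocked
0.0.0.0       update.microsoft.com
198.51.100.7  www.facebook.com  # TEST-NET-2 address stands in for an attacker
"""
if __name__ == "__main__":
    print(*audit_hosts(SAMPLE_HOSTS), sep="\n")
```

A clean machine should produce an empty list for its hosts file apart from the loopback entries; anything else is worth a look.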

Friday, August 20, 2010

PCI Changes – Why technology specific standards may not be the best direction

As I read the summary of changes and had a few different discussions regarding the newly unveiled PCI DSS changes that are expected to appear in the upcoming release of version 2.0, I figured I would throw something together to share some of my personal insight.

As industry experts, we all agree that the new updates are much needed, and I'm glad to see some much-needed clarity presented in them. Examples of these clarifications are the inclusion of guidance around virtualization, finally encouraging a risk-based approach to addressing vulnerabilities, and centralized logging. My concern comes from the news around the exclusion of any specific references to emerging technologies to protect cardholder data, such as tokenization, chip-and-PIN and end-to-end encryption.

In my opinion, as security professionals we need not lose sight of the fact that standards such as PCI DSS are set forth to help us identify the scope and required minimum level of security to attain any such accreditation. This is why I think it is fully appropriate that specific emerging technologies be excluded from the payment security guidelines. As we all know, emerging technologies and trends change as often as the threat landscape itself; with this in mind, the standards provide us with the scope and minimum required security, and how that minimum level is attained is, and should be, left to the experts and their individual environments.

Wednesday, December 16, 2009

Adobe Acrobat 0-day Analysis

So, as promised in my earlier post, I have started the analysis of the exploit, and here are some details thus far. The exploit affects Adobe Reader and Acrobat 9.2 and earlier.
When the malicious PDF file is opened in Adobe Acrobat/Reader it attempts to download an executable payload.
The payload I analyzed was downloaded from hxxp://
This server looks like it has been taken down a few times since about 6am EST this morning, but is back up.
The executable, once downloaded, searches for and encrypts certain files and then uploads them to another server. This server is online and its contents are publicly browsable.

Based on the number of files found on the upload server, it appears that this exploit is only being used in targeted attacks at this time; however, this may change at any point.

Adobe's patch schedule is quarterly, with security patches coming as needed on the same release day as Microsoft's patches; under this patching SOP it could be January 12th before Adobe pushes out a patch.

The exploit is detected as Exploit:W32/AdobeReader.Uz,
the downloader files as Trojan-Dropper:W32/Agent.MRH,
and the dropped files as Trojan:W32/Agent.MRI, Trojan:W32/Agent.MRJ, and Rootkit:W32/Agent.MRK.

At this point I would recommend using alternative PDF readers, or disabling the JavaScript option within Adobe products, as a temporary remediation.

New Adobe Acrobat /Reader 0-day Exploits

This just came across my desk, so I figured I would post a short informational piece for those of you who are using the mentioned Adobe products.
The 0-day has been active since about 2 weeks ago, judging from some of the code samples I have seen thus far, and has now been brought to the attention of the vendor, so with that we can expect to see a patch soon, I would hope.
The exploit allows an attacker to craft a malicious PDF which, upon being opened on a vulnerable version of the Adobe software, will allow the execution of arbitrary code; this may allow an attacker to take complete control of the affected system. No patch is currently available, and a proof of concept module has been added to the Metasploit framework. I will be playing with this PoC module in the days to come and will have additional details at a more in-depth technical level.
Happy Patching / Updating.

Tuesday, November 10, 2009

Facebook Phishing - Can't Trust your "FRIENDS"

As I start to write this I am as comfortable as one can be in an airline seat with a laptop in front of me. I've been reflecting a little on another interesting week in information security and somewhat trying to settle into this blog-writing gig. At the request of a very special reader I was conversing with regarding this somewhat interesting but now commonplace finding on Facebook, I decided to share the following.

As I was trolling Facebook earlier this week I came across a posting on a friend's page, pictured to the left. Upon seeing this posting I decided to do a little digging, as the use of shortened URLs has become the norm thanks to Twitter links. Upon clicking the link, users were redirected to what appeared to be a Facebook login page at first glance; however, looking at the browser URL, the shortened link provided in the original posting directs users to a site named hxxp:// and this site is hosted on a free, quick and easy to set up hosting site named

This image shows what the login page looks like, and as you can see it's a somewhat convincing page unless you look closer. Most users would type in their credentials without thinking twice, due to what I call blind faith in anything that appears to originate from a "friend".

This site is another example of just one of the attack vectors currently widely dispersed on all social networking sites, primarily MySpace, Facebook, YouTube, and Twitter. This vector is of course a modified approach to your standard phishing attack; phishing attacks usually come in the form of emails from your bank, your friend, etc., and use the same tactic of harvesting user credentials via an authentic-looking login page that in some instances will do nothing after you enter your creds, and in other cases will forward you on to the legitimate site.

In the case of upon entering any credentials, the page would redirect you to one of about 5 randomized, seemingly legitimate Facebook apps.

Consider this part one of this Facebook analysis article specific to posted phishing attacks; I will be writing a follow-up article with more technical details on my analysis.
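The tell in the post above is the browser URL: the page looks like Facebook but the host is a free hosting site. The following added example (not this blog's code) classifies a landing URL from the URL alone, without fetching it, and covers the common lookalike tricks a defender should recognise: the brand name buried in a subdomain, in the path, or in the `user@` part of the URL. The allow-list and all sample URLs are constructed assumptions.

```python
"""Classify the landing URL behind a social-media link against the brand it imitates.
Added defensive example for the post above (lookalike Facebook login page reached
through a shortened link); not this blog's code. URLs in the demo are constructed
and the allow-list is an assumption to adapt per brand."""
from urllib.parse import urlsplit

# Assumed allow-list: registrable domains that may legitimately serve each brand's login.
LEGIT_DOMAINS = {"facebook": ("facebook.com",)}

def host_belongs_to(host, domains):
    """True only for the domain itself or a real subdomain of it, never a lookalike."""
    return any(host == d or host.endswith("." + d) for d in domains)

def classify_login_url(url, brand):
    """Return (verdict, reason) from the URL alone; nothing is fetched."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domains = LEGIT_DOMAINS[brand]
    if not host:
        return "invalid", "no host in URL"
    if host_belongs_to(host, domains):
        if parts.scheme != "https":
            return "suspicious", "legitimate host served over plain http"
        return "legitimate", host
    # Everything below is a foreign host trying to look like the brand.
    if parts.username and any(d in parts.username.lower() for d in domains):
        return "phishing", f"brand in userinfo, browser actually goes to {host}"
    if brand in host:
        return "phishing", f"brand name embedded in unrelated host {host}"
    if brand in parts.path.lower():
        return "phishing", f"brand name only in the path on {host}"
    return "unrelated", host

# Constructed landing URLs: the legitimate page, a free-hosting clone like the one
# in the post, and common lookalike tricks. None of these is a real phishing site.
SAMPLES = {
    "https://www.facebook.com/login.php": "legitimate",
    "http://www.facebook.com/login.php": "suspicious",
    "https://freehost.example/~acct/facebook/login.php": "phishing",
    "https://www.facebook.com.login-check.example/": "phishing",
    "https://www.facebook.com@203.0.113.9/login": "phishing",
    "https://news.example/story": "unrelated",
}

if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        verdict, why = classify_login_url(url, "facebook")
        print(f"{verdict:10} {url}  ({why})")
```

Feed it the final URL after the shortener's redirects have been followed; the shortened link itself tells you nothing.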

Wednesday, November 4, 2009

Windows 7 Insecure OUT-OF-BOX

Microsoft has been touting the improved security and updated features of UAC (User Access Control) in Windows 7, but recent findings show that Windows 7 is no different from its older siblings in the Microsoft operating system family.
I just finished reading a report by security firm Sophos, and the report shows that, out of the box with default configuration, Windows 7 was vulnerable to 8 out of 10 viruses thrown at it by the testers at SophosLabs.

User Access Control (UAC) is a technology Microsoft introduced to its operating systems in Windows Vista. It aims to improve the security of the operating system by preventing applications from running background processes without interaction from the user. After its initial introduction in Vista it was widely criticized as annoying and, as a result, in most cases turned off by users. The improvements Microsoft made to UAC to make it "less chatty" may have accomplished the less chatty part, but have done nothing for security.

Microsoft does acknowledge and encourage users to install anti-virus software, as they say it is a required piece of software to aid in securing Windows workstations. In their report released Monday, the Microsoft security team reports that Vista fared better than all other Windows flavors, including Windows 7, when it comes to security: Vista SP1 infection rates were 61.9% lower than XP SP3's.

In conclusion, anti-virus is a must, and with a multitude of legitimate ones freely available, it's easy and strongly recommended. A recommended free AV for Windows 7 is Microsoft's own Security Essentials, which is freely available for download on their site.

*Image courtesy of SophosLabs