Saturday, October 20, 2012

Cyberspace and Cybersecurity: Archive Post 9

As of the start of this blog, I am in my second course for my Masters of Science in Cybersecurity. This is an archived posting from the first course.

Topic - Virtual Machine Security
Discuss one significant issue associated with virtual machine technology and identify appropriate countermeasures.
From March 23, 2012.

Virtual machines are useful to security researchers because they support malware analysis in several ways: easy reverting to a known (ideally known-good) state via snapshots, the ability to run malicious code (usually) without putting a physical system at risk, and easy kernel debugging. Unfortunately, malware authors have noticed these advantages and have begun performing virtualization detection and executing alternative code paths when virtualized, or even trying to "escape the context of the virtual machine and attack the host system or at least glean information from it" (Vacca, 2009, pg 699).

Liston and Skoudis claim that the leading method of VMware detection is looking for the communication channel used between the guest and host operating systems. Since this is, they claim, the "most widely deployed means of detecting virtual machines," they researched ways of thwarting it (Liston & Skoudis, 2006). As of their 2006 writing, their research had yielded "essentially a high speed search-and-replace tool that is designed to find the fixed “VMXh” magic value used to access the VMware communication channel and change it to a user-specified alternate value" (Liston & Skoudis, 2006). Unfortunately, since VMware disk images are huge and a given DWORD is small, there are false positives, and modifying those is disastrous to successful execution. At the time of writing, "the best [they]’ve been able to do is to coax a VM into booting ... but with severely limited functionality (i.e. no keyboard, no mouse)" (Liston & Skoudis, 2006).
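To make the false-positive problem concrete, here is an added example (my own code, not the Liston & Skoudis tool and not from the original post) that scans a constructed image for the "VMXh" DWORD, narrows the hits to ones that look like code, rewrites only those, and estimates how many chance matches a disk-sized image will produce. The `mov eax, imm32` heuristic (opcode 0xB8) used to rank hits, the `VMX_MAGIC` constant name and the sample image are my assumptions; the paper only describes a plain search-and-replace.

```python
import struct

# "VMXh" as the 32-bit value a guest loads into EAX before touching the VMware channel.
VMX_MAGIC = 0x564D5868
MOV_EAX_IMM32 = 0xB8  # x86 opcode for `mov eax, imm32` (assumption: genuine checks look like this)


def candidate_offsets(image: bytes, magic: int = VMX_MAGIC) -> list:
    """Every offset at which the little-endian DWORD `magic` occurs in `image`."""
    needle = struct.pack("<I", magic)
    hits, start = [], 0
    while True:
        i = image.find(needle, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def code_like_offsets(image: bytes, magic: int = VMX_MAGIC) -> list:
    """Subset of the hits that are immediately preceded by `mov eax, imm32`."""
    return [o for o in candidate_offsets(image, magic) if o > 0 and image[o - 1] == MOV_EAX_IMM32]


def replace_magic(image: bytes, offsets, new_magic: int) -> bytes:
    """Search-and-replace of the magic DWORD, but only at the offsets the caller chose."""
    buf = bytearray(image)
    for o in offsets:
        buf[o:o + 4] = struct.pack("<I", new_magic)
    return bytes(buf)


def expected_chance_hits(image_size_bytes: int) -> float:
    """Expected accidental matches of one fixed DWORD in uniformly random data of this size."""
    return image_size_bytes / 2 ** 32


# Constructed sample "image": one genuine check stub and one accidental occurrence in data.
CHECK_STUB = bytes([MOV_EAX_IMM32]) + struct.pack("<I", VMX_MAGIC) + b"\xed"  # mov eax, VMXh ; in eax, dx
SAMPLE_IMAGE = (b"\x00" * 64 + CHECK_STUB + b"\x00" * 64
                + struct.pack("<I", VMX_MAGIC) + b"\x00" * 64)

if __name__ == "__main__":
    print("all hits:       ", candidate_offsets(SAMPLE_IMAGE))
    print("code-like hits: ", code_like_offsets(SAMPLE_IMAGE))
    patched = replace_magic(SAMPLE_IMAGE, code_like_offsets(SAMPLE_IMAGE), 0x41424344)
    print("hits after patch:", candidate_offsets(patched))
    print("expected chance hits in a 40 GB image: %.1f" % expected_chance_hits(40 * 10 ** 9))
```

The last line is the whole problem in one number: a 40 GB image is expected to contain about nine copies of any given DWORD purely by chance, so a blind replace corrupts data that has nothing to do with the channel, which is why the authors only got a VM to boot with limited functionality.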

Overall, VM detection is easy and thwarting it reliably is hard. According to Vacca, some administrators have instead begun setting flags on real systems to convince malware that the machine is a VM, so that malware which hides its behavior inside VMs will decline to attack (Vacca, 2009, pg 699).


Liston, T., & Skoudis, E. (2006). On the Cutting Edge: Thwarting Virtual Machine Detection. Retrieved from http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf

Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann.

Friday, October 19, 2012

Think like a Hacker

As of the start of this blog, I am in my second course for my Masters of Science in Cybersecurity. This is an archived posting from the first course.

Topic – Think like a Hacker
Select an e-business. Thinking like a hacker, describe a hypothetical scenario on how you would go about breaking into their system and acquiring assets.
Next, describe how the attack could have been prevented.
From March 16, 2012.

I enjoy music, especially when I can get it cheap, like from iTunes or the Amazon Cloud.

First, I will select a busy area with free Wi-Fi, like a Starbucks at lunch time (Starbucks, 2011). Next, I use a tool like Arpspoof to establish a man-in-the-middle session with each user attached to the network by pretending to be the network gateway (Arpspoof). I monitor traffic for email addresses, especially email addresses used as logins, and the associated passwords. Any email addresses I get will be sent phishing emails with attached document exploits that install keyloggers, which call back to a server I have set up. Any email/password pairs will be used to attempt to log into various services. I will use a script to test each pair against numerous social networking sites like Facebook, MySpace, LinkedIn and others. Successful access will be used to spread my keyloggers. I will continue this pattern until I net an email/password pair that successfully logs into either iTunes or the Amazon Cloud. Once successful, I will use the access to download all the purchased music on the account. If there is an outstanding balance on the account, I will buy digital goods with it and download those too. All direct access to the victim business will be performed through a proxy, probably one of the machines I am keylogging.

This type of attacker would be considered a "script kiddie," as the attack requires little to no direct technical knowledge and can be carried out with tools downloaded off the internet (Vacca, 2009, p. 296). Users can easily protect against it by not using unsecured wireless networks, especially public ones, and by not reusing passwords. The victim company can protect against it, somewhat, by not using email addresses as the user name, which both Amazon and iTunes do. Anything further the company could do to protect against this would interfere with the ease of use of the site, which makes users less likely to choose its service.
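The network-side check that complements the user advice above is to notice when the gateway's IP address starts being claimed by a second MAC address, which is exactly the symptom the ARP spoofing step produces. The following is an added example written for this post, not code from the post or from Arpspoof; the ARP reply records are constructed and the function and field names are my own.

```python
from collections import defaultdict

# Constructed sample of ARP replies observed on the LAN: (seconds, sender_ip, sender_mac).
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),   # the real gateway answering normally
    (0.5, "192.168.1.50", "aa:bb:cc:00:00:50"),
    (1.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),
    (1.5, "192.168.1.1",  "de:ad:be:ef:00:99"),   # a second MAC now claims the gateway IP
    (2.0, "192.168.1.1",  "de:ad:be:ef:00:99"),
    (2.5, "192.168.1.1",  "de:ad:be:ef:00:99"),
]


def ip_mac_bindings(replies):
    """Map each IP to the ordered list of distinct MACs that have claimed it."""
    bindings = defaultdict(list)
    for _, ip, mac in replies:
        if mac not in bindings[ip]:
            bindings[ip].append(mac)
    return dict(bindings)


def detect_conflicts(replies, protected_ips=()):
    """Alert when one IP is claimed by more than one MAC.

    Conflicts on protected IPs (the gateway, DNS servers) are rated 'high';
    any other conflict is 'medium'. The alert records when the second MAC first appeared.
    """
    first_seen = {}
    for t, ip, mac in replies:
        first_seen.setdefault((ip, mac), t)
    alerts = []
    for ip, macs in ip_mac_bindings(replies).items():
        if len(macs) > 1:
            alerts.append({
                "ip": ip,
                "macs": macs,
                "changed_at": first_seen[(ip, macs[1])],
                "severity": "high" if ip in protected_ips else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_conflicts(SAMPLE_ARP_REPLIES, protected_ips={"192.168.1.1"}):
        print(alert)
```

A legitimate gateway hardware swap trips the same alert, so treat it as a trigger for investigation rather than proof of an attack; a static ARP entry for the gateway on the client, or dynamic ARP inspection on the switch, is what stops the spoofed reply from taking effect in the first place.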


Arpspoof. Retrieved from http://arpspoof.sourceforge.net/

Starbucks. (2011). Wi-Fi (United States). Retrieved from http://www.starbucks.com/coffeehouse/wireless-internet

Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann.

Think like an Industrial Spy

As of the start of this blog, I am in my second course for my Masters of Science in Cybersecurity. This is an archived posting from the first course.

Topic – Think like an Industrial Spy
Select a company. Thinking like an industrial spy, describe a hypothetical scenario on how you would go about attacking their system and acquiring intellectual property.
Next, describe how the attack could have been prevented.
From March 15, 2012.

Wanting to steal intellectual property, I would search for a high-gain, low-effort target. Small businesses that do R&D seem like good targets for these criteria, since their business model relies on developing intellectual property, yet they do not have the employees or, likely, the budget to perform extensive cybersecurity. To select my target, I read about the Small Business Innovation Research (SBIR) Program, which provides grants from the Small Business Administration to companies that meet the following criteria: American-owned and independently operated; for-profit; principal researcher employed by the business; company size limited to 500 employees. Their criteria for giving grants line up perfectly with my criteria for targets, and their list of recipients is public record (SBA).

I was able to find a list of FY2011 recipients of SBIR awards from the Environmental Protection Agency, with a breakdown of recipients by environmental category of research. I decided to select a company whose category of research was Homeland Security, and so I selected Operational Technologies Corporation of San Antonio, Texas (EPA, 2012).

To collect intellectual property, I need access to their network. The first step after choosing the company is some minor reconnaissance, that is, checking over their website. There is a Contact Us page with direct email addresses and names for three employees as well as an information email. The direct personal contacts would be best for a well-crafted phish, but the info email has the benefit of having a very small chance of being opened outside the company network (OTCorp, 2008).

To gain my actual access, I will use Metasploit to craft malicious .doc and .pdf files containing Poison Ivy RAT payloads (Vacca, 2009, p. 55). Once the documents are opened on a vulnerable computer, the remote administration tool is dropped and executed, and it calls back to the server I set up. Once that connection is established, I can browse the internal network at my leisure using the full control of the target system that Poison Ivy gives me (Codius, 2007).

This attack could have been prevented by intensive scanning of emailed documents and also by using hard-to-target workstations. The exploits I would be using target Microsoft Office and Adobe Reader on Windows. If alternative software like Foxit Reader and OpenOffice were used, then the exploits would fail to land. Likewise, Linux or Mac workstations would prevent the attack too.
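The "intensive scanning of emailed documents" countermeasure starts with a first-pass triage of each attachment before it ever reaches a reader: does the content match the extension, and does a PDF carry the dictionary keys that let it run code or fire an action on open? This is an added example written for this post, not code from the post or any product; the magic numbers are the standard ones for PDF, the legacy OLE Office container and the OOXML (ZIP) container, and the sample attachments, the key list and the function names are my own constructions.

```python
# Container signatures (standard values).
PDF_MAGIC = b"%PDF-"
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy binary Office container (.doc/.xls/.ppt)
ZIP_MAGIC = b"PK\x03\x04"                      # OOXML container (.docx/.xlsx/.pptx)

# PDF dictionary keys that allow a document to execute script or trigger actions automatically.
RISKY_PDF_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")

EXPECTED_CONTAINER = {"pdf": "pdf", "doc": "ole", "xls": "ole", "ppt": "ole",
                      "docx": "ooxml", "xlsx": "ooxml", "pptx": "ooxml"}


def sniff_container(data: bytes) -> str:
    """Identify the container from its leading bytes, ignoring the file name entirely."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict plus the findings that justify it."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    container = sniff_container(data)
    findings = []
    expected = EXPECTED_CONTAINER.get(ext)
    if expected and container != expected:
        findings.append(f"extension .{ext} does not match content ({container})")
    if container == "pdf":
        findings += [f"PDF contains {k.decode()}" for k in RISKY_PDF_KEYS if k in data]
    if container == "ole":
        findings.append("legacy binary Office file: macro-capable, detonate in a sandbox first")
    verdict = "quarantine" if findings else "deliver"
    return {"file": filename, "container": container, "findings": findings, "verdict": verdict}


# Constructed samples, not real documents.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
ACTION_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /S /JavaScript /JS (placeholder) >> endobj\n%%EOF\n")
DISGUISED_DOC = OLE_MAGIC + b"\x00" * 32   # an OLE file mailed with a .pdf name

if __name__ == "__main__":
    for name, blob in [("quote.pdf", CLEAN_PDF), ("invoice.pdf", ACTION_PDF),
                       ("report.pdf", DISGUISED_DOC), ("proposal.doc", DISGUISED_DOC)]:
        print(triage_attachment(name, blob))
```

Keyword matching on a raw PDF is deliberately crude: streams can be compressed or the keys encoded, so a "deliver" verdict here only means nothing obvious was found, and the quarantined files should go to a real parser or a sandbox rather than straight to the trash.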


Codius. (2007). Poison Ivy Remote Administration Tool. Retrieved from http://www.poisonivy-rat.com/index.php?link=dev

EPA. (2012). Small Business Innovative Research: FY11 Awards: Full List. Retrieved from http://cfpub.epa.gov/ncer_abstracts/index.cfm/fuseaction/outlinks.sbir/fullList/Yes/showYear/current

OTCorp. (2008). Contact Us. Retrieved from http://www.otcorp.com/home/index.php?option=com_content&task=view&id=19&Itemid=34

SBA. Small Business Innovation Research Program. Retrieved from http://www.sba.gov/content/small-business-innovation-research-program-sbir-0

Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann.

Thursday, October 18, 2012

Thinking like a criminal...

Tonight I will be publishing two archive posts from my previous course: Think like an Industrial Spy and Think like a Hacker.

I am very proud of how these posts turned out, but they are well thought out briefs on engaging in cyber crime. A small part of me is leery of posting them publicly and unredacted, but I will. The bigger part of me keeps remembering that those likely to perform a crime like the ones I describe are also as likely to already know what I posted about.

The people my posts will be most interesting to are the ignorant innocents who are likely to be the targets. The table below contains direct links to both posts. Enjoy!

Thinking like a criminal...
Think like an Industrial Spy
Think like a Hacker

Tuesday, October 16, 2012

Cyberspace and Cybersecurity: Archive Post 6

As of the start of this blog, I am in my second course for my Masters of Science in Cybersecurity. This is an archived posting from the first course.

Topic - Effective Security Awareness and Training Program
Discuss an important factor which would ensure an effective security awareness and training program.
From March 2, 2012

An important factor in ensuring an effective security awareness and training program is fostering an environment where users feel they have a stake in the security situation of the company. If lost productivity is the only risk, then the average office worker will not see any danger in checking their webmail and file swapping on P2P sites while on work computers. These high-risk activities pose significant security dangers, but that danger may be overlooked by everyone except the system administrators. Vacca, on page 13, suggests that "perhaps the most direct way to gain employee support is to let employees know that the money needed to respond to attacks and fix problems initiated by users is money that is then not available for raises and promotions" (Vacca, 2009). A further suggestion is to present the computer security policies and advice in a way that reminds employees that the same advice and habits can be used to secure their home systems and information.

Mark Wilson and Joan Hash at the National Institute of Standards and Technology also warn that "an organization’s IT security awareness and training program can quickly become obsolete if sufficient attention is not paid to technology advancements" (Wilson and Hash). If users see that the IT policies and training are becoming, or even just seeming, obsolete, then they will put less effort into sticking to the advice and policies. The appearance of being lackadaisical about keeping up with technology suggests to the trainees that they don't need to take the training seriously either.


Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann.

Wilson, M., & Hash, J. Information Technology Security Awareness, Training, Education, and Certification. Retrieved from http://www.itl.nist.gov/lab/bulletns/bltnoct03.htm

Cyberspace and Cybersecurity: Archive Post 5

As of the start of this blog, I am in my second course for my Masters of Science in Cybersecurity. This is an archived posting from the first course.

Topic - Encryption Algorithm
Describe one encryption algorithm.
From March 2, 2012.

Rivest Cipher 4

RC4 is a lightweight encryption algorithm that can easily be implemented in any programming language. It is a symmetric cipher, which means that the encryption and decryption functions are the same and use the same key. As a stream cipher, RC4 can encrypt plaintext of any length without padding out to a block size; the ciphertext is created by adding the keystream and plaintext bitwise modulo two, commonly known as XOR. "It is a variable key-size stream cipher with byte-oriented operations. The algorithm is based on the use of a random permutation. Analysis shows that the period of the cipher is overwhelmingly likely to be greater than 10^100" (What is RC4).

RC4 was used as the first wireless networking encryption in the Wireless Equivalent Privacy standard by IEEE 802.11 (Vacca, 2009, pg 172). Despite the algorithm itself being fairly secure, the implementation used in WEP uses a fixed shared key, derived from the access point password, together with an Initialization Vector (IV) to generate the keystream. Since all packets use the same shared key, the only variation seeding the keystream comes from the IV, which is only 24 bits. Borisov et al. at Berkeley studied the security provided by WEP and summarized the weakness caused by the small IV well: "Such a small space of initialization vectors guarantees the reuse of the same key stream. A busy access point, which constantly sends 1500 byte packets at 11Mbps, will exhaust the space of IVs after 1500*8/(11*10^6)*2^24 = ~18000 seconds, or 5 hours" (Borisov et al.).
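To show both halves of the post, the cipher itself and why the WEP construction fails, here is an added example (my own code, not from the post or from any of the cited sources): a textbook RC4, the WEP per-packet key built by prepending the 24-bit IV to the shared key, and a check that two packets encrypted under the same IV leak the XOR of their plaintexts. The final function reproduces the Borisov et al. IV-exhaustion arithmetic quoted above. Function names, the sample key and the sample plaintexts are my own.

```python
def rc4_keystream(key: bytes):
    """Generate the RC4 keystream for `key`: key scheduling (KSA), then the PRGA loop."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA: key-dependent permutation of 0..255
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                               # PRGA: one keystream byte per iteration
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the same operation): XOR the data with the keystream."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def wep_packet_key(iv: bytes, shared_key: bytes) -> bytes:
    """WEP's per-packet RC4 key: the 3-byte (24-bit) IV prepended to the fixed shared key."""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    return iv + shared_key


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(iv: bytes, shared_key: bytes, p1: bytes, p2: bytes) -> bool:
    """Two packets under the same IV: XOR of the ciphertexts equals XOR of the plaintexts,
    so a listener who knows one plaintext recovers the other without the key."""
    k = wep_packet_key(iv, shared_key)
    c1, c2 = rc4(k, p1), rc4(k, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def iv_exhaustion_seconds(packet_bytes: int = 1500, link_mbps: int = 11, iv_bits: int = 24) -> float:
    """Seconds for a saturated link to cycle through the whole IV space (Borisov et al.'s estimate)."""
    return packet_bytes * 8 / (link_mbps * 10 ** 6) * 2 ** iv_bits


if __name__ == "__main__":
    ct = rc4(b"Key", b"Plaintext")            # well-known RC4 test vector
    print(ct.hex(), rc4(b"Key", ct))
    print("same-IV leak:", keystream_reuse_leak(b"\x01\x02\x03", b"shared-key",
                                                b"HELLO WORLD", b"ATTACK DAWN"))
    print("IV space exhausted after %.0f s (%.1f h)" %
          (iv_exhaustion_seconds(), iv_exhaustion_seconds() / 3600))
```

The leak check is the whole WEP story in one line: RC4 is only as safe as the rule "never reuse a keystream," and a 24-bit IV on a busy link breaks that rule within hours.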


Borisov, N., Goldberg, I., & Wagner, D. Security of the WEP algorithm. Retrieved from http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html

Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann.

What is RC4? Retrieved from https://www.rsa.com/rsalabs/node.asp?id=2250

Cyberspace and Cybersecurity: Archive Post 4

As of the start of this blog, I am in my second course for my Masters of Science in Cybersecurity. This is an archived posting from the first course.

Topic - Access Control Models
For each access control model (RBAC, DAC and MAC), describe the environment in which that model would work best. Provide examples.
From February 24, 2012.

Discretionary access control is useful in a shared user environment like a Unix system to provide file permissions. “In DAC, generally the resource owner (a user) controls who has access to a resource” (IBM, 2012). This allows each user to share the files they wish to, while still keeping others private.

Role-based access control works well for situations where a system is shared amongst various groups, but individual users do not need personal privacy. A timekeeping and point-of-sale system at a restaurant is a good example of this, like the one used at the Big Boy I worked at in high school. Access to clock in and out was provided to all employees, but the rest of the system was denied to the kitchen staff. Servers, hosts, and managers all had access to order submission, while only managers had access to remove orders and pull daily statistics.

Mandatory access control limits security definitions to a policy administrator. Security takes precedence over usability because the access-control model “attempt[s] to prevent transfer of information that is not allowed by the rules” (Goodrich & Tamassia, 2011). Trade secrets or national security information are good candidates for this type of access control because more harm can come from unauthorized access than from inconvenience in sharing between authorized parties.
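The three models differ in who gets to change the rules, and that is easiest to see in code. Here is an added example (my own, not from the post or the cited textbooks) with a minimal working version of each: a DAC file whose owner alone edits the access list, an RBAC permission table modelled on the restaurant point-of-sale system above, and a MAC policy where only the administrator assigns labels. For MAC I assume the Bell-LaPadula confidentiality rules (no read up, no write down) as the concrete "rules" the quote refers to; the role names, levels and the `ADMIN_TOKEN` mechanism are my own constructions.

```python
from dataclasses import dataclass, field


# --- DAC: the resource owner decides who may access it (Unix-style file sharing) ---
@dataclass
class DacFile:
    owner: str
    readers: set = field(default_factory=set)

    def grant_read(self, requester: str, user: str) -> None:
        """Only the owner may change the access list; anyone else is refused."""
        if requester != self.owner:
            raise PermissionError(f"{requester} does not own this file")
        self.readers.add(user)

    def can_read(self, user: str) -> bool:
        return user == self.owner or user in self.readers


# --- RBAC: permissions attach to roles, not people (the restaurant POS from the post) ---
ROLE_PERMISSIONS = {
    "kitchen": {"clock_in_out"},
    "host":    {"clock_in_out", "submit_order"},
    "server":  {"clock_in_out", "submit_order"},
    "manager": {"clock_in_out", "submit_order", "remove_order", "daily_statistics"},
}


def rbac_allowed(role: str, action: str) -> bool:
    return action in ROLE_PERMISSIONS.get(role, set())


# --- MAC: labels are fixed by a policy administrator; subjects cannot relabel anything ---
LEVELS = {"public": 0, "confidential": 1, "secret": 2}
ADMIN_TOKEN = object()   # stands in for "is the policy administrator" (assumption)


@dataclass
class MacPolicy:
    clearances: dict = field(default_factory=dict)   # subject -> level
    labels: dict = field(default_factory=dict)       # object  -> level

    def set_clearance(self, token, subject: str, level: str) -> None:
        if token is not ADMIN_TOKEN:
            raise PermissionError("only the policy administrator assigns clearances")
        self.clearances[subject] = LEVELS[level]

    def set_label(self, token, obj: str, level: str) -> None:
        if token is not ADMIN_TOKEN:
            raise PermissionError("only the policy administrator labels objects")
        self.labels[obj] = LEVELS[level]

    def can_read(self, subject: str, obj: str) -> bool:
        """No read up: clearance must dominate the object's label."""
        return self.clearances[subject] >= self.labels[obj]

    def can_write(self, subject: str, obj: str) -> bool:
        """No write down: a subject may not copy information into a lower-labelled object."""
        return self.clearances[subject] <= self.labels[obj]


def demo_mac() -> MacPolicy:
    """Build the policy used in the examples: one secret-cleared engineer, two documents."""
    p = MacPolicy()
    p.set_clearance(ADMIN_TOKEN, "engineer", "secret")
    p.set_label(ADMIN_TOKEN, "trade_secret.doc", "secret")
    p.set_label(ADMIN_TOKEN, "press_release.txt", "public")
    return p


if __name__ == "__main__":
    f = DacFile(owner="alice")
    f.grant_read("alice", "bob")
    print("DAC: bob reads alice's file:", f.can_read("bob"))
    print("RBAC: kitchen removes order:", rbac_allowed("kitchen", "remove_order"))
    p = demo_mac()
    print("MAC: engineer reads trade secret:", p.can_read("engineer", "trade_secret.doc"))
    print("MAC: engineer writes press release:", p.can_write("engineer", "press_release.txt"))
```

The write rule is what makes MAC feel unusable day to day: the engineer cannot paste a paragraph from the trade secret into the public press release even though they are allowed to read both, which is exactly the usability cost the post says is acceptable for that kind of data.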


Goodrich, M. T., & Tamassia, R. (2011). Introduction to Computer Security. Boston, MA: Pearson.

IBM (2012). Access control: MAC and DAC. Retrieved from http://publib.boulder.ibm.com/infocenter/lnxinfo/v3r0m0/index.jsp?topic=%2Fliaai%2Fselinux%2Fliaaiselinuxmacdac.htm