Gamification

NetWars logo used with permission from SANS

User engagement, return on investment and learning: those are the key benefits of gamification. Gamification may be a new term, but the practice has been used in specific industries for years. The military is one example: armed forces have long used games, challenges and simulations to solve problems and engage audiences. NATO is considering gamification over the Internet, and the Office of Naval Research, a department of the US Navy, recently ran a Massive Multiplayer Online Wargame Leveraging the Internet (MMOWGLI). Deloitte calls it the engagement economy.

Gabe Zichermann and Christopher Cunningham wrote in the preface of their latest book that “Simulation and gaming is a promising, and rapidly-expanding, field of study. This new methodology is being adopted in a wide variety of disciplines. Complicated computer models have helped inform everything from finance to engineering, a new wave of “serious games” have begun to change the way we think about gaming as a tool for learning, and true-to-life simulations have changed the way professionals train for intensive, on-the-job skills.”

So how can we apply gamification to information security? Learning information security skills through gamification is what this post is about, and it is where NetWars comes in. NetWars is a SANS product that illustrates how gamification can help you build information security skills. The concept is not new and there are others: the OverTheWire and SmashTheStack challenges, also known as capture-the-flag games or wargames, are similar. NetWars, however, was built by Ed Skoudis, which is already a differentiator. Last year in London, SANS hosted the first EMEA NetWars tournament. It consisted of five levels, each made up of several challenges worth 1 to 15 points depending on difficulty, and to advance to the next level you need to reach a point threshold. The levels are designed to develop skills in areas such as vulnerability assessment, system hardening, malware analysis, digital forensics, incident response, packet analysis and penetration testing.

Should business leaders invest in this type of simulation to train their employees? Absolutely: the marriage between pedagogy and technology is a fact, and beyond the pure return on investment, employee training may be the best business expense there is. Professor Ann Bartel, director of Columbia Business School’s Workforce Transformation Initiative and an expert in labor economics and human resource management, estimates the return on employee training at 7% to 50% per dollar spent, and in two specific case studies it reached 100% to 200%. Further details are in her paper “Measuring Employer Return on Investments in Training”.

Here is an example of how gamification can be used to engage people and teach them something. You might remember the famous 90s video game Where in the World is Carmen Sandiego?. The game challenges the player to track a thief hiding in one of 30 cities, using a world almanac as the investigative tool (for example, “What country uses kroner as its currency?” Check your connections to find out which cities the thief might have fled to). Along the way the game teaches world geography and culture.

But back to NetWars and its director, Ed Skoudis: have a look at his presentation “Using InfoSec Challenges to build your skills and career”. Among other things it describes the benefits of gamified information security challenges and gives guidelines on how to develop your own challenges and simulations.

Teaching and training systems like NetWars are designed to mimic real-life situations: real-world security issues, with their flaws and their resolutions, in an interactive, hands-on laboratory environment. Books have traditionally carried the theory and the examples; simulations, challenges and games add dynamics and a temporal element, and let difficult concepts be vividly illustrated.

References:
Zichermann, Gabe; Cunningham, Christopher (2011): Gamification by Design. O’Reilly.
Information Resources Management Association (2011): Gaming and Simulations. IGI Global.


Evader

Evader is a tool from Stonesoft that provides a ready-made test lab for trying IP evasion techniques. Stonesoft says it should be used to test how effective your network security solutions are at detecting and blocking threats. Marketing and hype aside, Stonesoft has always delivered innovative solutions to the network security market; you might remember the old StoneBeat FullCluster software, used with vendors like Check Point to build high-availability and load-sharing setups.

Evader can test IP evasion techniques against two vulnerabilities: CVE-2004-1315 and CVE-2008-4250. For the first one, the tool offers 24 evasion methods, of which 9 work at the application layer, 2 at the network layer and 13 at the transport layer. The downloadable test lab covers CVE-2004-1315 and is easily deployed under VMware; the documentation is clear and gives step-by-step guidance.

Essentially, the virtual machine contains Linux, Apache, MySQL and PHP, with phpBB (PHP Bulletin Board) version 2.0.10 deployed. That version is vulnerable to CVE-2004-1315, the flaw the Santy worm used back in 2004 to compromise and deface websites.

In the version of Evader tested, the available evasion techniques are:

http_header_lws – HTTP header linear whitespace
http_known_user_agent – HTTP known user agent
http_request_line_separator – HTTP request line separator
http_request_method – HTTP request method
http_request_pipelined – HTTP request pipelined
http_url_absolute – HTTP URL absolute
http_url_dummypath – HTTP dummy paths
http_url_encoding – HTTP URL encoding
http_version – HTTP request version
ipv4_frag – IPv4 fragmentation
ipv4_opt – IPv4 options
tcp_chaff – TCP Chaff
tcp_initialseq – TCP initial sequence number
tcp_inittsopt – TCP timestamp option settings
tcp_nocwnd – Disable TCP congestion avoidance
tcp_nofastretrans – Disable TCP fast retransmit
tcp_order – TCP segment order
tcp_overlap – TCP segment overlap
tcp_paws – TCP PAWS elimination
tcp_recv_window – TCP receive window
tcp_seg – TCP segmentation
tcp_timewait – TCP TIME-WAIT decoys
tcp_tsoptreply – TCP timestamp echo reply modifications
tcp_urgent – TCP urgent data
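To make the application-layer entries in the list above concrete, here is a small added example (my own illustration, not code from Evader, Stonesoft or the original post). It builds a constructed phpBB request, applies four of the HTTP-layer techniques (http_url_encoding, http_url_dummypath, http_request_line_separator, http_url_absolute) to it, and runs a toy signature over the result twice: once against the raw bytes, as an inspection engine with no HTTP decoder would, and once after normalizing the request to a canonical form. The request, the MARKER token, the signature and the host name lab.example are all assumptions; no exploit payload is included, and whether a given web server accepts each variant is server-specific and not modelled here.

```python
"""Toy demonstration of HTTP-layer IDS evasion versus normalization.

Added example, not part of the Evader tool or the original post.  The
request, the signature and the server tolerance assumptions are all
constructed for illustration; phpBB's real parsing and the real Check Point
signature are not modelled.
"""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed baseline request.  MARKER stands in for whatever the signature
# is looking for in the 'highlight' parameter; no exploit payload here.
BASELINE = (
    "GET /phpBB2/viewtopic.php?t=1&highlight=MARKER HTTP/1.0\r\n"
    "Host: lab.example\r\n\r\n"
)

# Toy signature written the way a raw-byte matcher with no HTTP decoder
# would write it: anchored at the start of the stream, exact path, exact
# single-space separators.  (Constructed; not a vendor signature.)
RAW_SIG = re.compile(
    r"\AGET /phpBB2/viewtopic\.php\?\S*highlight=MARKER HTTP/1\.[01]\r\n"
)


def _split(req):
    """Return (method, target, version, rest) of a request text."""
    line, rest = req.split("\r\n", 1)
    method, target, version = re.split(r"[ \t]+", line.strip())
    return method, target, version, rest


def _join(method, target, version, rest, sep=" "):
    return f"{method}{sep}{target}{sep}{version}\r\n{rest}"


# --- Evasions: same meaning for the server, different bytes on the wire ---

def ev_url_encoding(req):
    """http_url_encoding: percent-encode every letter of the request target."""
    m, t, v, r = _split(req)
    t = "".join(f"%{ord(c):02X}" if c.isalpha() else c for c in t)
    return _join(m, t, v, r)


def ev_url_dummypath(req):
    """http_url_dummypath: add './' and 'dummy/../' segments that resolve away."""
    m, t, v, r = _split(req)
    return _join(m, t.replace("/phpBB2/", "/./dummy/../phpBB2/", 1), v, r)


def ev_request_line_separator(req):
    """http_request_line_separator: tabs instead of single spaces."""
    m, t, v, r = _split(req)
    return _join(m, t, v, r, sep="\t")


def ev_url_absolute(req):
    """http_url_absolute: absolute-form target with scheme and host included."""
    m, t, v, r = _split(req)
    return _join(m, "http://lab.example" + t, v, r)


EVASIONS = {
    "http_url_encoding": ev_url_encoding,
    "http_url_dummypath": ev_url_dummypath,
    "http_request_line_separator": ev_request_line_separator,
    "http_url_absolute": ev_url_absolute,
}


# --- Normalization: what an HTTP-aware inspection engine does first ---

def normalize(req):
    """Rebuild the request in one canonical form before signature matching."""
    method, target, version, rest = _split(req)
    parts = urlsplit(target)                 # origin-form or absolute-form
    path = posixpath.normpath(unquote(parts.path) or "/")  # decode, drop ./ ../
    query = unquote(parts.query)
    target = path + ("?" + query if query else "")
    return _join(method.upper(), target, version.upper(), rest)


def detect_raw(req):
    return RAW_SIG.search(req) is not None


def detect_normalized(req):
    return RAW_SIG.search(normalize(req)) is not None


def run_all():
    """Return {technique: (raw_matcher_hit, normalized_matcher_hit)}."""
    results = {"baseline": (detect_raw(BASELINE), detect_normalized(BASELINE))}
    for name, fn in EVASIONS.items():
        evaded = fn(BASELINE)
        results[name] = (detect_raw(evaded), detect_normalized(evaded))
    return results


if __name__ == "__main__":
    for name, (raw, norm) in run_all().items():
        print(f"{name:30s} raw={'HIT ' if raw else 'MISS'}  "
              f"normalized={'HIT' if norm else 'MISS'}")
```

The point of the exercise is the asymmetry: each evasion leaves the server's interpretation of the request unchanged while the raw-byte signature misses every one of them, and the same signature catches all of them once the engine decodes and canonicalizes the request first. The transport-layer entries in the list (segmentation, overlap, ordering, chaff) attack the reassembly step that has to happen before this normalization can even run.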

I decided to take a deeper look and downloaded Evader version 0.9.8.557, then built a small lab to run it against a Check Point gateway with the Firewall and IPS blades enabled. I created an account on the Check Point User Center, requested a 15-day trial license and downloaded the ISO image of Check Point R75.40 with software blades. I installed the system as a combined Security Gateway and Security Management Server and configured IP addressing, rules and routing to suit the test scenario. The lab setup does not take long if you are familiar with VMware and Check Point.

Interestingly, neither the default nor the recommended IPS profile of Check Point R75.40 catches the attack used against CVE-2004-1315; I tried both Evader and Metasploit. Looking deeper at the signatures under Check Point Web Intelligence – Malicious codes – General HTTP worm catchers, the signature that should eventually catch this attack is called Sanity.A Worm, but its regular expression needs to be adjusted before the attack is successfully detected and/or prevented. Only once the security solution detects the attack can you start using the evasion techniques to test its effectiveness. With the signature configured properly on the Check Point IPS, the evasion techniques I tried (time was a limiting factor) were all detected or prevented, which is the result you would expect from a product with an overall protection score of 98.3% in the NSS Labs report.

Understanding threats, identifying their causes and implementing effective countermeasures takes time, but it reduces risk and exposure. In other words, it is generally worth doing your own assessment and pointing tools like this at the security products that protect your assets, to understand their technical advantages and drawbacks. Security vendors want you to think you are as secure as you can be, and that can leave you with a false sense of security.

If you are interested in intrusion analysis or in configuring IDS/IPS systems, or if you would like a peek behind the scenes at what packets look like when crafted with evasion techniques such as fragmentation or obfuscation, then Evader is definitely a good start. The tool illustrates a significant number of attack vectors quite well, and you can use it alongside frameworks like Metasploit to learn or reinforce evasion skills.

[2017-02-10]: The Evader tool is no longer available, but I kept a copy here: Evader, for those interested in playing with it.

In addition to this write-up, the following references will give you all you need to learn more about intrusion detection evasion:

Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection
Ptacek & Newsham, 1998

The Base-Rate Fallacy and its Implications for the Difficulty of Intrusion Detection
Stefan Axelsson, 1999

A Strict Anomaly Detection Model for IDS
sasha / beetle, 2000

Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics
Handley, Paxson & Kreibich, 2001

IDS Evasion Techniques and Tactics
Kevin Timm, 2002

Combining Evasion Techniques to Avoid Network Intrusion Detection Systems
Gorton & Champion, 2003

Intrusion Detection System (IDS) Evasion
VeriSign, 2006

Thermoptic Camouflage: Total IDS Evasion
Caswell & Moore, 2006

Metasploitation
HD Moore, CanSecWest 2006

How to test an IPS
Renaud Bidou, 2006

Detection of DDoS and IDS Evasion Attacks in a High-Speed Networks Environment
Oh, Park, Jang & Jeon, 2007

Advanced Evasion Techniques: New Methods and Combinatorics for Bypassing Intrusion Prevention Technologies
Boltz, Jalava & Walsh, 2010

Active Mapping: Resisting NIDS Evasion without Altering Traffic
Umesh Shankar & Vern Paxson, 2003

Intrusion Detection FAQ: How does Fragroute evade NIDS detection?
Michael Holstein


Overlapping IPv6 Fragments

Antonios Atlasis is an independent IT security analyst who recently joined the Centre for Strategic Cyberspace + Security Science, a non-profit organization. This year he released a paper called “Attacking IPv6 Implementation Using Fragmentation“. If you are interested in the security issues that arise from IP packet fragmentation you should read it: it describes how fragmentation can be used by attackers to elude intrusion detection systems and includes proof-of-concept code written with the Scapy tool. One result of this research is the fresh CVE-2012-4444.

Worth noting is that the IETF released RFC 5722 on this topic back in December 2009. In it, Suresh Krishnan of the IPv6 working group states that IPv6 nodes must not create overlapping fragments, and that a node which receives overlapping fragments must silently discard the entire datagram. We should see adoption of this RFC by the security industry in the future.

Attacks via IP packet fragmentation are not new; they were thoroughly documented in January 1998 by Thomas Ptacek and Timothy Newsham in the landmark paper on the topic, “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection”. Based on that paper, Dug Song released a tool called fragrouter and later fragroute, which implemented the techniques it describes. But that is a different story, and I intend to write more about this topic in the near future, because it is still being discussed today.
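The reason overlapping fragments matter to an IDS, whether the IPv4 fragmentation and TCP overlap techniques in the Evader list above or the IPv6 case this post is about, is that the sensor and the protected host may reassemble the same fragments differently. The following added example (my own, not from the paper, from RFC 5722 or from the original post; it does not use Scapy and models only the reassembly logic, not the packets) shows a minimal reassembler under three policies: keep the first bytes received, let later bytes overwrite, or discard the whole datagram on any overlap as RFC 5722 mandates. The fragments are constructed, use 8-octet offset units as the IPv6 Fragment header does, and carry no exploit.

```python
"""Fragment reassembly policies and why overlapping fragments matter.

Added example, not from the paper or the original post: a minimal IPv6-style
reassembler over constructed fragments.  Offsets are in 8-octet units as in
the IPv6 Fragment header; the fragments below are made up to demonstrate
the overlap ambiguity and contain no real exploit.
"""


def _check_lengths(frags):
    """Every non-final fragment must carry a multiple of 8 octets."""
    for off, more, data in frags:
        if more and len(data) % 8:
            raise ValueError(f"non-final fragment at offset {off} is not a multiple of 8")


def reassemble(frags, policy):
    """Reassemble (offset, more_fragments, payload) tuples under a policy.

    'first'   : bytes already received win on overlap
    'last'    : bytes received later overwrite earlier ones
    'rfc5722' : any overlap discards the whole datagram (RFC 5722, section 4)
    Returns the reassembled payload, or None if the datagram is dropped.
    """
    _check_lengths(frags)
    buf = {}                                  # byte index -> byte value
    for off, more, data in frags:
        start = off * 8
        span = range(start, start + len(data))
        overlap = any(i in buf for i in span)
        if overlap and policy == "rfc5722":
            return None                       # whole datagram silently discarded
        for i, b in zip(span, data):
            if i in buf and policy == "first":
                continue                      # keep what arrived first
            buf[i] = b                        # 'last' (or no overlap): write
    # Completeness: exactly one final fragment, ending where the data ends,
    # and no holes in between.
    finals = [off * 8 + len(d) for off, more, d in frags if not more]
    total = max(buf) + 1 if buf else 0
    if len(finals) != 1 or finals[0] != total or any(i not in buf for i in range(total)):
        return None
    return bytes(buf[i] for i in range(total))


def evasion_possible(frags, ids_policy, host_policy):
    """True when the sensor and the protected host disagree on the content."""
    return reassemble(frags, ids_policy) != reassemble(frags, host_policy)


# Constructed fragments: the second 8-octet block is sent twice with
# different content, so what the datagram "says" depends on the receiver.
FRAGS = [
    (0, True,  b"GET /doc"),                # bytes 0-7
    (1, True,  b"s/safe.h"),                # bytes 8-15, first version
    (1, True,  b"s/evil.h"),                # bytes 8-15, overlapping re-send
    (2, False, b"tml HTTP/1.0\r\n\r\n"),    # final fragment, any length
]

if __name__ == "__main__":
    for policy in ("first", "last", "rfc5722"):
        print(f"{policy:8s} -> {reassemble(FRAGS, policy)!r}")
    print("IDS(first) vs host(last) evadable:", evasion_possible(FRAGS, "first", "last"))
```

Run it and the first-wins receiver sees a request for /docs/safe.html while the last-wins receiver sees /docs/evil.html; a sensor that picks either policy without knowing what the destination host does is blind to one of the two, which is exactly the insertion/evasion problem Ptacek and Newsham described, and the reason the Active Mapping paper in the reference list argues for telling the NIDS what each host's policy is. Under the RFC 5722 rule the ambiguity disappears, because the whole datagram is dropped; the cost is that a single overlapping fragment, even a harmless retransmission with identical bytes, also drops it.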


Start with 334

Effective and reliable security monitoring that produces actionable information is one of the tools that can help us adjust to today’s complex threat landscape. One of the mechanisms available under security monitoring is the use of real-time blacklists (RBLs). These blacklists keep track of IP addresses that are considered malicious or offensive, and they help people and organizations keep an eye both on the IP addresses they own and on the addresses their systems talk to. For example, you can monitor and potentially detect whether your public IP address space is being blacklisted, or whether one of your systems has been compromised and is communicating with a blacklisted IP (e.g. sending intellectual property overseas or receiving command-and-control instructions).

The information available is mainly public and is contributed to the security community by well-known individuals like Roman Hussy of abuse.ch or Steven Adair of the Shadowserver Foundation. I have reason to believe that combining information from reliable and trustworthy blacklist sources with the defense mechanisms already in place (traditionally blacklists are applied at the perimeter, because of the volume of data) gives us a straightforward method to accurately identify signs of danger, reduce our exposure to today’s threats and produce actionable intelligence.

Of the available blacklist data sources, three are worth highlighting (descriptions taken from their respective websites):

Abuse.ch is one of the best public resources you can use to track botnet command and control domains and IP addresses. At the moment it contains three trackers:

  1. Zeus tracker is a list of all ZeuS C&Cs as well as Fake URLs which are currently known to the ZeuS Tracker. You can browse the ZeuS Tracker to get a list of ZeuS C&Cs and FakeURLs in a specified Country or AS number. Additionally the ZeuS Tracker provides a feature which allows you to filter the ZeuS C&Cs for specified Nameservers, Level, Status and many more.
  2. SpyEye Tracker is another project by abuse.ch. It is similar to the ZeuS Tracker with the slight difference that SpyEye Tracker tracks and monitors malicious SpyEye Command&Control Servers (and not ZeuS C&Cs). SpyEye Tracker provides blocklists in different formats (eg. for Squid Web-Proxy or iptables) to avoid that infected clients can access the C&C servers. Additionally, SpyEye Tracker should help ISPs, CERTs and Law Enforcement to track malicious SpyEye C&C servers which are their responsibility.
  3. Palevo tracker is a list of Palevo infections. Palevo is a worm that spreads using instant messaging, P2P networks and removable drives (like USB sticks). It is being sold in underground forums like ZeuS. The worm (also known as Rimecud, Butterfly bot and Pilleuz) made big press in 2010 (see Trend Micro: “Clipping Mariposa’s Wings” / Symantec: “Symantec: The Mariposa Butterfly“).

Shadowserver Foundation is an all volunteer watchdog group of security professionals that gather, track, and report on malware, botnet activity, and electronic fraud. It is the mission of the Shadowserver Foundation to improve the security of the Internet by raising awareness of the presence of compromised servers, malicious attackers, and the spread of malware. You might have heard of them from their collaboration with Microsoft on taking down the Waledac botnet.

Emerging Threats is an open source community for collecting Suricata and Snort rules, firewall rules, and other IDS rulesets. The open source community still plays an active role in Internet security, with more than 200,000 active users downloading the ruleset daily.

Other than those three, the following picture illustrates a compilation of data sources of blacklisted IPs with the amount of addresses they provide and the respective site to download the blacklist. Most of them are free for private use.

Block Lists

All these lists together contain 16749 entries (type = address), of which 95.4% are unique. No count is given for Shadowserver because its monitoring service works from the ASN or CIDR ranges you tell them you own.

Besides that, you can search through these block lists for valuable information, although that can be time consuming. Online services like the Anti-Abuse Project automatically check IP addresses and domains against 60 real-time blacklists and give you actionable information: an IP address listed on more than 10 block lists, for example, can be treated as malicious.
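The two ideas in the paragraphs above, merging several lists and counting unique entries, and treating the number of lists an address appears on as a confidence score, are easy to automate. The following added example is mine, not code or data from abuse.ch, Emerging Threats or the original post: the four feeds are constructed samples using RFC 5737 documentation addresses, the firewall log lines are made up, and the feed layout (one IP or CIDR per line, '#' comments) is an assumption that matched the plain-text lists those projects published at the time.

```python
"""Aggregating IP block lists and matching them against log data.

Added example, not part of the original post.  The feed contents and the
log lines below are constructed (RFC 5737 documentation addresses), not real
tracker data, and the feed format (one entry per line, '#' comments, host
IPs or CIDRs) is an assumption.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed feeds keyed by a short list name.
FEEDS = {
    "zeus_tracker": """# ZeuS Tracker IP block list (constructed sample)
# updated: 2012-11-01
192.0.2.10
192.0.2.11
198.51.100.7
""",
    "spyeye_tracker": """# SpyEye Tracker IP block list (constructed sample)
192.0.2.11
203.0.113.5
""",
    "palevo_tracker": """# Palevo Tracker IP block list (constructed sample)
198.51.100.7
203.0.113.5
203.0.113.9
""",
    "et_rbn_malvertisers": """# Emerging Threats RBN malvertisers (constructed sample)
203.0.113.0/28
192.0.2.10
""",
}


def parse_feed(text):
    """Set of ip_network objects in a feed; blanks, comments and junk are skipped."""
    nets = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.add(ipaddress.ip_network(line, strict=False))  # host IP -> /32
        except ValueError:
            continue  # one malformed line must not poison the whole list
    return nets


def build_index(feeds):
    """Map each network to the names of the lists that carry it."""
    index = defaultdict(set)
    for name, text in feeds.items():
        for net in parse_feed(text):
            index[net].add(name)
    return index


def coverage_stats(feeds):
    """(total entries across lists, unique entries, unique percentage)."""
    total = sum(len(parse_feed(t)) for t in feeds.values())
    unique = len(build_index(feeds))
    return total, unique, round(100.0 * unique / total, 1)


def lookup(index, ip):
    """Names of every list containing ip, as a host entry or inside a CIDR."""
    addr = ipaddress.ip_address(ip)
    hits = set()
    for net, names in index.items():
        if addr in net:
            hits |= names
    return hits


# Constructed iptables-style log lines; only SRC= and DST= are parsed.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+)")
LOG_LINES = [
    "Nov  1 10:02:11 gw kernel: OUT=eth0 SRC=10.1.1.20 DST=203.0.113.5 PROTO=TCP DPT=80",
    "Nov  1 10:02:12 gw kernel: OUT=eth0 SRC=10.1.1.21 DST=198.51.100.200 PROTO=TCP DPT=443",
    "Nov  1 10:02:13 gw kernel: OUT=eth0 SRC=10.1.1.22 DST=192.0.2.11 PROTO=TCP DPT=8080",
]


def scan_log(index, lines, threshold=2):
    """(dst, sorted list names) for each line whose destination is on >= threshold lists."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        hits = lookup(index, m.group("dst"))
        if len(hits) >= threshold:
            findings.append((m.group("dst"), sorted(hits)))
    return findings


if __name__ == "__main__":
    index = build_index(FEEDS)
    total, unique, pct = coverage_stats(FEEDS)
    print(f"{total} entries, {unique} unique ({pct}%)")
    for dst, lists in scan_log(index, LOG_LINES):
        print(f"outbound to {dst}: on {len(lists)} lists {lists}")
```

The threshold is the same idea as the Anti-Abuse Project's count, just applied to your own feeds: a destination found on three of the four sample lists is a much stronger signal than one found on a single list. Note that the unique percentage counts entries, so a /28 and a host address inside it are two entries; a linear scan of every network per lookup is fine for a few thousand entries, but for large feeds you would want a prefix tree.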

After all this text, here is why this entry is called 334: at the time of writing, that is the number of IP addresses you should certainly monitor. These 334 IP addresses are the sum of the addresses on the ZeuS, SpyEye and Palevo tracker lists from the abuse.ch repository plus the RBN (Russian Business Network) Frequent Malware Advertisers list from the Emerging Threats repository.

If you use any of these blacklists, update them at reasonable intervals. They will definitely help you build a list of prohibited events and procedures for remediating them. Use them as you see fit.


Tavis Ormandy strikes again!

For those who might not know who Tavis Ormandy is, you may have heard his name back in June 2010. At that time he published research and proof-of-concept code for a vulnerability in the Microsoft Help and Support Center application, exploitable on Windows XP SP3 with Internet Explorer 6, 7 or 8 (CVE-2010-1885). After the disclosure the vulnerability was rapidly added to the Metasploit framework, and some controversy arose around his responsible disclosure approach. Microsoft released a patch for this vulnerability on 13 July 2010. Further research built on this vulnerability showed how to bypass antivirus products, because the vendors’ products allowed the code to execute before detecting the malware; this resulted in CVE-2010-3496, CVE-2010-3497, CVE-2010-3498 and CVE-2010-3499, affecting McAfee, Symantec, AVG and F-Secure respectively. Beyond that, Tavis Ormandy disclosed more than 120 vulnerabilities between 2004 and 2010.

What I actually want to mention here is that he just published the second part of a great piece of research on Sophos antivirus. The first paper on this topic, “Sophail: A Critical Analysis of Sophos Antivirus”, can be found here. The second part gives a very detailed technical analysis of how typical Sophos antivirus deployments are exposed to several attacks, including an integer overflow, local privilege escalation, XSS and many others. A summary of the vulnerabilities can be found on the Sophos website. They affect the latest version of Sophos at the time the paper was published; if you are using Sophos you should consider patching.

One thing to note, besides the quality of the research, is the good cooperation between Tavis and Sophos in releasing this information responsibly. Further details and a timeline of events are in section six of the document. According to Sophos the majority of the vulnerabilities have been addressed; for the ones not yet fixed, a patch is expected on 28 November.


Common Criteria Information Technology Security Evaluation

The ISC handlers from the SANS Internet Storm Center ran a series of diaries for Cyber Security Awareness Month throughout October. The goal was to promote standards and security. Once again they produced very good diaries, and you can see the list of published diaries here.

With that in mind, I decided to write a short article on the subject as well. The idea is to promote knowledge of the Common Criteria standard, an international standard that specifies security requirements and defines evaluation criteria for measuring the security of IT products (hardware and software). I also give a brief background on what existed before this standard.

Among other things, Common Criteria aims to be the world standard for security specifications and evaluations. To accomplish this, the national organizations that make up the Common Criteria consortium worked with the International Organization for Standardization (ISO) to have the standard accepted there. This was a step in the right direction, and Common Criteria version 2.1 is formally recognized as ISO/IEC 15408.

But let’s go back 30 years, to the National Computer Security Center (NCSC), at that time a branch of the National Security Agency (NSA). The center was responsible for the United States government’s trusted computer program, known as TCSEC (Trusted Computer System Evaluation Criteria). It also evaluated commercial security products, published and sponsored research, and promoted technical guidelines. In 1985 the NCSC published the famous “Orange Book”, whose goal was to define security requirements and give the security industry an instrument for measuring the security of their systems. This is the book that specifies the well-known class C2 rating. It can be downloaded here.

The Orange Book got its name from its orange cover. It was part of the Rainbow Series, a set of security requirement and guideline documents named after their colorful covers. All the books were produced by the National Security Agency, and all products were tested by it. Over time the security industry lost interest in TCSEC evaluation: there was little return on investment, it only covered the US market, and it was so time consuming that products often obtained their assurance rating when they were already end of life.

The next step taken by government institutions was the evaluation criteria known as ITSEC, developed by France, Germany, the Netherlands and the United Kingdom. These criteria addressed some of the limitations of the TCSEC, covering integrity and availability as well as confidentiality, but the process did not last long.

After that, discussions started on developing a common set of standards that an association of countries could agree on. A program was needed that would evaluate and quantify the assurance levels of a security product and be recognized across different countries, and so Common Criteria was born. The goal of the program was to establish a high degree of assurance that products would consistently perform their security functions safely and securely when handling data, and that failures would not result in the compromise of sensitive information. The program also opened a broader market for products completing the evaluation, by allowing international sales to the nations participating in it. Some participating nations mandate the use of these products in their information systems, and that mandate has translated into requirements for systems under development.

So this is where we are today in terms of security evaluation criteria for IT systems. The CC philosophy is to provide assurance based on an evaluation (active investigation) of the IT product that is to be trusted. Evaluation is the traditional means of providing assurance and is the basis for prior evaluation criteria documents. The CC uses expert evaluators to assess the documentation and the resulting IT product with increasing emphasis on scope, depth and rigor [Common Criteria part 3, 2006]. Scope, depth and rigor increase with the levels of assurance, known as EALs (Evaluation Assurance Levels). There are seven hierarchically ordered evaluation assurance levels defined in the CC to rate a TOE (Target of Evaluation), which could be a software application, an operating system, a software application in combination with an operating system, a smart card integrated circuit, a database application and so on.

The list of EALs is as follows:

Evaluation assurance level 1 (EAL1) – functionally tested
Evaluation assurance level 2 (EAL2) – structurally tested
Evaluation assurance level 3 (EAL3) – methodically tested and checked
Evaluation assurance level 4 (EAL4) – methodically designed, tested and reviewed
Evaluation assurance level 5 (EAL5) – semiformally designed and tested
Evaluation assurance level 6 (EAL6) – semiformally verified design and tested
Evaluation assurance level 7 (EAL7) – formally verified design and tested

The intent of the higher levels is to provide higher confidence that the system’s principal security features are reliably implemented. The EAL does not measure the security of the system itself: it states how rigorously the product was evaluated against the security functions claimed in its Security Target, not how much security functionality it has. Achieving a higher EAL generally costs more money and takes more time than a lower one. The EAL number assigned to a certified product indicates that the product completed all requirements for that level.

Products begin the CC process by being evaluated in an accredited laboratory. In the United States these commercial laboratories are approved by the National Information Assurance Partnership (NIAP), and the National Voluntary Laboratory Accreditation Program (NVLAP) provides third-party accreditation for testing and calibration laboratories; NVLAP accreditation is the primary requirement for becoming a Common Criteria Testing Laboratory.

Vendors provide guidance on how to configure their products in the evaluated configuration; for example, there are Microsoft operating systems, Red Hat operating systems and Check Point firewalls, among several others, with EAL4 certification. The CC program provides a wealth of information that can help you achieve higher security in your implementation and deployment of evaluated products. Keep in mind that the certificate applies only to the evaluated configuration described in these guides; a deployment configured differently is not the certified product.

Windows Server 2003 Common Criteria Configuration Guide.
Windows Server 2003 Common Criteria Administrator’s Guide.
Check Point R7x Installation Guide for Common Criteria Evaluated Configuration.
Check Point R7x Administrator Guide for Common Criteria Evaluated Configuration.
Cisco ASA 7.0.6 Installation and Configuration Guide for Common Criteria Evaluated Configuration.

The list of certified products can be accessed on the Common Criteria Portal.

References:

Official (ISC)2 Guide to the ISSAP CBK
Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and General Model, version 3.1 Revision 4
Common Criteria for Information Technology Security Evaluation, Part 3: Security Assurance Requirements, version 2.3


Day one for Count upon Security

I am very excited about this new project. It will let me contribute to the IT security community with material covering multiple security disciplines. My goal is to share comprehensive information, raise awareness and illustrate security matters. With luck it will let you learn new skills, reinforce current ones or just read for fun. At the moment I have lots of ideas about topics I would like to share and discuss with you, and I just need to start putting them on paper.

One of the main reasons I am starting this blog is that I work in the security field, and based on my experience I have reason to believe the information security industry will continue to grow in size, density and specialization. The demand for qualified security professionals with the right knowledge and skills will therefore increase substantially. One of my aims is to help you grow your security expertise and awareness; that does not mean you will find a job here, but an IT security career is a very interesting one to take.

A recent article illustrates this demand: the United States Department of Homeland Security has created a fellowship program designed to attract recent college graduates into cyber security careers, and says its cyber workforce has grown by 600 percent over the last few years. Furthermore, my last search with the keyword “security” on JobServe for the IT & Telecommunications industry in the UK returned 1429 jobs, and the same query on the Swiss job portal jobs.ch returned 448 results, quite amazing considering the size of the country.
