How to Become a Psychic CISO

Does John Powers have some sort of psychic connection to the spiritual realm?

Probably not, but he relies on a solid security solution that gives him unrivaled visibility into activity on his organization’s IT systems. That’s not channeling spirits from the netherworld; that’s simply having the right people, skills and solutions to be confident.

Our friends at Tripwire have released the second video in the hilarious “John Powers Supernatural CISO” series. This time John’s coworkers think his uncanny knowledge of the system network is coming from the spirit realm.

For more information, astral-project over to the John Powers site, or for live readings check out their Twitter feed.

Security Trap: Many New Security “Training” Courses are covering Outdated Material


Over the last week or so I have been reading through a lot of security “training” material that either has been recently published or was being submitted for publishing. The problem is, a lot of the material was very old and not necessarily even relevant anymore.

Most anti-virus programs catch new threats by installing updated virus signatures so the engine can recognize them. They “learn” to detect the newer threats. Granted, many “new viruses” are just rehashed code, modified so that its signature changes. But there are completely new creatures out there that haven’t been seen before.

If the anti-virus engine didn’t evolve, it would never be able to stop (or even detect) the newer threats.

I find it concerning that of all the “new” security articles and training material that I have read in the last two weeks, one of the most advanced techniques I read about was from a security book written in 2004!

The example described a new attack the author detected hitting Air Force systems. The attack was actually pretty impressive: the attacker used several machines, and each machine was programmed to attack a certain system, but only intermittently and only for a brief amount of time.

Each individual attacker system would run one small attack per day and then not touch the target again for a week or so. The next attacker system would do the same thing, against a different part of the target system, and then, like the first, go quiet for a long time. These systems attacked one after the other: a sort of distributed botnet of attacking systems, each hitting only once, briefly, before the next took its turn.

It was very difficult for the system analysts to detect this attack. They had to focus on the attacked system, not the attackers, to find a pattern: no single source ever generated enough traffic to trip a per-source threshold. Because they had full data capture of all their network traffic, they were able to find and track the attacks against the target network. But the pattern only showed up over weeks and months of network security monitoring, analyzing captured packets for patterns.
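The detection problem described above, as an added example that is not from the book or from this blog: the alert data is constructed (RFC 5737 addresses, not Air Force data), and the thresholds are assumptions. The attacker-centric rule, which counts events per source per day, never fires, because each host probes once and then goes quiet. The target-centric view slides a window of weeks over everything aimed at one destination and counts distinct sources and distinct services, which is where the campaign shape becomes visible.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts for illustration (not real Air Force data). Each
# line is: timestamp, attacker, target, target port. Every attacker host probes
# the target at most once per day and then stays away for a week or more, and
# each host aims at a different service.
SAMPLE_ALERTS = """\
1999-03-01T02:10:00 10.9.1.11 192.0.2.50 21
1999-03-02T03:40:00 10.9.1.12 192.0.2.50 23
1999-03-03T01:05:00 10.9.1.13 192.0.2.50 25
1999-03-04T04:20:00 10.9.1.14 192.0.2.50 53
1999-03-05T02:55:00 10.9.1.15 192.0.2.50 80
1999-03-05T11:00:00 10.9.2.99 192.0.2.77 80
1999-03-06T03:15:00 10.9.1.16 192.0.2.50 110
1999-03-07T01:45:00 10.9.1.17 192.0.2.50 111
1999-03-09T02:30:00 10.9.1.11 192.0.2.50 139
1999-03-10T03:10:00 10.9.1.12 192.0.2.50 143
1999-03-17T02:00:00 10.9.1.13 192.0.2.50 443
1999-03-24T02:25:00 10.9.1.14 192.0.2.50 445
1999-03-31T03:00:00 10.9.1.15 192.0.2.50 3306
"""


def parse_alerts(text):
    """Parse the whitespace-separated alert lines into (time, src, dst, port)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def noisy_sources(events, max_per_day=2):
    """Attacker-centric view: sources exceeding a per-day event rate.

    This is what a per-source threshold rule sees. A slow, distributed attack is
    built so that no source ever crosses the line, so this returns nothing."""
    counts = defaultdict(int)
    for ts, src, _dst, _port in events:
        counts[(src, ts.date())] += 1
    return sorted({src for (src, _day), n in counts.items() if n > max_per_day})


def target_campaigns(events, window_days=60, min_sources=3, min_ports=5):
    """Target-centric view: for each destination, slide a long window over its
    events and count distinct sources and distinct ports. Many sources, many
    services, few events each, spread over weeks: that is the campaign shape."""
    by_dst = defaultdict(list)
    for ev in events:
        by_dst[ev[2]].append(ev)
    window = timedelta(days=window_days)
    findings = {}
    for dst, evs in by_dst.items():
        evs.sort()
        for i, (start, _src, _dst, _port) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            sources = {e[1] for e in in_win}
            ports = {e[3] for e in in_win}
            if len(sources) < min_sources or len(ports) < min_ports:
                continue
            prev = findings.get(dst)
            if prev is None or len(in_win) > prev["events"]:
                findings[dst] = {
                    "events": len(in_win),
                    "sources": len(sources),
                    "ports": len(ports),
                    "first": in_win[0][0],
                    "last": in_win[-1][0],
                }
    return findings


if __name__ == "__main__":
    evs = parse_alerts(SAMPLE_ALERTS)
    print("per-source threshold rule fires on:", noisy_sources(evs))
    for dst, f in target_campaigns(evs).items():
        print(f"{dst}: {f['events']} probes from {f['sources']} sources "
              f"against {f['ports']} ports, {f['first'].date()} to {f['last'].date()}")
```

The point of the two functions side by side is the one the book made: the same thirteen alerts are invisible to the per-source rule and obvious once you pivot on the target, and the pivot only works if you have kept enough history to cover the whole window.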

Pretty advanced stuff!

The problem is that this attack was recorded as happening in 1999.

Hacker groups are very good at sharing attack techniques with others in their groups. They share training and tools fairly rapidly on hidden websites and private forums. Granted, security groups that meet once a month are doing a good job of getting security techniques disseminated, but there is still a long way to go to get the good guys up to speed and on the same page.

Also be aware of this when looking into purchasing security training material. Check into the company and the instructors. You may be getting recycled material that is no longer relevant.

“It was Just a Virus” – Full Data Breaches through Malicious Attachments


If a malware file is allowed to execute, and it collects all of the personal files off a system and sends them to a remote hacker, was your company hacked, or did you “just have a virus”?

I love all parts of security and I’ve been trying my hand at some basic malware analysis. I’ve only analyzed a few so far, but the results have been pretty eye opening. A couple of files inspected were new data miners, part of a phishing or social engineering attack.

Basically, a corporate user would receive a crafted e-mail saying that they had received a fax from their internal fax server. Sure enough, the e-mail would carry a PDF-looking attachment. But once the “attachment” is executed, the user gets a whole lot more than a fax.

The “.pdf” file is actually an executable malware file using a PDF logo as its icon (Windows hides known file extensions by default, so a name like fax.pdf.exe displays as fax.pdf). The file executes a data mining attack that searches the hard drive for personal data, browser caches, system files, registry settings and installed applications, including FTP and security programs, remote access programs, file managers, web site authoring software, and even clients for remote online storage.

Once it gathers this information, it tries to connect to a foreign server to upload the purloined data.
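The disguised-executable trick above can be caught before anything runs by checking an attachment’s content against the type its name claims. Here is an added example of such a check, not code from the blog or from the malware sample: the attachments are constructed (the “executable” is just the header bytes a PE loader checks, not a program), and the list of dangerous extensions is an assumption to be tuned. It blocks double extensions outright, and blocks anything named .pdf whose bytes do not begin with the PDF magic, reporting separately when the bytes are actually a Windows PE header.

```python
import struct

# Magic bytes of the two formats at issue. A real PDF begins with "%PDF-"; a
# Windows executable begins with "MZ" and has a "PE\0\0" signature at the
# offset stored in the DOS header at 0x3C.
PDF_MAGIC = b"%PDF-"
MZ_MAGIC = b"MZ"

# Extensions Windows will execute on double-click. Assumed list, extend to taste.
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
             "wsf", "hta", "msi", "jar"}


def is_pe(data):
    """True if data carries a Windows PE header (MZ stub plus PE signature)."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\0\0"


def classify_attachment(filename, data):
    """Return (verdict, reason) for one attachment.

    The claimed type comes from the filename, the real type from the content;
    the two must agree. Anything Windows would execute is blocked outright."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXEC_EXTS:
        kind = "double extension" if len(parts) > 2 else "executable attachment"
        return "block", f"{kind}: {filename}"
    if ext == "pdf" and not data.startswith(PDF_MAGIC):
        if is_pe(data):
            return "block", "named .pdf but content is a Windows executable"
        return "block", "named .pdf but content is not a PDF"
    return "allow", "extension matches content"


def build_fake_pe():
    """Constructed stand-in for the malicious 'fax' executable: just the header
    bytes the checks above look at. It is not a runnable program."""
    header = bytearray(0x84)
    header[0:2] = MZ_MAGIC
    struct.pack_into("<I", header, 0x3C, 0x80)
    header[0x80:0x84] = b"PE\0\0"
    return bytes(header)


# Constructed sample mailbox: a real-looking PDF, the PDF-icon trick with a
# hidden .exe extension, a PE renamed to plain .pdf, and a harmless text note.
SAMPLE_ATTACHMENTS = {
    "fax_message.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "fax_message.pdf.exe": build_fake_pe(),
    "Fax_0231.pdf": build_fake_pe(),
    "notes.txt": b"meeting moved to 10am\n",
}


def scan_attachments(attachments):
    """Classify every attachment; returns {filename: (verdict, reason)}."""
    return {name: classify_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:5} {name:24} {reason}")
```

The extension check alone is what most mail gateways already do; the content check is what catches the sample the post describes when it arrives under a name the gateway would otherwise wave through.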

So should these attacks be considered as “just a virus”, or should this be considered a full data breach?

All the elements of “being hacked” are present. Private data files, including password files and databases, could have been obtained, and the information is then sent out of the network to a remote hacker’s server set up to receive it. Malware is already running on the system, so how hard would it be to use the system as a persistent backdoor into the corporation?

And lastly, these evil infiltrators are coded to slip past anti-virus and firewalls: only 2 AV companies detected one of the malicious executables I examined as containing a Trojan. And since the program connects out from your system to the malware server after executing, a perimeter firewall that permits outbound connections does not block it.

Sure, most companies consider that they were hacked when a server has been compromised, but what if a top engineer who kept classified research information on his system, or an IT administrator of a secure facility, ran the attachment from the phishing e-mail?

And how would these people even know that private data had been sent out of their network if no network security monitoring was in effect? Would they just write off the attack, saying, “It was just a virus…”?

Long gone are the misspelled, fake-looking social engineering attacks. E-mail attacks are getting much better; they look professional and are believable, especially when your company uses the same software the e-mail is pretending to come from (like an incoming fax message).

Employees need to be warned that malicious e-mails try to replicate legitimate communication, and that if something looks or feels suspicious, they should not run it and should contact your support department.

Sure, this will probably mean more calls to the data center, but if you can catch these things BEFORE they execute, you can take steps to protect your network, especially if you find out what servers they are trying to connect out to: you can block those addresses so others who aren’t as vigilant are protected too.

The Deep Web vs Network Security Monitoring

We have all heard the horror stories of the Deep Web. You know, the evil internet underground where cyber criminals and sexual predators lurk. Where boogiemen and anarchists trade secret coded messages through encrypted channels.

But is it really that bad?

Into the Void

The “Deep Web”, Dark Web or hidden internet is a massive collection (some say up to 500 times the size of the regular internet) of sites and databases that don’t show up in standard search engines like Google. (Strictly, the unindexed “deep web” and the Tor-hosted “dark web” are different things, but the terms are commonly run together.) One of the easiest ways to connect to this network is via Tor, which encrypts the traffic and hides the client’s address from the sites it visits. There are several Deep Web search engines and portals that are only accessible through Tor. They have long cryptic names that usually end in “.onion”.

Does the dark web live up to its dark-side nomenclature? Absolutely! View any of the portal entrance menus and you’ll instantly know that you are not in Kansas anymore. Criminals, hitmen, drug dealers and others openly ply their trade. And don’t even bother putting normal “G-rated” terms into a Deep Web search engine. It most likely won’t find a response, or it will find a very deviant response for what you typed in.

So, is this a place that you want ANYONE on your corporate network to visit?

NO WAY.

Though many use Tor for legitimate purposes, the deep web just isn’t that kind of place. But what can you do?

Enter Network Security Monitoring!

You do have a network monitoring system, don’t you? If you don’t have a web proxy to control and block suspicious traffic, you can still use your network security monitoring system to catch Tor traffic.

As a test, I downloaded Tails, the Unix distro that comes all wired to run Tor out of the box. To its credit, it is one of the fastest Tor implementations that I have seen by far. Surfing normal websites and searching with Google was relatively quick, not like the normal Tor use that I am used to on my Ubuntu or Windows systems.

I visited a couple of the “Deep Web” portals and even used the Torch search engine. Other than being painfully slow accessing these portals, I was actually able to find some legal material to use as a test! I grabbed some hardware “how-to” images and a couple of goofy .pdf files.

I then pulled up my security server console to check whether it caught anything.

It sure did! I received several alerts concerning my trip into the void. The traffic tripped several “known Tor node” rules. The Tails system IP address is listed along with the rule alerts. A security analyst monitoring this network could easily tell what corporate system was using the Tor network, and when they used it.

For further analysis, I grabbed the network packet capture for the session and imported it into my Netwitness Investigator program. It too detected the Tor traffic:

It didn’t throw an alert though, which I really thought it would. Suspicious traffic usually shows up at the top of Investigator, under “alerts”.

I did notice something else that bothered me. To be extra sure, I ran the packet capture through both Xplico and Network Miner. The results from these backed up my initial findings.

There were no pictures… Or text documents…. Or pdf files… found in the packet capture.

As a matter of fact there was 0% detected unencrypted text. Yikes!

With just standard packet capture and detection, and without SSL decryption, there would be no way to determine what was viewed or downloaded from the Tor network or, worse, the Deep Web. Decrypting at a proxy would not help either: the Tor client authenticates the relay it connects to, so an intercepting proxy simply breaks the connection, and the onion layers inside are encrypted to the individual relays, not to your gateway.
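Both findings above, the “known Tor node” rule firing on the relay address and the complete absence of cleartext in the capture, can be reproduced with a few lines over flow records. This is an added example, not the rule set or tooling used in the post: the relay list and the flows are constructed from RFC 5737 documentation ranges, and the opaque-payload threshold is an assumption. A real deployment would load the relay list from the Tor consensus or a published relay feed and refresh it regularly, since relays come and go.

```python
import string

# Constructed list standing in for a feed of known Tor relay addresses (RFC 5737
# documentation ranges, not real relays). In production this comes from the
# Tor consensus or a published relay/exit list and is refreshed regularly.
KNOWN_TOR_RELAYS = {"203.0.113.10", "203.0.113.20", "198.51.100.5"}

# Default Tor onion-router and directory ports; a weak signal on its own,
# since many relays listen on 443 instead.
TOR_DEFAULT_PORTS = {9001, 9030}

# Constructed flow records: (src, dst, dst_port, first bytes of client payload).
# One workstation talks to Tor relays; the other browses and sends mail.
TLS_HELLO = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + bytes(range(0x80, 0xa0))
SAMPLE_FLOWS = [
    ("10.0.0.23", "203.0.113.10", 9001, TLS_HELLO),
    ("10.0.0.23", "198.51.100.5", 443, TLS_HELLO),
    ("10.0.0.44", "192.0.2.80", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.44", "192.0.2.25", 25, b"EHLO workstation44.example.com\r\n"),
]

_PRINTABLE = set(string.printable.encode())


def printable_ratio(payload):
    """Fraction of payload bytes that are printable ASCII. Encrypted or
    compressed data sits near zero; cleartext protocols sit near one."""
    if not payload:
        return 0.0
    return sum(b in _PRINTABLE for b in payload) / len(payload)


def analyze_flows(flows, relays=KNOWN_TOR_RELAYS, opaque_threshold=0.3):
    """Return one finding per suspicious flow: {src, dst, dport, reasons}.

    A destination on the relay list is the strong signal (the 'known Tor node'
    rule). Default Tor ports and an opaque payload are weaker corroboration."""
    findings = []
    for src, dst, dport, payload in flows:
        reasons = []
        if dst in relays:
            reasons.append("known Tor relay")
        if dport in TOR_DEFAULT_PORTS:
            reasons.append("default Tor OR/Dir port")
        if printable_ratio(payload) < opaque_threshold:
            reasons.append("opaque payload, nothing to inspect without the keys")
        if reasons:
            findings.append({"src": src, "dst": dst, "dport": dport, "reasons": reasons})
    return findings


def tor_clients(findings):
    """Internal hosts that reached a known relay: the list an analyst escalates."""
    return sorted({f["src"] for f in findings if "known Tor relay" in f["reasons"]})


if __name__ == "__main__":
    found = analyze_flows(SAMPLE_FLOWS)
    for f in found:
        print(f"{f['src']} -> {f['dst']}:{f['dport']}  {', '.join(f['reasons'])}")
    print("hosts using Tor:", tor_clients(found))
```

Notice what the output does and does not tell you: which internal host spoke to Tor, to which relay, and when, but nothing about what went over the circuit. That is exactly the gap the packet capture showed, and it is why the relay-address match, not payload inspection, is the detection to rely on.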

Conclusion

The Tor client wraps each request in several layers of encryption, one for each relay in the circuit. Every relay strips one layer and passes the data on, and only the exit node sees the original traffic as the packets leave the Tor network (still encrypted end to end if the destination site uses HTTPS). Though some businesses use Tor for legitimate purposes, most don’t use it at all. If your corporate users are accessing the Deep Web from work, this could open up your network to a multitude of malicious threats. And if they are downloading questionable, illegal or copyrighted material, this could put your corporation at legal risk.

Record and monitor ALL of your network traffic. This could help you detect issues before they become major problems. Block or monitor suspicious SSL traffic on your network. You may capture Bot command and control communication or someone using your network for less than legal purposes.