Monday, August 27, 2012

Scammer how-to, or so sad the response

My wife is VP in our elementary school PTA, assisting this year's PTA president whom I will call "P".  Recently P mistyped the e-mail address of one of the PTA members, "J1", and subsequently drew a complete stranger into their internal conversations.  I will call this stranger "J2".

J2 proceeded to post Reply All messages joking that they should send him/her all the petty cash, or delete all those stupid student records, and similar annoying interjections.  P failed to recognize this situation, and rather than broadcasting the error to all the PTA members, telling them to delete that original mail thread and correct their addresses for the original J1, she only responded back individually to this interloper apologizing and assuring them they would not get more messages.  Unaware of this trouble, various PTA members continued the conversation with Reply All, and soon J2 reappeared with more rants.  Then my wife noticed that J2 had included a new e-mail address in the thread that was identical to P's e-mail address, except that it included a hard-to-notice extra letter.  Something like "myemaiil@yahoo" or "myernail@yahoo" instead of "myemail@yahoo".

About 4 minutes after a particularly nasty retort by J2, P's Yahoo address spammed everyone in her contact list and the PTA with a plea for money.  Hacked!

The letter from P now described how she was trapped in London after the recent Olympics and needed cash to get home.  This is a classic scam to fool the victim's friends to wire money to the attacker.  Meanwhile, P was still here in the U.S. and completely unaware of the danger she and all her friends were in.  My wife has learned some security tricks over the years and she immediately knew that P's Yahoo password was no longer her own.  She tried vainly to reach P several times and decided to begin responding to PTA business since P seemed off-line and probably would be quite busy.  In her voice messages and SMS texts to P, she offered to send me over to help sort out the security issue and its fall-out.

Eventually P did call my wife back, but only to berate her at length for running business that the PTA president is supposed to do, not the VP.  Thanks for nothing, huh?  P then worked with Yahoo to regain control of her account and discovered that all of her Contacts and many years of Inbox data had been forcibly erased.  This is another part of this scam, to prevent the account owner from reversing the damaging scam broadcast.

But rather than call us up, or notify anyone that the prior message was bogus, P went back to her everyday business.  She asked the VP to forward all prior PTA messages so she could catch up.  Then she called my wife and yelled at her for the things that she read in the messages, even though they had been posted by other officers.  Apparently she was reading the threads in reverse order and felt the sender (my wife) had been posting these messages rather than forwarding them to her as requested.

Added to this mix, P never notified the PTA members of this event, nor apologized for the bogus broadcast, or even warned the PTA to drop J2 from any message threads.  So one week after all this, I fully expect another incident with P and/or J2.  And I wonder if J2 was the scammer who broke into her account as revenge for the mail mix-up?

So sad that you can see this happening and be rebuffed so badly.  It may be a long year at the PTA.

For my non-security friends, here is the scam and the recovery method.

* Acquire or break the password on a victim's web mail account.  Send their entire Contact List a well-formulated letter explaining how you are traveling and have lost the means to come home.  Ask for money transfers, and provide either the wire details or provide a toss-away e-mail account to respond to for more instructions.  Immediately purge all mail and Contacts from the victim's mail account and log off.  Never have to log back in.  Monitor toss-away mailbox for incoming victims.

* Realize a scammer just used your e-mail account.  Contact the ISP and recover your account credentials.  Reset the password to something very tough, and ask the ISP if they can add some additional security features to it, even if it makes it more challenging for yourself to log in.  Consider doing this with all your on-line accounts that use this mailbox as your point-of-contact.  Restore your Contacts list however possible, whether from the ISP, your own back-ups, manually from other sources, or by asking all friends in your social network to forward their e-mail addresses once more.  Be sure to broadcast however possible that your account was hijacked, but that it has been resolved.  Hopefully you did have a Contacts back-up, perhaps on your Smartphone or the Cloud or a local mail client on your home PC.

~~~~ Habeas Data

Wednesday, August 15, 2012

Do your parents know what they are surfing

It's 10 o'clock at night, do you know what your parents are doing on-line?  Do they?

Let's not kid ourselves, security on the Internet is absolutely crazy complicated.  Security experts are not immune to being targeted and hacked, and so it goes without saying that everyone else on-line is probably being put at risk daily.  If you are like me, you have become the de facto tech support for your family.  Perhaps you set them up with a nominally secure home router, some A/V software, some favored (more secure) software, and a stern yet vague warning about being careful on-line.  So what happens when you are not there?  Do they know what to watch for, and how to react to it?  Have you prepped them?

If you are like me you always get called at the 11th hour, or perhaps the 33rd hour, long after you yourself could have plugged the hole in the dike.  Perhaps it is a live virus they acquired, or maybe they just got hit with a drive-by and unceremoniously shut down their system when they noticed it "acting odd".  Or maybe it is waking one morning to find that their live-in son left thirty-dozen porn site pop-ups on their login account before he passed out the night before, clear proof that their account password is no secret.

In these scenarios you have to treat your parents like adults, and bite back any criticism.  They are completely new to this Internet thing, they do not have the depth of knowledge you do, but you cannot treat them like children.  That being said we can do some things normally reserved for children.

Prep Work:

First off, have an open discussion about using the Internet and what "screen time" should constitute.  Besides all the cool new sites their friends tell them about, identify openly what they most need to do on-line.  These may be things such as banking and brokerage monitoring, backing up the family tree and photos, digitizing their album collection, and watching movies.  This discussion should include clear examples of dangerous behaviors or locations/scenarios to be expected on-line.  Free porn, ripped media, and similar edgy materials may be part of their adult interests, but perhaps you can locate other resources for them.  Maybe not completely legitimate resources, but "better".  A good suggestion may be that they should look into various media subscriptions, since paid material is generally "cleaner".  You are laughing, but you know what I mean.

Next, make it clear that you are in no position to enforce any restrictions on them (they are your parents after all), but that your advice is important and you may not be immediately available in all future instances.  Especially if brownies are not involved.  ;-)  Then suggest they limit themselves voluntarily, such as using various Parental Controls software.  Even if they have the bypass password for these controls, it is an added layer to help limit their exposure and slow down those malicious browser scripts.

Teach them some of the tricks of your trade that they can do themselves.  When setting up their back-ups, walk them through the set-up rather than doing it yourself.  Show them an example of their A/V software or parental control browser add-on blocking something, e.g. an EICAR file or an adult material site.  Provide them with their own copies of your favorite A/V boot disk, and show them how to use it.  At the least you will be able to walk them through using it on the phone.  Provide them with links (bookmarked!) to a tailored list of sensible security sites where they can double-check what you are telling them.  Have them bookmark also!

If your parents are substantially older, or suffering from dementia, you may need to be more authoritarian with some of these suggestions.  You may also need to expand your access to other areas like remote control software and their cell phone plan (TXT monitoring) as well as personal safety and health monitoring.  Facebook activity and shared Netflix accounts have even been used as additional ways to keep tabs on one's parents and their daily activity or inactivity.

Real Suggestions:

Big talk, but what do I do?  I tend to "do things the hard way" personally, so it has been a struggle to provide the family with simple suggestions and frameworks that may not be up to my own preference.  As we know so well, if security is too complex, the users will bypass the controls.  But at the same time, if Internet access is super simple, so are scripted malware drive-bys.

* browser - I standardized my family on Firefox with the HTTPS Everywhere add-on to lock them to SSL sites whenever possible.  I included the IE View add-on and helped them configure it for their favorite sites that really do require IE.  I also showed them MozBackup, and I send them a periodic e-mail reminding them it's time to back up their profile.  While I love the NoScript add-on, it does complicate browsing and can be a bit too chatty when the user does not want to answer and tailor the various prompts just to load a web site.  I hold it in reserve for the next big incident.

* file management - Be sure they know the basics of Copy/Paste, mapping drives, adding/disconnecting devices, and getting around in Windows Explorer and similar file systems.  You would be surprised how often this skill is overlooked or assumed.  There are many free on-line training videos for this sort of elementary material.  Even better, they will learn it from someone who is not you, but who says the same things you have been trying to teach them.

* back-ups - Help them install and configure a regular back-up process.  Get them a large capacity USB drive as a gift, and string it to the back-ups.  If the data is really important, swap the drive out during your periodic visits so one copy is off-site back at your house.  Don't neglect a back-up process for their home router's configuration, their browser profile, and their on-line web mail and Contacts.

* anti-virus - Regardless of which you choose, set it to auto-update and auto-install.  Maybe use it yourself or join the vendor's mailing list so you know when there might be a large update that has to be managed manually.  You will be surprised when that freeware A/V provides no automated path to their next big version, and your parents simply uninstall or disable the prompts.

* firewall - Besides their home router's basic firewall capabilities, help them use a host-based firewall or IPS.  Teach them how to turn it On/Off, especially when they take their laptop on the road.

* wifi - Set up their wifi, and then document its connection details onto a hard copy they can keep at home.  This material should be something they can share with friends who visit, and it should be dirt simple guidelines like you may find at a moderately secure Internet cafe.
  Next, force them to visit your wifi network as well as at least one Internet cafe or other free wifi source.  This will teach them how to configure their own connection, tell the difference between an infrastructure and a peer-to-peer wifi, and to check their on-line status without depending on only the browser.

* password safe - Acknowledge how many passwords and accounts you yourself manage and then share KeePass or another favorite password safe.  See if they will share the locking password with you, just in case.  And assist them in putting this on each of their favored devices (USB stick, smart phone) where they may want or need it.  Include the data file in the back-ups process.

* drive encryption - Maybe your family is ready for this technology.  Be sure you are fluent in whatever tool they do use, since you will probably have to help fix it in the future.  The same is true for any find-me software like Prey.
  If it is not too uncomfortable, see if you can teach them the basics of encrypting select files with things like PGP/GnuPG or TrueCrypt.  Note that the Polaroids of today are digital, and encryption is the only way to keep them out of young hands.

* power management - Best feature may be to schedule an automated shutdown process each evening and automated start-up each morning.  This will ensure they reboot their Windows system frequently enough, plus it takes their system off-line when many trouble-makers are on-line.

* Parental Controls - These do not need to be draconian measures, but they can serve as a heads-up when they begin surfing outside of the safety ropes.  They can still put in the bypass password and surf on, but it serves as good notice.  K9 is a simple and free one with a humorous barking warning, and it applies equally for all user accounts on the (Windows) machine.  Once notified of the risk, just put in the password to open up the dangerous category of content for a certain amount of time.  Much better than the typical "Yes, Allow, and don't ask me ever, ever again" security filters.  Windows itself includes Parental Filters (although a bit byzantine) and there are various other free and commercial ones available.

Real (Bad) Tales:

* Dozens of browser windows open on-screen.  Closing one spawns two more, each with graphic nudity and advertising.

* Slow Internet connection.  Turns out they got confused and connected to the neighbor's wifi instead of their own, and had that set as their default for weeks.

* Many instances of e-mails asking if something is legitimate or spreading the latest chain letter.

* The classic, "I clicked on it and nothing happened, but the hard drive light stayed on for quite a while".

* Plugging the laptop into the router and refusing to move it around the home for fear of using the wifi.

* Passwords on sticky notes.  Coupled with traveling on vacation and not knowing how to log into any systems they need (e-mail, airline sites, Netflix, et al).

* An e-mail broadcast to the entire address book with a link in it.

You may note that most of the suggestions here are mainly user training and not security training.  They need to be familiar with the virtual environment and the basics of managing their security.  Remember, they are your parents and you owe them a lot.  And they need you a lot regarding computer security, but are not sure how to ask for it.

~~~~ Habeas Data

Wednesday, August 8, 2012

Disabling all discovery checks in WebInspect

In an earlier posting about limiting WebInspect's scan reach, I mentioned the following complaint regarding the scan Policies.  I wanted to use this posting to explain this further and detail a solution.

<< The Audit-Only scan method sounds good, but it is not foolproof.  Currently most of the scan Policies you may use for your Audit will perform a variety of forceful browsing and discovery checks.  To completely disable this possible expansion of your scan target, you will need to make a custom copy of your desired scan Policy.  I will detail that in a separate posting. >>

The Audit policies utilized by HP WebInspect (currently at version 9.20) are templates that dictate what quantity of the available attack database will be used against your target during this particular scan.  Even when using the Audit-Only scan method, there are still several ways that WebInspect will bypass your desired limitation and perform some crawling/discovery of the site.

To prevent this, the user will need to use a custom scan Policy.  Open the included Policy Manager tool, then click File > New > {select desired HP policy} > and then save this for your own use.  You may want to annotate the Description to remind yourself what makes this custom copy different.  In this custom Policy you will want to disable the following features.

1. Open the Attack Groups view, then expand the Audit Engines branch.  Disable the following engines underneath it.
    • Directory Enumeration
    • File Extension
    • File Prefix
    • Fixed Checks
    • Known Vulnerabilities
    • Local File Include
    • Site Search

2. Within the same Audit Engines branch, locate and expand the Audit Options sub-branch.  Disable the following options found there.  These parsers do not directly request these specific resources, but they would fully investigate them if they were found during the scan.
    • CVS entries parser
    • Robots.txt parser
    • ws_ftp.log parser

3. Move up to the top of the Attack Groups tree listing and disable the Web Site Discovery branch, a peer of the Audit Engines branch.

Based on how HP (or SPI Dynamics) originally designed the Audit Policies mechanism, it is difficult to fully disable all crawling even for Audit-Only scans.  Their development team has been contacted about this and understands why it should offer a cleaner method, but until that arrives we must use this workaround.

~~~~ Habeas Data

Tuesday, August 7, 2012

How to use HP WebInspect to scan only a part of a web application

I saw a thread on-line regarding this topic, and realized my response would be too large and look silly stuffed into the post comments.  So I will rewrite and expand my response here.  No offense meant, Rohit.

WebInspect is highly configurable for whatever situation you may be encountering.  Please do not feel that you have to perform all of these configurations.  They are just there for when you need them.

Question:  Can anyone explain the way to scan only a certain part of a web application using WebInspect?

Answer:  There are many ways to "shape" your scan with WebInspect (currently at version 9.20), depending on what you are faced with and your end-goal.  I will review them from most common to lesser known (and least used).

Restrict To Folder:

This feature is not found in the scan settings, but it is on page one of the Scan Wizard.  By enabling this option, the user gets three sub-options as follows, defined in the Help guide.

  • Directory only - WebInspect will crawl and/or audit only the URL you specify. For example, if you select this option and specify a URL of www.mycompany/one/two/, WebInspect will assess only the "two" directory. 
  • Directory and subdirectories - WebInspect will begin crawling and/or auditing at the URL you specify, but will not access any directory that is higher in the directory tree.
  • Directory and parent directories - WebInspect will begin crawling and/or auditing at the URL you specify, but will not access any directory that is lower in the directory tree.
A common error with this Restrict To Folder feature is that the user may not realize that the Starting URL field defines the anchor point for their chosen Restriction. The specific folder is identified by the final portion of the Starting URL that is enclosed in slash marks ("/").  This means that both the Starting URLs "../folder1/folder2/" and "../folder1/folder2/index.html" would anchor to "folder2", but that the path "../folder1/folder2" would anchor onto "folder1".

Session Exclusions:

Let's say that rather than focusing on one area, you wish to omit it from being scanned.  For example, the /manuals/ folder within any default Apache installation is rife with samples and various junk text that will add time to your scan without appreciable results.  For that scenario, open the Session Exclusions scan settings panel and add an Exclusion, such as (URL contains "/manuals/"), and the scan should complete faster.  I had an international client use this to split a very large site separated into three languages (English, Chinese, Arabic) into three separate scans.  Their site structure was primarily segregated, so scanning with Session Exclusions for the other two languages kept the scan targeted to one language area.  Post-scan, they were able to combine these three scans into one report.

The Session Exclusions settings were expanded in WebInspect 9.10 or 9.20.  Besides simple keywords or parts of a URI path, the user can also exclude via a variety of Targets (POST parameter, Query parameter, Status Code, et al) and a variety of Matching styles (Contains, Regex, et al).

Scan Log:

As an added feature, when using the Restrict To Folder or Session Exclusions, you may want to watch the Scan Log tab found at the bottom of the WebInspect UI (Summary Information pane).  This area should display informational messages when pages found are removed from the testing coverage due to one of your scan configurations.

Scan Methods:

Stepping out of the settings, the Scan Wizard itself offers a variety of methods for controlling the scan, currently found on page one of the wizard.

Crawl-Only:  This will only perform a Discovery of the target, perhaps with some passive auditing of keywords seen in the traffic.   When completed (or Paused), the user can deselect the undesirable pages or folders in the Site Tree and then proceed to the Audit phase by pressing the Audit button found in the toolbar area.  Bear in mind that each folder is selected individually.  To deselect entire branches, use the right-click menu for additional options.

Audit-Only:  Switching from the default Crawl-and-Audit to Audit-Only will prevent the crawl, or discovery, of the rest of the website.

Manual Step-Mode:  This option turns off automated Crawling.  WebInspect will turn itself into a localhost proxy and spawn an instance of IE.   The user will be performing the discovery phase by hand, by browsing.  When finished, return to WebInspect and click the Finish button found at the top of the Site Tree.  You now have an opportunity to deselect undesired folders or branches in the Site Tree (right-click menu!), and then proceed to the Audit phase by clicking the Audit button found in the toolbar area.

List-Driven Scan:  This is a different style from the automated scan, where the crawl engine is provided a list of known URLs at the onset of the scan.  This list can be an XML file listing all of the web root files harvested from the target server by its administrator, or it can be a simple TXT file with one full URL per line.  This style of scan can be used with the Audit-Only method to only attack the pages in the list.  Or it can be used with the Crawl-and-Audit to force-feed the crawl engine with that list input.

Workflow-Driven Scan: Identical to the List-Driven scan, except the input used is a pre-recorded "Start Macro", a browser capture of your desired business process.  Using this Macro feeds the crawler or the Audit-Only with the recorded sessions, and then the scan continues from there.

Scan Policy - Audit Only:

The Audit-Only scan method sounds good, but it is not foolproof.  Currently most of the scan Policies you may use for your Audit will perform a variety of forceful browsing and discovery checks.  To completely disable this possible expansion of your scan target, you will need to make a custom copy of your desired scan Policy.  I will detail that in a separate posting.

HTTP Request Filters:

The defaults for Session Exclusions include a variety of exclusions where the URI may indicate a logout page, such as "exit", "logoff", and "logout".  But what if the offending data does not suit the Session Exclusion model, such as dynamically named folders?  For this, you could avoid that specific data by defining an HTTP Request filter that replaces the offending value or data in real-time.  With a regular expression and Filter, you could dynamically alter all live submissions such as "/pda2789/" (regex="\/pda(\d+)\/") to "/pdareplaced/", a nonsensical value that would cause the server to not identify or honor the request and thereby avoid scanning it.
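To make the three scope controls above concrete (the Restrict To Folder anchoring rule, Session Exclusions, and the regex Request filter), here is an added model of how they combine on a list of discovered URLs.  This is illustrative code written for this posting, not WebInspect's own logic; the host name, the sample URLs and the scan-log wording are constructed, and only the "/manuals/" exclusion and the "\/pda(\d+)\/" regex come from the text.

```python
import re
from urllib.parse import urlsplit


def anchor_folder(url: str) -> str:
    """Folder a URL anchors on: the last path segment enclosed in slashes.
    A trailing file name is dropped, and a path with no trailing slash anchors
    one level up, which is the Restrict To Folder behaviour described above."""
    path = urlsplit(url).path or "/"
    return path[: path.rfind("/") + 1]


def in_restricted_scope(url: str, starting_url: str, mode: str) -> bool:
    """Apply one of the three Restrict To Folder sub-options to a found URL."""
    if urlsplit(url).netloc != urlsplit(starting_url).netloc:
        return False
    anchor = anchor_folder(starting_url)
    folder = anchor_folder(url)
    if mode == "directory_only":
        return folder == anchor
    if mode == "directory_and_subdirectories":
        return folder.startswith(anchor)          # nothing higher than the anchor
    if mode == "directory_and_parents":
        return anchor.startswith(folder)          # nothing lower than the anchor
    raise ValueError(f"unknown Restrict To Folder mode: {mode}")


def excluded(url: str, exclusions) -> bool:
    """Session Exclusions as (matching style, pattern) pairs: Contains or Regex."""
    for style, pattern in exclusions:
        if style == "contains" and pattern in url:
            return True
        if style == "regex" and re.search(pattern, url):
            return True
    return False


def apply_request_filters(url: str, filters) -> str:
    """HTTP Request filter: rewrite matching request data before it is sent."""
    for pattern, replacement in filters:
        url = re.sub(pattern, replacement, url)
    return url


def triage(discovered, starting_url, mode, exclusions, filters):
    """Run found URLs through the controls in order and return
    (URLs that reach the audit phase, scan-log style messages)."""
    to_audit, log = [], []
    for url in discovered:
        if not in_restricted_scope(url, starting_url, mode):
            log.append(f"Restrict To Folder dropped {url}")
            continue
        if excluded(url, exclusions):
            log.append(f"Session Exclusion dropped {url}")
            continue
        rewritten = apply_request_filters(url, filters)
        if rewritten != url:
            log.append(f"Request filter rewrote {url} -> {rewritten}")
        to_audit.append(rewritten)
    return to_audit, log


# Constructed sample scan: hypothetical host and pages, not a real target.
START = "http://www.example.test/folder1/folder2/index.html"
DISCOVERED = [
    "http://www.example.test/folder1/folder2/search.aspx",
    "http://www.example.test/folder1/folder2/three/page.aspx",
    "http://www.example.test/folder1/other.aspx",
    "http://www.example.test/folder1/folder2/manuals/index.html",
    "http://www.example.test/folder1/folder2/logout.aspx",
    "http://www.example.test/folder1/folder2/pda2789/list.aspx",
]
EXCLUSIONS = [("contains", "/manuals/"), ("regex", r"log(off|out)")]
FILTERS = [(r"\/pda(\d+)\/", "/pdareplaced/")]   # regex quoted in the text

if __name__ == "__main__":
    audit, log = triage(DISCOVERED, START, "directory_and_subdirectories",
                        EXCLUSIONS, FILTERS)
    print("\n".join(log))
    print("to audit:", *audit, sep="\n  ")
```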


~~~~ Habeas Data

Friday, November 11, 2011

WebInspect is the Honey Badger

I have been selling or supporting WebInspect for years. The one aggravating customer question I always hate, especially when it comes from our newly trained Sales reps, is "Can WebInspect handle my website?" As a preface, I will say that WebInspect is designed only for scanning web sites and web services, so if it uses the HTTP/S protocol, WebInspect is designed to attack it. Obviously the attack database has many specific or named vulnerabilities for due diligence, but the majority of the attacks do not care what the system's technology or brand is.

To help my Sales reps, I built the following graphic. I hope you enjoy it.

For those of you not in on the meme, let me introduce the Honey Badger (NSFW).

~~~~ Habeas Data

Monday, November 7, 2011

Dynamic scanning is the tip of the iceberg

Here's a funny thought I had today, and hopefully one that will not put me out on the streets.

Dynamic web application testing tools ("D.A.S.T.") such as HP WebInspect, HP QAInspect, and HP AMP are just the tip of the iceberg. These are the first tool sets a new security program sees and starts with, but they are in no part the full program. Fortify Software has been saying this for years. In their view, ostensibly as purveyors of code analysis tools ("S.A.S.T."), only beginners depend on dynamic scanners. And you know, they are right to some degree.

Certainly implementing a dynamic DAST tool is the quickest thing to do to help your broken system and begin to catch those security defects. It is also cheaper and faster to enact than the true solution, the implementation of a full Secure Software Assurance program or Secure SDLC a la OpenSAMM. Too many companies are checking for security only in a silo, right before the code goes out the door. Too frequently the security testers are portrayed as the bad guys, the bottle neck that gums up the product releases. This is partly why HP QAInspect exists, because once upon a time SPI Dynamics customers experienced bottlenecks from having HP WebInspect used in the final stages of approval and not having security testing earlier.

We all know that secure code is better than insecure code. The Rugged Code Manifesto, OWASP, and many others have been trying to make security an integral part of the development process. This is where the largest portion of our security iceberg is found with mature processes, system governance, stream-lined efforts, and security baked in. This requires reviews and changes to the current development process, but the ultimate outcome will be code that is self-hardened. Now the security team can serve as the trusted advisers they should be, focusing on the logic attacks and tougher items inherent with implemented code.

Dynamic scanners still serve a purpose. Auditors need them. There are classes of vulnerabilities that are based on the implementation or not an issue on the code-level. These scanners can operate in the absence of code access. Or with periodic post-production test runs, they can identify new zero-day vulnerabilities that are live on the company web sites after the full SSA process has been completed. So if your company just got real with a new dynamic scanner, welcome aboard, now get to work!

~~~~ Habeas Data

Thursday, July 21, 2011

Stroke development versus not drowning

Second blog post this week, but over at the Wh1t3Rabbit blog again: ollowing-the-White-Rabbit-A/Stroke-development-versus-not-drowning/ba-p/4832281

~~~~ Habeas Data