InfoSec – Back to Basics Article – Published

After a quiet period of non-activity on my blog due to rather extensive commitments at home and with my new job, I was recently approached and asked if I would like to put together an article for Cecile Park Media, who write and publish numerous journals on law and technology, including Cyber Security.

I wrote for them once before with an article titled “Modern Day Policing and the fight against Cyber Crime”, which was published in their May issue back in 2015.  This time I was asked if I would consider doing more on Information and Cyber Security, to which I was both flattered and also very happy to agree to the request.

The article is titled “ISO 27001 and 27002: Going back to basics on Security” and discusses how I feel organisations and businesses should consider taking a step back, reviewing their Information Security plans and policies, and starting off with the basics before spending huge amounts of money on potentially unnecessary controls, whilst giving the CISO (Chief Information Security Officer) full support to implement a comprehensive and hollistic Information Security Management System (ISMS).

The article goes into a little bit of of detail as to the things to consider, how to use both the 27001 standard and 27002 guidance together to build the ISMS to suit the organisation, and recommends ways in which to better support and educate staff on best practices both at work and at home.

The link for the journal issue can be found here:

http://www.cecileparkmedia.com/cyber-security-practitioner/

Unfortunately, it is currently behind a paywall for the journal, but you can sign up for a free trial quite quickly, or alternatively I’m allowed to post a PDF copy of the article (not the rest of the journal) 30 days after publication, which I’ll be sure to do.

I hope you enjoy the article, and if anyone has any feedback or comments then don’t hesitate to let me know.

Advertisements

Forensic Research & the Dangers of Legacy Installer Files

It has been a while since I posted anything on my blog, but following a very busy couple of months I’ve decided to do a quick piece on the dangers of downloading legacy installation files from filesharing sites, as well as praise some of the great customer service I received from one company in particular, whilst I was doing some research for a case.

To many the advice I’m going to offer should be very obvious, but to some this might be valuable nuggets of information that may well save your systems and data from disaster.  Either way, I hope it makes for a fun and interesting read.


The Case

So the last few weeks I’ve been working on some devices where the user frequently installs and uses the well known software program, CCleaner (by Piriform), on their windows systems.  They have several devices, and each one has a different version of CCleaner installed (typical!).  The details behind the case are not something I will disclose, but in short, I wanted to know a little bit more about how CCleaner works, stores logs and whether there are variations in default settings, or the way configurations are stored and monitored by the program across different versions.

CCleaner comes in both free and paid versions, with the usual model of free (limited ‘lite’ versions for home users) and paid for pro versions (functionality fuelled for business and the security conscious).

ccleaner-crop
Image 1: Screenshot from the Piriform website (www.piriform.com/ccleaner)

My subject was using the free versions, which made life a little easier for me purely from the ability to gain access to the installation files and run tests across the different versions.

My plan was to generate a virtual machine (VM) of the same host operating system to test the various versions on (in this case I needed two VMs: Windows 7 Home Edition, and Windows 10 Home as upgraded from Windows 7 Home Edition) and install in-turn each of the different versions of CCleaner, identify the default settings and setup, pull the configuration files, hash them and compare these all against the settings and configuration files I had on the devices I was examining.  A simple but effective test for a quick comparison.  There are more in-depth and scientific ways to do this, but time is a luxury that I did not have.


Obtaining the Legacy Installer Files – The Risky Method

Unfortunately for me, Piriform only have the latest version of CCleaner available to download from their website, and the versions I needed dated back to around 2010/11, and so I needed to find an alternative method of obtaining the files.

Out of curiosity I searched the web for the relevant CCleaner version and two sites immediately came to the fore, one I knew well and the other…not so much.

The site I knew well, and is likely known by many of you, was FileHippo (Image 2) and the not so well known site was ‘Brothersoft‘ (Image 3).

filehippo-crop
Image 2: Screenshot from FileHippo (filehippo.com)

 

brothersoft-crop

Image 3: Screenshot from Brothersoft (Brothersoft.com)

Both sites claimed to have the version of CCleaner v.3.02.1343 available for download, and both claimed to be safe and secure.  I am always suspicious of such things, and whilst I had another method in mind to obtain the files (which I will explain shortly), I decided to fire up another locked down VM, remove access to my host machine from within it the best I could, secured my browser by forbidding various scripts and autorun features, and downloaded the files (albeit, not open or run them).

The FileHippo file came down with the traditional filename format for CCleaner of ccsetupXXX.exe (with the XXX being the version number), whereas the Brothersoft file actually appeared with a different name, “Installer_for_CCleaner.exe” (how very interesting!).  As you can imagine, alarm bells were already ringing on this one.

At this point I didn’t have a confirmed original hash value of the genuine installer file in question, and so I was unable to verify whether either file was what it claimed to be, so I decided to run both files through VirusTotal (www.virustotal.com) which is a cracking site for checking files and URLs for malware and nasty surprises.

I uploaded both files, firstly the brothersoft download (Image 4) and secondly the FileHippo download (Image 5) with the following results:

virustotal-brothersoft-crop
Image 4: Brothersoft download virustotal result
virustotal-filehippo-crop
Image 5: FileHippo download virustotal result

 

 

As you can see, despite both files claiming to be the genuine article, both vary greatly in their scan results, with the FileHippo file potentially being the genuine installer, whilst the Brothersoft download is clearly not as it should be!

Another sign was the file sizes – CCleaner installer files have grown in size from one version to the next, with the latest version to date (v5.28) sitting at around the 9MB mark, whilst the version I was after here was around the 3MB mark.  The Brothersoft installer file registered a file size of less than 1MB, which was suspicious in itself, with my immediate thoughts being that this was a simple payload dropper of sorts which will call out to a command and control server (C2) to malicious download and install some nasty malware if the program was run.  Definite sad face moment!


Obtaining the Legacy Installer Files – The Safer Method

So the method I was always going to use was to contact Piriform directly and ask them whether I could have access to their legacy installers for the specific versions in question for my forensic analysis.

Now I have to say that Piriform were absolutely fantastic!  I cannot fault them for their customer service and have passed on my thanks to them for their support.  They responded to my request within a day (which included details on log files and configurations etc as well) with copies of the original installer files, hash values, and gave me the command line run options to generate the .INI configuration files and make them accessible on my system for the default settings associated to that version of the software.

For reference, I was given the below advice:

If you need to review the complete list of default/non-default cleaning definitions that are available in these versions of the product, you can extract the winsys and winapp INI files from them as follows:

  • Open the “Run” dialog in Windows (Windows Key +R)
  • Type exe /EXPORT > click OK

After this, the INI files will appear in C:\Program Files\CCleaner, or in whichever folder location the software was installed at.

This worked a treat!  It wasn’t available for the v3.02.1343, but the later versions I requested this worked wonderfully and is something worth noting if you ever need access to these files in the future!

What is also handy to note regarding these files is the following:

…currently, we only have the default settings (in terms of cleaning options) available for review in the format of our program’s INI files, and I’ve attached these to this email for you.

(see attached “winsys.ini” and “winapp.ini” files)

If a default setting, the INI file will show “Default=True” whereas if a non-default setting, the INI file will show “Default=False”.

If you have any questions about this, or if you need anything, please let me know – I’ll be glad to help.

Out of curiosity I ran the installer file v3.02.1343 though virustotal and compared the hash and discovered that the FileHippo file was the genuine article (huzzah!) and clearly the dodgy Brothersoft download was malicious and full of nasty malware!


In conclusion…

So to finish, whilst this wasn’t the most scientific research process, I wanted to highlight this to anyone who may be interested for several reasons:

  1. Be careful where you download files from and never ever run them without confirming they are genuine.
  2. Never be afraid to contact the developers, suppliers or manufacturers to obtain legacy software if you are in need of it.  They will most likely oblige wherever possible and give you some level of support.
  3. Piriform are awesome! 🙂

I hope you’ve found this useful or interesting, and please don’t hesitate to contact me if you want to know more (obviously, I won’t be disclosing any details about cases…this blog is merely to help provide security advice and tips for forensic analysts)

Researchers Discover new “Fileless Malware” in the Wild

Researchers from Kaspersky Lab have recently discovered a new “Fileless Malware” in the wild that is targeting banks and financial institutions globally, and due to the nature of the malware, is proving incredibly difficult to identify and forensically recover.

The new malware uses “Meterpreter” which is an existing Metasploit penetration testing tool that effectively plants malware payloads directly into a computer’s memory (RAM) rather than dumping the payload onto the file system as a file or series of files.  The frustrating thing about this from a forensics perspective is that whenever a computer is switched off and power is no longer supplied to the memory modules on the motherboard the data held in RAM is lost, as it is volatile and requires a constant source of electricity to maintain its state.  This makes any kind of “dead box forensics” (i.e. switching off the machine and taking it to the lab for analysis) incredibly difficult.

Additionally, this new malware also plants obfuscated powershell scripts planted directly into the windows registry which are designed to load Meterpreter straight into the computer memory on startup, again, leaving no further traces on the file system.  This means the malware will run and start a fresh each time you reboot your machine.

Lastly, the attackers use Windows NETSH, which is a command-line utility that effectively allows you to modify network configurations of running computers, which you can either locally or remotely administer.  The malware uses this utility to set up proxy connections in order to connect to the malware’s command and control server.

In essence, initial research suggests the only chances of forensic analysis of such infections are the RAM, network traffic and windows registry.  All-in-all, not a lot to go on, unfortunately.

However, the research continues, so further learning should be released from Kaspersky in due course.  In the meantime you can read further articles from the Hacker News and ComputerWorld Security, and also read the official Kaspersky report for more detailed information.

POTUS Password Problems…Epic Security Fail!

So following the inauguration of the now President Trump, there was a lot of talk of Cyber Security being a priority for the new US Government.  Whether you support Trump or not, putting financial backing into improving Cyber Security can only be a good thing for the global population, not just the US, so fair play to that!

However, several security blunders recently from major US officials, including the POTUS himself, have cast doubt over the awareness of good security practices within the administration, and also how serious they actually are about cyber security (or are they more concerned about posting copious amounts of controversial Twitter posts…?!).

Today I was reading several different articles, all detailing several blunders.  Firstly, it turns out that Trump is still not only using his insecure Android device to Tweet from the Whitehouse, but the @POTUS twitter account has actually been linked to a private gmail account!

The Hacker News reported how the hacker @WauchulaGhost, who was responsible for taking down ISIS accounts, identified the vulnerabilities.  Rather than exploit them, the hacker has made those responsible aware of the vulnerability in the hopes that security practices may be improved. It has since been suggested that the linked account is now a secured internal administration account, which is a far better idea…well done, guys! <sigh>

We can but hope that they learn something from this…really really hope…

To top that off, it was reported in the Metro and Techcrunch that the US Press Secretary, Sean Spicer (@PressSec), tweeted his account password not once…but twice!  Yes, one of the most highly followed, reviewed and monitored twitter accounts in politics (and potentially globally) just tweeted to the world their account passwords for all to see!

…well done Sean, good job, mate! <face palm>

So today’s security lesson to take away, people…don’t publish your passwords…please!

Cellebrite Mobile Forensics Company – Hacked!

Anyone working within the Digital Forensics field knows of and has likely used Cellebrite equipment and data extraction and analysis tools.  There are a number of products and companies out there, the other well-known and equally well used and liked provider is MSAB who provide, among other things, the XRY mobile forensics tool.  Both companies are good at what they do and most forensic experts would agree that to carry out comprehensive mobile data extraction and analysis across the wide range of devices available, you need both sets of tools to achieve the best results as no single tool does it all.

In a recent article by motherboard.com it is revealed that Cellebrite have, themselves, been hacked and had 900GB of data stolen, including customer details and even what appear to be some mobile data extraction files.

The article by motherboard.com explains the circumstances in more detail, so I won’t go over them here, but it is concerning that access was gained to both customer data and potentially evidential data of some sorts.  I’m sure more detail will be announced in due course and further reports/articles will emerge with various updates, but for now we can only speculate on what exactly has happened and why this data was accessible from a single source.

One thing I do disagree with is that the article states “The hackers have been hacked”.  Cellebrite do not produce hacking software and are not hackers.  They crack mobile devices and complete forensic data extractions, but they are not hacking tools or hacking solution providers.  You can understand the confusion, but these days the media seem to bundle in any form of computer usage that isn’t browsing or sitting in front of MS Office as “Hacking”, when it just simply isn’t anything of the sort.

There are even the hard-core, old school hackers who would tell us all how there is a difference between “crackers” and “hackers” and how the terms have been confused and misused over time (nice little explanation can be found here, if you’re interested)…but unfortunately I think it is far too late the turn the clock back on that, now.

Anyway, I digress…what I wanted to point out was that one of my fellow MSc students did some digging on the Cellebrite Exec team and noted that there was no mention of a CISO (Chief Information Security Office) present on their exec board.  Could this potentially be a reason as to why security was lapse?  One to think about, and even if you are experts in forensics and data extraction, without proper focus and consideration for information security policies and procedures in all aspects of your information assets then even you can fall victim to malicious attacks from determined hackers.

Getting to the “Route(r)” of the Problem?

Ok, so I need to work on the title of this post, but at least it drew you in enough to read it, so it has worked to some degree! 🙂

So over the last few months we’ve heard a number of high (and some low) profile issues and vulnerabilities regarding various routers out there in the market place or being provided by our ISP’s as freebies for signing up to their broadband services.

Back in October “We Live Security” put up an article following research carried out by ESET on people who volunteered their router data for analysis, with some rather worrying results.  This was followed in December by Computerworld.com reporting on unpatched vulnerabilities in Netgear routers, not to mention the big companies such as Cisco even announcing vulnerabilities in their products back in July!  Today I even stumbled across an article regarding poor security in D-Link routers and IoT devices.

One of the important lessons learned from these is that router security is vitally important and as a basic set of security steps you should change your router access passwords to complex passwords with long character sets, as well as changing your default admin access passwords as well when logging into the router to change settings.

One recent worrying discovery that highlights this is the recently announced Switcher malware as discussed in an article posted last week by Kaspersky.  The malware and methodology of this attack is very clever and yet extremely simple.  The article does do a very good job of providing a very simple explanation, but in essence the malware infects a mobile device (currently Android devices are being targeted) via malicious apps and when connected to a WiFi network calls home to its command and control (C&C) server with details of the network that it is currently on.  The C&C then gives instruction for the device to begin hacking the WiFi admin access via brute force (so trying every possible password combination).  If you have default passwords (i.e. ‘admin’ or ‘password’) then this will not take long at all.  Once inside the malware changes the default DNS settings to reroute all of your outbound traffic to a malicious DNS server that then sends you to a fake, but legitimately looking, website in an effort to capture your credentials.

All-in-all, routers are being targeted and currently it is down to the users themselves to secure them as best as they can against these malicious attacks!  So if you haven’t done so already start changing those password, consider monitoring your traffic, configure your firewalls and raise the drawbridge of your network fortress to keep unwanted visitors out of your precious network! In addition to this, avoid malicious apps, install security software on your phone and other devices, and generally deploy good cyber hygiene for you, your family and your business!

Ransomware – The Fight-back has begun!

Security researchers and experts back at the end of 2015 and earlier this year predicted 2016 to be the “Year of Ransomware” due to the dramatic increase in ransomware attacks, infections and reports.  The malware variants used for extortion and blackmail became more and more prevalent as the year progressed and it was clear that the new form of attack was a firm favourite of hackers and cyber criminals across the globe.

Up until now the only defence has been prevention and resorting to backups, with authorities pushing out advice and guidance to communities and businesses to try to tighten up security practices, improve their “cyber hygiene” and try to look at preventing the infection, with the only fall-back being to resort to good, clean backups of the data.  Whereas many did pay the ransoms, this was never advised as it merely encourages criminals to continue to utilise the tactic, and there is never any guarantee that victims would get their data back.

Thankfully, new developments have started to emerge to help in fight against ransomware, with new tools and advice having recently been published.

It was recently announced in the Hacker News that the American firm Cybereason have released a free ransomware monitoring and detection tool dubbed RansomFree which they claim is able to detect ransomware trying to run on your system and can halt any active processes running as a result, requiring user authentication before taking further action.  This appears to be the beginning of a new form of security software for end-point devices to help protect against this malicious attack type.

This new tool follows the announcement of a similar tool for MacOS devices called RansomWhere, which does a similar thing for Apple devices.

These tools are all well-and-good, but as always, prevention is better than cure, and so one of the best first lines of defence is still good security on your devices and awareness of potential social engineering techniques used to infect your systems with ransomware.  For the latest advice visit either the Government’s CyberAware website, the National Cyber Security Centre (NCSC) or the not-for-profit organisation Get Safe Online.

Worrying new Ransomware that offers Free Decryption if you Spread the Infection!

An article that appeared today on The Hacker News explains how criminals are turning the ransomware infection model on its head slightly and encouraging victims to either pay the ransom of bitcoin or alternatively infect two other devices in order to gain access to the decryption key.  If they pay the ransom then the initial victim get their decryption code for free.

The choices around morality and ethics are put into the court of the victim to decide…ignore and deal with it yourself, pay the ransom or become a criminal yourself…how many people do you think will go for this option?  Is this a move to divide and conquer the general populace?  How do attribute blame or responsibility if everyone becomes a criminal guilty of this crime??

This reminds me of the morality vs fear choice you see in “The Dark Knight” Batman film where you had the two boats, each with a detonator to explosives on the other boat.  This kind of situation is only ever found in such films, but now we are starting to see such tactics used in the ‘real’ world…

…worrying developments, and I fear more is yet to come!  I feel that swift action is needed to prevent this becoming in any way profitable for the criminals, and to prevent such trends seeming to be viable options for criminal operatives, or else a wave of new attack vectors could be heading our way in the next 12 months.

Beware New Ransomware Strain – “Satan666”

A new ransomware strain has been released onto the internet titled “Satan666”.  This is yet another piece of sophisticated malware distributed via email attachments (currently) and is yet further reason to be extra vigilant in how you treat emails and associated files.

A good article explaining more details on the new malware can be found here at 2Spyware.