Fast Flux Domains

by Süleyman Petek, 30 November 2015 12:25

According to Wikipedia: "Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies." When a domain of a fast flux network is resolved, it returns more than one IP address, and the order in which those addresses are returned changes continuously; this technique is called round-robin DNS. The Honeynet Project provides in-depth information on this topic in its paper Know Your Enemy: Fast-Flux Service Networks (http://www.honeynet.org/papers/ff).

It is far more effective to recognise a fast flux network as such; otherwise you will just waste your time blocking each IP address it uses. Blocking the domain instead is the much smarter move.

Fast flux domains will return several IP addresses when you resolve them, or they may return only one address but change it frequently.

How can we catch it?

A German security company, BFK, helps us with the first step: http://www.bfk.de/bfk_dnslogger_en.html The BFK query page lets us query a passive DNS service. Passive DNS search results will obviously return many IP addresses for a fast flux network domain. If your search results contain dozens of different IP addresses, you can say that the domain you searched is part of a fast flux network.

Another way to check is the TTL value. If the TTL is very low and the hostname changes its IP address very quickly, it can be called a fast flux domain. A TTL of zero means resolvers should not cache the answer at all. You can use "dig" on Linux to find the TTL value of a domain. Keep in mind that CDNs and load balancers also use short TTLs for legitimate reasons, so a low TTL alone is not proof; look at how many distinct addresses appear over time and how widely they are spread across networks.
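The two signals above (many distinct addresses over time, as a passive DNS lookup would show, and a very low TTL) can be combined in a small script. The following is an added example, not code from the original post: it parses the ANSWER SECTION as dig prints it, merges several lookups of the same name taken over time, and only flags the name when the TTL is low and the addresses are spread across many networks. The thresholds, the domain names and the dig output are constructed for the example (the addresses come from documentation and benchmarking ranges) and are not taken from the post.

```python
"""Fast flux heuristics over dig answers (added example, not from the original post).

Thresholds are assumptions, not values from the post. All dig output below is
constructed; no network access is needed to run this.
"""
import re

# One A record as printed in dig's ANSWER SECTION, e.g.
#   "fastflux.example.   60   IN   A   192.0.2.17"
A_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_dig_answer(text):
    """Return [(name, ttl, ip), ...] for the A records in a dig answer section."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # blank lines, comments, section headers
            continue
        m = A_RECORD.match(line)
        if m:
            records.append((m.group(1).rstrip("."), int(m.group(2)), m.group(3)))
    return records


def fast_flux_verdict(snapshots, min_distinct_ips=10, min_networks=5, max_ttl=300):
    """Combine several dig snapshots of the same name taken over time.

    Returns the distinct address count, the number of /24 networks they sit in,
    the lowest TTL seen, and a verdict that needs all three signals together.
    """
    ips, networks, min_ttl = set(), set(), None
    for snap in snapshots:
        for _name, ttl, ip in parse_dig_answer(snap):
            ips.add(ip)
            networks.add(ip.rsplit(".", 1)[0])          # the /24 the address sits in
            min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
    low_ttl = min_ttl is not None and min_ttl <= max_ttl
    return {
        "distinct_ips": len(ips),
        "networks": len(networks),
        "min_ttl": min_ttl,
        # A low TTL alone is not enough (CDNs use them too); require the spread as well.
        "fast_flux": low_ttl and len(ips) >= min_distinct_ips and len(networks) >= min_networks,
    }


def _snapshot(name, ttl, ips):
    """Build a constructed dig-style ANSWER SECTION for the sample data."""
    lines = [";; ANSWER SECTION:"]
    lines += [f"{name}.\t\t{ttl}\tIN\tA\t{ip}" for ip in ips]
    return "\n".join(lines)


# Constructed lookups of a flux-like name: TTL 60, new hosts in every answer,
# spread over many /24s.
FLUX_SNAPSHOTS = [
    _snapshot("fastflux.example", 60, ["192.0.2.17", "198.51.100.23", "203.0.113.9", "198.18.1.40", "198.18.2.77"]),
    _snapshot("fastflux.example", 60, ["198.18.3.5", "198.19.4.66", "198.19.5.12", "192.0.2.18", "203.0.113.200"]),
    _snapshot("fastflux.example", 60, ["198.18.6.9", "198.19.7.30", "198.18.8.101", "198.51.100.77", "198.19.9.250"]),
]

# Constructed lookups of a CDN-fronted name: an even lower TTL, but the same two hosts every time.
CDN_SNAPSHOTS = [
    _snapshot("www.cdn-site.example", 20, ["203.0.113.10", "203.0.113.11"]),
    _snapshot("www.cdn-site.example", 20, ["203.0.113.11", "203.0.113.10"]),
]

if __name__ == "__main__":
    for label, snaps in (("flux", FLUX_SNAPSHOTS), ("cdn", CDN_SNAPSHOTS)):
        print(label, fast_flux_verdict(snaps))
```

To use it on a real name, run `dig +noall +answer <name>` a number of times a few minutes apart (the options print only the answer section, which is what the parser accepts) and pass the captured outputs as the list of snapshots. The CDN sample is there to show the caveat from the paragraph above: its TTL is lower than the flux sample's, yet it is not flagged because the addresses never change.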



IT Security | Awareness | Malware | Malware Analysis | Web Defense

Securing The Internet of Things

by Süleyman Petek, 28 September 2015 20:30

Internet of Things, a.k.a. "IoT", has become a very popular term recently, and many large companies are investing in it. Another popular term, "Big Data", overlaps with IoT. The architecture of the original Internet was created long before communicating with billions of simple devices such as sensors and appliances was ever envisioned. The upcoming explosion of these simple devices creates enormous challenges for the current networking paradigm. The scope and range of the devices to be connected are huge, and the connections at the edges of the network, where these devices will be deployed, will be low-speed, lossy and intermittent. Within a few years, devices on the IoT will outnumber human beings on the planet, and the number of devices will continue to grow.

Here are some basic design guidelines:

  • It should specify as little as possible and leave much open for others to innovate.
  • Systems must be designed to fail gracefully seeking not to eliminate errors, but to accommodate them.
  • Graduated degrees of networking functionality and complexity are applied only where and when needed.
  • The architecture is created from simple concepts that build into complex systems using the analog provided by natural phenomena.

There are many products on the market today under the IoT label that lack a basic security architecture. It is very easy for a knowledgeable person to take control of such devices for malicious purposes. Management knows how to manage known risks, but does not know how to measure them in the field of IoT and machine-to-machine communication. The attack types can be listed as:

  • Denial of Service
  • Breaking the Stored Credentials / Guessing the Credentials
  • Man in the Middle
  • Network Sniffing
  • Port Scanning / Web Crawling
  • Search Features & Wildcards
And how can we protect ourselves?
  • Virtual Private Networks
  • Certificates & Encryption
  • Authentication of things


According to the HP Fortify 2014 IoT Security report:
  • Six out of 10 devices that provide user interfaces were vulnerable to a range of issues such as persistent XSS and weak credentials
  • 70 % of devices used unencrypted network service
  • 90 % of devices collected at least one piece of personal information via the device, the cloud, or its mobile application
  • 60 % raised security concerns with their user interfaces
etc.

You can also check the OWASP Internet of Things project, which lists the top 10 for 2014 as below:

  • I1 Insecure Web Interface
  • I2 Insufficient Authentication/Authorization
  • I3 Insecure Network Services
  • I4 Lack of Transport Encryption
  • I5 Privacy Concerns
  • I6 Insecure Cloud Interface
  • I7 Insecure Mobile Interface
  • I8 Insufficient Security Configurability
  • I9 Insecure Software/Firmware
  • I10 Poor Physical Security

IT Security | Awareness | Tech | Internet Of Things

On behalf of September 14, 2015 (:

by Süleyman Petek, 15 September 2015 21:52

As I promised last night on #developersTube, I think I should give some brief information to our friends who are interested in software security...

First of all, the links to follow:

  • https://www.owasp.org
  • http://www.webguvenligi.org
  • http://www.scmagazine.com
  • https://packetstormsecurity.com
  • http://www.tripwire.com/state-of-security/topics/latest-security-news/
  • https://www.fireeye.com/blog.html
  • http://null-byte.wonderhowto.com
  • http://www.securityweek.com
Then the tools:

For static analysis:
  • HP Fortify
  • Checkmarx
  • IBM Appscan
For dynamic analysis:
  • Netsparker
  • HP Webinspect
  • Nikto

I would like to thank Burak Selim Şenyurt again for this kind conversation, and for those who missed it, enjoy...


IT Security | Awareness | Secure Coding | Web Security

The Security Mindset

by Süleyman Petek, 17 July 2015 21:00

Everyone in your organisation should keep security in mind, all the time. Remember that you are only as secure as the weakest link in the chain. Whatever the latest technology you use (firewalls, IDS, IPS, antivirus and so on), your level of protection is only as high as your weakest link.


Not everyone will have the same level of mindset, but developers and IT staff must be careful about this. Of course, building a company-wide mindset is not easy and it requires continuous education. Education costs money and time, so top management must share the mindset in order to approve these expenses.

Consider a project manager, a business analyst or a scrum master. While planning a project, almost none of them allocate time or people for security. Being aware of these issues means planning time for fixing security findings and for aligning with secure coding standards. The majority of developers concentrate on learning new technologies, but unfortunately they are not keen on security, or they are not aware of how serious the topic is.

In general there are some principles that should be kept in mind:

Least Privilege
Sometimes abbreviated POLP (Principle of Least Privilege): limiting access to the minimum level that is necessary to complete the job.

Simple is More Secure
Get rid of unnecessary functions and unused features wherever possible; every feature you keep is attack surface that has to be secured and maintained.

Do Not Trust Users
When it comes to user actions, being paranoid is good security behaviour. Even your administrators are not 100% reliable (an unhappy employee can be very harmful). Sometimes offline actions such as phone calls should be treated as attacks too (social engineering).

The Unexpected Always Happens
Preventing an attack before it happens is vital. People generally only see the "happy path" in projects, but the edge cases must be considered as well.

Defense in Depth
Slowing down the attacker via layered defenses. "If an attack causes one security mechanism to fail, other mechanisms may still provide the necessary security to protect the system." - OWASP


Obscurity
If you read a CEH preparation book, hacking starts with reconnaissance. The more information you give away, the more attackers benefit, so limit the information you expose (server banners, version strings, verbose error messages, stack traces) to the minimum. Obscurity raises the attacker's cost, but it supplements the other principles; it never replaces them.

Blacklisting & Whitelisting
"A Blacklist is testing a desired input against a list of negative inputs. Basically you would compile a listing of all the negative or bad conditions, then verify that the input received is not one of the bad or negative conditions.

A Whitelist is testing a desired input against a list of possible correct inputs. To do this you would compile a list of all the good input values/conditions, then verify that the input received is one of these correct conditions."
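The difference matters because a blacklist only catches what its author thought of. The following added example (not code from the original post) shows the classic failure: a blacklist filter that strips "<script>" once, which an attacker defeats by nesting the forbidden string inside itself, next to a whitelist check for a username and an HTML output encoder for free text, where no whitelist is possible. The username character set, the blocklist entries and the attacker payload are constructed for the example.

```python
"""Blacklist versus whitelist input handling (added example, not from the original post).

The blocklist filter is the bypassable kind; the username allowlist and the output
encoder are the approaches the post recommends. All inputs are constructed.
"""
import html
import re

# Blacklist: remove known-bad fragments, case-insensitively, in a single pass.
BLOCKLIST = ("<script>", "javascript:", "onerror=")


def blocklist_filter(value):
    """Strip every blocklisted fragment. Anything not on the list passes untouched."""
    for bad in BLOCKLIST:
        value = re.sub(re.escape(bad), "", value, flags=re.IGNORECASE)
    return value


# Whitelist: a username is 3 to 32 characters drawn from a fixed, known-good set.
USERNAME_ALLOWED = re.compile(r"[A-Za-z0-9_.-]{3,32}")


def is_valid_username(value):
    """True only when the whole value matches the allowed pattern."""
    return USERNAME_ALLOWED.fullmatch(value) is not None


def accept_username(value):
    """Reject anything outside the allowed set instead of trying to clean it."""
    if not is_valid_username(value):
        raise ValueError("username contains characters outside the allowed set")
    return value


def render_comment(text):
    """Free text cannot be allowlisted, so encode it for the HTML context on output."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


def demo():
    payload = "<scr<script>ipt>alert(1)</script>"   # constructed attacker input
    filtered = blocklist_filter(payload)
    # Removing the inner "<script>" splices the two halves back into a live tag:
    # the filter's output is "<script>alert(1)</script>".
    return {
        "blocklist_output": filtered,
        "blocklist_bypassed": "<script>" in filtered,
        "allowlist_rejects_payload": not is_valid_username(payload),
        "allowlist_accepts_normal": is_valid_username("alice_01"),
        "encoded_comment": render_comment(payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Looping the blocklist filter until nothing changes closes this particular hole, but not the next encoding trick; the whitelist has no such arms race because it never tries to enumerate the bad cases.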

IT Security | Awareness | Web Security | Web Attack

Reverse Engineering 101

by Süleyman Petek, 14 July 2015 23:43

Reverse engineering is the process of extracting the knowledge or design from anything human-made. The concept is not new: long before computers, scientists trying to understand the atom, or doctors exploring the human body (they are still at it), were doing the same thing. The difference between computer reverse engineering and scientific reversing is that the former deals with something human-made, whereas scientific reversing is the exploration of a natural process.

Software is the most complex and most popular target for reverse engineering today. Like software engineering, software reverse engineering is a completely virtual process where you only have a CPU and your mind. It combines code inspection, problem solving and logical analysis.

In security, for instance, reversing can be used to identify the encryption inside an application and thereby evaluate the level of protection the application offers. Reversing has become very important for IT security, as the growth of malicious software cannot be prevented. Crackers love it too: they analyse software in order to reproduce it without a registration key!

Reversing is also useful for software developers. Especially with legacy, undocumented software, developers can use reversing to rediscover how it works. Other cases may be testing third-party code, or even a competitor's code, to find out how they do the work.


Namely, reversing can be done at two scales:

  1. System Level Reversing
  2. Code Level Reversing
System-level reversing involves obtaining information from the operating system. Every application uses the operating system to interact with the outside world, which is why it is so important for reversers to understand the operating system.
Code-level reversing can be considered an art. Reversing highly complex software requires a solid understanding of software development, the CPU and the operating system, along with the essential tools and techniques.

Some of you may ask whether it is legal. There is no clear-cut answer to this question yet. Is it OK for others to see a competitor's intellectual property by reversing the product? In my opinion, producers need to think about protection against reversing; on the other hand, you can see reverse engineering as a benefit, a way to show that your product works like a charm and is harmless to the people who use it. It is up to you, depending on where you look from.

Generally, many products are protected by copyrights and patents. Patents are the stronger protection against copying, since they protect the ideas behind the functioning of a new product, whereas a copyright protects only its expression (the code as written, not the idea behind it). Often a patent is no more than a warning sign to discourage competitors.

IT Security

Secure Software Development Lifecycle

by Süleyman Petek, 13 July 2015 23:00

Security should be part of your DNA while building a software system. Below is a short glossary.

Information Security Risk: the probability that a particular threat source will exercise a particular information system vulnerability, and the resulting impact if this occurs.

Software Security: a way to defend against software exploits by building the software to be secure in the first place.

Application Security: a way to defend against software exploits after deployment is complete, i.e. protecting the software from the outside.

Return On Security Investment (ROSI): the total amount of money that an organization expects to save in a year by implementing a security control.

The core components of Secure SDLC process are:

  • Clear and detailed business requirements
  • Security requirements 
  • Threat modelling (Early in the security design phase, threat modelling should be done in order to identify the potential threats that exist specific to the application.)
  • Design
  • A policy for secure coding
  • A framework for secure coding (OWASP may be a resource here)
  • Segregation of environments (Dev/Test/Staging/PreProd/Prod)
  • Static and Dynamic Analysis of the code
  • Change management
  • Release management

To reduce the probability of writing insecure code, a few steps should be included in the SDLC. Since writing secure code is vital for minimizing vulnerabilities, it is worth elaborating on this topic for the benefit of executives. This step in development is too often misunderstood or deemed secondary to production deadlines. It is worth reviewing the basic steps of writing secure code; at some point it may even look like an attractive return on investment.

Secure coding needs some key factors:

  • Top level management buy-in
  • Security architect engagement
  • Segregation of duties
  • Backups
  • Monitoring and logging of events
  • Patch management
  • Password management (authentication-authorization)
  • Session management
  • Input validation
  • Output encoding
  • Exception management (Fail safely)
  • Developer training (Create awareness, educate)
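"Exception management (fail safely)" in the list above is the factor most often got wrong in practice, so here is an added example of what it means in code; it is not code from the original post. A role lookup that can fail (a directory time-out is simulated) guards an action; the fail-open version lets everyone through during the outage, the fail-closed version denies and logs. A second helper shows the other half of failing safely: the client gets a generic error with a reference number, and the detail goes only to the server log. The roles, the directory and the user names are constructed for the example.

```python
"""Fail-safe exception management for an authorization check (added example, not from the
original post). The directory, the roles and the users are constructed."""
import logging
import uuid

log = logging.getLogger("authz")

ROLE_PERMISSIONS = {
    "admin": {"read", "write"},
    "user": {"read"},
    "anonymous": set(),
}


class PolicyServiceUnavailable(Exception):
    """Raised when the role directory cannot be reached."""


def lookup_role(user_id, directory):
    """Constructed stand-in for a directory (LDAP, IdP) call that may fail."""
    if directory.get("_outage"):
        raise PolicyServiceUnavailable("role directory timed out")
    return directory.get(user_id, "anonymous")


def can_access_fail_open(user_id, action, directory):
    """The anti-pattern: an error inside the check lets the request through."""
    try:
        role = lookup_role(user_id, directory)
    except PolicyServiceUnavailable:
        return True      # "don't break the app during an outage": grants everything to everyone
    return action in ROLE_PERMISSIONS[role]


def can_access_fail_closed(user_id, action, directory):
    """Fail safely: any error inside the check is a denial, logged for the operators."""
    try:
        role = lookup_role(user_id, directory)
    except PolicyServiceUnavailable as exc:
        log.error("authorization check failed for %s on %s: %s", user_id, action, exc)
        return False
    return action in ROLE_PERMISSIONS.get(role, set())


def error_response(exc):
    """Generic message to the client; the exception detail goes only to the server log."""
    reference = uuid.uuid4().hex[:12]
    log.error("request %s failed", reference, exc_info=exc)
    return 500, {"error": "internal error", "reference": reference}


# Constructed data: a healthy directory and the same directory during an outage.
DIRECTORY = {"alice": "admin", "bob": "user"}
OUTAGE_DIRECTORY = dict(DIRECTORY, _outage=True)

if __name__ == "__main__":
    for check in (can_access_fail_open, can_access_fail_closed):
        print(check.__name__, "mallory write during outage ->",
              check("mallory", "write", OUTAGE_DIRECTORY))
    print(error_response(RuntimeError("db password is hunter2")))
```

The same shape applies to every security decision that depends on an external call: authentication, token validation, signature checks. If the call cannot be made, the answer is "no", and the reason is written somewhere the operators will see it, never into the response body.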
Since the cost of fixing a bug rises the later it is found in the SDLC, security issues should be considered and fixed as early as possible.



What can you lose if you don't?
  • Reputation
  • Data
  • Money
  • Time
And never forget that risks are for managers, not for developers!


IT Security | Awareness | Secure Coding | Web Security | Web Attack | Web Defense

Web Application Security 101

by Süleyman Petek, 11 July 2015 14:25

Since the spread of the internet nearly 20 years ago, our daily use of it has been increasing day by day. First we got used to reading newspapers on the web, then we started doing our basic financial operations through our banks' web sites. The shopping ("e-commerce") craze followed. Buying plane tickets, betting, dating: there is a huge cyber world out there. That is all nice, but you should be aware of your security and privacy in this cyber world. Nowadays mobile applications are very popular; we cannot say they will replace web applications, but we should notice the power of mobile too.


Web applications have brought with them a new range of security vulnerabilities, and there is a rising awareness that security is an important issue for them. Most web sites say they are secure because they use SSL. Increasingly, organizations also cite their compliance with Payment Card Industry (PCI) standards to reassure users that they are secure. In reality, unfortunately, the majority of web applications are insecure despite the widespread use of SSL and the adoption of regular PCI scanning. Here is an example headline: "Half of firms hit by web application security breaches".

There is a worldwide non-profit organization called OWASP (Open Web Application Security Project) with plenty of material for learning application security. The OWASP Top 10 in particular is a meaningful start for newcomers: it covers the most critical web application security flaws. The latest edition was released in 2013.


Web applications face a fundamental problem: the client is outside the application's control, so users can submit arbitrary input to the server-side application. The application's owners and developers must assume that all input is potentially malicious. The majority of attacks against web applications involve sending crafted input to the server to cause some unexpected behaviour.

Unfortunately SSL cannot stop an attacker from submitting crafted input to the server. If the application uses SSL, this simply means that other parties on the network cannot view or modify the attacker's data in transit; the attacker's own malicious request still arrives at the server intact, just encrypted on the way.

Some key factors behind the problem are:

  • Developers are not aware of the issue; they should be educated in secure coding.
  • Executive management generally cares about deadlines, not the security of the application, so the developer just tries to be as fast as possible and bypasses the security issues.
  • Resources and time are limited and the market is aggressive, so the executives are somewhat right. But security is not an issue to underestimate: the company can lose money and prestige because of insecure applications.
  • The threats are evolving rapidly.

To sum up:

The World Wide Web has evolved from basic static information repositories into highly functional applications that process sensitive data and perform powerful actions with real-world consequences. Most web applications face the core security problem that users can submit arbitrary input. Every aspect of the user's interaction with the application may be malicious and should be regarded as such unless proven otherwise. All the signs about the current state of web application security show that, although some aspects have indeed improved, entirely new threats have evolved to replace them. The overall problem has not been resolved on any significant scale. Attacks against web applications still present a serious threat to both the organizations that deploy them and the users who access them.


IT Security | Awareness | Secure Coding | Web Security | Web Attack | Web Defense

What is PCI DSS?

by Süleyman Petek, 3 July 2015 21:46

The Payment Card Industry Data Security Standard, a.k.a. PCI DSS, is a set of policies and procedures for protecting the data behind the cards you use instead of cash.

As they define it on their website: "The PCI Security Standards Council offers robust and comprehensive standards and supporting materials to enhance payment card data security. These materials include a framework of specifications, tools, measurements and support resources to help organizations ensure the safe handling of cardholder information at every step. The keystone is the PCI Data Security Standard (PCI DSS), which provides an actionable framework for developing a robust payment card data security process including prevention, detection and appropriate reaction to security incidents."


When you think of your daily life:

  • you work for a month for your money
  • at the end of the month you earn your salary and it is transferred to your account
  • you pay your bills online
  • you use a credit or debit card at a cafe, bar, restaurant and so on
  • you use a credit card while shopping online
  • and so on

Did you notice that you never actually see the money physically? You just see numbers on a screen, whether on your mobile phone or on your bank's web site. As a customer of your bank, you should be confident about your privacy and security.

Compared with the old days, the way thieves work has changed a lot. When I was a child, Lucky Luke was protecting the bank from the Daltons.



Now life is easier, but somehow life is easier for the thieves too. So you need proven security guidance. When you comply with PCI DSS:

  1. Your customers will believe they are secure when they do money-related business with you
  2. This trust will feed back positively into your business
  3. Your partners will also feel they can trust you
  4. A good reputation among business partners will bring new partners and new customers

In order to comply with PCI DSS you need to meet the following; there are 6 main goals and 12 requirements:


Say you have done all of the above; what is next? The answer is audit. You will be assessed by a QSA (Qualified Security Assessor), who performs the on-site assessment, and an ASV (Approved Scanning Vendor), who performs the quarterly external vulnerability scans; both are authorized by the PCI Security Standards Council. In some cases, the company is not required to be assessed on site and can prove its compliance via an SAQ (Self-Assessment Questionnaire).

Major payment card brands have created their own compliance programs based on PCI DSS; for instance, Visa's is shown below.


For further information you can check this out.

According to the document, the PCI DSS applies to "all entities involved in payment card processing - including merchants, processors, financial institutions and service providers, as well as all other entities that store, process, or transmit cardholder data and/or sensitive authentication data."

The standard defines cardholder data (CHD) and sensitive authentication data (SAD) as follows:

Cardholder Data

  • Primary Account Number (PAN)
  • Cardholder Name
  • Expiration Date
  • Service Code

Sensitive Authentication Data

  • Full track data (magnetic stripe data, or its equivalent on a chip)
  • CAV2/CVC2/CVV2/CID numbers
  • PINs/PIN blocks

If you're confused about how to get started with this process, contracting a qualified assessment firm can help you pinpoint the areas of improvement in your existing security policies.


IT Security
