Data Leakage – A covert channel

If you think you are safe having adequate NAC (Network Access Control) but not controlling local administrative access and application execution on your workstations, you should think again.  This post will go through some of the risks as well as some of the controls in an enterprise environment.  This is an example of bypassing a NAC and the controls what you can put in place to ensure that your risk is mitigated.

The weakest point is normally an unsuspecting administrator, lack of proper configuration, and simple default installs.  In this example, let’s look at a complete CISCO ISE implementation whereby

Guarding the ‘Perimeter’

the workstations have been locked down to a secure realm and the MAC Address is used as one of the authentication mechanisms.  Here, for argument, we will be using an user connected to the network using a physical cable.  The user has a laptop with a Wireless LAN adapter as well. (As we can see, a compromise will depend on many requirements to be met).

I will not go in detail on the actual application that compromises access, but the normal PowerShell command are in the public domain.

The workflow of the penetration is to activate the WLAN card on the laptop to act as a Access Point and use the authenticated users credentials without his knowledge to access the Internet.  This of course may lead to implicating the user into actions against the Acceptable Use Policy.

The windows commands are as follows:

  • NETSH WLAN set hostednetwork mode=allow ssid=Your_SSID key=Your_Passphrase
  • NETSH WLAN start hostednetwork
  • The next step is to enable sharing on the WLAN device and this is done normally through the Network Connection Properties.  This can be done programatically via updating registry keys.
  • In order to stop the share the following command must be entered NETSH WLAN stop hostednetwork
  • and then NETSH WLAN set hostednetwork mode= disallow

Now visualize a possible compromise

  1. Develop and application requiring UAC elevation privileges and give this to a user with local administrative rights
    1. This application will execute the above commands using either PowerShell or an API
    2. The unsuspecting user’s laptop is Wireless Access Point (AP) with your predefined SSID and Password
  2. One this is done, any wireless device can connect to the AP and access the Internet
  3. If the local user has authentication to the Domain/LDAP (or other authentication mechanism) to access the Internet, any access via the local AP will be through his account using his MAC address of the wired connection.

Controlling the risk

  • A simple to control to the risk by ensuring users do not have local administrative access.
  • Ensure only known (white-listed) applications can run on administrator workstations
  • Monitor and report on user behavior (access to the Internet)
  • Monitor, log and react on system changes outside the acceptable defined control framework

Free Internet at Santander Totta

The banking landscape is changing at an exponential rate.  Travelling a bit and finding myself on the island of Madeira.  Off the continent of Africa, closest country is Morocco, but it is part of Portugal.  A few years ago, BANIF Bank was experiencing some financial stability and was bought out by a the Spanish Bank Santander Totta.

UALA

User Agreement

A very interesting finding was that while sitting outside the bank I saw the Wi-Fi SSID of the bank.  It was ‘unsecured’ (no password required) and I decided to connect to the Wi-Fi.   To my amazement, I got connected to the Internet with full browser functionality.  Whatsapp worked, Instagram as well as Facebook, and other social media applications.

This is a total different approach to some of the banks I have experience in and I think it will be good to comment on the approach here.  As part of a past implementation of a new infrastructure, it was discussed to give GUEST access to clients in the bank limited by time.

What can be realized as a benefit to the bank?

  • Branding is number 1 here.  Your bank’s logo will be shown as part of the agreement.  The user, client or not, will be happy for this free service and will relate ‘happiness with the bank’s logo’.
  • Based on the User Agreement, it will be possible to obtain some statistics of usage and possibly have some leads for product sales.

Are there any new risks to the bank?

I can see no material risk to the bank if the network access via the Wi-Fi is totally separate from the bank’s production network.  The bank of course should have good practices in place where IPS (Intrusion Prevention Services) are part of the delivery platform.

  • Make sure users cannot visit blacklisted sites.
  • Make sure that exploits are blocked.
  • Monitor access as the platform may be used for criminal activity.
  • Only allow services such as HTTP, HTTPS and other protocols that will enable a good experience for the user but cannot be used as a springboard for malicious intent.

Based on the rules, it is simple to control and monitor.

The only recommendation is the security certificate that is not properly implemented.  This should be updated.

This is a plus for the Bank.  Well done Santander Totta.

Links

Santander Totta

Mentor Program

A notice to budding Information Security professionals.  With many years of experience in many aspects of Information Security, IT Auditing at business and low-level, it is always a pleasure to meet some of my peers that have dedication and zest.

Any person is welcome to submit a query to get more information in obtaining information to start walking the path with me.  This will of course be vetted to ensure that no users with dubious intent get onto the road.

Why am I doing this?

Information Security is growing globally and we need to develop the skills of many users entering the market.  Information Security is a huge domain and we need to focus on the right skills and right development path.  It will be beneficial creating a group with like-minded intent and learning from those who have walked the path.

If you need any further information, please complete the following form and I (Mervin Pearce (CISSP-ISSAP)) will be personally be contacted from my personal domain.

 

Bank Re-branding – Criminal Exploitation

ABSA Bank, from whom Barclays has dis-invested, re-branded the bank with a new logo and with some fanfare.  As expected the criminals are waiting for such events to exploit bank clients during the ‘transition’ phase.  The interesting fact here is that the compromised sites with the Phishing exploit code is mostly in South Africa.  This shows that the fraudsters are actively thinking about their attack vectors.  If an unsuspecting ABSA client clicks on the Phishing email and he is directed to a local site, it will see valid and the risk of account compromise is higher.

Compromised site

One of the emails received contained a link to a local (.co.za) site called http://absaonlineupgradeservicesecure(.)co(.)za and reviewing the registration details, it is noted that this site was registered on behalf of a client through MWEB.

Planning process

Having obtained the source code from a compromised site, the analysis was quite simple and it seems that the ‘hackers’ are not that complete by closing access to the compromised site.  On one

Possible fraudster source in Ghana

of the sites, we noted a text file that contained the results of the Phished users.  There were also many test IP addresses which possibly virtual shows the source of the hackers.  This was noted to be from Ghana.

Within the text file, there was account numbers with PIN.  This information was forwarded to fraud@absa.co.za with all personal contact details in case they needed to complete this for verification.  No communication received after a week. (update: Communication received after 9 days)

The problem exists that it is not possible to educate all of the users to NOT CLICK on a link as the Internet was designed to click links. 

Two approaches to combat cybercrime must be followed and that is one from the end-user and the other from the bank.  This is not an exhaustive list, but will help to secure the eBanking process and make life for fraudsters more difficult.

End-Users (Bank clients) needs to be educated and this is an ongoing process.

Text file of compromised accounts on the compromised server

The bank can use technology to combat online fraud and some of the steps include:

  • Monitoring for increased access of the bank logos in relations to referenced pages.  This will only indicate a possible new Phishing campaign and allow the active monitoring to be placed in a higher level of readiness
  • Monitoring of client accounts from outside normal IP addresses.  For example if the source IP is outside South Africa (in this case), additional authentication should be required.
  • The bank should get actively involved with fraud notifications.  I have had two experiences now where two different banks do not respond.  The other was a possible fraud on a credit card and one of the options was block and phone the client back.  This never was done. (Not ABSA here)
  • The positive for ABSA here is the 2nd level access which the user selected passphrase is broken up into multiple selections.  This makes it more secure against actual compromise.
  • Banks also need to supply 2-factor authentication at all times to ensure that a physical token (mobile phone as an example) is required at all times.  I did experience problems with ABSA while travelling outside the country with the SecureCheck mobile app. Acknowledgement never was delivered and could not do any transactions.

This does not exclude the fact that the fraudsters may use other methods, such as a phone call or social engineering, to obtain information that is lacking to complete the fraud.

We have to acknowledge that some major changes has to take place in order to make it more secure for the end-user.  Combating fraud is a leap-frog exercise where bank security specialists have to be highly skilled and dedicated.

 

Presidency.gov.za site hacked

Take away: Make sure you stay up-to-date with latest security news and apply all patches as soon as possible depending on the exposure and impact.

On the 7th of July 2018 accessing the South African Presidency site, http://www.thepresidency.gov.za, were greeted by the following home screen…

It has been restored to it’s previous form.

Visiting Zone-h (listing of hacked sites), 2 South African sites were found to be hacked by the same ‘team’.

The back-end revealed that both uses Drupal 7 (A popular Content Management System) with 3 critical security risks identified in March and April 2018.  This is easy by right-clicking and inspecting the web source.

The Presidency ‘Source’

 

Another Drupal 7 source – RoyalCaribbean.co.za

Tips

  • The source of the web pages are post the hacks and hopefully all new patches have been applied.  There is nothing wrong to use opensource software, but the installation, configuration and security monitoring and management is critical;
  • You need to be proactive and have the right staff/functions in place;
  • Monitor security notifications and apply patches or compensating controls to minimize your risk;
  • Monitor and review your logs
  • Expect to be hacked and prepare your response plan
  • ‘Hack’ your own systems to test the security.

 

Practice Safe HEX