Tag Archives: Offence

Mobile Phone intercept, it’s not new

A 60 Minutes report demonstrated how mobile networks could be intercepted and that this has been an open secret within intelligence agencies.

Mobile intercepts are done by accessing the mobile network infrastructure shared by providers across the world. The mobile infrastructure utilises a protocol called SS7 that handles call connections and subscriber information. So, anyone with access to SS7 can intercept subscribers on the network just about anywhere in the world.

Demonstrations of baseband weaknesses were made as early as 2010: Karsten Nohl, the person who demonstrated this to 60 Minutes, presented his findings in 2010 and again in 2014. If you have thought about it, chances are that someone else has as well. In this case, intelligence agencies.

Why is this not a big deal?

Just as providers and adversaries could intercept landlines through a PBX, wiretaps and even exchanges, surely the same principles and assumptions would apply to mobile technologies?

All the same information security networking rules apply: if you have anything of importance to transmit over a third-party network, assume that the third party is not trusted and make sure you have some sort of end-to-end encryption in place (like the couplers used in spy movies) or use an alternative method.
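To make the end-to-end principle concrete, here is an added example in Go (it is not from the original post): the sender seals a message with AES-256-GCM under a key the carrier never holds, an untrusted relay records and optionally modifies what passes through it, and the receiver's decryption fails on any modification or header swap. The key derivation from a constructed passphrase, the relay model, the routing header and the sample message are all assumptions for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// deriveDemoKey turns a constructed passphrase into a 32-byte AES-256 key.
// This stands in for a real key exchange (assumption for the demo); what
// matters is that the key exists only at the two endpoints, never at the carrier.
func deriveDemoKey(secret string) []byte {
	sum := sha256.Sum256([]byte(secret))
	return sum[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM. The header (routing data the
// carrier needs) stays in the clear but is authenticated, so swapping it
// also breaks decryption. A fresh random nonce is prepended to the output.
func Seal(key, plaintext, header []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, header), nil
}

// Open reverses Seal and returns an error if the ciphertext, nonce or
// header were altered in transit.
func Open(key, sealed, header []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, header)
}

// Relay models the untrusted network: it records every message it carries
// and, when asked, modifies one byte before delivery.
type Relay struct {
	Observed [][]byte
}

func (r *Relay) Forward(body []byte, tamper bool) []byte {
	r.Observed = append(r.Observed, append([]byte{}, body...))
	out := append([]byte{}, body...)
	if tamper && len(out) > 0 {
		out[len(out)-1] ^= 0x01
	}
	return out
}

// Leaked reports whether the plaintext ever appeared in what the relay saw.
func (r *Relay) Leaked(secret []byte) bool {
	for _, m := range r.Observed {
		if bytes.Contains(m, secret) {
			return true
		}
	}
	return false
}

func main() {
	key := deriveDemoKey("constructed-demo-secret")   // shared out of band (assumption)
	header := []byte("to:+15550100")                  // constructed routing header
	msg := []byte("board meeting moved to Thursday") // constructed message

	sealed, err := Seal(key, msg, header)
	if err != nil {
		panic(err)
	}
	var carrier Relay
	got, err := Open(key, carrier.Forward(sealed, false), header)
	fmt.Printf("delivered: %q (err=%v)\n", got, err)
	fmt.Println("carrier saw plaintext:", carrier.Leaked(msg))

	_, err = Open(key, carrier.Forward(sealed, true), header)
	fmt.Println("tampered message rejected:", err != nil)
}
```

The relay is deliberately given full read and write access to the bytes it carries; that is the assumption the post makes about SS7 and any other third-party network, and the design goal is that this access yields neither the content nor an undetected modification.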

You are the weakest link…attacking the weakest link on a global level

When protecting a high value target, a single point of failure could be a catalyst for a catastrophic breach.

When securing multinationals, consideration must be made for the smaller subsidiaries. They are connected to the corporate network and as any good pentester can tell you, pivoting is a powerful concept.

Smaller subsidiaries may not have the same level of physical, network and endpoint security. Some subsidiaries may face different levels of threat: political, socio-economic, domestic instability.

A quick example: a UK multinational operating in Argentina, or a Taiwanese company operating in China. Could there be repercussions?

On the other end of the spectrum, subsidiaries may not have faced the same level or intensity of threats as their parent company. Psychologically, citizens maintain the perception that, being in a safe backwater nation, the threats faced by the developed world are not of major concern.

It is important to note that security is a global effort: consider the threat level and adjust to it.

http://www.databreachtoday.eu/interviews/targeted-attacks-how-ready-japan-i-2820

Using Endpoint Security Products against you

Pretty interesting read on several vulnerabilities relating to Symantec Endpoint Protection:

http://codewhitesec.blogspot.be/2015/07/symantec-endpoint-protection.html

The article discusses various means to remotely compromise the management console and plant code in the distribution package.

There are several takeaways here:

  • Given that your security product is supposed to be securing your entire environment, your management console must be locked down, patched, etc.
  • If you haven’t performed an audit on your management console settings, you are asking for trouble. At the very least, explain why you have certain rules in place (file/folder exceptions come to mind).
  • Does your management console have an auditing function? Do you check it?
  • Are the endpoint packages that you create verified and signed?
  • (To the vendors) Do services really require local SYSTEM to run?
  • If your endpoint product is compromised, you can no longer trust it or the system that it is protecting.
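One concrete form of the "verified and signed" check, as an added example in Go that is not from the original post or the linked article: the build system signs a small manifest (package name plus SHA-256 digest) with an Ed25519 key, and the console verifies the signature and then the digest before a package is staged for distribution. Planted code changes the digest, and re-issuing a manifest to match it fails the signature check because the signing key is not on the console. The manifest layout, the key handling and the sample package bytes are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest describes one endpoint package. In this demo the signing key
// lives only on the build system; the console holds just the public key.
type Manifest struct {
	Name   string
	SHA256 string // hex digest of the package bytes
}

// Bytes is the canonical encoding that gets signed (constructed layout).
func (m Manifest) Bytes() []byte {
	return []byte(m.Name + "\n" + m.SHA256 + "\n")
}

// NewManifest records the digest of the package as built.
func NewManifest(name string, pkg []byte) Manifest {
	sum := sha256.Sum256(pkg)
	return Manifest{Name: name, SHA256: hex.EncodeToString(sum[:])}
}

// GenerateSigningKey creates the build system's Ed25519 key pair.
func GenerateSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignManifest runs on the build system only.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Bytes())
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrHashMismatch = errors.New("package hash does not match signed manifest")
)

// VerifyPackage is the check the console runs before staging a package:
// first the signature over the manifest, then the package bytes against
// the manifest's digest. Either failure should stop distribution.
func VerifyPackage(pub ed25519.PublicKey, m Manifest, sig, pkg []byte) error {
	if !ed25519.Verify(pub, m.Bytes(), sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

func main() {
	pub, priv, err := GenerateSigningKey()
	if err != nil {
		panic(err)
	}
	pkg := []byte("constructed-installer-bytes") // stands in for the real package
	m := NewManifest("endpoint-agent-1.0", pkg)
	sig := SignManifest(priv, m)
	fmt.Println("clean package:", VerifyPackage(pub, m, sig, pkg))

	// Extra bytes appended after signing: the digest no longer matches.
	modified := append(append([]byte{}, pkg...), []byte("+extra")...)
	fmt.Println("modified package:", VerifyPackage(pub, m, sig, modified))

	// A manifest rewritten to match the modified package, but without the
	// signing key: the signature check rejects it.
	rewritten := NewManifest(m.Name, modified)
	fmt.Println("rewritten manifest:", VerifyPackage(pub, rewritten, sig, modified))
}
```

The order of the two checks matters: verifying the signature first means the digest that the package is compared against is itself trustworthy, so the console never relies on a hash it was merely handed.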

Security is a balance between offence and defence.

Summary:

  • How do you know that your defences are good if you don’t test them?
  • What lengths would your adversaries take to compromise your systems?
  • Adopt the same offensive mentality as your adversary in order to test your defences

You have your security strategy, you know (most of*) your threats and vulnerabilities, you have implemented a top-down, well-oiled security program: policies, procedures, processes, technology, etc. You’re now safe…

Really…?

As mentioned in a previous blog, security must be tested either by you or by your threat.

The Mandiant Threat Landscape report shows that intruders can be on your network for 243 days before being detected. (1)

Let’s be ignorant and ask a few questions:

  1. How did they get through our defences?
  2. Why did it take so long for them to be detected?

etc…

Let’s assume that all the policies and technology are capable of keeping the adversary out; how would *you* know? Business is evolving, computational power is getting cheaper, interconnectivity is expanding, attack information is easily accessible and adversaries adapt. With all of that in mind, is your security program evolving?

This gap between the security program and the adversaries’ capabilities is the current risk to the organisation.

From the last blog, an assessment would have been made to find out an organisation’s assets and threats. As part of the threat analysis, some consideration would have been made to examine the likelihood and the capabilities of the threat.

Risk mitigation will consider the threat analysis then apply the appropriate risk treatment.

A lot of threats could be addressed by going through a ‘checklist’; this would be considered a ‘baseline’. However, to stop a determined adversary, advanced threats, etc., some innovation is required. As a penetration tester, you need to be innovative and think outside the square to find ways to get in; this is where innovation is practised.

Back to answering question 1: to be a good security professional you have to think like *the* threat, the adversary, a pen tester, in order to minimise the risk of a threat compromising your organisation.

As for the second question, it is obvious that the adversary was not detected at the time of entry, and that raises other questions: how well-oiled is your security program? Is it measurable? Were the right vulnerabilities addressed?

To answer this, you need to put your defensive hat on…

1. https://www.mandiant.com/threat-landscape/