Another platform that will see greater attention by cybercriminals is the smartphone operating system. There was a dramatic increase in malware targeting the Android OS and this is expected to increase.  Online banking attacks which are already at a mature stage will expand and target users’ mobile devices. And finally, the major threat that is expected to rise significantly in the coming years is the disclosure of personal information. The problem of protecting users’ confidential data has become one of the hottest topics.

Read the full report here -  http://www.kaspersky.com/images/Kaspersky%20report-10-134377.pdf

An infected Android phone with Tigerbot malware can be controlled remotely via SMS and phone calls. Trend Micro suspects that there will be updated versions of Tigerbot in the future.

Read more about Tigerbot here – http://blog.trendmicro.com/a-closer-look-at-androidos_tigerbot-evl/

Trend Micro recommends five important steps to secure your android phone:

1. Use your smartphone built-in security features
2. Avoid using free but unsecure Wi-Fi access
3. Scrutinize every application you download regardless of source
4. Understand the permissions you are allowing before accepting them
5. Consider investing in an effective mobile security application

Read more about these tips here – http://about-threats.trendmicro.com/ebooks/5-simple-steps-to-secure-your-android-based-smartphones/#/2/

Read the full article here – http://www.windowsecurity.com/pages/newsletters/december2011.asp

If you are purchasing a new vehicle, most probably you will want to purchase one with the best safety features including seat belts, air bags, compressible front and rear sections, and other extra features that add value to the overall safety of the vehicle. Basically, you would go for the options that give you the best means of protection while you are driving. The same goes with Cyber security. Security aware individuals and organizations would secure their internal assets and networks as best as they can, so that any information within their networks is protected.

But how secure the vehicle would be if there were no highway controls, no drivers’ tests, and no monitoring and response by law enforcement! I can include other regulatory requirements, such as regular state vehicle inspections and other highway checks. No matter how well protected the vehicle may be from the inside, it would still be unsafe to drive it in insecure highways filled with outlaws roaming about. 

Read the full article here – http://www.windowsecurity.com/pages/newsletters/november2011.asp

Read the full article here – http://www.windowsecurity.com/pages/newsletters/october2011.asp

Briefly, the document analyse vulnerabilities or weaknesses in software that enable an attacker to compromise the integrity, availability, or confidentiality of the software or the data it processes. It explains exploits or malicious code that takes advantage of software vulnerabilities to infect, disrupt, or take control of a computer without the user’s consent and usually without the user’s knowledge. Also, it describes malware and potentially unwanted software, Email threats and malicious websites such as, phishing sites that are hosted all over the world on free hosting sites, on compromised web servers, and in numerous other contexts.

Download the full report – Microsoft Security Intelligence Report Volume 12, from here – http://download.microsoft.com/download/C/9/A/C9A544AD-4150-43D3-80F7-4F1641EF910A/Microsoft_Security_Intelligence_Report_Volume_12_English.pdf

Read more here – http://www.bcs.org/content/conWebDoc/44393

Users have become dependent on these devices and on the information they may contain, but do users or better organizations back up any data related to the business that may be stored on these devices?

If mobile devices are allowed to connect to corporate resources then the company needs to have a plan in place that allows for safe and secure usage. A mobile strategy which ensures that all risks are accounted for and managed appropriately.

For instance, a strategy could define the allowable devices that can use when connecting to internal resources, the type of services they can connect to, the type of authentication and encryption used and which applications are allowed to run on mobile devices. It is critical that the strategy would refer to a lost or stolen policy. Such a policy would include notification procedures when devices are lost or stolen, that all mobile devices are encrypted and have data wipe-out mechanisms.

After carefully analysing the situation, setting up a mobile strategy and policy then put in place the controls that give you visibility of all devices connecting to the infrastructure. The implementation and running cost of mobile device management solutions (or asset management solutions) may be costly, and at times it may exceed the cost of issuing of company devices. However, if the organization decides to issue its own devices then it can opt for the features that best fits its security requirements!

Take action now as one thing is for sure, if no mobile device strategy exists, employees may choose to bring in their own, unsecured devices.

Rapporteur Monika Hohlmeier (EPP, DE) said that:

“We are dealing here with serious criminal attacks, some of which are even conducted by criminal organizations. The financial damage caused for companies, private users and the public side amounts to several billions each year. No car manufacturer may send a car without a seatbelt into the streets. And if this happens, the company will be held liable for any damage. These rules must also apply in the virtual world”.

Read more about the amendments here – http://www.europarl.europa.eu/news/en/pressroom/content/20120326IPR41843/html/Hacking-IT-systems-to-become-a-criminal-offence

However, the seatbelt analogy is far too simplistic, isn’t? -  Software and Internet’s security is not just putting in place known safety measures and you’re fine! There can be many unknown factors, such as dependencies on other platforms and systems, unknown exploits, etc. and although it is critical to make sure that you have applied all safety measures, still systems are abused and compromised! Do you think the analogy used by the rapporteur in this case is approriate?

Secure Sockets Layer (SSL) is a protocol that provides secure communications over networks, including the Internet. The protocol allows client-server applications to communicate with each other and preventing third-parties from spying and interfering in these communications. The successor of SSL is Transport Layer Security (TLS).

Why it is used?

As already noted, SSL/TLS provides an excellent method to secure communications, however, it is not perfect.

Where it is used?

It is widely used in web browsing, electronic mail, wireless communications, instant messaging and voice-over-IP (VoIP).

What is the difference between SSL and TLS?

The main difference is that TLS allows for both secure and insecure connections over the same port, while SSL requires a specific port for secure-only connections. Also, they differ slightly in the way they start a secure connection. While, the SSL process starts immediately negotiating security between the client and the server, the TLS allows the first part of the handshake process to take place over an insecure connection.

Do SSL and TLS have vulnerabilities?

The protocol is susceptible to what is known as man-in-middle attack. Man-in-the-middle attack is when an attacker takes control of the conversation between two parties and relays messages between them as if they were talking directly to each other. Version 2.0 of SSL is known to be flawed in many ways and is disabled by default in Internet Explorer (IE) 7, IE 8, IE9, Mozilla Firefox (FF) 2, FF 3, FF 4, Opera and Safari. Also, a vulnerability was discovered recently on version 3.0 of SSL and all versions of TLS which can lead to plaintext injection attacks! However, workarounds exist to mitigate these risks. In general, there are more known attacks against the implementation rather than the protocol itself. It is recommended to use SSLv3/TLSv1 implementations and avoid SSLv2 and below.

Four crucial points were cited by Greg Hoglund, founder and chief technology officer of HBGary, at the RSA Conference. A brief summary is found below:

1. Compromised valid credentials – Rather than planting malicious code into your network, attackers target users credentials through social engineering and other methods, and use these credentials to access your network. In such circumstances, it is useless to monitor for malware code but instead you need to monitor for odd user behaviour. Trends, such as user activity after office hours or during weekends may indicate abnormal behaviour. 

2. False perception of attack vectors – Many organizations assume that an infected machine/s was the target of the intruders, however, APTs generate activity and anomalous network traffic to divert the attention of security experts and disguise the real malicious activity! Most of the times, the initial systems that are infected are used to serve as gateways to other internal systems, so make sure that you monitor for lateral movement inside your network.

3. Investigate before cleaning machines – When it is possible, retain a compromised machine (can be placed in a controlled environment) so that you can track down APT current and future activities. A compromised machine can lead you to other infected machines and compromised services that may remain dormant for some time! APTs are intelligent and are able to implant emergency backdoors in case you manage to control their current activity.

4. Monitor closely traffic (outgoing) leaving your network – Whatever, malicious activities APTs are able to perform within your network, at one point or another they need to collect sensitive data and send it to a malicious destination outside your network. A good starting point is to monitor for large compressed files which may be ready for uploading! Also, monitoring outgoing traffic to unusual destinations and the type of files being uploaded such as, RAR or CAB files may lead you to track down APTs.

Read the full article here – http://www.darkreading.com/advanced-threats/167901091/security/security-management/232601808/tracking-down-advanced-threats-in-your-network.html

The public available guides include templates for network resources acceptable usage policy, a secure IOS configuration template for use with Cisco routers among other templates. For organizations that are contemplating of building a team of security experts known as CERT teams, can find setting up guides, an example for an enterprise CERT and even lesson learned from other organizations such as, the Dutch government CERT!

Although, most of the technical guides may refer to older operating systems, the guidelines presented in these guides are still valid for the more recent systems. For instance, users who are still running IIS 6.0 and use a DMZ then can learn how to harden a Windows 2003 system running IIS 6.0 for DMZ deployment which will surely enhance their skills if later are to upgrade to a more secure platform such as, Windows 2008 system running IIS 7!

You can access these guides here – http://www.first.org/resources/guides#bp17

2. Review hardware devices: – Prepare an inventory of exiting devices supporting IPv6 and IPv6 tunnels. It is recommended to disable IPv6 tunnels if not needed. Review which network devices and network management tools in your environment are capable of analysing and/or blocking IPv6 traffic before going for a partial or full implementation.

3. Degree of control: – When you are planning the upgrade make sure that you understand the degree of control each possible configuration would give you! For instance, in stateless auto-configuration you can set an interface identifier using random numbers or MAC Addresses. If you are to comply with some legal regulations then privacy extensions (through random numbers) may not be the best option! If you decide to set IP addresses manually then make sure that these are not so predictable as to make it difficult to find attackable node in your network.

4. Gradual implementation: – Integrate IPv6 with your existing IPv4 gradually, that is, start with a few highly controlled services and when you acquire enough knowledge on the management of IPv6 systems then plan for a full implementation.

5. Filter Traffic: – As a general rule it is advisable to filter traffic coming from prefixes which are not assigned by authorities (IANA or RIRs). For instance, Unique Local Addresses (ULA-type) must not reach the Internet or enter the network!

IPv6 supports IPsec natively, that is, the architecture includes the option of using the IPsec (Internet Protocol Security) model. IPsec provides authentication, integrity and confidentiality for end-to-end communications. IPv6 limits or makes it impossible to scan all possible IP addresses due to the exponential growth in the total number of addresses therefore, making network scans becomes not feasible! IPv6 has eliminated the possibility of broadcast-type DDOS attacks since this addressing method is removed. There will no use of NAT anymore under IPv6 and end-to-end security will be less complex and cheaper. Other improvements include new features that improve the efficiency of the IP packet routing process.

Upgrading to IPv6 requires planning and you should review the technical aspects, management issues and the specific features of the protocol before going for the actual implementation! Certain security devices such as firewalls and IDSs may not be configured or even support analysis of IPv6 data flow. This may allow malicious communications to take place within your network whereas, perimeter security devices can be used for unauthorised communications such as, in botnet and P2P activity. Since, the implementation of IPv6 implies the removal of NAT, firewall settings would need to reflect this change and protect direct communications with internal computers. In addition, firewall rules that previously blocked certain protocols such as, ICMP are now needed for IPv6 to function properly.

New ways of attacking networks will appear, as hackers would take advantage of any new feature entrenched within IPv6. There are specific multicast addresses to find services such as, all routers, all dhcp, etc. During the migration period where devices are configured to support both IPv4 and IPv6, attack vectors can use either protocol or a combination of both, and where devices are supporting both protocols there will be vulnerabilities associated with both protocols.

One of the new features of IPv6 is the IP address auto-generation where a network interface card generates its IP address from its MAC address. If a device within the network generates false responses to a network interface during its auto-configuration then the interface would fail to connect to the network. Also, in this scenario a malicious device such as, a rogue router could lead to a man-in-the-middle attack. In addition, the fact that an IP address can be associated with a MAC address which in turn can be associated with a Computer and an individual owning that computer could lead to privacy issues over the Internet! However, there are solutions to these problems and you would need to investigate further whether these are supported in your environment.

Implementing IPv6 does not only require the latest technology but the necessary knowledge to manage the protocol. The implementation of IPv6, together with the interoperability of IPv4 is a complex process and therefore, all possible security requirements need to be assessed.

Read the full story here – http://www.symantec.com/connect/blogs/dropbox-abused-spammers

Download TaskManager_V0_0_1.zip from here – http://blog.didierstevens.com/2011/02/03/taskmanager-xls/

The WiFi Pineapple attracts devices looking to connect to an open Wi-Fi network, that is, networks that are not protected with encryption mechanisms. Mobile devices send out requests to connect to a list of Wi-Fi networks that the device has remembered and Darren’s router pretends to be the Wi-Fi network the user’s device is seeking. This is an inherent flaw in the trust model of open Wi-Fi.

Read more – http://hak5.org/hack/wifi-pineapple-flashing-guide

The new features include:

Status Checks and Events – The new DescribeVolumeStatus API reflects the status of the volume and lists an event when a potential inconsistency is detected. The event tells you why a volume’s status is impaired and when the impairment started. By default, when we detect a problem, we disable I/O on the volume to prevent application exposure to potential data inconsistency.

Re-Enabling I/O – The “IO Enabled” status check fails when I/O is blocked. You can re-enable I/O by calling the new EnableVolumeIO API.

Automatically Enable I/O – Using the ModifyVolumeAttribute/DescribeVolumeAttribute APIs you can configure a volume to automatically re-enable I/O. We provide this for cases when you might favor immediate volume availability over consistency. For example, in the case of an instance’s boot volume where you’re only writing logging information, you might choose to accept possible inconsistency of the latest log entries in order to get the instance back online as quickly as possible.

Read more – http://aws.typepad.com/aws/2012/03/the-next-type-of-ec2-status-check-ebs-volume-status.html?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+AmazonWebServicesBlog+%28Amazon+Web+Services+Blog%29

Since the SIP protocol allows for the addition of extra features, many vendors leverage this flexibility in order to enhance their commercial systems. However, this may render the protocol non-compliant with Internet Official Protocol Standards. For instance, SIP standards include the use of a default port, message headers with specific fields and many more definitions which may be modified for a multitude of reasons!

To complete our softphone compliancy test, I decided to use the free version of 3CX Phone System which provides a fully functional client softphone. 3CX is a company that develops IP PBX software for Windows. All the tools we need from one source! To monitor network traffic and capture SIP packets we will use the free and open source network protocol analyser, WireShark version 1.6.5. The VoIP phone system and softphone are installed on separate machines but both machines are located within the same local area network (LAN).

Some SIP Basics

The SIP protocol is an application-layer protocol for creating, modifying, and terminating sessions between parties such as Internet telephone calls and multimedia conferences. SIP runs on top of several different transport protocols.

Registration of a sip phone whether it is software or hardware based, is a common operation in SIP.  Registration is a process where a VoIP phone system learns the current location of a phone. Upon initialization of a phone, and at periodic intervals, the phone sends REGISTER messages to the server known as a SIP registrar. A registrar is a server that accepts REGISTER requests and places the information it receives in those requests into the location service for the domain it handles.

In our test scenario, the server hosting our 3CX phone backend will serve as a registrar. It will receive requests in order to service them and sends back responses to those requests.  Servers can act as proxies, user agent servers, redirect servers, apart from registrars.

A SIP message is either a request from a client to a server, or a response from a server to a client. A SIP Request is a message sent from a client to a server, for the purpose of invoking a particular operation while, a SIP response is a message sent from a server to a client, for indicating the status of a request sent from the client to the server.

That’s enough for a brief introduction; now let’s delve deeper into the REGISTER request.

The REGISTER Request

RFC 3261 stipulates that the following header fields, with the exception of Contact which is optional, must be included in a REGISTER request as described below:

Request-URI: The Request-URI names the domain of the location service for which the registration is meant. The “userinfo” and “@” components of the SIP URI MUST NOT be present.

To: The To header field contains the address of record whose registration is to be created, queried, or modified.  The To header field and the Request-URI field typically differ, as the former contains a user name.  This address-of-record MUST be a SIP URI or SIPS URI.

From: The From header field contains the address-of-record of the person responsible for the registration.  The value is the same as the To header field unless the request is a third-party registration.

Call-ID: All registrations from a UAC SHOULD use the same Call-ID header field value for registrations sent to a particular registrar. If the same client were to use different Call-ID values, a registrar could not detect whether a delayed REGISTER request might have arrived out of order.

CSeq: The CSeq value guarantees proper ordering of REGISTER requests.  A UA MUST increment the CSeq value by one for each REGISTER request with the same Call-ID.

Contact: REGISTER requests MAY contain a Contact header field with zero or more values containing address bindings.

For more information about RFC 3261, I suggest that you go here.

Just after we load the pre-configured 3CX softphone and start the network protocol analyzer, we should be able to capture various SIP requests and responses such as, REGISTER, SUBSCRIBE and OK as shown below:

Figure 1: SIP requests and responses

Further investigating the first REGISTER request, we find that all fields as specified in RFC 3261 and as explained above are present. The only missing field is the Contact but this requirement is optional!

The standard defines that:

• the Request-URI field should not include the “userinfo” and “@” components of the SIP URI
• the TO address-of-record MUST be a SIP URI or SIPS URI
• The From header field must match the value in the To header field (exceptions exist)

So far, our test softphone fully complies with the above requirements as verified below:

Figure 2: First compliance test

To verify the Call-ID and CSeq fields, we need to examine at least two SIP REGISTER requests and compare the values in each request.

The standard defines that:

• All registrations SHOULD use the same Call-ID header field value for registrations sent to a particular registrar.
• The CSeq value MUST be incremented by one for each REGISTER request with the same Call-ID.

The captured REGISTER requests clearly show that the Call-ID value remains the same in both requests, while the sequence value increments every time a new REGISTER request is sent. As shown below, there were 79 REGISTER requests from the time we loaded the 3CX softphone until we took the second snapshot (Sequence number: 79). Therefore, our test 3CX softphone is fully compliant with the SIP protocol requirements for REGISTER request header fields as specified in RFC 3261.

Figure 3: First REGISTER request

Figure 4:  A later REGISTER request

Note: the Expires parameter within the CSeq field denotes an expiry time. When a client sends a REGISTER request, it may suggest an expiration interval that indicates how long the client would like the registration to be valid.

After a REGISTER request is sent by the softphone, the registrar server will acknowledge with an OK message if the request was successful. The Status code of the response is 200 as shown below:

Figure 5: 200 OK Message

SIP requests are distinguished by having a Request-Line in the start line, while SIP responses are distinguished from requests by having a Status-Line in their start line. This can be seen in figures 2 and 5 above.

Additional Requests & Responses

Worth noting from the data we have captured during our tests, is the SUBSCRIBE request and the status message 407 Proxy Authentication Required.

The SUBSCRIBE request sent by the softphone indicates that the client device wishes to receive information about the status of a service session. Clients may send these requests after they establish a connection with the network service and wish to get additional information about their status.  

Proxy Authentication Required responses are used by proxy servers. If no credentials are provided in the request, the proxy can challenge the originator to provide credentials by rejecting the request with a 407 (Proxy Authentication Required) status code.  This indicates that the client device must first authenticate itself with the proxy, however, in our test scenario no proxy settings were configured and we accepted a default installation to allow the server to act as a registrar.

A Proxy Server is an intermediary entity that acts as both a server and a client for the purpose of making requests on behalf of other clients.  A proxy server primarily plays the role of routing, and for enforcing policies.

This brings us to the end of this non-exhaustive compliancy test of the 3CX softphone initial registration. However, leveraging WireShark capabilities and a similar VoIP setup one can analyse the request, acceptance, setup and termination of a call – have Fun!

To conclude this article, I would like to share with you the real boons of software-based IP phone systems. These include cost savings in hardware equipment, network wiring and international calls when using VoIP providers or Skype gateways. The system allows for greater compatibility with various SIP phones and remote extensions’ capabilities.

The tool allows you to take a snapshot of your system state before and after the installation of new software and displays the changes to a number of key elements of the Windows attack surface. It can be used by developers to view changes resulting from the introduction of their code on to the Windows platform, and by IT staff to assess and control the organization desktop environment.

However, the major benefit of the tool is for security experts and auditors because it helps them evaluate the risk of specific software by taking snapshots before and after an installation and compare the resultant system changes caused by the software installation.

Read more – http://www.microsoft.com/download/en/details.aspx?id=24487