LogJam Flaw Discovered

This week, security researchers revealed evidence of a new flaw, LogJam, which could allow hackers to weaken encrypted connections between a user and a web or email server. The vulnerability was discovered as part of investigations into the FREAK flaw, found earlier in the year. LogJam takes advantage of software using 512-bit encryption keys and allows a hacker to trick a web server into thinking it is using a stronger encryption key than it actually is. Any organization that patched the FREAK flaw will not be vulnerable to LogJam, and to take advantage of the vulnerability the hacker needs to be on the same network as the victim.

Currently it feels like a day doesn’t go by without an organization being hacked or a new security vulnerability being revealed. Over the last year or so we’ve seen a few serious flaws exposed, and it’s likely we’ll see many more as the internet gets older and hackers get better at finding and exploiting the cracks that have appeared. However, some threats are more serious than others and, while it pays to make people aware of all of them, we need to try to avoid causing mass hysteria each time one emerges.

The fact that LogJam can only be exploited when hackers and targets are on the same network, together with the imminent patches, means that the hype around it is likely to be a bit of a storm in a teacup. Organizations should, however, use flaws like this as an excuse to give themselves a security health-check. While the fact that someone has to be on the same network to take advantage of the flaw may see many breathe a sigh of relief, they do have to ask themselves one question: would we know if they are, and are taking advantage of it? With an increase in remote working, as well as a few high-profile breaches perpetrated by malicious insiders, no one should be resting on their laurels quite yet. We’ve seen countless cyber attacks take months, or even years in some cases, to be identified and remediated, so everyone should really be double-checking that they’re clean.

No business is safe today, and trying to prevent attacks is becoming almost pointless. If a hacker wants to get in badly enough, they’ll happily spend some time bypassing even the best firewalls and intrusion detection systems. Given this, organizations need to shift their focus from trying to stop them getting in to making sure that, when they do get in, they can be got out as quickly as possible. Businesses now need to have the necessary security intelligence in place to enable them to detect and respond to threats in hours and minutes, rather than months and days, to be sure they can limit any damage. With flaws like LogJam being identified with increasing frequency, the only real way to know you’re safe is to know you can stop an attack in its tracks as soon as it gets going.




Investigation Operational Security Tips

Operational security during an investigation is extremely important, and there are a couple of tips I’d like to share. While they may seem obvious at times, it’s imperative that they be kept in mind during an emergency or a normal investigation, especially for those organizations without a dedicated incident response team. Cutting corners to save time, or ignoring some basic rules, can compromise your investigation and alert unwanted individuals to it.

  1. DNS Requests

A common practice in many investigations is to gather information on and observe a suspicious domain, if one is involved. While this preliminary information gathering can be beneficial, it can also compromise your investigation. Making DNS requests to an attacker’s server could inform them that research is being conducted, or that their activity has been detected. It is extremely rare for an average foe to monitor inbound DNS requests, but it is a reasonable practice for a targeted and much more sophisticated adversary. In theory, such an adversary could monitor their own DNS servers for communication. Once irregular inbound requests are detected, an adversary then has a head start to immediately back out, cover their tracks, and change their tactics.

This mistake is most common with traffic capturing utilities used within a network for automatic name resolution. These tools can automatically give intelligence to the attacker around your monitoring capabilities. Here are two common examples of disabling automatic name resolution:


This setting is disabled by default, but good to double check if loading a PCAP that may contain network traffic for an investigation or research. The setting can be found in Edit > Preferences > Name Resolution.

Figure 1


Use the -n option. As stated in the manual, this setting will disable name resolution.

Figure 2

  2. Communication Timing

This one is more on the theoretical side, and again very dependent on the sophistication and focus of the attacker. If you are examining a file that could be malicious, the odds are this file will want to ‘talk’ outbound to its control server or request further downloads onto the network. There are obvious best practices when it comes to examining and testing malicious binaries, such as offline operations only, but that’s not always possible.

If you need the code to run, or perhaps you have identified the URL holding the download file, be careful with your timing. As a small warning, the host you are reaching has a better chance of spotting the odd behavior. If they know that all of their victim machines will reach out to them at a specific time, anything outside of that could inform them that you are researching, and have potentially identified, their activities.

  3. Upload and Sharing of Data

For many, the first step to discovering if a file is malicious or not is to upload it to all the free scanning websites. While this process will provide some quick details for an initial analysis, it can also inform its creator that you have found and are researching their efforts. Some of the more popular destinations for these actions would be VirusTotal, Malwr, and the new IBM X-Force Exchange. These are some of my favorites, and also Lenny Zeltser happens to have a great list of options focused on automated malware analysis.

When it comes to using the numerous online scanning and analysis tools, avoid any aspect of sharing the upload during the initial investigation. Instead, simply search for the file names or hash when possible. An attacker can automate querying the various sites for their binary to see if anyone has found and uploaded it. Searching instead of uploading allows you to check for possible results while concealing that you are performing an analysis on it.

Sharing with the industry can be a great thing, but take caution in the timing and amount of information you decide to make public. VirusTotal does not currently provide the option to opt out of sharing data while Malwr along with X-Force Exchange do. Lastly, there is the option for setting up your own analysis environment with something like Cuckoo Sandbox, but that’s for another blog post!

Figure 3
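One way to do the "search, don't upload" step, as an added example that is not code from the original post. It assumes the VirusTotal v3 REST API (GET /api/v3/files/{sha256} with an x-apikey header) and a VT_API_KEY environment variable; the sample bytes are constructed.

```python
"""Look up a suspicious file on VirusTotal by hash instead of uploading it.

Added example, not from the original post. Assumes the VirusTotal v3 REST API
(GET /api/v3/files/{hash} with an 'x-apikey' header); the API key is read from the
VT_API_KEY environment variable. The sample bytes in __main__ are constructed.
"""
import hashlib
import json
import os
import urllib.error
import urllib.request

VT_FILE_LOOKUP = "https://www.virustotal.com/api/v3/files/{}"


def file_hashes(data: bytes) -> dict:
    """Return MD5, SHA-1 and SHA-256 of the bytes; these are what you search for."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def lookup_request(sha256: str, api_key: str) -> urllib.request.Request:
    """Build a GET-only request: nothing about the file leaves your network except its hash."""
    if len(sha256) != 64 or any(c not in "0123456789abcdef" for c in sha256):
        raise ValueError("expected a lowercase hex SHA-256")
    return urllib.request.Request(
        VT_FILE_LOOKUP.format(sha256),
        headers={"x-apikey": api_key, "Accept": "application/json"},
        method="GET",
    )


def summarize(report: dict) -> dict:
    """Reduce a VT file report to the verdict counts an analyst wants first."""
    attrs = report.get("data", {}).get("attributes", {})
    stats = attrs.get("last_analysis_stats", {})
    return {
        "seen": True,
        "malicious": stats.get("malicious", 0),
        "suspicious": stats.get("suspicious", 0),
        "undetected": stats.get("undetected", 0),
        "first_submission": attrs.get("first_submission_date"),
    }


def search_by_hash(sha256: str, api_key: str) -> dict:
    """Query VT for an existing report. A 404 means nobody has uploaded the sample yet,
    which is itself useful: uploading it now would be the first public sighting."""
    try:
        with urllib.request.urlopen(lookup_request(sha256, api_key), timeout=15) as resp:
            return summarize(json.load(resp))
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return {"seen": False}
        raise


if __name__ == "__main__":
    # Constructed stand-in for the suspicious file; hash a real one with open(path, "rb").read()
    sample = b"MZ\x90\x00constructed-sample-not-real-malware"
    hashes = file_hashes(sample)
    print("search for:", hashes["sha256"])
    key = os.environ.get("VT_API_KEY")
    if key:
        print(search_by_hash(hashes["sha256"], key))
```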


  4. Defense On The Sea Begins On The Shore

We’ve all heard it: do not share anything private or confidential on social media, yet many people still do. An interesting trend I’ve seen recently comes from LinkedIn in particular. It is common among professionals to connect with each other over LinkedIn shortly after meeting. Think about the timing from the viewpoint of individuals watching for this activity. They could find it rather helpful when the team at Company-A begins to connect with people from Company-B. For example, if you began connecting with multiple individuals from a particular security vendor, someone outside could then assume that vendor may be in use at your organization. LinkedIn is also one of the most widely used sources of information for the social engineering competition (SECTF) held each year at DEF CON. The solution may be obvious: avoid connecting in patterns like this, or just turn off the ability to publicize this information within the account settings.

Treat any social media information with the same paranoia. Tweeting your thoughts on how terrible your users are at clicking links in phishing emails, or posting pictures of your office for your friends on Facebook, are the first examples that come to mind as bad practice. The same awareness would also be helpful during TV broadcasts, such as the recent event at a London rail station.

In conclusion, it all really comes down to the basic policy of “need to know” for all investigations or activity taking place. Individuals or groups targeting you can use the above methods to potentially gain the upper hand over your efforts. None of this is a new idea in operational security, but in an ever-changing world we must continually assess our practices to ensure their integrity.



Security Awareness: Taking Advantage of Opportunity

Security awareness is an incredibly important aspect of any security program. As we’ve seen in countless high-profile breaches, users are consistently the path of least resistance into any organization, which is why training employees to identify ‘suspiciousness’ and react in a safe and effective manner is just as important as maintaining perimeter security and aggregating log data. Since LogRhythm is a security-focused company, we take a more aggressive approach than most when it comes to security awareness training, testing our defenses regularly and in realistic ways.

Open wireless networks are the perfect medium for malicious activity, and criminals have leveraged this attack vector in many high-profile intrusions for years. One of the more recent and public Wi-Fi attacks came to be known as “Dark Hotel”. In this scenario, the attackers preemptively compromised a hotel network which they knew their target would be visiting. They leveraged the wireless network to deploy their malware to hotel guests for around seven years. This is just one of the more notable breaches involving a public wireless network, though this case is a bit different from a true rogue AP attack. For this reason, training your employees on the security precautions they can take when using such networks is incredibly important.

Recently, LogRhythm hosted one of our many regular sales events. This is a time when a majority of the organization gathers in Colorado to meet and discuss the future of the company. We decided to use this event as a learning opportunity. Since employees from all around the world gather in one central location for the event, we launched a rogue access point attack with the goal of simulating an adversary targeting LogRhythm employees. This is a fairly straightforward attack: we hid multiple Wi-Fi Pineapples throughout the hotel and captured employee domain credentials using a custom captive portal (note: we only captured usernames, for obvious reasons). Luckily we have some very sharp folks working here, and many reported the Pineapples immediately; one guy even found one of the Pineapples. Had this been a real attack, it would have been shut down hard and fast due to the diligence of our employees.

Figure 1: Wi-Fi Pineapple Mark V

Exercises like this are not common within organizations that are not security focused; however, it is important for security awareness training programs to take multiple attack vectors into account when evaluating their overall security posture. By now, most people are well aware of generic phishing attacks; however, training exercises such as deploying rogue access points are not often conducted internally. This is why I’d like to walk through how to conduct such an exercise and train your employees to report things that just ‘don’t feel right’.

If you frequent the LogRhythm blog, you may have read through the Xfinity Pineapple post that I put together last year. Since then, I’ve received many questions around exactly how to build such an attack using the Wi-Fi Pineapple, primarily because I didn’t really dive into the code, and this can be a bit more complex than some of the other deployment options, such as PwnSTAR. To help out with this, Labs put together two blank captive portal templates that can be used with either vector to assist both penetration testers and organizations with orchestrating similar training exercises. This code can be downloaded at the link below:


I also gave a talk a few months ago at AppSec California on the topic that goes into much more detail than this post. The slides and presentation recording can be found here:


Essentially, deploying this attack comes down to a couple key aspects and both Mark Vankempen and Michael Logoyda deserve some major props for figuring out the JavaScript specifics of the Pineapple captive portal. In fact, Mark decided to swing by the hotel to do a little recon and testing before everyone arrived. The hotel staff asked what he was up to, and he told them the truth, that he was there to set up some wireless access points for the LogRhythm meetings. The hotel staff then very graciously provided him with power strips, extension cords, and even credentials to the hotel’s access points. This was all done with no verification of Mark’s identity and relationship to LogRhythm, which gives you an idea of how easily this could be done by just about anyone. Maybe even using the real access points…

Getting back to the Pineapple configuration, I like to deploy captive portals using a basic redirect within the NodogSplash configuration — this allows you to stand up various captive portals quickly and easily. All you need to do is point to the new web directory where the actual portal pages will be stored. This also gives you the ability to use PHP scripts, which is not possible on the initial splash page.

Figure 2: Splash Page

With the basic splash redirect in place, this opens up the possibility of very elaborate captive portals. This can contain whatever you’d like — anything from a false login form to malicious content delivered via browser exploit. The latter is easy as you can simply pass the client through, however capturing form data is not as straightforward as it sounds — at least not on the Pineapple. In fact there is a thread dedicated to deploying a specific captive portal attack on the Pineapple, which still does not have a definitive answer. Mainly because this attack would be dangerous in the hands of someone who doesn’t really understand the legalities of what they are doing and giving away the easy solution would be irresponsible in my opinion… So, I’d like to cover the attack in general to help folks better understand how to defend against it.

As you saw in the splash page above, we are passing the authtarget variable through. On the actual landing page, we need to add two small JavaScript snippets. The first is a script that should be placed in the header of the landing page. Without getting into too much detail, this essentially captures the authtarget link and allows it to be used as a variable.

Figure 3: Landing Page JavaScript – Part 1

The next bit of JavaScript needs to be placed within the form. This allows us to pass the authtarget variable through so it can be used by our form processor and actually allow the user through to the Internet.

Figure 4: Landing Page JavaScript - Part 2

The final piece of this is the PHP form processor. This page basically appends each login attempt to a flat file by capturing the entire contents of the POST data and subsequently allows the user through to the authtarget link once the form has been successfully submitted.


Figure 5: PHP Form Processor

Make sure to set permissions properly so your Pineapple doesn’t get owned and that’s it! Now, just give the access point an interesting SSID, launch the captive portal, then sit back and watch the credentials flow…

Figure 6: Customized Captive Portal

Quick Open Wi-Fi Security Tips

  • Always use a VPN/VPS/SSH Port Forwarding/etc. when connected to an open access point.
  • Turn all Wireless devices off when traveling or in crowded areas, many devices still connect to wireless networks even when ‘sleeping’.
  • Try false credentials first, if it lets you through it was a scam.
  • Use different credentials for basically everything.
  • Visit a common site, such as Google.com, and look for a valid SSL certificate; if you get a certificate error then your traffic is being sniffed.
  • Use NetCat to check the HTTP Headers of the landing page for the word ‘Pineapple’.
  • Beware duplicate networks or the system connecting to your ‘home network’ when you’re really nowhere near your home.
  • Use caution when your Wireless connection suddenly drops and re-establishes itself, especially if this happens to everyone around you.
  • If it just ‘doesn’t feel right’ then trust your instincts…
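The checks in the tips above (fetch a well-known site, look at the HTTP headers for the word ‘Pineapple’, confirm the site's certificate validates), as an added example that is not code from the original post or the Labs templates; PROBE_URL and the SAMPLES responses are constructed assumptions of mine.

```python
"""Check an open Wi-Fi landing page for the captive-portal and rogue-AP signs listed above.

Added example, not from the original post. assess() works on a captured HTTP response,
so the constructed SAMPLES run offline; probe() performs the live check against PROBE_URL
(an assumed default) and then verifies TLS to the same host.
"""
import http.client
import re
import socket
import ssl
from urllib.parse import urlparse

PROBE_URL = "http://www.google.com/"   # well-known site, as the tips suggest

# Constructed responses for the offline demonstration: (status, headers, body, expected host)
SAMPLES = {
    "clean": (200, {"Server": "gws"}, "<html>search</html>", "www.google.com"),
    "portal_redirect": (302, {"Server": "nginx", "Location": "http://192.0.2.1/portal.php"},
                        "", "www.google.com"),
    "pineapple_login": (200, {"Server": "Pineapple"},
                        '<form><input type="password" name="p"></form>', "www.google.com"),
}


def assess(status, headers, body, expected_host):
    """Return the warning signs found in one HTTP response to a request for expected_host."""
    findings = []
    header_blob = " ".join(f"{k}: {v}" for k, v in headers.items()).lower()
    if "pineapple" in header_blob:
        findings.append("response header mentions 'Pineapple'")
    if 300 <= status < 400:
        # A captive portal answers the first request with a redirect to its own address.
        location = next((v for k, v in headers.items() if k.lower() == "location"), "")
        target = urlparse(location).hostname or ""
        same_site = target == expected_host or target.endswith("." + expected_host)
        if target and not same_site:
            findings.append(f"redirected away from {expected_host} to {target}")
    if status == 200 and re.search(r"type\s*=\s*['\"]?password", body, re.IGNORECASE):
        # The requested page should never ask for a password in place of its real content.
        findings.append("unexpected password field on the requested page")
    return findings


def tls_ok(host, port=443):
    """True if host presents a certificate the system trusts for that name; a failure on a
    well-known site means something between you and it is terminating TLS."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def probe(url=PROBE_URL):
    """Live check: GET the probe URL over plain HTTP (so a portal can intercept it), then
    verify TLS to the same host. Returns the combined list of findings."""
    u = urlparse(url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=10)
    conn.request("GET", u.path or "/")
    resp = conn.getresponse()
    body = resp.read(65536).decode("utf-8", "replace")
    findings = assess(resp.status, dict(resp.getheaders()), body, u.hostname)
    conn.close()
    if not tls_ok(u.hostname):
        findings.append(f"TLS certificate check failed for {u.hostname}")
    return findings


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, "->", assess(*sample) or ["no warning signs"])
```

Run probe() from the suspect network; an empty list is a good sign, but any finding is reason to try the false-credentials test and report the access point rather than log in.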

Attackers thrive on opportunity.  Even something as simple as a target visiting an unfamiliar location can be a goldmine for an adversary — allowing them to manipulate the environment around their mark. Why don’t we as security practitioners do the same? It is important to think outside the box and leverage unique attack vectors to actively test employees. Not only are they your greatest asset, they can often be your weakest point. Training employees on how to recognize and respond to various attacks is crucial to the overall security posture of your organization.



City of London Police Commissioner Warns Cyber Crime is Now of Greater Threat than Drugs Trade

The City of London police commissioner Adrian Leppard recently spoke at an industry conference where he said that incidences of cyber crime are significantly underreported to police, with only 20 percent of cases being reported.   Leppard blamed unwillingness by organizations, particularly banks, to report breaches, a lack of police capability to respond, as well as the international nature of cyber crime.  Leppard insisted that the way cyber crime is dealt with needs to fundamentally change as the traditional police approach to crime of gathering all the details to understand what has happened before dealing with it does not work when it comes to online threats.

What Adrian Leppard has said rings very true for those of us working to tackle cyber crime at the front line.  While his comments mainly call for a change in the way the authorities deal with the investigation of threats, organizations themselves should also take heed of his warnings.  Cyber criminals don’t care about a couple of firewalls or other point security solutions – they can, and will, easily get past them.  Attempting to prevent a breach has therefore become relatively futile, and instead focus needs to be placed on identifying and dealing with threats as quickly as possible.

Every organization in every industry is at risk. Anyone reading the news recently will know this: from bugs in software to malicious insiders, as well as outsiders, the cyber landscape has become incredibly treacherous and requires a dedicated, long-term strategy to navigate safely. By reducing the amount of time it takes to detect and respond to breaches, businesses have a far greater chance of containing any damage. We need to make everyone aware that the time between detection and response is when they are at their most vulnerable, and without a strategy in place to deal with the problem effectively and efficiently, the consequences could be far reaching.

As such, businesses need to take an intelligent approach to security, ensuring that they are continuously monitoring their networks so that they can identify and deal with any threats as soon as they arise. With so much data now crossing networks, security teams can struggle to distinguish the good from the bad, and adopting a security intelligence model is the only way to see the wood for the trees. The authorities can only work with what they are given, and every organization needs to give them a helping hand by ensuring they have the right systems in place to limit the threat at the source.



Security Awareness Training: Secure Remote Access to Corporate Infrastructure

In this installment of Labs’ weekly series, Security Awareness Training, we’ll be discussing appropriate methods for users remotely accessing corporate or cloud infrastructure. Many of us work remotely at some point and need to access corporate file shares and other network resources. Within an organization, the employees are as much an effective (or defective) means of securing remote access into a network as the IT solutions that are applied.

In a recent Security Awareness Training installment, another LogRhythm Labs team member, Zack Rowland, discussed the need for sound authentication techniques, such as 2-factor authentication, which are very much applicable to securing remote access into the corporate network. However, the end users are just as important as the technology solutions being applied.

Here are some areas of best practice to consider:

Always utilize Virtual Private Networks (VPNs): All authorized users should connect to a centrally authenticated VPN.  The client software associated with that VPN may need to be installed on your local machine.  For connections where strict data confidentiality is required, as seen with intellectual property for example, remote access devices should leverage end-to-end encryption.

Confirm you are logging into a legitimate site or access point:  This includes both the coffee shop up the street (public Wi-Fi) as well as your own home network.  To reiterate from Greg Foss’ message around securing your home network, it’s important for end users to take ownership for ensuring they are connecting to a legitimate, secure access point. In some public access points where a VPN is not available, data associated with strict confidentiality should not be sent over that access point.

Ensure the login page is served up via HTTPS: When logging into a web page over HTTP, credentials are sent in clear text. This means that any man-in-the-middle or sniffing technique could obtain those credentials or session tokens and lead to a compromised account. As compromised account credentials are a leading factor in opening the back door into the network, it is vital for users to be aware of this.

Only use IT-approved software or applications when using business-related machines: The only time domain credentials should be used is when logging into the domain itself or through services known to be part of single sign-on. Lastly, when leveraging web-facing applications, ensure they are approved and associated with the business, such as SalesForce.com, SharePoint, Egnyte, etc.

Ensure critical updates and patches are current: Keeping your laptop or other device connecting remotely to the network up to date on updates and patches is necessary to mitigate risk relating to contracting malware or viruses on your device.  Any indication that critical updates or patches were not installed successfully on your device should be communicated with IT to address the issue before traveling or working remotely.

Notify IT of any travel outside of your normal locations before you leave:  For some of us, travel is a normal occurrence, especially in sales. Travel that may deviate from your normal locations or to countries known for a heightened presence of malicious cyber activity should be communicated to IT before departing.  Procedures may be recommended to limit the risk exposure and for IT to be aware of any authentications to the network from uncommon or risky locations.

Only use IT-approved software or applications for file sharing: When using business-related machines, it is important for employees to use file sharing solutions that are approved by IT. Using public file sharing solutions, such as Dropbox, brings business content, proprietary information, or information relating to compliance (PCI, HIPAA, SOX, etc.) outside of IT security controls. As mentioned before, reliance is placed on the end user to adhere to IT security policies and usage agreements.

Notify IT of any rogue or potentially malicious access points:  It is best to identify these before accessing them; however if you do connect to a rogue wireless access point, this should be communicated to IT so they can validate no infectious malware or executables were installed on your machine. If this occurs, the next step is to contain any compromised machine as soon as possible.  As mentioned above, AD credentials should only be used in approved, known IT services or applications.

Be vigilant about where you leave your computer or device: Many of us are aware of the risks associated with leaving a computer unattended in public places such as coffee shops or airports. When in these public environments, be sure to keep your computer with you at all times and to lock it when not in use. Other methods of privacy can be used, such as privacy screens, if working with confidential information. Something else to consider is how we store our computers when traveling to and from work. We may stop at a store and leave the device in our locked vehicle, unknowingly putting the business device at risk; many computers are stolen from cars that have been broken into. To mitigate this risk, ensure your computer is out of sight and locked in the trunk if you are unable to take it with you. If a business device is stolen or lost, you should communicate this to IT right away to limit the risk of the device being compromised. IT can even wipe the device, if such a solution has been deployed, removing the thief’s ability to access the network or the content on the computer.

In closing, IT can deploy many solutions, services and/or applications to promote secure remote sessions for users. However, many of these controls can be trumped by end users not being vigilant about their own security practices. Having the appropriate IT solutions deployed and an educated user base is imperative for establishing secure remote sessions into the company’s network.

Until next time,

Bob Swanson
