Mobile Forensics

With the explosion of mobile devices there is little doubt that the number of security incidents were a mobile device is involved will also increase exponentially.

My next couple of posts will look at what is takes to perform forensics on mobile devices targeting specifically the iPhone, the Blackberry and the Android platforms.

Some interesting statistics on the iPhone in particular and the number of them that AT&T activated in the last couple of years. As can be seen below the number of iPhones activated in the 3rd quarter 2009 was 3.2 millions devices in the US alone.

This doesn’t equate to iPhone’s sold because activations would also count dad’s giving their iPhone to their daughter and buying a new one for themselves, which would mean 2 activations but just one iPhone bought.

According to AT&T they added 2 million subscribers to that quarter. Nevertheless the evidence is there on an upward trend.

The graph below shows the how activations for the 1st quarter of 2010 rose by 50% over the previous quarter.

Reblog this post [with Zemanta]

Accurate Risk Assessments

As professionals in security we are constantly researching new technologies to keep our skills sharp. The Internet Storm Center was formed to assist with keeping our peers aware of the fast paced changes in vulnerabilities, patches, hacks, worms, Trojans and threats in general.

How we communicate these risks to our key decision makers sometimes can be a challenge. A recent example would be the Conficker April 1st situation. It was important for us to convey the sense of urgency we felt to have MS08-067 patched, as well as cross checking all our systems for updates being rejected, anti-virus definitions up-to-date and so on. My question to you is “did you communicate the risk effectively”? Were you able to give a complete and accurate risk assessment to your management?

Remember that risk assessment is the process of identifying a threat, understanding how that threat relates (vulnerability) to your organization, assessing the cost and providing that information to management. The formula is simple, let’s break it down.

Risk = Threat x Vulnerability x Cost

  1. State the threat in language that is easily understood. It is your job to decrypt the threat for your management team.
  2. Portray clearly and accurately what the threat could do and how it would possibly perform in your environment.
  3. Identify the number of assets which may be affected by the threat. What is percentage of vulnerable devices in relation to the total devices? (Servers, workstations, operating systems, Internet exposure)
  4. Identify the corrective measures which are available to be taken.
  5. Calculate the SLE (Single Loss Expectancy). What is the dollar value of the cost that equals the total cost of the risk?
  6. State how the remediation would lower the exposure to the organization and give a cost for those actions.
  7. Recalculate the SLE with projected remediation included.
  8. Provide status of the protection mechanisms already in place (anti-virus definitions, IPS signature detections, patching statistics).
  9. Then allow management to make an educated decision based on risk to the enterprise, not just the security event itself.

By utilizing this concrete methodology, we can lessen the influence of media hype and provide a professional cost based opinion to those best equipped to make enterprise decisions.

Source:  http://www.dshield.org/diary.html?storyid=6223 by Mari Nichols

Reblog this post [with Zemanta]

Conficker Gets Ready To Strike

Without a doubt the whole security professional community have their eyes on the Conficker.C variant which is designed to do something on April 1st.

So what is that something? We’ll find out within 24 hours.

What we do know is that this variant of Conficker has become better at preventing removal and others from taking control of the network of worm infected computers.

The Conficker worm will begin to poll 500 different domain names every day looking for updates to download doubling its current rate.

Interestingly enough one of my most popular posts is on the removal of the Conficker worm from a network environment here and over the last couple of days visitors have exploded exponentially.

In my two other posts in which I talk about the Microsoft flaw and the Social Engineering components of the worm, I take a rather passive approach to the problem which is based on having contingency plans to prevent, contain and remove the worm from infected computers.

A more pro-active approach would be to look for infected machines without waiting for the symptons to appear by actively scanning the network for computers which have been infected.

Locating computers which have been infected with Conficker using a network scan has kept me up multiple nights, until the guys at Honeynet.org came up with the tool here. Thanks to DShield.org for linking to it in their article on locating Conficker.

[ad]

https://blog.sekiur.com/2009/02/step-by-step-in-dealing-with-conficker/
https://blog.sekiur.com/2008/10/worm-takes-advantage-of-microsoft-flaw/
https://blog.sekiur.com/2009/01/worm-uses-social-engineering/

Reblog this post [with Zemanta]

Safeguard Against Random Password Hacks

Partial map of the Internet based on the Janua...
Image via Wikipedia

A great tool I ran across to protect your server from random password attacks which I have been receiving recently from China.

Fail2ban scans log files and bans IP addresses that make repeated, unsuccessful attempts to access the server and then it updates the IPtables rules to reject those IP addresses for a period of time which is defined by you. It can also be configured to notify you if once these events occur.

Its no high-end Intrusion Prevention System, but it does the job.

Fail2ban comes preconfigured to detect and block attacks to ports 22 (ssh), 25 (SMTP) and 80 (http). Instructions on installing on CentOS are detailed below as well as adding functionality for ProFTPD.

I love package management as opposed to compiling because its clean and easy to maintain, so we will need to subscribe to repositories to install Fail2ban.

* Update the system

yum update

* Install DAG’s GPG key

rpm –import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt

* Verify the package you have downloaded

rpm -K rpmforge-release-0.3.6-1.el5.rf.*.rpm

Security warning: The rpmforge-release package imports GPG keys into your RPM database. As long as you have verified the package and trust Dag then it should be safe.

* Download and Install the package

wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
rpm -ivh rpmforge-release-0.3.6-1.el5.rf.*.rpm

This will add a yum repository config file and import the appropriate GPG keys. At this point, you can set the priority of the RPMForge repository, and also of the CentOS repositories if you have not done so yet.

* Test with this command:

yum check-update

* Update the system

yum update

* Install Fail2ban

yum install fail2ban

* Configure Fail2ban by editing and adding to /etc/fail2ban.conf

maxfailures = 3 (the default is 5)

ignoreip = 127.0.0.1 <the_server_IP> <network_you_want_excluded/24>

* Enable E-Mail Notification

[MAIL]
# Option:  enabled
# Notes.:  enable mail notification when banning an IP address.
# Values:  [true | false]  Default:  false
#
enabled = true

to = <your_email_address>

* Add ProFTPD functionality

[proftpd]
enabled = true
logfile = /var/log/secure
fwstart = iptables -N fail2ban-proftpd
iptables -I INPUT -p tcp –dport ftp -j fail2ban-proftpd
iptables -A fail2ban-proftpd -j RETURN
fwend = iptables -D INPUT -p tcp –dport ftp -j fail2ban-proftpd
iptables -F fail2ban-proftpd
iptables -X fail2ban-proftpd
fwcheck = iptables -L INPUT | grep -q fail2ban-proftpd
fwban = iptables -I fail2ban-proftpd 1 -s <ip> -j DROP
fwunban = iptables -D fail2ban-proftpd -s <ip> -j DROP
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
timepattern = %%b %%d %%H:%%M:%%S
failregex = Maximum login attempts|no such user found|Failed password

* Set it to startup automatically with the system

chkconfig –levels 235 fail2ban on

* Start Fail2ban and walk away

/etc/init.d/fail2ban start

[ad]

Reblog this post [with Zemanta]