Wednesday, 14 May 2014

Choosing a cloud security product & vendor

Enforcing end-to-end security in the cloud requires knowing how to choose the right security product and vendor, and following sound practices for SLA management.
According to Bryce Boland, Chief Technology Officer of Asia-Pacific at FireEye, companies should follow these tips when making a purchasing decision:
• Review the vendor's service history, obtain customer references and ask them about their experiences with the vendor's concern for privacy, reliability and security vulnerabilities.
• Be certain that application and infrastructure security requirements are written into your contract with any SaaS provider. Include an audit clause whereby you or a third-party can periodically verify that the required controls are in place.
• Carefully examine the vendor's policies for data recovery in the event you decide to terminate the service. Be certain that you know how long it will take to retrieve your data as well as how long it will take to make it inaccessible online.
• Always maintain ownership of domain names that you provide to clients. That way, if you terminate a vendor relationship, you will not have to retrain your clients on the correct URL to use to find you.
Boland adds that after settling on a vendor or product, users should consider the following best practices to ensure cloud security:
• Get a solid Service-Level Agreement. An SLA requires that the vendor provide a specified level of system reliability. A good vendor will strive for performance that meets Six Sigma levels of service quality (e.g., 99.9997 percent of security patches made within a set number of hours, not days, after public disclosure).
• Insist that the vendor's own software development process adheres to a robust software development life cycle model that includes tollgates that check for secure coding standards. Request that a description of the process be appended to the SLA.
• Do not accept a policy of making silent fixes to service. Demand notice from the vendor when security fixes are made. Specify in the SLA that you as the CISO are to be notified directly about these reports.
• Maintain strong encryption standards and key management for data transmission between your site and the vendor site.
The FireEye CTO will be speaking more about the topic at the upcoming CommunicAsia2014 Summit in June.

Network Admin Allegedly Hacked Navy—While on an Aircraft Carrier

Image: U.S. Navy photo by Paul Farley
A former systems administrator on a Navy nuclear aircraft carrier has been charged with conspiring to hack into government systems during a digital joy ride that spanned several months in 2012.
Nicholas Paul Knight, 27, who referred to himself as a “nuclear black hat,” was discharged from the Navy after he allegedly attempted to hack into a Naval database while at sea serving as a systems administrator in the nuclear reactor department aboard the U.S.S. Harry S. Truman.
On Monday, he and Daniel Trenton Krueger, a community college student in Illinois, were charged with one count each of conspiracy to hack in the U.S. District Court for the Northern District of Oklahoma.
They were allegedly part of a hacker gang that went by the names Team Digi7al and Team Hav0k. According to court documents, the gang also included at least three minors who have not been identified or charged in the case. Authorities say they were motivated by a combination of anti-government sentiment, boredom, and thrill-seeking.
The gang is accused of using SQL-injection hacks and other methods to gain access to various systems including ones belonging to the U.S. National Geospatial Intelligence Agency, which provides maps and other intelligence to the military, and a system belonging to the Department of Homeland Security’s Transportation Worker Identification system. The latter contains biometric and other sensitive data on workers who are issued special credentials to access secure areas of maritime facilities and vessels.
The group also allegedly hacked or attempted to hack into systems belonging to Los Alamos National Lab, a number of universities and police departments, as well as the personal web site of Rashod Holmes, a musician who sold merchandise from his site.
But despite more than two dozen hacks, the group had only sporadic success. During an attempted breach of a Los Alamos Lab computer in April 2012, a systems administrator detected the intrusion and halted it before they could steal much data, according to a court document.
The hack of a computer at the National Geospatial Intelligence Agency got them the schematics for more than ten databases, but they failed to download the sensitive agency data they sought from the computer, authorities say.
A May 2012 breach of an AT&T Uverse computer, however, got them mobile phone numbers of about 7,500 customers, as well as some email addresses of customers, physical addresses and cleartext passwords, the government says.
Three months later, according to authorities, they hacked into the website of Rashod Holmes and stole data on 1,000 customers, including the private bank account information of about 70 customers. They also breached the email account of the Ambassador of Peru in Bolivia and made off with the entire email contents of his account.
The group boasted about their exploits through a Twitter account — @TeamDigi7al — and even published the personal information they stole to storage sites where others could access the data, authorities say.
Knight, known online as “Inertia” and “Logic,” began hacking at age 16, according to the government, and was allegedly the self-professed leader of the gang who handled much of the publicity. Krueger, who was studying to be a network administrator and was known online as “Thor” and “Gambit,” allegedly performed most of the technical hacking.
The investigation, conducted by the Naval Criminal Investigative Service, began in June 2012, when a breach of the Navy’s Smart Web Move website and database occurred. The system, also known as Navy-SWM, is used by the Navy to manage the transfer and relocation of personnel and their family members in all branches of the military — Navy, Army, Air Force, Marines and Coast Guard. The database contained more than a decade’s worth of stored sensitive personal data on about 220,000 service members and their families, including Social Security numbers and birth dates. It also stored the answers to security questions that members used to reset their passwords for the system — such as their mother’s maiden name or the names of their children.
The amount of account data the hackers obtained from the database is unknown, but once the breach was done, Knight allegedly boasted that the domain had been owned and that “MY OWN BOAT” had been hacked. After news of the hack broke, Knight and Krueger allegedly discussed it in private messages on Facebook, with Knight telling Krueger at the end of one conversation that “if anything happens…send me a message saying goodbye so we know one of us is caught.”
Two months later, members of the team discussed laying low and allegedly began to destroy evidence to avoid arrest. In early February 2013, however, NCIS investigators caught up with them when they appeared at Knight’s Virginia residence with a search warrant.

Agencies urged to file computer incidents

The Australian Signals Directorate (ASD) has urged Departments and Agencies to report computer-based security incidents to assist it in managing risk across the APS as well as developing policies, procedures and techniques for avoiding similar incidents in future.
Formerly known as the Defence Signals Directorate, ASD defines a cyber security incident as a single unwanted or unexpected cyber security event, or a series of such events, that has a significant probability of compromising business operations and threatening information security.
ASD uses cyber security incident reports as the basis for identifying and responding to cyber security incidents across government.
ASD said reporting cyber security incidents helped the Directorate to develop a threat environment picture for Government systems and assist other Agencies who might also be at risk.
Cyber security incident reports were also used for developing new policies, procedures, techniques and training measures to help prevent future incidents.
According to ASD, incident reports are used only for investigative purposes, and the identity of the reporting agency is not disclosed.
ASD keeps watch on cyber security
ASD said examples of incidents reported to CSOC (its Cyber Security Operations Centre) included: repeated lockouts of domain administrator accounts due to too many failed authentication attempts; and unusual authentication events on VPN/remote access systems, such as a user being logged in from a local workstation and the VPN simultaneously, or a number of log-in attempts from geographically disparate or overseas locations within a short time frame.
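As an added example (not from the ASD or PS News text), the indicators quoted above written as three small detectors over an authentication log in Node.js: repeated lockouts of privileged accounts, a local and a VPN logon for the same user close together in time, and VPN logons whose implied travel speed is impossible. The log format, the account names, the IP-to-location table and every threshold are assumptions made for this example, not anything ASD publishes.

```javascript
// Added example, not ASD's: detectors for the CSOC indicators quoted above,
// run over a constructed authentication log. Log format, account names,
// IP-to-location table and thresholds are assumptions for the example.

// Constructed sample log: "<ISO timestamp> <EVENT> key=value ...".
const SAMPLE_LOG = `
2014-05-14T08:01:12Z LOCKOUT user=admin.jsmith src=WS-201
2014-05-14T08:01:40Z LOCKOUT user=admin.jsmith src=WS-201
2014-05-14T08:02:05Z LOCKOUT user=admin.jsmith src=WS-201
2014-05-14T08:04:30Z LOCKOUT user=admin.jsmith src=WS-201
2014-05-14T08:10:00Z LOCKOUT user=jdoe src=WS-114
2014-05-14T08:30:00Z LOGON user=klee type=local src=WS-114
2014-05-14T08:33:00Z LOGON user=klee type=vpn src=203.0.113.7
2014-05-14T09:00:00Z LOGON user=mng type=vpn src=198.51.100.22
2014-05-14T09:20:00Z LOGON user=mng type=vpn src=192.0.2.9
2014-05-14T10:00:00Z LOGON user=pwong type=vpn src=203.0.113.7
2014-05-14T13:00:00Z LOGON user=pwong type=vpn src=198.51.100.22
`;

const DOMAIN_ADMINS = new Set(['admin.jsmith', 'admin.root']);   // constructed

// Constructed geolocation of RFC 5737 documentation addresses: [lat, lon].
const GEO = {
  '203.0.113.7':   [-35.28, 149.13],   // Canberra
  '198.51.100.22': [-33.87, 151.21],   // Sydney
  '192.0.2.9':     [51.51, -0.13],     // London
};
const MIN = 60 * 1000;

// Parse each line into { ts (epoch ms), event, ...key=value fields }.
function parseLog(text) {
  return text.split('\n').filter(l => l.trim()).map(line => {
    const [ts, event, ...kv] = line.trim().split(/\s+/);
    const rec = { ts: Date.parse(ts), event };
    for (const pair of kv) {
      const i = pair.indexOf('=');
      rec[pair.slice(0, i)] = pair.slice(i + 1);
    }
    return rec;
  });
}

function groupBy(items, keyFn) {
  const m = new Map();
  for (const it of items) {
    const k = keyFn(it);
    if (!m.has(k)) m.set(k, []);
    m.get(k).push(it);
  }
  return m;
}

// Indicator 1: a domain-admin account locked out >= threshold times within
// windowMs (sliding window). Returns { user: maxCountInOneWindow }.
function repeatedLockouts(events, admins = DOMAIN_ADMINS, threshold = 3, windowMs = 10 * MIN) {
  const hits = {};
  const byUser = groupBy(events.filter(e => e.event === 'LOCKOUT' && admins.has(e.user)), e => e.user);
  for (const [user, items] of byUser) {
    const times = items.map(e => e.ts).sort((a, b) => a - b);
    for (const start of times) {
      const n = times.filter(t => t >= start && t - start <= windowMs).length;
      if (n >= threshold) hits[user] = Math.max(hits[user] || 0, n);
    }
  }
  return hits;
}

// Indicator 2a: the same user logged on locally and over the VPN within windowMs.
function concurrentLocalAndVpn(events, windowMs = 15 * MIN) {
  const flagged = [];
  for (const [user, items] of groupBy(events.filter(e => e.event === 'LOGON'), e => e.user)) {
    const local = items.filter(e => e.type === 'local');
    const vpn = items.filter(e => e.type === 'vpn');
    if (local.some(l => vpn.some(v => Math.abs(v.ts - l.ts) <= windowMs))) flagged.push(user);
  }
  return flagged.sort();
}

// Great-circle distance in km between two [lat, lon] points (haversine).
function haversineKm([lat1, lon1], [lat2, lon2]) {
  const r = d => d * Math.PI / 180;
  const h = Math.sin(r(lat2 - lat1) / 2) ** 2 +
            Math.cos(r(lat1)) * Math.cos(r(lat2)) * Math.sin(r(lon2 - lon1) / 2) ** 2;
  return 2 * 6371 * Math.asin(Math.sqrt(h));
}

// Indicator 2b: consecutive VPN logons whose implied travel speed exceeds
// maxKmh ("impossible travel"). Returns { user: distanceKm }.
function impossibleTravel(events, geo = GEO, maxKmh = 900) {
  const flagged = {};
  const vpn = events.filter(e => e.event === 'LOGON' && e.type === 'vpn' && geo[e.src]);
  for (const [user, items] of groupBy(vpn, e => e.user)) {
    items.sort((a, b) => a.ts - b.ts);
    for (let i = 1; i < items.length; i++) {
      const km = haversineKm(geo[items[i - 1].src], geo[items[i].src]);
      const hours = (items[i].ts - items[i - 1].ts) / (60 * MIN);
      if (km > 0 && (hours === 0 || km / hours > maxKmh)) flagged[user] = Math.round(km);
    }
  }
  return flagged;
}

// Run all three detectors over a log; this is what a CSOC report would carry.
function run(text = SAMPLE_LOG) {
  const events = parseLog(text);
  return {
    lockouts: repeatedLockouts(events),
    concurrent: concurrentLocalAndVpn(events),
    travel: impossibleTravel(events),
  };
}
```

On the sample, `run()` flags admin.jsmith (four lockouts inside ten minutes), klee (console and VPN logons three minutes apart) and mng (Sydney to London in twenty minutes), and leaves jdoe (not a privileged account) and pwong (Canberra to Sydney over three hours) alone. Real deployments would key the geolocation from a GeoIP database rather than a table, and would tune the windows and the speed threshold to the agency's own remote-access population.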
ASD said the types of cyber security incidents Agencies should report to CSOC included: suspicious or seemingly targeted emails with attachments or links; any compromise or corruption of information; unauthorised access or intrusion into an ICT system; data spills; and theft or loss of electronic devices that have processed or stored Australian Government information.
Other incidents that should be reported included: intentional or accidental introduction of malware to a network; Denial of Service attacks; suspicious or unauthorised network activity on control or monitoring systems; and tampering with ICT equipment while travelling.
The Cyber Security Incidents and the Information Security Documentation chapters of the Information Security Manual contain information on planning for, detecting, reporting and managing cyber security incidents.
The Manual can be found at this PS News link.

Google Docs “ClickJacking” (Information Disclosure)

(This issue was resolved 3-22-2014 before I finished writing the report, so it must have been reported before me)
POC Video:
tl;dr: Google Docs leaks a visitor's full name and e-mail address by clickjacking the “request permissions” dialog of a private document.

  1. The victim visits the evil site.
  2. The evil server uses the Google Docs API to create a unique document for the visitor.
    1. The document is named with the victim's unique session id.
    2. The document is set to private.
  3. The URL of the new document is returned to the server.
  4. An iframe is created that loads the document's Google “request access” page (what Google shows a visitor who has no permission on a private document).
    1. The page is cropped so that only the “request access” button is visible.
    2. CSS is used to make the iframe 100% transparent and always on top of the page.
    3. JavaScript is used to make the cropped “request access” button follow the mouse around the page. The result is a classic clickjack, or UI redress.
    4. [Screenshot in the original post: the resulting clickjacked page]
  5. When the user clicks anywhere on the evil page, they are actually clicking the “request access” button of the Google doc.
  6. Once the user has clicked, the page starts polling the server with AJAX for an update.
  7. Google sends an e-mail on behalf of the user, including the user's full name and e-mail address, to the creator of the document to request access.
  8. The evil server runs an IMAP client that watches the document creator's mailbox for these access requests.
  9. The IMAP client receives the request for the document that is named after the session key. The evil server can now tie the user's session (from the title of the requested document) to the “From:” name and address in the request, and the polling request from step 6 is answered with the identity of the current user.


Node.js was used for the server, which allowed a simple web server (Express) and an IMAP client to run in the same container. This allowed me to inject the identity directly into the user session once the e-mail was received.
Check out the POC code at