Category Archives: Security

Password Theory, Explained

I saw an article a couple of days ago by a journalist asking, basically, “when you attack a target, how do you do it?”  I wrote the journalist a reply explaining my basic modus operandi.

There isn’t anything particularly special about how I go about attacking a target, except one thing: where I get my password lists.  That is, when I’m using a brute-force attack on a target service, where I draw my usernames and passwords becomes highly relevant to the success or failure of my efforts.

It should be noted at this point that I do not make it a habit to attack systems that I do not have legitimate access to (e.g. through either permission or ownership).  That said, password cracking can be a time-consuming effort.

So, how do I attack passwords?  I use a utility called “hydra.” Long story short, hydra is only as good as the passwords you feed into it.  For example, if you’re attacking a server in a foreign country, it’s not very useful to use a password list based on American slang. But the lists I use I have gleaned from published password breaches and other dumps.  Over the past several years, I have amassed a large collection of passwords that I use for brute-forcing systems.

You might wonder then, “How do I prevent my password from being cracked?”  The short answer is to avoid passwords that appear in those lists and, further, to use permutations of passwords that employ so-called “haystack theory.”  “Haystack Theory” says that the LENGTH of the password is the only thing that matters.

Accordingly, you want to make sure your passwords are long, but memorable.  So how does this play out practically?  Ask yourself, “Which of the following passwords is more secure?”  s3crEtp@ss or password………

If you said “password………,” you are right.  The first example has a possible password space of 96^10 possible passwords.  The second has a possible space of 96^20 possible passwords.  So, we’re talking about an exponential difference.

Now, unfortunately, a lot of password policies don’t permit passwords like this, but that shouldn’t stop you from being able to employ “haystack theory” in your passwords.
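The two factors the post names, whether a password is already in a breach list and how large its search space is, can be checked mechanically. The following is an added example, not code from the original post: it sizes the search space for the post’s two candidates using the post’s 96-character alphabet and checks them against a small constructed “leaked” list. The guess rate of one billion guesses per second is an assumption chosen only to turn the space into a time.

```python
# Added example, not code from the original post: size the brute-force search
# space of a password and check it against a breached-password list, which the
# post names as the two things that decide whether a guess list will hit it.

# Constructed stand-in for a breach dump; a real list would be far larger.
LEAKED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "s3cret"}

# Alphabet size used in the post's figures (96 printable characters; assumed).
ALPHABET_SIZE = 96
SECONDS_PER_YEAR = 365 * 24 * 3600


def search_space(length, alphabet=ALPHABET_SIZE):
    """Number of candidates an exhaustive search must try for this length."""
    return alphabet ** length


def exhaust_time_years(length, guesses_per_second, alphabet=ALPHABET_SIZE):
    """Worst-case years to exhaust the space at an assumed guess rate."""
    return search_space(length, alphabet) / guesses_per_second / SECONDS_PER_YEAR


def assess(password, leaked=LEAKED_PASSWORDS, guesses_per_second=1e9):
    """Summarise how a password fares against a list attack and a brute-force one.

    A password present in the leaked list falls in the dictionary phase, so its
    length buys nothing; otherwise the cost is set by the search space.
    """
    if password in leaked:
        return {"leaked": True, "length": len(password),
                "effective_space": 0, "years": 0.0}
    return {
        "leaked": False,
        "length": len(password),
        "effective_space": search_space(len(password)),
        "years": exhaust_time_years(len(password), guesses_per_second),
    }


if __name__ == "__main__":
    # The two candidates from the post, the second padded out to 20 characters.
    for candidate in ("s3crEtp@ss", "password............"):
        r = assess(candidate)
        print(f"{candidate!r}: leaked={r['leaked']} length={r['length']} "
              f"space=96^{r['length']} years_to_exhaust={r['years']:.3g}")
```

The 20-character padded password has a search space 96^10 times larger than the 10-character one, which is the “exponential difference” the post refers to; the `leaked` flag is the reminder that none of that matters if the password is already in a dump.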

If you want to read more about “haystack theory,” you can at

Corey Steele, Network and Security Engineer

How Hackers Attack – Part 1

Most hackers have a favorite target. Some prefer web servers of a particular flavor, others prefer Remote Desktop or SSH, etc.  Knowing this ultimately helps an administrator to know and understand the threats that face their network.  So, how does this look in the real world?  Let us take a look at a practical example.

Let’s say my target of choice is the WordPress platform.   Now, because I have access to the WordPress source code, I spend all day poring over the code looking for vulnerabilities.  (In fairness, it is not only open source code that I can do this on, but it’s easier on open source software because there’s typically less reverse engineering involved.)  Suppose now that I have found a vulnerability and want to develop an exploit for this vulnerability.  I turn to ExploitPack to write and test the exploit.

ExploitPack is a cross-platform tool that allows me to quickly write and test the exploit.  ExploitPack allows me to write my exploit(s) in Python, a language that is lightweight, powerful, and very easy to learn.  ExploitPack is essentially an integrated development environment (IDE) for developing exploits, and it’s free to anyone who can find it online.

So, now that I’ve found my vulnerability and have written an exploit for it, I now need to find a list of targets that would be affected by my vulnerability.  This can be a manual process, or a clever hacker can automate it.  Manually, I could search Google with a query of “link:wp-content/themes” and find all of the WordPress sites in the Google index, but now I have to compile that list by hand, and I’m quickly bored by that.  What are my options?  ‘zmap’ is a tool that allows me to quickly scan very large segments of the Internet for services running on specific ports.  I can find all the webservers on the “regular Internet” (I’ll write about the “dark net” later) in a couple of days.  Then I just need to crawl those sites using a tool like BurpSuite looking for “wp-content/themes.”  So, in a week’s time, I can find the vast majority of the sites on the Internet that run WordPress.

How does a hacker tie it all together?  They take the list of targets they found using zmap and burp, export it into ExploitPack, select their hand-crafted exploit, and select a payload (which can be any of a thousand things, but in a case like this, your attacker is probably going to use a PHP shell as their payload to allow them to do whatever they want on the box) and hit “go.”

A little patience, and now I’ve got a remote shell on potentially tens of thousands of hosts from which I can do a number of things, including deface websites, steal content, steal credentials, host malware – the list goes on.  And it only took me a couple of weeks.  If the site contained anything really juicy, I might be able to sell it, or otherwise monetize it (e.g. blackmail).

That is how hackers attack your network.  All said and told, the only tool I would need to pay for to achieve all of this would be a commercial copy of BurpSuite, which costs $300… which I could recover very quickly by ransoming the websites I’d just “pwned” (“owned,” or taken over).  In the next segment of this series, I’ll write about how we prevent these attacks in a robust fashion.

Corey Steele, Network and Security Engineer

Don’t Make Me Beg

As a security professional, published author, and frequent speaker about information security, I’ve observed that there is a relatively consistent role that denial plays in all data breaches.  It begins long before there is ever any data stolen and persists well through the discovery and resolution of the breach.  In my heart of hearts, I do not believe this denial is a conscious decision, rooted in a lazy attitude about security, but rather that denial is the path of least resistance.

How do we change the tenor of the discussion around information security such that it is easier to choose action over inaction?  Or funding over non-funding?  Or staffing over non-staffing?

Many who have attempted to answer these questions have buried the reader in statistics and anecdotal stories about how inaction, non-funding or non-staffing has ultimately led to an organization’s public humiliation.  Let me take a different tack: begging.

Please, please, please!  Please take seriously the trust your company and customers have put in you to protect sensitive data.

Please employ column-based database encryption to protect my Social Security Number, credit card number and other private data.

Please implement east-west packet filtering to protect data centers from insider threats.

Please employ SIEM systems to help identify anomalous events on your data systems and infrastructure, so an attack can be properly identified.

Please prepare the procedures and plans necessary to efficiently and effectively respond to a data breach.

Please invest in vulnerability scanning and patch management systems to help keep your systems up to date, to prevent the exploitation of sensitive systems, or the lateral movement from non-sensitive systems to sensitive systems.

I make these pleas first as a consumer whose card data has been stolen on numerous occasions, and second as a security consultant charged with helping prevent and/or recover from the breaches that such a denial creates.

Never think you’re too small a target.  Never think you have nothing a hacker would want.  Never think that it’s impossible you could be targeted, or that you have been breached.

Denial is the mother of demise; take your charge seriously and don’t be in denial.

Corey Steele, Network and Security Engineer

Candy Crush Malware Isn’t So Sweet

It was Easter this year when my aunt warned me, “Don’t start playing Candy Crush. It will ruin your life.”  She spoke like she herself had hit bottom, but she clearly hadn’t.  I heeded her words of warning, and today I’m glad, because today I’m seeing reports that malicious versions of Candy Crush, Plants vs. Zombies, and Super Hero Adventure (among others) have made it into the Google Play Store. [1]

If, by chance, you fancy a game of Plants vs. Zombies or Candy Crush, and you recently installed it (or updated it), you would be well advised to uninstall it.  But how do you avoid malware on your mobile devices to begin with?

There’s good news and bad news about malware on mobile devices.  First, the bad news: statistically, you’re exponentially more likely to get malware on an Android phone than you are on an iOS device.  The good news: our friends at ESET have a very robust antivirus suite for Android devices. [2]

“But wait, there’s more!”

Not only is the ESET for Android product capable of identifying malicious apps on your mobile, it also boasts a host of features including antispam, anti-theft, personal data protection, and call/text screening filters.

“And all of this for the low, low price of $14.95!” [2]

Personally, I’ve been running ESET for Android for more than a year, and in that time it has saved me from installing either malicious software or software that would push ads to my device.  Hopefully, your success will be similar.  If you have ESET in your corporate environment, talk to your HPN Account Representative about options for licensing ESET for your company’s mobile devices and enjoy the same great protection on all your corporate end points.

Corey Steele, Network and Security Engineer

Remote Access Policy

Given the proliferation of mobile devices and the “Anytime, Anywhere” mindset regarding company information, every company should at least be having a discussion about remote access.  The purpose of defining a policy is to:

  1. Define standards for connecting to the network from any host
  2. Minimize the potential exposure from damages which may result from unauthorized use of resources
  3. Set employee expectations for how and what they can connect
  4. Discover what is available for remote access

One of the first steps that needs to be done when determining a remote access policy is defining what needs to be made available remotely and through what method.  Review firewall rules, NAT policies and Client VPN or SSL-VPN settings to determine what is currently available.  Determine why those networks or applications are available, what their authentication levels are and how sensitive the information contained is.

When investigating what is available, keep in mind things like security cameras or applications that don’t necessarily contain company information, but may provide enough information to identify the company.  There is a website that is devoted entirely to security cameras that are publicly available with the default passwords still set.  One would hate to have the view from their cameras available for everyone to see.

When looking at our own infrastructure, our conversation about authentication levels revolved around two-factor authentication.  If the application didn’t support two-factor authentication, regardless of the sensitivity of the information, did we want access available directly from the Internet or did we want access to go through a device that supports two-factor authentication?  Security comes at the expense of convenience, so keep in mind employee productivity when determining access methods.

Sensitivity of information can be defined many different ways.  Usually one thinks only of the leaking of confidential data, intellectual property or damage to critical internal systems.  Public image isn’t always thought of.  With the use of social media and how quickly information can spread, public image needs to be given a higher priority.
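The review described above, from “what is currently available” through the two-factor decision, can be turned into a repeatable check. The following is an added example, not the post’s own code or any vendor’s tool: it reads a firewall NAT rule export, keeps only the active publications, and for each one decides whether it may stay directly reachable, must be moved behind the two-factor gateway, or has no recorded purpose and needs investigating. The export format, the service catalog, the `sslvpn` gateway name and all addresses are constructed for the example; a real firewall’s export will differ.

```python
# Added example, not the original post's code: build the "what is published"
# inventory the post asks for from a firewall's NAT rule export and decide,
# per service, whether it may stay directly reachable or must go behind the
# two-factor gateway. The export format and the service catalog are constructed.
import csv
import io

# Constructed NAT/port-forward export; real firewalls each have their own format.
NAT_EXPORT = """\
name,public_port,internal_host,internal_port,enabled
rdp-finance,3389,10.0.5.20,3389,yes
owa,443,10.0.2.10,443,yes
sslvpn,4443,10.0.1.1,4443,yes
camera-lobby,8080,10.0.9.5,80,yes
legacy-app,8443,10.0.3.4,8443,yes
old-ftp,21,10.0.7.3,21,no
"""

# Constructed catalog: what each publication is and what it supports.
# "legacy-app" is deliberately absent to show an unexplained publication.
SERVICE_CATALOG = {
    "rdp-finance":  {"supports_2fa": False, "sensitivity": "confidential"},
    "owa":          {"supports_2fa": True,  "sensitivity": "confidential"},
    "sslvpn":       {"supports_2fa": True,  "sensitivity": "gateway"},
    "camera-lobby": {"supports_2fa": False, "sensitivity": "public-image"},
}

GATEWAY = "sslvpn"  # the one publication that enforces a second factor (hypothetical)


def parse_nat_rules(text):
    """Return only the rules that are actually active."""
    return [r for r in csv.DictReader(io.StringIO(text)) if r["enabled"] == "yes"]


def review(rules, catalog, gateway=GATEWAY):
    """Map each published rule name to (verdict, reason)."""
    verdicts = {}
    for r in rules:
        name = r["name"]
        svc = catalog.get(name)
        if svc is None:
            verdicts[name] = ("investigate",
                              "published but nobody recorded why; candidate for removal")
        elif name == gateway or svc["supports_2fa"]:
            verdicts[name] = ("ok", "second factor enforced at the service")
        else:
            verdicts[name] = ("move-behind-gateway",
                              f"{svc['sensitivity']} exposure, no 2FA; reach it through {gateway} only")
    return verdicts


if __name__ == "__main__":
    for name, (verdict, reason) in review(parse_nat_rules(NAT_EXPORT), SERVICE_CATALOG).items():
        print(f"{name:14} {verdict:20} {reason}")
```

The verdict for a service without two-factor support is the same regardless of its sensitivity, which mirrors the decision the post describes; the sensitivity only feeds the explanation. Disabled rules are dropped before review so that the inventory reflects what is reachable today, not what was once configured.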

After looking at what services to publish, define how employees can connect and the requirements for connecting.

  • Are only company assets going to be allowed to connect?
  • Are employee owned assets (BYOD) going to be allowed to connect?
  • Are all device types going to have the same access?
  • Are requirements like Antivirus software going to be enforced on employee owned assets?
  • Are site-to-site VPN tunnels going to be allowed from home offices?

Each company has different requirements in regards to remote access, so there is not a one-size-fits-all policy that can be applied to everyone.  With careful planning, discussions with all affected stakeholders and an understanding of requirements, a remote access policy can be crafted that can help keep the company secure while allowing employees to complete their job responsibilities.

Security Beyond the Firewall

Most companies take it as a given that firewalls, antivirus, and backups are minimum security controls for the standard business.  While it remains true that having a layer-7 aware firewall, solid endpoint protection and recoverable backups are controls every organization should have in place, there’s more to security than firewalls, endpoint protection and backups.

Central to any comprehensive security strategy is visibility of what is going on within the network.  This comes in two forms: network monitoring systems and log aggregation and alerting systems.  Network monitoring systems come in the form of SNMP monitoring systems and Flow monitoring software.  Log aggregation and alerting systems are most typically referred to as security information and event management systems (a.k.a. SIEM).

Systems that provide SNMP and Flow monitoring of the network give visibility into the packets traversing the network on a port-by-port and application basis.  Such information can be useful in identifying rogue PCs on the network – such as those infected by a virus – or systems that are producing excessive volumes of traffic from one application type or another.  At the end of the day, this visibility gives insight into what constitutes a “normal” day on your network.

SIEMs are another class of software altogether, designed to collect logs from various systems, to analyze those logs for anomalous events and to alert on those events.  These alerts typically come in the form of emails or texts. The analysis behind those alerts is sophisticated enough to identify anomalies across all systems – not just the network, but across domain controllers, workstations, network appliances, switches, routers, antivirus solutions, data loss prevention systems, and any other variety of system you send logs to the SIEM from.  Such systems can be quite powerful and insightful.
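The two kinds of visibility described in the preceding two paragraphs reduce to the same pattern: establish what “normal” looks like, then alert on departures from it. The following is an added example, not the post’s code or any monitoring product’s logic. The first part builds a per-host baseline from flow records and flags hosts whose traffic volume or application mix departs from it; the second is a SIEM-style rule that counts failed logons for one account across several domain controllers, the kind of cross-system correlation a firewall alone cannot do. All flow records, hosts and log lines are constructed samples; the Windows event ID 4625 is the real “logon failed” event, everything else in the log lines is made up.

```python
# Added example, not the original post's code: two checks a monitoring stack
# runs over the data described above. The first builds a per-host baseline from
# flow records and flags hosts whose volume or application mix departs from it;
# the second is a SIEM-style rule that counts failed logons for one account
# across several domain controllers. All records are constructed samples.
import re
from collections import defaultdict
from statistics import mean

# Constructed flow records: (day, source host, application, bytes sent).
FLOWS = [
    ("mon", "10.0.1.10", "http", 120_000), ("tue", "10.0.1.10", "http", 110_000),
    ("wed", "10.0.1.10", "http", 125_000), ("thu", "10.0.1.10", "http", 115_000),
    ("fri", "10.0.1.10", "http", 118_000), ("fri", "10.0.1.10", "smtp", 9_000_000),
    ("mon", "10.0.1.11", "http", 200_000), ("tue", "10.0.1.11", "http", 210_000),
    ("wed", "10.0.1.11", "http", 190_000), ("thu", "10.0.1.11", "http", 205_000),
    ("fri", "10.0.1.11", "http", 198_000),
]

BASELINE_DAYS = ("mon", "tue", "wed", "thu")
TODAY = "fri"


def per_host_per_day(flows):
    """host -> day -> total bytes, and host -> day -> set of applications seen."""
    volume = defaultdict(lambda: defaultdict(int))
    apps = defaultdict(lambda: defaultdict(set))
    for day, host, app, nbytes in flows:
        volume[host][day] += nbytes
        apps[host][day].add(app)
    return volume, apps


def traffic_outliers(flows, factor=5.0):
    """Hosts whose TODAY volume exceeds factor x the mean of their baseline days."""
    volume, _ = per_host_per_day(flows)
    flagged = []
    for host, by_day in volume.items():
        base = [by_day[d] for d in BASELINE_DAYS if d in by_day]
        if base and TODAY in by_day and by_day[TODAY] > factor * mean(base):
            flagged.append(host)
    return flagged


def new_applications(flows):
    """host -> applications used TODAY that never appeared during the baseline."""
    _, apps = per_host_per_day(flows)
    result = {}
    for host, by_day in apps.items():
        seen = set().union(*(by_day[d] for d in BASELINE_DAYS if d in by_day))
        novel = by_day.get(TODAY, set()) - seen
        if novel:
            result[host] = novel
    return result


# Constructed log lines as a SIEM might receive them from two domain controllers
# (4625 is the Windows "logon failed" event; the hosts and users are made up).
LOGS = [
    "dc01 EventID=4625 user=jdoe src=10.0.1.10",
    "dc02 EventID=4625 user=jdoe src=10.0.1.10",
    "dc01 EventID=4625 user=jdoe src=10.0.1.10",
    "dc01 EventID=4624 user=asmith src=10.0.1.11",
    "dc02 EventID=4625 user=asmith src=10.0.1.11",
    "dc02 EventID=4625 user=jdoe src=10.0.1.10",
]
LOG_RE = re.compile(r"^(?P<dc>\S+) EventID=(?P<event>\d+) user=(?P<user>\S+) src=(?P<src>\S+)$")


def failed_logon_alerts(logs, threshold=3):
    """user -> failed-logon count, for users at or above threshold across all DCs."""
    counts = defaultdict(int)
    for line in logs:
        m = LOG_RE.match(line)
        if m and m.group("event") == "4625":
            counts[m.group("user")] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("volume outliers:", traffic_outliers(FLOWS))
    print("new applications:", new_applications(FLOWS))
    print("failed-logon alerts:", failed_logon_alerts(LOGS))
```

In the sample data the workstation 10.0.1.10 is flagged twice, once for volume and once for a protocol it never used during the baseline, which is the “infected PC producing excessive traffic” case the post describes, while the failed-logon rule only fires once the attempts from both domain controllers are counted together.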

So, while state-of-the-art firewalls, antivirus, and backups provide protection against the myriad of threats that the average network may face, they are not sufficient to protect your network from the totality of threats that your network faces on a day-to-day basis.  To protect against the full range of attacks, you need security that extends beyond the firewall.

A Sales Guy’s Review of the ND Cyber Security Conference

North Dakota State University hosted the North Dakota Cyber Security Conference on Tuesday, March 17, 2015. Adam Martin, Business Development Manager at High Point Networks, was surprised by what he observed during his first time at this event.

I have gone to a variety of business conferences over the years. For the most part they are all the same – keynote, vendors and food. Recently, I went to the North Dakota Cyber Security Conference held at NDSU. What I had in mind for my expectations of the conference and what I observed were completely different.

When I think of security professionals, I think of Gilfoyle from the HBO show “Silicon Valley.” (If you are a security guy and reading this, you are probably offended. It’s ok, I’m in sales, you are supposed to be mad at me.) Gilfoyle is insanely smart and has a dark sense of humor. I thought when I walked into the conference, I was going to feel out of place and uncomfortable, and like everyone there would know I was not an engineer. For the most part, I was right – being that I’m not an engineer.

As I observed the conference taking place I noticed something I haven’t seen much of in other conferences. These people seemed like family. Everyone knew each other and seemed to be fond of one another. I’ve never heard so much laughter at a technology conference. As I sat at the tables during the breaks, people dove right into conversations they seemed to have been having for years about security. Better yet, they wanted to include everyone at the table. These were not sales people or vendors. These were security engineers that work at our local industries, schools and hospitals. Have I said how amazed I was?

The security classes that I attended were good – very thought out and presented well. But they didn’t catch my attention as much as what I saw after the presentations. As soon as one of the engineers was done presenting, they all gathered in the hallway. For a moment I thought I would see what I have observed at other conferences – debating technology and why the presenter was wrong. But I didn’t. What I saw was discussions, not debate. Even though these security people did not work together outside of this conference, they were working together in the overall picture. They know how important it is to be secure. If one of them has a problem, they all have a problem, and the discussion won’t stop until they have a solution. These people do not see company logos on each other’s shirts, they see people responsible for the safety of others. In a sense, they have created a bond like an army. Even though you are not of the same unit, you are of the same cloth.

They do not laugh when they hear of a company getting hacked, because in their view, “If one of us get hacked, we all get hacked.” So, they work together to make sure no one does. Their hearts and passion truly speak the motto of the Cyber Security Conference: “Cyber Security is Our Shared Responsibility.”

Palo Alto Networks Researcher Identifies 3 Critical Internet Explorer Vulnerabilities

Palo Alto Networks researcher Bo Qu discovered three new critical Internet Explorer (IE) vulnerabilities affecting IE versions 9, 10 and 11. All three are included in Microsoft’s February 2015 Security Bulletin MS15-009 and documented in Microsoft Security Bulletin MS15-FEB.

As part of our continuing commitment to the security research community, these vulnerabilities were disclosed to Microsoft through our participation in the Microsoft Active Protections Program (MAPP), which ensures the timely, responsible disclosure of new vulnerabilities and creation of protections from security vendors.

Palo Alto Networks is a regular contributor to IE vulnerability research. Previous critical IE vulnerability discoveries included three in November 2014, one in October 2014, 15 in September 2014,  three in August 2014, 10 in July 2014, and 22 in June 2014 (revised from 21).

By proactively identifying these vulnerabilities, developing protections for our customers, and sharing them with Microsoft for patching, we are removing one weapon used by attackers to compromise enterprise and government networks.

By Ryan Olson, Palo Alto Networks