Hibernation …. Well Kinda

If you are reading this post then you are still subscribe to my RSS feed (thank you kind person) or you have stumbled across this site for the info from one of my old postings.

So I wanted to make a quick post to say this blog isn’t forgotten, but I am more focused on www.subliminalhacking,net and I don’t see the point of posting something just for statistics sake. So when I get some time (there  isnt much as a new parent) I will post something worthy of your time.

 

When Does DLP (Data Loss Prevention) Make Sense??

I read Dan Raywood’s SC article this week called “Criticisms made of lax attitudes to data loss prevention tools” and I totally agree with Michael Gabriel’s thoughts on companies, and in some respects the InfoSec communities attitude to DLP technology.

The reason for my interest in this article is because I am in the process of deploying a DLP solution across EMEA and so far I have been very impressed with how things are going, and the benefit it can bring to the organisation. Before doing this project I did think DLP technology would be valuable to organisation, and because I am a geek I love any excuse to mess about with new technology, however I did have concerns about how effective it can be.

I still hold true to some of my original thoughts, and I don’t think DLP is right for everything. I think it is very dependant on the industry you are operating in, and the maturity and security posture of your organisation.

In the article Andrew Waite mentioned that the basics are essential, and unless you have this right you shouldn’t look at DLP. I agree that security basics are essential, and for many reason companies still struggle with this (lets not even talk about patching), however I think DLP could actually help you build an improved case for securing budget for a security back to basics programme.

So when does DLP make sense, and what do you need to be aware of if your going to implement it?

DLP makes sense if you know what you want to protect. This might sound obvious or stupid, however many companies don’t really know what their critical business assets are. Some DLP system can help you identify where this data lives if you don’t know via network and endpoint discovery. Obviously its not a miracle system so you need to give it a clue. You can provide a sample of data and let it use its signatures to find similar, or you can use keywords and phrases etc.

So if you know what your data looks like, and even better if you know where it is, you can point your DLP solution at it, and it will form extracts of the data within the files, and monitor specific network files and folders and then perform verification lookups in real time when data passes through its systems. This is where your policies and rules are important, and as also noted in the SC Article don’t expect it to be effective if you create once and never look at them again, the business changes, so do our processes, policies and rules. We can then leverage (or build cases to invest) in other technologies to prevent the data from leaving the organisation in the first place. So monitor and alert on all network traffic, prevent your critical information being lost externally on removal media, corporate email, webmail, social networking sites, forums, blogs and instant messaging. In my mind the primary reason for DLP is to help your protect and prevent the loss of what matters most to your organisation, its intellectual property, its key business assets. However, DLP can also help you with your Data Protection Act obligations, as well as the wonderful PCI:DSS requirements, as you can define signatures / criteria for your DLP system to match against, some vendors even have these available as default policies.

So if by now your thinking it makes sense to you, and your company has a reasonable grasp on its assets, and hopefully data flows, and you have convinced someone to release the purse strings, your install DLP and your done…. right?

Of course things are not that simple (although it is a little simpler if your in the US as we know there is no privacy :) ). I am in the UK, but need to know about EU regulatory requirement, and as soon as your talking about monitoring and blocking you need to do alot of preparatory work. So hopefully you have some policies in place, and have worked with your legal and HR teams when you implemented email and web filtering technology, well now is a good time to renew those friendships.

So what should you be thinking before you go switching on your new shinny DLP technology. Below I have created a list, some of them may not be applicable to you and the country you are in, but it should at least provide a checkpoint and food for thought, before going away monitoring everyone, until to be shutdown by HR and Legal when you go to give someone the boot from gross miss-conduct when violating company policy.

DLP points for consideration:

  • Resilience in your solution
  • Capacity in your solution (Powerful Tin, Pipes with Capacity, Geographical coverage)
  • Acceptable Usage Policies (Covering the level of monitoring and prevention DLP will provide)
  • Communication (Even though your policies cover it, have you communicated this to staff, and updated policies. The goal is to stop loss by have it not happen)
  • Employee Consent (In some countries such as Germany for example, employee consent is required when you doing this monitoring)
  • Consent not given approach (When an employee does not give consent, how will you handle it? Prevent the use of business systems for personal use?)
  • Data Protection Commissioner Approval (It is always worth having a DLP business process defined so you can share this with the DPC if questioned, however in some countries prior consent from the DPC is required)
  • Workers Council Approval (In some countries workers councils have alot of grunt, it is essential to get their buy in and approval)
  • Labour Inspection (In Italy for example the labour council need to give consent for each office location monitoring occurs, other countries may have something similar)
  • Build and Test policies and rules (This is hopefully obvious. Build and test your DLP policies and rules, tweak as required, and use this as evidence to reassure the business on the uptake of your new solution)
  • Ensure the data your policies are using for matching is accurate and up to date
  • Ensure enough resource is available for daily review, monitoring and management
  • Have a process defined for expediting and reviewing policy violations

DLP is a good tool with the right information, processes and people behind it. Like anything understanding your business, your objectives and proposed outcomes is essential in its success.

 

Merry Christmas and Best Wishes in 2011

Merry Christmas and Best Wishes for 2011 to all my readers.

Its been a good and busy year, and I hope the blogs I have been able to do have been worth while. I already have a good review planned for you in 2011 around wireless password cracking, just need some new hardware and time, oh the time.

Hope your all on the nice list, and don’t drink to much, catch you on the flip side  :)

Keeping tabs on your Apple Gear… Orbicule Undercover

Since the beginning of the year I have jumped on the Apple bandwagon, and acquired a few of their lovely products. I like the look of them, I like how they work, but I am not the biggest fan of the cost :) However, it obviously hasn’t stopped me becoming a fan. So with cost in mind, one thing that is of course a worry is losing my MacBook Pro, iPhone or other bit of kit. I looked at the Mobile Me offering, but I didn’t fancy paying Apple for more services, when I only wanted one feature. This is when I stumbled across Orbicle’s Undercover, its tracking software for Mac OSX and iOS (iPhone, iPod Touch, iPad). I contacted the guys in Belgium and they were kind enough to let me have a copy to review, so here we go.

I started off with the iPhone. As per usual you need to pop into the App Store, locate Undercover (a quick search soon takes you there) purchase and install. The first thing you will notice at this stage is the cost $4.99 (£3.37) that’s a good way to get started. Once you have installed the App you have to enter an email address that you will register the phone to, and an appropriate name for the device, you will then get a notification to expect an email to setup your Undercover account, you need this for device tracking, and to log into the web console.

Now we check the email and as promised, we have some verification to take care of.

Once we are all signed up we can login to the Undercover Web portal and manage our devices.

Once we are logged in we can instantly see where the iPhone is reported (using Wi-Fi positioning ,GPRS, or  GSM Cell) to be (as the programming is running on the iPhone). We can get information on the iPhone (serial number, etc), we can then report it lost or stolen, and fill out police information, so we can create a nice bundled report to send to the police.

If we decide to do a test and decide our beloved iPhone is lost or stolen, we then have the ability to push an alert to the device.

We can configure our own message, and even force the phone to go to a specific website. Once we press send, just moments later we get the alert on the phone.

When the user goes and views this message, then a little game starts loading. In the background this is launching the Undercover App and sending the co-0rdinates. Personally I am not sure if there is value in this loading splash screen, perhaps it could do with being more stealthy and launch the app in the background. However I appreciate they want to ensure some time elapses whilst the information is sent.

So now as seen earlier when we log into the Undercover Dashboard we can see the co-ordinates, and it will continue to update its location whilst the application is running.

When the device has successfully sent it’s co-ordinates it sends you an email to confirm the device has been located.

Now we have finished playing with this we need to set our device as found.

So there we have the iPhone version, does a decent job of helping you find your lost or stolen device, although I would say the only negative is the requirement for device interaction (thief needs to read the notification), I am not sure if other offerings are fully automated. This solution also works on the iPod Touch and iPad.

So next we have the Mac OSX version, and I have to say I like this alot.

So as you would expect we need to install the application on our Mac, its just under 13Mb so not very big. Once the install has completed the machine will need to be rebooted to get Undercover up and running in the background. It will transfer its position again using the Skyhook Wireless Technology to give its position to around 10 meters.

So as we have seen before we need to log into our Undercover dashboard and add and manage our new device.

Now this time, when we mark our MBP as stolen, as default everything happens in a more stealthy fashion. As expected we get the map location we saw with our iPhone, but we also get details of IP address, we can then lookup the ISP being used, and other funky IP related antics.

We can also get screenshots of what is being looked at at the time the information was collected.

Then for the next trick, if the device is camera enabled, we can literally get a mug shot of the criminal using our device.

So now we can download all this information into a nice little bundle and send it off to our friendly law enforcement people, to recovery it for us :) Its ok, there is a Plan B.

When we enter plan B mode we can move away from the stealth approach and fade the screen away so its very difficult to use, or we can simply blank the screen and have a customised message displayed on screen, making the machine unusable until restored, or formatted.

When this message is displayed, the computer also gives a little cry out for help via the speakers. Something along the lines of “Help, Help, Help, I am a stolen Macintosh Computer, please return me to my owner”

So on the whole I think this is a great product, and even more so as the price is so reasonable. For more information please check out the Orbicule site, and see some more information below on pricing etc.

Undercover Mac

Single User License £30.92 – Covers 1 Mac
Household License £37.23 – Covers up to 5 Macs
Site License £157.13 – Covers up to 25 Macs
Student License £24.61 – Proof of full-time student status will be required
Upgrade to Household £10.10 – Upgrades from a single user to a household license
Volume Education License £6.30 – When ordering 100 copies or more

Undercover iPhone / iPad

Covers all your iPhones and iPads £3.36

We take a look at Elcomsoft iPhone Password Breaker… Its Good

Elcomsoft are a Russian based software company, who make excellent security and audit products. Perhaps the name doesn’t ring a bell, but I am sure if you look at their product offerings you will be more than familiar with their products.

I first heard about Elcomsoft around 2002 I think it was when I needed to do some password recovery for some Office documents, and a colleague had a copy and it did its magic and we had a happy user. Ever since then I have kept the site bookmarked and keep a check on it every now and again.

Fast forward to 2010 and I find myself looking at iPhones and their suitability for use in the corporate world, and then I hear again about Elcomsoft releasing an iPhone Password Breaker (EPPB). So here we are, reviewing this product, and seeing just how it works and if it does what it says on the tin.

At the time of writing the professional version is advertised at £199 and the home version at £79. To see the difference between the version, please see the end of the review, or click here to visit the Elcomsoft site.

Thanks to the guys at Elcomsoft for letting me have a copy to review, and for helping resolving any issues I came across on the way.

So first things first, the EPPB requires a Windows Platform, so I fired up an XP SP3 VM, and a physical W7 box to do some GPU based testing.

Once its installed we need to get hold of our encrypted iPhone backup. So the main file we are looking for is the Manifest.plist file, however if you will want to look at the keychain info you will want the complete contents of the appropriate folder.

When iTunes takes a backup of your iPhone it will include your settings files, from the preferences library, and databases, such as your calls, notes, bookmarks, password etc.

So if your on a Mac you need to look here > /Library/Application Support/MobileSync/Backup
On a PC you need to look here > Documents & Settings\\Application Data\Apple Computer\MobileSync\Backup or Users\\AppData\Roaming\Apple Computer\MobileSync\Backup

So once you have located your encrypted backup its time to fire up the password breaker and point it at the file in question. You will see the details of the device once you have selected it. We can see in this example the backup is that of an iPhone 4.

Now we have our file selected, lets make sure we are using the right hardware. So now we can enable / disable our CPU and GPU options.

So now the hardware is selected, we are almost ready to get cracking :) Now we just need to decide how we are going to go about it. We can use dictionary based attacks and supply files with the information (although it does come with some) or we can configure some brute force settings.

So now we are all configured, and lets face it, its all easy and straight forward. Now we kick off the cracking and watch the speed.

In the image below I am using a dual core Intel 3Ghz processor and a ATI Radeon 5880. As you can see its 15,108 passwords a second, not to shabby at all. My quickest crack was a 7 character dictionary password that was popped in 2.33 secs, GPU for the win. I also tried just a 64Bit Athlon 3Ghz on its own, and it only did 102 passwords a second, I also tried a 2.8Ghz Dual Core Intel in a VM and saw about 300 passwords a second, I then finally tried a cheaper GPU, a NVIDIA 8800 GTX and this provided the power to crunch 3,804 passwords a second.

So now we have the password for this backup. We can now open the file in iTunes and complete a restore if we had forgotten the password. Or we can launch the keychain explorer and have a look at the information stored within the backup from the iPhone, as well as exporting the contents to an XML file.

Obviously I have sanitised the screen shot as it contains information I dont want to share, but you are going to see details of services used, usernames and passwords, access point information and access passwords, phone numbers and more.

So you may be thinking this is all good, but why is this tool of interest to me. Well first of all, as I have mentioned before many organisations are looking at, and are deploying iPhones. Out of the box they are not an enterprise ready tool and require 3rd party enterprise tools. So you get a call from you user, the iPhone needs restoring, they dont want to lose their information so they want to restore from the backup. Fine, however they have forgotten their password. So now you have an option to recover with this tool.

Next is the addition of gathering this information as part of a penetration test, or even a social engineering engagement. Obviously you need to get the files off the users machine, not the iPhone itself. I don’t need to tell you guys the ways this is possible. If your feeling really lazy, you may want to check file sharing networks, people share all sorts.

If you are a file sharing network user, please check you are not sharing your entire hard disk, and if you are…. STOP IT.

To conclude I think this is a tool worth having if your organisation is offering the use of iPhones, and it also has a place in your pentesting toolkit. For more information check out Elcomsofts website, and read below for some more information on the tool itself.

Elcomsoft iPhone Password Breaker enables forensic access to password-protected backups for iPhone, iPhone 3G, iPhone 3GS, iPhone 4, iPad, and iPod Touch 1st, 2nd, and 3rd Gen devices. Featuring the company’s patent-pending GPU acceleration technology, Elcomsoft iPhone Password Breaker is the first GPU-accelerated iPhone/iPod password recovery tool on the market. The new tool recovers the original plain-text password that protects encrypted backups containing address books, call logs, SMS archives, calendars, camera snapshots, voice mail and email account settings, applications, Web browsing history and cache. The program is also able to read and decrypt keychains (saved passwords to mail accounts, web sites and 3rd party applications) from password-protected backups (if password is known or recovered).

  • Gain access to information stored in password-protected iPhone and iPod Touch backups
  • Recover the original plain-text password
  • Read and decrypt keychain data (email account passwords, Wi-Fi passwords, and passwords you enter into websites and some other applications)
  • Save time with cost-efficient GPU acceleration when one or several ATI or NVIDIA video cards are installed
  • Hardware acceleration on Tableau TACC1441 hardware
  • Perform advanced dictionary attacks with highly customizable permutations
  • Perform offline attacks without Apple iTunes installed
  • Recover passwords to backups for original and ‘jailbroken’ iPhone, iPhone 3G, iPhone 3GS, iPhone 4, iPad, and iPod Touch 1st, 2nd, and 3rd Gen devices
  • Compatible with all versions of iTunes (incl. 10.0) and iOS (3 and 4, incl. 4.1)

Elcomsoft iPhone Password Breaker supports Windows XP, Windows Server 2003, Windows Server 2008, Windows Vista or Windows 7 with x32 and x64 architectures. Password-protected backups to iPhone, iPhone 3G, iPhone 3GS, iPhone 4, iPad, and iPod Touch 1st, 2nd, and 3rd Gen devices are supported.