The little green box

When walking around in office buildings that are protected by expensive electronic locks, requiring you to swipe your access badge to get in (or out), you have probably also noticed a little green box on the side with the text “emergency door release” written on it. These “security bypass boxes” will let you through the door without a valid access pass.

If the physical security setup and the security team have not been forced into compromises by HSE requirements (e.g. emergency escape routes), or have been asleep during the planning, these little green boxes will only allow you to get out of a security zone and not in. HOWEVER, as always, compromises and mistakes are made, and you will find that these little green “security bypass” boxes will grant you access into places where a valid access pass should be the only way to get in.

Ah yes, it's very nice that you have this super duper expensive physical access control system with electronic locks and encryption keys that have not yet been hacked, but why do you have these green boxes on each side of the door?

Alarms

These little green boxes can (and should) be connected to an alarm system, triggering an alert when the button is pushed. And if the alerts are monitored, a guard might be dispatched to check out what is going on. But when you think about it, the chance that multiple guards will come storming down the hallway as soon as you have triggered the green “security bypass box” is rather small. There is usually no room in the security budget for that to happen.

Remember to lock the door

So what this little green box does is actually cut the power to the magnetic lock (the same as what happens when the fire alarm is triggered). This means that the door will remain unlocked after you have passed through it, something that might raise suspicion and increase the risk that someone (hopefully) will report it. This can easily be mitigated by using a small plastic reset tool (example in the picture to the left). By inserting this tool on the underside of the green box you will reset it to its original state and the door will be locked after you pass through. And it is likely that the guards monitoring alerts will conclude that it was just another false alarm. Not sure where to get such a tool? Well, get a 3D printer and start creating all the little reset gadgets you need.

OBS – Remember to get a permission slip

Note that if you wish to test this, you must make sure that you have obtained permission from the relevant stakeholders (the landlord, the company that uses the office, the guard company, etc.). If you don’t have that, this will be considered breaking and entering.

And.. DON’T TOUCH the red one, that can land you in all sorts of trouble (unless there is a real fire).


Even security pros are suckers for free stuff (guess we are humans after all)

It is interesting to see that even at security conferences you will find everything that we warn our users about. Things that we as security professionals tell our friends and co-workers that no no, you must not touch.

  • Free USB thumb drives. At the last conference I attended I got a free floppy disk, but I doubt that represents any major risk, unless it contains Brain.exe
  • Free and open WiFi. A security conference is probably the last place you want to connect to an open WiFi.
  • Free gadgets made in China that you can plug into your laptop or connect to your phone
  • The opportunity to sell your contact information to get a sticker on a piece of paper (well, why not, you might win a prize, and if you are really lucky the prize is a malware-infected thumb drive, or more likely the chance to get a flooded mailbox)

And no, I’m not pretending to be any better than the rest of the conference participants… I’m also a sucker for the free stuff we all get. Let's plug in this Chinese Bluetooth hands-free without a user manual in English, nothing bad can come of that, right? Maybe it's best to stick to the occasional t-shirt or baseball cap.

Canary Tokens – Free IDS for small businesses.

IDS, or intrusion detection systems, can be very costly and resource demanding. Because of this, many medium and small companies never implement these types of solutions, and as a consequence breaches, whether caused by external threat actors or by internal employees snooping around in systems, will most likely never be discovered. And in the world of GDPR this might spell disaster for a company processing personally identifiable information, which according to GDPR is more or less everything.

Canary tokens to the rescue.. (maybe)

Enter a free and easy to use tool called “Canary tokens” created by Thinkst. Canary tokens will let you create free honeypots (or honey tokens) that will alert you by email when triggered. Now, since this is a free and very basic tool, it will not provide you with much information on who actually triggered the token. It will give you the timestamp of when the token was accessed and the source IP, but at least you know that someone is snooping around in your system, and you can take the appropriate actions to counter the breach.

The Canary Tokens website will let you generate multiple types of tokens, which should cover most of your needs:

  • A URL an adversary might visit
  • A domain or hostname an adversary might resolve
  • A Word or PDF document an adversary might open
  • A Bitcoin wallet from which an adversary might withdraw funds

So far I have just been playing around with the Word and PDF tokens and they have worked very well.

Of course, as with any other security tool or mitigation, advanced attackers can take steps that will void your canary tokens and prevent alerts from being triggered. But to be honest, if advanced hackers (e.g. state sponsored) have a foothold within your corporate network you will be very lucky if you notice anything at all.

From the Canary Tokens blog –  Why should I care

“Network breaches happen. From mega-corps, to governments. From unsuspecting grandmas to well known security pros. This is (kinda) excusable. What isn’t excusable, is only finding out about it, months or years later.

Canary tokens are a free, quick, painless way to help defenders discover they’ve been breached (by having attackers announce themselves.)”

Simple field test

I decided to do a simple field test and posted a canary token PDF file named password.pdf on my test web server. It was not linked from any web pages, but fairly easy to find through directory indexing and traversal, so I did not put much effort into hiding it. After approximately 1 hour I got an alert informing me that someone had tried to open my super duper secret file on my web server.

IMPORTANT – It will not prevent a breach.

It is important to note that canary tokens will not protect you from being hacked, but they will provide you with a simple tripwire that, when triggered, will alert you that someone is accessing your data.
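To show what such a tripwire actually records, here is an added example (not Thinkst's code, and not from the original post) of a minimal self-hosted honeytoken: a tiny WSGI app that serves a bait file like the password.pdf from the field test above and logs the same things a canary alert gives you, the timestamp and the source IP. The bait path, the `X-Forwarded-For` handling and the in-memory alert list are assumptions for this example.

```python
"""Minimal self-hosted honeytoken tripwire (constructed example)."""
import secrets
from datetime import datetime, timezone
from wsgiref.simple_server import make_server

# Bait path -> label. Each minted token carries a random suffix so a hit
# tells you which copy was found (assumption: one token per location).
TOKENS = {}
# In-memory alert log; a real deployment would email or forward these.
ALERTS = []


def mint_token(label, extension="pdf"):
    """Create a unique bait URL path such as /password-1a2b3c4d.pdf."""
    path = f"/{label}-{secrets.token_hex(4)}.{extension}"
    TOKENS[path] = label
    return path


def record_hit(path, environ):
    """Build the alert record a canary-style service would send you."""
    # Honour a proxy header if present, otherwise use the socket peer.
    forwarded = environ.get("HTTP_X_FORWARDED_FOR", "")
    source = forwarded.split(",")[0].strip() or environ.get("REMOTE_ADDR", "?")
    alert = {
        "token": TOKENS[path],
        "path": path,
        "time": datetime.now(timezone.utc).isoformat(),
        "source_ip": source,
        "user_agent": environ.get("HTTP_USER_AGENT", ""),
    }
    ALERTS.append(alert)
    return alert


def app(environ, start_response):
    """WSGI handler: bait paths trigger an alert, everything else is 404."""
    path = environ.get("PATH_INFO", "/")
    if path in TOKENS:
        record_hit(path, environ)
        # Serve a harmless decoy body so the visitor sees nothing unusual.
        start_response("200 OK", [("Content-Type", "application/pdf")])
        return [b"%PDF-1.4\n% decoy document\n"]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found\n"]


if __name__ == "__main__":
    print("bait file served at", mint_token("password"))
    make_server("0.0.0.0", 8080, app).serve_forever()
```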

Your blog is futile


Futile? Yes, it probably is. It will not bring me millions in revenue, it will not get me invited to speak at huge global events, not even a little TED talk, nor will it save the world from the ever increasing threat of cyber crime. It will not even make me famous at my workplace or within my own family. And most likely the only steady reader will be myself and some bots doing content indexing.

So why do I then write and try to maintain this blog? Well, to me it's about two, uhm no, three things, and they are all a bit selfish to be honest.

  1. Improve my writing skills.
  2. Motivation to learn more stuff
  3. Build an online presence that I own and control.

The third one is probably the most important. You might make the argument that building your own brand has never been so easy with the potential given to you by Facebook, YouTube, Instagram, Snapchat and LinkedIn (++). But to be honest, to me it seems that sticking only to those types of communication platforms carries a risk of suddenly disappearing after a programmer tweaks an algorithm or the legal department at LinkedIn decides to change their terms of use.

Don’t get me wrong, the mainstream social media channels are very good, and when used correctly they are extremely powerful. But for people like me that don't necessarily qualify as communication experts it is not always easy to identify what message goes to what channel.. and sometimes I don’t want to bother all of my 37 Twitter followers, my Facebook friends nor my LinkedIn colleagues with my scribblings that don't always make any sense at all.

Also, after googling my own name, I realised that the only pages with content generated by myself are some really bad homepages from the late 1990’s. So it's time to push that sorry excuse for a homepage further down in the page rankings.

And… yes.. I wish to be able to post a photo of the “nipple tweaking sisters” if I want to, without Zuckerberg and friends getting all puritanistic (is that even a word?) and removing my post because it contains a body part that for some reason is very scary for Americans.


So futile, in the sense of saving and changing the world, but futile for me? Hopefully not.

Please remember 200 different passwords…

ONE of the most useless pieces of “good practice” advice that always seems to be included is “don’t re-use passwords on different websites”. Seriously, can you expect someone to remember 200 different passwords?

This might have been good advice back in the 90’s when you maybe had a Geocities account, but now the average internet user has almost 200 online accounts. (A survey showed that the average UK consumer had 118 online accounts in 2015.) So that makes me wonder, do the people giving this type of advice have 200 different passwords?… nah, probably not.

So what are the alternatives? Multifactor authentication? Password vaults? Both of them are of course good alternatives that will provide you with additional security; however, my experience is that both MFA and password managers tend to raise the bar a bit too high for Average Joe, and eyes tend to glaze over when I start talking about MFA and password managers and they end up concluding that this is too cumbersome. This might of course be due to my lack of communication skills 🙂, however people tend to be lazy and shy away from anything that might make their day more difficult. (Guilty as charged.)

So I will not present a solution to this issue in this post, but maybe the “don’t reuse passwords” advice needs to be rephrased in a way that makes it more likely to be adopted. E.g. “Don’t reuse passwords for important online accounts, such as social media, email and internet banking.” If you are lucky you might be down to 10 passwords that you need to remember. And remember to WRITE THEM DOWN, on a piece of paper in a closed envelope (the good old-fashioned analog method, not in an Excel sheet stored on your computer or OneDrive).

What about the rest of the 190 online accounts? A good option for the websites you visit most frequently is to have a set of 5-6 passwords that you can juggle between the different websites. For the rest of the websites, that you maybe visit 2-3 times a year? Use a random string of characters and use the “I have forgotten my password” function next time you visit.

….Or here is a wild idea… use multifactor authentication and password managers.

“Secret Questions” – Why you should lie until your pants catch fire

At some point all of us have probably forgotten a password, but luckily the site or service that you need the password for has these magic password reset questions (also known as secret questions). These are questions that are meant to have simple answers that only you can remember, so you can be positively identified as you and not an evil hacker trying to get access to your account. Password reset questions are often something like this:

◦ What is your mother's maiden name?
◦ What is the name of your first grade teacher?
◦ What is the name of your favorite football team?
◦ What is the name of your first pet?
◦ What was the name of the street where you grew up?
◦ ….etc etc

As you can see, they are questions that everybody should be able to remember the answer to. The thing is that these types of questions are a bit too simple and too easy. After social media entered our lives, many of us have short bios available online for everyone to see, telling the world that you grew up in a cosy street called Evergreen Terrace, that your first pet was a puppy called Kerberos, and that you will never forget the loving Mrs Oswald you had as a teacher in first grade. In addition you might also have a public profile on ancestry.com describing your lineage on both your mother's and father's side.

As you can see, many of the answers to these questions are available online with a little research, and for people that know what they are looking for it can be very easy to stitch together a list of plausible answers to the questions that are used as “safeguards” to identify you.

You can also find these types of questions in some of our own systems. A good example is the self-help function in the disk encryption tool used to protect the data stored on our company laptops. Even if there is a restricted number of attempts you can make before you need to call the service desk, some of the questions can easily be answered by someone else if they do some research into your profile on different social media sites.

So how can you avoid that someone who has put some effort into researching your profile can actually use that information to reset your passwords and gain access to your accounts? Well, I know your mother probably told you never to do this, but you could lie. Lie until your pants catch fire, because the important thing here is that the lie must be so good that you can remember it, so you can answer the questions correctly. If possible you should consider not relying on password reset questions, but maybe try a password manager instead.

In addition you should also be careful about how detailed your online bios are, since that information can also be used for identity theft in addition to getting access to your online accounts. The information in such bios can also help hackers guess your passwords (one of the methods used in the Apple celebrity hacking scandal last year).

Learning to fly

So.. I have turned 40 (tbh I’m staring 43 straight in the face) and I guess it's time to have a midlife crisis. Even though I have spent many years within the field of cyber security, I never seem to have had the time to dabble in the field of penetration testing (I have always left that to the “geeky young people….”). So now, in my midlife crisis, armed with Kali Linux, a Pineapple and a Rubber Ducky, I have decided to teach myself some pen testing to expand my horizon. I guess my current level would be Newbie script kiddie 🙂
