Tuesday, March 11, 2014

Phishing Technique and Its Success

Phishing is a social engineering technique that manipulates people into performing the actions the attacker wants. The attacker prepares an e-mail that appears to come from a known individual or organization and leads the victim to click a link that takes the user to a malicious website, to download a malicious file, or to a fraudulent website that looks legitimate so that the victim enters a username and password or further personal information.
Phishing is a very successful technique because people do not look at websites carefully, or do not have the time to be careful and investigate the website or e-mail. One reason may be that they have not been a victim before, or perhaps do not even know that they were. People readily trust brands, logos and persuasive text. There is a lack of information assurance knowledge.

How Phishing Works

Phishing Examples
As I explained above, phishing is a very successful attack technique. The following cases support this assertion.
In 2011, RSA, one of the biggest security firms, was hacked. The attack targeted RSA's SecurID two-factor authentication product. The attackers sent phishing e-mails with the subject “2011 Recruitment Plan”; after an employee opened the attached Excel file, a zero-day Adobe Flash exploit was used.
As a more recent story, just a few days ago Forbes Magazine was hacked by the Syrian Electronic Army with a phishing mail. You can read the whole story minute by minute directly from Forbes.
Another story is from Turkey. Attackers sent an e-mail with an attachment posing as the electronic bill of a telco company. When the victim opens the attached file, the malicious code encrypts all usable files on the PC and pops up a warning that the victim has to pay to have the files decrypted. This malicious software is called FatMal.
Countermeasure
The most effective defense against phishing is user awareness. I will not cover here how users should watch out for phishing, but every company should improve awareness. RSA and Forbes are very good examples of that. A single employee whose awareness you have not improved can get you hacked.
“You are as strong as the weakest link in your defense system” (Sun Tzu)
As a security admin, there are also some precautions you can take. A proxy with a dynamic scanning feature can reduce the chance of being hacked by phishing: even if the user opens the link in the e-mail, the proxy will not let him reach the website.
Even though it is not enough on its own, ensure that all employees' PCs and antivirus agents are up to date. It is not enough because in the Turkish case I described above, the antivirus vendors did not have a signature for the malicious software; Trend Micro released a signature two days later and Symantec five days later.

Tuesday, January 28, 2014

"Additional forensics data is not available" error in Websense DLP

Sometimes, while DLP is otherwise working fine, you may encounter the "Additional forensics data is not available" error in the "Forensics" tab of an incident. This means you cannot see the details of the incident.

It has a very simple solution:

1- Stop the DSSManager service and rename the following folders:
  1. %DSS_HOME%\tomcat\work > work.old
  2. %DSS_HOME%\tomcat\logs > logs.old
  3. %DSS_HOME%\tomcat\temp > temp.old
2- Create a new %DSS_HOME%\tomcat\temp folder and restart the DSSManager service.
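The same two steps as a script, added here as an example and not part of the original post. It assumes %DSS_HOME% is set in the environment and that it runs in an elevated PowerShell session on the DSS server.

```powershell
# Added example: scripted version of the Tomcat work/logs/temp reset.
# Assumes $env:DSS_HOME is set and the session is elevated on the DSS server.
$ErrorActionPreference = 'Stop'

$dssHome = $env:DSS_HOME
if (-not $dssHome -or -not (Test-Path (Join-Path $dssHome 'tomcat'))) {
    throw "DSS_HOME is not set or '$dssHome\tomcat' does not exist"
}
$tomcat  = Join-Path $dssHome 'tomcat'
$folders = 'work', 'logs', 'temp'

# Refuse to run if a previous .old copy is still there, so nothing is overwritten.
foreach ($f in $folders) {
    if (Test-Path (Join-Path $tomcat "$f.old")) {
        throw "$f.old already exists under $tomcat; archive or remove it first"
    }
}

# Step 1: stop the service and wait until it has really stopped, then rename.
Stop-Service -Name 'DSSManager'
(Get-Service -Name 'DSSManager').WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

foreach ($f in $folders) {
    $path = Join-Path $tomcat $f
    if (Test-Path $path) {
        Rename-Item -Path $path -NewName "$f.old"
    }
}

# Step 2: recreate an empty temp folder and start the service again.
New-Item -Path (Join-Path $tomcat 'temp') -ItemType Directory | Out-Null
Start-Service -Name 'DSSManager'
Get-Service -Name 'DSSManager' | Select-Object Name, Status
```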

Websense says that you should not lose any incidents in this scenario; I have tried it a few times and really did not lose any.

Monday, January 27, 2014

Advantages and Disadvantages of Reputation-Based Anti-Spam Services

One of the most efficient anti-spam techniques is IP reputation filtering. It is also the least costly technique for the anti-spam gateway and can block around 80% (or more) of spam before it reaches your server. First, I want to explain what a “reputation service” is for those who do not know, and then its positive and negative effects.

IP reputation services are based on gathering information about IP addresses. When someone tries to send you an e-mail, during the first connection the reputation service installed on your e-mail security server checks blacklists around the world and gathers information about the sender's IP address. If the sender's IP address is on a blacklist, meaning “this IP address mostly sends spam”, it blocks the message directly. So the message is blocked before it reaches your server, which gives better resource usage on that server.

In most situations, an IP reputation service can block around 80% of spam, as I explained above. This means that if you do not use an IP reputation service, 80% more messages reach your server and consume CPU and memory, so by that calculation you may need twice as many servers to process all this e-mail. Additionally, tests show that when an IP reputation service is used properly, the number of false positives is very small compared to typical content filtering.

Although an IP reputation service provides the advantages explained above, it can also have negative effects on a company's messaging. Assume that you have contacts who regularly e-mail hundreds of their customers, or who use their ISP's SMTP service to send e-mail. It is quite normal for the IP address they use to be flagged as a spammer and end up on a blacklist. In this situation there is nothing you can do to receive e-mail from that contact. You cannot whitelist the sender's domain, because filtering happens during the first connection, when the reputation service does not yet know the sender's domain; it only knows the IP address. Adding the IP address to a whitelist will not work either, because the message is blocked before it reaches your content filtering rules. The only remedy is for the sender to get its domain or IP address removed from the blacklists. You may think this is not your problem: if they cannot send e-mail to you, they cannot send to anyone else either. That is true, but in business it sometimes does not work that way. So activating an IP reputation service becomes a very critical decision.
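To make the "it only knows the IP address" point concrete, here is the kind of lookup a reputation service performs at connection time, added as an example and not code from the original post. It uses a DNS-based blacklist (DNSBL) query via Resolve-DnsName (Windows DnsClient module); the zone name and the peer address are placeholders I constructed, and the function deliberately takes nothing but the IP, because that is all that exists before the sender has said anything.

```powershell
# Added example: how a reputation lookup sees a sender at connection time.
# Only the peer IP is known at that moment, so the function takes nothing else.
function Test-SenderIPListed {
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [string]$Zone = 'dnsbl.example.net'   # placeholder; replace with your DNSBL zone
    )
    $octets = $IPAddress.Split('.')
    if ($octets.Count -ne 4) { throw "Expected an IPv4 address, got '$IPAddress'" }

    # DNSBLs are queried with the octets reversed: 203.0.113.7 -> 7.113.0.203.<zone>
    $query = ($octets[3..0] -join '.') + ".$Zone"

    # NXDOMAIN (no answer) means "not listed"; an A record, usually 127.0.0.x,
    # means "listed", and its value encodes the list's reason code.
    $answer   = Resolve-DnsName -Name $query -Type A -ErrorAction SilentlyContinue
    $aRecords = @($answer | Where-Object { $_.Type -eq 'A' })
    [pscustomobject]@{
        IPAddress = $IPAddress
        Query     = $query
        Listed    = ($aRecords.Count -gt 0)
        Codes     = @($aRecords | ForEach-Object { $_.IPAddress })
    }
}

# Decision is taken before MAIL FROM / DATA, i.e. before any domain whitelist or
# content rule gets a chance to run. Peer address is a constructed sample.
$peer   = '203.0.113.7'
$result = Test-SenderIPListed -IPAddress $peer
if ($result.Listed) {
    "Reject connection from $peer (codes: $($result.Codes -join ', '))"
} else {
    "Accept connection from $peer; content filtering runs later"
}
```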


As a result, it is very important to test the critical business processes during the PoC. As I stated above, if there are critical business processes that must receive e-mail even when the sender is on a blacklist, you have to test them before you buy or enable the service.

Monday, January 13, 2014

Non-repudiation Problem and Digital Signature

A digital signature is a hash value that has been encrypted with the sender's private key. Non-repudiation is the reason we need digital signatures, so at this point I want to explain the non-repudiation problem a little.

Non-repudiation
Soft documents are ubiquitous, so it is important to make sure that the sender is the real sender of a document and that it has not been modified on its way to you. According to Wikipedia, non-repudiation refers to a state of affairs where the purported maker of a statement will not be able to successfully challenge the validity of the statement or contract.

Asymmetric Cryptography
Because digital signatures use the sender's private key, it is important to understand asymmetric cryptography. The public key is available to everyone, and the private key is known only to its owner. When a message is encrypted with the public key, only the corresponding private key can decrypt it. Likewise, when a message is encrypted with a private key, only the corresponding public key can decrypt it. This is what we need for non-repudiation.

Digital Signature
Assume that UserA encrypts the hash of a document with his private key. This encrypted hash is called a digital signature. UserA sends the document and the signature to UserB, and UserB decrypts the signature with UserA's public key. UserB then calculates the hash of the received document and compares it to the decrypted hash value. If the two hashes match, UserB can be sure that the document was sent by UserA.


Smart Card

Once UserA's private key is stolen, someone else knows it and non-repudiation is broken: the attacker can send messages to others as if he were UserA. That is why the private key must be stored securely. It is recommended to store private keys on smart cards; the private key is generated on the smart card and never leaves it.
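The UserA/UserB exchange from the Digital Signature section, and the consequence of a leaked private key from this section, as one added example that is not part of the original post. It uses the RSA classes built into .NET from PowerShell (Windows PowerShell 5.1 or later is assumed); SignData hashes the document with SHA-256 and signs the digest with the private key, which is the "encrypt the hash with the private key" step the post describes, and VerifyData does UserB's hash-and-compare with only the public half of the key.

```powershell
# Added example: UserA signs, UserB verifies; all names and texts are constructed.
function New-SignedDocument {
    param([string]$Text, [System.Security.Cryptography.RSA]$PrivateKey)
    $bytes = [Text.Encoding]::UTF8.GetBytes($Text)
    # SHA-256 hash of the document, signed with the private key (PKCS#1 v1.5 padding)
    $sig = $PrivateKey.SignData($bytes,
        [Security.Cryptography.HashAlgorithmName]::SHA256,
        [Security.Cryptography.RSASignaturePadding]::Pkcs1)
    [pscustomobject]@{ Text = $Text; Signature = $sig }
}

function Test-SignedDocument {
    param($Document, [System.Security.Cryptography.RSAParameters]$PublicKey)
    $verifier = [Security.Cryptography.RSACryptoServiceProvider]::new()
    $verifier.ImportParameters($PublicKey)   # modulus + public exponent only
    $bytes = [Text.Encoding]::UTF8.GetBytes($Document.Text)
    # Recomputes the hash of what was received and checks it against the signed hash
    $verifier.VerifyData($bytes, $Document.Signature,
        [Security.Cryptography.HashAlgorithmName]::SHA256,
        [Security.Cryptography.RSASignaturePadding]::Pkcs1)
}

# UserA's key pair; ExportParameters($false) hands UserB the public half only.
$userA    = [Security.Cryptography.RSACryptoServiceProvider]::new(2048)
$userAPub = $userA.ExportParameters($false)

$doc = New-SignedDocument -Text 'Purchase order 4711: 200 units' -PrivateKey $userA
"Genuine document verifies: $(Test-SignedDocument $doc $userAPub)"        # True

# Modified in transit: the recomputed hash no longer matches the signed hash.
$tampered = [pscustomobject]@{ Text = 'Purchase order 4711: 2000 units'; Signature = $doc.Signature }
"Tampered document verifies: $(Test-SignedDocument $tampered $userAPub)"  # False

# A signature made with any other private key is rejected by UserA's public key...
$otherKey = [Security.Cryptography.RSACryptoServiceProvider]::new(2048)
$other = New-SignedDocument -Text 'Purchase order 4711: 200 units' -PrivateKey $otherKey
"Signed with another key verifies: $(Test-SignedDocument $other $userAPub)" # False
# ...so whoever holds UserA's actual private key produces signatures that are
# indistinguishable from UserA's. That is the non-repudiation loss the post describes,
# and why the key should be generated on, and never leave, a smart card.
```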

Thursday, January 9, 2014

Managing Websense Databases

Websense first creates a catalog database after installation (called wslogdb70) and then rolls over and creates new databases according to the policy the admin determines. The admin can choose to roll over every week, every month, or by the size of the database partitions. This helps the admin manage the database easily and improves database performance compared to having one very large database partition. However, Websense only allows 75 active database partitions.

Because of the active database count restriction, and possibly the disk size restriction on your database server, you may need to detach the older logs and move them to another server.

Assume that you want to keep only the last year's logs online and move older files to another server. You first have to disable the partition and then detach it from the database. You can select partitions by checking their start and end dates. Meanwhile, never detach or delete the catalog database.

If you need to see logs older than your active databases, you first need to move the partition back to your database server and attach it to the database. I will not cover how to detach and attach databases here.

At this point, you still cannot see the logs of the partition even after attaching it, because Websense marked the partition as offline when you disabled it. What you need to do is log in to Microsoft SQL Server Management Studio and edit the dbo.wse_partitions table.

As you can see in the top image, we disabled the wslogdb70_1 partition. So in the dbo.wse_partitions table you see that this partition's offline and read_only columns are set to 1, while the active partitions have 0. Just change these 1s to 0, and you can now see the logs belonging to this partition.
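The same edit done from PowerShell with Invoke-Sqlcmd (SqlServer module) instead of by hand in Management Studio, added here as an example and not part of the original post. Assumptions: dbo.wse_partitions lives in the catalog database wslogdb70, and the post does not name the column that holds the partition name, so -NameColumn is a placeholder you fill in after looking at the table with the first function.

```powershell
# Added example: inspect flagged partitions, then clear offline/read_only for one.
Import-Module SqlServer

function Show-WsePartitionFlags {
    param([Parameter(Mandatory)][string]$ServerInstance, [string]$Database = 'wslogdb70')
    # Only partitions carrying a flag are interesting; this also reveals the column names.
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query `
        'SELECT * FROM dbo.wse_partitions WHERE offline = 1 OR read_only = 1'
}

function Set-WsePartitionOnline {
    param(
        [Parameter(Mandatory)][string]$ServerInstance,
        [Parameter(Mandatory)][string]$PartitionName,   # e.g. wslogdb70_1
        [Parameter(Mandatory)][string]$NameColumn,      # placeholder: column seen in the SELECT above
        [string]$Database = 'wslogdb70'
    )
    # Invoke-Sqlcmd variables are substituted as text, not bound as parameters, so both
    # identifiers are checked against a strict pattern before being put in the statement.
    foreach ($v in $PartitionName, $NameColumn) {
        if ($v -notmatch '^[A-Za-z_][A-Za-z0-9_]*$') { throw "Refusing unsafe identifier '$v'" }
    }
    $sql = "UPDATE dbo.wse_partitions SET offline = 0, read_only = 0 " +
           "WHERE [$NameColumn] = '$PartitionName'"
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $sql

    # Read the row back so the change is confirmed rather than assumed.
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query `
        "SELECT [$NameColumn], offline, read_only FROM dbo.wse_partitions WHERE [$NameColumn] = '$PartitionName'"
}

# Usage (server name constructed): look first, then flip the flags for the re-attached partition.
Show-WsePartitionFlags -ServerInstance 'SQLSRV01\WEBSENSE'
Set-WsePartitionOnline -ServerInstance 'SQLSRV01\WEBSENSE' -PartitionName 'wslogdb70_1' `
    -NameColumn 'PARTITION_NAME_COLUMN'   # replace with the real column name
```

Take a backup of the catalog database before running the update; the post's own advice about never touching the catalog partition itself still applies.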