Archive for the 'Endpoint Security & Pentesting' Category


February 5, 2016

Today we are going to share a few tips for a more secure Apple iPhone.

1. Lock your phone.

Use a passcode and set your phone to lock after a few minutes of inactivity. To make it easier for a Good Samaritan to return a lost, locked phone, use image editing software to put your contact details into your phone’s wallpaper, which is visible on the lock screen without unlocking.

2. Back up your phone’s data.

Back up your data on a regular basis and install system software updates when prompted. “This way, you’ll always have the latest security updates and ensure that your device is always performing at an optimal level.”

3. Only use what you need.

Disable Wi-Fi, Bluetooth and location services when they are not in use. Each of them is a radio interface an attacker can reach without touching the device. “iPhones try to connect to the nearest WiFi signal and if this is left open, an attacker can create a WiFi hot spot, which the user could connect to without realizing it.”

4. Use security apps.

The BlackSMS app encrypts messages, requiring the recipient to know a password to decode them. This keeps your secrets from someone who picks up your unlocked phone and scans your message log, or who receives a forwarded message. “As long as the password is only known to you and the recipient, your message is safe,” says BlackSMS creator Tyler Weitzman.
The free Lookout app locates a lost or stolen iPhone, warns you when you connect to an unsecured hotspot and offers other useful security tools. You can also use Apple’s Find My iPhone service (its commands are delivered through push notifications) to lock your iPhone remotely or erase the data on it. If your company runs a Cisco VPN gateway such as an ASA firewall, the free Cisco AnyConnect app builds an encrypted tunnel to it, which permits advanced work such as using Windows Remote Desktop to control a PC.

5. Choose your friends wisely.

Family, friends and acquaintances who get the chance to pick up an unguarded, unlocked phone probably present the biggest security risk, Weitzman guesses. Families that share an iTunes account may also, depending on settings, share text messages, he reminds. And your security is only as good as your correspondents’. “If you send a message to someone, even if you have perfect security on your own phone, if they don’t then there is still a security risk that unwanted eyes will read it,” he says.

6. Finally, don’t be lazy.

Most people don’t activate automatic locking and a passcode because they get tired of typing the code. Even more never turn off Bluetooth and Wi-Fi when they are not in use. And only a few go to the expense and trouble of buying and installing security apps.

7. Be careful what you click on.

“SMS texts coming to the device with links or attachments could potentially be an attack on the device.” iPhones hide the actual URLs of links included in messages, making it hard for users to tell whether they are being redirected to a spoof or phishing site that will try to get them to type passwords or other information into a web page, he notes.
In this regard, treat your iPhone as you would your PC and don’t tap links in e-mails or messages from sources you don’t recognise. (To see the actual URL behind a link in an iPhone e-mail, touch and hold the link until a menu appears; the link’s details are shown at the top of that menu.) “Users should be aware of how to look at the URL bar on their iPhone to make sure they are actually on the Website they think they went to.”


500 worst passwords

Author: Martin Voelk
January 7, 2016

Some pentesters think far too complicated. At security conferences, when the talk turns to passwords, I often hear other security experts discuss gigabytes of rainbow tables in all sorts of languages, mixed with special characters, and how to brute force with them. Let’s take a step back here.

Why not try the low-hanging fruit first in a pentest? It sounds basic, but it holds true: many users simply use the most basic passwords and maybe, just maybe, start with a capital letter or append 123.

Whenever we do a pentest for a client that involves password brute forcing, we always start with the 500 worst passwords. Some statistics: of all the pentests we ran against WordPress admin panels in 2015, one of those 500 worst passwords combined with the admin user got us in on more than 40% of the tested sites. For the remaining 60% you often need larger wordlists and permutations, but those opened the doors of another 35% of all sites. That leaves only around 25% with passwords strong enough that brute forcing does not succeed in a reasonable timeframe.

For those interested in the 500 worst passwords, take a look here: https://gist.github.com/djaiss/4033452

Maybe you find a password you use? 😉
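The ordering argued for above, as an added example that is not code from the original post: the raw list is exhausted before any permutation is tried, and the permutations are the cheap ones the post mentions (capitalised first letter, appended 123 and a few similar suffixes). The base list is a constructed stand-in for the first entries of the linked gist, and the targets are constructed SHA-256 digests so that the script runs offline; against a live WordPress login you would feed the same candidate stream to your brute-forcing tool, and respect the lockout and rate limits of the engagement.

```python
"""Low-hanging fruit first: exhaust a short 'worst passwords' list before
spending time on permutations (capitalised first letter, appended digits).

Added example, not code from the original post. BASE_LIST is a constructed
stand-in for the first entries of the linked gist, and TARGETS are
constructed SHA-256 digests so that everything runs offline.
"""
import hashlib
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed stand-in for the start of the "500 worst passwords" list.
BASE_LIST: List[str] = [
    "123456", "password", "12345678", "1234", "12345", "dragon", "qwerty",
    "letmein", "baseball", "master", "football", "shadow", "monkey",
    "abc123", "admin", "welcome",
]

# Tier-2 rules, cheapest and most common first (assumption: tune per target).
SUFFIXES = ["123", "1", "!", "2015", "2016"]


def mangle(word: str) -> Iterator[str]:
    """Yield the tier-2 permutations of one base word, without duplicates."""
    seen = set()
    variants = [word.capitalize(), word.upper()]
    variants += [word + s for s in SUFFIXES]
    variants += [word.capitalize() + s for s in SUFFIXES]
    for v in variants:
        if v != word and v not in seen:
            seen.add(v)
            yield v


def candidates(base: Iterable[str]) -> Iterator[Tuple[int, str]]:
    """Yield (tier, password). Tier 1 is the raw list; tier 2 starts only after
    the whole raw list has been tried, which is the ordering the post argues for."""
    words = list(dict.fromkeys(base))  # de-duplicate, keep order
    for w in words:
        yield 1, w
    emitted = set(words)
    for w in words:
        for v in mangle(w):
            if v not in emitted:
                emitted.add(v)
                yield 2, v


def sha256_hex(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


def crack(targets: Dict[str, str], base: Iterable[str],
          max_guesses: int = 100_000) -> Dict[str, Tuple[int, str, int]]:
    """Run the ordered candidates against {account: sha256_hex(password)}.

    Returns {account: (tier, password, guess_number)} for every hit. Plain
    SHA-256 stands in for whatever the target really stores (or for a live
    login form); the ordering is the point here, not the hash."""
    pending: Dict[str, List[str]] = {}
    for acct, digest in targets.items():
        pending.setdefault(digest, []).append(acct)
    found: Dict[str, Tuple[int, str, int]] = {}
    for n, (tier, pw) in enumerate(candidates(base), start=1):
        if n > max_guesses or not pending:
            break
        for acct in pending.pop(sha256_hex(pw), []):
            found[acct] = (tier, pw, n)
    return found


# Constructed targets: two weak accounts and one with a genuinely strong passphrase.
TARGETS = {
    "admin": sha256_hex("password"),
    "editor": sha256_hex("Dragon123"),
    "cfo": sha256_hex("correct horse battery staple 7!"),
}

if __name__ == "__main__":
    for acct, (tier, pw, n) in sorted(crack(TARGETS, BASE_LIST).items()):
        print(f"{acct}: '{pw}' found at tier {tier}, guess #{n}")
```

Running it shows the admin account falling on the second guess and the editor account only once the tier-2 permutations start, while the passphrase survives the whole candidate stream; the same two-tier ordering is what keeps a real brute-force run short on the 40% of sites the post describes.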


BYOD Security Problems

Author: Martin Voelk
April 12, 2015

We recently completed an assessment for a customer who had strong concerns about their BYOD approach. The results were quite shocking. While the technology is by now mature enough to support BYOD, it is once again the human user who fails at basic security.

In this case the client used a very well-known vendor’s BYOD solution, and while corporate access from BYOD devices was limited appropriately, we were able to compromise certain aspects through the human element once again.

Too many privileges set

Unfortunately very common: ordinary users could access resources they never should have, because admin misconfigurations allowed it.

Many users have rooted Androids

A lot of the technical staff had rooted Android phones. There are many reasons why people root their Androids, but none of them improve security, and rooting opens up nice new attack vectors.

Even more users had their private iPhones jailbroken

We were surprised that almost 50% of the assessed devices were jailbroken. People get them jailbroken at the little cell phone store to unlock certain features, run unauthorised apps, etc. That they create far more attack vectors by doing so is something the ordinary user does not understand.

Private BYOD smartphones not updated

One would think that people update their phones when Apple or Google release security fixes. Unfortunately not. Only 20% of the private phones in our assessment were up to date; the other 80% ran versions with known flaws because the users were not interested or had no time to upgrade.

Infected private endpoints

This is by far the biggest problem. Employee-owned jailbroken iPhones often run infected or unauthorised apps carrying spyware or malware, sometimes bundled into a legitimate-looking app, sometimes installed on purpose. It seems to be a modern sport among couples to spy on each other by silently installing spyware apps on the spouse’s phone.

Summary:

As good as the new BYOD solutions are, the problem lies in the “own device”. Own device means it is not company property, and if security policies are not enforced while the device is away from the corporate network, these devices pose a massive threat to the business.


The Dangers of QR Codes

Author: Martin Voelk
April 3, 2015

If you live in the United States or in Europe you will have noticed the very annoying trend of QR codes everywhere, from pizza flyers to cinema flyers. Every flyer and public ad in the subway seems to carry one. The idea is that people scan it with their smartphones and are redirected to a website where the advertiser tries to sell a product.

Everyone happily scans away, and no one spends a single thought on the security aspects of those codes. What if a hacker or a criminal organisation prints 1000 professional-looking flyers with a QR code and the text “Scan the code below and get $50 USD/EUR/GBP on your next purchase at the Apple Store”? 99.9% of people would scan without reservation. But instead of getting the promised money, they are redirected to a drive-by malware / adware website specifically optimised to infect their smartphones.

Our advice! DO NOT SCAN QR (Quick Response) Codes at all!!

For demonstration purposes, scan our little code below. We won’t infect your device; we help people become more secure!
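A check that serves both the advice in the iPhone tips above (look at the real URL behind a link before tapping it) and this post (look at what a QR code decoded to before visiting it), as an added example that is not code from the original posts. It takes the already-decoded string, so it works on a QR payload as well as on the href behind a message link; the brand list, shortener list, heuristics and sample inputs are constructed assumptions, not anything the posts specify.

```python
"""Inspect a link before you follow it: the same check serves the href hidden
behind a message link and the string a QR code decodes to.

Added example, not code from the original posts. BRAND_DOMAINS, SHORTENERS,
the heuristics and the sample inputs are constructed assumptions; replace
the lists with the domains and shorteners relevant to you.
"""
import ipaddress
import re
from typing import List
from urllib.parse import parse_qs, urlsplit

# Hypothetical brands an attacker might impersonate (the QR post's bait was "the Apple Store").
BRAND_DOMAINS = {"apple.com", "icloud.com"}
# Common shorteners: the real destination is hidden until you resolve them.
SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com", "ow.ly"}
REDIRECT_PARAMS = {"url", "redirect", "redir", "next", "goto", "target"}


def _hostname(url: str) -> str:
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def _registrable(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain
    (fine for .com/.net; use a public-suffix list in production)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_url(url: str) -> List[str]:
    """Return warnings for a decoded QR payload or an href; [] means nothing suspicious."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return ["unparseable URL"]
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    warnings: List[str] = []
    if scheme not in ("http", "https"):
        # QR payloads are not always web links: tel:, sms:, mailto:, wifi:, intent: ...
        return [f"non-web scheme '{scheme or 'none'}': do not open automatically"]
    if scheme == "http":
        warnings.append("plain http: content and redirects can be tampered with in transit")
    if _is_ip(host):
        warnings.append(f"IP-literal host {host}: no domain name to judge")
    if parts.username is not None:
        warnings.append("credentials in URL: the text before '@' is not the site you land on")
    if "xn--" in host:
        warnings.append("punycode label in hostname: possible homograph lookalike")
    if _registrable(host) in SHORTENERS:
        warnings.append(f"URL shortener {host}: real destination hidden")
    for brand in BRAND_DOMAINS:
        label = brand.split(".")[0]
        if label in host and _registrable(host) != brand:
            warnings.append(f"'{label}' appears in the hostname but the domain is "
                            f"{_registrable(host)}, not {brand}")
    for key, values in parse_qs(parts.query).items():
        if key.lower() in REDIRECT_PARAMS and any(
                v.lower().startswith(("http://", "https://")) for v in values):
            warnings.append(f"redirect parameter '{key}' sends you on to another site")
    return warnings


def check_link(display_text: str, href: str) -> List[str]:
    """For a link in a message or e-mail: compare the text the user sees with the
    real destination, then triage that destination."""
    warnings: List[str] = []
    shown = display_text.strip()
    # Only compare when the visible text itself looks like a URL or a domain.
    if re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", shown, re.I):
        shown_host = _hostname(shown if "://" in shown else "https://" + shown)
        if shown_host and _registrable(shown_host) != _registrable(_hostname(href)):
            warnings.append(f"link text shows {shown_host} but the link goes to {_hostname(href)}")
    return warnings + triage_url(href)


if __name__ == "__main__":
    # Constructed inputs: a QR flyer payload and two message links.
    for label, result in [
        ("QR flyer", triage_url("http://apple.com.gift-50.example/claim")),
        ("message link", check_link("www.apple.com", "https://login.apple.com-verify.example/")),
        ("legit", check_link("Apple Store", "https://www.apple.com/shop")),
    ]:
        print(label, "->", result or "ok")
```

The registrable-domain check is deliberately crude; what matters is the habit it encodes: judge the host you will actually land on, not the brand name that happens to appear somewhere in the link text, the path, or the part before an "@".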


March 29, 2015

Although already a few months old, this little video from the folks at Offensive Security shows that a system designed to protect the endpoints (in this case a Symantec solution) can itself become the entry point for a breach. We have had similar experiences with other vendors’ security solutions.

This highlights the need for proper penetration testing rather than just vulnerability scanning. A vulnerability scanner only detects vulnerabilities that are already known; it cannot find flaws nobody has catalogued yet. That is where the human pentester thinking outside the box comes in.

Symantec Endpoint Protection Privilege Escalation 0day from Offensive Security on Vimeo.


Breaking iPhone PINs

Author: Martin Voelk
March 19, 2015

We recently had the pleasure of testing a device called IP Box in one of our pentesting engagements with a customer. It was a shocking experience to find out how easily iPhone PINs can be broken. The good news is that it does not work against the latest iOS versions, but it works well against older ones.

The average time to break a PIN is around 1 to 2 hours, and the system that makes this possible sells for about $250 USD. Apple is generally very good on security, but as the IP Box shows, older iPhone versions remain breakable.

The iPhone has an Erase Data option that wipes the device after ten failed passcode attempts, but users (again the weakest link) need to enable it.

http://www.teeltech.com/mobile-device-forensic-tools/ip-box-iphone-password-unlock-tool/


Adding protection to endpoints

Author: Martin Voelk
March 14, 2015

We often get asked: I have a Mac, so I am secure, right? You are certainly better off than on any Microsoft OS; Apple’s platforms have seen far fewer widely exploited security flaws than Microsoft’s. But does that make macOS and iOS invincible? No. Security is a cat-and-mouse game, and clever programmers, exploit developers and hackers always find flaws in any system. What can you do to make it harder? There are good endpoint security suites out there, but most cost money.

For starters we recommend that everyone use FortiClient from Fortinet. It is a neat endpoint protection suite, completely free, and available for Windows, iOS, macOS and Android.

You can download it here: http://www.forticlient.com


Apple OSX and Security

Author: Martin Voelk
November 27, 2014

It’s a widely held view that the security of Apple OS X is light years ahead of anything Microsoft does. However, security is only as good as the people using it. We recently did a pentest where the client gave us 100% liberty to do whatever it takes to test their security.

So we built a variety of nice OS X payloads with the Metasploit framework and distributed them strategically through social engineering. Within minutes we had voice recordings of employees, webcam captures and desktop access. Dumping password hashes and installing backdoors afterwards were routine tasks.

The same old problem: 95% of the time, employees fall victim to plain, simple social engineering. They are told by email, or worst case over the phone, to install the little file “to enhance security” that will arrive by email shortly.

Finding a properly exploitable vulnerability in a server or network OS is rare these days. Web applications are the number one technical attack vector, followed by employees’ lack of security awareness. BYOD, and letting employees use their corporate devices for private purposes, is one of the worst nightmares for security.

This particular client had invested heavily in perimeter security, only to find out that a Metasploit payload generated with msfpayload, with handcrafted anti-virus and OS X threat-detection bypasses, put the whole organisation at risk. It creates an SSL tunnel back to the attacking server, and even outbound firewall filtering would not have prevented this: the firewalls are blind to the encrypted traffic, and very few companies do outbound SSL inspection because it is costly.
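A detection-side counterpart to the post’s point, as an added example that is not code from the original: the firewall cannot read inside the SSL tunnel, but the connection metadata it does log still shows the implant calling home on a fixed timer, which is a pattern a user’s browsing does not produce. The key=value log format, the addresses (documentation ranges only), the sample log itself and the thresholds are constructed assumptions for this illustration.

```python
"""Beacon hunting on outbound connection logs. The firewall cannot see inside
the SSL tunnel, but a reverse-HTTPS implant still leaves a metadata trail: one
internal host, one external address, connections on a near-constant timer.

Added example, not code from the original post. The key=value log format,
the addresses (documentation ranges only) and the thresholds are constructed
assumptions; baseline the thresholds on your own traffic.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Tuple

LOG_RE = re.compile(
    r"ts=(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)"
)

Event = Tuple[datetime, str, str, int]


def parse(lines: List[str]) -> List[Event]:
    """Keep allowed connections only; a denied attempt never reached the server."""
    events: List[Event] = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m["action"] == "allow":
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events


def find_beacons(events: List[Event], min_conns: int = 6, max_jitter: float = 0.15,
                 known_good: FrozenSet[str] = frozenset()
                 ) -> List[Tuple[str, str, int, int, float, float]]:
    """Return (src, dst, dport, count, mean_gap_s, jitter) for every flow whose
    gaps between connections are nearly constant (jitter = stdev / mean)."""
    by_flow: Dict[Tuple[str, str, int], List[datetime]] = defaultdict(list)
    for ts, src, dst, dport in events:
        by_flow[(src, dst, dport)].append(ts)
    hits = []
    for (src, dst, dport), stamps in by_flow.items():
        if dst in known_good or len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            hits.append((src, dst, dport, len(stamps), round(mean, 1), round(jitter, 3)))
    return sorted(hits)


# ---- constructed sample log (not real traffic) -----------------------------
_BASE = datetime(2014, 11, 26, 9, 0, 0)


def _line(offset_s: int, src: str, dst: str, dport: int = 443, action: str = "allow") -> str:
    ts = (_BASE + timedelta(seconds=offset_s)).isoformat()
    return f"ts={ts} src={src} dst={dst} dport={dport} action={action}"


SAMPLE_LOG: List[str] = (
    # implant on 10.0.1.23 calling home every ~60 s; the small jitter is its sleep timer
    [_line(o, "10.0.1.23", "198.51.100.77") for o in (0, 61, 119, 181, 240, 302, 359, 420)]
    # a user browsing: bursts and long gaps
    + [_line(o, "10.0.1.40", "192.0.2.50") for o in (5, 9, 12, 410, 418, 2200, 2215)]
    # patch client polling a known update server on the hour: regular, but expected
    + [_line(o, "10.0.1.40", "203.0.113.9") for o in (0, 3600, 7200, 10800, 14400, 18000)]
    # a denied attempt from the implant host, not counted
    + [_line(700, "10.0.1.23", "198.51.100.77", action="deny")]
)

if __name__ == "__main__":
    for hit in find_beacons(parse(SAMPLE_LOG), known_good=frozenset({"203.0.113.9"})):
        print("possible beacon:", hit)
```

The allow-list matters: scheduled update checks and monitoring agents are just as regular as an implant, so without a baseline of expected destinations this rule drowns in legitimate hits. Note also that the rule works on timing alone, which is exactly what a firewall without SSL inspection still has.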
