Posts Tagged "platform security"

Analyzing DNS Logs Using Splunk


Back in December of 2011 I wrote a post on the ThreatSim blog called "Fighting The Advanced Attacker: 9 Security Controls You Should Add To Your Network Right Now". One of the controls we recommended that folks implement was to log all DNS queries and the client that requested them:

Log DNS queries and the client that requested them: It's been said that DNS is the linchpin of the Internet. It's arguably the most basic and underappreciated human-to-technology interface. It's no different for malware. When you suspect that a device on your network has been compromised, it's important to be able to see what the suspected device has been up to. The DNS logs of a compromised machine will quickly allow responders to identify other machines that may also be infected.

Telling people to log DNS requests is super easy. Logging DNS queries is pretty easy too. Understanding how to ingest, analyze and process the data is where you need to bring in some tools. We love Splunk (as do many of our customers). Splunk is the perfect tool for the job of figuring out what your clients are up to and who they are talking to. You can also set up real-time alerts if Splunk sees a DNS lookup for a known bad domain name.
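As an added illustration (not code from the ThreatSim post, which did this in Splunk), here are the two questions the paragraph raises answered in Python over constructed log lines in an assumed BIND-style query-log format: which clients looked up a known bad domain, and, starting from one suspected machine, which other clients resolved the same names.

```python
import re
from collections import defaultdict

# Constructed sample lines in BIND query-log style (assumed format, not real data).
SAMPLE_LOG = """\
09:14:01 client 10.1.2.3#53211: query: www.example.com IN A + (10.0.0.1)
09:14:02 client 10.1.2.3#53212: query: cdn.bad-domain.test IN A + (10.0.0.1)
09:14:05 client 10.1.2.9#40112: query: www.example.com IN A + (10.0.0.1)
09:14:07 client 10.1.2.9#40113: query: Update.Bad-Domain.test. IN A + (10.0.0.1)
09:14:09 client 10.1.2.44#51000: query: mail.example.com IN MX + (10.0.0.1)
09:15:30 client 10.1.2.3#53213: query: api.stage.test IN A + (10.0.0.1)
09:15:31 client 10.1.2.77#53900: query: api.stage.test IN AAAA + (10.0.0.1)
"""

LINE_RE = re.compile(
    r"client (?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<qname>\S+) IN \S+"
)

def normalize(name):
    """Lower-case and drop the trailing dot so 'Foo.test.' equals 'foo.test'."""
    return name.lower().rstrip(".")

def parse_queries(log_text):
    """Yield (client_ip, qname) for every line matching the assumed format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("client"), normalize(m.group("qname"))

def clients_querying(log_text, bad_domains):
    """Known-bad alerting: map each bad domain to the clients that looked it up,
    matching the domain itself and any subdomain of it."""
    hits = defaultdict(set)
    for client, qname in parse_queries(log_text):
        for d in map(normalize, bad_domains):
            if qname == d or qname.endswith("." + d):
                hits[d].add(client)
    return {d: sorted(c) for d, c in hits.items()}

def pivot_from_suspect(log_text, suspect_ip, ignore=()):
    """Incident pivot: names the suspect queried, mapped to the OTHER clients that
    queried the same name; names in `ignore` are dropped as benign noise."""
    by_name = defaultdict(set)
    for client, qname in parse_queries(log_text):
        by_name[qname].add(client)
    ignored = {normalize(n) for n in ignore}
    return {q: sorted(c - {suspect_ip}) for q, c in by_name.items()
            if suspect_ip in c and q not in ignored and c - {suspect_ip}}
```

The `ignore` list matters in practice: without it, popular names every client resolves turn the pivot into a list of the whole network.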

Let’s implement our recommendation in real life. Here is what we did:

Read More

Strongwebmail.com Contest Analysis


If you are in the security industry you probably heard that Strongwebmail.com held a "hacking" contest to promote their "unhackable" authentication scheme. In a nutshell, users authenticate with their user ID/password and are then sent, via SMS or voice call, a one-time numeric string. Without the numeric string (or PIN), you don't get in. If you followed this story you are no doubt aware that a couple of security researchers (Lance James, Aviv Raff, and Mike Bailey) were able to bypass the webmail's input/output validation on email messages and XSS'd the CEO, gaining access to his calendar and claiming the prize.

Some called the contest a failure; others called it a success, as Strongwebmail.com had essentially received a $10,000 pen-test. However, I wouldn't call it a very good pen-test, as Strongwebmail.com still has a few remaining problems:

Directory indexing exposes CodeIgniter tree:

[screenshot: strongwebmail1]

Directory of misc. scripts:

[screenshot: strongwebmail2]

Paypal scripts:

[screenshot: strongwebmail5]

Also, I found what appears to be their webmail interface that is reading my cookie as the user "ceo":

[screenshot: strongwebmail4]

Nothing on the interface worked but still, this is functionality that should not be exposed.

The lesson learned here is that if you are going to evaluate the security of an application, you need to start at the lower levels of the stack and work your way up. In Strongwebmail.com's case, they had weaknesses not only in the application layer (XSS), but on the platform as well.