If you’ve never experienced Amazon Web Services, you’re missing out. Amazon AWS is a penetration tester’s nirvana. Imagine a plethora of cloud services at your fingertips, including storage, a virtual machine repository and so much more. And best of all, it’s FREE for the first year: AWS offers free tier services at no risk, a try-before-you-buy arrangement.
AWS leverages Open Source heavily, but for those with weak stomachs Windows is available too. The range of services offered is extensive, from compute power for those hungry applications to database services, backup and storage services, and web applications. There are 19 different services available in the AWS Management Console, but I’ll be honest, I have not used them all. Some are geared to enterprise markets while others translate well to smaller shops. Personally I’ve used EC2 virtual machines and S3 storage services.
I began my Amazon AWS adventure with EC2. At the time I needed a Linux host for email hosting, and I needed it yesterday. However, I wanted full console access rather than the typical control panel business most web hosting services offer. Secondly, this was a temporary requirement for about a month, so it didn’t make sense to sign up for a lengthy contract. After doing some research, the Amazon AWS free tier was the perfect fit. I signed up and was immediately able to create a virtual machine instance from an AMI image. These are stock VM images ready for cloning. AWS offers choice and flexibility with respect to Linux flavour; however, the free tier is limited to Red Hat Enterprise. If you want a custom Ubuntu AMI, you can have it, but not in the free tier. For me it didn’t matter much, I was comfortable with Red Hat. Within literally 10 minutes I had a Linux VM running in the cloud, with full SSH shell access.
I installed the required packages, configured everything, assigned a static IP (AWS calls it an Elastic IP), updated my DNS MX record and mail started to flow. The overall experience was refreshing and fairly easy. In the end I kept that VM instance online for a few months before moving it to its permanent home. It cost me $0 and I had fun doing it.
Stay tuned, more Amazon goodies next time.
If you recall, in the discovery phase we identified our target, John Smith; however, we also learned of a co-worker, Jane Doe. Lucky for us, Jane Doe has a LinkedIn account. Therefore, in the attack phase we’ll construct a spoofed LinkedIn phishing email impersonating Jane Doe. In this email we’ll request a LinkedIn connection from John Smith. From his office computer, John Smith accepts our fake request because he knows Jane Doe and assumes this is a legitimate connection request. By accepting, he is redirected to an exploit site targeting a web browser vulnerability. Ultimately his computer becomes infected with a custom Trojan his anti-virus has never seen before and is therefore defenseless against. Our custom Trojan is instructed to connect back to our computer across the Internet and voilà, we’ve infiltrated XYZ Corp’s network and established a beachhead.
This type of attack is not as far-fetched as you may think. Leveraging the information that legitimate users provide to social media sites makes these attacks among the easiest and, unfortunately, most successful. The information is made freely available, and often the level of personal information posted online would raise red flags in other social settings; but it seems that because it’s online, users lose sight of that fact and anything goes. While the majority actually use these social services as they were intended to be used, a fringe minority are taking advantage of people’s good will and twisting it for nefarious purposes. However, despite the risk it’s not all doom and gloom. Like it or not, social media is here to stay and we must learn proper etiquette to stay safe. There are ways we can protect ourselves and continue to enjoy the benefits of social media.
• Adhere to the least privilege principle.
• Think twice or even three times before posting personal details online.
• Scrutinize invitations, tweets and email messages asking for action on third-party web sites ~before clicking :-)
• Use common sense.
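The LinkedIn lure in the scenario above relies on a link whose visible text or branding does not match where the href actually goes. As an added example (not part of the original post), here is a small Python check that parses the anchors in an HTML email and flags two patterns: display text that names one domain while the href leads to another, and a trusted brand name buried inside an unrelated host. The sample message, the `TRUSTED_DOMAINS` list and the `registered_domain` helper are constructed assumptions for the demonstration.

```python
"""Flag links in an HTML email whose visible text or branding does not
match the domain the href really points at.

Added example for the post above; not part of the original post.
The sample message is constructed, and the trusted-domain list is an
assumption you would tailor to your own environment."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the recipient legitimately receives invitations from.
TRUSTED_DOMAINS = {"linkedin.com"}

# Display text that looks like a URL or bare domain (e.g. "www.linkedin.com/invite/1").
URL_LIKE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


def registered_domain(host: str) -> str:
    """Crude registered-domain extraction (last two labels).
    Sufficient for the demo; production code would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str, trusted=TRUSTED_DOMAINS):
    """Return a list of (href, text, reason) for links that deserve a second look."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        target = registered_domain(host)
        # 1. Display text names a domain, but the href goes somewhere else.
        if URL_LIKE.match(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registered_domain(shown) != target:
                findings.append((href, text, "display text and href point at different domains"))
                continue
        # 2. A trusted brand name appears in the host, but the registered
        #    domain is not the brand's own (e.g. linkedin.com.example.net).
        for brand in trusted:
            name = brand.split(".")[0]
            if name in host.lower() and target != brand:
                findings.append((href, text, f"'{name}' used in a non-{brand} host"))
                break
    return findings


# Constructed sample: a fake "connection request" with two deceptive links
# and one genuine one.
SAMPLE_EMAIL = """
<p>Hi John,</p>
<p>Jane Doe wants to connect with you on LinkedIn.</p>
<p><a href="http://linkedin.com.example.net/invite/8813">Accept invitation</a></p>
<p>Or copy this link:
<a href="http://linkedin.com.example.net/invite/8813">www.linkedin.com/invite/8813</a></p>
<p><a href="https://www.linkedin.com/help">Help centre</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"[{reason}] text={text!r} href={href}")
```

Run against the sample, the first two anchors are reported and the genuine help link is not. The brand check is deliberately narrow (a brand label inside a host that is not the brand's registered domain), so it catches the common "brand.com.attacker.tld" trick without flagging every unrelated link.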
Many don’t realize the Internet has an unlimited memory: information posted to third-party social web sites may be used and retained by those third parties forever. In some cases, once you post, you lose control over the information. It may become impossible to remove or delete. Personally, before I post personal information online, I perform the “telephone test”. It goes something like this: if I received a phone call asking for the information I’m about to post online, would I be comfortable providing it to the anonymous caller on the other end of the telephone? If the answer is ‘no’, then I don’t post.
While email addresses and home addresses may not seem like much, from an attacker’s perspective they’re a great start. But before I explain the anatomy of a typical attack, let’s look at what motivates would-be attackers to expend energy and resources. While motives are as diverse as the stars in the night sky, the most common include:
• identity theft
• financial gain
• corporate espionage or network penetration
• politically or state motivated agenda
• social or economic movements
• social group bragging rights
In the short history of the Internet you can find many examples of attacks within each of these categories simply by Googling. But let me construct a typical “corporate espionage or network penetration” attack scenario.
There is a common misconception in corporate circles that a well-protected front door, in this case the typical network firewall, shields corporate networks from targeted penetration. In my opinion nothing could be further from the truth. Please don’t misunderstand me: I’m not saying firewalls are obsolete or not required. All I’m alluding to is the fact that an attacker will not waste their time at the front door precisely because it is well protected. Instead, most will look at alternate corporate network entry points, which typically are not well protected and are honestly much easier targets, requiring less energy and effort to exploit.
Let’s assume I’m an attacker, and today’s target is Corporation XYZ. If I’m not attempting the direct approach, then what are my alternatives? Well, I could exploit badly configured web servers, but again that requires effort and may draw too much attention. Instead I’ll direct my efforts at the weakest link: “corporate users”. With the advent of social media and social networks, the “user” is becoming the preferred target. So, let’s look at the anatomy of a typical social engineering attack using social media.
A typical attack may begin by using public information published by Corporation XYZ to build a profile of the company and attempt to learn more about its employees. This involves the XYZ corporate web site and common search engines like Google, Yahoo, Bing and others. Gathered information can later be used to build credibility during the attack phase; at this point we’re simply gathering information. Let’s assume I’m interested in XYZ research and development, and my discovery phase identified the VP of R&D at XYZ Corp., named John Smith. With my target in hand I can utilize legitimate tools like ‘Maltego’ to gather more specific information about John Smith and correlate the results with Corporation XYZ. Maltego’s powerful correlation engine will cross-harvest social networks like LinkedIn, constructing an ever more accurate profile of the target. While harvesting information and correlating a range of social media sites can be accomplished manually, tools like Maltego do it extremely quickly with virtually zero effort from the attacker.
Unfortunately, many don’t realize a disturbing characteristic of social media: the information contained within one site can be useful in attacking others. A good example is the social site ‘Classmates.com’. The information available at sites like Classmates.com can be used to hijack accounts at other social and non-social sites. To the detriment of many web users, web sites use password recovery or reset questions like “What high school did you attend?” or “Who was your 9th grade English teacher?” This information can often be harvested from sites like Classmates.com and used to gain access to accounts by resetting passwords. From an attacker’s perspective, imagine the value of hijacking the credibility of a high-profile Twitter account. Most followers of the hijacked account wouldn’t think twice about clicking a malware-infested link tweeted from it. Credibility significantly improves the success rate of attacks, and attackers know this well.