Special Edition is the blog for security testing business SE Labs. It explains how we test security products, reports on the internet threats we find and provides security tips for businesses, other organisations and home users.

Monday, 31 October 2016

Monitor Unknown Connections with Currports


Uncover dodgy connections and malicious activity with this handy, free utility.

If you've ever downloaded an unknown executable or suspect something may have subverted your defences, you need to know about any malicious connections. Written and maintained by Nir Sofer, Currports gives you a clear, interactive view of all TCP and UDP connections being made by your Windows computer. Unlike Process Monitor, which is part of the excellent Windows Sysinternals suite, Currports isn't a massive firehose of events that needs taming to be of any use.


You can download Currports from its homepage. The link is near the bottom. If you run a 64-bit architecture, be sure to download the 64-bit version. You can run Currports from anywhere, including the desktop; it will create a configuration file called cports.cfg in whichever folder you run it from.

Setting Up
Run Currports and expand the display. By default, the listing is unsorted and doesn't automatically update, but we can change that. Press Alt + 1 to set an update time of one second, Alt + 2 for two seconds and so on.

Scroll across the display to see the information offered on each connection. Each time you press CTRL+Plus (on the keypad) the columns will auto-resize themselves.

If you double click on a line, a pop-up appears giving details of the process. This basically summarises the data in each of the columns. You can highlight a piece of information, then copy and paste it into other documents etc.

If you grab a column header with the mouse, you can pull it to wherever you want. I advise pulling "Process Created On" to the very left of the display because this acts as a handy time index to events. You can also go to View -> Choose Columns and re-order them, or switch off those you don't require. If you find it difficult to follow lines across the screen, you can also mark every other line in light grey, and add gridlines from this menu.

There's another useful column way over to the right of the display. It's the Remote IP Country column. This will give you the country each remote IP address is assigned to, but it doesn't display anything until we download the legacy GeoLite City Database. Download the Binary/xz version of the file and place it in the same folder as Currports. Re-run Currports, move the Remote IP Country column to a place where you can see it, and you should see the column start to populate as connections are made. If not, you probably downloaded the wrong database. It's the Binary/xz format you need. You don't have to unpack it; just place it in the same directory as Currports.

To test the setup, open the Edge browser to generate lots of connections. Sure enough, the screen fills with new connections to different IP addresses as it accesses news, adverts and lots of other guff from multiple countries. The names of servers are resolved into host names where possible, as are city and country names if you downloaded the GeoLite City Database.


Setting Options
Currports has a range of useful options. Most control what's displayed. Particularly useful is Mark Ports of Unidentified Applications, which is set by default. Any suspicious ports are coloured pink. Suspicious in this context means no icon, no version information, and so on.

To save you from having to sit and actively monitor Currports waiting for an infection to make its move, you can set the Beep on New Ports option. This can become quite noisy on a busy system, but if you just need to know if a suspect process on a specially prepared victim system is making outside connections without you having to stare at the screen for hours, this is the option for you.

You can also log activity by selecting File -> Log Changes. This begins writing to cports.log, which is a plain text file. It logs new connections and connections that close. The log file is written to the same folder from which you started Currports.

You can also filter Currports' on-screen output. The format of a filter varies slightly depending on what you filter.

For example, to remove all instances of svchost.exe from the display, enter the following line:

exclude:process:svchost.exe

To only show HTTP and HTTPS traffic and exclude all other connected processes:

include:remote:tcp:80
include:remote:tcp:443

You can use local, remote or both to define which end of the connection you're interested in. Similarly, the allowed protocols are TCP, UDP and TCPUDP (both).

The include directive means that everything else is excluded, so you'll need to build up the output using multiple include lines.
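To make the filter semantics concrete, here is an added Python example (not part of Currports or the original post) that applies filter lines in the syntax above to a handful of constructed connection rows. It assumes that, once any include line is present, a row must match at least one include, and that exclude lines are then applied on top; port ranges are not handled.

```python
from collections import namedtuple

# One row of the Currports display, reduced to the fields the filters use.
Conn = namedtuple("Conn", "process protocol local_port remote_port")

def parse_filter(line):
    """Parse one filter line into a tuple; raises ValueError on bad syntax."""
    parts = line.strip().lower().split(":")
    action = parts[0]
    if action not in ("include", "exclude"):
        raise ValueError(f"bad action in filter: {line}")
    if len(parts) == 3 and parts[1] == "process":
        return (action, "process", parts[2])
    if len(parts) == 4 and parts[1] in ("local", "remote", "both"):
        if parts[2] not in ("tcp", "udp", "tcpudp"):
            raise ValueError(f"bad protocol in filter: {line}")
        return (action, parts[1], parts[2], int(parts[3]))
    raise ValueError(f"unrecognised filter: {line}")

def matches(rule, c):
    """True if connection c is selected by the parsed rule."""
    if rule[1] == "process":
        return c.process.lower() == rule[2]
    _, side, proto, port = rule
    if proto != "tcpudp" and c.protocol.lower() != proto:
        return False
    ends = {"local": (c.local_port,), "remote": (c.remote_port,),
            "both": (c.local_port, c.remote_port)}
    return port in ends[side]

def apply_filters(lines, conns):
    """Assumed semantics: with any include line present, a connection must
    match one of them; exclude lines then remove matches from the result."""
    rules = [parse_filter(l) for l in lines if l.strip()]
    includes = [r for r in rules if r[0] == "include"]
    excludes = [r for r in rules if r[0] == "exclude"]
    return [c for c in conns
            if (not includes or any(matches(r, c) for r in includes))
            and not any(matches(r, c) for r in excludes)]

# Constructed sample connections (not captured from a real system)
SAMPLE = [
    Conn("svchost.exe", "TCP", 49152, 443),
    Conn("msedge.exe", "TCP", 49200, 443),
    Conn("msedge.exe", "TCP", 49201, 80),
    Conn("msedge.exe", "UDP", 49300, 53),
    Conn("unknown.exe", "TCP", 49400, 6667),
]
```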


Nice Touches
The icon bar gives you quick access to some useful functionality. For example, select a process, hit the red cross, and its connections will drop. This isn't recommended in normal use, but if you want to see if a piece of malware automatically re-establishes its connection it's what you need.

Select one or more processes and hit the floppy disk icon. This allows you to save all the data from those lines as a text file.

Drag and drop the target icon onto an application and it should highlight the processes for you. On a fresh installation of Windows 10 Home this didn't work, but your mileage may vary.

You can set and toggle the display filter with the next two icons. This second option is very useful in cases where you need to clear down the display to just the processes that interest you, then open it back up to all processes. 


The next two icons deal with copying the details for one or more processes into the paste buffer for inclusion in another document, and viewing a process' properties (double clicking also displays the properties).

Searching for strings is accomplished with the binoculars icon, which allows you to specify case sensitivity.

Finally, you can export the entire display into HTML format, which is then opened in your default browser.

All pretty interesting stuff, but what can you do with Currports other than satisfy your curiosity?


Using Currports
Currports comes into its own as part of the behavioural analysis of potential malware. If you've downloaded an older, unsupported application, it's immensely useful to see whether it's leaking information or calling home.

Depending on the type of infection, several things may happen. A botnet client will try to contact its command server for instructions, a payload and a target list. Ransomware might also call home for an encryption key, but much of it also explores your network looking for other machines with unprotected shares to hold hostage. If it does so, you'll see multiple connection attempts to lots of other addresses on the subnet.

It's not unusual for some forms of malware to open connections to the site router while attempting to find vulnerabilities to exploit. It's easier to attack your router from the inside of the network than from the (supposedly) hardened public side. If it can install a fake certificate or subvert DNS caching, it can redirect traffic to attack servers.

Many drive-by infections need somewhere to download and run their payloads. They can't use the system directories, so tend to use your temporary directory. In a similar vein, much of today's malware likes to masquerade as legitimate system processes, such as svchost.exe. A Svchost with a process path leading to your temporary directory instead of WINDOWS\System32 is clearly not legitimate, for example. Anything out of the ordinary (Excel making connections to Romania?) should be investigated.
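The checks in the last few paragraphs (a system process name running from outside System32, an executable in a temporary directory, a process talking to the router, one process probing the file-share ports of many hosts on the subnet) as an added Python example that is not part of the post or of Currports. The subnet, router address, temp paths, thresholds and sample rows are all constructed assumptions.

```python
import ipaddress

# Assumed environment for the constructed sample (not from the post).
SYSTEM32 = "c:\\windows\\system32\\"
TEMP_HINTS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER = ipaddress.ip_address("192.168.1.1")
SHARE_PORTS = {139, 445}

def triage(conns, spread_threshold=4):
    """Return sorted (process, reason) findings for Currports-style records.

    Rules follow the text above: a system process name outside System32,
    an executable in a temp directory, non-DNS traffic to the router, and
    one process reaching the file-share ports of many LAN hosts."""
    findings, share_targets = set(), {}
    for c in conns:
        name, path = c["process"].lower(), c["path"].lower()
        ip, port = ipaddress.ip_address(c["remote"]), c["remote_port"]
        if name in SYSTEM_NAMES and not path.startswith(SYSTEM32):
            findings.add((name, "system process name running from " + c["path"]))
        if any(h in path for h in TEMP_HINTS):
            findings.add((name, "executable located in a temporary directory"))
        if ip == ROUTER and port != 53:   # port 53 exempt: routers often relay DNS
            findings.add((name, f"non-DNS connection to the router on port {port}"))
        if ip in LAN and ip != ROUTER and port in SHARE_PORTS:
            share_targets.setdefault(name, set()).add(ip)
    for name, hosts in share_targets.items():
        if len(hosts) >= spread_threshold:
            findings.add((name, f"probing file shares on {len(hosts)} LAN hosts"))
    return sorted(findings)

# Constructed sample rows (process, image path, remote address, remote port)
SAMPLE = [
    {"process": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe",
     "remote": "198.51.100.20", "remote_port": 443},
    {"process": "svchost.exe", "path": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "remote": "203.0.113.7", "remote_port": 6667},
    {"process": "updater.exe", "path": r"C:\Users\bob\AppData\Local\Temp\updater.exe",
     "remote": "192.168.1.1", "remote_port": 80},
] + [
    {"process": "crypt.exe", "path": r"C:\Users\bob\AppData\Local\Temp\crypt.exe",
     "remote": f"192.168.1.{n}", "remote_port": 445} for n in range(10, 16)
]
```

Rows you save from Currports with the floppy-disk icon can be loaded into the same dictionary shape and passed to triage() in place of SAMPLE.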

There are also times where all hell seems to let loose, but which are completely benign. Windows Update, for example. For this reason, it's useful to install Windows in a VM, download and set Currports running, and just get a feel for what happens during various major operating system events. Also, install an antivirus product and watch the connections fly as it updates itself.

So, there we have it: a simple, useful utility to give you a clear 1,000-foot view of the connections being made. I may have missed one or two options, but if you have any interesting uses for Currports, please feel free to post them in the comments.



Friday, 14 October 2016

Interview With The Bank Manager

Pundits pontificating about online fraud is all well and good, but what do the banks think, and how do they protect us? 

To find the truth, we talked candidly to a branch manager from UK bank NatWest.


SE: First of all, what's the scale of the online fraud problem from the bank's perspective?


I won't lie. It's massive. We're always being told about phishing emails, and you can report them to us online. Scam phone calls pretending to be the bank and asking for your account details and passwords are also huge. Just to be sure, we never ask for passwords. No one does. Well, no one legitimate anyway.




SE: If you're scammed can you get your money back?

It all depends. The basic thing is if it's not a transaction you've made, it's fraud and we can help. If it's something you've done yourself that's it, the money's gone. Where it gets tricky is when you think you're signing up to a one-off payment but the small print says it's every month and you don't realise. It might be cleverly worded, but it's up to you to read what it is you're buying. If there's any doubt, don't do it or bring it in for us to check.


SE: How do you protect people's money in general? 

The monitoring systems now are really good. They put blocks on cards when something suspicious happens, and block dodgy transactions while we find out if they're legitimate. Tell us you're going to France for the week and we'll know not to block your cards if we see a cash withdrawal from Paris. If you tell us you usually go to France about now then we can keep the card active for you. It's just when we see things out of the ordinary that the system will react. A lot of the time people get their cards blocked on holiday because they forgot to tell us. It's a pain for them, but if you tell us what you're doing it's usually fine.



SE: We see a lot of "Make $2000 a month from home"-style spam. What's the scam there?


It's usually money laundering. A foreign gang wants your bank details to put money into your account, then you send it on to someone either at home or abroad but keep an agreed percentage as commission. It's an old one, that. Sometimes, they want you to physically receive and send on stolen bank cards as well, or ones that have been obtained fraudulently. But you're being used. Basically, if you're caught acting as a money mule, then you're as guilty as the bloke who gave you the money to carry. We have a legal obligation to report anything over a certain amount transferred from abroad into people's accounts. Again, it's one of the things the system looks for that's out of the ordinary.



SE: Can the banks stop people being duped into sending money to scammers abroad?


You mean like rich Nigerian princes and lottery wins that need a processing fee? At the end of the day, it's their money. We can only advise. We can say: look, we think this looks like a scam. But if they want to send it abroad then we have to do it for them. If it's a large amount, we'll ask them in to sit down and think is this really what they want. [We try to] find out how well they understand what they're doing and where they're sending it. We have had cases where people have lost considerable amounts because they're convinced it's real.



SE: What's the most outrageous thing you've seen?


I was asked to look at the cash machine outside the branch I was managing once, and there was a piece of wire hanging out of the card slot. That's all it was. But it prevented the card from being returned, so people walk off thinking the machine's swallowed it. You pull on the wire and the card pops out. It's called a Lebanese Loop.  Simple and easy. Once you've got the card you've got the expiry date and the CVV number on the back and you can go shopping.



SE: What's your personal message to customers?


Basically, it’s always a scam. If it looks like something where you think you can get one over on the sender, it's still a scam. These people aren't stupid. No one wants to give you free money. You haven't won a foreign lottery, either. There's no pot of gold. They may only want a small processing fee, but if they get a lot of fees, it's very profitable for them. Start with the idea that everything's a scam, ask us to confirm anything you get that you don't understand and you'll be alright.



SE: What other guidance is there for people?


There's lots about but it's a bit scattered. Barclays did a good TV advert about phone scams. We've published a really comprehensive leaflet about online scams in conjunction with the police that covers all the different frauds. You can download that, and we have a web site for reporting scams. But if you have any questions the best thing is to just call the bank or walk into a branch and ask. That's the best thing.

Tuesday, 4 October 2016

A Modest Proposal

IoT security is a mess, but who's to blame?
 

The internet of things is quickly becoming every cybercriminal's wet dream, especially given the release of the Mirai botnet source code. The cause is shockingly insecure devices, but can shaming manufacturers avert the coming chaos?
 

Last year, Symantec released a damning report revealing security flaws in common IoT devices. Some, like not using SSL to communicate and not signing updates, are shot through with incompetence and hubris. The report also described basic flaws in some IoT web portals. It's uneasy reading unless you're building a botnet, in which case it's pure gold.
 

Many IoT devices call home for instructions and updates but don't bother with chains of trust. Using ARP cache poisoning, an army of devices is yours to update with new firmware, and to then command.
 

So, how big is the coming IoT cyber-storm? According to Gartner, by 2020 there will be a staggering 13 billion IoT consumer items online. Driving this growth is a gold rush that will be worth $263bn to manufacturers by the end of the decade.
 

To put this into context, the recent 1Tb/s DDoS against French hosting provider OVH involved just 152,000 hacked devices. To borrow from Al Jolson, we ain't seen nothin' yet. 


We could simply build stronger defences, such as Google's Project Shield, but this does nothing to address the underlying problem: insecure products.
 

Cybersecurity professionals increasingly spend excessive time and energy defending against those products. And apart from bad publicity, there seems to be little consequence for manufacturers.

Ah, but surely responsible IoT companies provide updates as they become available? Well, yes. Up to a point.
 

Do your parents have any idea how to locate and install a firmware update from a support site? Mine neither. Why should they? They bought white goods, not a system administration course. By now, all IoT updates should just happen automatically, using a chain of trust that begins with code locked securely into the CPU and ends via client and server identity verification with cryptographically signed firmware images.
 

Online safety is at the heart of the problem. Consumers have a right to safe goods. IoT manufacturers have a responsibility to prevent their products harming others online. Do baby monitors that can be accessed by anyone sound safe to you?
 

The lamps in your lounge won't randomly explode and set the curtains on fire. They meet legally enforceable standards. But a smart lightbulb can be hacked. We live in a changed world, and mere lightbulbs serving ransomware is becoming possible.
 

It's not as if good IoT security is difficult to implement. Because of this, there's an obvious and urgent need to enforce legal cyber-safety standards against manufacturers. One potential and very detailed testing methodology comes from the OWASP Internet of Things Project.
 

My modest proposal is that IoT manufacturers be made to implement strong security in their products in order to offer them for sale. For this, we need independent testing bodies. Those products that fail would be denied a safety certificate, just like any other consumer item. Foreign imports would be subject to trading standards examination, with sellers facing prosecution for selling insecure goods just as they do for selling fakes.
 

Maybe then, as older devices fail and are replaced, the IoT will slowly revert to the consumer paradise it was meant to be.