Malware Virtual Test Environment: Fail-secure network isolation and VPN routing

There are many reasons you might need to isolate a PC or operating system from a local network. For example, I often work on live malware and ransomware and I want to minimise the risk to the rest of my network.

Many types of malware (ransomware for example) will attack local network devices. As such, a live malware instance can compromise your internal network. It is essential that you protect yourself from the increased risk from the active infection inside your network.

Malware will also try to communicate with Command and Control (C2) servers. This communication can pass along all sorts of data and because the data comes from your local network, it can also reveal your real-world IP address. Perhaps not such a good idea when dealing with malicious actors.

Fail-secure network isolation and routing

When I do any sort of malware research or network shenanigans, I make sure I’m configured so my home and office networks are not accessible from my testing machines. Christophe Tafani-Dereeper wrote an excellent blog post with detailed instructions on the subject.

To protect my identity from malicious C2 servers, I like to add an extra layer of protection. I use an anonymising VPN provider and a fail-secure firewall configuration. This means that if the VPN disconnects, the test network drops too and my test machines don’t keep spraying network traffic out through my regular internet connection.

The best way to accomplish isolation is to route all anonymous traffic through an intermediate router. For example, a Linux box can be configured to ensure that the simulated network’s only path out is the VPN tunnel. Consequently, if the VPN tunnel goes down, the firewall blocks all traffic to and from the ‘hidden’ machines.

Diagram: routing a virtual machine through a Linux router to direct all internal traffic over an anonymising VPN.

Virtual machines and network connections

The easiest way to get multiple machines up and running quickly is to use a virtual environment. I find Oracle VirtualBox perfectly fine for this purpose.

The basic configuration is to run up two virtual machines: a routing and analysis VM running Kali Linux with two network interfaces, and the isolated test machine, which connects to the ‘world’ through the Linux instance.

Address, OpenVPN and iptables rules

The magic of network isolation is accomplished on the Kali machine:

  1. The NAT interface (eth0) is allowed to see the world using the default local wired configuration; the internal interface adapter (eth1) is given a different IP address and subnet range.
  2. An OpenVPN link is established on the Kali VM. This starts a new tunnel network interface (tun0).
  3. The ‘hidden’ computer has an ‘internal only’ network adapter.
  4. The ‘internal only’ adapter has an IP address on the same subnet as the eth1 interface on the Kali VM.
  5. iptables firewall rules are configured to masquerade traffic on the tun0 interface, and to allow data between eth1 and tun0 (the isolated machine and the tunnel).
  6. Finally, the rules drop packets from eth1 to anywhere else, to stop the isolated machine seeing local resources.

iptables firewall rules that limit the connectivity of the internal eth1 interface:
# iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
# iptables -A FORWARD -i tun0 -o eth1 -m state \
           --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
# iptables -A FORWARD -i eth1 ! -o tun0 -j DROP
# iptables -A FORWARD -i tun0 -o eth0 -j DROP
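The rules above work by first-match evaluation, and anything they don’t name falls through to the FORWARD chain’s default policy. The Python script below is an added example of my own (not code from the original post) that models that evaluation for the page’s FORWARD rules, so the fail-secure property can be checked on paper: with the VPN down, the routing table sends the isolated machine’s packets towards eth0, and the `-i eth1 ! -o tun0 -j DROP` rule stops them. It also shows what the default policy does to an unsolicited packet arriving from the tunnel, and models a variant that is my addition, not the post’s (an explicit `-i eth1 -o tun0 -j ACCEPT` plus a DROP policy), which does not depend on the policy being ACCEPT. Interface names and conntrack states are the page’s; the MASQUERADE rule lives in the nat table and does not affect filtering, so it is left out.

```python
import shlex

# FORWARD-chain rules exactly as listed in the post (the nat-table MASQUERADE
# rule is not a filtering rule, so it is left out of the model).
PAGE_RULES = [
    "-A FORWARD -i tun0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A FORWARD -i eth0 -o eth1 -j ACCEPT",
    "-A FORWARD -i eth1 ! -o tun0 -j DROP",
    "-A FORWARD -i tun0 -o eth0 -j DROP",
]

# Assumed variant (not from the post): an explicit accept for isolated
# machine -> tunnel, so the chain can be run with a DROP default policy.
EXPLICIT_RULES = ["-A FORWARD -i eth1 -o tun0 -j ACCEPT"] + PAGE_RULES


def parse_rule(line):
    """Parse the subset of iptables syntax used above into a match dict."""
    tokens = shlex.split(line)
    rule = {"in": None, "out": None, "in_neg": False, "out_neg": False,
            "states": None, "target": None}
    negate = False
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            negate = True                      # applies to the next option only
        elif tok in ("-A", "-m"):
            i += 1                             # chain name / match module: skip
        elif tok == "-i":
            i += 1
            rule["in"], rule["in_neg"], negate = tokens[i], negate, False
        elif tok == "-o":
            i += 1
            rule["out"], rule["out_neg"], negate = tokens[i], negate, False
        elif tok == "--state":
            i += 1
            rule["states"] = set(tokens[i].split(","))
        elif tok == "-j":
            i += 1
            rule["target"] = tokens[i]
        else:
            raise ValueError("unsupported token: " + tok)
        i += 1
    return rule


def matches(rule, pkt):
    """True if every match option in the rule agrees with the packet."""
    for key in ("in", "out"):
        if rule[key] is not None:
            hit = pkt[key] == rule[key]
            if rule[key + "_neg"]:
                hit = not hit
            if not hit:
                return False
    if rule["states"] is not None and pkt["state"] not in rule["states"]:
        return False
    return True


def verdict(rules, policy, pkt):
    """First matching rule wins; the chain policy applies when none match."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy


def packet(in_if, out_if, state="NEW"):
    # out_if is the interface the routing table chose; when tun0 is down the
    # default route points at eth0, which is the fail-secure case to check.
    return {"in": in_if, "out": out_if, "state": state}


CASES = {
    "isolated -> tunnel (new)":         packet("eth1", "tun0"),
    "isolated -> eth0 (VPN down)":      packet("eth1", "eth0"),
    "tunnel -> isolated (reply)":       packet("tun0", "eth1", "ESTABLISHED"),
    "tunnel -> isolated (unsolicited)": packet("tun0", "eth1"),
}


def forward_verdicts(rule_lines, policy):
    """Map each test case to the verdict the FORWARD chain would give."""
    rules = [parse_rule(line) for line in rule_lines]
    return {name: verdict(rules, policy, pkt) for name, pkt in CASES.items()}


if __name__ == "__main__":
    for label, lines, policy in (("page rules, policy ACCEPT", PAGE_RULES, "ACCEPT"),
                                 ("explicit rules, policy DROP", EXPLICIT_RULES, "DROP")):
        print(label)
        for name, result in forward_verdicts(lines, policy).items():
            print(f"  {name:34s} {result}")
```

With the page’s rules and the stock ACCEPT policy, the VPN-down case is dropped as intended, but an unsolicited packet arriving from tun0 for eth1 matches nothing and is accepted by the policy; the explicit variant with a DROP policy closes that while keeping the same outbound behaviour.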

Bonus capabilities

Because you have a Kali Linux box in between your isolated environment and the rest of the world, you are perfectly positioned to sniff traffic, route data over Tor, or peek at secure connections with mitmproxy.

What success looks like

Screenshot: a successfully isolated machine showing ping results and its apparent IP address. When correctly routed, the isolated machine can ping the world but not any local network IP addresses, and its apparent ‘real-world’ IP address belongs to the VPN service provider.

With the correct configuration, you should be able to ping the ‘world’ from your isolated machine, but you shouldn’t be able to ping any local network resources. The network is safe, the bad guys can’t see your real-world IP address, and dropping the VPN link will also drop the link to the world.



Gone in 60 seconds: your phone is the Achilles heel of your security!

For many, the security of your online life relies on the security of your phone and phone number.

I’ve recently been speaking about the security of mobile phone numbers, and how losing your number can result in serious identity theft and account compromise.

Email providers, online stores, social media sites and others need to make it easy for us to ‘get back in’ when we forget our passwords, or lose access to our accounts. A common solution to resetting your password is to verify you through another email address, or by sending you a text message.

Phone number porting attack

Related: ABC Local Radio Interview – Louise Saunders interviewing Nikolai about mobile phone number porting scams (Feb 2017)

With phone number porting scams, the bad guys go into a mobile phone shop or online, and they ‘buy a new phone’ or SIM. The scammer tells their provider “hey, I want to port my old number across”. Surprisingly, usually all they need is: account name, date of birth and account number! If they know these things about you, it’s not hard to impersonate you as far as the phone company is concerned!

In Australia, the carrier is required (by law) to release your phone number pretty quickly. If the attacker managed to convince their carrier that they are you, they’ll soon have complete control over your mobile number.

Into Facebook with just a mobile phone

For those who have never done it, here’s a walk-through of how easy it is to recover a Facebook account if you have control of a mobile phone. Keep in mind that I never enter any detail other than the phone number.

Click on the “Forgotten Account” link under the Facebook login. Enter the phone number into the box:

Recover your account with mobile phone

Now select the phone number as the recovery method.

Sending a reset code to mobile

Here’s the SMS with a ‘password reset code’.

Facebook SMS Reset Confirmation Code

Enter the reset code into the password recovery page and then enter a new password!

Password Reset Success!

Done in one minute!

So if your phone is ported you’re in big trouble. But just losing access to your phone for 10 minutes can be enough. Does your phone display notifications on the lock screen? If so, your attacker just needs to see your screen to reset your passwords.

Codes nabbed from lock screen

Text messages are frequently displayed on the lock screen! No pin, fingerprint or password required!

Other sites are also guilty of weak SMS account reset

Password recovery via SMS is common among service providers. Even the Australian Government uses SMS to reset logins. They add one extra layer (a secret question), but how much have you shared on social media? Can someone guess the answer by searching your history?

Australian myGov “Recover Login”

Australian myGov Password Reset uses SMS!

Australian Government myGov – Secret Question

myGov password reset – extra security, a secret question

Using your mobile phone is indeed convenient for password recovery, but it’s not secure. Even the USA’s National Institute of Standards and Technology (NIST) has declared using SMS for “two factor” authentication a security risk!

Standards body warned SMS 2FA is insecure and nobody listened

What should you do?

It’s difficult! We need to be able to recover lost passwords, but your security is weakened if you provide your phone number to a site that uses SMS to send unlock or 2-factor authentication codes.

Less is best when it comes to what information you put out there. Personally I rarely share my phone number. But that’s not always an option; vigilance is necessary.

Don’t leave your phone laying around, don’t put your date of birth on your social media accounts. Limit what you share and keep an eye out for anything suspicious. Have a plan, think for yourself:

“How should I react if something suspicious happens to my mobile phone, or if my account has been stolen? What do I need to protect, who do I notify?”



Tech explained: Hash puzzles and proofs of work

Following my blockchain Computerworld article, I’ve been getting quite a few questions about how the Bitcoin blockchain is protected by ‘difficulty’. Mining blocks is hard, so what are miners doing that uses so much time, effort and power? They’re proving their work by solving hash-puzzles.

See also: Burning coin – estimating the energy use of the Bitcoin network in 2016.

Puzzles as Proofs of Work

Puzzles come in many shapes and forms: from the common jigsaw puzzle, to number puzzles, and even crosswords. Regardless of the type of puzzle, they all have some similarities: puzzles take time to solve, they have varying levels of difficulty, and most solutions are obvious and easy to check.

With most puzzles, it is possible to alter the difficulty by changing parameters. For example an easy jigsaw might have 100 pieces, while a difficult one has 5000 pieces.

The more difficult a puzzle is, the longer it will take to solve.

Similarly, hash-puzzles take time to solve, vary in difficulty, and are easy to check. However, unlike solving a jigsaw puzzle, logic doesn’t help. Hash-puzzles are much harder, and they can only be solved by trial and error.

How a hash works

A hash is like a fingerprint. It’s a massive, random-looking number that uniquely identifies a piece of information. Given any electronic data, it is possible to generate its hash (which looks like a very long serial number). Hashes are extremely sensitive to change: even a tiny change to the input results in a wildly different hash output.

See also: Tech explained: What is a hash, what is brute force and are hashes secure?

While hashes appear random and unpredictable, they are deterministic. For each input, only one hash output exists — every time I use the same hash inputs, the same output value will come out. Hash-puzzles rely on both the random and deterministic properties of hashes to prove and verify work.

Solve this

If I challenge you to roll a die until you see a two, each roll has a 1/6 chance of throwing a 2. If I gave you two dice and wanted double twos, the likelihood of that is 1/6 × 1/6 = 1/36 (and with three dice, 1/216). The difficulty increases exponentially, and the challenge takes longer to complete.

Screenshot: a short Python script that solves hash puzzles by trying random values (a nonce) until the hash result matches the rules of the puzzle. The difficulty of the puzzle is set by how many letters need to match the rules: a single letter is easy to match, but three letters start to take a long time!

I can do the same with a hash-puzzle. I can say “roll hashes until you find one starting with the letter ‘A’” (probability 1/64), or roll a hash that starts with something longer e.g.: “Hi” (1/4096) or “Dog” (1/262,144). The only way to solve the puzzle is to try random input values, perform the hash operation, and then look at the output to see if it matched the puzzle rules. If I want to make the puzzle take longer or require more resources, I just make the rule harder to match.

I can also require that you find a solution where the input starts with some pre-defined content. Your task is to append some random value to my starting content, hash, test and repeat. My input doesn’t affect your effort, but it does ensure you start from scratch.

Bitcoin puzzles

Bitcoin uses the transaction data, and ‘chains’ the previous block’s hash value in as a starting input for the next block. Miners then race to tack on massive random numbers until they find one that produces a hash matching a specific pattern at a certain level of difficulty.

The blockchain is protected from modification because the hash-puzzle takes (on average) about one hundred billion billion attempts to solve — more work than any individual is capable of producing. But the miners work in parallel, competing to solve the next puzzle — thousands of miners rolling the hash-puzzle dice over a million-million-million times per second.
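The script in the screenshot isn’t reproduced on the page, so here is an added Python example of my own (not the post’s script) that does the same job and also covers the ‘pre-defined content’ and block-chaining points above. It rolls hashes by appending a counter (the nonce) to a fixed starting string, base64-encodes the SHA-256 digest so that each output character is one of 64 symbols (matching the 1/64-per-letter odds used above), and stops when the output starts with the target letters. The starting string stands in for the content the challenger supplies (in Bitcoin, the previous block’s hash plus the transaction data); `check_solution` is the cheap verification side and `expected_attempts` is the 64^n estimate. A sequential counter is used instead of random values so runs are reproducible; the prefix and target strings are constructed sample values, and targets must use the base64 alphabet.

```python
import base64
import hashlib
import time


def puzzle_hash(prefix: str, nonce: int) -> str:
    """Hash prefix+nonce and base64-encode the digest, so each output
    character is one of 64 symbols (a 1/64 chance per required letter)."""
    digest = hashlib.sha256(f"{prefix}{nonce}".encode()).digest()
    return base64.b64encode(digest).decode()


def check_solution(prefix: str, nonce: int, target: str) -> bool:
    """Verification costs one hash: anyone can confirm the work instantly."""
    return puzzle_hash(prefix, nonce).startswith(target)


def solve(prefix: str, target: str, max_attempts=None):
    """Trial and error: try nonces 0, 1, 2, ... until the hash starts with
    `target`. Returns (nonce, hash, attempts), or None if the budget runs out.
    Changing `prefix` (the challenger's content) invalidates all earlier work."""
    nonce = 0
    while max_attempts is None or nonce < max_attempts:
        h = puzzle_hash(prefix, nonce)
        if h.startswith(target):
            return nonce, h, nonce + 1
        nonce += 1
    return None


def expected_attempts(target: str) -> int:
    """Average number of rolls: 64 possibilities per required letter."""
    return 64 ** len(target)


if __name__ == "__main__":
    # Constructed stand-in for "previous block hash + transaction data".
    prefix = "prev=0000abcd;tx=alice->bob:5;"
    for target in ("A", "Hi", "Dog"):
        start = time.perf_counter()
        nonce, h, attempts = solve(prefix, target)
        elapsed = time.perf_counter() - start
        assert check_solution(prefix, nonce, target)
        print(f"target {target!r}: nonce={nonce} attempts={attempts} "
              f"(expected ~{expected_attempts(target)}) hash={h[:12]}... "
              f"{elapsed:.2f}s")
```

Each extra target letter multiplies the expected work by 64 while verification stays at a single hash, which is the asymmetry that makes the puzzle usable as a proof of work.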

Hash-puzzles are an elegant solution that provides security to the Bitcoin blockchain.




Scraping Data with Python and XPath

I decided to write a short post about how I use Python and XPath to extract web content. I do this often to build research data sets. This post was inspired by another blog post: Luciano Mammino – Extracting data from Wikipedia using curl, grep, cut and other shell commands.

Where Luciano uses a bunch of Linux command line tools to extract data from Wikipedia, I thought I’d demonstrate pulling the same data using Python and XPath. Once I discovered using XPath in Python, my online data collection for research became a whole lot easier! Continue reading

Tech Brief: Anonymising sensitive data with entropy and salt.

As researchers or programmers, we will often want to protect our data by anonymising sensitive information like names and addresses. To do this, we can combine pieces of user data to make an ‘anonymous’ key that can be used in place of the sensitive information. Instead of referring to “Jane Smith of Drury Lane”, Jane could have a nonsense identifier like “675AF3C”, which can be used throughout our study.

(Want more info? See security brief: Statistical Linkage Keys and Security)

Anonymising data with hashes and entropy

A common method for anonymising fields such as name and date of birth is to combine them with a hash function. But, because secure hash functions are ‘deterministic’, they produce the same identifier for the same set of input data. If we have limited hash inputs, we will have a limited range of possible outputs; if we limit things too far, an attacker can run a brute force search to identify our original inputs. Continue reading

Security Brief: The Australian Census and Statistical Linkage Keys

There have been concerns among security professionals and privacy advocates about changes to the Australian 2016 Census. The biggest concern is how the ABS plans to combine your private data. The ABS will link your Census records across multiple products, services and share it with other government departments.

In the past, this has never been a problem because the ABS never used our individual name and address data. Consequently, people could answer uncomfortable questions honestly, with the knowledge that even if data were to leak, there would be no way to link it back to them.

The Census Data Statistical Linkage Key (SLK)

This year that has changed: the ABS has revealed plans to assign Australians a unique identification number called a Statistical Linkage Key or SLK. Continue reading

Tech explained: What is a hash, what is brute force and are hashes secure?

Identifying Data

Security professionals often use hashes to represent data – think of it like a unique fingerprint or “key” for the data. While there are many ways to make data keys (we could assign them sequentially, or pick them at random) hashes provide a way to build a unique key from the data itself.

The purpose of a key is to allow us to reference a piece of data. Perhaps we need a key to identify movies; we could define a data key as:

- the first letter of each word in the title,
- directors initials
- and the year of release.

So, Indiana Jones and the Temple of Doom, by Steven Spielberg (1984) would have the key: IJATTODSS1984.

This key is pretty simple and easy to reverse. Because we know the key (IJATTODSS1984) and how it’s made, we can identify the movie by searching the Internet for releases in 1984, and directors with the initials S.S. This key is also not guaranteed to be unique, Continue reading

Security concerns and Census Statistical Linkage Keys explained

An in-depth explanation regarding the security surrounding statistical linkage keys, why they’re important and how their security can be compromised…

The security of the Australian 2016 Census has sparked much debate and consternation among privacy advocates and security professionals alike. At the core of these concerns is a move by the Australian Bureau of Statistics (the ABS) to start linking census records to other data. The mechanism proposed for linking records and data is a ‘random looking’ Statistical Linkage Key. We have been told that the linkage key is secure and will be ‘hashed’ to make it irreversible – but what exactly does that mean, and how does it secure your data?

Introducing the Statistical Linkage Key

Statistical Linkage Keys or SLKs have been used frequently by people doing data research; they provide some very basic anonymity, and a sanity check on the data, while retaining a way of identifying an individual throughout a study.

The Australian Bureau of Statistics publishes a standard called the SLK581 cluster. It defines a method for turning “Jane Smith 01/01/2007 Female” into a random-looking serial number like “MIHAN010120072”. Continue reading
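As an added example (my code, not the ABS’s or the post’s), the script below builds an SLK-581-style key from name, date of birth and sex using the layout I understand the standard to use: letters 2, 3 and 5 of the family name, letters 2 and 3 of the given name, the date of birth as DDMMYYYY, and 1 for male or 2 for female, padding with ‘2’ where a name is too short. Treat that layout as an assumption. It then illustrates the point of the ‘entropy and salt’ brief above: hashing the SLK with plain SHA-256 gives a deterministic key that anyone who knows the name and sex can recover by guessing the date of birth across a range of years, whereas keying the hash with a secret the attacker does not hold (HMAC-SHA256, my choice of construction) makes the same search fail. The names, dates, year range and secret are constructed sample values.

```python
import hashlib
import hmac
from datetime import date, timedelta


def slk581(family: str, given: str, dob, sex: str) -> str:
    """Assumed SLK-581 layout: family-name letters 2,3,5 + given-name letters
    2,3 + DDMMYYYY + sex code (1 = male, 2 = female); '2' pads short names.
    `dob` may be a date or an ISO 'YYYY-MM-DD' string."""
    if isinstance(dob, str):
        dob = date.fromisoformat(dob)

    def letters(name, positions):
        name = "".join(c for c in name.upper() if c.isalpha())
        return "".join(name[p - 1] if p - 1 < len(name) else "2" for p in positions)

    sex_code = "1" if sex.upper().startswith("M") else "2"
    return letters(family, (2, 3, 5)) + letters(given, (2, 3)) + dob.strftime("%d%m%Y") + sex_code


def plain_key(slk: str) -> str:
    """Unkeyed, deterministic hash: the same SLK always yields the same key,
    so anyone who can guess the inputs can regenerate it."""
    return hashlib.sha256(slk.encode()).hexdigest()[:16]


def keyed_key(slk: str, secret: bytes) -> str:
    """HMAC under a secret held only by the study: without the secret the
    key cannot be regenerated, however small the input space is."""
    return hmac.new(secret, slk.encode(), hashlib.sha256).hexdigest()[:16]


def brute_force_dob(target, family, given, sex, year_from, year_to, keyfunc):
    """Attacker model: knows name and sex, guesses every date of birth in
    [year_from, year_to] and re-derives keys with `keyfunc`.
    Returns (matching date or None, number of guesses made)."""
    day, last = date(year_from, 1, 1), date(year_to, 12, 31)
    attempts = 0
    while day <= last:
        attempts += 1
        if keyfunc(slk581(family, given, day, sex)) == target:
            return day, attempts
        day += timedelta(days=1)
    return None, attempts


if __name__ == "__main__":
    jane = slk581("Smith", "Jane", "2007-01-01", "F")     # constructed record
    print("SLK:", jane)                                    # MIHAN010120072

    leaked = plain_key(jane)
    found, tries = brute_force_dob(leaked, "Smith", "Jane", "F", 2000, 2010, plain_key)
    print(f"plain hash: recovered DOB {found} after {tries} guesses")

    secret = b"constructed-study-secret"                   # kept off the dataset
    leaked = keyed_key(jane, secret)
    # The attacker lacks the secret, so the best they can do is the unkeyed hash.
    found, tries = brute_force_dob(leaked, "Smith", "Jane", "F", 2000, 2010, plain_key)
    print(f"keyed hash: recovered DOB {found} after {tries} guesses")
```

The search space here is only a few thousand dates, so the unkeyed key falls in well under a second; the keyed version survives the same search not because it is slower but because the attacker cannot compute it at all without the secret, which is why that secret has to be stored away from the anonymised dataset.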

Your broadband router is not as secure as you think it is

Patryk Szewczyk, Edith Cowan University and Nikolai Hampton, Edith Cowan University

Between your home network and the internet sits your broadband router. This humble device is often overlooked, yet it is also your first line of defence against hackers, malware and viruses.

It’s easy to assume that the latest firmware for your router will provide protection against cyber threats. However, our new research has found that even the latest broadband router firmware remains dangerously vulnerable to attack.

A simple overview of what makes your router go.
Nikolai Hampton, CC BY

Firmware is the operating system and software that controls all the features of your router, from the blinking lights and configuration options, to advanced network security features. Continue reading

Is someone watching you online? The security risks of the Internet of Things

Patryk Szewczyk, Edith Cowan University and Nikolai Hampton, Edith Cowan University

The range and number of “things” connected to the internet is truly astounding, including security cameras, ovens, alarm systems, baby monitors and cars. They’re all going online, so they can be remotely monitored and controlled over the internet.

Internet of Things (IoT) devices typically incorporate sensors, switches and logging capabilities that collect and transmit data across the internet.

Some devices may be used for monitoring, using the internet to provide real-time status updates. Devices like air conditioners or door locks allow you to interact and control them remotely. Continue reading