ذا ميستيريوس كيس اوف الشركات اللي اتنصب عليها في ملايين

على مدار السنة اللي فاتت ، اشتغلت مع كام شركة اتنصب عليهم في كام مليون حلو كده ، الشركات كلها اتنصب عليهم بنفس الطريقة و نفس الاسلوب ، و للاسف رغم انه الخدعة بسيييييطة جدا الا انها صعب جدا كشفها و فعلا جهنمية ، خلينا نشوف

خطوة رقم 3: يوزر بيكون مش راجل تيكنيكال ، بيكون في العادي بيبعت و بيحول فلوس للخارج ، بيجيلو ايميل تقليدي جدا من شركة هو بيتعامل معاها لاوردر جديد و كل حاجة ، الايميل من ايميل الشركة

خطوة رقم 4: بتفضل الايميلات رايحة جاية عادي ، لحد وقت الاوردر بيجي طلب تغيير الحساب اللي بيتحول ليه الفلوس و تفاصيل التحويل الجديد

لحظة ، هو فين رقم واحد و اتنين ، اتقل…

او في وسط الكلام العادي بيجي ايميل من المورد بطلب تغيير الحساب اللي حاتتحل عليه الفلوس ، طلب عادي من ايميل شركة المورد ، و هنا اليوزر الغلبان بيبص على الايميل ، فعلا من ايميل الشركة ، فيبعت يرد عليه يقوله ممكن تأكد التغيير ، فعلا يجيله التأكيد و هوب يحول الفلوس و بخ

في شركة اعرفها اتنصب عليها في مليون و نص ، و واحدة تانية في 2 مليون ، و في شركة كان حايضيع منها 5 مليون

بس فين المشكلة…..ازاي ده بيحصل….تعالى نشوف

لو شوفت الصورة الاولى ، ده ايميل تقليدي بسيط من ايميلي على الاوتلوك لايميلي على الاوتلوك ، الايميل شكله عااااادي جدا ، بص و راجع كويس

طيب حدوس

Reply

الايميل شكله عادي برضو و تقليدي في الصورة التانية ، ب بص تاني كده ، ستوووووووووووووووووووووووب

بص كويس في الصورة التانية ، في حرف متغير في الايميل ، واخد بالك

بدل

Outlook

بقت

Outluok

و هي دي الثغرة اللي اليوزر الغلبان مش بياخد باله منها خااااااااااااااااااااااااااااااالص

تعالى نبص تاني كده للسيناريو بشوية تفاصيل:

خطوة رقم 1: بيكون حصل اختراق للكومبيوتر في مكان ما اما عند الشركة او المورد و حد شاف الايميلات بين الشركات و عرف طريقة صرف و تحويل الفلوس و الاوردر و فضل لابد في الذرة

خطوة رقم اتنين ، فضل مستني لحد ما اوردر معين حايتحط او تحويل فلوس حايتم و هنا الهاكر يبتدي شغله ، يبعت ايميل من الايميل سيرفر بتاعه بس يضيف في الايميل اللي بيتبعت

Header

بسيط اسمه

Reply-to

في الصورة التالتة حتشوف اني ضفت الهيدر

هنا اما بيجي الايميل في الخطوة 3 ، فهو بيجي شكله من الشركة و طبيعي بطلب تغيير الحساب او تحويل فلوس او او او ، و هنا الراجل بيرد عادي و يطلب التأكيد ، هنا يشتغل ال

Reply-to

و بدل ما يروح الايميل على الايميل اللي في ال

From

بيروح على ال

Reply-to

اللي فيه حرف بسيط متغير اليوزر غالبا مش بياخد باله منه ، ده مش حاجة معقدة لانه ده دور ال

Reply-to

انه بتقول انه الايميل ده جاي من ايميل ، بس الرد يروح لايميل تاني ، بتلاقي الكلام ده كتير اوي في الكساتمر سبورت و الكول سنتر

يبتدي بقا النقاش يتم على الايميل الجديد و الراجل مش واخد باله من حاجة و يجيله التأكيد و كله في السليم و الفلوس تتحول و كل سنة و انت طيب

هل الموضوع ده مؤثر ، فشخ ، و اكتر من شركة اعرفها تم النصب عليها بالشكل ده في ملايين….

طب و الحل يا مرسي ؟!

الموضوع ده معقد اوي لانه ال

Reply to

من ضمن الحاجات التقليدية و الستاندارد بتاعت الايميل هيدرز ، يعني منقدرش نقول انه اي ايميل فيه

Reply-to

يبقا سبام ، مش صح ، ففي عامل مهم جدا على اليوزر ، اضف انه لازم تعمل بروتكشن محترم بيعمل

Anti Spoof

و ان كان الانتي سبوف كان شغال في الحالات دي كلها و مقدرشي يمسكها

مراجع:

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide

a Slick Way to to bypass Terminal Services Remote Apps/ Citrix XenApp to gain access to command line from Internet Explorer

Today, a friend of mine who works in our security team, shared with me a slick way to bypass published applications (in our case IE) to gain command line and PowerShell access.

Although users will have access based on his permissions; so if he is a user he won’t be able to do much, yet , in my opinion it bypasses the hall point of Remote Apps/ Citrix XenApp and gives the user access to execution capabilities on the server, if he is a knowledgeable enough, he will be able to compromise the server.

Setup:

XenApp 6.5 Server on Windows Server 2008 R2 with all patches installed, Only IE published.

How to:

Since IE is published only, we assume that user has no execution capabilities on the server, to gain access to PowerShell or command line, do the following:

• From IE open help.
• Within help, search for notepad.
• click on How I can How can I use my devices and resources in a Remote Desktop session?



• Scroll down and click open notepad

• once note pad opened (note that we have access to another application now), type in the file PowerShell and save the file as filename.bat.
• once you saved the file, from Internet Explorer choose, file, Open and open the saved file and voilaaaa, you have powershell and cmd access.

although we can discuss for years if this is a security issue or not, I believe it is for some organizations and it sheds some light on a area where people can bypass a specific published application and gain execution mechanism on servers, Any thoughts ?!

Thoughts on DLP in modern business…

What does it mean to implement DLP?? So far as I have seen; each vendor has his own view on how to enforce DLP within the organization and how to manage it.

The reason of what brought DLP to the surface is that I had a discussion with one of my customers on DLP enforcement and how to manage it within his infrastructure. While reviewing Email encryption solutions by Sophos and Symantec last week; I found that each vendor has his own concept “if we may call it like that” on DLP and how to manage and enforce it.

First, let me state my own view of DLP; DLP is a technology that helps the organization to own the information/data and prevent leaking those information/data out.

Modern information/data is stored in different locations now, some examples:

– ERP/CRM data.

– Email, Office files, PDF documents.

– SharePoint and similar portals.

– Laptops, USB memory sticks, and portable hard disks.

Helping any organization to control data on the above sources is not easy and could be done in several manners and ways, based on my findings; I will share some thoughts with people thinking about rolling out DLP in their infrastructure:

– DLP is not controlling physical ports (USB, serial, firewire ports..Etc).

– DLP is not DRM nor Encryption.

– Permissions help in controlling the data access, but when the data is accessed; a malicious consumer of the data could share them with 3^rd parties or leak them out either intentionally or unintentionally.

– Internal users do most of the hacks/leaks.

– Encrypting the data might help in DLP, but will not help in controlling what happens if a malicious user decrypted them or encryption algorithm is broken, Also encrypting the data might not help when the organization need to share All/some data with authorized 3^rd party.

– If the IT department secured physical ports/access, what about leaking the data out using corporate emails or worst, personal emails.

– How you will classify data as corporate and how you will classify data as none-corporate.

– Data classification is suitable for data stored in shared folders, but what about data in SQL/Oracle databases or data copied from documents and sent as emails.

– How data will be shared with 3^rd party and secured outside the organization’s control circle.

– Monitoring, logging and alerting, and feeding other 3^rd party security applications that are used by the security team.

– What about endusers experience, do we need any input from users?

– What about data in the cloud?!

As you can read from the above, DLP will never be a single solution/technology, DLP is a mix of solutions, technologies and processes that govern the data inside the corporate.

Hope that the above thoughts will shed some light and ring some bells in your head when thinking about DLP.

How to configure RSA SecureId 130 Appliance to integrate with Active Directory

In this lab we will configure the RSA SecureID 130 appliance to integrate with AD and allow users to login using their tokens to AD, here are the steps to setup the appliance:

Setting up the Device:

the RSA appliance can be setup either as primary or secondary, the primary mode if either standalone or used in conjunction with the secondary one to provide HA, in our setup we will setup the primary device.

setting up the device is fairly simple, connect the device to the network, it comes pre-set with the IP 192.168.100.100, you will connect to that IP and set it up:

the wizard walks you through the initial setup wizard, where you import license file that came with the appliance, set the date and time, set the OS password, set the superadmin password, configure networking, after that it will take around 10 minutes to setup the device and reboot to start with the new configuration.

once rebooted, you can login to the operations console, you can access it using any web browser and browse to: :7072/operations-console">https://<IP Address>:7072/operations-console

once you login and to integrate with AD, you need to configure identity sources, to do so go to Manage Identity Sources .

Click on add new identity source

the add new identity source wizard opens, and it allows you to add your identity source, in our case we are using Microsoft Active Directory, enter the AD information including a dedicated username and password to connect and manage AD (in this lab I am using the administrator account please make sure to use a dedicated account in production environment), and click on test connection to verify your settings.

once successfully, you will be prompted with map wizard, this wizard will allow you to map AD attributes to AD (make sure not to include user base DN or Group base DN if you are adding a global catalog) confirm the attribute mapping and click next

now you will have your identity source configured

now you will login to the security console, and configure the realm,

now go to Realm management and create a new one for the AD or choose edit and include AD in the existing realm

now from the security console, you can go for token management and search for your tokens that you have imported you will find them in the console

now you can search for a user and assign the token to him

the final step is to install the RSA client on the machine the user will login (local machine or XenApp Server for example), once the client installed it will disable the AD password login and will require the user to login using the token, these settings can be set using GPO or registry.

Note: for some reasons the latest version of the client didn’t work with me so I used the previous version which worked great, but it requires registry editing to enforce RSA login GINA.

hope that this quick guide helped you out.

Your Social Presence and Community responsibilities in relation to scams

Social Media usage is increasing dramatically, it is a fact and no one can deny it, even a lot of corporates encaurages Social Media use during work with a lot of recent studies that proves major losses within corporates that ban the use of SM.

But with increased use of SM usage there are lot of security threats that comes within that, a lot of recent scam messages appeared lately on Facebook, and last week I started noticing same scam messages on LinkedIn as well.

not mentioning the security threat associated with those scams for stealing your personal infomration, there are 2 factors captured my attention, 1) your social image, 2) your community responsibilities.

A lot of us uses the social media to enhance his image and demonstrate his expertise within the perimeter of his friends/colleagues and cross the barriers to reach other organizations and professional through out the world, but what will happen to this image and efforts when your friends or connections see you sharing sexual contents, posting inappropriate contents or worst inviting them to do the same or visit specific page that displays those contents.

Of course you are not the one who is posting or sending those messages, it is the damn scam who tricked you to click somewhere and “baaam” all of your contacts and connections are receiving these messages, but don’t you see the risk?.

What will happen if you are trying your best to be a celebrity within your fields and your fans, followers, friends and worst boss gets those, all of your efforts will be gone in vain.

What will happen if you are considered a trustworthy person and started sending those messages and posting those links and your friends and followers started to get infected as well because they trusted you.

In my opinion, there is a specific but unmeasured responsibility for your usage for social media either for fun or professionally, you should be aware that not every message you can post and not every received link you can click, again this is not measured but definitely it is there and you should be aware of that.

I am posting this to all of my friends who are unintentionally sending and posting those spam messages, because it damages your social image and online credibility.

stay safe…

#Lync #OCS #ucoms Restricted OCS Deployment ports requirements and firewall rules details

we have been working with the OCS PG last week in preparing a detailed table for ports requirements and firewall configuration for restricted OCS deployments.

the difference in this table that we have detailed as much as we can the different communication ports and firewall requirements for all of the segmented including internet, internal and enterprise voice communications.

we also detailed the ports and communication paths so it can be reader-friendly for the Security/Firewall engineers.

the wiki assumes that servers are deployed in the same VLAN and separated by a very restricted firewall configuration, Edge is deployed in the DMZ and again restricted firewall configuration is required.

currently the document still being reviewed, but if you are interested in following it you will find it on the wiki, here http://social.technet.microsoft.com/wiki/contents/articles/ocs-2007-r2-firewall-port-settings.aspx, we will be publishing another one for Lync as well linked to the wiki.

we will validate the wiki this week at a customer location and we will publish the updates later.

Reference: http://www.shudnow.net/2009/08/29/office-communications-server-2007-r2-audiomedia-negotiation/

Thanks to Tom, Rick and Rui for their support during creating this wiki.

well done ya kimooooooooooo