Issue2 Mar2010 | Page-1
APT1: One of China's Cyber Espionage Units

In the Information Age it won't sound far-fetched if we're told that an entity is involved in cyber espionage on a global scale. But it's a whole other story if we're told that this cyber espionage is funded by the government of an emerging economy.

Mandiant is a security company that investigates cyber security breaches around the world. Many of these security breaches are caused by Advanced Persistent Threats (a term coined by the US Air Force in 2006), meaning that these threat actors have advanced capabilities and are obstinate in the face of security.

In January 2010 Mandiant published an interesting theory that these APTs may be funded by the Chinese government; however, they did not have sufficient evidence to prove it. In 2013, Mandiant published another report on APT1 which primarily blames the Chinese government for being involved in funding cyber espionage activities around the globe, and contains the supporting technical evidence.

Mandiant's VP says: "We've provided all the evidence here. This is something our industry needs to do more of. Mandiant is proud to participate in this kind of information sharing. We are not issuing a one page baseless accusation; we're providing 60 pages of evidence and over 3000 technical indicators like IP addresses, domain names and encryption certificates. We welcome scrutiny and invite other researchers to take a look at the evidence and we are confident they will arrive at the same conclusion."

Gist of the Mandiant Report:

- There are more than 20 APT groups in China; however, the report focuses on one of them (referred to as APT1), which is the most prolific.
- APT1 has direct government support and is similar in its characteristics to the PLA's Unit 61398 of the Chinese Army, and has the same location.
- This Unit 61398 is located at Datong Road, Pudong New Area, Shanghai.
- This building, estimated to be inhabited by thousands of people, is a 130,663 square foot facility with 12 stories (see Figure 1).

Figure 1: APT1 Building (Source: Mandiant APT1 Report)

Facts about APT1:

- Special fiber optic communication facilities are provided for this unit in the name of national defense. Mandiant was able to locate a scanned China Telecom memo on the Internet which talked about approval for providing the requested channel "...since this is concerning defense construction".
- The professionals inside the building (the APT1 actors) are trained in computer security and have proficiency in the English language (these APT actors need to carry out social engineering attacks like formulating a spear phishing email, which requires clever use of the English language, since mostly English-speaking countries are targeted). This is a stable day job for them.
- APT1 established a minimum of 937 Command and Control (C2) servers
  o hosted on 849 distinct IP addresses in 13 countries.
  o The majority were registered to organizations in China (709),
  o followed by the U.S. (109).
- In the last several years Mandiant has confirmed 2,551 FQDNs attributed to APT1.
- Between January 2011 and January 2013 Mandiant confirmed
  o 1,905 instances of APT1 actors using their attack infrastructure
  o from 832 different IP addresses.

Figure 2: Noted APT1 Victims over the years (Source: Mandiant APT1 Report)

Figure 3: Industries compromised by APT1 (Source: Mandiant APT1 Report)

Figure 4: Global Distribution of APT1 Servers (Source: Mandiant APT1 Report)

Figure 5: APT1 Servers Distribution in China (Source: Mandiant APT1 Report)

APT1 Attack Methodology:

A typical APT1 attack begins by sending a spear phishing e-mail to the victim. These emails seem to have official language and themes (suggesting their authenticity) and carry a malicious attachment; for example, an APT1 backdoor that appears to have a .pdf extension and icon, which is actually 119 spaces after ".pdf" followed by ".exe". When the unsuspecting victim opens the attachment, the backdoor does its job and gives control to the APT1 actor.

Figure 6: APT1 Attack Lifecycle (Source: Mandiant APT1 Report)

As the main purpose of APT1 actors is to steal confidential documents, once access is obtained to victims' systems, documents are gathered and zipped into a password-protected rar archive. Then this rar archive is sent to the APT1 actor.

Captured attacker session video

This video given by Mandiant shows an active attacker's session:

- The hacker makes an operational email account on Gmail (named "dota"). First he tries to fake his location and enters USA, but then notices that Google requires mobile verification before you can create the account. So now he enters his country as China and provides a cell phone number that is located in Shanghai, China.
- dota then logs in to his email account; this email account is used for spear phishing and generating more email accounts.
- Installing Command and Control Server: dota checks a RAT called Ghost on his own system in Shanghai. We can see that this Ghost RAT has a GUI with features like keylogger, file manager, screen capture, webcam capture, remote shell and voice chat.
- Another APT actor uses a web C2 (command and control) server. This has a command line interface. The APT actor uses this client to list the incoming connections from a victim computer, and two victim computers check in.
- The APT actor can be seen using the stolen credentials to log into a mail exchange server and list the inbox contents, which show the message numbers and the size of the messages.
- The APT actor goes to an FTP server and downloads lightbolt, then uses this tool to steal files from the victim machine. The lightbolt tool stores stolen files in a password-protected rar archive, which is then uploaded to an FTP server.
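The padded double-extension trick described in the attack methodology above is easy to screen for at a mail gateway or attachment sandbox. The following Python is added here as an example (it is not code from the article or from the Mandiant report): it classifies an attachment name by the extension the operating system will actually honour and by any whitespace padding between a decoy extension and the real one; all sample names are constructed.

```python
import re

# Extensions Windows treats as directly executable when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "msi", "jar"}

# The double-extension trick: a decoy extension, a run of whitespace
# (ASCII or Unicode, so en/em spaces are caught too), then the extension
# the OS actually honours at the very end of the name.
_PADDED_DOUBLE_EXT = re.compile(r"\.([A-Za-z0-9]{1,5})(\s+)\.([A-Za-z0-9]{1,5})$")

# Constructed sample names (not taken from the report). The first one mimics
# the trick the article describes: ".pdf", 119 spaces, then ".exe".
SAMPLE_NAMES = [
    "Quarterly_Report.pdf" + " " * 119 + ".exe",
    "invoice.pdf",
    "photo.jpg .scr",
    "notes.txt",
    "update.docx\u2002\u2002.exe",
    "report.pdf .zip",
]


def real_extension(name: str) -> str:
    """Extension the OS will act on: text after the final dot, lowercased,
    ignoring any path components a mail client may have left in the name."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].strip().lower()


def analyze_attachment_name(name: str) -> dict:
    """Classify one attachment filename.

    verdict:
      "block"  - the honoured extension is executable, whatever the decoy says
      "review" - a decoy extension is followed by whitespace padding and
                 another extension (suspicious even if not executable)
      "allow"  - nothing suspicious in the name itself
    """
    real_ext = real_extension(name)
    decoy_ext = ""
    padding = 0
    m = _PADDED_DOUBLE_EXT.search(name)
    if m:
        decoy_ext = m.group(1).lower()
        padding = len(m.group(2))
    if real_ext in EXECUTABLE_EXTS:
        verdict = "block"
    elif padding > 0:
        verdict = "review"
    else:
        verdict = "allow"
    return {
        "name": name,
        "real_extension": real_ext,
        "decoy_extension": decoy_ext,
        "padding_chars": padding,
        "verdict": verdict,
    }


def screen_attachments(names):
    """Return the verdict records for a batch of attachment names."""
    return [analyze_attachment_name(n) for n in names]


if __name__ == "__main__":
    for rec in screen_attachments(SAMPLE_NAMES):
        shown = rec["name"] if len(rec["name"]) < 40 else rec["name"][:20] + "..." + rec["name"][-5:]
        print(f"{rec['verdict']:6} real={rec['real_extension']:4} "
              f"decoy={rec['decoy_extension']:4} padding={rec['padding_chars']:3}  {shown}")
```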

Case Study: China believed to have copied the MQ-1 Predator drone through cyber hacking

QinetiQ North America (QQ) is a world leading defense technology and security company providing satellites, drones and software services to the U.S. Special Forces deployed in Afghanistan and the Middle East. In 2009, China had almost complete control over QinetiQ TSG's computers, stealing 1.3 million pages of documents and 3.3 million pages of Microsoft Excel containing TSG's code and engineering data. These documents were believed to have been used by the Chinese to build the MQ-1 drone.

Is China really doing it? Are they admitting it?

China says: "We have said repeatedly that such attacks are transnational and anonymous and determining their origins is extremely difficult." So they are firmly denying the accusation.

The approach is indirect. First the hacker would compromise a US server, then use that for further attacks. The security people would visit that server, sit there and trace back the activity. After all this evidence, there's no way for them to deny it, but they dare not admit the cyber espionage. The thinking may be that America is doing that all the time, so let us too.

The most damning evidence against China is the attackers' infrastructure from which they launch attacks: 98% of the time they were logging in from that one block in Shanghai, and 97% of the time they were using the Chinese character set on their systems.

News groups like CNN were stopped from trying to take pictures of the building and were chased by Chinese military guards. Finally the footage was confiscated (see Figure 8).

Figure 7: MQ-1 Predator Drone

Figure 8: Chinese military guards chasing the CNN news crew around the APT1 building

Skepticism around the Mandiant report

Some security researchers are raising eyebrows at this report, mainly because there are a lot of ways in which an attacker of this level of sophistication would hide his/her location. So why did they not cover up their tracks better? Some agree that the attacks originated in China but are doubtful of their connection with the Chinese government. The attacker session video released by Mandiant shows the attacker using common attack tools like Ghost RAT that are freely available over the Internet, which is in contradiction to the Advanced Persistent Threats that we are talking about.

Summary

Such attacks are targeted towards private industries that are not equipped to deal with threats from the cyber resources of a nation. So this is government versus private industries, which is not fair. US President Obama says: "America must face the rapidly growing threats from cyber-attacks. Now such attacks are focused on sabotaging our power grids, our financial institutions and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and economy."

We should all be glad that the Virginia-based security firm Mandiant decided to expose one of the most prolific cyber espionage activity groups and make all the related evidence public.

This bold activity may be initiated by the PLA, but there's definitely government approval. Now that the reports are public, if the APT1 activity still continues then the government is definitely involved, even the top leaders. There seems to be clear strategic planning behind this. China's government monitors and censors the Internet. China is focusing on economic espionage, stealing trade secrets and structural property and negotiation strategies and passing these off to their companies to compete with other companies worldwide. This is a massive cyber espionage campaign.

What are they trying to achieve? It may be motivated by political reasons. It may be a kind of security against what the USA can do. The Chinese information gathering system has been morphed into a new kind of mode that would make it very scary in terms of its effect.

Today such attacks are inevitable, but if the government is alert and vigilant, such attacks can be nipped in the bud before a serious security breach takes place. However, a casual attitude towards such advanced threats can have disastrous effects on a country and its people.

We can boast all we want, but the bottom line is that India is seriously lagging in its cyber defense capabilities and there are only a handful of actual motivated and driven computer security professionals in India. A reason for this can be that no formal education is being provided to students interested in security, and these individuals then turn towards certifications which are either too theoretical and provide no hands-on knowledge, or are too costly for an average Indian student, or require a prior minimum number of years of experience in the security domain. Some of these certifications in India are started by individuals claiming to be hackers themselves, which take candidates more towards the glamour of hacking emails or passwords rather than developing a mature approach towards security. India desperately needs state-sponsored programs that teach computer security at master's level to deserving students who clear a well-designed competitive screening process. Cyber espionage is a growing issue and it has to be dealt with head-on.

In India, a higher level of information security awareness is required. Hacking is not just a bunch of kids randomly doing things for fun and profit. It is now a national strategy. The important thing to note is that while in countries like the USA hacking is considered illegal and immoral, the Chinese government is considering it a necessity. What would Indian industries do if they faced such attacks? Individual companies can never fight with a nation. The Indian government's support is indispensable against such cyber activities. Such cyber espionage is a violation of sovereignty. This is not a minor issue and will continue to grow more severe if nothing is done. This isn't a group of rogue hackers; this is a unit of the PLA (People's Liberation Army of China). We need to get smart with each breach. From knowledge comes power.

On the Web

- http://intelreport.mandiant.com/ - Mandiant Intelligence Report
- http://www.youtube.com/watch?v=3d2gyydHwmY - CNN News Crew being chased
- http://www.youtube.com/watch?v=6p7FqSav6Ho - Video Showing an Attacker Session

Pranshu Bajpai
bajpai.pranshu@gmail.com
Pranshu Bajpai is a Computer Security Professional specialized in Systems, Network and Web Penetration Testing. He is completing his Masters in Information Security from the Indian Institute of Information Technology. Currently he is also working as a Freelance Penetration Tester on a Counter-Hacking Project in a Security Firm in Delhi, India, where his responsibilities include 'Vulnerability Research', 'Exploit kit deployment', 'Maintaining Access' and 'Reporting'. He is an active speaker and author with a passion for Information security.

BYOD Policy: Are you implementing it correctly?

Introduction

Bring your own device (BYOD) is the business policy of letting employees bring their own devices to the workplace for doing work. The concept has gained popularity in recent years mainly due to the following reasons:

- Employees are more willing to spend on their devices as they have ownership of the device.
- Maintenance and protection of these devices is taken better care of, as the employees alone will be liable for the losses if they happen to lose them.
- Allows employees to be more flexible and add more productive hours at the workplace, since they can contribute more to the organization's growth from anywhere, anytime.
- A correctly implemented BYOD policy can foster a culture of eagerness to work, producing efficient and productive employees as a result, since their needs are directly addressed by the company. This makes the workplace a "fun" place to work.
- Reduces the burden of IT inventory maintenance tasks such as commissioning/decommissioning corporate devices used for work. Subsequently, new hardware purchase costs are also lowered.
- A start-up or a small or medium size company can avoid high purchase costs for laptops, smartphones, data cards and tablets for their employees, since employees have the flexibility to use their own devices at the workplace.
- These smart devices often provide better processing speed and power for accomplishing the tasks better.
- Substantial savings are made on carrier/ISP charges, since the organization doesn't need to maintain elaborate corporate data plans but lets the employees use their own data plans.

However, it needs to be remembered that the corporate data residing on the user's own device remains the property of the company. Hence adequate protection measures need to be in place for protecting that sensitive corporate data.

Defining a Strong Business Case for BYOD

The most common reason for the failure of any BYOD policy implementation is that senior management and end users routinely fail to grasp the fundamental concept which drives the BYOD policy: it's all about device ownership. BYOD is fundamentally no different from a corporate-owned device policy, except that the device ownership now resides with end users instead of the organization. However, the ownership of corporate data will still remain with the company.

There is one important caveat while going for the BYOD policy. Going for the BYOD policy is a discretionary judgement which needs to be carefully made by senior management with careful planning. Senior management must not look only at the one facet of cost savings. It is an important business decision which will directly affect the growth of the organization. The senior management should have a clearly defined and quantifiable goal to achieve the benefits offered by BYOD. Just going by the industry trend with a "Hey, everybody is doing it, let's implement this in our organization" attitude can spell disaster for the organization's growth if no advance planning measures are taken. For this, a strong business case is needed to reap the benefits of BYOD policy implementation.

Senior management must also accept the risk that by implementing BYOD, more avenues are opened for data leakage from employees' devices. Many of these devices can also share data in the cloud, increasing the likelihood of data duplication between cloud and apps. Hence, appropriate solutions, tools and techniques to prevent and contain this vital business information from leaking outside must be implemented as well.

Defining BYOD Policy rollout

For a successful BYOD policy rollout generating maximum return on investment (ROI), we must follow these steps:

1. Assess organization readiness and define leadership:
A well-defined business case with clear-cut goals is a prerequisite before developing a BYOD policy. Next, the control group operating and overseeing the BYOD policy needs to be defined and assigned responsibilities. The policy needs to be communicated in top-down order so that no ambiguity remains in adoption. Penalty clauses and security mechanisms must be designed into the BYOD policy for giving adequate security to the devices.

2. Develop BYOD Charter:
A well-defined BYOD charter will ensure that regular investments for the security of BYOD devices are required from the business managers. This helps to determine a business justification for monitoring and administration of the corporate data residing on employee-owned devices.

3. Setting up BYOD governing body:
The governing body of BYOD would be responsible for developing, implementing, overseeing and maintaining the BYOD program. The governing body should include business vertical heads along with HR, legal and finance domain experts for smooth implementation of the BYOD policy. The governing body may start with a rough checklist assigning BYOD tasks such as:

- Which employees will qualify for BYOD? This should be defined on a per-role basis.
- Written signed agreements with employees for accepting risks concerning the device usage.
- Which OS versions will be supported for devices?
- Policies regarding wiping of personal/corporate data in case of device loss.
- Methods used for separation of personal and corporate information on devices.
- Actions to follow after a security violation.

All policies must comply with region-specific laws, which will automatically be given first priority while designing the BYOD policy. It is important to update the policy document and adjust to the ever-changing landscape of evolving technology. It is better that a BYOD program be implemented in a phased approach. Initial success will generate enough confidence in senior management about its successful operation. Likewise, it can then be applied to other departments. The users from the initial phase of BYOD deployment must emerge as champions for BYOD usage to spread the culture effectively and securely across the length and breadth of the organization.

4. BYOD IT Process Group:
This IT process control group will look after the required software upgrades and the license implications for mail access from employee-owned devices.

5. Managing BYOD policy:
BYOD programs require strong security solutions like network access control (NAC), Wi-Fi routers and Mobile Device Management (MDM) solutions for organization-wide management of personal devices. Containerization tools to separate corporate data from personal data must be procured. A technical way to separate the corporate and personal data is by having dual-persona smartphones, i.e. having one interface for personal use and another for business use. High end smartphones such as the BlackBerry Z10 currently support this.

6. Post Deployment Support:
High quality help desk support is a prerequisite for successful BYOD deployment. It should provide assistance with diagnostic tools for troubleshooting and a list of manufacturers' support phone numbers for quick reference.

Common Pitfalls to Avoid During Deployment of BYOD Policy

Though adopting a BYOD strategy might seem a very attractive proposition at first glance, it is advisable to exercise caution and care during its implementation in your company. Left unhandled, BYOD can act as a constant fund drain for the organization. This holds especially true when a BYOD policy is implemented across a large organization spread across multiple geographies.

For example, in a traditional setting following the corporate-owned approach for a large firm, the firm typically invests around $200 for compatible smartphones and $500-$1000 for notebooks/tablets, along with a high end corporate data plan for all its employees. But here it gets interesting. The corporate data plans allow these companies to pool their voice minutes and their data bucket. If any one employee goes over his or her allotment limit, the company can adjust this by taking unused voice or data from another employee's allotment to make up the difference. That gets rid of much of the overage fees their employees would otherwise end up charging back to the company.

Needless to say, carriers offer better discounts on corporate plans when compared to an individual. National and international roaming charges are also offered at heavily subsidized rates in corporate data plans. The savings made from these fixed, cheaper call rates eventually work in favour of a company which has its international footprint across its international offices. Now, imagine if BYOD replaced this system: each user will typically shell out the $1-per-minute voice costs and $10 per 10MB that many individual users pay when abroad. Multiply this by the typical work force of 5000-10000 people of a large organization. This figure clearly pales in comparison to the savings made while using corporate plans.

Conclusion

BYOD policy seems inevitable in the coming years, as technological advancement in smart devices helps employees achieve better productivity with flexibility at the workplace. Instead of denying access citing security concerns, it would be best in the business interest to embrace this business policy, which allows people to be more productive in the longer run. No doubt, we do need clearly defined rules and accountability factors, which should be enforced via legal and technological means for protecting the sensitive corporate data residing on people's devices. But as the nature of doing business evolves with technological advancement, it's in everybody's best interest to accept BYOD policy, since it directly addresses the need to collaborate and communicate at times when it matters most. After all, when it comes to business, time is money!

About the Author

Manasdeep
manas.deep@niiconsulting.com
Manasdeep currently serves as a Security
Analyst in the Technical Assessment
team at NII Consulting, Mumbai. His
work focuses on conducting Security
Audits, Vulnerability Assessment and
Penetration Testing for NII's premier
clients. He possesses strong analytical
skills and likes to keep himself involved
in learning new attack vectors, tools and
technologies. He has flair in technical
writing and shares his thoughts on his
blog Experiencing Computing at
http://manasdeeps.blogspot.in. He has
also published information security
paper(s) in International Journal of
Computer Science and Information
Security (IJCSIS) along with various
seminar / conference proceedings.

Drupal Scanner

CMS - What's the Fuss all About?

A Content Management System makes your life easy. It makes the online presence of your business more accessible, and hence the probability of the success of your business soars higher. Incredibly, if you are unfamiliar with CMSes, the best part is that you need not be a nerdy, high-tech web developer to give this touch of virtuality to your ideas and convert them into online reality. You need not have your armoury flooded with all sorts of programming and impressive, crisp UI design skills. Neither do you need to have those 'supernatural' scripting and back-end management skills. So that's the power you get when you use a CMS for your websites. All that you need is some very basic idea about creating websites and you are absolutely ready to go and get it done. And what's more, you have different flavours to choose from. So depending on your requirements and taste you can go for any of the three major CMSes out there, viz. WordPress, Joomla or Drupal.

OK... What's the Catch!

But, like all interesting stories, this one too has a catch. "With great power comes great responsibility." These CMSes have their own guidelines for secure implementation to safeguard the integrity, confidentiality and availability of your websites. WordPress and Joomla have their flaws, and to deal with them they have their standard counter-attack tools in place. We have WPScan and Joomscan for WordPress and Joomla respectively, which can be used to scan websites built on these CMSes for security issues and do the needful to reduce the risk and diminish the impact of the threat.

As for people who find their taste satisfied by Drupal, they might not be much in luck on these lines, as there is no such tool out there (at least not one that you can find free of cost, and accept it, everyone likes free stuff) that can take care of your Drupal powered websites as their WordPress and Joomla counterparts do.

The Inception

Enter the idea of creating one such tiny little tool that can be handy enough to find out that exact detail about your Drupal powered websites, a tool that could be your compass to guide you to a more secure version of your websites. And what better than making use of an already freely available web application security tool to start off this project. Thus it was decided that IronWasp shall be the mother for this Drupal security scanner, which for now we will term DrupScan, to be in phonetic sync with its counterparts. So effectively, once the tool gets made and is available, it can be easily accessed as yet another module of IronWasp. Put more simply: you download IronWasp and you know how to access its different modules, that's it. You know how to ensure better security for your Drupal powered websites.

For once, please be crapless!

DrupScan is based on a very obvious and simple idea: identify the version of a specific module installed on the Drupal powered website and thus find out if the website is secure or not. The CVE ids database has a comprehensive list of all the different vulnerabilities present in the different versions of the different modules that are there for a Drupal site. So, for example, say the website makes use of the 'views' module, and the scanner identifies that the version of the 'views' module being used by the website is 'X.x' and not 'Y.y'. Now the CVE ids database holds the following details about version 'X.x' of the 'views' module: "Vulnerable to XSS and SQLi", and the following about the next version 'Y.y': "No vulnerabilities found". So the scanner just looks up the details available for the module and its specific version in the CVE ids database and thus decides if the website in question is vulnerable or not. Using this simple and obvious technique saves a lot of time, as the web application does not really need to be tested for security vulnerabilities from scratch. We simply make use of the information that is already readily available as the result of intensive research, thus efficiently delivering the required solution.
The Technology and Progress so far
The scanner itself since is powered by
IronWasp, makes use of all the APIs made
available by IronWasp. It is majorly being
written in IronPython, again something that
has full-fledged interactive learning support
through the scripting engine of IronWasp.
So far a proof of concept is available for the
DrupScan which works on the same
principle as explained above. The exact
function names that do the respective jobs
are listed down. (For details the function
definitions please refer the script itself).
The processing starts from the main
function named runAsMain().
1. Simply takes up 2 versions of a
specific module, say ver1 and ver2.
2. It lists out all the files in these 2
versions, finds the difference
between the 2 file listings.
Taken care by passDirPath(),
fileLookUp(),
dictComp(),
createDic():passDirPath():- For the proof of
concept 2 instances of the same
Drupal site are installed on to the
localhost. On one of the instances an

Issue2 Mar2010 | Page-18

older and vulnerable version of a


specific module, say the "views"
module, is installed and on the other
instance a newer and patched
version of the same module is
installed. So correspondingly in the
respective paths directories and files
are created accordingly. These two
paths are passed to the function
passDirPath().
fileLookUp():- is a recursive
function. It recursively checks all the
folders for any files present in it.
Each of the files are taken and their
hash is calculated. Now each of these
hashes
along
with
their
corresponding fileis stored in a temp
file.
dictComp():- this function takes 2
text files as input. These 2 text files
contain the list of all the files present
in the 2 versions of the folder. IT
DOES NOT MATTER WHAT
ORDER IS THE CONTENT OF
THESE TWO FILES IN. As long as
the contents of these 2 text files is
in
the
format
"file_path/file_name
\t
hash_key", it does not matter in
which order is the contents being
listed in the 2 text files. And finally it
finds out the difference between the
files and prints out the differences in
a text file called dicDiff.txt
createDic():- is a helping function
for dictComp(). This function simply
creates a dictionary or list and
returns the same.
3. Then sees which of these files (that
were found to be different) are
publicly accessible.

4. Stores these publicly accessible files


in a db.
Taken
care
publicAccessFiles()
requestor():-

by
and

publicAccessFiles():- Send requests for these files present in


dicDiff.txt to the 2 instances, containing the 2 versions of the module,
on the localhost. Depending on the
response code we decide if a particular file is publicly accessible or not.
And
we
populate
the
PUBLIC_ACCESS database table
with the respective details. Later we
make use of this table to determine
what version of the module the live
site is running. The database used is
SQLite.
requestor():- is a helping function.
It simply frames and sends the required requests and returns the response code in case the requestor
method is called with a third parameter as "True", it would indicate that
the body of the reponse also needs to
be saved.
5. Say after all this the db contains 5
files, viz, a,b,c, d and e with its
respective hash.
6. Now when doing a scan on a live
site, a request is sent for each of
these files to the live site.
7. If there is a success response, the
hash of the received file is
calculatedand it is compared against
the hash in the db.
8. Depending on this the status of the
site is reported.

Taken care of by liveVersionScan().
liveVersionScan():- This function makes use of the database of publicly accessible files created by publicAccessFiles(), and sends a request for each of them to the live site that needs to be scanned for its version. liveVersionScan() is aided by the helper function requestor().
Those are the major tasks currently taken care of by the proof-of-concept scanner.
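The whole pipeline above (manifest parsing in any line order, the diff between two versions, the public-accessibility filter and the final hash match against the live site) as an added worked example in Python. This is not the scanner's own source: the "foo" module, its file contents, the HTTP status codes and the live responses are all constructed inline, with the network round trips replaced by dictionaries so it runs offline.

```python
"""Hash-manifest diff and version fingerprinting, as described for the scanner.

Added example, not the scanner's own code. Module names, file contents and
HTTP results below are constructed for illustration.
"""
import hashlib
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed file trees for two versions of a hypothetical "foo" module.
VERSION_FILES: Dict[str, Dict[str, bytes]] = {
    "7.x-1.0": {
        "sites/all/modules/foo/foo.info": b"name = Foo\nversion = 7.x-1.0\n",
        "sites/all/modules/foo/README.txt": b"Foo module\n",
        "sites/all/modules/foo/foo.module": b"<?php\nfunction foo_menu() {}\n",
    },
    "7.x-1.1": {
        "sites/all/modules/foo/foo.info": b"name = Foo\nversion = 7.x-1.1\n",
        "sites/all/modules/foo/README.txt": b"Foo module\n",
        "sites/all/modules/foo/foo.module": b"<?php\nfunction foo_menu() { return array(); }\n",
    },
}


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def manifest_text(files: Dict[str, bytes], reverse: bool = False) -> str:
    """Write a 'file_path/file_name<TAB>hash_key' manifest. `reverse` flips the
    line order to show that ordering is irrelevant to the comparison."""
    lines = [f"{path}\t{sha1_hex(body)}" for path, body in files.items()]
    if reverse:
        lines.reverse()
    return "\n".join(lines) + "\n"


def create_dic(manifest: str) -> Dict[str, str]:
    """createDic() counterpart: parse manifest lines into {path: hash}, any order."""
    entries: Dict[str, str] = {}
    for line in manifest.splitlines():
        if not line.strip():
            continue
        path, digest = line.rsplit("\t", 1)
        entries[path.strip()] = digest.strip()
    return entries


def dict_comp(a: Dict[str, str], b: Dict[str, str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """dictComp() counterpart: paths whose hash differs between the two versions
    (a path present in only one version counts as different)."""
    return {p: (a.get(p), b.get(p)) for p in set(a) | set(b) if a.get(p) != b.get(p)}


def public_access_files(diff_paths: Iterable[str], status_by_path: Dict[str, int]) -> List[str]:
    """publicAccessFiles() counterpart, with the HTTP round trip replaced by a
    constructed {path: status_code} table: keep only paths served with 200."""
    return sorted(p for p in diff_paths if status_by_path.get(p) == 200)


def live_version_scan(
    fetched: Dict[str, Optional[bytes]], candidates: Dict[str, Dict[str, str]], paths: Iterable[str]
) -> Optional[str]:
    """liveVersionScan() counterpart: hash each body the live site returned and
    count which candidate manifest agrees with it. Returns the unique best
    match, or None when nothing matched or two versions are tied."""
    scores = {v: 0 for v in candidates}
    for path in paths:
        body = fetched.get(path)
        if body is None:  # non-success response: no evidence either way
            continue
        digest = sha1_hex(body)
        for version, manifest in candidates.items():
            if manifest.get(path) == digest:
                scores[version] += 1
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    if ranked[0][1] == 0 or (len(ranked) > 1 and ranked[0][1] == ranked[1][1]):
        return None
    return ranked[0][0]


def demo() -> Tuple[Dict[str, Tuple[Optional[str], Optional[str]]], List[str], Optional[str]]:
    m10 = create_dic(manifest_text(VERSION_FILES["7.x-1.0"]))
    m11 = create_dic(manifest_text(VERSION_FILES["7.x-1.1"], reverse=True))
    diff = dict_comp(m10, m11)
    # Constructed: .info and README are served as static files, .module is not.
    status = {
        "sites/all/modules/foo/foo.info": 200,
        "sites/all/modules/foo/README.txt": 200,
        "sites/all/modules/foo/foo.module": 403,
    }
    public = public_access_files(diff, status)
    # Constructed live responses: the scanned site runs 7.x-1.1.
    fetched = {p: VERSION_FILES["7.x-1.1"].get(p) for p in public}
    version = live_version_scan(fetched, {"7.x-1.0": m10, "7.x-1.1": m11}, public)
    return diff, public, version


if __name__ == "__main__":
    print(demo())
```

Note that README.txt, identical in both versions, never reaches the db: only files that differ carry version information, and of those only the ones the web server actually serves are usable, which is why the accessibility check sits between the diff and the live scan.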

Ok. That's enough. Shut up! I'll see if I am interested.
A lot more work still needs to be done. Incorporating support for as many modules as possible is one of the major parts that still needs to be completed. The scanner as of now focuses only on Drupal 7.x; later, as the project matures, other Drupal versions may also be included. There are a lot of interesting challenges at hand to solve, and that is where community support from people with interest and expertise is needed.

Final words
The scanner, on completion, can help pinpoint the security issues with a Drupal-powered website and will of course complete the group of similar scanners: WPScan, JoomScan and then why not DrupScan.

Abhinav Chourasia
abhinav.mr.impractical@gmail.com


Effective Log Analysis


Log analysis is a responsibility that a security analyst needs to fulfil with utmost conviction in every organization. If our environment is equipped with security devices like firewalls, AV and VPN, which are crucial to the organization, a breach in any such device affects the organization's reputation, which directly or indirectly hurts the business. By performing log analysis one can foresee many threats and prevent attacks early. Log analysis helps to find the traffic pattern that is occurring in an organization; if the trend of the logs under observation deviates from the standard trend, it can be considered a security incident and such traffic should be investigated. Log analysis also helps in complying with regulatory standards like PCI DSS, SOX and GLBA.
Log analysis also enhances and facilitates the development of new security policies and the detection of vulnerabilities. Storage and management of logs is also very crucial when we need to do forensic analysis and incident management.

There are many tools available in the market to analyze logs, including open source tools (http://www.logalyze.com/ and the MindTree tool). In today's world a SIEM is more valuable to an organization than other normal log management solutions: a SIEM has correlation features that other solutions don't have. Some of the SIEM tools that are commonly used are RSA enVision, ArcSight, EventTracker, Juniper STRM, Splunk etc. SIEM service providers collect logs based on EPS (the number of events collected per second), i.e. the higher the EPS value, the more events it will collect per second. The pricing of these devices varies based on the number of events collected per second, the number of devices sending logs to the collector, or the cost of the entire appliance.
Storage of logs is also an important feature that we need to consider while dealing with log analysis. All the logs of a network device need to be stored for at least 2 years for any investigation. It is not compulsory that all the 2 years of data are readily available; it depends on the cost that can be spent on infrastructure and utilities and on the criticality of the device. Old logs can be backed up to tape and securely stored. This type of storage is called

offline storage. When we are in need of the data we can request the backup admin to plug in those tapes for log retrieval. But it should be noted that logs should not be tampered with; a segregation of duty control needs to be implemented here. Whenever a legal case comes to our environment it is compulsory to provide logs to the court.
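One way to make the "logs should not be tampered with" requirement checkable, as an added example that is not part of the article: chain each stored record to the previous one with a hash before the logs go to tape, and record the final hash separately. The record layout and the sample entries are constructed; SHA-256 is an assumption, any strong hash works.

```python
"""Tamper-evident log retention with a hash chain.

Added example, not from the article. The record layout and the constructed
log entries are assumptions.
"""
import hashlib
from typing import Dict, List

GENESIS = "0" * 64  # chain anchor for the first record


def _link_hash(prev_hash: str, entry: str) -> str:
    # Each record commits to its own text and to the previous record's hash,
    # so altering, inserting or deleting an entry changes every later hash.
    return hashlib.sha256(f"{prev_hash}\n{entry}".encode("utf-8")).hexdigest()


def build_chain(entries: List[str], prev_hash: str = GENESIS) -> List[Dict[str, str]]:
    """Wrap raw log lines into chained records."""
    chain = []
    for entry in entries:
        h = _link_hash(prev_hash, entry)
        chain.append({"entry": entry, "prev": prev_hash, "hash": h})
        prev_hash = h
    return chain


def head_hash(chain: List[Dict[str, str]]) -> str:
    """The value to hand to someone other than the backup admin."""
    return chain[-1]["hash"] if chain else GENESIS


def verify_chain(chain: List[Dict[str, str]], expected_head: str, genesis: str = GENESIS) -> int:
    """Return -1 if the chain is intact and ends at `expected_head`; otherwise the
    index of the first bad record (len(chain) when only the head mismatches,
    which is what truncation of the tail looks like)."""
    prev_hash = genesis
    for i, rec in enumerate(chain):
        if rec["prev"] != prev_hash or _link_hash(prev_hash, rec["entry"]) != rec["hash"]:
            return i
        prev_hash = rec["hash"]
    return -1 if prev_hash == expected_head else len(chain)


# Constructed sample entries.
SAMPLE_ENTRIES = [
    "2010-03-01 09:00:01 fw1 drop src=10.0.0.11 dst=203.0.113.7 dport=80",
    "2010-03-01 09:00:02 fw1 drop src=10.0.0.12 dst=203.0.113.7 dport=80",
    "2010-03-01 09:00:03 fw1 accept src=10.0.0.13 dst=198.51.100.2 dport=53",
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_ENTRIES)
    print("head:", head_hash(chain), "intact:", verify_chain(chain, head_hash(chain)) == -1)
```

The segregation of duty the article asks for falls out naturally: the person who restores tapes must not be the person who holds the head hash, otherwise they could rebuild the chain after editing it.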
Talking about compliance, out of the 12 requirements of PCI DSS, requirement 10 talks about logging and log management. Logs should be reviewed daily and the integrity of the logs should also be maintained. Here I would like to showcase how we can do log analysis on a firewall. Say the firewall we consider is a Checkpoint firewall.
The first thing we need to do is to monitor all the dropped communications in the FW. You can filter the SIEM on drop packets only. After that you need to look at the destination ports of all dropped communications. When you monitor an internal FW you will find only internal IPs as the source IPs. There are some common ports which you will always see while monitoring dropped logs (53, 445, 161, 80, 123, 389, 3268). Whenever we see many drops to a particular destination IP with the same destination port we need to investigate why such dropped traffic occurred; this could be botnet activity that has spread across our network.
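The triage just described (drops only, grouped by destination IP and port, then looking for one destination reached by many internal hosts) as an added Python example, not from the article. The log lines are constructed in a simple key=value layout rather than the real Check Point export format, the addresses are documentation ranges, and the threshold of five distinct sources is an assumption to tune per network.

```python
"""Triage of firewall drop logs: which destination IP/port pairs are being
hit by many distinct internal hosts?

Added example, not from the article. Log lines are constructed in a simple
key=value layout (not the real Check Point format); the threshold is assumed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Destination ports the article says routinely show up in dropped traffic.
COMMON_PORTS = {53, 445, 161, 80, 123, 389, 3268}

LINE_RE = re.compile(
    r"action=(?P<action>\w+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def constructed_log() -> List[str]:
    """Ten internal hosts each beaconing three times to one external IP on
    port 80, plus ordinary background drops, one accept and one junk line."""
    lines = [
        f"2010-03-01T09:{i:02d}:{k:02d} action=drop src=10.0.0.{11 + i} "
        f"dst=203.0.113.7 dport=80 proto=tcp"
        for i in range(10)
        for k in range(3)
    ]
    lines += [
        "2010-03-01T09:30:00 action=drop src=10.0.0.11 dst=10.0.0.5 dport=445 proto=tcp",
        "2010-03-01T09:30:05 action=drop src=10.0.0.12 dst=10.0.0.5 dport=445 proto=tcp",
        "2010-03-01T09:31:00 action=drop src=10.0.0.13 dst=198.51.100.2 dport=53 proto=udp",
        "2010-03-01T09:32:00 action=accept src=10.0.0.14 dst=203.0.113.7 dport=443 proto=tcp",
        "garbage line that does not parse",
    ]
    return lines


def parse_line(line: str) -> Dict[str, str]:
    """Fields of one log line, or an empty dict if the line does not parse."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else {}


def drops_by_destination(lines: List[str]) -> Dict[Tuple[str, int], Set[str]]:
    """Keep drop records only and collect the source IPs per (dst, dport)."""
    groups: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "drop":
            groups[(rec["dst"], int(rec["dport"]))].add(rec["src"])
    return dict(groups)


def suspicious_destinations(
    groups: Dict[Tuple[str, int], Set[str]], min_sources: int = 5
) -> List[Tuple[str, int, int, bool]]:
    """(dst, port, distinct_sources, is_common_port) for every destination that
    at least `min_sources` distinct internal hosts tried to reach. Common ports
    are still reported: many hosts dropped to one IP on port 80 was exactly
    the pattern in the article's incident, so the port alone never whitelists."""
    hits = [
        (dst, port, len(srcs), port in COMMON_PORTS)
        for (dst, port), srcs in groups.items()
        if len(srcs) >= min_sources
    ]
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    for dst, port, n, common in suspicious_destinations(drops_by_destination(constructed_log())):
        print(f"{dst}:{port} dropped from {n} internal hosts" + (" (common port)" if common else ""))
```

Counting distinct sources rather than raw drop counts is the point: one chatty host retrying a blocked service produces many drops, but a destination that ten different workstations all try to reach on the same port is what the article's botnet incident looked like.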
I have recently come across such an incident where one botnet had spread across 10 machines and our end point security was not able to detect it. During the FW log analysis, enormous traffic to port 80 on a single destination IP was dropped, which we felt was something suspicious. On detailed investigation of those end machines we were able to identify a botnet which was connecting to one C&C server.
Above is a sample setup that I have created in the lab. 192.168.1.3 is the firewall that we are monitoring using EventTracker (SIEM tool); all the logs are pushed to a logging server 192.168.1.2 and from the logging server events are pushed to the SIEM. So 192.168.1.2 is the event source which we have integrated with the SIEM. 192.168.1.1 is a user's machine infected with malware which establishes many HTTP connections to a malicious IP. You can check the rating of websites at http://safeweb.norton.com/. In this case, if we are using an AV which doesn't have a signature for this particular malware, then by analyzing the firewall logs we can see that some suspicious activity is happening on the user's machine. Once you find the user's machine you can go ahead with the normal static malware analysis process to find the exe file which is causing such traffic. You can use various tools like Regshot, Process Monitor, Wireshark, HijackThis and RootkitRevealer to find the exe file.

By default all firewalls will deny all source-to-destination traffic unless a rule or access list is given to permit the traffic, so there is no point in investigating accept logs. But when you do log analysis on all the successful communications of a URL filtering software, you can come across many websites whose content your URL filter does not filter. Your employee can create a website that can be used to host content and to transfer files from the organization to the outside world.
In this dynamic world security threats are changing daily, from phishing mails to a website hack or logging into your manager's account to submit a resignation; we must be aware of all the incidents and think about preventive measures.

Ben Abraham
ben.abraham@xe04.ey.net
Ben Abraham has more than 5 years of experience in the field of Information Security and in implementing, auditing and optimizing SIEM solutions for clients. He also has knowledge of reverse engineering malware to find its behaviour and has carried out ISO 27001 audits, PCI DSS audits, firewall audits and IT security policy development.
Ben has had opportunities to work in companies like Mphasis, Infosys and Ernst & Young. He wishes to learn more about the various Information Security domains and to conduct training in this domain.
