Digital Security Resources for Parents

Internet Safety 101 site: Enough Is Enough® understands that Internet safety is a shared responsibility between the public, the Internet industry, and the legal community. However, parents remain the 'first line of defense' in protecting their children against Internet safety dangers. Unfortunately, parents, educators and other caring adults are ill-equipped, uninformed and often overwhelmed when it comes to Internet safety issues, and they need credible outside help. As the nation's leading Internet safety organization since 1994, EIE has responded to this call for action by creating Internet Safety 101SM, in partnership with the U.S. Department of Justice. Internet Safety 101SM is a widely-renowned resource and teaching series that paints a comprehensive picture of the dangers children encounter online. Through the Internet Safety 101SM program, EIE strives to educate and empower parents, educators and other caring adults with the information they need to effectively protect children from Internet dangers.

 Link: https://internetsafety101.org/parentsguidetosocialmedia

A Parent's Guide to SmartPhone Security: with this guide you can make your smartphone safer for your kids in just 11 easy steps. 

Link: https://internetsafety101.org/objects/Parents_Guide_to_Smart_Phone_Security.pdf

FBI Parents Resources: Get advice and information to help protect your children from dangers lurking in both the online and offline worlds.  

• About Protecting Your Kids: Learn how to Contact The FBI; Report child abductions or abuse
• FBI Child ID App: The FBI's Child ID App provides parents with an easy way to electronically store their children’s information and identity.
• Get advice and information to help protect your children from dangers lurking in both the online and offline worlds.

Link: https://www.fbi.gov/resources/parents

KidsHealth - Internet Safety Guide: The Internet can be wonderful for kids. They can use it to research school reports, communicate with teachers and other kids, and play interactive games.
But online access also comes with risks, like inappropriate content, cyberbullying, and online predators. Using apps and websites where kids interact, predators may pose as a child or teen looking to make a new friend. They might prod the child to exchange personal information, such as address and phone number, or encourage kids to call them, seeing their phone number via caller ID.

Link: https://kidshealth.org/en/parents/net-safety.html

Family Online Safety Institute (FOSI): Need help talking with your kids about online safety? Want to know about parental controls? Looking for a simple set of rules to use with your children? FOSI’s Good Digital Parenting provides you with videos, tip sheets, resources, blogs, and more.

Link: https://www.fosi.org/good-digital-parenting/

National Cyber Security Alliance/Stay Safe Online: Here are helpful links from the National Cyber Security Alliance's sponsors, partners and friends to help you and your friends and family be safer and more secure online.

Link: https://staysafeonline.org/stay-safe-online/related-links/

Tom's Guide: Best Parental Control Apps 2019: The best parental-control apps for smartphones can help you track your kids, see whom they are communicating with, block kids from viewing objectionable or dangerous websites, and even help kids understand the value of limits while preventing them from accessing adult content or communicating with strangers.

Link: https://www.tomsguide.com/us/best-parental-control-apps,review-2258.html

PCMag.com - The Best Tracking Devices for Kids: Kids get lost. GPS and Bluetooth trackers can help find them and keep them safe. With the help of our own children, we've tested clips, smartwatches, and wearables to determine what type works best and which one is right for you.

Link: https://www.pcmag.com/roundup/362044/the-best-tracking-devices-for-kids

OpenDNS - Basic Web Filtering and Protection: OpenDNS is the name of a Domain Name System (DNS) service as well as of the company that provides that service. The OpenDNS service extends the DNS by incorporating features such as content filtering and phishing protection.  Get OpenDNS Family Shield

Link: https://www.opendns.com/setupguide/#familyshield

Open Source Intelligence Gathering - Excellent OSINT Site

If you are looking for the one-stop shop for gathering information about people, companies, and the information that surrounds them. Then hop on over to Michael Bazzell's consolidated OSINT search site. Michael is a former Government employee where has was involved in a number of critical criminal cases. He is now retired, but still working to entertain us as an advisor on "Mr. Robot" and mostly to help us understand what information is available on the Internet about us. His site is broken down into specific search areas; like, how to search search engines, searching social media (Facebook, LinkedIn, Twitter, Instagram, etc.), IP addresses and domains and who's behind them, Email addresses, videos and images, and a number of grouped search forms that make looking for information very easy. https://inteltechniques.com/menu.html Click above for access to the site. If you are interested in more information, he has an excellent book "Open Source Intelligence Techniques: Resources for Searching and Analyzing Online Information" Paperback – April 29, 2016 - -

Windows XP Password Encryption and How Tools Like Mimikatz Work

Summary:  Microsoft states that they encrypt passwords in memory with "reversible encryption”.  However, we know that this encryption is easy to overcome as the operating system itself allows for decryption to occur when tools are allowed access to the memory storage locations and automatically retrieve, and the operating system automatically decrypts, the encrypted password.  Mimikatz accomplishes “cleartext” password retrieval by invoking a windows sub module called “LsaUnprotectMemory”, which is available to the Mimikatz and other credential harvesting programs when they have access to the debug features of Windows. 

Suggested Mitigation: If we remove the wdigest and tspkg support in Windows XP (and later versions of Windows) and limit access to the debug function that allows for the system call that enables the reverse decryption of the encrypted kerberos, wdigest, and tspkg password entries, then we essentially have mitigated most of the risk.

Windows Authentication FAQ:

Q:  Does Windows store credential information in memory?

A:  Yes, Windows stores multiple copies of credential information in the LSASS (Local Security Authority Subsystem Service) portion of memory for each authentication protocol used on the system.  In a typical XP system there are authentication protocols for wdigest (older IE6 based), tspkg (Terminal Services), and Kerberos (normal Windows authentication) services.  In all there could be up to 5 copies of windows credentials for each user logged into a system stored in LSASS.

Q:  Does Windows Encrypt Passwords in Memory?

A:  Yes.  All Windows credentials stored in LSASS are encrypted – but in a “reversible” way.

In “Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques" from Microsoft (attached), on page 34.

"Note: Windows operating systems never store any plaintext credentials in memory or on disk, only reversibly encrypted credentials. When later access to the plaintext forms of the credentials are required, Windows stores the passwords in encrypted form that can only be decrypted by the operating system to provide access in authorized circumstances.”

So, technically it is encrypted, but it is the decryption process, which is embedded in the OS that allows mimikatz and other credential harvesting tools to work.  This feature cannot be disabled or isolated in XP (it is how the operating system works) and the best approach I’ve found so far is to limit the debug mode of the local users (including Administrator and SYSTEM) and domain users and removing support for the other, less commonly needed, credential handling protocols; wdigest and tspkg.  

Q: How do tools like Mimikatz and Windows Credential Editor extract “cleartext” passwords from systems?

A: By taking advantage of a flaw in Microsoft OS that allows the automatic decryption of passwords in memory.

Specifically, when tools like Mimikatz and Windows Credential Editor (WCE) are used to extract “cleartext” passwords from a Windows operating system they do it by establishing a session in LSASS (the area where authentication is brokered and credentials are stored in Windows) and:

• Query the LSASS process for active (or recorded since last reboot) logon sessions in the memory.  The commands used for this is lsasrv!LogonSessionList & lsasrv!LogonSessionListCount, included in the query results are the LUID's (locally unique identifier) generated by the Operating system to represent the various forms of authentication and users logged into the system.
• The output information is searched and the various authentication protocols (wdigest, kerberos, tspkg, etc.) are parsed out.
• The output of that search is queried for User identifiers, tokens, and “reversably encrypted” password values.
• The tools use a Windows LSASS command called LsaUnprotectMemory, which automatically calls a windows LSASS function called LsaEncryptMemory, which has access to the symmetric encryption keys (also stored in memory), to automatically decrypt the data that the tool gathered.
• The result is “cleartext” passwords.

From Benjamin Delpy author of Mimikatz. 

The encryption used for each authentication protocol vary, but in Windows XP they are going to be based a combination of RC4 and DESx.  In newer Windows operating systems 3DES and AES are utilized.   This is a minor point because in un-patched and unsupported versions of Windows (as is Windows XP), there is no separate subsystems where authentication and decryption occurs, the keys are kept in the same memory as the encrypted files.  It’s like sending a .zip file along with the password.

Q: Are Token Authenticators more secure?

A: For the most part.  Although token values and PIN codes are stored in LSASS, they have a much shorter time to live as they change constantly and the credential will only be valid as long as the login session remains logged in.  PIN Codes are exposed, which means physical security of the token devices is critical.

Q: How about certificate based authentication?

A: Not as secure as tokens.  Although the same vulnerability exists for SmartCards, it is not a password that is stored but and NT Hash value of the certificate that is stored (along with the plaintext PIN), from the article:

"If the user logs on to Windows using a smartcard, LSA will not store a plaintext password, but it will store the corresponding NT hash value for the account and the plaintext PIN for the smartcard. If the account attribute for smartcard required for interactive logon is enabled, a random NT hash value is automatically generated for the account instead of the original password hash. This password hash that is automatically generated when the attribute is set does not change.”

In “Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques" from Microsoft (attached), on page 75.

"Will using smartcard logons mitigate the risk of the problem? 

No, not significantly. While smartcard logons can enhance security to mitigate credential theft by removing the need for a user to know their account password, underlying password hashes and Kerberos tickets can still be stolen and re-used for network connections” 

To mitigate this threat, the toggling off and on of the “Smartcard Required” user attribute changes the NT hash value.

Mitigation against Mimikatz, WCE, PTH, PTT, Etc.

Mimikatz and Active Directory Kerberos Attacks

https://adsecurity.org/?p=556

Nice Overview of Mimikatz and the many ways it can be used to steal, mimic, create, and bypass credential management in Windows.

Password-Stealing Tool Targets Windows; Evades Antivirus

https://www.duosecurity.com/blog/password-stealing-tool-targets-windows-evades-antivirus

To protect against pass the hash attacks, Microsoft recommended two methods that aren’t viable or practical, from Aorato.com’s perspective:

• Implement smart card authentication (smart cards are expensive and difficult to deploy throughout an enterprise)
• Remove the weaker encryption algorithm from the systems (this requires removing its use throughout the enterprise, which can prevent users from accessing older systems)

Malware Lateral Movement: A Primer

https://www.fireeye.com/blog/threat-research/2015/08/malware_lateral_move.html

What can you do to detect and contain the threat actors creeping around in the dark space of your network?

First, you need to be able to shine a light into that dark space and get visibility into what you are missing. Below are some recommendations that will help you do just that:

• Gathering Threat Intelligence about the tools, tactics and procedures of the malicious actors and their campaigns
• Have a threat analytics platform to identify and consolidate the information that will give your analyst the ability to do more proactive hunting for these types of techniques 
• Proactively perform forensics and sweeping of endpoints for indicators of compromise 
• Harden the devices that are on your network by removing any non-required applications or services and preforming proactive application and system configuration management and logging 
• Implement tighter controls and proactive monitoring of credentials and applications, utilizing whitelisting and multifactor authentication methods. 
• Perform data exfiltration identification and monitoring by utilizing full packet analysis and monitoring tools.

Defending Against Pass-The-Ticket Attacks

http://www.identityweek.com/defending-against-pass-the-ticket-attacks/

Pass-the-Ticket Countermeasures 

In general, Pass-the-Ticket exploits can’t be blocked by standard cyber security defenses because compromised tickets aren’t invalidated when local or domain passwords are changed. And while multifactor authentication is typically a sound verification practice, Pass-the-Ticket exploits bypass it altogether.

Instead, protecting against Pass-the-Ticket requires a different approach on the part of IT. Here are three steps in a Pass-the-Ticket defense process:

1. Stabilize the IT Environment: As stated above, Pass-the-Ticket attacks exploit the default authentication in Windows domains, allowing hackers to impersonate users or processes to gain lateral movement on a network. To counter this attack, you need to reduce the attack surface of your network. That involves enforcing frequent,  automated credentials updates and secure escalation to impede lateral movement. Start by removing weak, shared local administrator logins. Replace them with cryptographically complex and unique credentials that are frequently changed. And then audit access to the credentials.

2. Enforce Secure Privileged Escalation: Further reduce your attack surface by minimizing the presence of highly privileged logins that attackers can use to gain control of your network. Consider a privileged identity management solution that grants users delegated privileged access, and gives authorized administrators temporary membership in pre-defined groups with elevated privileges. These measures limit the ability of cyber attackers to access additional network resources after they’ve exploited a computer or impersonated a user through Pass-the-Ticket.

3. Rapid Remediation Process: Establish, in advance, a process to remove attackers’ access to compromised systems. This can be accomplished through a system that changes passwords twice on potentially compromised machines. The two password resets force immediate replication of changed credentials everywhere on the domain to block the use of compromised tickets.The password resets can be used in conjunction with automatic, chained reboots of managed machines after user escalation, or after changes to systems are implemented using escalated credentials. Privileged access management vendor Lieberman Software calls this process a Security DoubleTap™. It clears the system memory of hashes and passwords on compromised machines to curtail further access.

Lieberman Software’s Security Double-Tap™ Defeats Golden Ticket Cyber Attacks

http://www.liebsoft.com/Security-Double-Tap-Defeats-Golden-Ticket-Cyber-Attacks/

While PTH is a more widely known threat, the related PTT attack is just as dangerous. PTT attacks target Kerberos, the default authentication protocol in Windows domains. These attacks exploit Kerberos by hacking the server that stores a secret key protecting authentication. Once the attacker obtains this secret key, he gains unrestricted access throughout the IT environment – essentially a “Golden Ticket”. The attacks are launched using tools freely available online, such as WCE and Mimikatz.  

Removing Pass-the-Ticket Access from Compromised Machines

ERPM now provides an automated double password reset specifically designed to combat the Golden Ticket attack. The two password resets – a Security Double-Tap - force rapid replication of the changed credentials throughout the domain, to block the use of compromised accounts. In conjunction with this process, ERPM can also force an automatic chained reboot of target system to clear memory of hashes and passwords, and prevent memory scraping.  

Practical Attacks Against Multifactor

http://www.irongeek.com/i.php?page=videos/derbycon5/stable22-practical-attacks-against-multifactor-josh-stone

"Multifactor authentication will keep the bad guys out" is the hue and cry of hardeners everywhere, so what is the pen-tester to do? This talk will present a variety of practical attacks against multifactor authentication, ranging from basic configuration oversights to attack strategies that might work forever even if they configure it right. Multiple technologies will be presented. Many people trust their MFA implicitly, as if it's a magic talisman of keeping hackers out, but there is much a pen-tester can do (and thus, much the other kind of hacker can do), and it's important to discuss and illustrate the risks. This talk should be useful for you if you're a pen-tester, but also if you are a defender trying to get the most out of your MFA.

Dumping WDigest Creds with Meterpreter Mimikatz/Kiwi in Windows 8.1

https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/

The Windows patch that corrects the wdigest issue of storing passwords in clear text, and how to bypass it.

Microsoft’s Local Administrator Password Solution (LAPS)

https://www.praetorian.com/blog/microsofts-local-administrator-password-solution-laps

Microsoft networks remain amongst the most vulnerable and exploited due to the way in which Active Directory is typically deployed: A base image is created with a standard local administrator password, which is duplicated on all workstations in the environment.  When an attacker compromises any workstation, the local administrator password hash can be obtained and used to access every other workstation using the classic Active Directory exploit Pass-the-Hash (PtH). This methodology is described in detail in FireEye/Mandiant M-Trends 2015 case studies.  

On May 1 Microsoft released a new tool, Local Administrator Password Solution (Security  Advisory 3062591), which provides a solution to the Pass-the-Hash exploit. Local Administrator Password Solution (LAPS) changes each local administrator password to a unique value, preventing reuse. LAPS also provides complementary end-user software to  manage local administrative accounts from a centralized server.

Why You Want Two-factor Authentication

http://l.avala.mp/blog/why-you-want-two-factor-authentication/

Most importantly, 2FA is a tool to ameliorate the security pandemic that is the password. Password re-use, weak password complexity, and insecure credential storage are the harbingers of doom for corporate networks. If you’ve never had the pleasure of using Mimikatz then give it a whirl and enjoy the sinking feeling in your stomach as you realize how your passwords are rarely adequately secured. Even if you use a password manager with long, unique passwords for everything that you log into, you stand to benefit by requiring 2FA as well. 

Geek Squad Has A Great Video on 5 Tips to Protect Your Kids Online

Just a quick post:  From homework to video games, school-aged children are connected to the online world now more than ever. In this 2 Minute Miracle video Geek Squad Agents Josh Musicant and Eric Irish offer five simple tips to protect your children online.  They cover the following tips:




1.  Use a trusted filtering software software: Cyber Patrol, Norton, and Spysweeper
2.  Maximize your current software.  MS Windows and MAC OS controls.
3.  Use of your wireless router.  Blocking websites and protecting the Access Point
4.  Controlling what kids access via online gaming by using the rating system.
5.  Social networking.  Keep the computer in a place where you can watch your kids online.


I posted a guide to protect your kids online HERE.

Who's Behind All this Hacking - Pt. 1 - Organized Crime

Who would want to break into my home computer?

Intruders (also referred to as hackers, attackers, or crackers) may not care about your identity. Often they want to gain control of your computer so they can use it to launch attacks on other computer systems.  Having control of your computer gives them the ability to hide their true location as they launch attacks, often against high-profile computer systems such as government or financial systems. Even if you have a computer connected to the Internet only to play the latest games or to send email to friends and family, your computer may be a target.  Intruders may be able to watch all your actions on the computer, or cause damage to your computer by reformatting your hard drive or changing your data.

Many of today's intruders are sponsored by organized crime and most of the exploits we're seeing are geared to gaining control of many thousands of machines at a time through which your computer becomes part of an online neighborhood of sorts.  Once control is gained your computer can be bought and sold to the highest bidder.  Your system becomes a commodity, not unlike our own homes. In fact, this online transaction is often referred to as buying and selling  "Electronic Real Estate."  Today it is estimated that many millions of computers are part of this underground market and that there are whole "armies" of computers, under someone else's control, ready to wage cyber war against countries, organizations, and other online communities.

Organized Crime Hacking Intel Sheet

Motivation:  Support illegal/underground activities, cartels, & other activities like; human trafficking, drug trade, terrorism, bank/credit fraud.

Funding: Funded primarily with illegal sources (stolen credit card info, personal info, selling hacked computer bot networks.) Often government involvement is “two-way”.

Capabilities: Well funded/staffed efforts underway, mostly geared towards theft of financial information of direct targets, communication with actors, transfer of monies, and the masking of activities.

Advanced Hacking Techniques.  Infected websites, malware development, botnet creation, system cracking, USB flash drive infections, hard disk encryption cracking.

Data Harvesting Capacity.  Open source data gathering and correlation, system cracking and data extraction, use of keyloggers, password stealers, data capturing services, and website redirection.

Use traditional espionage techniques with hacking.  A majority of today’s botnets are designed and maintained by organized crime.  It is estimated that up to 75% of computers are infected with a virus.  Most virus’ today come from organized crime.

I believe that it is NOW time to take our systems back. We need to do all we can to seize control of our systems and provide a barrier between our systems and those intent on taking them from us.  This really is a primary purpose of this site.  I want to give you the tools, links and practices that will help you fight the bad guys.

Great Online Safety Guide for Families

Ran across this today.  It's a great source for online safety information for families.  It covers such areas:
Different Age Levels - Elementary School Children (ages 5-7), Tween Children (8-12), Teens (13-17), and college age and beyond.
Basic Subjects - Safe browsing, Protecting passwords, wireless networks, parental control software, and online faves.
Specific Risks - Internet Predators, Plagiarism and cheating, Cyber bullying and stalking, Filesharing & music/video downloading, Private information & ID theft, Social networking sites, Porn, gambling, racism, Teen online privacy, Email and instant messaging, blogging, Viruses, Worms, Spyware, and digital photography.

It's well written and is a great resource for families.  It has a great resource section too..

A must read for any family with kids on the Internet.....

CLICK HERE for the Guide

The 9 Most Useful Computer Security Blogs

UPDATED
I currently read many blogs and have a bunch of RSS feeds directed to my blackberry via viigo software so I can keep up on what’s going on in the cloud we call the Internet.  It is rare, however, to find blogs that are consistent and thorough with their postings and content.  The following is my list of the 9 most important and useful blogs related to Computer Security:
1.  The Microsoft Security Response Center (MSRC).  The MSRC blog was launched in February 2005 and provides a real-time way for the Microsoft Security Response Center to communicate with customers.  Topics include day-to-day “behind the scenes” information that helps customers understand Microsoft’s security response efforts, updates during early stages of security incidents.
2.  Fraud, Phishing and Financial Misdeeds blog.  Having worked around financial crimes for a number of years, Ed Dickson noticed they seemed to be on the rise, one reason for this is technology, which grows more rapidly than the laws designed to protect us from it.  Ed’s blog is a resource to educate people on Identity Theft, it also strives to educate the common person on the rapidly growing problem of crimes enabled (made too easy) by technology and the Internet.
3.  TaoSecurity blog.  Richard Bejlitch is the author of one of my favorite books on Information Security, “The Tao of Network Security Monitoring.”  His blog focuses on digital security and the practices of network security monitoring, incident response, and forensics.
4.  Wired Magazine’s Threat Level.  This excellent blog is dedicated to dissecting the news to find some really interesting gems related to computer, government, and general security information.
5.  SANS Computer Forensics, Investigation, and Response.  A team of GIAC certified forensics professionals share their thoughts on fighting crime and unravelling incidents “One Byte At A Time”.   This is an excellent source if you really want to get into the guts of your computer.
6.  Avira’s Tech blog.  Avira, the maker of antivir (one of the most highly rated, free for home use, virus scanners) keeps its readers up-to-date on the latest virus news.
7.  Krebs on Security.  This is Brian Krebs security blog.  He offers excellent commentary on computer security related topics.  Much of what he covers surrounds cybercrime, vulnerabilities, and hacking groups with established footholds.
8.  The Museum of Hoaxes.  This blog is dedicated to examining dubious claims and mischief of all kinds.  If you’re checking into an email you received from a prince in Nigeria, this is an excellent place to start.
9. Hoax Slayer.  Tracks many of the email hoaxes and other Internet based hoaxes.  Great site, with quick navigation and search.