Category Archives: UTM

Seqrite UTM : Security Weapon Against Man In The Middle Attacks

Estimated reading time: 6 minutes

As the name implies, a Man-in-the-Middle (MITM) attack is one in which an unauthorized party intercepts the communication between two parties, either to secretly eavesdrop on the critical data being exchanged or to tamper with it: to spy, to disrupt the communication, or to corrupt the data.

Put simply, covertly listening in on a conversation between two entities, without either of them knowing, is itself a kind of MAN-IN-THE-MIDDLE ATTACK.

SO, WHAT EXACTLY IS A MAN-IN-THE-MIDDLE-ATTACK?

But before going further into the Man-in-the-Middle attack, I want you to look around!

Look at your smartphones, your devices accessing the internet, all the software applications you are using.

What do you think is driving all these things?

DATA! Right?

All this data travels around us with no bounds. From one source to another destination, data knows no limits, and this unobserved travel raises a serious question about the privacy and security of that data.

Have you ever given any thought to maintaining this privacy?

What if someone is already seeing all the data on your phone, or using your private information for his or her own benefit?

While data is being transmitted between a client and a server, the attacker places itself between the two endpoints of the communication and interferes with the transfer, trying to acquire the critical information being exchanged.

Meanwhile the client and the server each believe they are talking to the other, when in fact both are dealing with the attacker.

Explanation:

Suppose A and B are two entities and C is the man in the middle. When A and B want to share information, A asks B for its public key, so that A can encrypt data with that public key and only B, holding the matching private key, can decrypt it. But as soon as B sends its public key to A, C, sitting in the middle, captures that key and forwards its own public key to A instead.

A, assuming the key belongs to B, encrypts the data with it and sends it on towards B. C now decrypts the data with its own private key, reads it, alters it as required, re-encrypts it with B's genuine public key and forwards it to B, which decrypts it and assumes it came directly from A. The process continues in both directions, and neither A nor B ever learns that they are not actually talking to each other. The attack works because A has no way to verify that the public key it received really belongs to B; that is exactly what certificates, pinned keys and out-of-band fingerprint checks are meant to provide.

Technically, whenever two parties talk to each other, a TCP connection is established. What the attacker does is split that connection into two: one between the attacker and the client, another between the attacker and the server, with the attacker relaying between them as a proxy. Another way this attack can happen is the Man-in-the-Browser attack, where the attacker plants malware (a bot) on your system that collects credentials and other important information from your daily web browsing and eventually sends it to the attacker.
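The exchange above, as an added example that is not part of the original post: a key-substitution MITM on an unauthenticated key exchange, in Python. The post describes RSA-style public-key encryption; this uses Diffie-Hellman public values instead, because Python's standard library has no RSA, but the substitution step is identical: C hands each side its own public value and ends up holding a key shared with each of them, while A and B hold keys that do not match. The group parameters are toy-sized and the fingerprint check, function names and party labels are assumptions for the demonstration, not anything the post or Seqrite specifies.

```python
# Added example (not from the Seqrite post): key-substitution MITM against an
# unauthenticated Diffie-Hellman exchange, standing in for the RSA-style
# exchange the post describes. Toy parameters; never use these for real keys.
import hashlib
import secrets

P = 2**127 - 1   # toy prime (a Mersenne prime); real systems use RFC 3526/7919 groups
G = 5            # assumed generator for the demonstration


def keypair():
    """Private exponent and the public value g^priv mod p that goes on the wire."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_key(priv, peer_pub):
    """Shared secret hashed down to a 32-byte session key."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def fingerprint(pub):
    """What a pinned key / known-hosts entry lets A compare out of band."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


def run_exchange(mitm):
    """Run the A<->B exchange, with C substituting its own public value on both
    legs when mitm is True. Returns the keys each party ends up with."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if mitm:
        c_priv, c_pub = keypair()
        pub_seen_by_a = c_pub      # C replaces B's value on its way to A
        pub_seen_by_b = c_pub      # ... and A's value on its way to B
    else:
        pub_seen_by_a, pub_seen_by_b = b_pub, a_pub

    result = {
        "a_key": derive_key(a_priv, pub_seen_by_a),
        "b_key": derive_key(b_priv, pub_seen_by_b),
        # The check that stops the attack: is the value A received really B's?
        "a_pin_ok": fingerprint(pub_seen_by_a) == fingerprint(b_pub),
    }
    if mitm:
        # C can decrypt A's traffic with one key and re-encrypt for B with the other.
        result["c_key_with_a"] = derive_key(c_priv, a_pub)
        result["c_key_with_b"] = derive_key(c_priv, b_pub)
    return result
```

Without the fingerprint comparison, A's derived key is perfectly valid and the session works, which is why the victims notice nothing; the only observable difference is that the public value A received does not match the one B actually published.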

HOW DOES THIS ATTACK WORK?

Attackers are always on the lookout for a vulnerable network where they can breach security and get at the data in transit. The attack is performed in two phases: first 'Interception', then 'Decryption'.

'Interception' & 'Decryption'

For interception, public places like railway stations and airports are the most favourable, as they offer FREE Wi-Fi networks (people just love free things). Attackers look for a poorly secured network and search for a vulnerability that lets them sit between the victim's computer and the server, placing the tools needed to capture the critical information being exchanged, which the victim believes to be secure. Once the data has been intercepted it still has to be decrypted; that is the decryption phase, where the captured data is decrypted (or the encryption is defeated before it is ever applied, as in SSL stripping) and then acted upon.

Too short, right? Well, it is a brief explanation after all, just to give a basic idea. Now let's understand it step by step.

There are several more ways to carry out such a network attack. Let us discuss some of them in brief:

Examples ~

1. Sniffing:

Sniffing is the process of capturing and analysing the data packets containing sensitive information as they flow across a network. Data travels from source to destination as a stream of small packets; an attacker with access to that stream (for example on an open Wi-Fi network) can pull out the private information needed to carry out further attacks.

2. Packet Injection:

Packet injection is a technique where the attacker disrupts an established connection by inserting his or her own packets into the regular flow of data between trusted entities. Because the injected packets look like part of the normal traffic, the malicious activity is easily overlooked or ignored. This kind of interference is used in DDoS and Man-in-the-Middle attacks.

3. Session Hijacking:

Whenever a user logs into a website, the browser sends a request to the website's server. The server processes the request, sends a response back over the network, and establishes a session (typically identified by a cookie or token) that keeps the user logged in. If an attacker can intercept or guess that session identifier, the attacker can take over the session and act as the user, pulling out whatever private information is needed to carry the attack further.

4. SSL Stripping:

In SSL stripping the attacker removes the SSL/TLS encryption that would have protected the connection, downgrading the user's connection from HTTPS to HTTP. The victim, now on an unsecured connection instead of a secured one, is easy to steer into the attacker's own environment, where the attacker extracts whatever information the victim submits. SSL stripping is itself a Man-in-the-Middle technique: the attacker talks HTTPS to the real server and plain HTTP to the victim, relaying between the two.

HOW TO STAY SAFE FROM THESE ATTACKS?

Following are some of the steps we can follow in order to prevent such cyber-attacks:

  1. Use HTTPS rather than HTTP, as HTTPS is the more secure and reliable way to connect to any website.

  2. Keep browser cookies and cache cleared, to limit what an attacker can steal from those resources.

  3. Use HSTS on top of HTTPS. This web server response header (Strict-Transport-Security) tells the browser to connect to that site only over HTTPS for a set period and to refuse plain HTTP, which defeats SSL stripping on every visit after the first one (or from the very first visit, if the site is on the browser's preload list).

  4. Do not click on unnecessary emails and advertisements.

  5. Do not use unsecured public Wi-Fi, and never make payments over it.

  6. Always keep the required security tools updated to protect your system.

  7. Always keep your working network secured.

  8. Never download pirated content.

SEQRITE Unified Threat Management: IPS

Intrusion Prevention System

An IPS is a network security system that protects your organization's network from external attacks, intrusion attempts, malware and other threats. It observes incoming network traffic, identifies potential threats and responds according to the rules specified: it drops packets it determines to be malicious and can block all further traffic from that IP address or port.

Seqrite UTM has an Intrusion Prevention System feature. It monitors for, and blocks, the vulnerability exploits attackers use to interrupt or gain control of an application or machine. It ships with a pre-configured set of signatures that are matched against incoming data packets. If an incoming packet matches an existing signature, the IPS either drops the packet or raises an alert.

Feature Explanation

The image below shows the status of the IPS and the various settings that come under it, along with related information such as

  1. The designated action to take.
  2. Whether to alert on or drop the suspicious packet.
  3. The count of occurrences and the description.

You may need to add new signatures to the existing signature list. In Seqrite UTM IPS you can add your own custom signatures; you can do this from the Advanced tab on the IPS page.

Your organization may need to monitor all inbound, outbound and intranet traffic. This feature allows you to monitor all traffic types or individual ones.
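To make the signature, action, count and direction settings concrete, here is an added Python example of a minimal signature-matching IPS. It is not Seqrite's code and says nothing about how the Seqrite engine is implemented; the signatures, their IDs, the address ranges treated as "internal" and the sample packets are all constructed for the demonstration. It shows pre-configured plus custom signatures, drop versus alert, per-signature occurrence counts, and restricting inspection to inbound, outbound or intranet traffic.

```python
# Added example (not Seqrite's code): a minimal signature-matching IPS of the
# kind the section describes. Signatures, packets and addresses are constructed.
import ipaddress
import re
from collections import Counter

# Assumed organization address space (RFC 1918 ranges) for direction labelling.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def traffic_direction(src, dst):
    """Classify a packet as inbound, outbound, intranet or transit."""
    src_in = any(ipaddress.ip_address(src) in n for n in INTERNAL_NETS)
    dst_in = any(ipaddress.ip_address(dst) in n for n in INTERNAL_NETS)
    if src_in and dst_in:
        return "intranet"
    if dst_in:
        return "inbound"
    if src_in:
        return "outbound"
    return "transit"


class SignatureIps:
    """Matches packet payloads against signatures; each signature carries an
    action (drop or alert) and the traffic direction it applies to."""

    def __init__(self, monitored=("inbound", "outbound", "intranet")):
        self.rules = []
        self.monitored = set(monitored)
        self.hits = Counter()          # occurrence count per signature id

    def add_signature(self, sig_id, description, pattern, action, direction="all"):
        assert action in ("drop", "alert")
        self.rules.append({"id": sig_id, "description": description,
                           "regex": re.compile(pattern), "action": action,
                           "direction": direction})

    def inspect(self, src, dst, payload):
        """Return (verdict, matched_ids); verdict is 'drop', 'alert' or 'pass'.
        One drop outranks any number of alerts."""
        direction = traffic_direction(src, dst)
        if direction not in self.monitored:
            return "pass", []
        verdict, matched = "pass", []
        for rule in self.rules:
            if rule["direction"] not in ("all", direction):
                continue
            if rule["regex"].search(payload):
                matched.append(rule["id"])
                self.hits[rule["id"]] += 1
                if rule["action"] == "drop":
                    verdict = "drop"
                elif verdict == "pass":
                    verdict = "alert"
        return verdict, matched

    def report(self):
        """(id, description, action, occurrence count) per signature."""
        return [(r["id"], r["description"], r["action"], self.hits[r["id"]])
                for r in self.rules]


def build_demo_ips():
    """Pre-configured signatures plus one custom one, all constructed."""
    ips = SignatureIps()
    ips.add_signature(1001, "Directory traversal in HTTP request",
                      rb"\.\./\.\./", "drop", "inbound")
    ips.add_signature(1002, "Shell metacharacters in form field",
                      rb"[;&|`]\s*(?:id|cat|wget|curl)\b", "drop", "inbound")
    ips.add_signature(1003, "Credential sent over plain HTTP",
                      rb"(?i)password=", "alert", "all")
    ips.add_signature(9001, "Custom: internal host beaconing to attacker C2",
                      rb"X-Beacon-Id:", "drop", "outbound")
    return ips


# Constructed sample packets: (src, dst, payload)
SAMPLE_PACKETS = [
    ("203.0.113.9", "192.168.1.10", b"GET /../../etc/passwd HTTP/1.1\r\n"),
    ("203.0.113.9", "192.168.1.10", b"POST /portal HTTP/1.1\r\n\r\nhost=8.8.8.8;id"),
    ("192.168.1.20", "192.168.1.10", b"POST /login HTTP/1.1\r\n\r\nuser=a&password=b"),
    ("192.168.1.20", "198.51.100.7", b"GET / HTTP/1.1\r\nX-Beacon-Id: 42\r\n"),
    ("192.168.1.20", "198.51.100.7", b"GET /index.html HTTP/1.1\r\n"),
]


def run_demo():
    """Inspect the sample packets; returns the verdict list and the report."""
    ips = build_demo_ips()
    verdicts = [ips.inspect(s, d, p)[0] for s, d, p in SAMPLE_PACKETS]
    return verdicts, ips.report()
```

Note that the traversal signature is scoped to inbound traffic, so the same bytes moving between two internal hosts pass untouched; scoping signatures by direction is what keeps a rule set tuned for the perimeter from generating noise on the intranet, and the per-signature counts in the report are what the UI's occurrence column summarises.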


The post Seqrite UTM : Security Weapon Against Man In The Middle Attacks appeared first on Seqrite Blog.

Hackers bypass UTM user credentials with simple Shell Scripts

Estimated reading time: 2 minutes

Everyone loves shell scripts! No wonder, then, that shell scripts are heavily used in most Linux-based security products. They are usually easier to develop than C/C++ programs: there is no compilation step and they are quick to prototype.

However, besides their endless applications, shell scripts carry many hidden dangers in the context of security, and these are often overlooked when writing them.

For example, consider a shell script which simply uses the ping command to check connectivity between two hosts.

#!/bin/bash

ping -c1 "$1"

In this use case, $1 is an input that might come from a CGI program or from some other script. If that input is not properly validated, an attacker can exploit command substitution and command chaining. Note that the script itself quotes "$1", so the danger lies in how the value gets there: if the caller concatenates the value into a single command line (for example, script.sh 8.8.8.8 && command) and hands that line to a shell for parsing, the shell has already split it into separate commands before the script ever runs.

ping -c1 "8.8.8.8 && command"

In this example, once the string is parsed by a shell rather than passed as one argument, everything after && is treated as a separate command and executed. Several other shell metacharacters achieve the same command substitution:

ping -c1 "8.8.8.8`command`"

ping -c1 8.8.8.8|command

ping -c1 8.8.8.8; command

Most gateway-level security products, such as Unified Threat Management (UTM) appliances and firewalls, provide portals for end users. Portals offer many services, including remote-access tool downloads, retrieval of quarantined emails, changing user preferences, and so on.

These services expect some form of user input and may invoke a shell script in the backend of the product.

Through such flaws, an attacker can gain remote command execution as root on a vulnerable device simply by sending malicious input. Once a vulnerable device has been compromised, the attacker can pivot into the organization's network.

Although user inputs are validated most of the time, there is always a possibility that some validation is missing.

Because it can be triggered without any valid credentials, this command injection flaw is classed as 'Pre-Authentication Remote Command Execution'.

Very recently this flaw was discovered in a firewall appliance of a reputed brand.

In Seqrite UTM we explicitly focus on such areas during development, so that the device is not vulnerable to such common exploits.

Following are some guidelines for writing secure shell scripts:

  • Validate every external input against an allow-list (for example, only the characters legal in a hostname or IP address) before it reaches a command.
  • Use absolute (or explicitly relative) paths for the commands used in scripts, so that a manipulated PATH cannot substitute another binary.
  • Set the PATH variable explicitly at the top of the script.
  • Quote every variable passed as an argument ("$1", not $1), so that its value is never word-split or re-parsed by the shell.
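The post shows the script but not the glue in front of it, which is where the injection actually happens. As an added example that is not part of the original post, here is that glue in Python, the way a CGI handler might invoke the ping script, beside a hardened version that applies the guidelines above. The echo command stands in for ping so the example runs offline; the allow-list regex, the function names and the payload strings are assumptions made for the demonstration.

```python
# Added example (not from the Seqrite post): the caller-side glue that makes
# the ping script exploitable, beside a hardened version. "echo" stands in for
# ping so this runs offline; the host values below are constructed.
import re
import subprocess


def vulnerable_ping(host):
    """Builds one command STRING and hands it to /bin/sh. The shell splits the
    string on ;, &&, | and backticks before any script sees "$1", so quoting
    inside the called script cannot help."""
    cmd = "echo pinging -c1 " + host            # string concatenation is the bug
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout


# Allow-list (assumed policy): letters, digits, dots and hyphens, no leading
# hyphen so the value cannot be read as an option, bounded length.
HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9.-]{1,253}$")


def safe_ping(host):
    """Validates against the allow-list, then passes the value as ONE argv
    element with shell=False, so no shell ever parses it."""
    if not HOST_RE.match(host):
        raise ValueError("rejected host value: %r" % host)
    done = subprocess.run(["echo", "pinging", "-c1", "--", host],
                          shell=False, capture_output=True, text=True)
    return done.stdout


# The four payload shapes from the post, with a harmless marker command.
PAYLOADS = ["8.8.8.8 && echo INJECTED", "8.8.8.8`echo INJECTED`",
            "8.8.8.8|echo INJECTED", "8.8.8.8; echo INJECTED"]


def injected(output):
    """True if the attacker-supplied command actually ran."""
    return "INJECTED" in output


def rejected(host):
    """True if the hardened path refuses the value before executing anything."""
    try:
        safe_ping(host)
    except ValueError:
        return True
    return False
```

Running each payload through vulnerable_ping shows the marker in the output every time, while safe_ping refuses all four before anything executes; a legitimate address such as 8.8.8.8 goes through both unchanged. The two fixes are independent and both matter: the allow-list stops hostile values at the boundary, and shell=False with an argv list means that even a value which slips past validation is delivered to the program as data rather than parsed as shell syntax.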

The post Hackers bypass UTM user credentials with simple Shell Scripts appeared first on Seqrite Blog.

3 Ways for MSPs to Increase Their Managed Security Footprint

Managed service providers looking to increase their business often face the choice of whether to focus on finding new customers or expanding their existing base. But there’s a growing opportunity making the latter option especially appealing.

The small and midsize businesses that comprise the bulk of the MSP customer base have a limited understanding of cyber attacks–an ever-escalating threat that can cause millions of dollars in remediation, recovery and reputational costs. SMBs need guidance to strengthen their cyber defenses, and MSPs are best positioned to address this need by delivering affordable managed security services.

Moreover, adding services for existing customers costs less than prospecting for new clients. Existing customers don't need to be pitched: if an MSP deploys its services effectively, customers will trust it to deliver value and support their business goals, making them more willing to adopt the provider's additional services.

With that in mind, here are three security services opportunities MSPs can explore with their existing customers:

1. Managed Email Services

Businesses increasingly rely on cloud-based applications such as Office 365 and Google Drive services to run operations. These services have built-in cyber protection, but it’s not enough to fully safeguard businesses against the previously unknown digital dangers that make up 95% of threats in the wild.

MSPs can deliver added protection for email and file-sharing platforms as a managed service, supplementing it with awareness and training programs that educate employees on cybersecurity. Cyber attacks frequently succeed because many end users have a poor understanding of security risks–for example, unwittingly clicking infected URLs or attachments that cause security breaches. With proper instruction on cyber dangers, users are much less likely to make these mistakes.

2. Protection Beyond the Endpoint

Endpoint detection and response remains a critical need, but only addresses part of the problem. Threat actors have become savvier at breaking into networks to disrupt operations and steal data in various ways–a lot of threats hide in the network unnoticed, waiting to strike.

Addressing these threats requires a multilayered approach to security that includes visibility and quick incident response capabilities. MSPs can help businesses via managed security services that are administered from a central console and deliver multiple layers of protection at the endpoint and beyond–servers, cloud workloads, email and the network itself.

3. Perimeter and Network Protection

Managed unified threat management (UTM) services with comprehensive security capabilities are another area where MSPs can play an essential role. Managed UTM further strengthens a company's defenses against cyber attacks with features such as managed firewall, HTTPS scanning, URL filtering, intrusion detection, and protection against malware, email-borne threats and distributed denial of service (DDoS) attacks.

The ideal managed UTM solution should provide easy deployment and simple management from a single location. MSPs that deliver UTM services add significant value to customers by enhancing their security posture against cyber attacks that can disrupt operations and incur significant costs.

MSPs can increase their customer footprint by taking advantage of Trend Micro’s MSP Program. It helps providers add managed security services to their portfolio, boosting their business prospects and fortifying their clients against the cyber threats of today–and tomorrow.
