
What’s New in Pandora FMS 761

Let’s check out together the features and improvements related to the new Pandora FMS release: Pandora FMS 761.

What’s new in the latest Pandora FMS release, Pandora FMS 761

NEW FEATURES AND IMPROVEMENTS

New “Custom Render” Report

A new item, Custom Render, has been added to Pandora FMS reports. It lets you build a report from SQL queries and module graphs and customize the HTML output, so users can create fully customized, visual reports that include graphs.

 

New TOP-N connections report

A new item, TOP-N connections, has been added to Pandora FMS reports. It gives you a summary table with the total connection data and the connections in the interval, grouped by port pairs.

New Agent/Module Report 

A new item, Agents/modules status, has been added to Pandora FMS reports. It tabulates the status of agents/modules together with their last data and the timestamp of that last-received data.

New Agent/Module status Report

It allows users to show a list of agents/modules along with their state, filtering previously by group. 

New SLA services Report

A new item has been included in Pandora FMS reports, SLA services. With this report you will be able to see the SLA of the services that you wish to configure, combining data from different nodes in a single report.

New alert templates

If you want to use the new group, you have it available in our module library:

New Heatmap view

A new Heatmap view has been added. It shows all Pandora FMS information organized by groups and by module or agent groups. The view refreshes continuously and lets you see all monitored information at a glance.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About PandoraFMS
Pandora FMS is a flexible monitoring system, capable of monitoring devices, infrastructures, applications, services and business processes.
Of course, one of the things that Pandora FMS can control is the hard disks of your computers.

Learn How to Protect Your Company from Insider Threats.

Imagine yourself in a dining room in your company with colleagues and friends enjoying a meal. Suddenly, the lights flash and everyone’s belongings mysteriously disappear. The only suspects are those in the environment, including you. But how to find the culprit?

As much as the introduction of this text sounds a bit dramatic and the plot seems taken from an Agatha Christie book or a Sherlock Holmes tale, the feeling of having a threat within the company is very similar. An insider attack happens when least expected, while everyone involved in this compromised environment goes from innocent workers to suspects in a moment, and identifying the culprit is a challenging task.

Insider threats may be represented by careless or inexperienced employees, dissatisfied employees, third parties, partners, undercover spies, or any internal component that exploits or intends to exploit their legitimate access to assets to do something unauthorized.

According to a study by Verizon, 57% of information leaks involve insider threats and 15% of leaks are a consequence of the misuse of privileges.

As with detective cases, where a thief or a neighbor who does not live in the house is the primary suspect in crimes, many companies focus on threats outside the organization, such as cybercriminals and malware, while a dishonest employee may have been working among others for a long time without being identified, stealing information, and damaging business.

By having legitimate access and often unrestricted permission, these internal agents, malicious or not, can cause incidents within the organization without drawing attention, as they are somehow trusted by others while doing their job.

Disclosing confidential information, facilitating third-party access, and breaking equipment vital to a system are some of the incidents these malicious employees may cause.

In addition, careless professionals who do not know the company and its processes are also insider threats, as they can cause errors when deleting important information or downloading infected files, for example, just because they are not prepared.

We invite you to continue reading the text and learn what you need to do to protect your business from insider threats.

Who Are Considered Insider Threats?

Insider threats can come from employees and even partners or third parties who have access to your systems, as detailed below.

  • Employees: They are above suspicion, are considered part of the organization, and are the last suspects.
  • Service Providers: These people are underestimated and they can take advantage of their access.
  • Partners and Third Parties: They are always under contracts and therefore receive access with high privileges, so the contract offers false protection to the company.

Former employees are also a threat. According to Deloitte, 59% of employees who leave a company voluntarily or involuntarily take data with them.

What Are the Main Motivations for Insider Threats?

In most cases, what motivates these internal malicious agents to cause an incident are financial and ideological issues, as well as the desire for recognition, loyalty to family, friends, or country, and even revenge. 

Regardless of motivations, malicious internal agents seek to leak sensitive data and disrupt processes, as these are the events that can most damage an organization. This fact is clearly corroborated by cases reported in the media, such as:

  • Edward Snowden Case: Snowden leaked nearly two million NSA files in 2013.
  • Ricky Mitchell: After he found out he was going to be fired, he restarted EnerVest’s servers to factory settings and discontinued operations for a month.
  • Zhangyi Liu: Chinese programmer working for Litton/PRC Inc. who accessed sensitive Air Force data. The contractor copied the credential passwords that were allowed to create, change, and delete any file on the network and posted them on the Internet.
  • Christopher Grupe: After being fired from the Canadian Pacific Railway, he accessed the system again to delete files and change passwords, preventing administrators from authenticating.
  • Paige Thompson: Former software engineer at Amazon Web Service, she accessed credit card information from more than 100 million Capital One customers. Amazon’s cloud environment configuration was not secure. Paige was aware of this incorrect configuration and abused her privileges to access data and share these methods in online chats.

Preventing an internal agent from stealing information can be more challenging than preventing an external agent from having access to assets, as internal agents have unrestricted access to endpoints and the network, and these are the components that correspond respectively to the means used to carry out attacks on an organization.

Other assets used to cause incidents internally are BYOD devices, which are increasingly accepted in companies today, even though their use is often uncontrolled.

Through these assets, attackers reach their real targets, databases and file servers, as these hold the most valuable information for internal and external attackers: customer data, financial data, intellectual property, and privileged account data (credentials and passwords, for example).

This type of attack increases due to insufficient strategies or solutions to protect data, as well as a lack of training, employee expertise, and risk awareness at the administrative level of the organization.

What Are the Cyber Risks Associated with Insider Threats?

As we saw earlier, insider threats are not always exclusively from people who work directly for your organization. We can include consultants, outsourced contractors, suppliers, and anyone who has legitimate access to some of your resources.

To understand more about the subject, we have selected five possible scenarios in which insider threats may arise:

  1. An employee or third party who performs inappropriate actions that are not intentionally malicious but simply careless. Often, these people look for ways to do their jobs, but they misuse the assets, do not follow acceptable usage policies, and install unauthorized or dubious applications.
  2. A partner or third party that compromises security through negligence, misuse, or malicious access or use of an asset. For example, a system administrator may incorrectly configure a server or database, making it open to the public instead of private and with controlled access, inadvertently exposing confidential information.
  3. An agent bribed or requested by a third party to extract information and data. People under financial stress are often the main targets.
  4. A rejected or dissatisfied employee is motivated to bring down an organization from the inside, disrupting business and destroying or tampering with data.
  5. A person with legitimate privileged access to corporate assets, who seeks to exploit them for personal gain, usually stealing and redirecting information.

Whether the damage is caused intentionally or accidentally, the consequences of insider attacks are very real.

One of the ways to mitigate the risks of the scenarios above is to implement monitoring tools to track who accessed which files and alert administrators about unusual activities.

In addition to these actions, the management of privileged accounts also helps to reduce damage caused by insider threats and contributes to proactive cybersecurity behavior.

How to Reduce the Risks Associated with Insider Threats?

Any corporation is subject to some type of cyberattack, and it is essential to have a system that defends and maintains data integrity.

According to a report by Fortinet Threat Intelligence, Brazil has suffered more than 24 billion cyberattack attempts in 2019, a fact that reinforces the need to have efficient solutions against this type of threat.

Preventing external attacks is already very common within companies, and according to the Verizon Data Risk Report, 34% of data breaches involve internal agents and 17% of all confidential files were accessible to all employees, which turns on a big alert for companies to protect themselves from internal threats as well as external ones.

For this, it is recommended that some technology be implemented to efficiently monitor the privileged access of employees. To help you with this task, we have separated 5 practices on how to protect your company from insider threats, check them out:

1- Know Who Has Access to Privileged Accounts

One of the biggest mistakes of companies is making privileged credentials available to many users, which directly affects data breaches and the risk of leaks through internal threats.

You need to find out which people have access to protected environments, ensure that people who do not need to access such environments do not hold any kind of administrative credential, and so limit the number of privileged users.

Ideally, credentials with a higher level of privilege should be controlled by those responsible for IT, so that there is no type of breach.

2- Ensure User Traceability

Some technologies let you know who performed a privileged session, when, from where, and what actions were taken during it, in addition to limiting the actions that can be performed in the environment.

Some solutions alert and block the user who performs any improper action and provide session recording for analysis.

3- Third-Party Access

If any type of service provided to your company is outsourced, there must be some type of protection.

Ideally, any type of access to company environments should be monitored through a VPN dedicated to a specific application for a predetermined time.

The best way to ensure that there are no loopholes for internal threats in your company is by having a complete PAM password vault, which ensures protection from possible threats, monitors privileged sessions, and automates tasks.

4 – Password Culture

Even if it seems ineffective, implementing a strong password culture is a great way to avoid insider threats.

If a malicious employee learns a colleague’s simple password, for example, they can easily gain privileged access and move around in environments that are not theirs, enabling attacks on the corporation.

In addition to protecting companies against insider threats, strong passwords also help to protect against external cyberattacks, therefore, ask your employees to use passwords with uppercase, lowercase letters, numbers, and symbols.

It is also important to change these passwords regularly, so that there are no future problems.

5 – Backups

Even using every possible way to reduce the company’s security breaches, it is essential to have a way to recover the data in case of any leak or access block.

A good option is automatic backups of critical and strategic systems, which allow the company to refuse to give in to any type of threat from the attacker.

6 – Extra Practice

Obviously, this type of attack is the most difficult to predict and prevent. These are malicious agents who may be working alongside you right now.

However, some measures can be taken to make it difficult for a new internal attack to occur:

  • Checking employee background before hiring.
  • Applying mandatory vacation and work rotation.
  • Monitoring employee behavior.
  • Educating and training employees.
  • Encouraging employees to report abnormal activities and strange behavior of their colleagues if they notice it.

Even With the Risk This Type of User Poses, They Are Necessary for the System. So, How to Control Them?

In another Haystax study, 60% of privileged IT users/administrators represent the greatest risk. They have large permissions within a system to execute infinite commands and view a large amount of information.

Privileged users are like stewards in suspense stories. They are the ones who have unrestricted access to various rooms in the house, perform important tasks, and are extremely trustworthy to members of the house, so it is no surprise when they are revealed as the guilty ones.

Privileged accounts, then, are those with elevated access permissions that allow account holders to access critical systems and perform administrative or privileged tasks. Like ordinary user accounts, privileged accounts also require a password to access systems and perform tasks.

Privileged accounts can be used by people or be non-human when used by applications or systems. The latter are also called service accounts. Privileged accounts, such as administrative accounts, are often used by system administrators to manage applications and hardware, such as network assets, and databases.

The problem with these accounts is that they are often shared, used on many systems, and can use weak or standard passwords, making it easier for insider agents to work.

Thus, when these accounts are not properly managed, they give insider agents the ability to access and download the organization’s most sensitive data, distribute malicious software, bypass existing security controls, and delete trails to hide their activities in audits.

One of the most secure ways to manage privileged accounts is through PAM (Privileged Access Management) solutions. This solution consists of cybersecurity strategies and technologies to exercise control over privileged access and permissions for users, accounts, processes, and systems in a corporate environment.

PAM As a Solution to Manage Insider Threats

As mentioned, privileged accounts represent high-value targets for insider agents. 

Organizations need to adopt a Privileged Access Management (PAM) solution and also provide data on access to privileged accounts for this solution in their monitoring systems.

Privileged Access Management – or simply PAM – consists of the technology and processes that control privileged access, store all access records for auditing purposes and analyze the actions taken by users in real-time, generating alerts about unusual activities. Using this technology can make the identification and mitigation of insider attacks much faster and more efficient.

Therefore, we selected seven capabilities found in PAM solutions that are strategic for companies seeking to reduce the possibility of insider threats.

  1. Use of effective policies for all employees, whether remote, service providers, or third parties.
  2. Protection for the credentials of your most confidential assets (confidential applications, databases, privileged accounts, and other critical systems) in a central and secure repository.
  3. Limitation of privileged access to confidential information, such as customer data, personally identifiable information, trade secrets, intellectual property, and confidential financial data.
  4. Least privilege procedures and resources to provide employees with just the access they need. That is what we call a need to know.
  5. Limitation of local administrator rights for all employees’ workstations; and implementation of permission, restriction, and denial policies to block malicious applications.
  6. Implementation of workflows for the creation and governance of privileged accounts.
  7. Monitoring and recording of privileged access to confidential information, data, and systems.

The first steps to better protect yourself and your customers from insider threats consist of applying at least some privileged access management best practices.

Start by learning more about how the principle of least privilege works, then it is important to establish and apply the best password management practices and, finally, invest in a comprehensive PAM solution that has all these resources at your disposal.

Learn About the senhasegura Solution

Senhasegura is one of the largest PAM solutions in the world according to Gartner. In addition to preventing data leaks and abuse of privilege and avoiding internal threats, the solution also provides complete protection against external threats.

The solution has granular access controls, credential management, detailed logging and session recording, and the ability to analyze user behavior. The senhasegura solution has several security locks that guarantee data protection from insider and external threats, such as logging, auditing, SSH key management, modules for secure DevOps, among others.

In addition, the implementation of senhasegura helps your organization to:

  • Apply the Security aspect to your DevOps pipeline, ensuring DevSecOps.
  • Carry out the proper management of digital certificates.
  • Comply with LGPD and GDPR.
  • Ensure security in your Cloud environment.

Request a demo now and discover hands-on the benefits of senhasegura to limit the damage caused by insider threats.


About Segura®
Segura® strives to ensure the sovereignty of companies over actions and privileged information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.

John the Ripper Pt.4

Intro

In this article – the last in our John the Ripper series – we would like to focus on how we can use John to crack SSH keys, as well as mention some basics of Custom Rules.

SSH

What is SSH? When do we use it (or should)? How does it work, and what are some encryption techniques/technologies that SSH has to offer?

Let’s answer all of these questions briefly (it is a very big topic), before delving further into how john can leverage some of its functionalities to crack the SSH private key password of the id_rsa files.

SSH stands for Secure Shell, and is a remote administration protocol, which gives us the ability to access, control, or modify our remote infrastructure (usually servers) over the Internet. You might want to remote into your client’s server to troubleshoot something, or to deploy some code.

Historically, SSH was created as a replacement for the much more insecure protocol called Telnet, which, even though it serves the same purpose, doesn’t offer encryption. You can see why that might make some of us feel quite awkward. SSH encrypts all of our communication to and from the remote server. With SSH we can also authenticate a remote user, for example.

To use SSH, we can simply pull up the terminal (for MacOS/Linux) and type:

ssh <username>@<ip_address> -p <port_number>

Here the username is the name of the user we wish to connect as, and the IP address is that of the server we are connecting to. For Windows we can use an SSH client, the best known one being PuTTY.

For example, if we were to connect as a user called john to our remote server at 184.121.23.43 on the default port (for SSH it’s port 22), we would give a command like this:

ssh john@184.121.23.43 -p22

Regardless of our platform, once we’ve issued our command, we will get a prompt asking for the password of the user we specified, in order to authenticate us. If the credentials are correct, we will be shown a command line, that of the server we just got into.

SSH and John the Ripper

As we’ve already mentioned, we can use john to crack the private key passwords of our id_rsa files. If our target has configured key-based authentication, which just means they use their private key, id_rsa, to authenticate against the server and log in using SSH, that key will generally be protected by a password. We can once again use John to help us crack that password, so that we can authenticate over SSH by using the said key.

Like zip2john and rar2john before it (sound familiar?), john leverages another helper, a tool called ssh2john. The logic remains the same: ssh2john converts the id_rsa key into a hash that John can work with. The syntax is virtually the same as before:

ssh2john [id_rsa_file] > [output_file]

ssh2john – command to call our converter tool

id_rsa_file – path to our file that we want to convert to a hash

output_file – here, we will store our output e.g. the hash that we’ve created

One small thing of note before we look at our example. If your terminal tells you that ssh2john can’t be found (command not found, meaning ssh2john is not installed, as in the image below), you can still use ssh2john.py, which is basically the same thing wrapped inside a Python script. Usually, ssh2john.py is located at /opt/john/ssh2john.py or, in case you’re using Kali, at /usr/share/john/ssh2john.py. Just remember to invoke your Python scripts by adding python/python3 to your command line first (as shown in the image below).


This also brings us to our example.

In order to do the cracking, we’ve first created a new private/public key-pair using ssh-keygen (image below)


(Spoiler alert! We’ve used the passphrase banana)

All that’s left now is to do some john magic.

First, we run our Python version of the ssh2john conversion tool – as shown below (which is the same image as above)


Simply put, we’ve asked Python to run the script called ssh2john, found at /usr/share/john/ssh2john.py (again, if you’re not on Kali, this would be /opt/john/ssh2john.py), and given it the path to our newly created, banana-protected private key, /root/.ssh/id_rsa, redirecting the output to a file on our Desktop called KeyHash.txt.

Now we are ready, and should have all we need in order for John to crack our private key password for us.

We invoke John, using our trusty rockyou.txt wordlist, and let it do its thing:

 

Lo and behold, 29 seconds later, John has returned the correct output, banana, cracking our password successfully!
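The reason ssh2john has anything to work with is that id_rsa stores, in the clear, how its passphrase protection was applied: the cipher, the KDF and (for the modern format) the bcrypt round count. The following added example, which is not part of the original article and not John's own code, reads just that header so a defender can audit a key store for keys with no passphrase, legacy PEM keys (one MD5 pass per guess, which is why a dictionary run finishes in seconds), or a lowered bcrypt work factor; the sample key blobs are constructed fixtures with placeholder key material, not real keys.

```python
import base64
import re
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed example: an inspector for the two on-disk formats ssh-keygen writes.
# It reads only the unencrypted header, never the key material itself.


@dataclass
class KeyProtection:
    fmt: str            # "openssh-key-v1" (modern) or "legacy-pem" (OpenSSL)
    encrypted: bool
    cipher: str
    kdf: str
    rounds: Optional[int] = None   # bcrypt work factor, openssh-key-v1 only


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string' (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_private_key(pem_text: str) -> KeyProtection:
    """Report how (and whether) a private key file is passphrase-protected."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not body.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, off = _read_string(body, len(magic))
        kdf, off = _read_string(body, off)
        kdfopts, off = _read_string(body, off)
        rounds = None
        if kdf == b"bcrypt":          # kdfoptions = string salt || uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return KeyProtection("openssh-key-v1", cipher != b"none",
                             cipher.decode(), kdf.decode(), rounds)
    if re.match(r"-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----", lines[0]):
        hdrs = dict(ln.split(":", 1) for ln in lines[1:-1] if ":" in ln)
        enc = hdrs.get("Proc-Type", "").strip() == "4,ENCRYPTED"
        cipher = hdrs.get("DEK-Info", "none").strip().split(",")[0]
        # Legacy PEM derives the key with OpenSSL EVP_BytesToKey (one MD5 pass).
        return KeyProtection("legacy-pem", enc, cipher, "openssl-md5" if enc else "none")
    raise ValueError("unrecognised private key header")


def risk_verdict(k: KeyProtection) -> str:
    """One-line audit verdict for a key's passphrase protection."""
    if not k.encrypted:
        return "UNENCRYPTED: whoever copies this file can use it immediately"
    if k.fmt == "legacy-pem":
        return "WEAK-KDF: one MD5 pass per guess, passphrase guessing is very cheap"
    if k.rounds is not None and k.rounds < 16:
        return f"LOW-ROUNDS: bcrypt rounds={k.rounds}, below ssh-keygen's default of 16"
    return f"OK: {k.cipher} with {k.kdf}, rounds={k.rounds}"


def build_openssh_key_v1(cipher: bytes, kdf: bytes, rounds: int = 16) -> str:
    """Constructed test fixture: a structurally valid openssh-key-v1 header with
    placeholder key material (NOT a usable key)."""
    kdfopts = b"" if kdf == b"none" else _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)
    body = (b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(kdfopts) + struct.pack(">I", 1)
            + _ssh_string(b"public-key-placeholder") + _ssh_string(b"private-placeholder"))
    b64 = base64.b64encode(body).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed legacy-format fixture (only the header matters; payload is filler).
LEGACY_ENCRYPTED_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

cGxhY2Vob2xkZXItbm90LWEta2V5
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, text in [("no passphrase", build_openssh_key_v1(b"none", b"none")),
                       ("bcrypt/16", build_openssh_key_v1(b"aes256-ctr", b"bcrypt", 16)),
                       ("legacy pem", LEGACY_ENCRYPTED_PEM)]:
        print(f"{name:14} {risk_verdict(inspect_private_key(text))}")
```

Pointing inspect_private_key at a real ~/.ssh/id_rsa works the same way, since only the header is parsed; a key generated with ssh-keygen -a 100 will report rounds=100.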

Custom Rules

Similarly to the single crack mode that we’ve covered in part 2 of our series (word mangling, or variations of a word, where we change the letters to capital letters, numbers, etc.) we can also define our own sets of rules in similar fashion. John will then use our newly created rules to create passwords. This can be quite useful if we know (or suspect) the password structure of whatever it is that we’re attacking.

With this we can integrate capital letters, numbers, symbols… same as for the single crack mode. Also, this can prove to be rather useful for us, since organizations sometimes enforce password policies in order for them to be a bit less susceptible to dictionary attacks.

This is exactly what an attacker might leverage to their advantage! As we all know people tend to make similar passwords, or even reuse them, and adding numbers and capital letters, or symbols can make it so they meet the password policy’s requirement (complexity). Still, Babyblue1! is not an example of a secure password by any means!

So, if an attacker knew about the password structure, used a bit of Social Engineering on the target they’ve picked (some employee of the company perhaps), they could then easily connect the dots and compromise the system – gain a foothold into your now compromised organization.

Password rules are usually located in the /etc/john path, in a file called john.conf. Another path could be /opt/john.

To create our rule, the first line is used to create a name for the rule, which we can later invoke with John. It looks something like this: 

[List.rules:Babyblue]

Then, we need to use a regex style pattern in order to define our rule further:

A0"..." – inserts the characters we defined at position 0, i.e. prepends them to the word

c – capitalizes the first character of the word (position based!)

Az"..." – appends the characters we defined to the end of the word

u – converts the whole word to uppercase

Now we just need to decide where and what we want to be changed. To define what’s going to be prepended or appended, we put that in square brackets [] – in the order of usage!

We end up with something similar to this:

cAz"[0-9][!@%$]"

After that, all that’s left is to add our rule to our usual command with this flag: --rules=Babyblue.

We would end with a command like this:

john --wordlist=/usr/share/wordlists/rockyou.txt --rules=Babyblue target_file_path
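To see exactly what that rule line turns each wordlist entry into, and how little a "one digit plus one symbol" policy actually adds, here is an added example (not from the original article and not John's own code) that implements just the rule commands used above (c, u, l, A0"..", Az"..") together with the [..] preprocessor lists that multiply one rule line into many; the base words are constructed sample input.

```python
import itertools
import re

# Constructed example: a small interpreter for the subset of John rule commands the
# text uses, plus the [..] preprocessor lists. John itself supports far more commands.


def _expand_class(spec: str) -> list:
    """Expand a preprocessor list body such as '0-9' or '!@%$' into characters."""
    out, i = [], 0
    while i < len(spec):
        if i + 2 < len(spec) and spec[i + 1] == "-":      # a range like 0-9
            out.extend(chr(c) for c in range(ord(spec[i]), ord(spec[i + 2]) + 1))
            i += 3
        else:
            out.append(spec[i])
            i += 1
    return out


def expand_rule(rule: str) -> list:
    """Preprocess one rule line: every [..] list multiplies it into concrete rules."""
    parts = re.split(r"(\[[^\]]+\])", rule)
    choices = [_expand_class(p[1:-1]) if p.startswith("[") and p.endswith("]") else [p]
               for p in parts]
    return ["".join(combo) for combo in itertools.product(*choices)]


def apply_rule(rule: str, word: str) -> str:
    """Apply a concrete (already expanded) rule to one wordlist entry."""
    w, i = word, 0
    while i < len(rule):
        cmd = rule[i]
        if cmd == "c":                        # capitalize first char, lowercase the rest
            w = w[:1].upper() + w[1:].lower()
        elif cmd == "u":
            w = w.upper()
        elif cmd == "l":
            w = w.lower()
        elif cmd == "A":                      # AN"STR": insert STR at position N (z = end)
            pos, quote = rule[i + 1], rule[i + 2]
            end = rule.index(quote, i + 3)
            text = rule[i + 3:end]
            n = len(w) if pos == "z" else int(pos)
            w = w[:n] + text + w[n:]
            i = end
        else:
            raise ValueError(f"unsupported rule command {cmd!r}")
        i += 1
    return w


def candidates(rule_line: str, words: list) -> list:
    """Every candidate the rule line yields: each expanded rule run over the wordlist."""
    return [apply_rule(r, w) for r in expand_rule(rule_line) for w in words]


def policy_multiplier(rule_line: str) -> int:
    """How many variants one base word becomes: the real 'strength' such a policy adds."""
    return len(expand_rule(rule_line))


if __name__ == "__main__":
    rule = 'cAz"[0-9][!@%$]"'
    print(f"{rule} expands to {policy_multiplier(rule)} rules")   # 40
    for cand in candidates(rule, ["babyblue"])[:5]:
        print(cand)
```

A policy that only demands one digit and one symbol after a dictionary word multiplies the guess count by 40, which is why a passphrase or a length requirement is worth far more than complexity classes.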

Of course, there are many resources out there, and we would suggest first checking out these two, if all this talk about custom rules has piqued your interest.

Conclusion

Some finishing thoughts before we close out this series about John the Ripper. As we’ve seen from our examples and from what was mentioned in the series, John offers a lot of flexibility and versatility, but, as always, in order to leverage this great tool to its maximum potential, there’s a lot of ground to be covered. This does not mean you need a PhD in Cryptography, of course, just a lot of trial and error!

We wish you happy (& safe) password cracking!


About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.
