The Future of Ransomware


Ransomware is like a nasty game of tag: you can try to avoid it, but once you’re hit, you’re out. For all we know about doing defence right, following the best practices advocated by NIST and SANS, this particularly malevolent threat has been on an upward trajectory out of the gate since 2016, after trending through 2015. It’s gone way beyond just phishing for targets and locking down individual files. Current strains are evasive: like tag, they figure out what anti-virus and security software is running on the target system that might detect them, and stay hidden. They now go after websites. They lock down entire servers. And they don’t care who the victims are – not even hospitals.

[Image: SamSam ransomware attack chain]

If you’ve been reading along with me on Twitter, or happen to be up at 2:00 a.m. like I am, you know that ransomware is what keeps me up at night, along with some other brilliant minds in our security community who are dedicated to tracking and shutting down this ever-growing threat. These guys really know what they’re doing. Countless hours of research, investigation and analysis have produced this paper: Ransomware: Past, Present, and Future. There are definitive pieces that give the lay of the land and map out the course ahead, and that is what this piece does. Sincere appreciation for the efforts of @da_667 @munin @ImmortanJo3 @wvualphasoldier (and others) who put this together. They understand just how widespread the risk is, and time is not a luxury we have. This is essential reading for anyone in tech, security, business, critical infrastructure. Essentially, anyone who needs to safeguard the data and networks their daily business relies on.

From the Talos blog: A fictional Adversary’s workflow of compromise and takeover


Right now, here is what I would advise anyone. Back your stuff up, frequently, and separately from the network. Check your patch management situation. Where are your exposures? How are you handling security awareness, especially around phishing? Do you monitor your systems regularly, so that you have a baseline to compare events against?

And finally, take the time now and please read this: Ransomware: Past, Present and Future by Talos. Because the more people who know about ransomware and where it’s headed, the better we can all work together to secure things.

Thank you for stopping by!

My Layman’s Terms: The Java Deserialization Vulnerability in Current Ransomware

There has been a recent wave of ransomware attacks against hospitals, highly publicized and for good reason. Who the hell attacks hospitals with malicious code that locks up access to critical care systems, and puts our most vulnerable at further risk? Well, there’s more to this story than I can reveal here but I’ve been following the trend for months, and here’s what you need to know.


FIRST: This was never about the hospitals. They weren’t the specific target. Law enforcement also relies on constant access to critical systems, and they are being hit. But this goes so much wider, and we’re missing the bigger picture here. Therein lies the danger. Samsa/Samsam has been a cash grab for the attackers, with no costs, no penalties. Don’t expect them to stop looking for more revenue streams to hit.

SECOND: This ransomware is not the same old ransomware. We can’t rely on our standard approaches to detect and defend against future attacks. This one goes after servers, so it can bring down entire networks, and it doesn’t rely on social engineering tactics to gain access. It’s so bad that US-CERT has issued this recent advisory.

I’ve laid out what’s been made available on just how this new strain of ransomware works. And I’ve done it in terms to help anybody take a closer look at the middleware currently running in their systems. Because a little knowledge could be a dangerous thing used to our advantage this time.


WHAT: An extremely dangerous and wholly underrated class of vulns

Attackers can gain complete remote control of an app server. Steal or corrupt data accessible from the server. Steal app code. Change the app. Use the server as a launching point for further attacks.

  • No working public exploits against apps until now
  • Remotely executable exploits against major middleware products
  • Powerful functionality that should not be exposed to untrusted users: the ability to hijack the deserialization process

IMPACT: Millions of app servers open to compromise

  • Not easily mitigated
  • Potential for millions of apps to be susceptible
  • Many enterprise apps vulnerable

AFFECTS: All apps that accept serialized Java objects

Remotely executable exploits against major middleware products:

  • WebSphere
  • WebLogic
  • JBoss
  • Jenkins
  • OpenNMS

HOW: The vulnerability is found in how many Java apps handle the process of object deserialization.

Serialization is how programming languages transfer complex data structures over the network and between computers. Serialization (disassembly) is the process of breaking an object down into a sequence of bytes.

Deserialization (unserialization) is the reassembly of those bytes.

A Java object is broken down into a series of bytes for easier transport.

Then it is reassembled at the other end. Think The Fly, or the transporter.

PROBLEM: many applications that accept serialized objects do NOT validate or check UNTRUSTED input before deserialization, that is, before putting things back together. So yes, this is the perfect point to sneak the bad stuff in.

Attackers can INSERT a malicious object into the data stream, and it can execute on the app server.

Attack method: special objects are serialized to cause the standard Java deserialization engine to run code the attacker chooses instead.

Each of the 5 middleware applications listed above ships a Java library called “commons-collections.” It has a method that can lead to remote code execution when data is deserialized, even though no code should execute during this process.

NEEDS TO HAPPEN:

Enterprises must find all the places where they deserialize untrusted data. Searching code alone will not be enough; frameworks and libraries can also be exposed.

Each of those places needs to be hardened against the threat.

Removing commons-collections from app servers will not be enough. Other libraries can be affected.

Contrast Security has a free tool for addressing the issue: Runtime Application Self-Protection (RASP). It adds code to the deserialization engine to prevent exploitation.
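To make the PROBLEM and NEEDS TO HAPPEN points above concrete, here is an added example (my own illustration, not code from the post, from Talos, or from any of the products named). It shows the unsafe pattern the post describes, a plain `readObject()` on bytes from an untrusted source, next to the hardened form: a deserialization filter (Java 9’s `java.io.ObjectInputFilter`) that allow-lists only the classes the endpoint is designed to accept and refuses every other class before it is instantiated. The `Invoice` class is a hypothetical business object; the `Unexpected` class merely stands in for “any class the application did not expect” and is not a gadget.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;

// Added illustration, not the page's or any vendor's code.
public class DeserializationDemo {

    // Hypothetical business object the application legitimately expects.
    public static final class Invoice implements Serializable {
        private static final long serialVersionUID = 1L;
        final String customer;
        final double amount;
        Invoice(String customer, double amount) { this.customer = customer; this.amount = amount; }
    }

    // Stand-in for "a class the endpoint never asked for". It is harmless here;
    // the point is that the filter never lets it be instantiated at all.
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Only the exact types this endpoint is designed to accept.
    private static final Set<String> ALLOWED = Set.of(Invoice.class.getName(), "java.lang.String");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // BEFORE: the vulnerable pattern. Whatever class the bytes name is instantiated,
    // and its readObject()/readResolve() code runs before the caller sees the result.
    static Object unsafeDeserialize(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    // AFTER: the filter is consulted for every class in the stream *before* instantiation.
    // REJECTED makes readObject() throw InvalidClassException, so no unexpected code runs.
    static final ObjectInputFilter ALLOW_LIST = info -> {
        Class<?> c = info.serialClass();
        if (c == null) {
            return ObjectInputFilter.Status.UNDECIDED; // depth/reference-count checks carry no class
        }
        return ALLOWED.contains(c.getName())
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
    };

    static Object safeDeserialize(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(ALLOW_LIST);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new Invoice("ACME", 42.0));   // constructed sample input
        byte[] bad = serialize(new Unexpected());             // constructed sample input

        // The vulnerable path accepts both streams without question.
        System.out.println("unsafe, invoice:    " + unsafeDeserialize(good).getClass().getSimpleName());
        System.out.println("unsafe, unexpected: " + unsafeDeserialize(bad).getClass().getSimpleName());

        // The filtered path accepts the expected type and refuses the other one.
        System.out.println("safe,   invoice:    " + safeDeserialize(good).getClass().getSimpleName());
        try {
            safeDeserialize(bad);
        } catch (InvalidClassException e) {
            System.out.println("safe,   unexpected: rejected by filter (" + e.getMessage() + ")");
        }
    }
}
```

The design choice is the allow-list: a deny-list of known gadget classes is exactly the “remove commons-collections and hope” approach the post says is not enough, because the next library supplies the next gadget. Naming the handful of types an endpoint genuinely expects, and rejecting everything else, holds up regardless of which libraries sit on the classpath. Since Java 9 the same policy can also be applied process-wide with the `jdk.serialFilter` system property, which covers deserialization buried inside frameworks that code searches would miss.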

Sources:

Why the Java Deserialization Bug is a Big Deal Dark Reading by Jai Vijayan

What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability

Paypal is the latest victim of Java Deserialization Bugs in WebApps

Back it up! Back it UP!

Because today is World Backup Day – A cautionary tale and my little take on “Shake It Off” by Taylor Swift

I left it too late
Got nothing on my plate
That’s what my disk drive says mmm-mmm
That’s what my disk drive says mmm-mmm

Now my files are all gone (sob)
And I know something is wrong
At least that’s what the server says mmm-mmm
That’s what the server says mmm-mmm

So I keep losing
All the work that I was doing
It’s like I got this hole
In my drives
And it’s not gonna be alright

‘Cause the data’s gone away, way, way, way, way
And now it’s way too late, late, late, late, late
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up

Shellshock is gonna bash, bash, bash, bash, bash
And the hackers gonna hack, hack, hack, hack, hack
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up

When we got hacked today
By Ransomware – won’t pay
That’s what they say don’t do mmm-mmm
That’s what they say don’t do mmm-mmm

Get the backups- Let’s restore! (backup and restore)
Is this all- why aren’t there more? (why, why aren’t there more?)
So I tell them I don’t know, mmm-mmm
I tell them I don’t know, mmm-mmm

And we are losing
The work that we’ve been doing
It’s like we got this hole
In the drives
And it’s not gonna be alright

‘Cause the data’s gone away, way, way, way, way
And now it’s way too late, late, late, late, late
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up

Our site is getting hacked, hacked, hacked, hacked, hacked
Our accounts are getting jacked, jacked, jacked, jacked, jacked
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up

Back it up, I’ll back it up
I, I’m gonna back it up, back it up
I, I’m gonna back it up, back it up
I, I’m gonna back it up, back it up

Yeah ohhhh!!!!

Yeah the price we had to pay, pay, pay, pay, pay
But today’s a different day, day, day, day, day
Baby, I’m just gonna save, save, save, save, save
Now I back it up, I back it up

If the hard drive’s gonna crash, crash, crash, crash, crash
Or tornadoes gonna smash, smash, smash, smash, smash
Baby, I’m not gonna cry, cry, cry, cry, cry
Cause I back it up, I BACK IT UP!

You know what you gotta do – go do it!

Ransomware: Don’t Get LOCKY’d Out


LOCKY made its debut a week ago, and impacted half a million users around the globe in a day. The numbers have escalated alarmingly since then as this latest crypto-ransomware, developed by the same dark minds behind Dridex banking malware, spreads across platforms and continents.

What YOU Can Do

We’re warning users to beware of phishing emails. Even if it says it is from your bank, they will not send you an email for something requiring your urgent attention with a link or an attachment. The same goes for the CRA or other major financial institutions. MS Word documents masquerade as invoices requiring urgent payment, or as bank statements. These contain malicious macros that launch the malware. Once it gets onto a computer connected to ANY network, it will spread and contaminate rapidly. Any removable devices will also become contaminated, putting others at risk.
DO NOT ENABLE MACROS!

If you suspect you’ve been hit, time is crucial. Contact your support people immediately. We’re here for you. And shut your computer down. You need to cut yourself off from the network immediately. Expect that you will not be using your computer for some time and that you may need to shutdown the network. Given that the encryption is so powerful, the only recourse victims have is to restore from an untainted backup. Or face paying the ransom with no guarantees.


As detailed by researchers at Naked Security for Sophos, LOCKY encrypts a wide range of file types. These include videos, images, PDFs, program source code and Office files, as well as files in any directory on any mounted drive that the infected computer can access. This is important because it also includes removable drives plugged in at the time, and network shares that are accessible, like servers and other people’s computers. That is a lot of potential damage. Extend that to a case where an infected user is connected to the network with administrator access and controls, and the damage could be widespread. Locky will also encrypt any Bitcoin wallet files it finds, thereby stealing bitcoin that could have paid the ransom.

Where’s My Shadow Copy Backup?

But then LOCKY takes things further by removing any Volume Snapshot Service (VSS) files or “shadow copies.” If you use Windows, you know those are the current or live backups Windows takes of work in progress – we all rely on those for when we forget to save, or the system crashes. Unfortunately, for some users these shadow copies have simply become their backup system.

Steps to Stay Safer

  • Make regular backups and keep one off-site
  • Do not enable macros in emails and attachments
  • Be suspicious of attachments from unknown/untrusted sources
  • Do not stay signed on with administrator privileges any longer than you need
  • Keep your security patches up to date
  • Have a DRP with a business continuity plan in place to minimize downtime


Watching Your Backdoor

It’s a thing. Backdoors. And no, not the fun kind with screens that keep out mosquitoes. The kind I’m going to reference here are the ones that actually let worse things in.


Backdoors in tech aren’t just the stuff of legend, or part of the plot in tales of espionage. They are very real, and there is nothing secure about them. They exist as an intrusion point, hidden, secret. These deliberate manipulations of code allow access into a network or application and bypass the necessary security protocols. What matters to me isn’t so much that these are used by foreign governments to spy on us, or for corporate espionage. Rather, it’s the further legitimization of attacks on our privacy. How do we secure against this mindset? Backdoors are essentially a weakness built into the code. Something unsecured that, when discovered, can be readily exploited, because nobody is supposed to know it’s there. Until it’s too late.

Several backdoors have been revealed just over the past few months. Here’s the rundown of shame by John E Dunn in his article in Forbes:

NSA Clipper Chip, 1993

The most reviled backdoor in history, the NSA’s infamous Clipper chip, endorsed by the Clinton administration, still gets people’s backs up more than two decades on from its heyday. In 1993, encryption was new and strange. Few used it but the experts and Government spooks could, however, imagine a world in which they might. Their answer was to neuter the possibility of unbreakable security with an escrow-based system based around the Clipper chip that would cache keys. Assuming anyone had agreed to use it the NSA would have had a ready means to decrypt any content.

As Whitfield Diffie, creator of the famous Diffie-Hellman key exchange protocol observed at the time, the problem with building in backdoors is that they are deliberate weaknesses. Should a third-party find them they become less a backdoor than an open one.

Borland InterBase backdoor, 2001

This weakness in the firm’s InterBase database was essentially a secret backdoor account that allowed anyone with knowledge of it access to data. Making the serious comic, the username and password in question were ‘politically’ and ‘correct’. At the time, the assessment was that while deliberate the hole was probably put there by one or a small number of programmers as a convenience. But we’ve included it because the fact that perhaps only one person knew about it doesn’t mitigate its seriousness for the seven years until it was discovered.

Huawei v the US, 2011

The huge Chinese equipment maker spent millions trying to reform its image after being accused of building backdoors into its telecoms equipment. In 2012 a US Congressional investigation concluded that the firm (and mobile vendor ZTE) should be banned from the world’s largest market over state surveillance worries. In the UK BT had been installing Huawei equipment since 2007 so it was all too late to do much about it beyond GCHQ setting up a special unit to monitor its systems in cooperation with the company itself.

Irony of all ironies, a Snowden leak then suggested that the NSA’s Tailored Access Operations (TAO) had set up an operation to spy on Huawei to work out how far any collusion went.

The modern (i.e. post-Aurora and Stuxnet) era of backdoor scandal began here.

Cisco et al, 2013

Dragged out of Snowden’s famous cache by a German newspaper, this concerned unpublished security flaws in the networking equipment of a group of vendors, headed by Cisco but including Juniper, Samsung among others. These weren’t classic backdoors except in the sense that they allegedly offered a huge amount of surveillance control over the equipment. Very unusually, Cisco’s CSO John Stewart issued a statement denying any knowledge of the compromise.

“As we have stated prior, and communicated to Der Spiegel, we do not work with any government to weaken our products for exploitation, nor to implement any so-called security ‘back doors’ in our products,” he stated. The fact he was even having to say this was a sign of changed times.

More recently in 2015, a backdoor compromise called SYNful Knock was discovered on Cisco equipment. Described by security firm FireEye as a Cisco router implant, already it was clear that the simple idea of intelligence engineers building in massive holes from day one of a product’s life was probably out of date. Why build them in when juicy ones could be found later on?

Juniper, 2015

Discovered just before Christmas 2015, this looked like a biggie in Juniper’s NetScreen ScreenOS from the off. The company finally admitted to suspicious researchers that the Dual_EC_DRBG encryption random number generator contained a backdoor that would allow anyone with knowledge of it to eavesdrop on secure VPN connections. This flaw might or might not have been deliberately put there by the NSA, which was the source of the RNG, but it was exploited at some point, possibly by a third-party government. A backdoor in a backdoor or just weak coding?

Fortinet, 2016

Hard-coded passwords are an absolute no-go for any system these days so it was disconcerting to discover that Fortinet appeared to have one in an SSH interface accessing its FortiOS firewall platform. Researchers looked on this as a backdoor although Fortinet strenuously denied this interpretation. In fairness, this was probably correct although the lack of transparency still bothers some.

CESG’s MIKEY-SAKKE, 2016

Was the revelation that this protocol, promoted by the UK’s CESG for end-to-end encryption in VoIP phone calls, a real backdoor or simply part of the spec? According to Dr Steven Murdoch of University College London the escrow architecture used with MIKEY-SAKKE simply has not been fully explained. Was this a way to spy on conversations without anyone knowing? According to GCHQ, that’s exactly what it was. As an enterprise product, escrow was perfectly appropriate and organisations deploying this technology needed a system of oversight.

In fairness to MIKEY-SAKKE setting up end-to-end encryption without some form of backdoor is now unthinkable for large enterprises that need control over their encryption infrastructure. Whether this compromises the system in a wider sense seems over-blown assuming the architecture has been correctly documented.


My First ShmooCon – This Time It’s Personal

There are many security cons you can attend. Only one is Shmoo.

In our security community, Shmoo is beloved. Testament to that is how people will go out of their way to attend. The ticket sales tell the story. Two rounds were sold out in mere seconds. Say F5 and everyone knows which con you mean. Yet no one wants to increase the number of attendees, because then it wouldn’t be Shmoo. This is as far from the hacker throngs at DefCon as it gets. Nor is it the suited industry version, like RSA. Steve Ragan, @SteveD3, put it best: Shmoo is family.

This is a con where hackers come to play. You can set up the actual network on the night before things get started. There’s a massive wireless CTF; a crypto challenge; Hack Fortress; locks to pick; the Tour de ShmooCon contest. You can even win a prize by hacking the barcode.  Because we learn when we play.

Lobbycon at Shmoo is legendary. A who’s who of InfoSec stand shoulder to shoulder in hoodies with beer. Or Bourbon. Or shine. I loved having my fellow Canuck and InfoSec mentor, Lee Brotherston @synackpse, as my intrepid guide. I got to meet Dave Kennedy – yes, one of the nicest and most knowledgeable members of our community – amidst those mysterious Friday night fire alarms. I was also thrilled to meet the fabulous Katie Moussouris @K8em0 in her Karaoke attire.

But there is nothing like that moment when you actually meet a friend you’ve only known online. For me that was Sarah Clarke @s_clarke22 @infospectives, who came all the way from Britain.  You can read her witty account of ShmooCon here on her blog Infospectives, and I highly recommend reading her regularly.  And then there is the joy of reconnecting with those you already know, like @fl3uryz, @theSweetKat, @snoww, @mzbat and so many more. ❤ to you all. For me, one of the best rewards came when introducing extraordinary people to each other, and facilitating those conversations that would spark ideas, launch projects, and encourage change. This is why we Shmoo.


With so many great moments to share, here are some of my favourites:

  • Playing Cards Against Humanity with @da_667. You haven’t lived til you do
  • Being swung around the dance floor by @bigendiansmalls – who knew!
  • Having Georgia Weidman @georgiaweidman sign my copy of her Pentesting book
  • Meeting up with @maliciouslink and enjoying a great lockpick session.
  • Saturday night Lobbycon pizza from a mysterious benefactor
  • Enjoying the creative force who is Tarah Wheeler Von Vlack @tarah at play
  • A wonderful celebration of Rance @revrance, filling the lobby with his spirit and our voices

At con, there is no bedtime. I’ll have memories that last a lifetime from staying up to listen and learn from @ihackedwhat, @ussjoin, @steveD3 and @viss.  Oh the things you can do with Windows XP.

There were, of course, outstanding talks.  Fire Talks are always great, and the line-up this year featured a good mix of new voices and heavy hitters. First timer Wendy Knox Everette @wendyck came to win, but I have to admit my bias for @da_667’s gift for storytelling.

Jesse Irwin shared her distinctive wit and wisdom on bringing non-tech users in. I caught an excellent panel discussion, “You Ain’t Seen Nothing Yet: New Paradigms for Policy, Regulation, and Community Engagement” addressing some of the hot-button issues we all love to hate when it comes to government and cyber.  Kristin Paget brought her creative brilliance to preventing RFID tags from being read in “Be Free, Little GuardBunny”.  And “Attack on Titans: A Survey of New Attacks Against Big Data and Machine Learning” by Andrew Ruef and Rock Stevens explored another attack vector on our ever-increasing and vulnerable data.

I’m truly grateful I got to see Andrew Kallat @lerg’s talk, “Online No One Knows Your Dead”.  I love the rapid fire banter between Andrew and Jerry on their Defensive Security podcast, but this talk was different. It addressed the unimaginable issues of putting our digital affairs in order when we’re overcome by grief and loss. There were hard lessons offered through the poignant retelling of a real-life story. Thank you to Beth for being both brave and generous enough to share her experience.

Something I heard mentioned often was “Imposter Syndrome.” The term was created in 1978 by clinical psychologists Dr. Pauline Clance and Suzanne Imes, “referring to high-achieving individuals marked by an inability to internalize their accomplishments and a persistent fear of being exposed as a fraud.” Ironically, a good many of us feel just this way. I know I do – I’m no hacker. I don’t have a comp sci degree, or any tech degree. But as we exchanged stories over drinks in Lobbycon, it was reassuring to learn I wasn’t alone in my convoluted path to InfoSec. The truth is that the diversity of our backgrounds and experiences is what makes our community so strong and vibrant. We all belong here; we all have a meaningful contribution to make.


And that led to the Saturday night community building sessions. We pulled up more chairs as people joined, to talk openly about diversity, gender issues, learning styles. How to make first-timers and those new to InfoSec feel welcome. Here are some of the great ideas by an enthusiastic group of great people:

  • Create opportunities, like scholarships, to help more people get to these cons
  • Have ice-breaker events to help n00bs meet more of the community faster
  • Have a welcome/orientation event for con first-timers so they don’t feel overwhelmed and miss things.

In the end, it isn’t about the actual events like parties and talks so much as it is the overall experience and what we come away with. What matters is how Shmoo, and other smaller cons, are more personal; they encourage us to open up and share in a very relaxed and welcoming environment. Shmoo feels like family. For some of us, however, our families haven’t been there. Support and acceptance enable us to pursue our aspirations and to be confident in ourselves.  In my experience, InfoSec is a haven, and a home, because this community takes care of its own.  And that made this con very personal for me. Thanks to the kindness and generosity of good friends, I was able to attend Shmoo. You know I’ll be paying it forward, finding ways to bring people here, to learn, grow, and share with family. A reverent ‘Thank You’ to Heidi and Bruce Potter, and to their fantastic team who made it happen. Shmoo all the things!

Embracing the Shadow – wait! What?

Let me share a few more thoughts about Shadow IT with you as we head into 2016. The good folks at AlienVault were kind enough to ask, and let’s just say that we don’t expect the Shadow to fade anytime soon…


https://www.alienvault.com/blogs/security-essentials/embracing-the-shadow-wait-what?utm_medium=Social&utm_source=Twitter

There was a time when the IT security lords ruled. Mere mortals only had whatever devices and access they were issued. Companies had “standards” and if you wanted something it had to exist on the approved equipment list. But decisions took time and the lines of business didn’t always get the answer they wanted. Regulating tech was getting in the way of getting stuff done. Security had become an inconvenience.

It was easier to regulate things back then, when there were fewer things. The available tech was enough to get the job done. But that’s the thing. Tech is always evolving, to meet the demands for faster, better, more. And how do you do more better and faster? Shadow IT and Shadow Data.

Welcome to GenMobile, “a flexible, transparent and collaborative presence,” which actually means folks who don’t follow the rules. Yes, Houston, we have a problem and it’s called self-service IT. Guess what percentage of workers are doing it for themselves? Aruba Networks cites 77%. Hello Shadow.

Be afraid. Be very afraid. Because we can’t see all the stuff, all the time. Easy-to-use devices are everywhere, creating an unprecedented level of end user entitlement. And a little knowledge has become a very dangerous thing by letting people “help themselves” to data and network access.

So what do you do when employees make independent decisions about devices, data storage and transmission? Accept it? Regulate it? Or ban it? Because “keep it secret” definitely does not keep IT safe.

No Idea What They’re Using, No Idea What They’re Losing

We need to start by getting our head in the cloud. Ah, the Cloud. It’s the solution to everything: storage, countless productivity applications, Office 365, Google Docs. Face it. Cloud is accessible anytime, anyplace, anywhere, anywhen. But the truth hurts:

  • 15x more cloud services are used to store critical data than CIOs have authorized
  • IT says 51 active cloud services. Survey says 730
  • Use growing exponentially
  • 1000 external services per company by 2016
  • 30% of business critical info is in the cloud

Here’s where we worry: The combination of Insider Threat plus Shadow IT. What if the interfaces and APIs with which users interact aren’t secure? Attackers are actively searching for these types of vulnerabilities to exploit them. And how do you protect against what you don’t know, because there’s a whole lotta activity going on up there unreported.

Shadow as the New Norm?

What if I said to you that Shadow IT isn’t going away? In fact, it’s being heralded as the new norm, the way work is going to get done. Ponemon Institute reports an average of 50% of cloud services are deployed by departments other than corporate IT. And an average of 44% of corporate data stored in the cloud is neither managed nor controlled by the IT department. Control over network infrastructure and physical hardware like firewalls is supposed to be the realm of the IT folks in charge of securing proprietary data. But the cloud has a way of making things go all fuzzy.

Twelve years ago technology spending outside of IT was 20 percent of total technology spending. But according to the experts at Gartner, it will become almost 90 percent by the end of the decade. At the Gartner Symposium in Orlando in June this year, the new attitude toward Shadow IT was this: “to empower their organizations to innovate, grow, and succeed, IT departments must embrace and manage this phenomenon.”

Hank Marquis, research director at Gartner, declared:

“Shadow IT looks a lot more scary than it is. Shadow IT is the future happening today. It’s called innovation. It’s happening in the edges where we don’t deliver the solutions. You might not agree with it but you should think that way. You’re not going to stop shadow IT. It’s not going to go away. You’re not going to suppress it. You might as well embrace it, leverage it, use it.”

His is not the only voice out there with that message. Jeanne Ross, Research Director and Principal Research Scientist, Center for Information Systems Research, MIT Sloan School of Management expressed similar sentiments in the HP Enterprise blog for December 10, entitled “Why Smart Companies are Embracing Shadow IT.” She talks about how business is using “demand shaping”, where companies identify their most “valuable and achievable business –change opportunities”, and then use this to select those projects best suited to invest IT dollars in. As for those rejected projects that would find their way into Shadow IT:

“This all comes down to relationships, and to the right conversations happening between people at all levels of IT and business. But if mutual respect exists between IT architects and program managers and their counterparts within the business units, demand shaping and shadow IT can forge an extraordinarily productive partnership.” Read more.

And then world peace can happen?

Ed Macnair, CEO, CensorNet, weighs in with this. “There is a case here for innovation versus risk. By allowing shadow IT, new solutions that will benefit the wider business can be found. However, shadow IT is a security nightmare as those members of staff who are likely to use their own solutions will inherently be from the generation of risk takers and will therefore be less concerned by the need for all encompassing security measures.”

The Innovation Trade Off

The recommendation by Gartner is that Shadow IT not be contained but encouraged and allowed within established boundaries, so that it abides by existing compliance, regulatory and security rules. Innovation without peril. Even better, it’s a more prevalent and well-understood aspect of technology management among companies, and leaders might want to take a completely different approach to handling this matter.

As illustrated by IDC Senior Research Analyst Mark Yates, employees are operating with tacit permission, making their own decisions, and nobody is in control. The business environment has become a “Wild West.” Entitlement and empowerment are enabling employees to fake compliance and use what they want.

Simon Mingay, Vice President of Research, Gartner Inc., drives the point home. “For most IT organizations, resistance is futile. Better to embrace it and acknowledge that employee IT and digital skills in the increasingly digital workplace are an opportunity to innovate and create more value from IT and digital investments.”

And there we have the corporate buy-in. Lower IT costs, increased flexibility, speedier task completion and less interference from IT. Yes, it is being echoed from suite to suite. Because innovation leads to profit. But at what price to security?

A New Hope for The Phantom Menace?

Again, there is a collective chorus on the new approach to take. There need to be guidelines and boundaries to help corral Shadow IT without driving it completely underground and out of scope. Mingay advised “bring shadow IT out of the shadows, make it transparent, provide services that support it.” He advocates “Rather than try to eradicate shadow IT, let’s rename it “dispersed IT,” since everyone has a piece of it.” Frank discussions need to happen to identify why Shadow IT is happening, and those users and business units engaging most heavily identified and consulted. Why are existing policies and rules being circumvented when the consequences are known?

Is it possible to construct a mutually viable arrangement whereby IT can assume the role of broker, an intermediary between users and their apps? Gartner recommends IT organizations engage the business as a partner, and ask senior executives what they think IT’s role should be. And the conversation should extend to outliers and users not operating within the daily confines. Marquis reiterates points we’ve all been saying, like the importance of having visible support from the top execs. Of great importance is IT collaborating efficiently with audit and asset management to ensure compliance.

Clearly, the game has changed and there’s no going back. We have to shift gears, projecting from the rapid developments of Cloud, Everything as a Service, and Big Data. It’s going to mean moving out of our comfort zone to get a better handle on what people really need and want. Buy-in comes when we show the C-suites how security is the strategic partner that helps them move toward innovation. It’s a different terrain, but we’ve still got to run it faster and better than the guys who are out there waiting, counting on what our end users will do and the rules they won’t follow.

Thanks for reading!


The Internet & Wassenaar: This Changes Everything


Legislation is tricky stuff. Hard to understand, hard to follow. Hard to undo. Which is why we need to be aware of things that have the potential to impact us, so we can get ahead of them in case there is a problem. The reality is, time won’t be on our side.

As is the case with the Wassenaar Arrangement, and the proposal to enforce it by the US Bureau of Industry and Security (BIS). Wassenaar is a voluntary agreement between 41 countries, with the purpose of regulating the knowledge of how to create “intrusion software,” which is defined as “software that is capable of extracting or modifying data or modifying the standard execution path of software in order to allow the execution of externally provided instructions.” Their mandate is for controls to be put in place over intrusive software that could become digital weapons, used by regimes to subjugate their citizens or spy on their personal lives. While this sounds like a good premise, it’s actually far-reaching and has the potential to create a lot of collateral damage. And the direct recipients of that damage are the very people we need to keep us and our information safe online: those who work in security testing, research and software.

The objectives of Wassenaar and the BIS have only been furthered by the recent publicity over the attack on Hacking Team, a cyber espionage outfit that counted governments as clients and whose dealings were kept secret for the benefit of both sides. As per the recent article by Katie Moussouris in Wired,

“Security experts warn that overzealous laws will stifle this vital security research that aids defense. Many also fear these regulations will put legitimate tech companies out of business due to excessive license application burdens and delays in the ability to sell security products and compete globally.”

Here’s the truth of it. By enforcing the broad mandate of Wassenaar as per BIS, we shut down the very organizations and people who can best act as our first line of defence. There is no question that malware and cybercrime are evolving rapidly, and that we do not have full control over our security.  Those who seek to profit from using and abusing technology will continue to do so, and find ways around any legislation, or risk existing penalties in favour of what they stand to gain, be that money, power or both. Wassenaar will not rewrite human nature any more than it will prevent the inevitable from happening.


We need to have people finding the bugs in our software that could be exploited, and making that knowledge available through vulnerability research and disclosure. But the legislation would control information necessary for research, testing and development. Security researchers and companies must be able to watch over existing traffic and monitor it for threats without fear of reprisal. To fully appreciate just how BIS and Wassenaar will impede security providers, I encourage you to read the full article by Katie Moussouris in Wired here.

“One thing is constant: Those who wish to create tools and use or distribute them to cause harm will continue to do so with the impunity that was revealed in the internal communications of the hacked Hacking Team. No regulation will stop them. It is our job to collectively ensure that no regulation stops defenders.”

BIS has invited public feedback about what they propose but the deadline is today, July 20.  If you can, speak up today. Here are some helpful guidelines:

  1. Give examples of what technology is caught by these rules and what the impact will be.

  2. Explain in detail the burden to organizations and individuals who will have to apply for export licenses under the new rule.

  3. Show how the new rule won’t achieve the stated goal of protecting human rights, but instead will hinder defense of the Internet.

Comments on this rule may be submitted to the Federal rulemaking portal (www.regulations.gov). The regulations.gov ID for this rule is: BIS-2015-0011. Comments may also be submitted via email to publiccomments@bis.doc.gov or on paper to Regulatory Policy Division, Bureau of Industry and Security, Room 2099B, U.S. Department of Commerce, 14th St. and Pennsylvania Ave. NW., Washington, DC 20230. Please refer to RIN 0694-AG49 in all comments and in the subject line of email comments.

https://www.federalregister.gov/articles/2015/05/20/2015-11642/wassenaar-arrangement-2013-plenary-agreements-implementation-intrusion-and-surveillance-items#h-19

We all have a stake in how Wassenaar plays out. And today, we all have an opportunity to influence that outcome.

WEEKLY SECURITY BRIEF: July 14 2015


UPDATES: Microsoft Patch Tuesday: Critical Updates for RDP and Explorer

There are urgent fixes required for Internet Explorer, as one more zero day is added to the growing pile of fallout from the Hacking Team hack. This flaw is being actively exploited by hackers, so IE users need to get the patch on ASAP. And there are equally urgent fixes to apply for RDP (Remote Desktop Protocol), Office and Windows because of active exploits in play. Other fixes address issues of remote code execution and elevation of privilege.

THE BIG STORY: Get the Flash Outta Here!
Or better yet – how many zero days can you release in a week? Seriously, the time has come and the time is now to get rid of Adobe Flash Player. After Hacking Team got hacked a week ago Sunday, some of the spillage included several zero day vulnerabilities they had been sitting on. And while Flash seems to be a manufacturing plant of flaws, that was no excuse. Hackers have been lying in wait for the good stuff to emerge. When it did, they were ready and jumped all over it. Exploits are booming. If we thought we had problems with folks clicking on stuff they shouldn’t before this, it’s going to be malware-palooza if Flash remains enabled. Mozilla was first to take direct action, and Firefox has blacklisted Flash Player. Who’s next?

Java Zero Day

Adding to all the fun is a zero day for Java, due to a flaw Oracle has not yet patched. Note that this is the first Java exploit to be reported in almost 2 years. And users cannot downgrade to earlier versions, which aren’t susceptible, because of the way Oracle does things. A cybercrime group believed to be out of Russia, Pawn Storm, has been using this nifty little flaw in their attacks on various nation-states, governments and armed forces. Yes, like in “War Games”. The recommendation by security experts is to disable Java in browsers for now until it’s patched, especially given the triple-header of Flash zero days on hand.

Oh, Windows XP Users …

With all this talk of zero days, folks still using Win XP have not been getting any security patches since April 2014. Just imagine. Today, support for Microsoft’s Malicious Software Removal Tool and its updates officially ends. There will be no more. But there are still approximately 180 million users out there, which amounts to 12% of all Windows users. Be warned: an anti-virus product isn’t going to fix Windows vulnerabilities and flaws. If the saying holds true that you get what you pay for, then expect that you will pay for not upgrading to a patchable, safer version of Windows.
And let’s not forget Windows Server 2003. End of Life is also today.

https://grahamcluley.com/2015/07/anti-virus-updates/

The OpenSSL Patch or Much Ado about Nothing

Given all the advance hype leading up to this mysterious flaw and its urgent patch, I am happy to report that this issue is not another Heartbleed or worse. In fact, only newer versions of OpenSSL are affected.
Apparently, any application that verifies certificates, including SSL and TLS, could be compromised by this problem: OpenSSL tries to find an alternative certificate chain if its first attempt to build a chain fails. An error in the implementation of this logic means an attacker can cause certain checks on untrusted certificates to be bypassed. They would then be able to forge a trusted certificate and set up Man in the Middle attacks. BUT this won’t have a widespread impact, as most web browsers currently do not use OpenSSL and are not affected. OpenSSL 1.0.2b/1.0.2c users are urged to upgrade to 1.0.2d, whereas those with OpenSSL 1.0.1n/1.0.1o should upgrade to 1.0.1p.
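The version ranges above are easy to misread because OpenSSL 1.0.x patch levels are letters, not numbers, so "1.0.2c" is older than "1.0.2d". As an added example (not code from the post, OpenSSL or any vendor), here is a small Python triage helper that parses an OpenSSL version string, including the letter suffix, classifies it against exactly the affected and fixed versions the post lists, and reports which OpenSSL build the running Python interpreter links against. The branch-to-letter table and the status names are my own construction for this example.

```python
"""Triage helper for the OpenSSL alternative-chain advisory discussed above.

Added example, not from the post. The affected and fixed versions are the
ones the post lists: 1.0.2b/1.0.2c fixed in 1.0.2d, 1.0.1n/1.0.1o fixed in 1.0.1p.
"""
import re
import ssl

# branch -> (first affected letter, last affected letter, first fixed letter)
# Table constructed for this example from the versions named in the post.
ADVISORY = {
    (1, 0, 2): ("b", "c", "d"),
    (1, 0, 1): ("n", "o", "p"),
}

# OpenSSL 1.0.x release strings look like "1.0.2c"; the trailing letter is the patch level.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_version(text):
    """Return ((major, minor, fix), letter) from a string such as
    'OpenSSL 1.0.2c 12 Jun 2015' or '1.0.1p'; None when no version is present."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    major, minor, fix, letter = match.groups()
    return (int(major), int(minor), int(fix)), letter


def classify(text):
    """Classify a version string as 'affected', 'fixed', 'not_affected' or 'unknown'.

    Only the two branches named in the advisory are in scope. Earlier patch
    letters on those branches predate the bug, and other branches are unaffected.
    """
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    branch, letter = parsed
    if branch not in ADVISORY:
        return "not_affected"
    first_bad, last_bad, first_fixed = ADVISORY[branch]
    # Single-letter patch levels compare correctly as strings ("b" < "c" < "d").
    if first_bad <= letter <= last_bad:
        return "affected"
    if letter >= first_fixed:
        return "fixed"
    return "not_affected"  # e.g. 1.0.2a or plain 1.0.2, released before the bug


def running_openssl_status():
    """Classify the OpenSSL build the running Python interpreter links against."""
    return ssl.OPENSSL_VERSION, classify(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    version, status = running_openssl_status()
    print(f"{version}: {status}")
```

Run it on each host, or feed it the output of `openssl version`, to get a quick yes/no before scheduling the upgrade; anything reported as `affected` should move to 1.0.2d or 1.0.1p as the post advises.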

A New Threat in Corporate Espionage takes Wing

A corporate espionage group dubbed “Butterfly” has been raiding a varied selection of civilian firms for valuable intellectual property. Companies run the gamut of tech, legal, pharmaceuticals and commodities. Most are listed in the Fortune 200 and are publicly traded. Those attacked include multi-billion-dollar firms like Microsoft and Facebook.
What sets this group apart from other cybercrime gangs is that they are very well resourced, utilize customized malware tools and zero days, and are not going after credit card or customer data. They were first identified in 2013, then seemingly went undercover, but were actually operating without detection, hitting 49 companies in 20 countries. They track their prey to favoured online “watering holes” – sites visited frequently by people within the target company. Vigilance, anti-virus and intrusion detection systems are essential, as this group is disciplined and increasing its attacks.

TeslaCrypt/CryptoWall

TeslaCrypt is the newest variant of ransomware, having made its dubious debut in Feb 2015. It likes to target computer game files, like saves and profiles. And it has become a chameleon, taking on new identities, e.g. TeslaCrypt, AlphaCrypt and now pretending to be CryptoWall, with a variety of file extensions to match: .ecc, .ezz and .exx.
The latest version differs in its enhanced encryption. Bad news for victims, because at this time it is impossible to decrypt files hit by TeslaCrypt. And it now uses an HTML page and not a GUI. The methodology: a victim visits an infected website; malicious code uses vulnerabilities in the browser, or plugins like Adobe Flash, to install the malware on the system. The best safeguard is backing up data daily, and storing it away from systems that could become infected.
https://securelist.com/blog/research/71371/teslacrypt-2-0-disguised-as-cryptowall/?utm_source=dlvr.it&utm_medium=twitter
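The renamed extensions the post lists (.ecc, .ezz, .exx) are one of the few artifacts a defender can cheaply watch for. As an added example (not code from the post or from any vendor), the Python below does two things with them: a filesystem sweep that lists files already carrying those extensions, and a simple burst detector that raises an alert when many such files appear within a short window, which is what an encryption run looks like in file-creation telemetry. The directory tree and the event stream in `demo()` are constructed for this example; the window and threshold values are my own starting points, not figures from the post.

```python
"""Spot TeslaCrypt-style encryption artifacts by extension.

Added example, not from the post. RANSOM_EXTENSIONS holds the extensions the
post names; the sample files and events below are constructed for illustration.
"""
import os
import tempfile

# Extensions the post attributes to TeslaCrypt/AlphaCrypt variants.
RANSOM_EXTENSIONS = {".ecc", ".ezz", ".exx"}


def _has_ransom_extension(path):
    return os.path.splitext(path)[1].lower() in RANSOM_EXTENSIONS


def find_ransom_artifacts(root):
    """Walk `root` and return sorted paths whose extension matches a known suffix."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if _has_ransom_extension(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def burst_alert(events, window_seconds=60, threshold=20):
    """Return True when at least `threshold` ransomware-suffixed files are created
    within any span of `window_seconds`.

    `events` is an iterable of (unix_timestamp, path) file-creation records, such as
    a file-integrity monitor or audit log would produce. Assumed input shape.
    """
    stamps = sorted(t for t, path in events if _has_ransom_extension(path))
    lo = 0
    for hi in range(len(stamps)):
        # Slide the window start forward until it fits within window_seconds.
        while stamps[hi] - stamps[lo] > window_seconds:
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False


def demo():
    """Build a constructed directory tree and two constructed event streams;
    return (artifact basenames found, burst alert, slow-drip alert)."""
    with tempfile.TemporaryDirectory() as root:
        saves = os.path.join(root, "saves")
        os.makedirs(saves)
        # Constructed sample: game saves and profiles, three already renamed.
        for name in ("profile.dat.ecc", "level1.sav.ezz", "notes.txt", "photo.jpg.exx"):
            open(os.path.join(saves, name), "w").close()
        hits = sorted(os.path.basename(p) for p in find_ransom_artifacts(root))

    # Constructed telemetry: 25 renamed files in 25 seconds versus one every 10 minutes.
    burst = [(1000 + i, f"/data/doc{i}.docx.ecc") for i in range(25)]
    slow = [(1000 + i * 600, f"/data/doc{i}.docx.ecc") for i in range(25)]
    return hits, burst_alert(burst), burst_alert(slow)


if __name__ == "__main__":
    print(demo())
```

The sweep is useful after the fact, for scoping which shares were touched before restoring from the offline backups the post recommends; the burst check is the piece worth wiring into whatever file-change feed you already have, since it fires during the encryption run rather than after it.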

Thanks for reading! 

My First “Con”: Alice in Security Wonderland


This month I did something that is a rite of passage for anyone in InfoSec:  I attended my first “Con”, Circle City in Indianapolis, a Security Convention that is about the community and largely attended by … hackers.

Let’s clear up a big misconception. The hackers I know are definitely not the stereotype found ad nauseam. Yes, there are hackers who choose to attack our systems, steal data, and threaten our security. But there’s a whole other group out there who are also hackers, in the constructive sense of the term. They “hack” to understand and improve the code and technology we use every day; they test networks and programs, finding weaknesses and vulnerable points we need to defend from the attackers. Highly skilled and naturally curious, they understand our systems better than we understand ourselves. They know what can go wrong because they know how it can be broken, and that prevention is the best fix.

Cons offer a major venue to present new research and discoveries, and to discuss theories about a fascinating range of topics that impact Information Security.  There are a variety, in different flavours, with varying appeal. And they happen throughout the year. Every year in  August, Las Vegas hosts DEF CON, a massive hacker event, alongside the more corporate Blackhat, and BSidesLV, from the popular local BSides series encouraging novice through expert.   We have some in Canada, but the cost of admission and travel are big factors for attendance.  When I asked what first Con should be, Circle City was the resounding choice.  Smaller, new (this was its second year and very successful), it would be well-attended by people I knew, and feature a diverse mix of classes and talks.

To say this was an incredible learning opportunity would be an understatement. There was a constant exchange of information happening on and offline. I felt like I was back in university, in a very good way, as we worked together in small groups to resolve a given problem and then present to the class. And there I was, sitting and working with some of the smartest, most interesting people I have ever met, who made me feel welcome and invited my contributions. It was truly a privilege.

The best connections however, aren’t plugged into the network, but those made within the network of attendees.  This is a community.  There is an open camaraderie as folks who spend most of the year connecting online enjoy this opportunity to connect face to face. Attendees wear t-shirts from the past cons they’ve attended.  Badges on lanyards denote speakers, participants, staff, and trainers.  Tattoos are a walking montage of art and personal expression. Some describe themselves as introverts, but at these Cons they are among friends, accepted and welcomed.  And then there are the parties, when hackers come out to play and the fun lasts all night long.  A series of artful DJs delivered a wicked sound and light show as a wish-list of arcade games beckoned and we talked until we lost our voices. Yes, Alice, welcome to InfoSec!

Closing ceremonies may be worth missing at some conventions, but I’m glad I stayed to take it all in. It was all good fun watching prizes bestowed on heartily enthusiastic winners. Raffle tickets were sold in handfuls to keen attendees, for a range of prizes including an extraordinary quilt made by one of the members, the intricate pattern actually an encrypted message. Recognition and thanks were sincerely given to those who had given so much. And then there was a moment that brought many of us to tears, as a fellow hacker fighting cancer was welcomed on stage, and the story about bringing him to the Con was told. This really is a community.

I’m so glad I fell down this rabbit hole to InfoSec. I started following paths on Twitter, which is an incredible repository of access points for up to the minute security developments, detailed research, knowledgeable blog posts, and of course, people with whom to connect. Now my kids regulate my screen time and tweets. Had you told me a couple years ago that I’d sit in on a talk about digital forensics and devour every word of it, I would have called you crazy.  Instead, you can call me Alice, because InfoSec has become my Wonderland of learning and discovery. Welcome to my excellent InfoSec adventure.  I can’t wait for what comes next – in Vegas!