Category Archives: security

Quickhits: Monday Dec 18 2018

Posted on by
Reply

New attack on Apache Struts: We’ve seen patches issued in March, May and agin this fall for exploits against vulnerabilities in this widespread open source web development  framework used to build JAVA web applications. In this report by F5 labs,  a sophisticated new campaign, “Zealot”, is leveraging ShadowBroker exploits EternalBlue and EternalSynergy.  Zealot is described as a “highly obfuscated and multi-staged attack”, in keeping with these exploits, and utilizes Powershell in Windows attacks, and Python in Linux attacks. Zealot mines the cryptocurrency Moneris, popular amongst cybercriminals.

Potential for Uptick in Iranian-based attacks:  The nuclear deal between Iran and the US seems tenuous at best. There is growing concern that should Trump end things, there will be a corresponding response from Iranian-based hackers. Iranian attacks are state-sponsored, so these won’t be cybercrime cash-grabs, but targeted espionage or worse, damaging attacks against infrastructure, like Shamoon wiperware. And since the attackers do the recon well in advance of the big event, I’d be watching IP addresses and any data exfil carefully.

Banking Trojan Emotet:  There is an increase in banking trojan activity. Malware hunters are sharing reports on new activity for Emotet, which made a resurgence in July this year.  A dedicated group of researchers has been steadily updating and sharing their findings on Pastebin here. 

VirusBulletin and Critical Flaws:  VirusBulletin is a very widely used forum for security analysts to test and share malware or suspect findings. Two researchers claim there are unpatched critical flaws that have yet to be remediated and that VirusBulletin has been advised.

 

 

 

 

 

My First Keynote: Lookout S(h)ecurity Bootcamp Toronto

Posted on by
Reply

Lookout Security in Toronto is hosting an exciting event on January 12 2018 for women who are interested in  cybersecurity, and currently in the tech field.  I am honoured to have been asked to be the keynote speaker at this event. This will be my first keynote! I love that this happens with something I really care about: encouraging women in tech, specifically in cybersecurity.

This is what it’s all about.  Encourage learning, growth and opportunity. Events like these grow far beyond the one day they are held, as I can attest from my work with The Diana Initiative. Friendships form, bonds are made, contacts and networking happen. It’s all good!

This is going to be a fantastic and fun day of learning. You had me at reverse engineering! What a great opportunity. Thank you Lookout!

Avast AV & CCleaner Massive Malware Download: How to Help the End users

Posted on by
Reply
ccleaner

Screenshot of CCleaner from Talos Blog

Computers are hard. Ask the average user. They expect technology to serve their needs, not the other way around. Computers are supposed to be instant gratification, entertainment, making life easier, solving problems. They are not supposed to require much more effort than pressing the “on” key and typing. Anything else is our problem – we we were supposed to build security in, right?

We talk increasingly about “the human condition” in tech and security, because more often than not, it is that path of least resistance. Attackers know how we succumb – hence phishing. We opt for free – but you really do only get what you pay for, and buyer beware. Convenience, immediacy, lowest price – these drive the standard of quality in our connected world. It explains the current abysmal state of the IoT. And as we know, we cannot keep doing what we have been doing because – say it with me – it just doesn’t work anymore.

So when things go wrong, which they have been on an almost daily basis it seems, we who are tech reach out to the end users and let them know that they have to do more: remove software, delete files, check for files, run scans. As anyone who has ever worked helpdesk or worked with end users knows, this is not an easy ask. Most people struggle with just setting up their ISP modem/routers. Never mind removing default passwords or enabling controls. People tend to be afraid of technology, because as humans, we are afraid of what we don’t know. So we are afraid of breaking things, just as we are afraid to ask for help. And face it, tech support has earned its reputation for good reason.  People know when they are being made fun of, talked down to. We don’t make it easy for people to ask for help.

It doesn’t help that mega breaches and global ransomware outbreaks have been consistently in the headlines this past year. It’s enough to give anyone breach fatigue. And that’s what brings me to this. The talented team at Cisco Talos have issued a warning in their blog about a massive malware infection being spread by a tool, CCleaner 5.33, that has been shipping with a popular, often free, antivirus product, Avast. This is the statement according to Piriform, who owns CCleaner:

“An unauthorized modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems.”

There are excellent technical write ups on this latest event and mine is not one of them. Initially, I saw the threat of securing third parties – we all know the perils of supply chain. But then, as I read through it, I realized I could read through it only after months of immersing myself, by choice, in infosec. Choosing to look up and learn what I did not already know (which is still a lot). The average user – that ain’t happening. They may read some of the articles that are more mainstream, but don’t bank on that either. Increasingly, end users are hitting the bar. Some are defeatist, saying they don’t care anymore, it’s pointless, what can they do anyway. Others believe in the power of the megacorps to protect them, so they follow whatever advice is given, like buying credit monitoring. Because that is easier than having to piece together a solution themselves on something they really know nothing about. And others prefer the head in the sand approach – Hear no evil, see no evil. I kid you not.

Some are lucky enough to have the money to pay a tech to fix the problem. Some have tech friends/family who can fix it for them. Most, however, are cast adrift on a sea of increasing peril, without life preservers. And even if we threw them a lifeline, we can’t expect they would be willing to take it. Trust goes both ways.

Before you make fun of the folks who chose Avast because it was free, here’s how I rationalized it years ago, before I arrived in InfoSec. I knew I needed to do something to secure my computer, and a free AV was better then nothing at all. Plus I could use it. And understand enough to use it, to scan. To pay attention if it alerted me. Maybe I even read a bit more to see that it suggested things I could do to clean up my computer and be safer. So, I would have downloaded CCleaner, which I have seen recommended in other places as a safe and free solution to optimizing my performance. And here’s the thing – I would have expected a known AV product, like Avast, would not be endorsing something harmful. Hence, I could trust CCleaner because I could trust Avast.

certsAnd Avast trusted CCleaner enough to promote and bundle them. To download them. So let’s look at that breakdown of trust. The researchers at Cisco Talos flagged a malicious executable file while doing some beta testing for their new product. That file happened to be the installer file for CCleaner v5.33. Now, that file was being delivered as downloads in good faith by legit CCleaner servers to millions of customers. It was legit because the appropriate digital certification was issued and signed to the main company, Piriform.

Enter the attackers. They had managed to intrude this trust worthy process and include a free, unwelcome gift with download.  This was malware, a malicious payload containing the ability to call back to the attackers command and control server, as well as being equipped with a DGA or Domain Generating Algorithm – definitely not a good thing. Obfuscation is a thing. If you can’t find someone was there, how do you know? And, without evidence or proof, trying to analyze this after the fact is problematic. The good news is there was a short window of release between August 15 til the latest version, 5.34 was issued on September 12. In previous attacks I’ve seen, manipulation of digital certificates is often an indicator that compromise is deep, systemic even, and trust in the signing authority may have been misplaced. In this case, Cisco cites:

 “the fact that the binary was digitally signed using a valid certificate issued to the software developer, it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization. It is also possible that an insider with access to either the development or build environments within the organization intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code”

Looking through the malware, Cisco found clues that the attacker tried to cover their tracks. Once the infection was in place, the program worked to erase its source data and the memory regions it inhabited. With the legit program now installed, the attacker has the ability to do as they wish in the machine they now occupy. Which means they can gather system information on the machine and send it back to their command + control server. With this link established, other malware could be sent to infect the compromised machines. Here is a high level view of what happens, as written by the Talos crew:talos pic2

As for the DGA, if the key C+C server for the malware failed to respond, the program had a failback to generate some other IP addresses using the DGA and dns lookups. Here’s the good news. Talos used the algorithm and found that the domains it generated had not been registered. Moving on it,  they registered them instead and sinkholed them to keep the attackers out. As well, the malicious version of CCleaner had been removed from the download servers.

talos pic3

What is of concern is how many people around the world apparently use CCleaner.  As of today, Piriform is somewhat ambivalent in its claims of the number of users affected. Are they limited to only 32 bit windows machines? If you go back to Aug 15, would almost 4 million users have downloaded the malware?

cleaner

Talos advises that users need to either rollback to the previous version or install the new one. Which brings me to my earlier point about the human condition:

“according to the CCleaner download page, the free version of CCleaner does not provide automated updates, so this might be a manual process for affected users.”

The team at Talos is seeing a lot of DNS activity around machines trying to connnect with those suspect domains that are no longer available. And the only reason can be those machines are being controlled by malware. Worse, the malware is not being detected using current methods. So far as fixing things goes: if you currently are a Cisco customer then you are covered. As for the rest of us, sigh. We have work to do. Uninstalling will not remove the malware. That is left to you.  If you have a full backup of your system, (and in this age of ransomware you really, really need one)  you can restore from that. Otherwise, I suggest using Malwarebytes.

http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html

https://techcrunch.com/2017/09/18/avast-reckons-ccleaner-malware-infected-2-27m-users/

Learning: Reversing Malware

Posted on by
Reply

Have you ever wanted to learn about reversing malware? There is no better way to understand exploits and infections. It’s essential as attacks evolve and we need to understand what’s being leveraged, how and why. It’s fascinating, and yes – you can do this. Dream big! Aim high!

@MalwareUnicorn (Twitter) is one of the best there is at this and she shares her wisdom and knowledge online. I’ll make you a deal – let’s start learning this together. I promise regular progress updates.

Here is her site. Let’s get going!

https://securedorg.github.io/RE101/

Update: WannaCry Ransomware

Posted on by
Reply

 

pewmap

real time botnet tracking map by http://www.malwaretech.com

The number of countries impacted is over 1 00. We are expecting version 2.0 to hit by Monday, because that’s the nature of  these attacks: the attackers know when they have their victims over a barrel, and the maximize the opportunity. Microsoft has issued patches. But what everyone can and must do, over and above applying these specific patches, is this:

  • Ensure you have full, and working backups that are offline and removed from the network.
  • Have a Disaster Recovery/Business Continuity plan that specifically addresses cyber events like this one
  • Be ready with a crisis communications designated spokesperson and prepared statements. If you’ve been hit, and things are going terribly wrong, then you don’t want to be dealing with that and trying to say the right things to press, staff, stakeholders
  • Check in with and listen to your network and sysadmins. They know what’s going on out there. They’ve seen the sh*t that happens, what breaks, and why
  • Don’t evade or deflect this topic. Don’t underplay it, and of course don’t focus on the fear. Have honest discussions with your staff because this is how you creating lasting awareness and create change in behaviours that will better secure your organization

I follow these two experts on the risks to specialized systems, notably ICS or Industrial Control Systems and SCADA, Supervisory Control and Data Acquisition. Note that medical facilities, mass transit, manufacturing and utilities all rely on these specialized systems that are proprietary;  are often set up with hard coded or default passwords that are NOT secure; and with older equipment that just can’t be upgraded so is left to run unpatched until it fails. There is so much more we need to address.

Here is a global snapshot (per CTV news):

russiatrain

Russian Train Control Center Ransomwared

EUROPEAN UNION: Europol’s European Cybercrime Centre, known as EC3, said the attack “is at an unprecedented level and will require a complex international investigation to identify the culprits.”
BRITAIN: Britain’s home secretary said the “ransomware” attack hit one in five of 248 National Health Service groups, forcing hospitals to cancel or delay treatments for thousands of patients — even some with serious aliments like cancer.
GERMANY: The national railway said Saturday departure and arrival display screens at its train stations were affected, but there was no impact on actual train services. Deutsche Bahn said it deployed extra staff to help customers.
RUSSIA: Two security firms — Kaspersky Lab and Avast — said Russia was hit hardest by the attack. The Russian Interior Ministry, which runs the country’s police, confirmed it was among those that fell victim to the “ransomware,” which typically flashes a message demanding payment to release the user’s data. Spokeswoman Irina Volk was quoted by the Interfax news agency Saturday as saying the problem had been “localized” and that no information was compromised. Russia’s health ministry said its attacks were “effectively repelled.”
UNITED STATES: In the U.S., FedEx Corp. reported that its Windows computers were “experiencing interference” from malware, but wouldn’t say if it had been hit by ransomware. Other impacts in the U.S. were not readily apparent.
TURKEY: The head of Turkey’s Information and Communication Technologies Authority or BTK says the nation was among those affected by the ransomware attack. Omer Fatih Sayan said the country’s cyber security centre is continuing operations against the malicious software.
FRANCE: French carmaker Renault’s assembly plant in Slovenia halted production after it was targeted. Radio Slovenia said Saturday the Revoz factory in the southeastern town of Novo Mesto stopped working Friday evening to stop the malware from spreading.
BRAZIL: The South American nation’s social security system had to disconnect its computers and cancel public access. The state-owned oil company Petrobras and Brazil’s Foreign Ministry also disconnected computers as a precautionary measure, and court systems went down, too.
SPAIN: The attack hit Spain’s Telefonica, a global broadband and telecommunications company.

 

1 Billion Accounts Breached: Are YOU in here?

Posted on by
Reply

pwndedd

If you haven’t heard, there are currently about 1 billion accounts caught in two massive breaches: Exploit.in and AntiPublic. I’m one of that billion, and so was a family member. So are work colleagues. So that’s why I’m writing this – for the people I want to protect.

Security researcher Troy Hunt has been actively working on these breaches and getting notifications out. Among the key concerns raised was credential stuffing.

Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.

As Troy lays out -and we need to be reminded of – this matters to us because:

  • It’s enormously effective due to the password reuse problem
  • It’s hard for organisations to defend against because a successful “attack” is someone logging on with legitimate credentials
  • It’s very easily automatable; you simply need software which will reproduce the logon process against a target website
  • There are readily available tools and credential lists that enable anyone to try their hand at credential stuffing

You can read his site to see more. So what that leads to is stuff like this:

Exploit.in is 111 text files large at 24 GB, a mountain of email addresses paired with passwords Given Troy’s research do far, of the 593,427,119 unique email addresses contained, there are accurate ie valid creds and data that isn’t already compromised so fresh kill. There are only 222 million duplicates between the lists, so that means 63% of the accounts in Exploit are different from the 457,962,538 addresses in AntiPublic.

The numbers are staggering, but what we need to be “impressed” by is what led to this. It’s the same root causes, known failings and weaknesses and bad habits that have accumulated as data has accumulated. We all know how much easier it is to fix a problem in the early stages.

So the AntiPublic tool verifies how legitimate hacked credentials are, and there are data breach services that pop up to buy and sell these credentials. I have contacts who tell me that everytime these dumps happen they find a significant number of compromises in their regions, regardless of how many recycled creds are in there. Troy gathered some explanations on how this works:

the tool itself is for sale here [redacted]
it’s pretty cheap
it’s mostly used in Russia, but he does sell an english version
most common use-case: someone buys a dump on x forum, uses the tool to verify which ones are legit
similar to sentryMBA and account hitman
you will often see a uniqueness score associated with the sale based on output

I really appreciate the work done by security researcher Troy Hunt and his site HaveIBeenPwned .  This is a quick and easy way for anyone to check the status of their email or username, as well as to receive notifications of when they may be caught up in a breach. Because the sooner you can change your passwords, the better.

 

It Really Was the Lazarus Group, in North Korea with SWIFT

Posted on by
Reply

swift

Last week, news broke that the US had linked North Korea to the theft of millions against the Federal Reserve in a series of bank heists involving the SWIFT messengering system.  I did a couple talks last year about banking insecurity as a fairy tale that misrepresented itself in the form of that trusted messengering system, SWIFT.  The deeper I delved, the scarier that fairy tale got. But from the start I had my suspicions about who was behind it and why. Why was a big factor because it ruled out the usual bank cyber crime suspects, aka Russia and Eastern Europe. This was too overt a move for a nation state to make right? Well, that depends which nation state you are.

And this was where my poli sci years kicked in.  I’ve always stood at that intersection of international relations and cybersecurity. It’s one heck of a vantage point. I do threat intel. Still pinching myself because I didn’t know this thing I love to do even existed a few years ago. But as I learn and grow in this field, what becomes increasingly clear is the need for context. That we have to take more than we surmise into account to really get the big picture. And we need the big picture to do this right. Otherwise we risk making the wrong call when we choose to play the attribution blame game, where the stakes are high and the consequences could level a lot more than the proverbial playing field.  So international relations, current affairs, global economy and history all need to be factored in. Then we have data with context and points that link, so we can see patterns.

kimbo

Linda Davidson/Washington Post

Because for me this story was always so much more than just “hackers went after a billion but only got 81 million”.  Who was behind those hackers? Why Bank of Bangladesh? Who needed a billion badly enough to digitally “rob” a bank? I’ll admit I have my likely crew: Russia, China, North Korea.  In this case, Russia and China were too big to make this kind of a play and have to contend with the global condemnation.  That’s a headache they would rather avoid and neither needed a billion dollars that badly. However, North Korea was a different story: impoverished, starving, and whose wildcard of a leader answered to no one in his quest for nukes. As per a recent story in the Washington Post:

“North Korea has consistently been treated like a joke, but now the joke has nuclear weapons,” said John Park, director of the Korea Working Group at the Harvard Kennedy School. “If you deem Kim Jong Un to be irrational, then you’re implicitly underestimating him.”

Kim Jong Un may be crazy but he’s crazy like a fox.  Hence why the attacks were on banks where nobody would care. Because the truth is first world problems get the attention, not developing nations like those in South East Asia. And of course, security was lax, because the resources just weren’t there. Nor was the mindset.  Corruption and coercion get things done in many parts of the world. How do you factor those into NIST spreadsheets and security audits?

A colleague and I had a great brainstorming session on geopolitics and cybersecurity as we put the details together. His keen insights and my paranoia spun the needle to land on North Korea. We just didn’t have any proof.  Fast forward a few months later, though, and tracks were found in the butter. Remember what I said earlier about the importance of history, context and patterns? Key pieces of code harkened back to the attack on Sony, and some very crafty work by the Lazarus Group.  While it wasn’t a smoking gun, it certainly was substantive. After his work on decoding Stuxnet, I listen when Eric Chien of Symantec weighs in. He knew what he saw there and he called it.

sonyhackIn the realm of cyber criminals, The Lazarus Group are somewhat nebulous, hard to pin down, and known for their ability to die off and then resurrect themselves, hence their name.  They’ve been identified as operating out of North Korea. To me, that means North Korea gives them a safe haven in return for services rendered. They are the bag man for their host supplying “dirty deeds”, just not done dirt cheap.  Because nation states don’t do this stuff for themselves when they need to remain one step removed.  Let me state that things are no where near this simplistic, and yes, China factors into this as well.  But no surprise there given the long-standing partnership between China and North Korea.

lazarus_map_ENWhere does this lead? Well, I did allude to the possibility of global economic chaos being used in the games nations play, because it’s all about the power and money is just a means to that end. Now we have news reports saying how nation states have resorted to robbing banks, and what a terrifying prospect that is. According to Richard Ledgett, Deputy Director of the NSA, in a story by the Wall Street Journal:

“If that linkage is true, that means a nation-state is robbing banks. That is a big deal; it’s different,” he said on Tuesday during a panel discussion at the Aspen Institute.

Mhm. I have a lot more where that came from.

Please click here if you’d like to see my talk on SWIFT and banking insecurities.

sectorslide

The ABC’s of APTs: Shamoon

Posted on by
Reply

sham35Welcome to the grey zone where politics and cyber meet. APTs or advanced persistent threats, are one of my favourite acronyms (but then you know how I am intrigued by Stuxnet and cartels), and essentially are how nation states get their digital digs at each other. Usually the intention is to get information, because knowledge is power. Cyberespionage can give a competing nation a real competitive advantage in the world economy, among other things. But sometimes, there is a need to control more, and that is where weaponizing code takes on a whole new nasty.

The keyword here is “persistence.”  First, attackers must find their way into the networks of the target. Usually, they employ targeted spear phishing, painstakingly staking out the right victim to receive that loaded email.  The investment of time and money at this point is essential, so as not to tip anyone off. And the emails are crafted so carefully, picking up on points tailored to that recipient so that they will open it, and launch the attachment that will create an entry point for the attacker. There is a reason why phishing is at the heart of so many breaches.

Now, imagine a video game, where you must progressively meet the challenges of each level to go higher. That is the attacker moving through the network, acquiring credentials to gain access to the crown jewels. The strategy is to find someone lower level, then work your way up. Hence, persistence, because this is an investment of both time and patience. Expect the key executives or decision makers to be well-guarded, with access and authorization controls in place. Not the case for someone lower on the food chain. All an attacker needs is to gain access. As proven repeatedly, once in, they can take all the time they need to find what they want. Case in point: the attack on the Ukraine power grid in December 2016.  The attackers were in that system for over nine months, collecting what they needed, notably credentials for the Virtual Private Network, that enabled them to jump the security gap onto the restricted side. As Stuxnet taught us, there is no such thing as air-gapped security.

shamoonattackgraphic

We know the Russians hacked the US; we know China hacked the US and Canada; and yes, the US has hacked someone too. These are the games nations play. The trick, of course, is not to get caught before you have the prize. And when you do get caught?  Well, as we’ve seen play out, nothing really bad happens. Just expect that your victim will be in your systems. Unless information isn’t the endgame and control is. Then, be prepared for something to go bump in the night.

Shamoon is devastating wiper malware that took out a massive swath of Saudi Aramco when it first debuted in 2012.  Linked to Iran, and an ongoing feud in the region between key players, it was a targeted attack against the oil giant, damaging or destroying 35,000 computers. Sec Def at the time, Leon Panetta, described it as “probably the most destructive cyber attack on a business.”

Wiper malware was used against business targets in  December 2014 destroying the systems in a Vegas casino, The Sands, after owner Sheldon Adelson advocated using nuclear weapons against Iran. The US “publicly cited Iran as the culprit”.   Then Disstrack was used again in December 2015, in the attack that brought Sony to its knees.  These aren’t gangs using cybercrime for monetary gain. These are the equivalent of acts of war, given the level of damage done.

Fast forward to late 2016. Two major attacks happened in Saudi: November 17 taking out systems at the airport and other Saudi government agencies, and then again on November 29. Then, on January 23 there was another attack. The malware used was almost identical to the original Shamoon, aka Disstrack.  Except there were a few key enhancements.  According to Andrew Plato, CEO of Anitian Enterprise Security

 “What is really worrisome about this is it’s just outright destructive. It isn’t really trying to steal anything. It’s the closest things we’re going to get to a cyber bomb”.

The new version, dubbed Shamoon 2, spread through the local network using legitimate counts belonging to users and administrators, with complex passwords likely obtained from an earlier attack. Remember what I said about persistence?  This new version, however went on to attack VDIs, or Virtual Desktops, which previously could have offered some protection because of their ability to load snapshots of systems that were wiped. Now Shamoon had migrated from just Windows-based systems to Linux in the attacks on VDIs.

cyberwar1-1024x482

Now, I don’t want to be alarmist and spread FUD everywhere. Yes, this is serious and destructive. Like Stuxnet, it broke things. And that’s the differentiator. So far, the line hasn’t been crossed where breaking things was deliberately done to harm people. Because as Archer would say: You want cyberwar? Because that’s how you get cyberwar.

While the expectation is that Iran is once again behind the attacks, Symantec has revealed there are multiple parties involved. More than one entity, so collaboration and cooperation.  The report is that an entity known as Greenbug may have assisted in getting the credentials needed for access.  Palo Alto reported on a campaign known as Magic Hound which targeted energy, technology and government with ties or locations in Saudi.  There were links between Magic Hound and two other actors with Iranian ties: Charming Kitten and Rocket Kitten. Finally, putting all this together was the group Timberworm or Cobalt Gypsy.  Per Symantec, Timberworm was behind the January 23 attacks.

Here’s the play by play. First, Timberworm used spear phishing emails with weaponized documents (we warned you about those Office Macros!) to gain initial access into the network. Once there, they used custom malware, along with leveraging existing sysadmin tools to avoid detection, and help them achieve persistent remote access. Quick FYI: custom malware is a hallmark of major organized cybercrime groups or nation state attacks because it costs a lot of time and money to craft, and the stakes are going to be very high.

Apparently Greenbug and Timberworm have been active, penetrating organizations beyond Saudi. Note that Shamoon, however, was only used against the Saudi target. Timberworm is a large operation, as is Greenbug, with targets in a range of areas. We know who they are now, what they can do, and that they have a shared interest. What we don’t know: the endgame. I’m waiting for that other shoe to drop.

http://www.zerohedge.com/news/2016-12-01/another-false-flag-destructive-iranian-hackers-allegedly-wreak-havoc-saudi-computer-

http://www.securityweek.com/shamoon-2-variant-targets-virtualization-products

http://www.securityweek.com/multiple-groups-cooperated-shamoon-attacks-Symantec

http://www.archersecuritygroup.com/second-wave-bomb-malware-hits-saudi-arabia/

My Approach to Threat Intel

Posted on by
Reply

In my role at work as a Threat Intel analyst, I track developments using various media feeds, and put together a succinct daily report of several key items that are pertinent to our clients and business lines.  Of course, I share my findings on Twitter and LinkedIn because that’s how the security community flourishes: collaboration. And to say I love what I do would be an understatement.

I don’t pretend to be an expert at what I do, nor will I say I have the definitive definition of what Threat Intel is. There is so much information to capture and analyze, and the learning is continuous. For me, my love of threat intel is in the hunt: looking for trends, patterns, new developments, things that reappear.  If you seek, you will find. There are many ways to search, and I am always trying to learn from people who have been doing this longer. It’s like fine-tuning a guitar, so I’ll always be looking at how to improve what I do.

I have go-to sources I read regularly, people online I follow specifically. My twitter feed is huge and categorized. But if I want to know something right away, it’s usually on there. I also have other sources to check in with directly. I collate information on malware, Advanced Persistent Threats (my most favourite things), specialized systems and their unique vulnerabilities.  This has helped me develop a baseline understanding over the time I’ve been doing this, so that I can understand who the players are when it comes to exploit kits, ransomware or DDoS.  And I try to make sure I know who the experts are, so that when they find something I am paying attention. That’s the head’s up.

When I’ve talked on Blue Teaming with my awesome pal, Haydn Johnson, we refer to the importance of knowing your baseline, watching patterns, so that you can identify anomalies. Those are your threats. That is your head’s up.  I find the same thing here as I track tweets, stories, advisories, reports and blogs.  I look for evolutions in how malware is delivered, so changes in exploit kits, or for kits to disappear from site. That means those kits are going to reappear with a new twist that our standard levels of detection and protection may not recognize, so attackers can access systems. Or, it could mean a larger scale attack, like Carbanak, when a massive crime gang operates on a global level and banks get taken for $1 billion. I play a lot of “what if” because I find I need to think beyond the normal realm to expect the unexpected. After all, the attackers are going where we aren’t looking.

In the weeks to come, I will be trying to bring in more information to widen my search. I’m researching all I can on what experts think best defines Threat Intel and Hunting. Because to really capture what’s out there, we need to broaden our scope.  I want to be looking ahead of the curve in this chase, anticipating their next move based on the wealth of information we have at hand, and factoring in what we know about human behavior. Next gen tech has spawned next gen threats, and as always, the attackers are ahead of us. And here is the thrill of the hunt.

CyberSec for Everyone

Posted on by
4

I was recently asked to speak with Mansoor Tamweer, a reporter with Ryerson University here, about what the public should know as a general overview on Cybersecurity.  For me, it’s a privilege to be asked, and my calling to help others.

I don’t come from a traditional technical background. Infact, as I’ve often shared, I really didn’t think I could learn “tech”.  Until I sat down and took apart a computer and discovered the fun of learning hands on. That morphed quickly into becoming a software junkie. Back in the day when software suites were the thing: Lotus, WordPerfect, Microsoft. Like Pokemons, I had to catch ’em all.  Again though, learning for myself dispelled my old fears and hesitations. Instead, I understood things at a more user-based level, and was able to to explain “how” and “why” to non-technical people, equipping them with not just the skills but the confidence in themselves to try on their own. This is my biggest win. And I’ll keep doing that as I learn more, because everyone needs to know. We own our own security.

The recent ransomware attacks on Canadian universities prompted the call to me, because I had spoken with the Ottawa Citizen about a ransomware attack on Carleton about a month ago. Credit where credit is due: the information I share comes via others in our security community who really are the experts on malware, ransomware, threat intel, securing systems etc. I learn from them, then try to make the awareness and understanding happen for a broader base.   Imagine that we, the security folks, are the tip of the iceberg. We know and understand a lot. But everyone knows the mass of the icerberg is submerged. Like 95% of it. To me, those are the end users. The non-technical folks who trust in the products and services they buy. And who need us, more than ever. My theory is that if we can help those people do one or two basic security things better, then we may flip this table in our favour. Like a numbers game. You know the adage “Teach a man to fish, and he’ll eat for the rest of his life”. When I explain things to friends and neighbours, they want to learn. They’re scared, intimidated, but they want to protect themselves, their families, their homes. We can make that happen.

There is lots of FUD – fear, uncertainty, doom – being peddled. And the ubiquitous images of hackers hunched over keyboards in black hoodies. Clarification: hackers aren’t all bad guys. There are way more good guys, striving to learn things nobody else can, to improve things nobody else will. My hoodies are purple and red, and hunching is bad for my back. I’m not a “1337” or elite hacker – I’m still shiny new to this realm by many standards. But I’m learning the skills to understand how to protect based on how to attack. Break. Fix. Break again. We’re hackers – that’s what we do. And you need us to do this. How else are you going to know where your weak spots are?  Really, your best offence will be a solid defence because attackers go after the low-hanging fruit. They move on if there is anything in the way. That’s where teaching basic security at a level everyone can do comes in. And I know we will have to keep trying – this isn’t going to be easy. People are resistant to change, hesitant to learn new things. But if you are persistent, it will happen.

signbunny

Tameer was a great host, and I really enjoyed talking about security with him. One thing asked was if there were places for people to go and get a basic understanding of security. I said he could start here with my site. I am trying to make it a resource, a one-stop or a first-stop, for people at all levels. I’ll make sure I regularly feature security for beginners in this blog area as well as a resource page. Since we need to learn to walk before we run, what are the basics? Here’s my quick list:

1. Passwords. Do this right. It really is your first line of defense and a deterrent to the attackers. They will move on. There are rules, and passwords only work if you follow these rules: do not share your password; do not use the same password across multiple accounts; when you buy something, change the default password it comes with. And if you feel overwhelmed by trying to manage all your passwords, consider using a password manager like LastPass. I’m not endorsing anything but just giving you a starting point. Jessy Irwin, @jessysaurusrex on Twitter is a fantastic and funny resource on security for us all. Follow her.

2. Wifi. If you like using free wifi, or wifi hotspots, please do not believe those are safe. You need to surf protected, with a shield around you. This shield is called a VPN. A Virtual Private Network. You can get some for free that will buy you a few hours of security at a time or you can spend about $5 a month and get something really good. Why do you need it? When you go online, your IP address is visible to anyone. They can track you, mislead you, and attack you. A VPN switches your IP address which throws an attacker off your scent. You can go online without them knowing where exactly or who exactly you are. I use PIA Private Internet Access for my VPN if that helps.  And I use this on my cell phone. Easy to set up. No more excuses ok?

3. AntiVirus. It isn’t a silver bullet but it will catch things and help protect you. There are loads of free versions. At the bare minimum, you can use the one that comes with Windows. And i use it on all my devices. Avast is good. ESET. And if you want to spend more for extra protections, go ahead. Monitor all the connections. friends

4. Think before you click. Everyone has heard about phishing and ransomware. Yes. People send you stuff with attachments or links. You click it and “boom”!  But even the smartest people can be fooled. You can test that link before you click it to make sure it really is legit. You can enter the url or link info here: http://scanurl.net/.    As for that attachment, you can use you AV to scan it first.  This article by Lifewire has lots more info to help.

5. Backups. Set yourself up with backups. And multiple ones. Keep one off your network because your network gets contaminated. And when you get hit by ransomware, or malware, you have something to restore from. All your files are not lost forever. You won’t be held in some attacker’s grip.

6. Encryption. That sounds pretty technical for some. But the fact is, if you are using any mobile device, you need to encrypt the hard drive, or set up a passcode to lock the screen. Do you have any idea how many breaches have been caused by laptops stolen from cars or desks that were not encrypted? Windows will walk you through encrypting your own hard drive. And at the very least, secure your lock screen on your phone or tablet.  Those SMS messages we love to send? Texting. That is out in the wide open for everyone to access. You can use a secure encrypted messaging system that is just as easy and free. Signal. WhatsApp. Wire. Download. Set up your username and password. Done. No more prying eyes.

The interview with Tameer airs on January 23 on The Scope, Ryerson’s radio station. Thanks so much for the opportunity to share what I know. Stay safe!