Ransomware and My Cloud

December 10, 2017

I just reviewed descriptions of sample incidents associated with ransomware outlined in the ‘Top 10″ review by TripWire.

Ransomware attacks — malware that encrypts your data followed by the attacker attempting to extort money from you for the decryption secrets — are a non-trivial threat to most of us as individuals and all financial services enterprises.

Unfortunately for some, their corporate culture tends to trust workforce users’ access to vast collections of structured and unstructured business information.  That ‘default to trust’ enlarges the potential impacts of a ransomware attack.

As global Financial Services security professionals, we need to resist the urge to share unnecessarily.

We need to quickly detect and respond to malware attacks in order to constrain their scope and impacts.  Because almost every global Financial Services enterprise represents a complex ecosystem of related and in some cases dependent operations, detection may involve many layers, technologies, and activities.  It is not just mature access/privilege management, patching, anti-virus, or security event monitoring, or threat intelligence alone.

All of us also need to ensure that we have a risk-relevant post-ransomware attack data recovery capability that is effective across all our various business operations.

So, does the cloud make me safe from ransomware attack?  No.  Simply trusting your cloud vendor (or their hype squad) on this score does not reach the level of global Financial Services due diligence.  It seems safe to assert that for any given business process, the countless hardware, software, process, and human components that make up any cloud just make it harder to resist and to recovery from ransomware attack.  And under many circumstances, the presence of cloud infrastructure — by definition, managed by some other workforce using non-Financial Services-grade endpoints — increases the probability of this family of malware attack.

 

REFERENCE:

“10 of the Most Significant Ransomware Attacks of 2017.” By David Bisson, 12-10-2017. https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/10-significant-ransomware-attacks-2017/​

Advertisements

Pirated Software and Network Segmentation

July 17, 2017

Global financial services enterprises face a complex web of risk management challenges.
Sometimes finding the right grain for security controls can be a difficult problem.
This can be especially problematic when there is a tendency to attribute specific risks to cultures or nations.

A couple months ago I read a short article on how wannacry ransomware impacted organizations in China. Recently, while responding to a question about data communications connectivity and segmenting enterprise networks, I used some of the factoids in this article. While some propose material “savings” and “agility” enabled by uninhibited workforce communications and sharing, the global financial services marketplace imposes the need for rational/rationalized risk management and some level of due diligence evidence. Paul Mozur provides a brief vignette about some of the risks associated with what seems like China’s dependence on pirated software. Mr. Mozur argues that unlicensed Windows software is not being patched, so the vulnerability ecosystem in China is much richer for attackers than is found in societies where software piracy is less pronounced. Because of the scale of the issue, this seems like it is a valid nation-specific risk — one that might add some context to some individual’s urges to enforce China-specific data communications controls.

Again, there is no perfect approach to identifying security controls at the right grain. Story-telling about risks works best with real and relevant fact-sets. This little article may help flesh out one facet of the risks associated with more-open, rather than more segmented data communications networks.

REFERENCES:
“China, Addicted to Bootleg Software, Reels From Ransomware Attack.”
https://mobile.nytimes.com/2017/05/15/business/china-ransomware-wannacry-hacking.html


Code Review Required for JavaScript Too

December 17, 2016

In the course of my professional activity, I have repeatedly bumped into well-meaning individuals (developers, architects, leaders, and more) who believe that browser-hosted JavaScript is not a real security concern (anything important to protecting our systems and data happens back on servers, right?)  This can lead to a certain amount of passivity during code-promotion code reviews.

I was just looking for a current copy of the Automated Penetration Testing Toolkit (APT2), and happen to glance at one of the author’s blogs, and was presented with another reason that JavaScript code review and accompanying risk management is still a core capability.

Much of the automated web application testing that I see day to day does a great job finding bugs.  It does not, though, do such a great job identifying new features that require only a little code to implement.

Professional pen tester Adam Compton offers some keystroke logging JavaScript along with a primitive  to catch & log the output.  Adding a keystroke logging “feature” to one of your JavaScript modules could involve only a few lines of code, but could result in any number of abuse cases — and resulting in harm of varying scope & impacts.  Monitoring for “feature” additions to your JavaScript is just another reason to keep that language on your code review radar.

REFERENCES:

Automated Penetration Testing Toolkit (APT2)
https://github.com/MooseDojo/apt2

New Script/Tool: KeyLogging in JavaScript
http://blog.seedsofepiphany.com/2015/04/new-scripttool-keylogging-in-javascript.html

 


Protect Your USB

September 19, 2016

Physical and logical PC controls still matter.

Just one more reason to resist the shared madness of “bring your own device” and/or “anywhere/anytime/any-endpoint” in global Financial Services.  We hold trillions of dollars for our customers (under the guise of a broad and evolving range of relationships)!  To add value to those relationships, we turn that money into units that are inter-business (and Internet) friendly to enable complex webs of financial transactions and services.  The concentration of “cash” and its transformation into bits results in an attractive target for hostile parties of many types.  How could endpoint anarchy ever be a risk-appropriate behavior for any but a microscopically few roles within our ranks?  It seems like something we should expect to fail the “reasonable person” test.

I was just catching up on some of my random reading and bumped into this demonstration of Windows credential stealing with just 15 seconds of access to a PC’s USB port.

15 seconds of social engineering is not that hard to pull off, so all you have left are serious controls administering the use of your USB ports, physically destroying your USB ports (yes, that is a serious option), along with multi-layer physical & logical security to the location of the PC at any given time.

Take a look st the video below along with the supporting paper.  Then voice your professional opinion and conscience wherever appropriate to resist elevated risk endpoint behaviors.  And if your role permits, ensure that your Financial Services organization has the goals and resources to effectively deal with attacks like the ones enabled by this automated, USB enabled assault.

REFERENCES:

15 Second Password Hack, Mr Robot Style
Video:
https://www.hak5.org/episodes/season-21/hak5-2101-15-second-password-hack-mr-robot-style
Supporting Paper
https://www.hak5.org/blog/15-second-password-hack-mr-robot-style


Verizon Says Passwords are Not Enough

April 25, 2016

Lately, I’ve been spending a lot of time performing static code security assessments of web applications. That leads to working with developers and those who work around them. One thing many of them share with me is their faith in authentication infrastructure — infrastructure that generally sits “in front” of their applications and protects them from unauthorized users. Sometimes I still hear Architects talk about “security” as if it were really just authentication… In that context, the latest Verizon Data Breach Investigations Report (DBIR) reviews their 2016 dataset of over 100,000 incidents, including 2,260 confirmed data breaches across 82 countries.

The full paper is worth a read, but in the context of my comments above I wanted to highlight Verizon’s recommendations concerning passwords:

“…passwords are great, kind of like salt. Wonderful as an addition to something else, but you wouldn’t consume it on its own.”

“63% of confirmed data breaches involved weak, default or stolen passwords.”

The top 6 breaches included the following steps: “phish customer > C2 > Drop Keylogger > Export captured data > Use stolen credentials”

Recommendaton:
“If you are securing a web application, don’t base the integrity of authentication on the assumption that your customers won’t get owned with keylogging malware. They do and will.”

REFERENCES:
Verizon Data Breach Investigations Report (DBIR)
http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/insiders/

 


Another Demonstration of How Mobile Phones & their Supporting Networks are Vulnerable to Abuse

April 17, 2016

Some continue to hype “bring your own device” (sometimes just BYOD) as near-term technology and business goal for global Financial Services enterprises.  At its most shrill, the argument hammers on the idea like ‘we all have a smart phone and it has become the center of our lives…‘  In this industry we are all responsible for protecting trillions of dollars of other people’s money as well as digital information about customers (individuals & companies), partners, and deals, all of which must remain highly secure, or the foundation of our business erodes.  That responsibility is wildly out of alignment with most BYOD realities.  In that context, this blog entry is an offering to help risk management teams educate their Financial Services organizations about some of the risks associated with using mobile phones for work activities.

Here is some content that may be useful in your security awareness campaign…

Financial Services executives “private” communications could be of high value to cyber criminals. So too could be your Finance staff, Help Desk, Reporting Admin, Database Admin, System Admin, and Network Admin communications. There are a lot of high value avenues into Financial Services organizations.

Under the title “Hacking Your Phone,” the 60-Minutes team have security professionals demonstrate the following in a 13 minute video:

  • Any attacker needs just their target’s phone number, to track the whereabouts, the text traffic, and the details of phone conversations initiated or received by their prey. Turning off your “location status” or other GPS technology does not inhibit this attack. It depends upon features in the SS7 (Signalling System #7) network that have been overly permissive and vulnerable to abuse for decades. These SS7 vulnerabilities appear to remain after all this time because of nation-state pressures to support “lawful interception.”
    They demonstrate their assertion in an experiment with U.S. Representative Ted Lieu, a congressman from California.
  • Attackers can own all or some of your phone when you attach to a hostile WiFi. Never trust “public” or “convenience” (for example “hotel”) WiFi. Attackers present look-alike WiFi (sometimes called “spoofing”) and then use human’s weakness for “trustworthy” names to suck targets in.
    They demonstrate this approach by stealing a target’s mobile phone number, account ID, and all the credit cards associated with– with that account, along with their email.
  • Attackers use social engineering to get their software installed on targeted devices. One outcome is that they can also monitor all your activity via your mobile phone’s camera and microphone — without any indication from the mobile device screen or LEDs, and the attacker’s software does not show up via any user interface even if you tried to find it.
    They demonstrate this approach with the 60 Minutes interviewer’s device.

Remember, not everyone employed throughout Financial Services enterprises understands the risks associated with performing business activities via mobile devices.  Use materials like this video to augment your risk awareness program.

REFERENCES:
“Hacking Your Phone.” aired on April 17, 2016
http://www.cbsnews.com/news/60-minutes-hacking-your-phone/

SS7, Signalling System #7 https://en.wikipedia.org/wiki/Signalling_System_No._7

Lawful interception.” https://en.wikipedia.org/wiki/Lawful_interception

 

 


Can Financial Services Explain How Mac OS X Security is Good Enough?

April 29, 2015

After years of attempting to generate love by claiming that a Mac “doesn’t get PC viruses. A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers.” (apple.com 2012)”, Apple has introduced technology for at least 4 different approaches to strengthening OS X resistance to hostile malware.

These features include:

  • gatekeeper
  • xprotect
  • OS X sandbox
  • code-signing

Each of these features is an attempt to compensate for and overcome software architectures, designs, and implementations that are overly-permissive — resulting in software that too easily “trusts.”  They represent the type of “bolt on security” that Financial Services enterprises are expected to implement throughout their secure software practices.  “Secure-enough” software needs to be created or adapted with that goal in place throughout the entire SDLC and/or acquisition process and must not treat risk management as something that is applied to software only after it is finished.

There is a lot of evidence that these features are still far too little, too late. In a recent presentation at RSA, Patrick Wardle, Director of Research, Synack, described the current situation as “lots of Macs, feeble anti-malware protections, os x malware, and limited detection/prevention tools.” He then walked the audience methodically through exploits against each of the Apple OS X anti-malware protections, and then outlines a range of approaches to Mac malware persistance. Finally, he mentions a couple tools for detecting OS X malware: knockknock (ui) & blockblock.

Wardel’s presentation references OS X malware/exploit work by fG!. In one relatively recent talk at SyScan15, after 165 slides outlining OS X threat vectors and their exploit he concluded that “Apple product security strategy is reactive not proactive. If they have any strategy at all…”

These guys don’t represent an isolated fringe of the the professional risk management world.  They are serious professionals, attempting to help others “get it.”  Their work seems to be a shout for recognition that OS X malware-enabled exploits represent a foundational and (for most Financial Services enterprises) critically-important risk.

Why is this such a big deal?  Remember, each of our organizations needs to be diligent and effective at resisting attack along all vectors, while attackers need only be successful against one of them.  Attackers know that Macs are vulnerable via a number of vectors, that Mac security products are not great, and that Mac users are finding ways to “plug them into” corporate environments.

For many Financial Services enterprises, request by request, exception by exception, members of the workforce have been hosting an increasing range of business activities on Macs (on both unmanaged, and under-managed endpoints).  They are granted remote access.  They are plugged into our “trusted” internal networks.  And they get the same “trusted” access as heavily-managed, standard Windows endpoints.  Sometimes an organization has a fog of “managed” or “secured” and authorized Macs that mask this core risk management issue — which, for the most part, remains the same.

As a result, we need to help our leaders carefully think through:

  • Whether this is risk-appropriate for any given Financial Services use case,
  • What alternatives to current Mac-enabled practices exist, and should we migrate to them? Are isolation techniques “good-enough?”
  • How we are going to protect our assets and operations from the threat vector Mac endpoints pose?
  • How are we going to tell our Mac endpoints risk management story to all relevant stakeholders?

REFERENCES:

“Malware Persistence on OS X Yosemite” by Patrick Wardle (http://www.rsaconference.com/speakers/patrick-wardle).
Thursday, April 23, 2015
Session: https://www.rsaconference.com/events/us15/agenda/sessions/1591/malware-persistence-on-os-x-yosemite

Presentation: https://www.rsaconference.com/writable/presentations/file_upload/ht-r03-malware-persistence-on-os-x-yosemite_final.pdf

“BadXNU — A rotten apple!.” by fG!/@osxreverser (https://reverse.put.as/about/)
https://reverse.put.as/wp-content/uploads/2015/03/SyScan15-BadXNU_presented_slides.pdf

 

 


%d bloggers like this: