Friday, October 31, 2014

Cybersecurity Nightmares

It's Halloween, and it's not just trick-or-treaters that scare us, or TK Keanini. Keanini, Chief Technology Officer at Lancope, has compiled a number of short and horrifying cybersecurity scenarios entitled "Welcome to My Cyber Security Nightmare."

Welcome to My Cybersecurity Nightmare
This past year, we have seen some pretty scary stuff happen in cybersecurity. With Halloween almost here, I thought I would share with you some scenarios that keep me up at night. These are scenarios that we are not ready to battle, and that are well beyond the horrific headlines we read on a daily basis. If you enjoy a good scare, read on.

User Participation in Cyber-Attacks
Most of the resources cybercriminals use to carry out their objectives are acquired through some method that results in compromised computers on the Internet. These resources remain available until the user or organization detects and remediates the incident. But what if the user participated willingly? Instead of bad guys having to compromise hosts, what if they instead cut other people such as corporate insiders in on the profits? Given cryptocurrency, the TOR network, and a few other factors, this could be a nightmare scenario, as we are not ready for this type of surge in distributed attacks.

The recruitment for this could be something like the ‘work from home’ signs you see around your town. The work could be as easy as downloading and installing a package and could earn the host user as much as $10.00/day. That is $300.00/month for someone to simply leave their computer running and connected. The average citizen is not likely to know what type of activity their computer is involved in on a daily basis.

The end result of this scenario would be a massive number of networked computers available for distributed denial-of-service, cryptographic brute forcing, or remote network sniffing. With the cooperation of the host, the capability list is endless, and because they are making money, the host will be motivated to help the cybercriminals persist. Service providers and law enforcement are not ready for this type of attack. This could lead to botnet armies with size and capabilities we have never seen before.

Expansion of Capability Marketplaces
Another nightmare scenario is for cybercriminals to expand their marketplace networks. Today you look at coordination networks like Uber, Instacart, etc. These services are facilitators connecting a consumer who wants something delivered with a network of people who can deliver it.

Now think of applying this pattern to cybercrime. On one end there is a criminal who would like the login credentials of a Global 2000 executive. Via TOR networking, they go to a site where they can place their request, submit their cryptocurrency, and a skilled global workforce accepts this objective and delivers it within the terms of the agreement. This lowers the coordination cost for cybercrime to near zero and connects the demand with the supply in ways that have never been seen to date.

Because so many people are motivated by money, a service like this could turn citizens into cybercriminals if they believe they cannot get caught and that they can easily make a few bucks on the side.

The last thing I will say about this type of participation and marketplace networks is that they fragment security events into small, seemingly disconnected pieces where one event might not look harmful, but only when seen as a whole can the impact and significance be evaluated.

The Next Level of Cybercrime: Click to Compromise
Consider a SaaS service that helped a person compute their cybercrime – Cybercrime as a Service.
The power of big data analytics and machine learning can compute amazing insight for businesses, and it can do the same for criminals. A criminal could log in to a website and declare their objective, and the service would compute several attack plans that the criminal could choose from. This would work in the same way that a user is presented with multiple routes to reach a destination when getting directions online.

This Cybercrime as a Service would have social networks mapped, personal information on each individual, language analysis that yields a level of trust between individuals, mapping to various accounts (some of which may have been compromised), etc. All of this would be creating a corpus of data that can lead the criminal through a directed graph leading to the objective (exfiltration of a file, ransomware, etc.).

Remember, cybercrime is a business and profitable businesses only get smarter and more effective. These are things that keep me up at night because in our current state, there is nothing that makes these types of attacks hard to execute for cybercriminals, and they could easily turn from nightmare to reality.

Thursday, October 30, 2014

How PCI's 6 Objectives & 12 Requirements Overlap with Critical Security Controls

Tripwire has released an infographic that provides a visual layout of how the PCI DSS 3.0 requirements align with the foundational Top 20 Critical Security Controls.

Not to be outdone, we've published PCI Compliance: The Definitive Guide and Information Security Policy Development for Compliance: ISO/IEC 27001, NIST SP 800-53, HIPAA Standard, PCI DSS V2.0, and AUP V5.0.

Information Security Policy Development for Compliance supplies a simplified way to write policies that meet the major regulatory requirements, without having to manually look up each and every control. It's an essential guide for policy writers who must meet multiple compliance standards or regulations.

Wednesday, October 29, 2014

New Round of Shellshock Attacks Affecting Email

In response to the news of an emerging round of Shellshock attacks which are tapping hosts over SMTP, Gavin Millard, EMEA Technical Director at Tenable Network Security, comments:

"The interesting thing about SMTP attacks is that, if they are email based, it's possible that sending one email could infect many different systems which process the email. In tandem, anything that looks at email, such as spam filters based on Linux, could in turn be vulnerable. What that means is that this latest vector, utilising the Bash Bug, is simple to execute and enables remote code execution which could lead to a worm being created and unleashed - potentially with devastating consequences. If you haven't already, hunt down any system that has vulnerable versions of bash and update immediately. Shellshock will be a favourite vulnerability for malicious attackers for some time, so we're bound to see more interesting exploits of this massive flaw."

Wednesday, October 22, 2014

Android Ransomware Spreading via SMS

From Eskenzi PR Ltd:

Following the news that a Koler worm is spreading via SMS and holding Android phones for ransom, Mark James, security specialist at ESET, explains how the attack works and how to get rid of it:

"The natural progression from desktop to mobile device for ransomware was going to pick up momentum at some point and sure enough, we are seeing more and more cases of malware on the mobile platforms (Android). The biggest factor in this is people's assumption that they are safe on a mobile.
"In this particular case, an SMS is used for the initial contact - which in itself can lure a level of trust that emails do not have - if the masked (truncated) link is followed by a page that will display some kind of tasty treat for free (that may include a free service or free app) which once installed will contain the malware, ransom screens are then presented on your device with no apparent way to get rid of them. These often will use such words as "child pornography" designed to scare the individual into paying the ransom to have it removed.
"Removing these types of infections is often very simple and can be done by either booting into safe mode (internet searches will often yield many results on how to do this yourself) and uninstalling the offending application (or the last installed app if you don’t remember the name) or, as a last resort, factory resetting the device and restoring from your last good backup (maybe 1 or 2 days prior to be safe). The best advice I can give here is DO NOT install any apps from third party websites or links; both Apple and Google Play are by no means 100% safe, but they are a lot safer than using a random website to install apps."

Related Books:

Android Malware and Analysis by Ken Dunham and Friends

Android Security: Attacks and Defenses by Anmol Misra and Abhishek Dubey

Monday, October 20, 2014

Chinese Smartphones a Security Threat

While I'm fascinated by this, it's becoming old news. Of course if it's made in China, it's going to report home.

News would be that Chinese manufacturers were acting like their US counterparts and making it difficult, if not impossible, for the government to access devices. Hats off to (and I shudder to say these names) Apple and Google.

Some soon-to-be-published books:

Secure Development for Mobile Apps: How to Design and Code Secure Mobile Applications with PHP and JavaScript by J. D. Glaser

Android Malware and Analysis by Ken Dunham and Friends

Wednesday, October 15, 2014

CryptoWall 2.0 Ransomware Moves to TOR Network

Dangerous new ransomware variant storms onto the scene using the anonymous TOR network, taking down systems and networks unlucky enough to be caught in its path

Tampa Bay, FL (October 15, 2014) KnowBe4 issued an alert to IT Managers that a new version of the world's most widespread ransomware, CryptoWall, has migrated to the TOR network. It has been upgraded to version 2.0, and continues to encrypt files so that a ransom can be extracted if there are no backups or if the backup process fails, which is a common occurrence.

KnowBe4 received a panic call from an IT admin who was hit this week with CryptoWall. The admin’s workstation became infected with the malware. The workstation was mapped to 7 servers and within an hour, the entire server farm was shut down. The admin explained he had backups but it would take days to recover the data and get them back up and running. The company’s operations would be severely impacted.

“The cyber criminals hit pay dirt with this one and the admin ended up paying the ransom, 1.3 Bitcoin, rather than face the serious costs caused by days of downtime,” said Stu Sjouwerman, KnowBe4’s CEO. “This is the next generation of ransomware and you can expect this new version to spread like wildfire.”

CryptoWall 2.0 went live October 1st and is now using the anonymous TOR network, making it very difficult to analyze or take down. Earlier versions of CryptoWall were not using TOR but HTTP, which allowed researchers to analyze the communication between the infected machine and the command & control server so they could take down the servers that delivered the malware. This version of CryptoWall has been tested for months and the malware uses innovative ways to propagate itself, like using ads on websites that take advantage of vulnerabilities in browsers and unpatched plug-ins.

Sjouwerman advises these three steps as something IT admins HAVE TO, HAVE TO do:

1. Make regular backups, and have a backup off-site as well. TEST your restore function regularly to make sure your backups actually work.

2. Patch browsers as soon as possible, and keep the amount of plug-ins as low as you can. This diminishes your attack surface.

3. Step all users through effective training on security to prevent malware infections in the first place.

For end users, Sjouwerman advises, “Think before you click. Don’t open anything from someone unless you are expecting it. Hover over an email address to make sure it's from a valid domain, one you know and recognize.”

Tuesday, October 14, 2014

Russian Hackers Spying on NATO: Business as Usual

Following the news of the new Russian 'Sandworm' hack that is exploiting a bug in Microsoft Windows to spy on NATO, EU, Ukraine and others, Tim Erlin, director of IT security and risk strategy for Tripwire, explains why this is no surprise:

"It's a short path from shoe phones to zero days. It's simply not surprising that this kind of activity has been going on. Russia, the United States, Britain and others have long histories of very strong and effective spy organizations. There should be little surprise that these groups have continued their missions through the boom of technology.

"Defending against such a targeted attack is extremely difficult. When the attacker is willing to spend significant resources to compromise you specifically, the playing field can be very uneven. As an industry, we tend to focus on the many broad threats that exist, but these kinds of targeted and sophisticated campaigns may actually do more damage."

Conflict and Cooperation in Cyberspace: The Challenge to National Security, edited by Panayotis Yannakogeorgos and Adam Lowther of the Air Force Research Institute, brings together some of the world’s most distinguished military leaders, scholars, cyber operators, and policymakers in a discussion of current and future challenges that cyberspace poses to the United States and the world. Maintaining a focus on policy-relevant solutions, it offers a well-reasoned study of how to prepare for war, while attempting to keep the peace in the cyberspace domain.

Thursday, October 2, 2014

Ten Strategies of a World-Class Cybersecurity Operations Center

The MITRE Corporation is offering a free book, "Ten Strategies of a World-Class Cybersecurity Operations Center," by Carson Zimmerman.