## Archive for the ‘Cybersecurity’ Category

### Metron – A Fist Full of Subjects

Monday, April 24th, 2017

Metron – Apache Incubator

From the description:

Metron integrates a variety of open source big data technologies in order to offer a centralized tool for security monitoring and analysis. Metron provides capabilities for log aggregation, full packet capture indexing, storage, advanced behavioral analytics and data enrichment, while applying the most current threat-intelligence information to security telemetry within a single platform.

Metron can be divided into 4 areas:

1. A mechanism to capture, store, and normalize any type of security telemetry at extremely high rates. Because security telemetry is constantly being generated, it requires a method for ingesting the data at high speeds and pushing it to various processing units for advanced computation and analytics.
2. Real time processing and application of enrichments such as threat intelligence, geolocation, and DNS information to telemetry being collected. The immediate application of this information to incoming telemetry provides the context and situational awareness, as well as the “who” and “where” information that is critical for investigation.
3. Efficient information storage based on how the information will be used:
1. Logs and telemetry are stored such that they can be efficiently mined and analyzed for concise security visibility
2. The ability to extract and reconstruct full packets helps an analyst answer questions such as who the true attacker was, what data was leaked, and where that data was sent
3. Long-term storage not only increases visibility over time, but also enables advanced analytics such as machine learning techniques to be used to create models on the information. Incoming data can then be scored against these stored models for advanced anomaly detection.
4. An interface that gives a security investigator a centralized view of data and alerts passed through the system. Metron’s interface presents alert summaries with threat intelligence and enrichment data specific to that alert on one single page. Furthermore, advanced search capabilities and full packet extraction tools are presented to the analyst for investigation without the need to pivot into additional tools.

Big data is a natural fit for powerful security analytics. The Metron framework integrates a number of elements from the Hadoop ecosystem to provide a scalable platform for security analytics, incorporating such functionality as full-packet capture, stream processing, batch processing, real-time search, and telemetry aggregation. With Metron, our goal is to tie big data into security analytics and drive towards an extensible centralized platform to effectively enable rapid detection and rapid response for advanced security threats.

Metron (website)

Metron wiki

Metron Jira

Metron Git

Security threats aren’t going to assign themselves unique and immutable IDs. Which means they will be identified by characteristics and associated with particular acts (think associations), which are composed of other subjects, such as particular malware, dates, etc.

Being able to robustly share such identifications (unlike the “we’ve seen this before at some unknown time, with unknown characteristics,” typical of Russian attribution reports) would be a real plus.

Looks like a great opportunity for topic maps-like thinking.

Yes?

### Scotland Yard Outsources Violation of Your Privacy

Monday, April 24th, 2017

From the post:

The existence of a secretive unit within London’s Metropolitan Police that uses hacking to illegally access the emails of hundreds of political campaigners and journalists has been revealed. At least two of the journalists work for the Guardian.

Green Party representative in the British House of Lords, Jenny Jones, exposed the unit’s existence in an opinion piece in the Guardian. The facts she revealed are based on a letter written to her by a whistleblower.

The letter reveals that through the hacking, Scotland Yard has illegally accessed the email accounts of activists for many years, and this was possible due to help from “counterparts in India.” The letter alleged that the Metropolitan Police had asked police in India to obtain passwords on their behalf—a job that the Indian police subcontracted out to groups of hackers in India.

The Indian hackers sent back the passwords obtained, which were then used illegally by the unit within the Met to gather information from the emails of those targeted.

Trevor covers a number of other points, additional questions that should be asked, the lack of media coverage over this latest outrage, etc., all of which merit your attention.

From my perspective, these abuses by the London Metropolitan Police (Scotland Yard), are examples of the terrorism bogeyman furthering government designs against quarrelsome but otherwise ordinary citizens.

Quarrelsome but otherwise ordinary citizens are far safer and easier to spy upon than seeking out actual wrongdoers. And spying justifies part of Scotland Yard’s budget, since everyone “knows” a lack of actionable intelligence means terrorists are hiding successfully, not the more obvious lack of terrorists to be found.

As described in Trevor’s post, Scotland Yard, like all other creatures of government, thrives in shadows. Shadows where its decisions are beyond discussion and reproach.

In choosing between supporting government spawned creatures that live in the shadows and working to dispel the shadows that foster them, remember they are not, were not and never will be “…on you side.”

They have a side, but it most assuredly is not yours.

### Leaking Improves Security – Secrecy Weakens It

Monday, April 24th, 2017

If you need a graphic for the point that leaking improves security – secrecy weakens it, consider this one:

Prior to the Shadow Brokers leak of the NSA’s DoublePulsar Malware, how many people were researching a counter to it?

Same question, but substitute: After the Shadow Brokers leak ….

As the headline says: Leaking Improves Security – Secrecy Weakens It.

Image originates from: Over 36,000 Computers Infected with NSA’s DoublePulsar Malware by Catalin Cimpanu.

Anyone who suggests otherwise wants you and others to be insecure.

### Anonymous Domain Registration Service [Update: 24 April 2017]

Sunday, April 23rd, 2017

Pirate Bay Founder Launches Anonymous Domain Registration Service

Does this sound anonymous to you?

With Njalla, customers don’t buy the domain names themselves, they let the company do it for them. This adds an extra layer of protection but also requires some trust.

A separate agreement grants the customer full usage rights to the domain. This also means that people are free to transfer it elsewhere if they want to.

“Think of us as your friendly drunk (but responsibly so) straw person that takes the blame for your expressions,” Njalla notes.

Njalla

Perhaps I’m being overly suspicious but what is the basis for trusting Njalla?

I would feel better if Njalla only possessed a key that would decrypt (read authenticate) messages as arriving from the owner of some.domain.

Other than payment, what other interest do they have in an owner’s actual identity?

Perhaps I should bump them about that idea.

Update: On further inquiry, registration only requires an email or jabber contact point. You can handle being anonymous to Njalla at those points. So, more anonymous than I thought.

### ARM Releases Machine Readable Architecture Specification (Intel?)

Saturday, April 22nd, 2017

ARM Releases Machine Readable Architecture Specification by Alastair Reid.

From the post:

Today ARM released version 8.2 of the ARM v8-A processor specification in machine readable form. This specification describes almost all of the architecture: instructions, page table walks, taking interrupts, taking synchronous exceptions such as page faults, taking asynchronous exceptions such as bus faults, user mode, system mode, hypervisor mode, secure mode, debug mode. It details all the instruction formats and system register formats. The semantics is written in ARM’s ASL Specification Language so it is all executable and has been tested very thoroughly using the same architecture conformance tests that ARM uses to test its processors (See my paper “Trustworthy Specifications of ARM v8-A and v8-M System Level Architecture”.)

The specification is being released in three sets of XML files:

• The System Register Specification consists of an XML file for each system register in the architecture. For each register, the XML details all the fields within the register, how to access the register and which privilege levels can access the register.
• The AArch64 Specification consists of an XML file for each instruction in the 64-bit architecture. For each instruction, there is the encoding diagram for the instruction, ASL code for decoding the instruction, ASL code for executing the instruction and any supporting code needed to execute the instruction and the decode tree for finding the instruction corresponding to a given bit-pattern. This also contains the ASL code for the system architecture: page table walks, exceptions, debug, etc.
• The AArch32 Specification is similar to the AArch64 specification: it contains encoding diagrams, decode trees, decode/execute ASL code and supporting ASL code.

Alastair provides starting points for use of this material by outlining his prior uses of the same.

Raises the question why an equivalent machine readable data set isn’t available for Intel® 64 and IA-32 Architectures? (PDF manuals)

The data is there, but not in a machine readable format.

Anyone know why Intel doesn’t provide the same convenience?

### Shortfall in Peer Respect and Accomplishment

Saturday, April 22nd, 2017

I didn’t expect UK government confirmation of my post: Shortfall in Cypbersecurity Talent or Compensation? so quickly!

I argued against the groundless claims of a shortage of cybersecurity talent in the face of escalating cybercrime and hacking statistics.

If there were a shortage of cybersecurity talent, cybercrime should be going down. But it’s not.

The National Crime Agency reports:

The National Crime Agency has today published research into how and why some young people become involved in cyber crime.

The report, which is based on debriefs with offenders and those on the fringes of criminality, explores why young people assessed as unlikely to commit more traditional crimes get involved in cyber crime.

The report emphasises that financial gain is not necessarily a priority for young offenders. Instead, the sense of accomplishment at completing a challenge, and proving oneself to peers in order to increase online reputations are the main motivations for those involved in cyber criminality.

Government agencies, like the FBI for example, are full of lifers who take their breaks at precisely 14:15 PM, have their favorite parking spots, play endless office politics, masters of passive-aggression, who make government and/or corporate work too painful to contemplate for young cybersecurity talent.

In short, a lack of meaningful peer respect and a sense of accomplishment is defeating both government and private hiring of cybersecurity talent.

Read Pathways Into Cyber Crime and evaluate how the potential young hires in there would react to your staff meetings and organizational structure.

That bad? Wow, you are worse off than I thought.

So, are you going to keep with your certificate-driven, cubicle-based, Dilbert-like cybersecurity effort?

How’s that working out for you?

You will have to take risks to find better solutions but you are losing already. Enough to chance a different approach?

### Shortfall in Cypbersecurity Talent or Compensation?

Friday, April 21st, 2017

Federal effort is needed to address shortfall in cybersecurity talent by Mike McConnell and Judy Genshaft.

If you want to get in on cybersecurity training scam business, there are a number of quotes you can lift from this post. Consider:

Our nation is under attack. Every day, thousands of entities – private enterprises, public institutions and individual citizens—have their computer networks breached, their systems hacked and their data stolen, degraded or destroyed. Such critical infrastructure impacts the cyber-sanctity of our banking system and electric power grid, each vital to our national security. We believe systemically developing more skilled cybersecurity defenders is the essential link needed to protect our nation from ‘bad actors’’ who would exploit our vital systems.

In its latest global survey, the Information Security Certification Consortium (ISC²) projects a cybersecurity talent shortfall of as much as 1.8 million professionals by 2022­­. This shortage in skilled cybersecurity professionals means that all data and digital systems are at risk. Closing the cyber talent gap will require sustained and concerted efforts of government, the private sector, and educational institutions at all levels.

If you don’t already know that hacking increases every year, spend some time at: Hackmageddon. Or with any security report on hacking.

Think about it. How does cybercrime keep increase during a shortfall of cybersecurity talent?

Answer: It doesn’t. Plenty of cybersecurity talent, just a shortfall on one side of the picture.

A “shortfall,” if you want to call it that, caused by low wages and unreasonable working conditions (no weed, even off the job).

All calls for more cybersecurity talent emphasize being on the “right side,” protecting your country, the system, etc., all BS that you can’t put in the bank.

If you want better cybersecurity, have aggressive compensation packages, very flexible working conditions. The talent is out there, it’s just not free. (Nor should it be.)

### Leak “Threatens Windows Users Around The World?”

Thursday, April 20th, 2017

Really? Shadow Brokers leaking alleged NSA malware “threatens users around the world?”

Hmmm, I would think that the NSA developing Windows malware is what threatens users around the world.

Yes?

Unlike the apparent industry concealment of vulnerabilities, the leaking of NSA malware puts all users on an equal footing with regard to those vulnerabilities.

In a phrase, users are better off for the NSA malware leak than they were before.

They know (or at least it has been alleged) that these leaked vulnerabilities have been patched in supported Microsoft products. By upgrading to those products, they can avoid these particular pieces of NSA malware.

Leaking vulnerabilities enables users to avoid perils themselves, in this case by upgrading, and/or to demand patches from vendors responsible for the vulnerabilities.

Do you see a downside I don’t?

Well, aside from trashing the market for vulnerabilities and gelding security agencies, neither one of which I will lose any sleep over.

### Who Prefers Zero Days over 7 Year Old Bugs? + Legalization of Hacking

Thursday, April 20th, 2017

“Who” is not clear but Dan Goodin reports in Windows bug used to spread Stuxnet remains world’s most exploited that:

One of the Microsoft Windows vulnerabilities used to spread the Stuxnet worm that targeted Iran remained the most widely exploited software bug in 2015 and 2016 even though the bug was patched years earlier, according to a report published by antivirus provider Kaspersky Lab.

In 2015, 27 percent of Kaspersky users who encountered any sort of exploit were exposed to attacks targeting the critical Windows flaw indexed as CVE-2010-2568. In 2016, the figure dipped to 24.7 percent but still ranked the highest. The code-execution vulnerability is triggered by plugging a booby-trapped USB drive into a vulnerable computer. The second most widespread exploit was designed to gain root access rights to Android phones, with 11 percent in 2015 and 15.6 percent last year.

A market share of almost 25%, despite being patched in 2010, marks CVE-2010-2568 as one of the top bugs a hacker should have in their toolkit.

Not to denigrate finding zero day flaws in vibrators and other IoT devices, or more exotic potential exploits in the Linux kernel but if you approach hacking as an investment, the “best” tools aren’t always the most recent ones. (“Best” defined as the highest return for mastery and use.)

Looking forward to the legalization of hacking, unauthorized penetration of information systems, with civil and criminal penalties for owners of those systems who get hacked.

I suggest that because hacking being illegal, has done nothing to stem the tide of hacking. Mostly because threatening people you can’t find or who think they won’t be found, is by definition, ineffectual.

Making hacking legal and penalizing business interests who get hacked, is a threat against people you can find on a regular basis. They pay taxes, register their stocks, market their products.

Speaking of paying taxes, there could be an OS upgrade tax credit. Something to nudge all the Windows XP, Vista, 7 instances out of existence. That alone would be the largest single improvement in cybersecurity since that because a term.

Legalized, hackers would provide a continuing incentive (fines and penalties) for better software and more consistent upgrade practices. Take advantage of that large pool of unpaid but enthusiastic labor (hackers).

Wednesday, April 19th, 2017

From the post:

I looked at the IOCs @GossiTheDog ‏posted, looked each up in virus total and dumped the compilation timestamp into a spreadsheet.

To step back a second, the Microsoft Windows compiler embeds the date and time that the given .exe or .dll was compiled. Compilation time is a very useful characteristic of Portable Executable. Malware authors could zero it or change it to a random value, but I’m not sure there is any indication of that here. If the compilation timestamps are real, then there’s an interesting observation in this dataset.

A very clever observation! Check time stamps for patterns!

1. Where the Shadow Broker exploits stolen prior to 2013-08-22?
2. If no to #1, where are the exploits post 2013-08-22?

Have dumps so far been far away lightning that precedes very close thunderclaps?

Imagine compilation timestamps in 2014, 2015, or even 2016?

Listen for Shadow Brokers to roar!

### More Leveling – Undetectable Phishing Attack

Monday, April 17th, 2017

From the post:

Browsers such as Chrome, Firefox, and Opera are vulnerable to a new variation of an older attack that allows phishers to register and pass fake domains as the websites of legitimate services, such as Apple, Google, eBay, and others.

Discovered by Chinese security researcher Xudong Zheng, this is a variation of a homograph attack, first identified by Israeli researchers Evgeniy Gabrilovich and Alex Gontmakher, and known since 2001.

This particular hack depends upon variant characters being available within one language set, which avoids characters from different languages (deemed phishing attempts).

To make this work, you will need a domain name written using Punycode (RFC 3492), which enables the writing of Unicode in ASCII.

There’s a task for deep learning, scanning the Unicode Code Charts for characters that are easy to confuse with ASCII characters.

If you have a link to such results, ping me with it.

### Shadow Brokers Level The Playing Field

Monday, April 17th, 2017

The whining and moaning from some security analysts over Shadow Broker dumps is a mystery to me.

Apologies for the pie chart, but the blue area represents the widely vulnerable population pre-Shadow Brokers leak:

I’m sorry, you can’t really see the 0.01% or less, who weren’t vulnerable pre-Shadow Brokers leak. Try this enlargement:

Shadow Brokers, especially if they leak more current tools, are leveling the playing field for the average user/hacker.

Instead of 99.99% of users being in danger from people who buy/sell zero-day exploits, some governments and corporations, now it is closer to 100% of all users who are in danger.

Listen to them howl!

Was was not big deal, since people with power could hack the other 99.99% of us, certainly is now a really big deal.

Maybe we will see incentives for more secure software when everyone and I mean everyone is at equal risk.

Help Shadow Brokers level the security playing field.

A post on discovery policy for vulnerabilities promotes user equality.

Do you favor user equality or some other social regime?

### The Line Between Safety and Peril – (patched) “Supported Products”

Saturday, April 15th, 2017

Friday’s release—which came as much of the computing world was planning a long weekend to observe the Easter holiday—contains close to 300 megabytes of materials the leakers said were stolen from the NSA. The contents (a convenient overview is here) included compiled binaries for exploits that targeted vulnerabilities in a long line of Windows operating systems, including Windows 8 and Windows 2012. It also included a framework dubbed Fuzzbunch, a tool that resembles the Metasploit hacking framework that loads the binaries into targeted networks.

Independent security experts who reviewed the contents said it was without question the most damaging Shadow Brokers release to date.
“It is by far the most powerful cache of exploits ever released,” Matthew Hickey, a security expert and co-founder of Hacker House, told Ars. “It is very significant as it effectively puts cyber weapons in the hands of anyone who downloads it. A number of these attacks appear to be 0-day exploits which have no patch and work completely from a remote network perspective.”

News of the release has been fanned by non-technical outlets, such as CNN Tech, NSA’s powerful Windows hacking tools leaked online by Selena Larson.

Microsoft has responded with: Protecting customers and evaluating risk:

Today, Microsoft triaged a large release of exploits made publicly available by Shadow Brokers. Understandingly, customers have expressed concerns around the risk this disclosure potentially creates. Our engineers have investigated the disclosed exploits, and most of the exploits are already patched. Below is our update on the investigation.

Of the three remaining exploits, “EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk. Customers still running prior versions of these products are encouraged to upgrade to a supported offering.
… (emphasis in original)

You are guaranteed to be in peril if you are not running patched, supported Microsoft products.

Even if you are running a supported product, know that 50% of all vulnerabilities are from failure to apply patches.

Unlike the hackers who may be in your system right now, liability of vendors for unreasonably poor coding practices or your company for data breaches caused by your practices, such as failure to apply patches, would be incentives for more secure software and better security practices.

If you are serious about cybersecurity, focus on people you can reach and not those you encounter at random (hackers).

### Power to the User! + Pull Advertising

Friday, April 14th, 2017

From the post:

An ad blocker that uses computer vision appears to be the most powerful ever devised and can evade all known anti ad blockers.

A team of Princeton and Stanford University researchers has fundamentally reinvented how ad-blocking works, in an attempt to put an end to the advertising versus ad-blocking arms race. The ad blocker they’ve created is lightweight, evaded anti ad-blocking scripts on 50 out of the 50 websites it was tested on, and can block Facebook ads that were previously unblockable.

The software, devised by Arvind Narayanan, Dillon Reisman, Jonathan Mayer, and Grant Storey, is novel in two major ways: First, it looks at the struggle between advertising and ad blockers as fundamentally a security problem that can be fought in much the same way antivirus programs attempt to block malware, using techniques borrowed from rootkits and built-in web browser customizability to stealthily block ads without being detected. Second, the team notes that there are regulations and laws on the books that give a fundamental advantage to consumers that cannot be easily changed, opening the door to a long-term ad-blocking solution.
… (emphasis in original)

How very cool! Putting users in charge of the content they view. What a radical idea!

Koebler does the required genuflection towards the “ethics” of blocking ads, but I see no “ethical” issue at all.

IBM, Cisco, etc., are wasting their time and mine advertising enterprise scale security solutions to me. Promise.

What’s broken is that advertisers, like telephone scammers, must contact millions of people to find those unlucky enough to answer the ad and/or phone.

For example, not this year but in a few years, I’m going to buy a new car. When that time comes, ads and offers on cars of certain types would be welcome.

What if I could specify a time period, price range, model of car and for that relevant period of time, I get card ads, etc. Notice I have pre-qualified myself as interested, so the advertisers aren’t talking about hits out of millions but possibly thousands if not hundreds. Depends on how good their offers are.

Or if generally I’m interested in books in particular categories or by particular authors? Or when cheese is on sale at Kroger? All of which I could pre-qualify myself.

Pull advertising reduces the bandwidth wasted by advertisers who push content never knowing where a mark (sorry, customer) may be found.

Such a system would need to protect the privacy of consumers, so they would not be pestered when they had not opted in for ads. But anonymous ad brokerage is certainly doable. (The opposite of finding a subject with topic maps is concealing it.)

Interested in ending web-based spam/click-bait?

### Happy Easter From Shadow Brokers!

Friday, April 14th, 2017

From the post:

On Good Friday and ahead of the Easter holiday, the Shadow Brokers have dumped a new collection of files, containing what appears to be exploits and hacking tools targeting Microsoft’s Windows OS and evidence the Equation Group had gained access to servers and targeted the SWIFT banking system of several banks across the world.

The tools were dumped via the Shadow Brokers Twitter account and were accompanied by a blog post, as the group did in the past.

Called “Lost in Translation,” the blog post contains the usual indecipherable ramblings the Shadow Brokers have published in the past, and a link to a Yandex Disk file storage repo.

Cimpanu has a partial list of some of the more interesting hacking tools in the release.

Encouragement to grab a copy of the archive for yourself.

Assuming any, some or all of these tools are genuine, you can now start peeling banks, corporations and governments like eating an orange.

The only thing that’s missing is you.

Transparency anyone?

### MS Patch for Zero Day Leaves 56% Of Office Users Exposed

Tuesday, April 11th, 2017

From the post:

Microsoft on Tuesday released a patch for a zero-day vulnerability that was discovered late last week and used to spread the Dridex banking Trojan.

Attacks were spreading via a massive spam campaign where emails contain Microsoft Word documents with malicious attachments that exploited a vulnerability in the way Microsoft handles OLE2Link objects. According to researchers, the attacks were effective at bypassing most mitigation efforts.

Err, well, except that Tom goes on to say:

However, Microsoft notes “you must have the release version of Service Pack 2 for Office 2010 installed on the computer” to apply the security update. Alternatively, security experts recommend blocking RTF documents in Microsoft Word via the File Block Settings in the Microsoft Office Trust Center. They also recommend using Microsoft Office Protected View, which they say can help prevent exploitation without user interaction.

A highly unscientific survey of MS Office users at: http://www.msofficeforums.com/versionchart.php?mon=12, shows the patch leaves 56% of Office users vulnerable.

Is that the total you get?

Anyone spreading the Dridex malware need not despair about the MS patch. The majority of Office users remain unprotected.

### Pursuing Cybersecurity

Wednesday, April 5th, 2017

should make you realize hunting and punishing hackers a very doubtful approach to improving cybersecurity.

Even if flaws are fixed in software, users resist upgrading and in other cases, vulnerabilities persist over decades. To put it bluntly, the opportunities for hacking increase with every software release or patch.

Hackers can be and are caught, then tried or plead out with great fanfare, but if security reports are to be credited, cybercrime continues to increase by leaps and bounds.

Using a non-cybersecurity example, what if your locality had a burglary problem? Every month, as new homes are built, the burglary rates go up. Upon investigation you discover that builders are not putting locks on doors or windows of new homes.

1. Hire more police officers and step up patrols to catch burglars, or
2. Require builders to install and test locks on windows and doors.

Option #1, like punishing hackers, requires you to catch the burglars first. A chancy proposition at best, even more so for hackers. The bottom line is you are catching and punishing a minuscule portion of the burglars or hackers. For our example, assume that burglaries continue to increase despite your high conviction rate.

Option #2, well, builders are a lot easier to catch than burglars or hackers. They are selling a commercial product that depends upon repeat business so we can not only set requirements, we can also monitor if those requirements are being met.

Setting the standards for legal liability for flaws in software won’t be easy, but consider that despite the liabilities imposed on pharmaceutical companies:

Last year, five pharmaceutical companies made a profit margin of 20% or more – Pfizer, Hoffmann-La Roche, AbbVie, GlaxoSmithKline (GSK) and Eli Lilly.
… (from Pharmaceutical industry gets high on fat profits)

Vendors can compete to produce more secure software (less liability) or compete to race to market with insecure software (feeding hackers).

Which approach do you think leads to greater cybersecurity overall?

### Targeting Tuesday: 600,000 Windows Server 2003 Installations

Tuesday, April 4th, 2017

From the post:

A vulnerability has been discovered in Windows Server 2003 running IIS6 by two security researchers at the South China University of Technology, but Microsoft said it won’t issue a patch even though up to 600,000 servers could be running the unsupported software.

The researchers posted a proof-of-concept exploit for the zero-day to Github. The flaw is a zero-day buffer overflow vulnerability (CVE-2017-7269) which has been traced to an improper validation of an ‘IF’ header in a PROPFIND request.

The researchers said it’s not a theoretical risk as the flaw was exploited in the wild in July or August 2016. It was disclosed to the public this week.

“A remote attacker could exploit this vulnerability in the IIS WebDAV Component with a crafted request using PROPFIND method. Successful exploitation could result in denial of service condition or arbitrary code execution in the context of the user running the application,” said Virendra Bisht, a vulnerability researcher at Trend Micro.

He added that other threat actors are now in the stages of creating malicious code based on the original proof-of-concept (PoC).

No patch from Microsoft so this vulnerability will be around for quite some time. Long enough to test your skills at working from a PoC or a CVE (CVE-2017-7269) to develop working code.

Test against your local Windows Server 2003 installation on a VM.

If you are serious about security research, start collecting OS editions and their patches. Refresh your storage media on a regular schedule.

Monday, April 3rd, 2017

The cost of potential future losses from ATMs is baked into every bank fee. Good planning for banks because 95% of ATMs are still running Windows XP. The losses are coming, just not there, yet.

Mail this image to your local bank, ditto for members of board of directors:

I can’t promise your bank will upgrade its ATM software but pass any reduction in anticipated future costs along to you.

However, the staff and directors are likely to give their Errors and Omission (E&O) policies a close review. 😉

Come to think of it, you should pass this along to any insurance agents selling E&O coverage. Great technique to drive their business and perhaps result in better security for banking customers.

### Eroding the Presumption of Innocence in USA

Saturday, April 1st, 2017

You may be laboring under the false impression that people charged with crimes in the USA are presumed innocence until proven guilty beyond a reasonable doubt in a court of law.

I regret to inform you that presumption is being eroded away.

Kevin Poulsen has a compelling read in FBI Arrests Hacker Who Hacked No One about the case of Taylor Huddleston was arraigned on March 31, 2017 in the Federal District Court for the Eastern District of Virginia, docket number: 1:2017 cr 34.

Kevin’s crime? He wrote a piece of software that has legitimate uses, such as sysadmins trouble shooting a user’s computer remotely. That tool was pirated by others and put to criminal use. Now the government wants to take his freedom and his home.

Compare Kevin’s post to the indictment, which I have uploaded for your reading pleasure. There is a serious disconnect between Poulsen’s post and the indictment, as the government makes much out of a lot of hand waving and very few specifics.

Taylor did obtain a Release on Personal Recognizance or Unsecured Bond, which makes you think the judge isn’t overly impressed with the government’s case.

I would have jumped at such a release as well but I find it disturbing, from a presumption of innocence perspective, that the judge also required:

My transcription:

No access to internet through any computer or other data capable device including smart phones

Remember that Taylor Huddleston is presumed innocence so how is that consistent with prohibiting him from a lawful activity, such as access to the internet?

Simple response: It’s not.

As I said, I would have jumped at the chance for a release on personal recognizance too. Judges are eroding the presumption of innocence with the promise of temporary freedom.

Wishing Huddleson the best of luck and that this erosion of the presumption of innocence won’t go unnoticed/unchallenged.

### Wikileaks Marble – 676 Source Code Files – Would You Believe 295 Unique (Maybe)

Friday, March 31st, 2017

Wikileaks released Marble Framework, described as:

Today, March 31st 2017, WikiLeaks releases Vault 7 “Marble” — 676 source code files for the CIA’s secret anti-forensic Marble Framework. Marble is used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA.

Effective leaking doesn’t seem to have recommended itself to Wikileaks.

Marble-Framework-ls-lRS-devworks.txt, is an ls -lRS listing of the devworks directory.

After looking for duplicate files and starting this post, I discovered entirely duplicated directories:

Compare:

devutils/marbletester/props with devutils/marble/props.

devutils/marbletester/props/internal with devutils/marble/props/internal

devutils/marbleextensionbuilds/Marble/Deobfuscators with devutils/marble/Shared/Deobfuscators

That totals to 182 entirely duplicated files.

In Marble-Framework-ls-lRS-devworks-annotated.txt I separated files on the basis of file size. Groups of duplicate files are separated from other files with a blank line and headed by the number of duplicate copies.

I marked only exact file size matches as duplicates, even though files close in size could be the result of insignificant whitespace.

After removing the entirely duplicated directories, there remain 199 duplicate files.

With 182 files in entirely duplicated directories and 199 remaining duplicates brings us to a grand total of 381 duplicate files.

Or the quicker way to say it: Vault 7 Marble — 295 unique source code files for the CIA’s secret anti-forensic Marble Framework.

Wikileaks may be leaking the material just as it was received. But that’s very poor use of your time and resources.

Leak publishers should polish leaks until they have a fire-hardened point.

### 4 Billion “Records” Leaked In 2016 – How Do You Define Record?

Wednesday, March 29th, 2017

The IBM X-Force Treat Intelligence Index 2017 report leaves the impression hackers are cutting through security like a hot knife through butter:

With Internet-shattering distributed-denial-of-service (DDoS) attacks, troves of records leaked through data breaches, and a renewed focus by organized cybercrime on business targets, 2016 was a defining year for security. Indeed, in 2016 more than 4 billion records were leaked, more than the combined total from the two previous years, redefining the meaning of the term “mega breach.” In one case, a single source leaked more than 1.5 billion records.1 (page 3)

The report helpfully defines terms at page 3 and in the glossary (page 29) but never defines “record.”

The 4 billion records “fact” will appear in security blogs, Twitter, business zines, mainstream media, all without asking: “What is a record?”

Here are some things that could be records:

• medical record (1 or more pages)
• financial record (1 or more pages)
• CIA document (1 or more pages)
• Tax records (1 or more pages)
• Offshore bank data (spreadsheet, 1 or more pages
• Presentations (PPT, 1 or more pages)
• Accounting records (1 or more pages)
• Emails (1 or more pages)
• Photos, nude or otherwise

IBM’s “…4 billion records were leaked…,” is a marketing statement for IBM security services. Not a statement of fact.

PS: I haven’t checked the other “facts” claimed in this document. The failure to define “record” was enough to discourage further reading.

### How Not To Lose A Community’s Trust

Tuesday, March 28th, 2017

From the post:

The author of the Nuclear Bot banking trojan has leaked the source code of his own malware in a desperate attempt to regain trust and credibility in underground cybercrime forums.

Nuclear Bot, also known as NukeBot and more recently as Micro Banking Trojan and TinyNuke, is a new banking trojan that appeared on the malware scene in December 2016, when its author, a malware coder known as Gosya, started advertising it on an underground malware forum.

According to Gosya's ad, this new banking trojan was available for rent and included several features, such as:

• Formgrabber and Web-Injection modules (Firefox, Chrome, IE, and Opera)
• A SOCKS proxy module
• Remote EXE file launcher module
• Hidden VNC module that worked on Windows versions between XP and 10
• Rootkit for 32-bit and 64-bit architectures
• UAC bypass
• Windows Firewall bypass
• IBM Trusteer firewall bypass
• Bot-killer – a mini anti-virus meant to remove all competing malware from the infected machine

Subsequent analysis from both Arbor Networks and Sixgill confirmed the trojan's deadly features. In spite of these favorable reports, Gosya's Nuclear Bot saw little adoption among cybercrime gangs, as the malware's author miserably failed to gain their trust.

See Catalin’s post for the most impressive list of social fails I have seen in years. Seriously.

More importantly, for hacker and other forums, learn the local customs. Always.

Enjoy!

Monday, March 27th, 2017

You remember the Dilbert cartoon on corporate security where the pointed haired boss asks what Dilbert would do if a stranger offered to buy company secrets. Dilbert responds asking how much is the stranger offering? See the strip for the boss’ answer and Wally’s follow up question.

Danny Palmer reports the price point for employees who would sell their access, maybe less than you think.

From the post:

A cyberattack could cost an organisation millions, but an employee within your company might be willing to give an outsider access to sensitive information via their login credentials for under £200.

According to a report examining insider threats by Forcepoint, 14 percent of European employees claimed they would sell their work login credentials to an outsider for £200. And the researchers found that, of those who’d sell their credentials to an outsider, nearly half would do it for less.

That’s about $260.00 U.S. at today’s exchange rates. Only you know your time and expense of hacking passwords and/or buying them on the dark web. I suspect the price point is even lower in government agencies with unpopular leadership. I haven’t seen any surveys of US employees, but I suspect employees of companies, suppliers, contractors, banks, etc., involved in oil pipeline construction are equally open to selling passwords. Given labor conditions in the US, perhaps even more so. Not that anyone opposing a multi-generational environmental crime like an oil pipeline would commit a crime when there are so many lawful and completely ineffectual means to oppose it at hand. PS: As recent CIA revelations demonstrate, the question isn’t if government will betray the public’s interest but when. The same is true for environmental, health and other concerns. ### Looking For Installed Cisco Routers? Saturday, March 25th, 2017 News of 300 models of Cisco Catalyst switches being vulnerable to a simple Telnet attack, Cisco issues critical warning after CIA WikiLeaks dump bares IOS security weakness by Michael Cooney, for example, has piqued interest in installed Cisco routers. You already know that Nmap can uncover and identify routers. What you may not know is government hemorrhaging of IT information may be a useful supplement to Nmap. Consider GovernmentBids.com for example. You can search by federal government bid types and/or one or more of the fifty states. Up to 999 prior to the current date, for bids, which includes the bids as well as the winning vendor. If you are routinely searching for IT vulnerability information, I would not begrudge them the$131/month fee for full information on bids.

From a topic map perspective, pairing IT bid information with vulnerability reports, would be creative and valuable intelligence.

How much IT information is your office/department hemorrhaging?

### Attn: Zero-Day Hunters, ATMs Running Windows XP Have Cash

Friday, March 24th, 2017

Kimberly Crawley reprises her Do ATMs running Windows XP pose a security risk? You can bank on it! as a reminder that bank ATMs continue to run Windows XP.

Her post was three years old in February, 2017 and just as relevant as the first day of its publication.

Rather than passing even more unenforceable hacking legislation, states and congress should impose treble damages with mandatory attorney’s fees on commercial victims of hacking attacks.

Insecurity will become a cost center in their budgets, justifying realistic spending and demand for more secure software.

In the meantime, remember ATMs running Windows XP dispense cash.

### The New Handbook For Cyberwar Is Being Written By Russia

Wednesday, March 22nd, 2017

From the post:

One US intelligence officer currently involved in cyber ops said, “It’s not that the Russians are doing something others can’t do. It’s not as though, say, the US wouldn’t have the technical skill level to carry out those types of attacks. It’s that Russian hackers are willing to go there, to experiment and carry out attacks that other countries would back away from,” said the officer, who asked not to be quoted by name due to the sensitivity of the subject. “It’s audacious, and reckless. They are testing things out in the field and refining them, and a lot of it is very, very messy and some is very smart.”

Well, “…testing things out in the field and refining them…” is the difference between a potential weapon on a dry erase board and a working weapon in practice. Yes?

Personally I favor the working weapon in practice.

It’s an interesting read despite the repetition of the now debunked claim of Wikileaks releasing 8,761 CIA documents (Fact Checking Wikileaks’ Vault 7: CIA Hacking Tools Revealed (Part 1))

Frenkel of course covers the DNC hack:

The hack on the DNC, which US intelligence agencies have widely attributed to Russia, could be replicated by dozens of countries around the world, according to Robert Knake, a former director of cybersecurity policy in the Obama administration.

“Russia has laid out the playbook. What Russia did was relatively unsophisticated and something that probably about 60 countries around the world have the capability of doing — which is to target third parties, to steal documents and emails, and to selectively release them to create unfavorable conditions for that party,” Knake told the BBC’s Today. “It’s unsubtle interference. And it’s a violation of national sovereignty and customary law.”

Kanke reflects the failure of major powers to understand the leveling potential of cyberwarfare. Sixty countries? You think? How about every kid that can run a phishing scam to steal John Podesta’s password? How many? 600,000 maybe? More than that?

None of who care about “…national sovereignty and customary law.”

Are you going to write or be described in a chapter of the new book on cyberwar?

### When To Worry About CIA’s Zero-Day Exploits

Wednesday, March 22nd, 2017

Chris McNab’s Alexsey’s TTPs (.. Tactics, Techniques, and Procedures) post on Alexsey Belan provides a measure for when to worry about Zero-Day exploits held by the CIA.

McNab lists:

• Belan’s 9 offensive characteristics
• 5 defensive controls
• WordPress hack – 12 steps
• LinkedIn targeting – 11 steps
• Third victim – 11 steps

McNab observes:

Consider the number of organizations that provide services to their users and employees over the public Internet, including:

• Web portals for sales and marketing purposes
• Mail access via Microsoft Outlook on the Web and Google Mail
• Collaboration via Slack, HipChat, SharePoint, and Confluence
• DevOps and support via GitHub, JIRA, and CI/CD utilities

Next, consider how many enforce 2FA across their entire attack surface. Large enterprises often expose domain-joined systems to the Internet that can be leveraged to provide privileged network access (via Microsoft IIS, SharePoint, and other services supporting NTLM authentication).

Are you confident safe 2FA is being enforced over your entire attack surface?

If not, don’t worry about potential CIA held Zero-Day exploits.

You’re in danger from script kiddies, not the CIA (necessarily).

Alexsey Belan made the Most Wanted list at the FBI.

Crimes listed:

Conspiring to Commit Computer Fraud and Abuse; Accessing a Computer Without Authorization for the Purpose of Commercial Advantage and Private Financial Gain; Damaging a Computer Through the Transmission of Code and Commands; Economic Espionage; Theft of Trade Secrets; Access Device Fraud; Aggravated Identity Theft; Wire Fraud

His FBI poster runs two pages but you could edit off the bottom of the first page to make it suitable for framing.

😉

Try hanging that up in your local university computer lab to test their support for free speech.

### Pre-Installed Malware – Espionage Potential

Tuesday, March 14th, 2017

From the post:

Malware in the form of info-stealers, rough ad networks, and even ransomware came pre-installed on more than three dozen different models of Android devices.

Researchers with Check Point spotted the malware on 38 Android devices owned by a telecommunications company and a multinational technology company.

See David’s post for the details but it raises the intriguing opportunity to supply government and corporate offices with equipment with malware pre-installed.

No more general or targeted phishing schemes, difficult attempts to breach physical security and/or to avoid anti-virus or security programs.

The you leak – we print model of the news media makes it unlikely news organizations will want to get their skirts dirty pre-installing malware on hardware.

News organizations consider themselves “ethical” in publishing stolen information but are unwilling to steal it themselves, because stealing is “unethical.”

There’s some nuance in there I am missing, perhaps that being proven to have stolen carries a prison sentence in most places. Odd how ethics correspond to self-interest isn’t it?

If you are interested in the number of opportunities for malware on computers in 2017, check out Computers Sold This Year. It reports as of today over 41 million computers sold this year alone.

News organizations don’t have the skills to create a malware network but if information were treated as having value, separate from the means of its acquisition, a viable market would not be far behind.

### New Wiper Malware – A Path To Involuntary Transparency

Tuesday, March 14th, 2017

From the press release:

The Kaspersky Lab Global Research and Analysis Team has discovered a new sophisticated wiper malware, called StoneDrill. Just like another infamous wiper, Shamoon, it destroys everything on the infected computer. StoneDrill also features advanced anti-detection techniques and espionage tools in its arsenal. In addition to targets in the Middle East, one StoneDrill target has also been discovered in Europe, where wipers used in the Middle East have not previously been spotted in the wild.

Besides the wiping module, Kaspersky Lab researchers have also found a StoneDrill backdoor, which has apparently been developed by the same code writers and used for espionage purposes. Experts discovered four command and control panels which were used by attackers to run espionage operations with help of the StoneDrill backdoor against an unknown number of targets.

Perhaps the most interesting thing about StoneDrill is that it appears to have connections to several other wipers and espionage operations observed previously. When Kaspersky Lab researchers discovered StoneDrill with the help of Yara-rules created to identify unknown samples of Shamoon, they realised they were looking at a unique piece of malicious code that seems to have been created separately from Shamoon. Even though the two families – Shamoon and StoneDrill – don’t share the exact same code base, the mind-set of the authors and their programming “style” appear to be similar. That’s why it was possible to identify StoneDrill with the Shamoon-developed Yara-rules.

Code similarities with older known malware were also observed, but this time not between Shamoon and StoneDrill. In fact StoneDrill uses some parts of the code previously spotted in the NewsBeef APT, also known as Charming Kitten – another malicious campaign which has been active in the last few years.

For details beyond the press release, see: From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond by Costin Raiu, Mohamad Amin Hasbini, Sergey Belov, Sergey Mineev or the full report, same title, version 1.05.

Wipers can impact corporate and governmental operations but they may be hiding crimes and misdeeds at the same time.

Of greater interest are the espionage operations enabled by StoneDrill.

If you are interested in planting false flags, pay particular attention to the use of language analysis in the full report.

Taking a clue from Lakoff on framing, would you opinion of StoneDrill change if instead of “espionage” it was described as a “corporate/government transparency” tool?

I don’t recall anyone saying that transparency is by definition voluntary.

Perhaps that’s the ticket. Malware can bring about involuntary transparency.

Yes?