Tuesday, December 20, 2016

What do I do when I’m hit with Ransomware? (Level 2)


What do I do when I’m hit with Ransomware?

You might have noticed that I used the term ‘when’ and not ‘if’.  Kaspersky’s research showed that in 2016, one in five businesses worldwide suffered an IT incident involving Ransomware.  There’s a 20% chance you were hit this year.  What are the odds for 2017?
So, what do you do when you’re hit?  Don’t panic.  Disconnect the affected machines from the network so the encryption can’t spread to shares and other computers.  Next, call in your Chief Security Officer/Director of IT/or your trusted Managed Services Provider (that’s Preferred Business Solutions, right?).  Identify the family from the ransom note and the extension on the encrypted files: there are free decryption tools for some of the Ransomware families.  Don’t pay the ransom.  The Dutch National High Tech Crime Unit advises against paying: you’ll become a bigger target,
the criminals have zero motivation to release your data (unless…), your next ransom will be higher, and you’re encouraging the criminals.  Remember that Ransomware is a criminal offence, so report the incident.

2016-12-20
MDux

Monday, December 19, 2016

How do I mitigate the risk of Ransomware? (Level 1)


How do I mitigate the risk of Ransomware?

The lifeblood of most businesses is data. Make sure you back up data regularly, and move the backup off the network.  Some Ransomware looks at your network and encrypts everything it can reach.  If your data is backed up on a network share or Network Attached Storage (NAS), that backup may be encrypted as well, so keep off-network backups or archives.  Spend some time thinking about your backup policy, how long you can afford to be down and without access, and test your restores: a backup you have never restored from is a hope, not a plan.  Separate your critical business data and restrict access. Back up everything.
Always.

 If you’re unsure, consult with an expert.  Call me, ‘I know a guy’.

2016-12-19
MDux

Sunday, December 18, 2016

How do I stop Ransomware? (Level 1)


How do I stop Ransomware?

Preventing Ransomware is a complicated endeavour.  As mentioned before, the most common method of becoming a victim of ransomware is opening a file that is designed to look like something you want to open, or clicking on a link on a website, again designed to get you to click.  User education is going to be the best solution to prevent Ransomware.  Unfortunately, this is also the most difficult.  
Ransomware Prevention Checklist:
  • Use a quality Firewall (I know a guy)
  • Make sure that Firewall is configured correctly by a security expert (I know a guy)
  • Keep all software up-to-date
  • Treat email attachments from people you don’t know as hostile
  • Stick to websites that you need for business. Don’t follow the clickbait
  • Share this with your coworkers



The security world is a lot like a chess game: the bad guys find the holes, the good guys build the fixes. There are now software products designed to recognise a Ransomware attack by its behaviour and halt the process before it finishes encrypting.  They're at a decent price point as well, especially if you look at the cost of either paying the ransom (don't do it!) or attempting to recover from backups and the loss of revenue/time in that process.

2016-12-18
MDux

Saturday, December 17, 2016

How do you get Ransomware? (Level 1)



How do you get Ransomware?

Most malicious software exploits the one part of the computing environment that can’t be patched: the user. Yes, you and your coworkers are the most vulnerable part of your network.  The lever is social engineering, in the form of “Phishing” and its nastier offspring, “Spear-Phishing”.  I’ll save the deeper dive on those for another post, but think of them as attacks designed to get you to click on a file or link that you shouldn’t.  An email with an attachment from someone you don’t know is by far the most common Ransomware method of attack.  HR departments will get an email with an attachment titled “resume.doc”, or Sales will receive one titled “PurchaseOrderRush.doc”.  The document is the delivery vehicle: it is either a disguised script or executable, or an Office file whose macro fetches the Ransomware once you click ‘Enable Content’.
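An added example (my own code, not from the original post) of the kind of check a mail gateway or a helpdesk script can run on exactly these attachments before anyone double-clicks. It flags double extensions that hide a script, document extensions on files that are really Windows executables, and Office packages that carry a VBA macro project (word/vbaProject.bin and friends), which the Data Points post notes is how 98% of Office-targeted threats arrive. The sample attachments, including the in-memory "resume" packages, are constructed here; the extension lists are assumptions to tune for your own environment.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Attachment types an HR or sales inbox has no business opening directly.
# (Assumed list for this example; tune it for your environment.)
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "js", "jse", "vbs", "vbe",
                   "wsf", "hta", "bat", "cmd", "ps1", "jar", "lnk"}
# Office Open XML packages are ZIP files. The macro-enabled variants end in "m",
# but a renamed .docm opens fine as .docx, so the extension alone proves nothing.
OOXML_EXTS = {"docx", "docm", "dotx", "dotm", "xlsx", "xlsm", "xltm", "pptx", "pptm", "potm"}
# Legacy binary Office formats (OLE compound files) can carry macros too.
OLE_EXTS = {"doc", "dot", "xls", "xlt", "ppt", "pot"}
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
PE_MAGIC = b"MZ"


@dataclass
class Verdict:
    filename: str
    reasons: list = field(default_factory=list)

    @property
    def hostile(self) -> bool:
        return bool(self.reasons)


def ooxml_has_macros(package: bytes) -> bool:
    """True if an OOXML package carries a VBA project (word/, xl/ or ppt/vbaProject.bin)."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())


def triage_attachment(filename: str, data: bytes) -> Verdict:
    """Return a Verdict listing every reason this attachment should be treated as hostile."""
    v = Verdict(filename)
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    if ext in EXECUTABLE_EXTS:
        how = "double extension hides" if len(parts) > 2 else "attachment is"
        v.reasons.append(f"{how} an executable type (.{ext})")
    if data.startswith(PE_MAGIC) and ext not in EXECUTABLE_EXTS:
        v.reasons.append("content is a Windows executable despite a document extension")

    if ext in OOXML_EXTS:
        if not data.startswith(ZIP_MAGIC):
            v.reasons.append("extension claims an Office package but the content is not one")
        elif ooxml_has_macros(data):
            v.reasons.append("Office document contains a VBA macro project")
    elif ext in OLE_EXTS:
        if data.startswith(OLE_MAGIC):
            v.reasons.append("legacy binary Office format; treat as hostile until an OLE parser rules out macros")
        elif data.startswith(ZIP_MAGIC) and ooxml_has_macros(data):
            v.reasons.append("macro-enabled Office package renamed to a legacy extension")
    return v


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal Word package for this example; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder, not real VBA
    return buf.getvalue()


# Constructed sample attachments named like the lures in the post.
SAMPLES = {
    "resume.docx": build_ooxml(with_macro=False),
    "resume.doc": build_ooxml(with_macro=True),               # .docm renamed to look harmless
    "PurchaseOrderRush.docm": build_ooxml(with_macro=True),
    "PurchaseOrderRush.pdf.js": b"var sh = new ActiveXObject('WScript.Shell');",
    "invoice.doc": PE_MAGIC + b"\x90\x00" + b"\x00" * 60,      # executable wearing a .doc
}


def triage_all(samples=None) -> dict:
    samples = SAMPLES if samples is None else samples
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        flag = "HOSTILE" if verdict.hostile else "ok"
        print(f"{flag:8}{name}: {'; '.join(verdict.reasons) or 'no indicators'}")
```

The point of checking the bytes and not just the name is the last two samples: a `.js` hiding behind `.pdf` is caught by the name, but a macro document renamed to `.doc`, or an executable renamed to `.doc`, is only caught by looking at what the file actually is.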

2016-12-17
MDux

Friday, December 16, 2016

What is Ransomware? (Level 1)

What is Ransomware?

Ransomware is not a new term, but it has certainly become better known in 2016.  You can bet that we’ll see a lot more ransomware headlines.  There are two basic forms of Ransomware, and the more common is the cryptor.  This malicious program encrypts data on your device and demands money, usually in the form of Bitcoin, for its release. The more advanced cryptors will scan your network and attack other computers, servers, and drives.   The less common form of Ransomware is the locker. While cryptors actually modify the data on your computer with encryption, lockers simply prevent your access to your data, typically with a screen-covering ransom letter.  The more creative locker programs claim that your data has been seized by a law enforcement agency or other state agency.  
The Ransomware most feared in 2015 were CTB-Locker, CryptoWall, and TeslaCrypt.
Most active and feared in 2016 were Locky, Cerber and CryptXXX.
More on this to come.
2016-12-16
MDux

Thursday, December 15, 2016

Ransomware Data Points (Level 2)

Ransomware Data Points

In the next five days I will walk through some basics of Ransomware. This post lists out some data points, mostly from Kaspersky (the exceptions are cited).  This should scare you.
If you're not at least alarmed, then you definitely need to read the next few posts!

Ransomware Data Points:

Statistics from Kaspersky Lab (security software company)
2016 gave us:
758,044,650 attacks launched from online resources located all over the world
62 new ransomware families
(most malware will have an original, and several versions.  Those together are called a family as they are all related)
11-fold increase in modifications to various malware from Q1 to Q3.
1 in 5 SMBs that were infected AND paid the ransom never got their data back.
1 in 5 businesses worldwide suffered an IT security incident as a result of a ransomware attack.
42% of SMBs were hit with ransomware from Oct 2015 to Oct 2016
32% paid the ransom
67% of those affected lost part or all of their corporate data.  1 in 4 spent several weeks to restore access
97% of malware is unique to a specific endpoint, rendering signature-based security virtually useless
98% of Microsoft Office-targeted threats use macros (Microsoft, 2016)
600%+ increase in attachment-based vs URL-delivered malware attacks in the second half of 2015 (Proofpoint, 2015)
6000% increase in ransomware from 2015 to 2016 (IBM, 2016)

Who got hit, by sector?

Education – 23%  (23% of the Education sector was hit by Ransomware)
IT /Telcom – 22%
Entertainment/Media – 21%
Financial Services - 21%
Construction - 19%
Government/Public Sector/Defense – 18%
Manufacturing – 18%
Transport – 17%
Healthcare – 16%
Retail/Wholesale/Leisure – 16%

2016-12-15
MDux

Thursday, October 27, 2016

Mirai and the IoT


!3v3! 3 - it might get geeky

One of the first major DDoS attacks using Mirai was against www.krebsonsecurity.com. Brian Krebs's site was hit with a 620 Gbps attack, and the French hosting provider OVH was hit with a staggering 1 Tbps attack the same week. Both were record setting in their volume and in their reliance on IoT devices. The Dyn attacks have not been measured yet. Mirai, leveraging hundreds of thousands of poorly secured devices and the general public's inability to understand that they might have made these attacks possible by not changing the log/pass pairs of retail devices, makes this a threat that we'll probably see quite a bit more of. Last Friday's (2016-10-21) attack on Dyn leveraged mostly devices made with components from Chinese DVR and IP camera manufacturer XiongMai. XiongMai has threatened lawsuits against many accusers, though I think we'll see those dropped or overturned. Expect to see recalls by XiongMai and others, as the list of major corporations affected is not a group one would like to anger.
The list of downed sites from this latest Mirai botnet is frightening: Airbnb, Amazon.com, Ancestry.com, BBC, Box, Business Insider, CNN, Comcast, CrunchBase, DirecTV, Electronic Arts, Etsy, FiveThirtyEight, Fox News, GitHub, Grubhub, HBO, Heroku, HostGator, iHeartRadio, Imgur, Indiegogo, Mashable, National Hockey League, Netflix, Overstock.com, PayPal, Pinterest, Pixlr, PlayStation Network, Qualtrics, Quora, Reddit, Roblox, Ruby Lane, RuneScape, SaneBox, Seamless, Second Life, Shopify, Slack, SoundCloud, Spotify, Squarespace, Starbucks, Storify, The A.V. Club, The Boston Globe, The Elder Scrolls Online, The Guardian, The New York Times, The Wall Street Journal, Tumblr, Twilio, Twitter, Verizon Communications, Visa, Vox Media, Walgreens, Wikia, Wired, Wix.com, WWE Network, Xbox Live, Yammer, Yelp, Zi

Here's a list of some of the cracked log/pass pairs:

root     xc3511
root     vizxv
root     admin
admin    admin
root     888888
root     xmhdipc
root     default
root     juantech
root     123456
root     54321
support  support
root     (none)
admin    password
root     root
root     12345
user     user
admin    (none)
root     pass
admin    admin1234
root     1111
admin    smcadmin
admin    1111
root     666666
root     password
root     1234
root     klv123
Administrator admin
service  service
supervisor supervisor
guest    guest
guest    12345
guest    12345
admin1   password
administrator 1234
666666   666666
888888   888888
ubnt     ubnt
root     klv1234
root     Zte521
root     hi3518
root     jvbzd
root     anko
root     zlxx.
root     7ujMko0vizxv
root     7ujMko0admin
root     system
root     ikwb
root     dreambox
root     user
root     realtek
root     00000000
admin    1111111
admin    1234
admin    12345
admin    54321
admin    123456
admin    7ujMko0admin
admin    1234
admin    pass
admin    meinsm
tech     tech
Another interesting point was that there, in the code, was a list of 'do not attack' IPs, including General Electric, HP, the US Postal Service, and the DoD. It would seem that the author(s) were hoping to limit the scope of the attack, perhaps to not draw too much attention to it. It's noteworthy as well that some of the language used in the code points to Russian as the creator's native language; the prompt below says пользователь, which is Russian for 'user':

this.conn.Write([]byte("\033[34;1mпользователь\033[33;3m: \033[0m"))
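The pairs listed above don't sit in the leaked bot source as plain text. In scanner.c each one is an add_auth_entry(user, password, weight) call whose two strings are XOR-obfuscated with the key 0xDEADBEEF (the bot's table_key); the weight is how often the scanner tries that pair relative to the others, which is why root/xc3511 leads the list. Because every byte is XORed with all four key bytes in turn, the whole scheme collapses to a single XOR with 0x22. Here's an added example, my own code and not part of the original post or of the Mirai source, that recovers the list from such a table and turns it into a wordlist you can test your own cameras and DVRs against. The first two entries of the constructed excerpt are copied from the leaked source; the rest are re-encoded here from pairs in the list above so the parser has more to work on.

```python
import re

TABLE_KEY = 0xDEADBEEF  # the bot's table_key in the leaked source


def effective_key(key: int = TABLE_KEY) -> int:
    """Mirai XORs each byte with the four key bytes one after another. XOR is
    associative, so that equals one XOR with all four bytes folded together
    (0xDE ^ 0xAD ^ 0xBE ^ 0xEF == 0x22)."""
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (key >> shift) & 0xFF
    return k


def deobf(blob: bytes, key: int = TABLE_KEY) -> str:
    return bytes(b ^ effective_key(key) for b in blob).decode("ascii")


def obf(text: str, key: int = TABLE_KEY) -> bytes:
    """The inverse; used below only to build extra sample entries."""
    return bytes(ord(c) ^ effective_key(key) for c in text)


def c_escape(blob: bytes) -> str:
    return "".join(f"\\x{b:02X}" for b in blob)


def c_unescape(literal: str) -> bytes:
    """Turn the inside of a C string literal with \\xNN escapes back into bytes."""
    out = bytearray()
    i = 0
    while i < len(literal):
        if literal.startswith("\\x", i):
            out.append(int(literal[i + 2:i + 4], 16))
            i += 4
        else:
            out.append(ord(literal[i]))
            i += 1
    return bytes(out)


# add_auth_entry(<obfuscated user>, <obfuscated password>, <weight>)
C_STRING = r'"((?:\\x[0-9A-Fa-f]{2}|[^"\\])*)"'
ENTRY_RE = re.compile(r"add_auth_entry\(\s*" + C_STRING + r"\s*,\s*" + C_STRING + r"\s*,\s*(\d+)\s*\)")


def parse_auth_table(source: str) -> list:
    """Return (user, password, weight) tuples in table order."""
    rows = []
    for m in ENTRY_RE.finditer(source):
        user = deobf(c_unescape(m.group(1)))
        password = deobf(c_unescape(m.group(2)))
        rows.append((user, password, int(m.group(3))))
    return rows


def _entry(user: str, password: str, weight: int) -> str:
    return f'add_auth_entry("{c_escape(obf(user))}", "{c_escape(obf(password))}", {weight});'


# Constructed excerpt. The first two lines are as they appear in the leaked
# scanner.c; the remaining lines are re-encoded here from pairs in the list above.
SAMPLE_TABLE = "\n".join([
    'add_auth_entry("\\x50\\x4D\\x4D\\x56", "\\x5A\\x41\\x11\\x17\\x13\\x13", 10); // root xc3511',
    'add_auth_entry("\\x50\\x4D\\x4D\\x56", "\\x54\\x4B\\x58\\x5A\\x54", 9);     // root vizxv',
    _entry("admin", "admin", 7),
    _entry("root", "", 4),          # the "(none)" entry: an empty password
    _entry("ubnt", "ubnt", 1),
])


def default_credential_wordlist(source: str = SAMPLE_TABLE) -> list:
    """user:password lines, most-tried first, for auditing your own devices."""
    rows = sorted(parse_auth_table(source), key=lambda r: -r[2])
    return [f"{u}:{p or '(none)'}" for u, p, _ in rows]


if __name__ == "__main__":
    for user, password, weight in parse_auth_table(SAMPLE_TABLE):
        print(f"weight {weight:2}  {user:8} {password or '(none)'}")
```

The weights matter more than the list for defenders: a device that answers telnet with any of the top half-dozen pairs is found within the first few guesses, not after a long brute force, so the check is cheap to run against your own address space.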

The question that this all leaves us with is, how do we secure retail level devices when people are so apathetic or uneducated about security that 'qwerty', '123456', and 'password' remain on the top 10 of passphrases used?

2016-10-27
MDux

Wednesday, October 26, 2016

Passphrases and DDOS


Level 2
The impact of not having adequate passphrases.  I alluded to the 'great internet outage' of 10/21 previously.  It's not an overstatement to say that the entire event was made possible by very simple and lazy login/passphrase pairs.  On the morning of October 21st, Dyn, a Domain Name System (DNS) provider, was overwhelmed with internet traffic.  It was quickly guessed that this was a Distributed Denial of Service (DDoS) attack. This type of attack has been in use for over 15 years and most large companies have been hit and have learned to deal with them. To explain a DDoS attack in a different way, imagine a Subway sandwich shop near your house.  Let's assume that the normal foot traffic for the store is about 10 customers at a time.  If 20 people show up to order sandwiches at the same time, it's pretty busy. If you call everyone you know, and get them to call everyone they know, to show up at the same time, you could have 10,000 people trying to get into a Subway at once. Regulars that always eat there at this time would be unable to get their footlong meatball sub.  Service denied, by a distributed group of people.  The DDoS attack on Dyn involved tens of millions of unique requests.  Imagine everyone from your home state going to that same Subway at noon tomorrow.
Back to passphrases. Those requests were mostly from hacked Internet of Things (IoT) devices that had weak security.  A malicious program found and hacked DVRs and other home electronics that have internet access and were installed with the default login/password pairs still in place.  "root" and "password" or "admin" and "password" were very common on these devices.  Do you have any home electronics hooked up to the internet? IP security cameras, perhaps?  If so, you could have unwittingly participated in one of three major DDoS attacks in the last month.  By the way, the name of the malware behind the attacks is "Mirai", and its source code was made public last month.  I fear that we'll be hearing from this one again.
Last note on passphrases: size matters.  The longer the passphrase, the longer it takes to brute force.
For example, the passphrase ‘1234567890’ would take about 0.111 seconds to exhaust in an offline fast attack (one hundred billion guesses per second). Using the same method, ‘12345678901234567890’ would take about 35.33 years to brute force. This is what entropy measures: how large and unpredictable the space an attacker has to search is, and that space grows exponentially with length.
And to prove a point, the ‘Pr8f8]]8dte’ passphrase that we generated earlier would take around 18.28 centuries to crack in an offline fast attack.
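Those three figures come straight out of a search-space calculation, and it's worth seeing it done rather than taking a website's word for it. The added example below (my code, not part of the original post) infers the character classes a passphrase uses, sums every candidate of that length or shorter, the way Haystack-style calculators do, and divides by the post's rate of 1e11 guesses per second; it reproduces the three numbers above to within rounding. It also puts a number on the caveat from the Simple Passphrase Plan post: an attacker who knows the system doesn't search 95^11 strings, they search dictionary words times substitution choices. The 170,000-word dictionary and the substitution model are assumptions of mine, not figures from the post.

```python
GUESSES_PER_SECOND = 1e11          # the post's "offline fast attack" rate
SECONDS_PER_YEAR = 365.25 * 24 * 3600
SYMBOL_CLASS = 33                  # printable ASCII punctuation, as Haystack-style calculators count it


def alphabet_size(passphrase: str) -> int:
    """The alphabet an attacker must assume, inferred from the classes actually present."""
    size = 0
    if any(c.islower() for c in passphrase):
        size += 26
    if any(c.isupper() for c in passphrase):
        size += 26
    if any(c.isdigit() for c in passphrase):
        size += 10
    if any(not c.isalnum() for c in passphrase):
        size += SYMBOL_CLASS
    return size


def search_space(passphrase: str) -> int:
    """Every string of length 1..len(passphrase) over that alphabet: sum of A^k.
    Python ints are unbounded, so 95^20 and beyond are exact."""
    a = alphabet_size(passphrase)
    return sum(a ** k for k in range(1, len(passphrase) + 1))


def brute_force_seconds(passphrase: str, rate: float = GUESSES_PER_SECOND) -> float:
    return search_space(passphrase) / rate


def brute_force_years(passphrase: str, rate: float = GUESSES_PER_SECOND) -> float:
    return brute_force_seconds(passphrase, rate) / SECONDS_PER_YEAR


def describe(passphrase: str) -> str:
    seconds = brute_force_seconds(passphrase)
    if seconds < 60:
        return f"{seconds:.3f} seconds"
    years = seconds / SECONDS_PER_YEAR
    return f"{years:.2f} years" if years < 100 else f"{years / 100:.2f} centuries"


def pattern_aware_guesses(dictionary_words: int = 170_000) -> int:
    """Worst-case guesses for an attacker who knows the 'Simple Passphrase Plan'
    itself (an assumed model, not from the post): one dictionary word, one letter
    swapped for one digit, one letter swapped for one symbol, plus the target
    site's first and last letters appended."""
    digit_swap = 26 * 10
    symbol_swap = 26 * SYMBOL_CLASS
    site_letters = 26 * 26
    return dictionary_words * digit_swap * symbol_swap * site_letters


if __name__ == "__main__":
    for p in ("1234567890", "12345678901234567890", "Pr8f8]]8dte"):
        print(f"{p!r}: alphabet {alphabet_size(p)}, {describe(p)} at 1e11 guesses/s")
    print(f"knowing the system: {pattern_aware_guesses() / GUESSES_PER_SECOND:.0f} seconds")
```

The last line is the sobering one: the same 'Pr8f8]]8dte' that survives 18 centuries of blind guessing falls in a few minutes to anyone who has seen two of your passphrases and worked out the recipe, which is exactly the weakness the post warns about.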

2016-10-26
MDux

Tuesday, October 25, 2016

Passwords and Options


Level 1
You might have seen in the news, or experienced, that a good portion of the US internet was down on Friday.  I'll get into this event in a few different levels, but I want to talk about security and passwords in general first.  
Passwords.  We all have them; most of us hate them. Some of us can even remember a few.  As this lovely thing we call technology presses onward, we're having to keep track of more passwords than ever before. In a previous job, I had over 100 passwords for my work computer and various vendor sites.  A point of syntax: I will no longer be using the term 'password'.  If you're using a word, or string of words, found in the dictionary, you are open to a type of attack called a 'dictionary attack', where the attacker tries a word list instead of every possible string.  I'll use 'passphrase' instead, though that's not quite the right term either.
So the question is, how do we maintain a decent level of security with such an overload of things to remember?  We don't; well, at least we (as a society) aren't doing very well. In 2015 the 10 most used passphrases were:
1. 123456
2. password
3. 12345
4. 12345678
5. qwerty
6. 123456789
7. 1234
8. baseball
9. dragon
10. football
If you're using a passphrase from this list, or even something similar, stop. Right now. I mean it.  This list, and the choices that went into thinking these were secure, are the reason many sites require UPPERCASE, lowercase, numbers and special characters for every passphrase.  Of course, passphrase length is important too.  
A Great Passphrase Plan
How do we build more secure passphrases? And better yet, to protect your organization, how do you enforce good passphrase policies for your employees?  Perhaps the best way is to deploy a Single Sign-On (SSO) solution.  Your end users log into their device and authenticate once, against Active Directory.  From there, the SSO signs them into applications that support federated identity and, for sites that still insist on their own login, supplies and fills in very secure passphrases that are unique to each site and that the user never has to remember.  If you want to learn more about SSO and how it can help secure your business, reduce the impact on your helpdesk, and improve employee morale and productivity, you know how to find me.
A Good Passphrase Plan
Use a trusted passphrase utility like:
Lastpass.com
Dashlane
Zoho Vault
KeePass
All have good reviews. Do some research and pick one that covers the different platforms that you use.
A Simple Passphrase Plan
For personal use, and for smaller organizations, I'm going to throw out this little system.  Note: This system is NOT SUITABLE FOR ANYTHING THAT DEALS WITH MONEY OR SENSITIVE DATA.
Ahem. Let's continue.  The goals of a passphrase are:
A generous mix of the four character classes:
Uppercase
Lowercase
Numbers
Symbols
Sufficient length to make brute force attacks time consuming.  
Step One: Pick a word that is 6+ letters in length.  For this example, I'm going to use 'Preferred'.
Step Two: Substitute one or more of the letters with numbers.  Do not substitute 0 for O or 4 for A; those are common and too easy to guess. I'm going to select the letter 'e' and substitute the number 8: 'Preferred' becomes 'Pr8f8rr8d'. Let's add some symbols in there to mix it up.  Avoid the '#' and '!' symbols, as they are very common. Let's use ']' for the double 'r': 'Pr8f8rr8d' becomes 'Pr8f8]]8d'. While there's a bit of repetition in that passphrase, it's complicated enough to be fairly secure against a blind brute force.
Step Three: use the first and last letters of the site or program you're logging into to make the passphrase unique to it.  Let's say a site is asking you to create a login so that you can receive an e-mail newsletter; say you're interested in tiny houses and went to this site: http://thetinylife.com/tiny-house-plans/
If you take the 't' and 'e' from the beginning and end of 'thetinylife' and add them to the passphrase you get 'Pr8f8]]8dte'. That passphrase is fairly unique and fairly secure.
I'll say it again, because I care, DO NOT USE THIS SYSTEM FOR SITES THAT DEAL WITH MONEY OR SENSITIVE INFORMATION.

As you'll see in future posts, this is a fairly strong passphrase. The problem is with the system. If you're using this system then the core of your passphrases are the same. While this still poses a problem for code based attacks, it wouldn't take long for a human to see two of these passwords and figure out the pattern. With the core being the same, you would be fully exposed on all sites, instantly.

Oh, and don't ever reuse a passphrase. Don't make it easy for the bad guys/gals to be bad.

Bonus alternate "Simple" version (YMMV):
I understand that this might seem a bit too complicated, so I've come up with another version:
Take your favorite quote or poem or song lyric, remove the spaces, and then replace some of the vowels with numbers and special characters.

Take "Any sufficiently advanced technology is indistinguishable from magic." by Arthur C. Clarke
Remove all the spaces:
Anysufficientlyadvancedtechnologyisindistinguishablefrommagic.


Replace one of the vowels with a number:
3nysufficiently3dv3ncedtechnologyisindistinguish3blefromm3gic.

Replace another vowel with a special character:
3nysuff&c&ently3dv3ncedtechnology&s&nd&st&ngu&sh3blefromm3g&c.

Need more help? Send me a request.

2016-10-25
MDux

Sunday, October 16, 2016

Project TPM day one.

Yesterday, was my official Day Zero tackling a long held goal.  I've wanted to learn how to program for a very long time, but I'm great at finding excuses.

After several false starts, and even some mediocre work, it's time to get serious. I have committed to learning how to code. (AutoHotKey scripting just isn't enough any more)

With the consistent motivation and support from a great friend and Mentor, I've been learning Python.  Up to now, most of my efforts have been on the static education side using How To Think Like A Computer Scientist : Interactive Edition.   This was a recommendation from my Mentor and I must agree that it is a fantastic resource. The exercises are very much worth doing.

Yesterday represents the first real day that I've sat down in front of my text editor and plodded through code creation on my own.  (I've attempted the introduction course through Coursera (Rice University, IIRC) twice.)  While I believe that course to be exceptional, I could not maintain the cadence required to keep up.   It's still on my ToDo list. That might actually qualify as recursion...

I'm not sure where to go from here (writing wise).
Should I outline my project?
Should I walk through my mistakes and how I fixed them?
Would it be useful for me to post actual code?

Most of the mistakes I've made thus far were syntactical.  Print vs print  etc.
Hmm...   only 46 lines of code (with about 25% of that pseudocode or comments)

Is that a good start, or not?



Enter any 11-digit prime number to continue...
2016-10-16
MDux

Friday, October 14, 2016

Ah, my network is fine.

Written 2016-09-xx
Level 1
Dropbox, Part 1
If you were with Dropbox back in 2012, you might recall the global request for everyone to update passwords.  There was quite a bit of speculation at that time as to the reason (there's always a reason), though the prevailing thought was a data breach of some type. The only question was the method of the breach.  This last week, it was confirmed that 68 million accounts were compromised: 68,000,000 user name and hashed-password pairs went on sale on the Darknet this week.  The take-away: don't recycle your passwords.  Using the same password on multiple sites is a significant risk, and Dropbox's breach is the perfect example of why, since the 2012 intrusion itself started with a Dropbox employee's password that had been reused from another breached site.  Password guidelines: don't use words found in the dictionary, and longer passwords are better. 'newpassword' is very weak.  'nwpssrd.............' is considerably stronger (though too repetitive to be considered strong).


Level 2

Dropbox, Part 2
IIRC, Dropbox uses an algorithm to identify duplicate documents.  If you upload a file that it identifies as something it already possesses, Dropbox simply places a pointer in 'your' Dropbox to the original file, saving a fair amount of storage space. With 68 million users, I would imagine the data storage and cost savings are significant. Data de-duplication is a regular practice in data-heavy organizations, and at first blush it's easy to see how the decision was made to leverage this technology: the greater the number of users, the higher the probability that there will be several copies of the same file in storage. Where things begin to make me nervous, and you should be thinking about this too, is that de-duplication only works if Dropbox computes a digital signature (a hash) of every file you have and compares it with everyone else's. From a high level, your data is being examined. Are they looking at your files? No, but they are poking at them, and they can tell when two customers hold the same file. Where does that sit with you?
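To make the concern concrete, here is an added example (mine, an illustration of the idea and not Dropbox's code) of a content-addressed store: one copy per distinct content, a pointer per user, and a SHA-256 hash as the "digital signature". The users and files are constructed. The interesting method is who_has(): the operator never opens a file, yet from the fingerprints alone can answer which accounts hold a given document.

```python
import hashlib


class DedupStore:
    """Content-addressed storage: each distinct file is kept once; every user who
    uploads the same bytes gets a pointer to that one copy. An illustration of the
    idea only, not Dropbox's implementation."""

    def __init__(self):
        self.blobs = {}     # fingerprint -> bytes, stored exactly once
        self.pointers = {}  # (user, path) -> fingerprint
        self.owners = {}    # fingerprint -> set of users holding it

    @staticmethod
    def fingerprint(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def upload(self, user: str, path: str, data: bytes) -> bool:
        """Store a file for `user`. Returns True if the bytes were actually written,
        False if an identical file already existed and only a pointer was added."""
        fp = self.fingerprint(data)
        is_new = fp not in self.blobs
        if is_new:
            self.blobs[fp] = data
        self.pointers[(user, path)] = fp
        self.owners.setdefault(fp, set()).add(user)
        return is_new

    def download(self, user: str, path: str) -> bytes:
        return self.blobs[self.pointers[(user, path)]]

    def physical_bytes(self) -> int:
        return sum(len(b) for b in self.blobs.values())

    def logical_bytes(self) -> int:
        return sum(len(self.blobs[fp]) for fp in self.pointers.values())

    def who_has(self, data: bytes) -> set:
        """What the operator can answer from fingerprints alone, without reading a
        single customer's file: which accounts hold this exact content."""
        return set(self.owners.get(self.fingerprint(data), ()))


def demo() -> dict:
    """Three constructed users, one widely shared document, one private one."""
    store = DedupStore()
    shared = b"%PDF-1.4 constructed sample: quarterly tax guide " * 40
    private = b"constructed sample: alice's draft resignation letter " * 40

    alice_wrote = store.upload("alice", "/docs/tax-guide.pdf", shared)
    bob_wrote = store.upload("bob", "/downloads/guide.pdf", shared)        # same bytes, new name
    carol_wrote = store.upload("carol", "/stuff/guide (1).pdf", shared)
    store.upload("alice", "/docs/letter.txt", private)

    return {
        "transfers": (alice_wrote, bob_wrote, carol_wrote),
        "physical": store.physical_bytes(),
        "logical": store.logical_bytes(),
        "holders_of_shared": store.who_has(shared),
        "holders_of_private": store.who_has(private),
        "bob_roundtrip_ok": store.download("bob", "/downloads/guide.pdf") == shared,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The return value of upload() is itself a leak when de-duplication is done on the client side (the client sends the hash first and skips the transfer if the service already has the content): any user can learn whether a particular file exists on the service simply by watching whether their copy actually uploads. Encrypting on the client with a key the provider never sees makes identical files hash differently, which removes both the storage saving and the provider's ability to recognise content; that trade-off is the real decision behind the question above.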

The PC (or Mac) is Locked, so it's safe, right?
Turns out that credentials are easily compromised.  Circulating this week is an account of how, with about $200 worth of hardware and software, login credentials can be stolen from a locked Windows or Mac machine. Using a Hak5 LAN Turtle or a USB Armory (both running Linux), the USB device presents itself to the locked machine as a network adapter with its own DHCP server, so the host adopts it as a route and, without anyone touching the keyboard, keeps making the automatic network requests the operating system normally makes. The device then catches the authentication hashes those requests carry; the capture works regardless of the complexity of the plaintext password, and the hashes can afterwards be cracked offline or relayed.   To be noted: it's possible to create a similar setup with a Raspberry Pi Zero, reducing the cost to less than a lunch.

Ransomware - it our new reality. *sigh*
New - Kaspersky has identified a new version of the RAA ransomware and the implications are scary.  It arrives in e-mail (like they all seem to), it's written in JScript, and appears as a password-protected zip.  The password protection keeps anti-virus software from looking inside the archive, and the attachment looks legitimate to end users.

2016-10-14
MDux

Thursday, October 13, 2016

It's official - Winter is coming.


As the first storm rolls into the Pacific Northwest, this is a great reminder to us to check our Disaster Recovery / Business Continuity Plans.

When is the last time the plan was revised?
When is the last time the plan was tested?
Do you know how many hours/days’ worth of data you have at risk?
Do you know how long it takes to recover data?
Do you know the cost per day of disruption?
Are you storing data on multiple media formats?
Are you taking backups off site, either physically or digitally?
                           
Key Terms to know:
RPO - Recovery Point Objective
How much data can be lost - worst case scenario.
e.g. If you perform a full backup on Thursday night and an incremental on Tuesday night: if a disaster happens right before the backup on Tuesday, all data from Friday, Monday and Tuesday is at risk. Alternatively, if a disaster happens right before the full on Thursday, all data from Wednesday and Thursday is at risk. The RPO is the worst case, so in this scenario it is 3 business days.
RTO - Recovery Time Objective
How long does it take to actually recover the data? Remember that recovering from an incremental might include a recovery from the last full AND the incremental.

MTPoD - Maximum Tolerable Period of Disruption
The longest period of time the business can survive at a dead stop.  Your worst-case RPO plus your RTO is the outage your current plan actually delivers; it has to fit inside the MTPoD, or the plan needs to change.
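The definitions above reduce to a small calculation once the schedule is written down, and it's worth doing for more than one schedule because RPO and RTO pull in opposite directions. The added example below (my code, not part of the original post) takes a weekly schedule of full and incremental jobs and returns the worst-case data at risk in business days (the RPO), the longest chain of backups a restore would have to replay, and a worst-case RTO from assumed per-job restore times. The Thursday-full/Tuesday-incremental schedule from the post comes out at 3 business days; a daily schedule trades that down to 1 day at the cost of a five-step restore. The restore hours are placeholders to replace with timings from your own restore tests.

```python
from dataclasses import dataclass

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
BUSINESS_DAYS = {0, 1, 2, 3, 4}   # assume Mon-Fri; weekends create no data


@dataclass(frozen=True)
class Backup:
    day: int      # 0 = Mon ... 6 = Sun; the job runs at the end of that day
    full: bool    # False means incremental (changes since the previous backup)


def business_days_at_risk(last_good_day: int, failed_day: int) -> int:
    """Business days of data lost if the disaster hits just before the backup due on
    failed_day, so the newest usable backup is the one from last_good_day."""
    lost, d = 0, (last_good_day + 1) % 7
    while True:
        if d in BUSINESS_DAYS:
            lost += 1
        if d == failed_day:
            return lost
        d = (d + 1) % 7


def restore_chain(schedule: list, target: Backup) -> list:
    """Backups that must be restored, oldest first, to get back to `target`:
    the most recent full at or before it, plus every incremental after that full."""
    i = schedule.index(target)
    chain = [target]
    while not chain[0].full:
        i = (i - 1) % len(schedule)
        if schedule[i] == target:
            raise ValueError("schedule has no full backup; incrementals alone cannot be restored")
        chain.insert(0, schedule[i])
    return chain


def analyze(schedule: list, full_restore_hours: float = 8.0, incr_restore_hours: float = 1.0) -> dict:
    """Worst-case RPO (business days) and worst-case RTO (hours) over a weekly schedule.
    The restore-time figures are assumptions for the example; measure your own."""
    sched = sorted(schedule, key=lambda b: b.day)
    worst_rpo, worst_chain = 0, []
    for i, failed in enumerate(sched):
        last_good = sched[i - 1]           # index -1 wraps to the last job of the week
        worst_rpo = max(worst_rpo, business_days_at_risk(last_good.day, failed.day))
        chain = restore_chain(sched, last_good)
        if len(chain) > len(worst_chain):
            worst_chain = chain
    rto = sum(full_restore_hours if b.full else incr_restore_hours for b in worst_chain)
    return {
        "rpo_business_days": worst_rpo,
        "worst_restore_chain": [f"{DAYS[b.day]} {'full' if b.full else 'incr'}" for b in worst_chain],
        "rto_hours": rto,
    }


# The post's schedule: full Thursday night, incremental Tuesday night.
POST_SCHEDULE = [Backup(day=3, full=True), Backup(day=1, full=False)]
# A denser alternative: full Sunday night, incrementals Monday through Thursday.
DAILY_SCHEDULE = [Backup(day=6, full=True)] + [Backup(day=d, full=False) for d in range(4)]

if __name__ == "__main__":
    for name, sched in (("post", POST_SCHEDULE), ("daily", DAILY_SCHEDULE)):
        print(name, analyze(sched))
```

Run it against your own schedule and compare rpo_business_days and rto_hours with the MTPoD the business will actually tolerate; if the two don't fit, the answer is usually more frequent fulls (shorter chain, faster restore) or more frequent incrementals (less data at risk), and the script shows which lever you are pulling.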
             

I say if you have it, you won't need it, but if you don't have it, you'll need it.


2016-10-13
MDux