About Cheryl Biswas

Writer, reader, techie, Trekkie. InfoSec and political analyst. Keeping our world safe one byte at a time.

Live At InteropITX

Just listening to Kevin Mandia live, speaking about global affairs and international cybersecurity. I am in heaven. This is beyond amazing!

Thank you to our friends at DarkReading who made this opportunity possible for Haydn and me to speak at this conference. ALL the learning!

Update: WannaCry Ransomware

[Image: real time botnet tracking map by http://www.malwaretech.com]

The number of countries impacted is over 100. We are expecting version 2.0 to hit by Monday, because that’s the nature of these attacks: the attackers know when they have their victims over a barrel, and they maximize the opportunity. Microsoft has issued patches. But what everyone can and must do, over and above applying these specific patches, is this:

  • Ensure you have full, working backups that are offline and removed from the network.
  • Have a Disaster Recovery/Business Continuity plan that specifically addresses cyber events like this one.
  • Be ready with a designated crisis communications spokesperson and prepared statements. If you’ve been hit and things are going terribly wrong, you don’t want to be dealing with that while also trying to say the right things to the press, staff and stakeholders.
  • Check in with and listen to your network and sysadmins. They know what’s going on out there. They’ve seen the sh*t that happens, what breaks, and why.
  • Don’t evade or deflect this topic. Don’t underplay it, and of course don’t focus on the fear. Have honest discussions with your staff, because this is how you create lasting awareness and change the behaviours that will better secure your organization.

I follow these two experts on the risks to specialized systems, notably ICS (Industrial Control Systems) and SCADA (Supervisory Control and Data Acquisition). Note that medical facilities, mass transit, manufacturing and utilities all rely on these specialized systems, which are proprietary, are often set up with hard-coded or default passwords that are NOT secure, and run on older equipment that just can’t be upgraded, so it is left running unpatched until it fails. There is so much more we need to address.

Here is a global snapshot (per CTV news):

[Image: Russian Train Control Center Ransomwared]

EUROPEAN UNION: Europol’s European Cybercrime Centre, known as EC3, said the attack “is at an unprecedented level and will require a complex international investigation to identify the culprits.”
BRITAIN: Britain’s home secretary said the “ransomware” attack hit one in five of 248 National Health Service groups, forcing hospitals to cancel or delay treatments for thousands of patients — even some with serious ailments like cancer.
GERMANY: The national railway said Saturday departure and arrival display screens at its train stations were affected, but there was no impact on actual train services. Deutsche Bahn said it deployed extra staff to help customers.
RUSSIA: Two security firms — Kaspersky Lab and Avast — said Russia was hit hardest by the attack. The Russian Interior Ministry, which runs the country’s police, confirmed it was among those that fell victim to the “ransomware,” which typically flashes a message demanding payment to release the user’s data. Spokeswoman Irina Volk was quoted by the Interfax news agency Saturday as saying the problem had been “localized” and that no information was compromised. Russia’s health ministry said its attacks were “effectively repelled.”
UNITED STATES: In the U.S., FedEx Corp. reported that its Windows computers were “experiencing interference” from malware, but wouldn’t say if it had been hit by ransomware. Other impacts in the U.S. were not readily apparent.
TURKEY: The head of Turkey’s Information and Communication Technologies Authority or BTK says the nation was among those affected by the ransomware attack. Omer Fatih Sayan said the country’s cyber security centre is continuing operations against the malicious software.
FRANCE: French carmaker Renault’s assembly plant in Slovenia halted production after it was targeted. Radio Slovenia said Saturday the Revoz factory in the southeastern town of Novo Mesto stopped working Friday evening to stop the malware from spreading.
BRAZIL: The South American nation’s social security system had to disconnect its computers and cancel public access. The state-owned oil company Petrobras and Brazil’s Foreign Ministry also disconnected computers as a precautionary measure, and court systems went down, too.
SPAIN: The attack hit Spain’s Telefonica, a global broadband and telecommunications company.

No Accidental Hero Here – Amazing!

There are many in our community of extraordinary souls who do amazing things at the hardest of times. This is one of those stories. Thank you!

And because he tells the story so much better than I ever could, please read his blog post as linked here. You can copy and paste the URL provided in your browser to be extra safe. 

https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

It’s THAT Bad

PATCH YOUR STUFF! MS17-010 is Microsoft’s patch for the SMBv1 flaw abused by EternalBlue, the exploit leaked in the most recent ShadowBrokers dump, and that exploit has been making the rounds in the worst way. WannaCry ransomware is everywhere. Get your backups in place. NOW! And don’t put them on the same network.

Countries around the globe have been hit by a massive ransomware attack that has already earned 100 bitcoins. It started early this morning when hospitals in the UK were struck. There were confirmations that a telecom and businesses in Spain were also hit.

Two hours ago, judging by the tweet storm, Russia, Israel, the US and 70 other countries were all infected.

Kevin Beaumont (@gossithedog on Twitter) has recommended the following, in addition to patching your stuff, because Microsoft had this patch available before this happened and we know, WE KNOW, that attackers move this fast:

Make a group policy for the Windows firewall. Block SMB between all endpoint PCs. Limit it between servers that need it. That way, if you miss a patch in future (but you won’t after today, will you?) or if AV doesn’t work, you can really make it harder for the ransomware to spread, buying you time to control and contain.
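What that looks like in practice, as an added example that is neither Kevin’s nor this post’s own code: the rules below are pushed into Group Policy with the Windows NetSecurity cmdlets, which is the route Kevin is describing. Every name in it is an assumption: a domain corp.example, a GPO “Workstation Firewall” linked to the workstation OUs, a GPO “App Server Firewall” linked to servers that do not serve files, workstations living in 10.0.0.0/16, and the hostnames ws-peer01 and fileserver01 used for the check at the end.

```powershell
# Added example (not Kevin Beaumont's or the post author's code): GPO-delivered
# Windows Firewall rules that block SMB between endpoints and limit it to the
# servers that need it. All names below are assumptions for illustration.
# Run from a domain-joined admin host with rights to edit the two GPOs.

$wsGpo     = 'corp.example\Workstation Firewall'   # assumed GPO linked to workstation OUs
$appGpo    = 'corp.example\App Server Firewall'    # assumed GPO linked to servers that do NOT serve files
$wsSubnets = @('10.0.0.0/16')                      # assumed address range of the endpoint PCs

# 1. Endpoints never need to *serve* SMB to anyone. Windows Firewall applies Block
#    rules ahead of Allow rules (including the built-in File and Printer Sharing
#    ones), so this one inbound rule stops PC-to-PC spread even on an unpatched box.
New-NetFirewallRule -PolicyStore $wsGpo -DisplayName 'SMB in - block on endpoints' `
    -Direction Inbound -Protocol TCP -LocalPort 445,139 -Action Block

# 2. Application servers that are not file servers or domain controllers should
#    not accept SMB from the workstation ranges either. Because Block wins, scoping
#    the Block to the workstation subnets is how "limit between servers that need
#    it" is expressed: servers still reach each other, workstations cannot reach these.
New-NetFirewallRule -PolicyStore $appGpo -DisplayName 'SMB in - block from workstations' `
    -Direction Inbound -Protocol TCP -LocalPort 445,139 -RemoteAddress $wsSubnets -Action Block

# 3. Stop locally added Allow rules on endpoints from quietly reopening the port.
Set-NetFirewallProfile -PolicyStore $wsGpo -Profile Domain,Private,Public -AllowLocalFirewallRules False

# 4. On each host (for example from a startup script): the SMBv1 dialect that
#    MS17-010 patches is not needed by modern clients, so remove the attack
#    surface outright rather than only fencing it. This is Microsoft's own
#    WannaCry guidance, not part of Kevin's recommendation.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 5. Verify from a workstation once policy has refreshed: a peer PC's port 445
#    should no longer answer, while the file server still does.
gpupdate /force
Test-NetConnection -ComputerName ws-peer01 -Port 445      # TcpTestSucceeded should be False
Test-NetConnection -ComputerName fileserver01 -Port 445   # TcpTestSucceeded should be True
```

The ordering of the rules matters less than it looks, because Windows Firewall evaluates Block rules before Allow rules. That is why a single inbound Block on endpoints is enough even where the built-in File and Printer Sharing rules are enabled, and why the server-side restriction is written as a Block scoped to the workstation ranges on the servers that do not need SMB, rather than as an Allow list on the ones that do (an Allow list on its own would be overridden by any other Block and silently bypassed by the built-in Allow rules).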

Which prompts me to ask: How is your IR plan? Is it geared to cyber events like this? And oh yeah, do you have DR/BCP? Cuz you sure as heck are going to need that ready to roll out. And have you set up a policy on who says what for crisis communications? Because you really want to control how that happens too.

If you answered no to any of the above, just get on it now. Because you don’t know who is gonna get hit next on this round of rushin’ roulette.

1 Billion Accounts Breached: Are YOU in here?

If you haven’t heard, there are currently about 1 billion accounts caught in two massive breaches: Exploit.in and AntiPublic. I’m one of that billion, and so was a family member. So are work colleagues. So that’s why I’m writing this – for the people I want to protect.

Security researcher Troy Hunt has been actively working on these breaches and getting notifications out. Among the key concerns raised was credential stuffing.

Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.

As Troy lays out -and we need to be reminded of – this matters to us because:

  • It’s enormously effective due to the password reuse problem
  • It’s hard for organisations to defend against because a successful “attack” is someone logging on with legitimate credentials
  • It’s very easily automatable; you simply need software which will reproduce the logon process against a target website
  • There are readily available tools and credential lists that enable anyone to try their hand at credential stuffing

You can read his site to see more. So what that leads to is stuff like this:

Exploit.in is 111 text files totalling 24 GB, a mountain of email addresses paired with passwords. Given Troy’s research so far, of the 593,427,119 unique email addresses contained, there are accurate (i.e. valid) creds and data that isn’t already compromised, so fresh kill. There are only 222 million duplicates between the lists, so 63% of the accounts in Exploit.in are different from the 457,962,538 addresses in AntiPublic.

The numbers are staggering, but what we need to be “impressed” by is what led to this. It’s the same root causes, known failings and weaknesses and bad habits that have accumulated as data has accumulated. We all know how much easier it is to fix a problem in the early stages.
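As an added example (not from Troy Hunt’s writing or from this post), here is how the “someone logging on with legitimate credentials” problem can still be picked out of Windows logon events: a brute-force attack is many failures against one account, while credential stuffing is one or two failures each against many different accounts from the same source, often followed by a success when a reused password matches. The function assumes exported Security log events (4625 failed logon, 4624 successful logon) carrying IpAddress and TargetUserName fields; the sample events at the bottom are constructed, not real logs, and the thresholds are tunable assumptions.

```powershell
# Added example (not Troy Hunt's or the post author's code): flag a source that
# fails logons against many *different* accounts in a short window, which is the
# shape of credential stuffing rather than of a single-account brute force.
# Input events are assumed to have Time (datetime), EventId, IpAddress and
# TargetUserName fields, as exported from the Windows Security log.

function Find-CredentialStuffing {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $MinDistinctUsers = 10,   # assumed threshold: one source failing against this many accounts is the tell
        [int] $WindowMinutes    = 15    # assumed window length
    )
    $flagged = @()
    foreach ($group in ($Events | Group-Object -Property IpAddress)) {
        $ip       = $group.Name
        $sorted   = @($group.Group | Sort-Object -Property Time)
        $failures = @($sorted | Where-Object { $_.EventId -eq 4625 })
        if ($failures.Count -lt $MinDistinctUsers) { continue }

        # Slide a window over the failures: stuffing shows up as failures against
        # $MinDistinctUsers or more distinct accounts inside $WindowMinutes.
        for ($i = 0; $i -lt $failures.Count; $i++) {
            $start    = $failures[$i].Time
            $end      = $start.AddMinutes($WindowMinutes)
            $inWindow = @($failures | Where-Object { $_.Time -ge $start -and $_.Time -le $end })
            $distinct = @($inWindow | Select-Object -ExpandProperty TargetUserName -Unique).Count
            if ($distinct -lt $MinDistinctUsers) { continue }

            # A success from the same source after the spray means a reused
            # password matched: those accounts get reset first.
            $matched = @($sorted | Where-Object { $_.EventId -eq 4624 -and $_.Time -ge $start } |
                         Select-Object -ExpandProperty TargetUserName -Unique)
            $flagged += [pscustomobject]@{
                IpAddress     = $ip
                WindowStart   = $start
                Failures      = $inWindow.Count
                DistinctUsers = $distinct
                MatchedUsers  = ($matched -join ',')
            }
            break   # one finding per source is enough for triage
        }
    }
    return $flagged
}

# --- Constructed sample data (not real logs) ----------------------------------
$t0     = [datetime]'2017-05-13T01:00:00'
$events = @()
# Source A walks 25 breached username/password pairs, one try each, and one works.
foreach ($n in 1..25) {
    $events += [pscustomobject]@{ Time = $t0.AddSeconds(3 * $n); EventId = 4625; IpAddress = '203.0.113.7'; TargetUserName = "user$n" }
}
$events += [pscustomobject]@{ Time = $t0.AddSeconds(80); EventId = 4624; IpAddress = '203.0.113.7'; TargetUserName = 'user17' }
# Source B is a real user who mistyped a password three times, then got in.
foreach ($n in 1..3) {
    $events += [pscustomobject]@{ Time = $t0.AddMinutes($n); EventId = 4625; IpAddress = '192.0.2.10'; TargetUserName = 'bob' }
}
$events += [pscustomobject]@{ Time = $t0.AddMinutes(4); EventId = 4624; IpAddress = '192.0.2.10'; TargetUserName = 'bob' }

Find-CredentialStuffing -Events $events | Format-List
```

On the constructed sample the function reports one finding, for 203.0.113.7 (25 failures across 25 distinct users, with user17 as the matched account to reset first), and leaves 192.0.2.10 alone, because three failures against a single account is a fat-fingered password, not a credential list being replayed. The point of grouping by source and counting distinct accounts rather than raw failures is exactly the difficulty Troy names: the final successful logon on its own is indistinguishable from the legitimate user.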

So the AntiPublic tool verifies how legitimate hacked credentials are, and data breach services pop up to buy and sell these credentials. I have contacts who tell me that every time these dumps happen they find a significant number of compromises in their regions, regardless of how many recycled creds are in there. Troy gathered some explanations on how this works:

the tool itself is for sale here [redacted]
it’s pretty cheap
it’s mostly used in Russia, but he does sell an english version
most common use-case: someone buys a dump on x forum, uses the tool to verify which ones are legit
similar to sentryMBA and account hitman
you will often see a uniqueness score associated with the sale based on output

I really appreciate the work done by security researcher Troy Hunt and his site Have I Been Pwned. This is a quick and easy way for anyone to check the status of their email address or username, as well as to receive notifications when they may be caught up in a breach. Because the sooner you can change your passwords, the better.

Guess What I Get to Do Next?!

Yes indeedy! I’ll be speaking about one of my very favourite things, Threat Intel, with one of my very favourite people, Haydn Johnson. Let’s just say we’ve put everything into this talk. We’ve finessed and enriched all our accumulated knowledge from previous works into something we are so proud to deliver.  Click here to learn more.

If you want to attend, you still can! Register for #InteropITX with my promo code & save 20% off any pass. Go to www.interop.com and use code: https://l.feathr.co/interop-itx-cheryl-biswas-c