Happy New Year 2018 – Let the Dumpster Fires Begin

Just three days into 2018,  two massive security warnings were issued for Meltdown and Spectre. About those names – for an industry that claims to hate FUD, we need to work on this. But all kidding aside, these are perhaps the biggest inherent vulnerabilities to be brought to light that I am aware of. For good reason. When almost every device we use in our online and connected lives contains the problem at hand, it’s a top-tier event. Rather than jump on the “sky is falling” bandwagon, I chose to wait things out and read all that I could. There are far more experienced and knowledgeable people who have been weighing in on this from the start, and I will share links to their excellent insights and explanations. Also, as dust settles we can seee things more clearly, which is very relevant when dealing with a situation as massive and impactful as this. More details come available; facts are verified; information about what to do is tested and shared. Worth waiting for given that there was no immediate fix and panic is never a solution.

Here is the simplest breakdown of what both are by Daniel Miessler.  What everyone is worried about is that both of these enable attackers to access information and processes that we had all thought were inherently secured, like privacy keys we use to protect our data. Daniel lays it all out here:

Both Meltdown and Spectre allow low-privilege users who execute code on your system to read sensitive information from memory via Speculative Execution.  The basic concept for these two attacks is that you should consider secrets to be attackable any place you’re allowing someone else’s code to run on an affected system.

In Meltdown that means “any secret a computer is protecting (even in the kernel) is available to any user able to execute code on the system.” (Miessler) Spectre is worse in that it “works by tricking processors into executing instructions they should not have been able to, granting access to sensitive information in other applications’ memory space.” (Miessler)    

What I have been listening for is how this may impact Cloud computing, which we only think we understand, and we need to remember is just somebody else’s server.  Jerry Bell has written a piece on his blog, “Thoughts on Cloud Computing in the Wake of Meltdown”. He happens to be one of my go-to sources as part of the Dynamic Duo on the Defensive Security Podcast. First, the good news.  As managed service providers running largely out of datacenters, these operations will have likely been told to patch ahead of most, and done so in the best interests of running their business. As well, since datacenters are large organizations managing many clients, they will be using automation to help the patching process. And patching is complicated, especially when it comes to these critical issues.

And that brings us to the not so good news. Patching virtual machines isn’t always straightforward or successful.

spec2spec1

As Jerry presents:

Meltdown provided an apparent possibility for a guest in one virtual machine to read the memory of a different virtual machine running on the same physical server.  This is a threat that doesn’t exist on private servers, or is much less concerning for private cloud.  This vulnerability existed for many years

And then there are performance issues. Interestingly, as Jerry points out, not as hard to mitigate on cloud as they would be for physical servers.

One of the big downsides to cloud therefore, seems to the risk of a sudden change in the operating environment that results in higher cloud service costs.  As problematic as that might be, firing an API to increase the execution cap or add CPUs to a cloud server is logistically much simpler than private physical servers experiencing the same performance hit and needing to be replaced, which requires the arduous process of obtaining approval for a new server, placing the order, waiting, racking, cabling, set up, and so on.

Based on this, and what has been occurring across 2016 and 2017, I predict we will see more of these events where something we did in the past comes back to “haunt” us, from a time when we did not have any idea of how technology would develop. We are now uncovering what lies beneath the surface of frameworks we rely on that others laid down before us. Simon Segars is CEO of ARM Holdings, which designs mobile chips. He warned at CES 2018 in Vegas last week that we need to expect more of these discoveries. He states one of my chief concerns here:

“The reality is there are probably other things out there like it that have been deemed safe for years.. Somebody whose mind is sufficiently warped toward think about security threats may find other ways to exploit systems which had otherwise been considered comletely safe.”

We don’t know what we don’t know unfortunately in this case, so we need to be prepared for similar discoveries. More importantly, we need to be ready to assess, then share the information in a controlled and constructive fashion while we mobilize immediate and long term responses to the event. My watchword now is “prudence”, both in terms of patching, and then in terms of vigilance as we watch over all our systems with new eyes and insights. Haste makes waste. Because as time has borne out, and is once again, patches can go sideways very badly. Whether you brick a device or you brick an enterprise, both outcomes are severe.

UPDATE ON PATCHES

Per Steve Ragan’s piece in CSO Online, Microsoft has suspended Windows security updates related to this issue on systems with older AMD CPUs, after a documentation mix-up led to the systems being unable to boot after patches were applied.

In order to “prevent AMD customers from getting into an unbootable state,” Microsoft  has temporarily paused sending the following Windows updates to devices with impacted AMD processors:

  • January 3, 2018—KB4056897 (Security-only update)
  • January 9, 2018—KB4056894 (Monthly Rollup)
  • January 3, 2018—KB4056888 (OS Build 10586.1356)
  • January 3, 2018—KB4056892 (OS Build 16299.192)
  • January 3, 2018—KB4056891 (OS Build 15063.850)
  • January 3, 2018—KB4056890 (OS Build 14393.2007)
  • January 3, 2018—KB4056898 (Security-only update)
  • January 3, 2018—KB4056893 (OS Build 10240.17735)
  • January 9, 2018—KB4056895 (Monthly Rollup)

 

There are some excellent writeups out there. Here are some suggestions:

https://www.csoonline.com/article/3245770/security/spectre-and-meltdown-what-you-need-to-know-going-forward.html

https://blog.malwarebytes.com/security-world/2018/01/meltdown-and-spectre-what-you-need-to-know/

https://www.renditioninfosec.com/2018/01/meltdown-and-spectre-vulnerability-slides/

https://infosec.engineering/thoughts-on-cloud-computing-in-the-wake-of-meltdown/

Advertisements

Quickhits: Monday Dec 18 2018

New attack on Apache Struts: We’ve seen patches issued in March, May and agin this fall for exploits against vulnerabilities in this widespread open source web development  framework used to build JAVA web applications. In this report by F5 labs,  a sophisticated new campaign, “Zealot”, is leveraging ShadowBroker exploits EternalBlue and EternalSynergy.  Zealot is described as a “highly obfuscated and multi-staged attack”, in keeping with these exploits, and utilizes Powershell in Windows attacks, and Python in Linux attacks. Zealot mines the cryptocurrency Moneris, popular amongst cybercriminals.

Potential for Uptick in Iranian-based attacks:  The nuclear deal between Iran and the US seems tenuous at best. There is growing concern that should Trump end things, there will be a corresponding response from Iranian-based hackers. Iranian attacks are state-sponsored, so these won’t be cybercrime cash-grabs, but targeted espionage or worse, damaging attacks against infrastructure, like Shamoon wiperware. And since the attackers do the recon well in advance of the big event, I’d be watching IP addresses and any data exfil carefully.

Banking Trojan Emotet:  There is an increase in banking trojan activity. Malware hunters are sharing reports on new activity for Emotet, which made a resurgence in July this year.  A dedicated group of researchers has been steadily updating and sharing their findings on Pastebin here. 

VirusBulletin and Critical Flaws:  VirusBulletin is a very widely used forum for security analysts to test and share malware or suspect findings. Two researchers claim there are unpatched critical flaws that have yet to be remediated and that VirusBulletin has been advised.

 

 

 

 

 

Getting Things Done

Dedication. Vision. Accomplishment. Passion. These are the forces of change within cyber security, and just some of the distinctive qualities about the guests Dr. Gary McGraw featured for an entire year on his Silver Bullet podcast.

We know there is a shortage of women, of diversity, in science and technology careers, particularly in cyber security.  Rather than make that the focus, this series and these women tell stories that resonate. They share their experiences, and their passion for what they do enfuses each conversation.  There are no rockstars or grandstanders here because there is no room for ego when there is work to be done.

These are my role models, my teachers, my heroes. They illuminate the darkness of our own ignorance about medical device security; making security meaningful to those outside our security enclave; understanding the power of digital forensics; crafting not just secure code but a security mindset within development.

This series is so much more than just an homage to women in tech. There is tremendous strength to be realized in our diversity; within our differences are the tools and solutions we seek for what lies ahead. I am so honoured to have been included. Thank you!

A Hunting We Will Go

This weekend, in my midnight forays on Twitter (I do sleep, just not when you think I do), I discovered these graphs. As they say, a picture is worth a thousand words. These are worth far more because they visually represent high-level concepts on attackers and hunting. All credit goes to Jack Crook @jackr on Twitter, whose site is findingbad.blogspot.com.  We know how this game is played, that the attackers have been living in our networks far longer than we realized. Defence isn’t passive. It can’t be. We need to be actively monitoring all the things. We need to be expanding the Cyber Kill Chain past the perimeter and into the depths of our realm, to play this game of cat and mouse.

I’ve been pursuing my love of threat intel over these past months, and shared my learnings via talks at my local DC416 chapter, and then – fireworks and music – at Wall of Sheep at Defcon this year. OMG!  Reading Jack’s work just fires up my urge to learn more, and these depictions show what I want to say so very well.

“Enumeration”. Per Jack

Enumeration is an attacker need. They need to know where they are, where they can go, where’s the data they’re after.

“Credentials”. Jack says

Attackers need credentials if they’re going to move laterally within your network. Here’s some ideas to go digging for.

“Powershell”. Jack adds

Here are some additional things to think about when looking at Powershell

And I saved the best for last! How will they execute?

Process execution is an attacker need. There’s opportunities for developing creative ways to find when malicious.

Thank you, Jack, for sharing this wisdom. And thank you for reading!

Live from Vegas! Hacker Summer Camp is this Week!

3 cons. 4 talks. No sleep. Lol. Well I did get some finally. It has been a whirlwind and I love it. Every glorious second!

BSidesLV has been the best yet. 3rd year for me. Volunteered as speaker liaison, which I love because I give talks. It’s about helping them feel more confident, ready to step up and own that moment. I also had the early bird shift in the lobby as greeter. Since I am a morning person, 6:00 a,m Vegas time was fine with me. Besides, you can’t beat watching the sun come up over the desert hills.

I was a mentor to a terrific speaker. BSides has the Proving Grounds track to encourage and enable folks to give talks. It’s how I got started, and I will forever be grateful.  And mentoring is mutually rewarding. I’ll do a separate post on it because I think it’s so vital.  My mentee, Karolyn Bachelor, gave a great talk on how to ask the right questions for the right answers. Way to go! I’ll post links.  And my other mentee from home, Nitha Suresh, gave her first talk at Proving Grounds as well. I am thrilled for both of them!

womenbsideslv

And I had fun again this year, giving my talk in the Underground Track, picking up where I left off last year on How to Rob a Bank. This year was “Banking on Insecurity”, because the hits just keep on coming. The room was packed and my opening line went something like “Holy sh*t!” lol! We had lots of interactions and laughs about some very serious and even controversial topics in the realm of finsec and cyber security. Honestly, it was better than I could have wished for!

Now, I have two full days ahead of the little con that could. The Diana Initiative is about encouraging, empowering and supporting women in InfoSec and Tech. It rose from the ashes of what was TiaraCon, of which we will say no more.  This event comes from the heart, and what I will say is that we were so moved by the belief in what we were doing by the attendees from last year. Failure was not an option. There were people counting on us to deliver and we have made it happen. Oh my god this community and their support is amazing. Truly. I am grateful beyond words for the generosity shown.  And as being part of this extraordinary team, who pulled together, gave up sleep, work, life to make this happen – I am so blessed. Resilience. Strength. Determination. We are gonna change some lives, make a difference and have a great time doing it. The Diana Initiative – this Con is on!

Petnya Post-Mortem: Wiper, not Ransom

This wasn’t just another ransomware attack. It marks a pivot. Because these are the games nationstates play. With collateral damage and no impunity because attribution is hard. We left brick and mortar behind some time ago, when the battlefield moved to cyberspace, where there are no boundaries. Moreover, whatever previous rules of battle we followed do not apply.

There was a one-two punch, with the events out of the Ukraine Thursday morning.  Absolutely things were connected and we need to remember that going forward. Bigger picture. Because a lot is at play right now. From my vantage point, as a Poli Sci grad, cyber security is intrinsically tied to whatever is going on in the larger arena. National security. Global security. The whims of the powers that be dictate their machinations of technology, which has become their new and shiny arsenal. They’ve been at it for a while now, but unlike conventional physical battlefields, we don’t witness what plays out until we’re impacted.

What’s critical to me is that this attack was presented as ransomware to throw us off. As described by The Grugq:

This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of “ransomware.”

This was actually a targeted attack against Ukraine, using malware that was highly destructive. This attack was never about making money. It was all about taking down systems and taking away access to essential service, as per this illustration from the blog post by The Grugq :

 

 

 

 

 

 

 

 

 

Think CIA – confidentiality, integrity, accessibility. Ransomware and wiperware go after accessibility. And in our world, downtime can equal death, figuratively as well as literally (think hospitals and critical infrastructure).  As Leslie Carhart says:

Blood is in the Water -Not only have criminals found that ransomware is a great money-making scheme, but nation states and terrorist organizations have realized pseudo-ransomware makes a misleading and effective weapon. A weapon that can cause collateral damage, globally.

 

 

 

 

 

 

There have been some excellent reviews of what this attack was about, and how the Eternal Blue exploit released via ShadowBrokers was yet again leveraged against unpatched systems. Key takeaways were:

  • Unpatched systems will continue to be our undoing and exploited. We’re more at risk now because of that cache of exploits being lobbed at us monthly via the ShadowBrokers.
  • Lateral movement within networks works for attackers and infection spread. Segment. Segregate. Flat networks are an attacker’s dream.
  • Multiple infection vectors. There were as many as 4 ways for the target to be compromised.
  • Backup and test how those restore. Don’t assume anything. And keep backups off the main network
  • Windows.  Everyone uses it. Powershell. Sysinternals. AD. PSExec. Let’s keep learning about these because the attackers sure as heck know what they can do with them.

We know what er are not doing well. It’s catching up with us. Let me end with these words of wisdom by Leslie:

Defense in depth, including human threat hunting and effective detection and prevention at many points, is key. This will involve policy and financial buy-in from many lagging organizations at a new level.

And this sums it up:

 

 

 

 

 

 

These blog posts say everything I could ever want you to know, only better. Please read them:

The Grugq: Pnetya: Yet Another Ransomware Outbreak  .

Leslie Carhart @hacksforpancakes:  Why NotPetya Kep Me Awake (And You Should Worry Too)

Cisco Talos Blog: New Ransomware Variant Netnya Compromises Systems Worldwide

TiaraCon 2017 – Alliances!

 

YES! TiaraCon 2017 is a thing and  I will be part of this wonderful event again this year. July 27-28 in Vegas. We want to celebrate and encourage women and diversity in our field. We’ve heard moving stories about how attendees were inspired to go for their dreams, and to feel safe and accepted. This time we are at a new location, to be close to DefCon and where the action is: Caesar’s Palace Hotel.

Updates: Our first CFP was a tremendous success and all the acceptances have been issued. Now I must do the hardest part, which is send out the rejection letters. I’ll be crafting those carefully, because people really deserve to hear thank you.

Funding: It takes a lot to make change happen. Any amount helps us to make a difference. Visit our GoFundMe

Registration: Visit our site and sign up otherwise you won’t be able to get in. And you know you want that tiara 🙂