It Really Was the Lazarus Group, in North Korea with SWIFT

swift

Last week, news broke that the US had linked North Korea to the theft of millions against the Federal Reserve in a series of bank heists involving the SWIFT messengering system.  I did a couple talks last year about banking insecurity as a fairy tale that misrepresented itself in the form of that trusted messengering system, SWIFT.  The deeper I delved, the scarier that fairy tale got. But from the start I had my suspicions about who was behind it and why. Why was a big factor because it ruled out the usual bank cyber crime suspects, aka Russia and Eastern Europe. This was too overt a move for a nation state to make right? Well, that depends which nation state you are.

And this was where my poli sci years kicked in.  I’ve always stood at that intersection of international relations and cybersecurity. It’s one heck of a vantage point. I do threat intel. Still pinching myself because I didn’t know this thing I love to do even existed a few years ago. But as I learn and grow in this field, what becomes increasingly clear is the need for context. That we have to take more than we surmise into account to really get the big picture. And we need the big picture to do this right. Otherwise we risk making the wrong call when we choose to play the attribution blame game, where the stakes are high and the consequences could level a lot more than the proverbial playing field.  So international relations, current affairs, global economy and history all need to be factored in. Then we have data with context and points that link, so we can see patterns.

kimbo

Linda Davidson/Washington Post

Because for me this story was always so much more than just “hackers went after a billion but only got 81 million”.  Who was behind those hackers? Why Bank of Bangladesh? Who needed a billion badly enough to digitally “rob” a bank? I’ll admit I have my likely crew: Russia, China, North Korea.  In this case, Russia and China were too big to make this kind of a play and have to contend with the global condemnation.  That’s a headache they would rather avoid and neither needed a billion dollars that badly. However, North Korea was a different story: impoverished, starving, and whose wildcard of a leader answered to no one in his quest for nukes. As per a recent story in the Washington Post:

“North Korea has consistently been treated like a joke, but now the joke has nuclear weapons,” said John Park, director of the Korea Working Group at the Harvard Kennedy School. “If you deem Kim Jong Un to be irrational, then you’re implicitly underestimating him.”

Kim Jong Un may be crazy but he’s crazy like a fox.  Hence why the attacks were on banks where nobody would care. Because the truth is first world problems get the attention, not developing nations like those in South East Asia. And of course, security was lax, because the resources just weren’t there. Nor was the mindset.  Corruption and coercion get things done in many parts of the world. How do you factor those into NIST spreadsheets and security audits?

A colleague and I had a great brainstorming session on geopolitics and cybersecurity as we put the details together. His keen insights and my paranoia spun the needle to land on North Korea. We just didn’t have any proof.  Fast forward a few months later, though, and tracks were found in the butter. Remember what I said earlier about the importance of history, context and patterns? Key pieces of code harkened back to the attack on Sony, and some very crafty work by the Lazarus Group.  While it wasn’t a smoking gun, it certainly was substantive. After his work on decoding Stuxnet, I listen when Eric Chien of Symantec weighs in. He knew what he saw there and he called it.

sonyhackIn the realm of cyber criminals, The Lazarus Group are somewhat nebulous, hard to pin down, and known for their ability to die off and then resurrect themselves, hence their name.  They’ve been identified as operating out of North Korea. To me, that means North Korea gives them a safe haven in return for services rendered. They are the bag man for their host supplying “dirty deeds”, just not done dirt cheap.  Because nation states don’t do this stuff for themselves when they need to remain one step removed.  Let me state that things are no where near this simplistic, and yes, China factors into this as well.  But no surprise there given the long-standing partnership between China and North Korea.

lazarus_map_ENWhere does this lead? Well, I did allude to the possibility of global economic chaos being used in the games nations play, because it’s all about the power and money is just a means to that end. Now we have news reports saying how nation states have resorted to robbing banks, and what a terrifying prospect that is. According to Richard Ledgett, Deputy Director of the NSA, in a story by the Wall Street Journal:

“If that linkage is true, that means a nation-state is robbing banks. That is a big deal; it’s different,” he said on Tuesday during a panel discussion at the Aspen Institute.

Mhm. I have a lot more where that came from.

Please click here if you’d like to see my talk on SWIFT and banking insecurities.

sectorslide

The ABC’s of APTs: Shamoon

sham35Welcome to the grey zone where politics and cyber meet. APTs or advanced persistent threats, are one of my favourite acronyms (but then you know how I am intrigued by Stuxnet and cartels), and essentially are how nation states get their digital digs at each other. Usually the intention is to get information, because knowledge is power. Cyberespionage can give a competing nation a real competitive advantage in the world economy, among other things. But sometimes, there is a need to control more, and that is where weaponizing code takes on a whole new nasty.

The keyword here is “persistence.”  First, attackers must find their way into the networks of the target. Usually, they employ targeted spear phishing, painstakingly staking out the right victim to receive that loaded email.  The investment of time and money at this point is essential, so as not to tip anyone off. And the emails are crafted so carefully, picking up on points tailored to that recipient so that they will open it, and launch the attachment that will create an entry point for the attacker. There is a reason why phishing is at the heart of so many breaches.

Now, imagine a video game, where you must progressively meet the challenges of each level to go higher. That is the attacker moving through the network, acquiring credentials to gain access to the crown jewels. The strategy is to find someone lower level, then work your way up. Hence, persistence, because this is an investment of both time and patience. Expect the key executives or decision makers to be well-guarded, with access and authorization controls in place. Not the case for someone lower on the food chain. All an attacker needs is to gain access. As proven repeatedly, once in, they can take all the time they need to find what they want. Case in point: the attack on the Ukraine power grid in December 2016.  The attackers were in that system for over nine months, collecting what they needed, notably credentials for the Virtual Private Network, that enabled them to jump the security gap onto the restricted side. As Stuxnet taught us, there is no such thing as air-gapped security.

shamoonattackgraphic

We know the Russians hacked the US; we know China hacked the US and Canada; and yes, the US has hacked someone too. These are the games nations play. The trick, of course, is not to get caught before you have the prize. And when you do get caught?  Well, as we’ve seen play out, nothing really bad happens. Just expect that your victim will be in your systems. Unless information isn’t the endgame and control is. Then, be prepared for something to go bump in the night.

Shamoon is devastating wiper malware that took out a massive swath of Saudi Aramco when it first debuted in 2012.  Linked to Iran, and an ongoing feud in the region between key players, it was a targeted attack against the oil giant, damaging or destroying 35,000 computers. Sec Def at the time, Leon Panetta, described it as “probably the most destructive cyber attack on a business.”

Wiper malware was used against business targets in  December 2014 destroying the systems in a Vegas casino, The Sands, after owner Sheldon Adelson advocated using nuclear weapons against Iran. The US “publicly cited Iran as the culprit”.   Then Disstrack was used again in December 2015, in the attack that brought Sony to its knees.  These aren’t gangs using cybercrime for monetary gain. These are the equivalent of acts of war, given the level of damage done.

Fast forward to late 2016. Two major attacks happened in Saudi: November 17 taking out systems at the airport and other Saudi government agencies, and then again on November 29. Then, on January 23 there was another attack. The malware used was almost identical to the original Shamoon, aka Disstrack.  Except there were a few key enhancements.  According to Andrew Plato, CEO of Anitian Enterprise Security

 “What is really worrisome about this is it’s just outright destructive. It isn’t really trying to steal anything. It’s the closest things we’re going to get to a cyber bomb”.

The new version, dubbed Shamoon 2, spread through the local network using legitimate counts belonging to users and administrators, with complex passwords likely obtained from an earlier attack. Remember what I said about persistence?  This new version, however went on to attack VDIs, or Virtual Desktops, which previously could have offered some protection because of their ability to load snapshots of systems that were wiped. Now Shamoon had migrated from just Windows-based systems to Linux in the attacks on VDIs.

cyberwar1-1024x482

Now, I don’t want to be alarmist and spread FUD everywhere. Yes, this is serious and destructive. Like Stuxnet, it broke things. And that’s the differentiator. So far, the line hasn’t been crossed where breaking things was deliberately done to harm people. Because as Archer would say: You want cyberwar? Because that’s how you get cyberwar.

While the expectation is that Iran is once again behind the attacks, Symantec has revealed there are multiple parties involved. More than one entity, so collaboration and cooperation.  The report is that an entity known as Greenbug may have assisted in getting the credentials needed for access.  Palo Alto reported on a campaign known as Magic Hound which targeted energy, technology and government with ties or locations in Saudi.  There were links between Magic Hound and two other actors with Iranian ties: Charming Kitten and Rocket Kitten. Finally, putting all this together was the group Timberworm or Cobalt Gypsy.  Per Symantec, Timberworm was behind the January 23 attacks.

Here’s the play by play. First, Timberworm used spear phishing emails with weaponized documents (we warned you about those Office Macros!) to gain initial access into the network. Once there, they used custom malware, along with leveraging existing sysadmin tools to avoid detection, and help them achieve persistent remote access. Quick FYI: custom malware is a hallmark of major organized cybercrime groups or nation state attacks because it costs a lot of time and money to craft, and the stakes are going to be very high.

Apparently Greenbug and Timberworm have been active, penetrating organizations beyond Saudi. Note that Shamoon, however, was only used against the Saudi target. Timberworm is a large operation, as is Greenbug, with targets in a range of areas. We know who they are now, what they can do, and that they have a shared interest. What we don’t know: the endgame. I’m waiting for that other shoe to drop.

http://www.zerohedge.com/news/2016-12-01/another-false-flag-destructive-iranian-hackers-allegedly-wreak-havoc-saudi-computer-

http://www.securityweek.com/shamoon-2-variant-targets-virtualization-products

http://www.securityweek.com/multiple-groups-cooperated-shamoon-attacks-Symantec

http://www.archersecuritygroup.com/second-wave-bomb-malware-hits-saudi-arabia/

Banking on Insecurity

They came for the money, they stayed for the data. There is far more at stake in financial services than dollars and sense. The past twelve months have shown how far attackers are willing and able to go; banks are known for their conservative pace in adopting new strategies, and attackers are literally banking on it.

As the saying goes, “In God we trust”. In banks, maybe not so much.  According to a recent report by Capgemini, one in five bank execs are “highly confident” in their ability to detect a breach, never mind defend themselves against it.  Yet “83% of consumers believe their banks are secure from cyber attack”.  One in four banks report they’ve been attacked, but only 3% of consumers believe their bank has suffered a breach. Never mind the money. How about the data? Survey shows that 71% of banks don’t have a solid security strategy in place, nor do they have adequate data privacy practices. The numbers are not good. Only 40% of banking and insurance companies have automated security intelligence capabilities for proactive threat detection

After following the trail on the SWIFT bank heists last year, I’ve paid close attention to banking malware, threat actors, and points of failure. What worries me is what’s coming as digital payments become the norm, and digital identities take hold in developing nations who lack the infrastructure or regulation to secure or enforce. Given what we already know, what does this recent history of attacks tell us?

Polish Banks
The recent series of targeted malware attacks against Polish banks was identified in January this year, but attackers went after the data, not money. After noticing unusual network activity, like traffic to “exotic” locations and encrypted executables that nobody knew of, and unauthorised files on key machines in the network, several commercial banks confirmed malware infections. Investigations revealed infection stemmed from a tampered JS file from the webserver of the Polish financial sector regulatory body.  This was actually part of a wider campaign that has gone after financial institutions in over 30 countries.  According to researchers from both BAE Systems and Symantec, the malware used in Poland can be linked to similar attacks around the globe, and there are marked similarities to tools used by the cybercrime group Lazarus, although no confirmation has been made.  Targets were led to compromised sites of interest to them, watering holes, which were malicious sites that injected code and directed the targets to a customized exploit kit.  This kit contained exploits against known vulnerabilities in Flash Player and Silverlight. What’s interesting is that the exploits were only activated for certain visitors: those with IP addresses from specific ranges. Per Symantec, “The IP addresses belong to 104 different organizations located in 31 different countries … The vast majority of these organizations are banks, with a small number of telecoms and internet firms on the list.” 15 of these are from the US.  The infection downloaded enables recon on the compromised system. Again, this tool is similar to those used in past by the Lazarus group. Now every major security group has published their opinions and analysis on what was originally all but overlooked as some malware that spread from the regulatory body’s server.

Fileless Malware Attacks
In January of this year, there were reports around the globe of attacks on banks using fileless malware. The malware resided solely in the memory of compromised systems.  This is not signature based malware that can be referenced and detected. According to Kaspersky, 140 enterprises in 40 countries have been hit. And forensics cannot help us:

“ memory forensics is becoming critical to the analysis of malware and its functions. In these particular incidents, the attackers used every conceivable anti-forensic technique; demonstrating how no malware files are needed for the successful exfiltration of data from a network, and how the use of legitimate and open source utilities makes attribution almost impossible.” 

But the infections are hard to identify so that number could well be more.  Further complicating things is the use of legitimate and widely used sysadmin and security tools  like PowerShell, Metasploit and Mimikatz for malware injection. In a range of incidents, the common denominator seems to be embedding PowerShell in the registry to download Meterpreter. From there, the attack is carried out using the native Windows utilities and sysadmin tools. Per Kaspersky:

fileless1fileless2

The new fileless malware hitting banks is Duqu 2.0, which Kaspersky found on it corporate network in 2014, but only after it went undetected for 6 months because it lives almost completely in the memory of the computers. Duqu 2.0 is derived from Stuxnet. The malware renames itself when an infected computer is rebooted so digital forensics has a tough time finding traces. The calling card seems to be the unusual embedding of PowerShell into the registry to download Meterpreter. Duqu 2.0 is derived from Stuxnet. Reports aren’t saying how the malware spreads.

TESCO Bank Attack
In November 2016, Tesco Bank, a British retail bank chain with 7 million customers, warned its customers to watch for suspicious money withdrawals. Unfortunately, when customers who noticed money was missing from their accounts reached out to the bank, many could not get through. Approximately 20,000 accounts were hit. Tesco briefly halted online transactions in response. The attack seemed to stem from a “systemic failure of security around Tesco’s core database”. Recommendations include having controls in place to alert on changes to key files and configurations. As well, file monitoring integrity and Configuration Management Security ensure that if and when changes are made, they are valid and validated.

Take the Money and Run:  COBALT, ATMs and ‘Jackpotting’
There was a distinct rise in ATM attacks over 2016.  The latest siege, Cobalt, covers a wide swath across the UK, Spain, Russia, Romania, the Netherlands, much of Eastern Europe and Malaysia.  According to Group IB researchers, a large number of machines are attacked at once, and Cobalt appears to be linked to cybercrime syndicate Buhtrap.  The malware used causes infected machines to spit out cash in an attacks known as “jackpotting”.  Noteworthy is how this is being described as “the new model of organized crime”.  The FBI issued warnings to US banks following those ATM heists, taking into account the attacks in Taiwan and Thailand, when thieves grabbed over 260,000 pounds from Thailand’s Government savings bank and $2.5 million from Taiwan. The world’s two largest ATM manufacturers, NCR and Diebold Nixdorf, worked to manage the threat.

Lloyd’s Bank Hit by DDoS Attack
In January the venerable Lloyd’s Bank of London was struck by a DDoS attack that lasted two days.  Attackers tried to crash the Lloyd’s site, causing issues for customers and impacting some access to online banking.  The bank did not lose money, nor data, nor was the impact significant.  Law enforcement is investigating.

Attacks on Banks in the SWIFT System
Banks rely on messenger systems to conduct transfers back and forth. In 2016, a series of targeted attacks on banks in the trusted SWIFT messenger system came to light after a massive heist on the Bank of Bangladesh. Apparently the attacks are evolving, and SWIFT has told member bank, in an undisclosed letter from Nov. 2, that “attacks on its systems have only become more sophisticated in their strategies”.  “The threat is very persistent, adaptive and sophisticated – and it is here to stay”.  This is despite the work by regulators globally to toughen bank security measures. And the word is that “a fifth of them are hitting paydirt for the attackers”, per Stephen Gilderdale, head of SWIFT’s Customer Security Programme. Now the hackers exploit tech support software to gain access. Then send victims phony payment instructions via SWIFT network.  SWIFT emphasizes that all those attacks detected “exploited SWIFT interfaces used by its customers” but that the SWIFT communications network itself was not impacted. In light of this, warnings are being issued to small businesses to realize the threat to them is real.  Scams have become more sophisticated and will continue to evolve. 

Sources:

https://badcyber.com/several-polish-banks-hacked-information-stolen-by-unknown-attackers/
https://securelist.com/blog/research/77403/fileless-attacks-against-enterprise-networks/
https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware-0
https://baesystemsai.blogspot.sk/2017/02/lazarus-watering-hole-attacks.html   https://threatpost.com/fileless-memory-based-malware-plagues-140-banks-enterprises/123652/
http://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/?utm_source=organic%20twitter&utm_medium=news&utm_campaign=WLS   http://economictimes.indiatimes.com/industry/banking/finance/banking/indian-banks-are-waking-up-to-a-new-kind-of-cyber-attack/articleshow/56575808.cms
https://www.f-secure.com/documents/996508/1030743/cyber-security-report-2017

My Approach to Threat Intel

In my role at work as a Threat Intel analyst, I track developments using various media feeds, and put together a succinct daily report of several key items that are pertinent to our clients and business lines.  Of course, I share my findings on Twitter and LinkedIn because that’s how the security community flourishes: collaboration. And to say I love what I do would be an understatement.

I don’t pretend to be an expert at what I do, nor will I say I have the definitive definition of what Threat Intel is. There is so much information to capture and analyze, and the learning is continuous. For me, my love of threat intel is in the hunt: looking for trends, patterns, new developments, things that reappear.  If you seek, you will find. There are many ways to search, and I am always trying to learn from people who have been doing this longer. It’s like fine-tuning a guitar, so I’ll always be looking at how to improve what I do.

I have go-to sources I read regularly, people online I follow specifically. My twitter feed is huge and categorized. But if I want to know something right away, it’s usually on there. I also have other sources to check in with directly. I collate information on malware, Advanced Persistent Threats (my most favourite things), specialized systems and their unique vulnerabilities.  This has helped me develop a baseline understanding over the time I’ve been doing this, so that I can understand who the players are when it comes to exploit kits, ransomware or DDoS.  And I try to make sure I know who the experts are, so that when they find something I am paying attention. That’s the head’s up.

When I’ve talked on Blue Teaming with my awesome pal, Haydn Johnson, we refer to the importance of knowing your baseline, watching patterns, so that you can identify anomalies. Those are your threats. That is your head’s up.  I find the same thing here as I track tweets, stories, advisories, reports and blogs.  I look for evolutions in how malware is delivered, so changes in exploit kits, or for kits to disappear from site. That means those kits are going to reappear with a new twist that our standard levels of detection and protection may not recognize, so attackers can access systems. Or, it could mean a larger scale attack, like Carbanak, when a massive crime gang operates on a global level and banks get taken for $1 billion. I play a lot of “what if” because I find I need to think beyond the normal realm to expect the unexpected. After all, the attackers are going where we aren’t looking.

In the weeks to come, I will be trying to bring in more information to widen my search. I’m researching all I can on what experts think best defines Threat Intel and Hunting. Because to really capture what’s out there, we need to broaden our scope.  I want to be looking ahead of the curve in this chase, anticipating their next move based on the wealth of information we have at hand, and factoring in what we know about human behavior. Next gen tech has spawned next gen threats, and as always, the attackers are ahead of us. And here is the thrill of the hunt.

Catch of the Day

Here’s my catch of the day for you: Wednesday Jan 25 2017

Microsoft Closes Security Hole in Mac OS X Remote Desktop App : Microsoft has fixed a serious vulnerability affecting users on Mac OS X.  As reported “The Microsoft remote desktop client for Mac OSx allowed a malicious terminal server to read and write any file in the home directory of the connecting user”. Essentially an attacker could trick users into opening a malicious rdp URL, and then access the user’s home directory. The clincher is that Mac OS X apps eg Safari, Mail, Messages, open clicked rdp URLs by default. No questions asked. And we really, really need that “Mother may I?” here. That means phishing attacks are far more successful. http://www.theregister.co.uk/2017/01/24/microsoft_fixes_remote_desktop_app_mac_hack/

Lloyd’s Bank hit by DDoS Attack:  On January 11th, the venerable Lloyd’s Bank of London was struck by a DDoS attack that lasted until Friday January 13th.  Attackers tried to crash the Lloyd’s site, causing issues for customers and impacting some access to online banking.  The bank did not lose money, nor data, nor was the impact significant.  Law enforcement is investigating.  We know there are more to come. Banks & DDoS hmmm
http://news.softpedia.com/news/lloyds-bank-hit-with-ddos-attack-for-three-days-straight-reasons-yet-unknown-512114.shtml

What’s New Yahoo?:  From our “This should come as no surprise” department.  Yahoo has announced its forthcoming sale will be delayed – awww – and completed in the second quarter of this year, not the first.  After the two mega breaches which were reported in the last half of 2016, public confidence dropped. While that is as it should be, it is interesting that although search revenue fell slightly, revenue in other sectors grew and the company reported a $162 million profit.   http://www.bbc.com/news/business-38725812

Benevolent Hackers Warns Users of Cassandra Databases: If you are following the crazy number of ransomware attacks on databases, then you know it ain’t just Mongo. Cassandra users are being alerted via an empty table named “your_db_is_not_secure“. And if you ask Shodan, over 2600 of these databases are open and unsecured.  Some good folks are hard at work tracking and reporting details, like @0xDUDE and @DunningKrugerEffect.

victor3

Databases & Ransomware

mongo

This is what led out of the starting gate for 2017.  A heap of MongoDB databases being pillaged by ransomware attacks. Reports were that one quarter of all those servers with MongoDBs on them (99,000 known instances) had been hit.  According to the tally being kept, the numbers rose from 2000 on January 3 to 8, 542 on January 5. By January 9, the total was over 27,000. And the numbers were rising at unprecedented rates. (image from ZDNet article Jan 9 2016)

MongoDB is wildly popular, but given my observations, it has a less than stellar track record when it comes to security. There have been some major instances cited over the past year.  In this case, the reason was not some code vulnerability but a human one. The attacks were due to an abundant lack of security: admin accounts with no password protection; outdate patches; bad attitude. These databases were pretty much left wide open on the internet. And it’s easy to get plucked when you make yourself low-hanging fruit for attackers.

Then, a few days later, there were reports that attacks had moved onto Elasticsearch clusters.  Elasticsearch is a poplar Java-based search engine used in enterprise environments. It’s good for things like log collection, data analytics, visualization.  Now those clusters were being wiped, with the count 600 as of January 13.  Again, these targets were unprotected and open to the internet. According to write ups by Catalin Cimpanu on Bleeping Computer, the attacks quickly moved onto other database servers. https://www.bleepingcomputer.com/news/security/database-ransom-attacks-hit-couchdb-and-hadoop-servers/

https://www.bleepingcomputer.com/news/security/mongodb-hijackers-move-on-to-elasticsearch-servers/

“For the past week, unknown groups of cyber-criminals have taken control of and wiped data from CouchDB and Hadoop databases, in some cases asking for a ransom fee to return the stolen files, but in some cases, destroying data just for fun.These incidents come after crooks hijacked and held data ransom from MongoDB databases since the start of the year.Security experts that have witnessed the first wave of attacks against MongoDB servers predicted that other database servers would be hit as well.A week after the initial attacks on MongoDB, ElasticSearch clusters were also hit. At the time of writing, over 34,000 MongoDB servers and 4,600 ElasticSearch clusters have been held for ransom.”

victor

Researchers within our security community, like Victor Gevers, Niall Merrigan, @sudosev and more,  have been following and reporting on this trend.  When I asked him his thoughts, Victor said “it always gets worse before we see a (re)action”. On his Twitter feed, Victor replied to this comment, which pretty much sums things up. Niall has been actively reporting on the situation, and updating the MondoDBs to 40,000 and Elasticsearch to 5000. As well, he commented on the trend for data to not be returned citing it as”ransack ware”.

Databases were being wiped then replaced with an empty one labeled “Wrning. PWNED”. Point taken. Wiped meaning the data was not left there and encrypted. It was gone. Although if you paid the fee, you could have it restored. But is that a chance you’re willing to take? If you leave the front door open, how likely are you to have backups? In an analysis of what went wrong, referencing the ongoing battles with Shadow IT, Tony Baer made these recommendations on what needs to be done right in his piece on ZDNet http://www.zdnet.com/article/should-the-cloud-close-the-front-door-to-the-database/ :

Looking at the recent MongoDB hacks, you need to take the basic measures that might otherwise be taken for granted. And just as you would with on-premise systems, you’ll need to enforce full “AAA” (authentication, authorization, and accounting) to guard entry. Then, of course, there is the basic hardening of the instances, going down to securing and patching the operating system, ensuring only the right people access the management console, and so on. That means all communications — and we mean all — between client, administrator interface, and the cloud target must be strongly encrypted all the way down to passwords and keys.

This past week, we’ve watched the trend ingest Hadoop, Couch and Cassandra. Hadoop is a major concern, given its prominence in many major organizations, including financial institutions.  Victor reported to Bleeping Computer that the attacks on Hadoop, of which there are about 5400 known instances, looked more like vandalism as no ransom demands were being made.  They had started  January 12, with  “an unknown attacker going by the name of NODATA4U has been accessing Hadoop data stores, wiping data, and replacing all tables with an entry named “NODATA4U_SECUREYOURSHIT.” The attacks on Couch, however, were definitely monetary. A group of attackers, known as “r3l4x” may have been exporting the data or deleting it. Victor and Niall have put together spreadsheets to track the attacks. Other researchers who have joined to help are Bob Diachenko from the MacKeeper Security Research Center, Matt Bromiley from 505Forensics, and Dylan Katz from GitPrime.  Hadoop Sheet:  https://docs.google.com/spreadsheets/d/18-zmpzp87TX9oIbLwChJ3Fn0ldCGysSm-aoje_VvSSc/edit#gid=0

Couchdb Sheet: https://docs.google.com/spreadsheets/d/1iO8nINe1Ia2s40byeOj8BRiXZMpiBkKGJR5AuV7EExY/edit#gid=0

This raises more issues than just those about securing the humans. Consider it an overdue cautionary tale of a long-standing problem that was ripe for exploitation. Now – how many more of these are we aware of, festering within our realms? As everything moves to the cloud, we need to consider security procedures must be adapted to that environment. Cloud may be “somebody else’s server” but it gets complicated fast when you start taking it apart, bit by bit. There are layers of software over hypervisors, sometimes involving third party managed support. Determine where data is stored because of privacy regulations. How close are dev and prod environments, and how clean is that demarcation? Oh yes, I’ve been learning from some cloud security audits. You need to ask the right questions to get the right answers, and we like to operate from assumptions. My bottom line here is that as big data gets bigger, and the cloud surface continues to expand, we need to get more than just the basics right. Or we’ll keep growing orchards of low-hanging fruit.

 

 

CyberSec for Everyone

I was recently asked to speak with Mansoor Tamweer, a reporter with Ryerson University here, about what the public should know as a general overview on Cybersecurity.  For me, it’s a privilege to be asked, and my calling to help others.

I don’t come from a traditional technical background. Infact, as I’ve often shared, I really didn’t think I could learn “tech”.  Until I sat down and took apart a computer and discovered the fun of learning hands on. That morphed quickly into becoming a software junkie. Back in the day when software suites were the thing: Lotus, WordPerfect, Microsoft. Like Pokemons, I had to catch ’em all.  Again though, learning for myself dispelled my old fears and hesitations. Instead, I understood things at a more user-based level, and was able to to explain “how” and “why” to non-technical people, equipping them with not just the skills but the confidence in themselves to try on their own. This is my biggest win. And I’ll keep doing that as I learn more, because everyone needs to know. We own our own security.

The recent ransomware attacks on Canadian universities prompted the call to me, because I had spoken with the Ottawa Citizen about a ransomware attack on Carleton about a month ago. Credit where credit is due: the information I share comes via others in our security community who really are the experts on malware, ransomware, threat intel, securing systems etc. I learn from them, then try to make the awareness and understanding happen for a broader base.   Imagine that we, the security folks, are the tip of the iceberg. We know and understand a lot. But everyone knows the mass of the icerberg is submerged. Like 95% of it. To me, those are the end users. The non-technical folks who trust in the products and services they buy. And who need us, more than ever. My theory is that if we can help those people do one or two basic security things better, then we may flip this table in our favour. Like a numbers game. You know the adage “Teach a man to fish, and he’ll eat for the rest of his life”. When I explain things to friends and neighbours, they want to learn. They’re scared, intimidated, but they want to protect themselves, their families, their homes. We can make that happen.

There is lots of FUD – fear, uncertainty, doom – being peddled. And the ubiquitous images of hackers hunched over keyboards in black hoodies. Clarification: hackers aren’t all bad guys. There are way more good guys, striving to learn things nobody else can, to improve things nobody else will. My hoodies are purple and red, and hunching is bad for my back. I’m not a “1337” or elite hacker – I’m still shiny new to this realm by many standards. But I’m learning the skills to understand how to protect based on how to attack. Break. Fix. Break again. We’re hackers – that’s what we do. And you need us to do this. How else are you going to know where your weak spots are?  Really, your best offence will be a solid defence because attackers go after the low-hanging fruit. They move on if there is anything in the way. That’s where teaching basic security at a level everyone can do comes in. And I know we will have to keep trying – this isn’t going to be easy. People are resistant to change, hesitant to learn new things. But if you are persistent, it will happen.

signbunny

Tameer was a great host, and I really enjoyed talking about security with him. One thing asked was if there were places for people to go and get a basic understanding of security. I said he could start here with my site. I am trying to make it a resource, a one-stop or a first-stop, for people at all levels. I’ll make sure I regularly feature security for beginners in this blog area as well as a resource page. Since we need to learn to walk before we run, what are the basics? Here’s my quick list:

1. Passwords. Do this right. It really is your first line of defense and a deterrent to the attackers. They will move on. There are rules, and passwords only work if you follow these rules: do not share your password; do not use the same password across multiple accounts; when you buy something, change the default password it comes with. And if you feel overwhelmed by trying to manage all your passwords, consider using a password manager like LastPass. I’m not endorsing anything but just giving you a starting point. Jessy Irwin, @jessysaurusrex on Twitter is a fantastic and funny resource on security for us all. Follow her.

2. Wifi. If you like using free wifi, or wifi hotspots, please do not believe those are safe. You need to surf protected, with a shield around you. This shield is called a VPN. A Virtual Private Network. You can get some for free that will buy you a few hours of security at a time or you can spend about $5 a month and get something really good. Why do you need it? When you go online, your IP address is visible to anyone. They can track you, mislead you, and attack you. A VPN switches your IP address which throws an attacker off your scent. You can go online without them knowing where exactly or who exactly you are. I use PIA Private Internet Access for my VPN if that helps.  And I use this on my cell phone. Easy to set up. No more excuses ok?

3. AntiVirus. It isn’t a silver bullet but it will catch things and help protect you. There are loads of free versions. At the bare minimum, you can use the one that comes with Windows. And i use it on all my devices. Avast is good. ESET. And if you want to spend more for extra protections, go ahead. Monitor all the connections. friends

4. Think before you click. Everyone has heard about phishing and ransomware. Yes. People send you stuff with attachments or links. You click it and “boom”!  But even the smartest people can be fooled. You can test that link before you click it to make sure it really is legit. You can enter the url or link info here: http://scanurl.net/.    As for that attachment, you can use you AV to scan it first.  This article by Lifewire has lots more info to help.

5. Backups. Set yourself up with backups. And multiple ones. Keep one off your network because your network gets contaminated. And when you get hit by ransomware, or malware, you have something to restore from. All your files are not lost forever. You won’t be held in some attacker’s grip.

6. Encryption. That sounds pretty technical for some. But the fact is, if you are using any mobile device, you need to encrypt the hard drive, or set up a passcode to lock the screen. Do you have any idea how many breaches have been caused by laptops stolen from cars or desks that were not encrypted? Windows will walk you through encrypting your own hard drive. And at the very least, secure your lock screen on your phone or tablet.  Those SMS messages we love to send? Texting. That is out in the wide open for everyone to access. You can use a secure encrypted messaging system that is just as easy and free. Signal. WhatsApp. Wire. Download. Set up your username and password. Done. No more prying eyes.

The interview with Tameer airs on January 23 on The Scope, Ryerson’s radio station. Thanks so much for the opportunity to share what I know. Stay safe!