Happy New Year 2018 – Let the Dumpster Fires Begin

Just three days into 2018, two massive security warnings were issued for Meltdown and Spectre. About those names: for an industry that claims to hate FUD, we need to work on this. But all kidding aside, these are perhaps the biggest inherent vulnerabilities to be brought to light that I am aware of, and for good reason. When almost every device we use in our online and connected lives contains the problem at hand, it’s a top-tier event. Rather than jump on the “sky is falling” bandwagon, I chose to wait things out and read all that I could. There are far more experienced and knowledgeable people who have been weighing in on this from the start, and I will share links to their excellent insights and explanations. Also, as the dust settles we can see things more clearly, which is very relevant when dealing with a situation as massive and impactful as this. More details become available; facts are verified; information about what to do is tested and shared. That is worth waiting for, given that there was no immediate fix, and panic is never a solution.

Here is the simplest breakdown of what both are, by Daniel Miessler. What everyone is worried about is that both of these enable attackers to access information and processes that we had all thought were inherently secured, like the private keys we use to protect our data. Daniel lays it all out here:

Both Meltdown and Spectre allow low-privilege users who execute code on your system to read sensitive information from memory via Speculative Execution. The basic concept for these two attacks is that you should consider secrets to be attackable any place you’re allowing someone else’s code to run on an affected system.

In Meltdown that means “any secret a computer is protecting (even in the kernel) is available to any user able to execute code on the system.” (Miessler) Spectre is worse in that it “works by tricking processors into executing instructions they should not have been able to, granting access to sensitive information in other applications’ memory space.” (Miessler)

What I have been listening for is how this may impact cloud computing, which we only think we understand, and which we need to remember is just somebody else’s server. Jerry Bell has written a piece on his blog, “Thoughts on Cloud Computing in the Wake of Meltdown”. He happens to be one of my go-to sources, as one half of the Dynamic Duo on the Defensive Security Podcast. First, the good news. As managed service providers running largely out of datacenters, these operations will likely have been told to patch ahead of most, and will have done so in the best interests of running their business. As well, since datacenters are large organizations managing many clients, they will be using automation to help the patching process. And patching is complicated, especially when it comes to critical issues like these.

And that brings us to the not so good news. Patching virtual machines isn’t always straightforward or successful.


As Jerry presents:

Meltdown provided an apparent possibility for a guest in one virtual machine to read the memory of a different virtual machine running on the same physical server. This is a threat that doesn’t exist on private servers, or is much less concerning for private cloud. This vulnerability existed for many years.

And then there are performance issues. Interestingly, as Jerry points out, these are not as hard to mitigate on cloud as they would be on physical servers.

One of the big downsides to cloud therefore, seems to be the risk of a sudden change in the operating environment that results in higher cloud service costs. As problematic as that might be, firing an API to increase the execution cap or add CPUs to a cloud server is logistically much simpler than private physical servers experiencing the same performance hit and needing to be replaced, which requires the arduous process of obtaining approval for a new server, placing the order, waiting, racking, cabling, set up, and so on.

Based on this, and what has been occurring across 2016 and 2017, I predict we will see more of these events where something we did in the past comes back to “haunt” us, from a time when we had no idea of how technology would develop. We are now uncovering what lies beneath the surface of the frameworks we rely on, which others laid down before us. Simon Segars is CEO of ARM Holdings, which designs mobile chips. He warned at CES 2018 in Vegas last week that we need to expect more of these discoveries. He states one of my chief concerns here:

“The reality is there are probably other things out there like it that have been deemed safe for years… Somebody whose mind is sufficiently warped toward thinking about security threats may find other ways to exploit systems which had otherwise been considered completely safe.”

Unfortunately, in this case we don’t know what we don’t know, so we need to be prepared for similar discoveries. More importantly, we need to be ready to assess, then share the information in a controlled and constructive fashion while we mobilize immediate and long-term responses to the event. My watchword now is “prudence”, both in terms of patching, and then in terms of vigilance as we watch over all our systems with new eyes and insights. Haste makes waste. As time has borne out, and is proving once again, patches can go sideways very badly. Whether you brick a device or you brick an enterprise, both outcomes are severe.

UPDATE ON PATCHES

Per Steve Ragan’s piece in CSO Online, Microsoft has suspended Windows security updates related to this issue on systems with older AMD CPUs, after a documentation mix-up led to the systems being unable to boot after patches were applied.

In order to “prevent AMD customers from getting into an unbootable state,” Microsoft has temporarily paused sending the following Windows updates to devices with impacted AMD processors:

  • January 3, 2018—KB4056897 (Security-only update)
  • January 9, 2018—KB4056894 (Monthly Rollup)
  • January 3, 2018—KB4056888 (OS Build 10586.1356)
  • January 3, 2018—KB4056892 (OS Build 16299.192)
  • January 3, 2018—KB4056891 (OS Build 15063.850)
  • January 3, 2018—KB4056890 (OS Build 14393.2007)
  • January 3, 2018—KB4056898 (Security-only update)
  • January 3, 2018—KB4056893 (OS Build 10240.17735)
  • January 9, 2018—KB4056895 (Monthly Rollup)


There are some excellent writeups out there. Here are some suggestions:

https://www.csoonline.com/article/3245770/security/spectre-and-meltdown-what-you-need-to-know-going-forward.html

https://blog.malwarebytes.com/security-world/2018/01/meltdown-and-spectre-what-you-need-to-know/

https://www.renditioninfosec.com/2018/01/meltdown-and-spectre-vulnerability-slides/

https://infosec.engineering/thoughts-on-cloud-computing-in-the-wake-of-meltdown/


My First Keynote: Lookout S(h)ecurity Bootcamp Toronto

Lookout Security in Toronto is hosting an exciting event on January 12, 2018 for women who are interested in cybersecurity and currently in the tech field. I am honoured to have been asked to be the keynote speaker at this event. This will be my first keynote! I love that this happens with something I really care about: encouraging women in tech, specifically in cybersecurity.

This is what it’s all about. Encourage learning, growth and opportunity. Events like these grow far beyond the one day they are held, as I can attest from my work with The Diana Initiative. Friendships form, bonds are made, contacts and networking happen. It’s all good!

This is going to be a fantastic and fun day of learning. You had me at reverse engineering! What a great opportunity. Thank you Lookout!

The ABC’s of APTs: Shamoon

Welcome to the grey zone where politics and cyber meet. APT, or advanced persistent threat, is one of my favourite acronyms (but then you know how intrigued I am by Stuxnet and cartels), and APTs are essentially how nation states get their digital digs at each other. Usually the intention is to get information, because knowledge is power. Cyberespionage can give a competing nation a real competitive advantage in the world economy, among other things. But sometimes there is a need to control more, and that is where weaponizing code takes on a whole new nasty.

The keyword here is “persistence.” First, attackers must find their way into the networks of the target. Usually, they employ targeted spear phishing, painstakingly staking out the right victim to receive that loaded email. The investment of time and money at this point is essential, so as not to tip anyone off. The emails are crafted so carefully, picking up on points tailored to that recipient, that they will open it and launch the attachment that creates an entry point for the attacker. There is a reason why phishing is at the heart of so many breaches.

Now, imagine a video game, where you must progressively meet the challenges of each level to go higher. That is the attacker moving through the network, acquiring credentials to gain access to the crown jewels. The strategy is to find someone lower level, then work your way up. Hence persistence, because this is an investment of both time and patience. Expect the key executives or decision makers to be well guarded, with access and authorization controls in place. Not so for someone lower on the food chain. All an attacker needs is to gain access. As proven repeatedly, once in, they can take all the time they need to find what they want. Case in point: the attack on the Ukrainian power grid in December 2016. The attackers were in that system for over nine months, collecting what they needed, notably credentials for the Virtual Private Network, which enabled them to jump the security gap onto the restricted side. As Stuxnet taught us, there is no such thing as air-gapped security.


We know the Russians hacked the US; we know China hacked the US and Canada; and yes, the US has hacked someone too. These are the games nations play. The trick, of course, is not to get caught before you have the prize. And when you do get caught? Well, as we’ve seen play out, nothing really bad happens. Just expect that your victim will be in your systems. Unless information isn’t the endgame and control is. Then, be prepared for something to go bump in the night.

Shamoon is devastating wiper malware that took out a massive swath of Saudi Aramco when it first debuted in 2012. Linked to Iran, and to an ongoing feud in the region between key players, it was a targeted attack against the oil giant, damaging or destroying 35,000 computers. Secretary of Defense at the time, Leon Panetta, described it as “probably the most destructive cyber attack on a business.”

Wiper malware was used against business targets in December 2014, destroying the systems in a Vegas casino, The Sands, after owner Sheldon Adelson advocated using nuclear weapons against Iran. The US “publicly cited Iran as the culprit”. Then Disttrack was used again in December 2015, in the attack that brought Sony to its knees. These aren’t gangs using cybercrime for monetary gain. These are the equivalent of acts of war, given the level of damage done.

Fast forward to late 2016. Two major attacks happened in Saudi Arabia: November 17, taking out systems at the airport and other Saudi government agencies, and then again on November 29. Then, on January 23, there was another attack. The malware used was almost identical to the original Shamoon, aka Disttrack, except for a few key enhancements. According to Andrew Plato, CEO of Anitian Enterprise Security:

“What is really worrisome about this is it’s just outright destructive. It isn’t really trying to steal anything. It’s the closest thing we’re going to get to a cyber bomb.”

The new version, dubbed Shamoon 2, spread through the local network using legitimate accounts belonging to users and administrators, with complex passwords likely obtained from an earlier attack. Remember what I said about persistence? This new version, however, went on to attack VDIs, or Virtual Desktops, which previously could have offered some protection because of their ability to load snapshots of systems that were wiped. Now Shamoon had migrated from just Windows-based systems to Linux in the attacks on VDIs.


Now, I don’t want to be alarmist and spread FUD everywhere. Yes, this is serious and destructive. Like Stuxnet, it broke things. And that’s the differentiator. So far, the line hasn’t been crossed where breaking things was deliberately done to harm people. Because as Archer would say: You want cyberwar? Because that’s how you get cyberwar.

While the expectation is that Iran is once again behind the attacks, Symantec has revealed there are multiple parties involved. More than one entity means collaboration and cooperation. The report is that an entity known as Greenbug may have assisted in getting the credentials needed for access. Palo Alto reported on a campaign known as Magic Hound which targeted energy, technology and government organizations with ties or locations in Saudi Arabia. There were links between Magic Hound and two other actors with Iranian ties: Charming Kitten and Rocket Kitten. Finally, putting all this together was the group Timberworm, or Cobalt Gypsy. Per Symantec, Timberworm was behind the January 23 attacks.

Here’s the play by play. First, Timberworm used spear phishing emails with weaponized documents (we warned you about those Office macros!) to gain initial access into the network. Once there, they used custom malware, along with existing sysadmin tools to avoid detection, to achieve persistent remote access. Quick FYI: custom malware is a hallmark of major organized cybercrime groups or nation state attacks, because it costs a lot of time and money to craft, and the stakes are going to be very high.

Apparently Greenbug and Timberworm have been active, penetrating organizations beyond Saudi Arabia. Note that Shamoon, however, was only used against the Saudi target. Timberworm is a large operation, as is Greenbug, with targets in a range of areas. We know who they are now, what they can do, and that they have a shared interest. What we don’t know: the endgame. I’m waiting for that other shoe to drop.

http://www.zerohedge.com/news/2016-12-01/another-false-flag-destructive-iranian-hackers-allegedly-wreak-havoc-saudi-computer-

http://www.securityweek.com/shamoon-2-variant-targets-virtualization-products

http://www.securityweek.com/multiple-groups-cooperated-shamoon-attacks-Symantec

http://www.archersecuritygroup.com/second-wave-bomb-malware-hits-saudi-arabia/

My Approach to Threat Intel

In my role at work as a Threat Intel analyst, I track developments using various media feeds, and put together a succinct daily report of several key items that are pertinent to our clients and business lines. Of course, I share my findings on Twitter and LinkedIn because that’s how the security community flourishes: collaboration. And to say I love what I do would be an understatement.

I don’t pretend to be an expert at what I do, nor will I say I have the definitive definition of what Threat Intel is. There is so much information to capture and analyze, and the learning is continuous. For me, the love of threat intel is in the hunt: looking for trends, patterns, new developments, things that reappear. If you seek, you will find. There are many ways to search, and I am always trying to learn from people who have been doing this longer. It’s like fine-tuning a guitar, so I’ll always be looking at how to improve what I do.

I have go-to sources I read regularly, and people online I follow specifically. My Twitter feed is huge and categorized. If I want to know something right away, it’s usually on there. I also have other sources to check in with directly. I collate information on malware, Advanced Persistent Threats (my most favourite things), specialized systems and their unique vulnerabilities. This has helped me develop a baseline understanding over the time I’ve been doing this, so that I can understand who the players are when it comes to exploit kits, ransomware or DDoS. And I try to make sure I know who the experts are, so that when they find something I am paying attention. That’s the heads-up.

When I’ve talked on Blue Teaming with my awesome pal, Haydn Johnson, we refer to the importance of knowing your baseline and watching patterns, so that you can identify anomalies. Those are your threats. That is your heads-up. I find the same thing here as I track tweets, stories, advisories, reports and blogs. I look for evolutions in how malware is delivered, so changes in exploit kits, or kits disappearing from sight. That means those kits are going to reappear with a new twist that our standard levels of detection and protection may not recognize, so attackers can access systems. Or it could mean a larger scale attack, like Carbanak, when a massive crime gang operates on a global level and banks get taken for $1 billion. I play a lot of “what if” because I find I need to think beyond the normal realm to expect the unexpected. After all, the attackers are going where we aren’t looking.

In the weeks to come, I will be trying to bring in more information to widen my search. I’m researching all I can on what experts think best defines Threat Intel and Hunting, because to really capture what’s out there, we need to broaden our scope. I want to be looking ahead of the curve in this chase, anticipating their next move based on the wealth of information we have at hand, and factoring in what we know about human behavior. Next gen tech has spawned next gen threats, and as always, the attackers are ahead of us. And here is the thrill of the hunt.

CyberSec for Everyone

I was recently asked to speak with Mansoor Tamweer, a reporter with Ryerson University here, about what the public should know as a general overview on cybersecurity. For me, it’s a privilege to be asked, and my calling to help others.

I don’t come from a traditional technical background. In fact, as I’ve often shared, I really didn’t think I could learn “tech”. Until I sat down and took apart a computer and discovered the fun of learning hands on. That morphed quickly into becoming a software junkie, back in the day when software suites were the thing: Lotus, WordPerfect, Microsoft. Like Pokémon, I had to catch ’em all. Again though, learning for myself dispelled my old fears and hesitations. Instead, I understood things at a more user-based level, and was able to explain “how” and “why” to non-technical people, equipping them with not just the skills but the confidence in themselves to try on their own. This is my biggest win. And I’ll keep doing that as I learn more, because everyone needs to know. We own our own security.

The recent ransomware attacks on Canadian universities prompted the call to me, because I had spoken with the Ottawa Citizen about a ransomware attack on Carleton about a month ago. Credit where credit is due: the information I share comes via others in our security community who really are the experts on malware, ransomware, threat intel, securing systems etc. I learn from them, then try to make the awareness and understanding happen for a broader base. Imagine that we, the security folks, are the tip of the iceberg. We know and understand a lot. But everyone knows the mass of the iceberg is submerged. Like 95% of it. To me, those are the end users. The non-technical folks who trust in the products and services they buy. And who need us, more than ever. My theory is that if we can help those people do one or two basic security things better, then we may flip this table in our favour. Like a numbers game. You know the adage “Teach a man to fish, and he’ll eat for the rest of his life”. When I explain things to friends and neighbours, they want to learn. They’re scared, intimidated, but they want to protect themselves, their families, their homes. We can make that happen.

There is lots of FUD – fear, uncertainty, doom – being peddled. And the ubiquitous images of hackers hunched over keyboards in black hoodies. Clarification: hackers aren’t all bad guys. There are way more good guys, striving to learn things nobody else can, to improve things nobody else will. My hoodies are purple and red, and hunching is bad for my back. I’m not a “1337” or elite hacker – I’m still shiny new to this realm by many standards. But I’m learning the skills to understand how to protect based on how to attack. Break. Fix. Break again. We’re hackers – that’s what we do. And you need us to do this. How else are you going to know where your weak spots are? Really, your best offence will be a solid defence, because attackers go after the low-hanging fruit. They move on if there is anything in the way. That’s where teaching basic security at a level everyone can do comes in. And I know we will have to keep trying – this isn’t going to be easy. People are resistant to change, hesitant to learn new things. But if you are persistent, it will happen.


Tamweer was a great host, and I really enjoyed talking about security with him. One thing he asked was whether there were places for people to go and get a basic understanding of security. I said he could start here with my site. I am trying to make it a resource, a one-stop or a first-stop, for people at all levels. I’ll make sure I regularly feature security for beginners in this blog area as well as on a resource page. Since we need to learn to walk before we run, what are the basics? Here’s my quick list:

1. Passwords. Do this right. It really is your first line of defense and a deterrent to the attackers. They will move on. There are rules, and passwords only work if you follow these rules: do not share your password; do not use the same password across multiple accounts; when you buy something, change the default password it comes with. And if you feel overwhelmed by trying to manage all your passwords, consider using a password manager like LastPass. I’m not endorsing anything, just giving you a starting point. Jessy Irwin, @jessysaurusrex on Twitter, is a fantastic and funny resource on security for us all. Follow her.

2. Wifi. If you like using free wifi, or wifi hotspots, please do not believe those are safe. You need to surf protected, with a shield around you. This shield is called a VPN, a Virtual Private Network. You can get some for free that will buy you a few hours of security at a time, or you can spend about $5 a month and get something really good. Why do you need it? When you go online, your IP address is visible to anyone. They can track you, mislead you, and attack you. A VPN switches your IP address, which throws an attacker off your scent. You can go online without them knowing where exactly or who exactly you are. I use PIA (Private Internet Access) for my VPN, if that helps. And I use this on my cell phone. Easy to set up. No more excuses, ok?

3. AntiVirus. It isn’t a silver bullet, but it will catch things and help protect you. There are loads of free versions. At the bare minimum, you can use the one that comes with Windows. And I use it on all my devices. Avast is good. ESET. And if you want to spend more for extra protections, go ahead. Monitor all your connections.

4. Think before you click. Everyone has heard about phishing and ransomware. Yes. People send you stuff with attachments or links. You click it and “boom”! Even the smartest people can be fooled. You can test that link before you click it to make sure it really is legit. You can enter the URL or link info here: http://scanurl.net/. As for that attachment, you can use your AV to scan it first. This article by Lifewire has lots more info to help.

5. Backups. Set yourself up with backups. And multiple ones. Keep one off your network, because your network can get contaminated. Then when you get hit by ransomware or malware, you have something to restore from. All your files are not lost forever. You won’t be held in some attacker’s grip.

6. Encryption. That sounds pretty technical to some. But the fact is, if you are using any mobile device, you need to encrypt the hard drive, and set up a passcode to lock the screen. Do you have any idea how many breaches have been caused by unencrypted laptops stolen from cars or desks? Windows will walk you through encrypting your own hard drive. And at the very least, secure your lock screen on your phone or tablet. Those SMS messages we love to send? Texting. That is out in the wide open for everyone to access. You can use a secure encrypted messaging system that is just as easy and free. Signal. WhatsApp. Wire. Download. Set up your username and password. Done. No more prying eyes.

The interview with Tamweer airs on January 23 on The Scope, Ryerson’s radio station. Thanks so much for the opportunity to share what I know. Stay safe!

Yes Virginia, Dreams Really Do Come True!


Sorry to have neglected you this past while. Big changes have happened. But that’s a good thing. A really good thing. And something I hope to carry forward.

You may have heard about the lack of talent in cyber security. And the lack of women in tech. And the resulting lack of women in cyber security. I am thrilled to tell you that I have now changed that statistic by one.

Yes Virginia, dreams really do come true. Because I was offered the role of my life. My dream job.

I now do Threat Intel with the cyber security team at KPMG. As a cyber security consultant.

Repeat after me:

OMG! OMG! OMG! Now breathe. (That really was fun, wasn’t it!)

Now I can stay up all night, every night, looking for cyber boogeymen and playing what-if til I can’t keep my eyes open. And people actually want to know about what I find. Oh, holy cow – it is amazing!

I have to learn more about all. the. things. Which is fantastic because I like all the things. Networks. SCADA ICS. Mainframes. Web Application Firewalls. And of course my 3 favourite letters: APT or Advanced Persistent Threat. Because the biggie of all those, Stuxnet, is what led me here in the first place. I get to work with amazing people whose knowledge and skill just inspires me every day to do more. We plan and build and evaluate things most people have no idea about, but that will actually make the world a better and safer place for everyone. And that is the realization of one of many childhood dreams. I still haven’t walked onto a Starfleet Enterprise class ship yet, but believe me, this is what it would feel like.

And this is where I tell you the really good stuff. That you have it in you to make your version of this happen. I stopped listening when people told me “you can’t do that” or “you got that all wrong” or “maybe you’d be better at…”. I listened to that voice inside me, that passion pushing me further even when it seemed impossible. Even when I couldn’t understand it the first time, or someone said no, and said no again. Because something inside of me wouldn’t let it go. I loved it too much. Listen to that piece of you that won’t let go. Find that thing you love enough to fight for it – and fight. You deserve the sweetness of this victory. And oh, if it can happen for someone like me without all the proper degrees and traditional routes, then it can happen for you. Believe.

So come along and join me for my next incredible, amazing adventure. I’m only just getting started!

(Necessary Disclaimer bit that all these posts are my own and not my employer’s)

Back it up! Back it UP!

Because today is World Backup Day – A cautionary tale and my little take on “Shake It Off” by Taylor Swift

I left it too late
Got nothing on my plate
That’s what my disk drive says mmm-mmm
That’s what my disk drive says mmm-mmm

Now my files are all gone (sob)
And I know something is wrong
At least that’s what the server says mmm-mmm
That’s what the server says mmm-mmm

So I keep losing
All the work that I was doing
It’s like I got this hole
In my drives
And it’s not gonna be alright

‘Cause the data’s gone away, way, way, way, way
And now it’s way too late, late, late, late, late
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up

Shellshock is gonna bash, bash, bash, bash, bash
And the hackers gonna hack, hack, hack, hack, hack
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up

When we got hacked today
By Ransomware – won’t pay
That’s what they say don’t do mmm-mmm
That’s what they say don’t do mmm-mmm

Get the backups- Let’s restore! (backup and restore)
Is this all- why aren’t there more? (why, why aren’t there more?)
So I tell them I don’t know, mmm-mmm
I tell them I don’t know, mmm-mmm

And we are losing
The work that we’ve been doing
It’s like we got this hole
In the drives
And it’s not gonna be alright

‘Cause the data’s gone away, way, way, way, way
And now it’s way too late, late, late, late, late
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up

Our site is getting hacked, hacked, hacked, hacked, hacked
Our accounts are getting jacked, jacked, jacked, jacked, jacked
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up

Back it up, I’ll back it up
I, I’m gonna back it up, back it up
I, I’m gonna back it up, back it up
I, I’m gonna back it up, back it up

Yeah ohhhh!!!!

Yeah the price we had to pay, pay, pay, pay, pay
But today’s a different day, day, day, day, day
Baby, I’m just gonna save, save, save, save, save
Now I back it up, I back it up

If the hard drive’s gonna crash, crash, crash, crash, crash
Or tornadoes gonna smash, smash, smash, smash, smash
Baby, I’m not gonna cry, cry, cry, cry, cry
Cause I back it up, I BACK IT UP!

You know what you gotta do – go do it!