Quickhits: Monday Dec 18 2018

New attack on Apache Struts: We’ve seen patches issued in March, May and agin this fall for exploits against vulnerabilities in this widespread open source web development  framework used to build JAVA web applications. In this report by F5 labs,  a sophisticated new campaign, “Zealot”, is leveraging ShadowBroker exploits EternalBlue and EternalSynergy.  Zealot is described as a “highly obfuscated and multi-staged attack”, in keeping with these exploits, and utilizes Powershell in Windows attacks, and Python in Linux attacks. Zealot mines the cryptocurrency Moneris, popular amongst cybercriminals.

Potential for Uptick in Iranian-based attacks:  The nuclear deal between Iran and the US seems tenuous at best. There is growing concern that should Trump end things, there will be a corresponding response from Iranian-based hackers. Iranian attacks are state-sponsored, so these won’t be cybercrime cash-grabs, but targeted espionage or worse, damaging attacks against infrastructure, like Shamoon wiperware. And since the attackers do the recon well in advance of the big event, I’d be watching IP addresses and any data exfil carefully.

Banking Trojan Emotet:  There is an increase in banking trojan activity. Malware hunters are sharing reports on new activity for Emotet, which made a resurgence in July this year.  A dedicated group of researchers has been steadily updating and sharing their findings on Pastebin here. 

VirusBulletin and Critical Flaws:  VirusBulletin is a very widely used forum for security analysts to test and share malware or suspect findings. Two researchers claim there are unpatched critical flaws that have yet to be remediated and that VirusBulletin has been advised.







Quickhits: Thursday Dec 14 2018

Attacks on ICS:  FireEye has identified a new targeted attack on ICS. “Triton” is designed to cause physically damage and harm operations. Thanksfully, this latest attack failed, but the lessons and warning are huge. Consider the implications of this against water ppurification plants; nublear power plants; major processing plants that cannot sustain downtime. Triton goes after the SIS or safety implemented system controllers. The FIreEye report describes the malware as follows:

TRITON is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS). It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016. TRITON is consistent with these attacks, in that it could prevent safety mechanisms from executing their intended function, resulting in a physical consequence.


While FireEye cannot attribute the actor, they suggest with some certainty this is the act of a nationstate, they back it up with this statement:

The attacker targeted the SIS suggesting an interest in causing a high-impact attack with physical consequences. This is an attack objective not typically seen from cyber-crime groups.

New Banking APT:  The discovery of a new long term attack on banks was revealed this week.  Dubbed “MoneyTaker”, a report issued by Group-IB Security  details how the group has taken over $11 million across 18 months from over 20 targets in the UK, Russia and US, including banks and legal firms. Dmitry Volkov, co-founder of Group-IB and head of intelligence, stated:

“MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise,” says. “In addition, incidents occur in different regions worldwide and at least one of the US Banks targeted had documents successfully exfiltrated from their networks, twice. Group-IB specialists expect new thefts in the near future.”

The twist here is that MoneyTaker is leveraging pentesting tools like Metasploit, NirCmd, psexec, Mimikatz, Powershell Empire. They used PSExec to propogate across the network, per The Hackernews.   The article reports they are also using Citadel and Kronos banking trojans to deliver a specific point of sale or POS malware known as ScanPOS.

The group has been targetting card processing systems, like the Russian Interbank System AWS CBR and SWIFT which prompted Group-IB to warn that Latin America is a tempting target because of their broad use of STAR. I’ll be writing more about this as a separate piece. Stay tuned.

My First Keynote: Lookout S(h)ecurity Bootcamp Toronto

Lookout Security in Toronto is hosting an exciting event on January 12 2018 for women who are interested in  cybersecurity, and currently in the tech field.  I am honoured to have been asked to be the keynote speaker at this event. This will be my first keynote! I love that this happens with something I really care about: encouraging women in tech, specifically in cybersecurity.

This is what it’s all about.  Encourage learning, growth and opportunity. Events like these grow far beyond the one day they are held, as I can attest from my work with The Diana Initiative. Friendships form, bonds are made, contacts and networking happen. It’s all good!

This is going to be a fantastic and fun day of learning. You had me at reverse engineering! What a great opportunity. Thank you Lookout!

Quickhit: Wednesday Dec. 13

Yesterday was Patch Tuesday. The final Patch Tuesday of 2017. Yay!  Of note: an out-of-band update from MS that was issued a critical flaw in the Malware Protection Engine (yes, part of the Windows Defender and MS Security Essentials. The irony). Read the details in full via Brian Kreb’s site here.  It will roll through automatically via Windows Update, which you SHOULD have enabled. However, those don’t always go through smoothly. I have had some issues with this latest update. Here is the report from when the news came out last week. Critical Flaw in Microsoft’s Malware Protection Engine. Patch Issued.

For those who are still using Flash (because you have no choice) please install the updates and check for updates in your Chrome browser.

Necurs Botnet resumes: November marked a notable uptick in activity with this botnet. Necurs is now distributing Scarab ransomware, and was known for sharing the joy with Locky ransomware and others. Dormant does not mean dead. We need to remember this because it is an ongoing theme, and noticeably during 2017. Case in point will be with the recent takedown of the Andromeda botnet and the expectation that because of code released from the Mirai botnet, something bigger will be forming.

Mirai Botnet Arrests: But there is justice and it does get served. You can read more via Brian Krebs, who has played a major role in bringing this about.

New Variant of Cryptomix Ransomware:  An update on one of the newer strains that are currently active. Remember the rules: Have current backups; don’t open attachments from unknown sources; get confirmation before you open attachments from known sources; scan attachments first. Update your security patches.

Log Files: You Don’t Know What You’ve Got til it’s Gone

Log files. That’s a whole lot of information most people have no idea even exists. But it’s the chronological capture of system events that you are going to need one day, and trust me – you will be so damn glad you have them.

So, two points right now.

  1. Enable logging. Make sure all your devices that have this feature are putting it to work for you. This is how you know what went wrong when something goes wrong. How you find the elephant’s footprints in the peanut butter after there has been an unfortunate incident.
  2. Where possible, make sure logs are backed up and not accessible to everyone. Because bad people happen to good logs. Sorry, I cannot say more. You’ll have to take my word for it.


In my talks on Threat Intel, I reference log files as having a story to tell, if you are listening. Knowing how to use your logs is key to assuming proactive defense posture.

so many logs

Logs are generated by a multitude of sources which can be overwhelming. What do you look at? Where do you start? Automation. There are log viewers and scripts by those who have come before you that will enable you to access and utilize what’s in your log data.

To help you get started, Nasruminallah Zeeshan has written a very good piece for Peerlyst, “How to Build a List of Log Files That You Need to be Inspecting Regularly” that presents the main log files you should know and be inspecting regularly for Windows and Linux. Let me share that here.

Log files in Windows systems

Windows manages and provides an assessment of log files with the help of Event Viewer. The Windows Event Viewer shows logs about application and system messages, errors, information messages, and warnings. You can run the windows event viewer by entering eventvwr.msc into Run box. In the following lines, we are going to list down the necessary log files in windows. You may need to check the following files for improved security, on a daily basis.

  • The %WINDIR%\System32\config or %WINDIR%\System32\winevt\Logs folders contain most of the log files you can see with Event Viewer.
  • The folder %WINDIR%\Logs contains various log files in text format.
  • Microsoft Security Essential stores its Runtime log files in the %PROGRAMDATA%\Microsoft\Microsoft Antimalware\Support folder and Installation log files in the %PROGRAMDATA%\Microsoft\Microsoft Security Client\Support folder.
  • Microsoft Windows system stores temporary installation and Windows defender log files in the %WINDIR%\Temp\*.log and %AppData%\Local\Temp\*.log folders. The first one contains information about MSI installations and Windows Defender scanning log files, and the second folder contains information about MSI installations run by the current user.
  • The %WINDIR%\INF\setupapi.dev.log includes information on plug and play devices and their installation.
  • The %WINDIR%\INF\setupapi.app.log file holds information about application installations.
  • The file %WINDIR%\Performance\Winsat\winsat.log file is composed of information about test results regarding performance.
  • To read Windows update information, the %WINDIR%\WindowsUpdate.log holds information about all events related to Windows Update.
  • To know about software related events and update status reports, focus on the %WINDIR%\SoftwareDistribution\ReportingEvents.log file.
  • To find out changes being made to Windows components and features, you can access the information in the %WINDIR%\Logs\CBS\CBS.log file.

Log files in Linux systems

To keep an eye on log files in Linux, carry out checking activities on a daily basis. As Linux systems contain multiple users, system administrators are advised to keep track of important log files actively. If possible, make a list of log files based on criticality level, and check them accordingly on a routine basis. In the Linux, most log files are stored in /var/log/ directory. To help you make a list of important log files in Linux, considering on picking the ones listed below.

  • The /var/log/messages file contains information about general system activities. The information stored in this file helps you troubleshoot general system errors and messages.
  • The Linux systems use /var/log/auth.log file to save information about authentication matters. This file helps you track activity regarding user authentication, such as failed logins attempts, brute force attacks and other security attack vectors related to user authentication. For the same purpose, the Red Hat and CentOS based systems use /var/log/secure file to track information. It also logs information about sudo and SSH logins.
  • To find out information about system incidents related to shutdown or restarting routines, you can use the /var/log/boot.log file.
  • The Linux systems log hardware devices and their driver information into /var/log/dmesg file. The system logs information to this file during startup, by writing data about device status, hardware errors and other generic messages. If a hardware device is not functioning properly, you can see the file for relevant information.
  • The Kernel information is important to know the system status. To investigate about troubleshooting Kernel level errors, use the /var/log/kern.log file. This file can help you cover the gap between stable system statuses, especially in case of a custom built Kernel.
  • Similar to /var/log/auth.log, the /var/log/faillog contains information on failed login attempts. The auth.log and faillogfiles are used to fingerprint security breaches related to usernames and passwords. These files also play a vital role in gathering information about a brute force attack.
  • In Linux and UNIX systems, Cron allows you to run commands or scripts on a given, pre-scheduled time. The file /var/log/cron holds information about Cron jobs. With reviewing this file, you can find information about Cron jobstatuses such as successful execution or errors in case of failure job execution.
  • The application installation information is logged into /var/log/yum.log file, if the package is installed with the Yum tool. If you have to see for information related to package installation, or you want to look for errors occurred by recent installation activities, focus on yum.log file. In this file, you can find a complete status of the installation of any package.
  • The mail server related logs are stored in Linux /var/log/maillog or /var/log/mail.log files. These files help you track the information about all incoming and outgoing emails, along with failed email delivery information. You can also find information about blocked spam emails within these files.
  • The /var/log/httpd location holds information about Apache server. The Apache server keeps logging information in error_log and access_log files. To track information related to Apache system performance, you can have a look at the error_log, while on the other hand, the access_log file is used to store information about all access requests received over HTTP.

Book Club: Defensive Security Handbook Chapter 2

My apologies. I am overdue on our next chapter review and this is a good one. Asset management.  The best offence is a good defence. Let’s start here.

“You don’t know what you’ve got til it’s gone.” Ain’t that the truth, especially in light of the growing blight of the Equifax breach: all that data, all those victims. Simply put, you can’t secure what you don’t know.  This applies to both tangible and intangible assets, specifically data. While this seems like common sense, for what is a basic fundamental, people do a terrible job or don’t do it at all.


We are told to remember these two things: “ensure there is one source of truth, and that it is a process, not a project.” In addition, classification and ownership play key roles in the success of this process. One source of truth means that whatever software or system you use to keep track of things, there are no conflicts or discrepancies with anything else. This is understood to be the single, definitive source of truth about assets.  Engage a sense of responsibility throughout the company to detect when “one of these things is not like the others”. BYOD is a thing, and unmanaged, it’s why we can’t have nice things. Ideally, get some executives involved to champion the ongoing cause. Because this is a process, not a one-time project.

Let’s talk about classification.  We live in the age of big data. As we keep learning breach after breach, it’s harrrrd to safeguard the ephemeral. Data is our most valuable asset, in digital form.  You need to know what you have, and ensure that this is understood by everyone inside and outside your organization. Most importantly, know what your crown jewels are and where they are. Your critical assets should be as prized by you as they are by attackers. Just ask the guys at Equifax and OPM about that.

Steps to classify data:

  1. Identify the sources to be protected: what they are, where they live, who are the owners.
  2. Identify the information classes: make sure the labels assigned have the same meaning for everyone. There should be no questions around critical or sensitive.
  3. Map protections to set information classification levels: Authentication, authorization, security controls, encryption.
  4. Classify and protect information
  5. Repeat as a necessary part of a yearly audit: Nothing stays the same. That’s why this is a process, and not a project.

Let’s talk about the 4 steps in the asset management process:

  1. Define the lifecycle: easier said than done. There are a lot of stages between delivery and death. It’s new, it’s old; it’s mine, now it’s yours; repair or replace it. Here is a simple set of stages: Procure, deploy; manage; decommission. And that does not mean it just gets thrown out. You need to permanently and responsibly remove all data and its traces.
  2. Gather information: how do you collect all the details on all the stuff? You could use:
    ARP cache or Address Resolution Protocol from routers and switches for a list of all the IP and MAC addresses connecting to the network.
    DHCP or Dynamic Host Configuration Protocol has all IP address reservations and may even have hostnames.
    NMAP is a comprehensive scanning tool of networks that can yield a lot of results.
    SNMP is Simple Network Management Protocol and can provide a lot of information on networked devices. Netdisco is a free automated scanning tool to help you do this.
    WMI or Windows Management Interface can get most the information from a device.
  3. Powershell is a powerhouse command line solution to get information about AD users.3. Track changes: How do you manage all the changes, the additions and deletions that affect your hardware and software inventories, and your personnel? When someone leaves, does something leave with them?
  4. Monitor and report:  You need to track updates and license renewals, or warranty expiration. It can also alert you to the addition of new and potentially unauthorized devices.

Automation: this is your helper. It works for you, with your supervision.  And ensures that routine tasks and monitoring get done consistently. Find ways to put it to work, like barcodes on items.





Getting Things Done

Dedication. Vision. Accomplishment. Passion. These are the forces of change within cyber security, and just some of the distinctive qualities about the guests Dr. Gary McGraw featured for an entire year on his Silver Bullet podcast.

We know there is a shortage of women, of diversity, in science and technology careers, particularly in cyber security.  Rather than make that the focus, this series and these women tell stories that resonate. They share their experiences, and their passion for what they do enfuses each conversation.  There are no rockstars or grandstanders here because there is no room for ego when there is work to be done.

These are my role models, my teachers, my heroes. They illuminate the darkness of our own ignorance about medical device security; making security meaningful to those outside our security enclave; understanding the power of digital forensics; crafting not just secure code but a security mindset within development.

This series is so much more than just an homage to women in tech. There is tremendous strength to be realized in our diversity; within our differences are the tools and solutions we seek for what lies ahead. I am so honoured to have been included. Thank you!