Windows Server 2003 – End of Life

Windows Server 2003 has officially reached it’s end-of-life date. Does this mean that all of your Windows Server 2003 servers will be hacked on July 16th? Probably not. However, it is worthwhile to ensure that your organization has a plan in place to migrate all of your applications and services off of this legacy operating system. This is especially true if you have any Windows Server 2003 systems that are exposed to the internet. It is only a matter of time until a new vulnerability is discovered that affects this operating system.

As a former Windows Systems Administrator, I understand how difficult it can be to convince an application owner to invest the time and resources into migrating a system or service to a new operating system. Despite the fact that these systems have a heightened risk of being compromised, it’s very possible that your organization doesn’t have the financial resources to migrate your applications and services to a new operating system. You’re not alone. I found over 1.3 million servers running IIS 6.0 in Shodan. Over 688,000 of these servers are in the United States. However, there are still ways to reduce the risk of hosting these legacy operating systems until a migration plan is put into place.

A few ways to reduce the risk of hosting an application on a legacy operating system are:

  • Discover and document – You can’t protect a system if you don’t know it exists. Take some time to identify and document all of the legacy and unsupported operating systems in your network.
  • Learn about the application – Take some time to learn some details about the application. Is it still even being accessed? Who uses it? Why is it still hosted on an unsupported operating system? Are there other options available?
  • Educate the business users – If financial resources are an issue, take some time to explain the risks of hosting this application to the business users. Once they gain an understanding of the risk associated with hosting their application on a legacy OS, they can help secure funding to ensure that the application is upgraded.
  • Isolate – Segmenting the legacy system can reduce the risk that it is accessed by an attacker. It also can decrease the likelihood that a compromise of the legacy system will spread to other servers.
  • Update and secure – Install all available patches and updates. Not only for the operating system, but the hosted applications as well.
  • Perform thorough log analysis – Implement some sort of centralized logging platform to ensure you have the ability to detect any anomalies that occur within these systems.
  • Plan for the worst – Be prepared. Have a plan in place for responding to an incident involving these systems.

Are you hacking!? There’s no hacking in baseball!

My Dad called me earlier this week to ask if I heard about the FBI’s investigation of the St. Louis Cardinals. My initial reaction was that the investigation must be related to some sort of steroid scandal or gambling allegations. I was wrong. The Cardinals are being investigated for allegedly hacking into the network of a rival team to steal confidential information. Could the same team that my Grandparents took me to see play as a kid really be responsible for this crime?

After I had time to read a few articles about the alleged hack, I called my Dad back. He immediately asked me if the Astros could have prevented it. From what I have read, this issue could have been prevented (or at least detected) by implementing a few basic information security controls around the Astros’ proprietary application. Unfortunately, it appears the attack was not discovered until confidential information was leaked onto a pastebin site.

The aforementioned controls include but are not limited to:

  1. Change passwords on a regular basis – It has been alleged that Astros system was accessed by using the same password that was used when a similar system was deployed within the St. Louis Cardinals’ network. Passwords should be changed on a regular basis.
  2. Do not share passwords between individuals – Despite the fact that creating separate usernames and passwords for each individual with access to a system can be inconvenient, it reduces a lot of risk associated with deploying an application. For example, if each member of the Astros front office was required to have a separate password to their proprietary application, the Cardinals staff would not have been able to successfully use the legacy password from when the application was deployed in St. Louis. The Astros would also have gained the ability to log and track each individual user’s actions within the application.
  3. Review logs for anomalies on a regular basis – Most likely, the Astros were not reviewing any kind of security logs surrounding this application. If they were, they might have noticed failed login attempts into the application prior to the Cardinals’ alleged successful attempt. They also might have noticed that the application was accessed by an unknown or suspicious IP address.
  4. Leverage the use of honeypot technology – By implementing HoneyPot technology, the Astros could have deployed a fake version of this application. This could have allowed them to detect suspicious activity from within their network prior to the attackers gaining access to their confidential information. This strategy could have included leveraging MSI’s HoneyPoint Security Server to stand up a fake version of their proprietary application along with deploying a variety of fake documents within the Astros’ network. If an attacker accessed the fake application or document, the Astros would have been provided with actionable intelligence which could have allowed them to prevent the breach of one of their critical systems.
  5. Do not expose unnecessary applications or services to the internet – At this point, I do not know whether or not the Astros deployed this system within their internal network or exposed it to the internet. Either way, it’s always important to consider whether or not it is necessary to expose a system or service to the internet. Something as simple as requiring a VPN to access an application can go a long way to securing the confidential data.
  6. Leverage the use of network segmentation or IP address filtering – If the application was deployed from within the Astros internal network, was it necessary that all internal systems had access to the application? It’s always worthwhile to limit network access to a particular system or network segment as much as possible.

Honestly, I hope these allegations aren’t true. I have fond memories of watching the Cardinals win the World Series in 2006 and 2011. I would really hate to see those victories tarnished by the actions of a few individuals. However, it’s important that we all learn a lesson from this..whether it’s your email or favorite team’s playbook…don’t overlook the basic steps when attempting to secure confidential information.

A Reminder About the IoT Future…

This article has been making the rounds about a researcher who has developed a tool set that can turn a Mattel toy into a “magic” garage door opener for most garage doors. The uses of opening someone else’s garage doors seem pretty obvious, so we will leave that to the reader….

But, this is an excellent moment to pause and discuss what happens when so many things in and around our lives become Internet connected, remotely managed or “smart”. Today, it seems everything from door locks, to watches and from refrigerators to toilets are getting embedded digital intelligence. That’s a lot of hackable stuff in your life. 

I have been doing some research on beacon technology recently, and how they are being used to track consumer behaviors. I have been working with some clients that use TigerTrax™ to track consumer data and some of that work is simply amazing. As vendor knowledge seeps into your home and everyday life, even more impacts, privacy issues (and lets face it…) cool features will emerge. The problem with all of these things is that they are a double edged sword. Attackers can use them too. They can be manipulated, mis-used, invasive, infected and some can be outright dangerous (consider refrigerator malware….). 

Once again, technology is becoming ubiquitous. It offers both benefits and some things to consider. My point here is just to consider both sides of that coin the next time you face a buying decision. The world, and you, could benefit from more privacy consideration at the point of purchase… 🙂 

Privacy vs. Convenience

I’ve lost track of how many useful cloud-based services I have signed up for within the last few years. I can’t picture my life without products like Uber, FancyHands and Gmail. It often surprises people to find out that these products are free or very inexpensive. If they’re giving the service away for free or at a very low cost, how can the companies make money?

Typically, a service provider is able to gain a substantial profit based on the fact that they are able to harvest your data. Imagine what an advertiser could gain just by learning information about your latest Uber ride. When using a service provider, it’s important to ask yourself, is the convenience worth the sacrifice of your privacy? While it’s possible that not all of these service providers are harvesting or selling your data, it’s worthwhile to at least consider your loss of control.

Personally, I have found that there are circumstances in which I am willing to sacrifice my privacy for a cheaper and more effective product. I feel that the convenience of being able to order a cab with the touch of a button on my phone is worth the risk of another corporation learning details about my trip. Another circumstance in which I am willing to forgo a bit of my privacy to gain a convenience would be my use of a “savings card” at my local grocery store. I have no doubt that they are tracking and analyzing my purchases. However, I have always felt that it is worthwhile to share my purchase history with the grocery store due to the discounts that they provide for using the “savings card”.

Despite the fact that I am often willing to forgo my privacy in an attempt to gain access to a service offering, there are products that I do not feel that the offered convenience warrants the loss of control over my personal information. For example, I recently looked into leveraging a service that could automatically unsubscribe me from a number of subscription emails. As annoying as those emails can be, I didn’t feel that the convenience of this service was worth letting a 3rd party parse through all of my emails.

Each time my personally identifiable information (PII) is exposed to attackers as a part of a data breach, I become more likely to voluntarily share my personal information with a 3rd party in an effort to gain a convenience. Next time you prepare to sign up for a free or discounted service, be sure to take a few extra moments to decide whether or not you are willing to expose your private information to gain access to the service. After all, there’s no such thing as a free lunch.

NanoCore RAT

It’s been discovered that a Remote Access Trojan (RAT) named NanoCore has been cracked again. These cracked copies are being heavily distributed via the deep and dark web. Due to the fact that malicious actors are now able to obtain this RAT for free, there has been a spike of observed NanoCore infections. For example, it was recently reported that the cracked copies are being leveraged in phishing attacks against energy companies. Unfortunately, we anticipate that the attempted use of this RAT will increase over the next few weeks.
However, there is some good news regarding the spread of NanoCore. First, the observed methods for deploying this malware do not seem to be very complicated. The attacks appear to be leveraging basic e-mail phishing which can be prevented by tuning spam filters and performing security awareness training with staff. Second, the attacks appear to be attempting to exploit vulnerabilities that are 2-3 years old. Your organization’s workstations should already have patches installed that will prevent the malware from being deployed. Finally, several commercial IDS/IPS systems are already able to detect this RAT. To ensure that your organization is protected, be sure to verify that your IDS/IPS/AV signatures are up to date.
We are more than happy to answer any questions that you might have about this RAT. Feel free to contact us by emailing <info> at microsolved.com

How to Make InfoSec Infographics

Infographics are everywhere! And people either love them or hate them.

That said, many security teams have been asking about building infographics for awareness or communicating threat data to upper management in quick easily-digestible bites. To help with that, we thought we would tell you what we have learned about how to make infographics – as a best practice – so you won’t have to suffer through the mistakes we and others in the security field have already made. 🙂

So, at a high level, here is what you need to know about making infographics on security topics:

What are infographics & why are they useful?

Infographics are a visual representation of data and information; it is a quick way to look at a lot of in-depth information and get a clear understanding of it. They are used to communicate data in a way that is compact and easy to comprehend and also provide an easy view of cause and effect relationships. Infographics are visually appealing and are composed of three elements:
– visual (color, graphics, reference icons)
– content (time frame, statistics, references)
– knowledge (facts)

Best practices for building infographics: 

– Simplicity: clean design that is compact and concise with well organized information
– Layout: Maximum of 3 different fonts
– Colors: choose colors that match the emotions you are trying to convey. The background should blend with the illustrations
– Boundaries: limit the scope of your information. Attention span is short so try to answer only one question per infographic

The main best practice we have learned is: Keep It Simple! Focus on just a few salient points and present them in interesting tidbits. Use templates, they are available all over the web for your publishing or office platform. Remember, the purpose of infographics is to peak interest in a discussion, not serve as the end-all, be-all of presenting data to the audience.

Let us know your success stories or tell us what you have learned about infographics on Twitter (@lbhuston or @microsolved). Thanks for reading!

3 Things I Learned While Responding to Security Incidents

Unfortunately, if you work in IT long enough, you’re likely to encounter a security incident. Having experienced these incidents as a Systems Administrator and as a consultant, I felt that it would benefit others if I shared 3 things that I learned while responding to security issues.

  1. Stay calm – If you’ve noticed malicious activity on your network, your first reaction might be to panic. While time is of the essence, you don’t want stress to negatively impact your decision making. If you need to, give yourself a minute to collect your thoughts prior to proceeding with resolving the issue. Once you’re ready to start working on the problem, begin by attempting to gain an understanding of the type and severity of the attack. This information will go a long way towards mitigating the issue.
  2. Don’t be shortsighted – Whether you’re dealing with a targeted attack or a random malware infection, it’s important to consider the long term effects of your decisions. It is likely that you will receive pressure from various business units to bring systems back online as soon as possible. While it’s important that staff regains access to their applications, it could lead to larger problems down the line if that access is restored prematurely. For example, removing network connectivity or isolating affected systems is obviously going to upset some staff members due to the loss of productivity. However, it’s possible that the malware or attacks could become more widespread if the affected systems are not properly isolated.
  3. Hindsight is 20/20 – I’ve seen individuals waste time during incidents pointing fingers at other team members. I’ve also witnessed individuals procrastinate resolving the issue while they agonize over ways they could have prevented the incident from occurring. After the issue has been resolved, it’s important to have a post mortem meeting to take the proper steps to make sure that history does not repeat itself. However, those conversations can wait until the incident has been fully resolved.

I sincerely hope you don’t have to deal with any security incidents.  However, if you need help resolving an issue involving a malware outbreak or targeted attack, do not hesitate to contact us for assistance.

Telnet!? Really!?

I was recently analyzing data from the HITME project that was collected during the month of January. I noticed a significant spike in the observed attacks against Telnet. I was surprised to see that Telnet was being targeted at such a high rate. After all, there can’t be that many devices left with Telnet exposed to the internet, right?

Wrong. Very wrong. I discovered that there are still MILLIONS of devices with Telnet ports exposed to the internet. Due to Telnet’s lack of security, be sure to use SSH as opposed to Telnet whenever possible. If you absolutely must control a device via Telnet, at least place it behind a firewall. If you need to access the device remotely, leverage the use of a VPN. Finally, be sure to restrict access to the device to the smallest possible IP range.

The map below shows the geographical locations and number of attacks against Telnet that we observed last month. If you need any help isolating Telnet exposures, feel free to contact us by emailing info <at> microsolved.com.

Screen Shot 2015-02-10 at 11.28.10 AM

 

RansomWeb Attacks Observed in HITME

Unfortunately, the destructive nature of Ransomware has taken a new turn for the worse.  A new technique called RansomWeb is affecting production web-based applications.  I recently analyzed data from the HITME project and observed several RansomWeb attacks against PHP applications.  I can only assume the frequency of these attacks will increase throughout the year.  As a former Systems Administrator, I can definitively say that it would be a nightmare to bring an application back online that was affected by this variant of Ransomware.  Due to RansomWeb’s destructive nature, it is important to ensure that your organization is actively working to prevent RansomWeb from destroying any critical systems.

The attackers begin the RansomWeb process by exploiting a vulnerability within a web server or web-based application.  Once the server or application have been exploited, the attackers slowly begin encrypting key databases and files.  Once the encryption is complete, the hackers shut down the website/application and begin to demand ransom in exchange for the decryption of the corporation’s files.  Unfortunately, the attackers have even perfected using this process to encrypt system-level backups.

To prevent RansomWeb from affecting your organization, please be sure to complete the following steps on a regular basis:

  • Perform regular vulnerability assessments and penetration testing against your critical applications and servers.
  • Audit your application and system logs for any irregular entries.
  • Verify that you are performing regular application and system backups.
  • Be sure to test the backup/ restore process for your applications and systems on a regular basis.  After all, your backup/ DR process is only as effective as your last successful restore.

If you would like to discuss how we can help you prevent RansomWeb from affecting your production applications, do not hesitate to contact us by emailing info <at> microsolved.com

Recently Observed Attacks By Compromised QNAP Devices

Despite the fact that the Shellshock bug was disclosed last fall, it appears that a wide variety of systems are still falling victim to the exploit.  For example, in the last 30 days, our HoneyPoint Internet Threat Monitoring Environment has observed attacks from almost 1,000 compromised QNAP devices.  If you have QNAP devices deployed, please be sure to check for the indicators of a compromised system.  If your device has not been affected, be sure to patch it immediately.

Once compromised via the Shellshock bug, the QNAP system downloads a payload that contains a shell script designed specifically for QNAP devices.  The script acts as a dropper and downloads additional malicious components prior to installing the worm and making a variety of changes to the system.  These changes include: adding a user account, changing the device’s DNS server to 8.8.8.8, creating an SSH server on port 26 and downloading/installing a patch from QNAP against the Shellshock bug.

The map below shows the locations of compromised QNAP systems that we observed to be scanning for other unpatched QNAP systems.  If you have any questions regarding this exploit, feel free to contact us by emailing info <at> microsolved.com.

Screen Shot 2015-01-27 at 1.41.31 PM