Ready for Ransomware?

Ransomware is becoming common. We are getting a lot of calls for help with incident response. Here are a couple of things to think about, in general, around ransomware attacks.

1. Backups are your first line of recovery – just think about making sure they aren’t infected as well, so that you don’t restore infected files

2. Paying the ransom can be hairy – in some cases, paying the ransom could be a crime (think money laundering, banking regulations and the Patriot Act…), plus having a process to pay in bitcoin, even if you wanted to – in the time provided – is often a challenge

3. Some ransomware is recoverable – so check for options

4. Measure business impact – is re-creation of the data viable at a cost less than the cost of paying the ransom, including the work of paying the ransom – sometimes yes… 

5. Can you identify the failed controls that let you get infected? – If so, fix them, if possible.

These are a good place to start. Think about ransomware, your incident response process and current capabilities. Check your backups and have multiple sources. Be prepared instead of panicked.

Thanks to Columbus State Community College & Get Involved

On Tuesday, I spoke at Columbus State Community College to a group of high and middle school teachers about digital crimes, black market economics and cyber-ethics. We had fantastic discussions and as teachers, they were amazingly engaged with myself and my content. I have never taught a more enthusiastic group of folks.

They asked a lot of questions; mostly about crime, motivation and the techniques of criminals in the digital world. But, they also asked for critical lessons that they could take back to their students and use in their own classrooms. Kudos for that!

If you want to get involved in the program, please contact @sempf on Twitter for more info. They are always looking for great speakers, excellent content and especially women with experience in STEM related careers. Thanks so much to Columbus State for having me. I was honored and thrilled to participate in the GenCyber program. Thanks to @sempf for the photo!


Getting Smart with Mobile App GeoLocation to Fight Fraud

If your mobile application includes purchases with credit cards, and a pickup of the merchandise, then you should pay attention to this.

Recently, in our testing lab and during an intelligence engagement, we identified a fraud mechanism where stolen credit cards were being used via the mobile app in question, to fraudulently purchase goods. In fact, the attackers were selling the purchase of the goods as a service on auction and market sites on the dark web.

The scam works like this. The bad guys have stolen credit cards (track data, likely from dumps), which they use to make a purchase for their client remotely. The bad guys use their stolen track data as a card not present transaction, which is standard for mobile apps. The bad guys have access to huge numbers of stolen cards, so they can burn them at a substantial rate without impacting their inventory to a large extent. The bad guy’s customer spends $25 in bitcoins to get up to $100 in merchandise. The bad guy takes the order from the dark net, uses the mobile app to place the order, and then delivers the receipt and/or pickup information to the bad guy’s customer. The customer then walks into the retailer and shows the receipt for their mobile order, picking up the merchandise and leaving.

The bad guy gets paid via the bitcoins. For them, this is an extremely low risk way to convert stolen credit card info to cash. It is significantly less risky for them than doing physical card replication, ATM use or other conversion methods that have a requirement for physical interaction.

The bad guy’s customer gets paid by picking up the merchandise. They get up to $100 value for a cost of $25. They take on some risk, but if performed properly, the scam is low risk to them, or so they believe. In the odd event, they simply leave the store after making their demands for satisfaction. There is little risk of arrest or prosecution, it would seem, especially at the low rate of $100 – or at least that was how the bad guy was pitching it to their prospective customers…

The credit card issuer or the merchant gets stuck. They are out the merchandise and/or the money, depending on their location in the world, and the merchant agreement/charge back/PCI compliance issues they face.

Understanding the fraud and motivations of the bad guys is critical for securing the systems in play. Organizations could up their validation techniques and vigilance for mobile orders. They could add additional fraudulent transaction heuristics to their capability. They could also implement geo-location on the mobile apps as a control – i.e., if the order is being physically placed on a device in Ukraine, and pick up is in New York, there is a higher level of risk associated with that transaction. Identifying ways to leverage the sensors and data points from a mobile device, and rolling it into fraud detection heuristics and machine learning analytics is the next wave of security for some of these applications. We are pleased to be helping clients get there…
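One way the geo-location control above can be scored, as an added example that is not part of the original post or any MicroSolved product: the store coordinates, order fields and risk weights are constructed for illustration, and the device fix is cross-checked against the IP country because a modified app can report a fake GPS position.

```python
import math

# Constructed pickup-store coordinates (hypothetical, for illustration only).
STORES = {
    "NYC-01": (40.7484, -73.9857),   # Manhattan
    "CMH-02": (39.9612, -82.9988),   # Columbus, OH
}
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def geo_risk(order):
    """Score a mobile pickup order from 0 (no geo concern) to 100.

    order is a dict with pickup_store, pickup_country, ip_country and, when the
    app could read the sensor, device_lat/device_lon/device_country (absent when
    the user denied location access). Returns (score, reasons). The weights are
    illustrative assumptions; tune them against your own fraud data.
    """
    score, reasons = 0, []
    store_lat, store_lon = STORES[order["pickup_store"]]

    if order.get("device_lat") is None:
        # Missing telemetry is itself a signal: automated ordering tooling often
        # runs without a real GPS fix, so do not treat it as neutral.
        score += 25
        reasons.append("device location unavailable")
    else:
        dist = haversine_km(order["device_lat"], order["device_lon"], store_lat, store_lon)
        if dist > 1000:
            score += 50
            reasons.append(f"device is {dist:.0f} km from pickup store")
        elif dist > 100:
            score += 20
            reasons.append(f"device is {dist:.0f} km from pickup store")
        if order.get("device_country") != order["pickup_country"]:
            score += 30
            reasons.append("device country differs from pickup country")

    # A GPS fix can be faked by a modified app; a disagreeing IP geolocation is a
    # cheap cross-check that a spoofed fix usually fails.
    if order.get("device_country") and order["ip_country"] != order["device_country"]:
        score += 20
        reasons.append("IP country disagrees with device country")
    return min(score, 100), reasons


# Constructed orders: one placed from Kyiv for pickup in New York, one local.
REMOTE_ORDER = {"pickup_store": "NYC-01", "pickup_country": "US", "ip_country": "UA",
                "device_lat": 50.4501, "device_lon": 30.5234, "device_country": "UA"}
LOCAL_ORDER = {"pickup_store": "NYC-01", "pickup_country": "US", "ip_country": "US",
               "device_lat": 40.7580, "device_lon": -73.9855, "device_country": "US"}

if __name__ == "__main__":
    for order in (REMOTE_ORDER, LOCAL_ORDER):
        print(geo_risk(order))
```

The score is meant as one input to the fraud heuristics the post mentions, not a sole decision: a high score should route the order to additional validation rather than reject it outright.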

To hear more about modern fraud techniques, application security testing or targeted threat intelligence like what we discussed above, drop us a line (info at microsolved dot com) or via Twitter (@lbhuston). We look forward to discussing it with your team.

Brands Being Used in Pornography Search Engine Poisoning

Recently, during one of our TigerTrax™ Targeted Threat Intelligence engagements, we were performing passive threat assessments for a popular consumer brand. In the engagement, we not only gathered targeted threat intelligence about their IT environments, applications and hosting partners, but also around the use of their brand on a global scale. The client had also chosen to take advantage of our dark net intelligence capabilities, and was keenly interested in how the dark net, deep web and underground portions of the Internet were engaged with their brand. This is a pretty common type of engagement for us, and we often find a wide variety of security, operational and reputational issues.

This particular time around, we ran into a rather interesting and new concern, at least on the dark net. In this case, a dark net pornography site was using the consumer brand embedded as an HTML comment in the porn site’s main pages. Overall, there were several hundred name brands in the comments. This seems to have been performed so that the search engines that index the site on the dark net, associate the site with the brands. That means when a user searches for the brand name, they get the porn site returned as being associated. In this case, it was actually the first link on several of the dark net search sites we tested. The porn site appears to be using the brand names to lure eyeballs to the site – essentially to up the chance of finding a subscriber base for their particularly nasty set of pornography offerings. Search engine poisoning has been an issue on the public web for some time, and it is a commonly understood tactic to try and link your content to brands, basically serving as “click bait” for users. However, on the dark net, this was the first time we had observed this tactic being used so overtly.
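A brand-monitoring check for the pattern described above, written as an added example (not TigerTrax code or anything from the engagement): it flags watchlist brands that appear only inside HTML comments and never in the visible text. The page and brand names are constructed.

```python
import re
from html.parser import HTMLParser


class CommentCollector(HTMLParser):
    """Split a page into its HTML comments and its visible text."""

    def __init__(self):
        super().__init__()
        self.comments = []
        self.visible = []

    def handle_comment(self, data):
        self.comments.append(data)

    def handle_data(self, data):
        if data.strip():
            self.visible.append(data)


def find_hidden_brands(html, watchlist):
    """Return {brand: comment_hits} for watchlist brands found only in comments.

    A brand that also appears in visible text is skipped: that is ordinary
    content (a review, a sponsor line), not hidden keyword stuffing aimed at
    the search engine indexer.
    """
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    comment_text = "\n".join(parser.comments)
    visible_text = "\n".join(parser.visible)
    hits = {}
    for brand in watchlist:
        pattern = re.compile(r"\b" + re.escape(brand) + r"\b", re.IGNORECASE)
        in_comments = len(pattern.findall(comment_text))
        in_visible = len(pattern.findall(visible_text))
        if in_comments and not in_visible:
            hits[brand] = in_comments
    return hits


# Constructed sample page and watchlist; every brand name here is invented.
SAMPLE_HTML = """<html><head><title>Free videos</title>
<!-- AcmeCola Globex Shoes Initech Hooli -->
</head><body>
<!-- keywords: acmecola, globex shoes, best AcmeCola deals -->
<p>Welcome to the site. Sponsored by Initech.</p>
</body></html>"""
WATCHLIST = ["AcmeCola", "Globex Shoes", "Initech", "Umbrella Corp"]

if __name__ == "__main__":
    print(find_hidden_brands(SAMPLE_HTML, WATCHLIST))
```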

The brand owner was, of course, concerned about this illicit use of their brand. However, there is little they could do to respond, other than reporting the site to the authorities. Instead, after discussing various options, we worked with them to identify an action and response plan for how they would handle the problem if it became a public concern. We also worked with them to identify a standard process that they could follow to bring their existing legal, marketing, management and other parts of their incident response team up to date on threats like these as they emerged.

The client was very pleased to have the discussion and with the findings we identified. While any misuse of their brand is a concern, having their brand associated with pornography or other illicit material is certainly unnerving. In the end, there is little that organizations can do, other than work with authorities or work on take down efforts if the brand is misused on the public web. However, having the knowledge that the issue is out there, and working to develop the threat into existing response plans certainly goes a long way to help them minimize these kinds of risks.

To learn more about dark net brand issues, targeted threat intelligence or passive assessments, drop us a line (info@microsolved dot com) or get in touch on Twitter (@lbhuston) for a discussion. 

3 Reasons I Believe In #CMHSecLunch And Its Mission

I get asked quite often about why I started CMHSecLunch and what the goals behind it are. I wanted to take a moment and discuss it on the blog.

First, if you aren’t a security person in Columbus, Ohio, you might not have heard of the event. Here are the details about it.

Every month, on the second Thursday, my team loosely organizes a simple lunch meet up at one of the local mall food courts. It is free, open to all – including non-security folks, kids and interested parties. There is usually a topic like “physical security”, “supply chain”, “threat intelligence”, “pen-testing”, etc. We also usually have something for people to fiddle with while they talk, like locks and lock picks, Legos, smart bits, cards and readers, etc. We find that having something to play with physically seems to help the attendees converse more easily.

The mission of CMHSecLunch was to emulate the “hallway conversations” part of security conferences, and to open up the security community to even larger groups of folks that may be interested, but may not have an easy way to get involved. I wanted it to be less formal than something like an ISSA/ISACA event, be free, loose in organization and really help people make personal connections with each other and the community at large.

The mission started in roughly 2012, and while we took a couple of breaks, is over 4 years old. Sure, there are a lot of other events and even a couple of knock-off lunches – emulation is a compliment 🙂 – but those usually include some formal presentation, vendor sponsor pitches or some other form of noise as the center of the event. I wanted to avoid all of that and put people at the center of the event. No vendor pitches, no one buys your lunch – so you don’t owe anyone anything either implicit or implied – and since it is in an open public space like a mall food court – there is no separation of infosec from the general public. Everyone can see, talk and ask questions without all of the speed bumps and smoke/mirrors and sense of separation sometimes associated with the infosec community. We’ve had middle school kids, college students, IT folks, janitors at the mall, infosec practitioners, managers and executives join us, engage and ask questions.

So, the #1 reason that I support CMHSecLunch is just that – the open nature and open discussion that comes from it. Thus far, nearly everyone who sits down with us at these events leaves their ego at home or in their car. We’ve had honest discussions from technical to personal, jokes and explanations, stories and anecdotes and even some project launches. Overall, the sense of openness and community has been one of the most amazing parts of my career. Sometimes there are 3 people, sometimes 30 – but I always leave with a smile and a renewed sense of community.

The second reason I believe in CMHSecLunch is that I have seen it bring new talent and fresh energy to the community. People have personally told me that because it was an open, public space and there was nothing expected, that they had the courage to finally approach infosec folks. Many times, people are nervous that they may not fit in, or have the skill set or knowledge of security practitioners at the more focused meetings. They may not have the management or budget support to go to conferences, ISSA/ISACA/OWASP events or even know that they exist. But a lot of people are on Twitter. A lot of people aren’t nervous to go to a mall food court. A lot of people can afford to invest in a fast food or brown bag lunch to get to know people to get started. That’s the crucial ingredient – to make it easy for new folks to join and engage. We need them. The community desperately needs new talent, fresh ideas and new resources that aren’t already locked into the echo chamber of infosec. In fact, I would say new ideas and new talent will make or break infosec over the next 10 years. I believe CMHSecLunch is an easier way for those new people to get started.

Lastly, I love bringing security discussions out of closed business conference rooms and into the mall. I absolutely get thrilled when people around us ask about lock picking or smart bits or whatever we are playing with. I love it when people lean in to listen about hacking or about how credential theft works. We have seen so many surrounding tables clearly listening in – that I have made it a habit to simply ask them to join us and explain the mission. It’s a beautiful thing. Remove the smoke, mirrors and mysticism of infosec – and everyday people are suddenly interested again. They become a little less apathetic, a little less distant and a lot more aware. Isn’t that what we have always asked for as a community? Didn’t we always want everyday users to be more engaged, more aware and more security capable? I truly believe that it will take bringing the public into the fold to make that happen. I believe that events like CMHSecLunch – loosely organized, free, open to the public, held in common public locations and developed on a spirit of inclusion, just might be a way forward. Mostly, I believe in the open, honest and caring attitudes of people, regardless of what community they believe themselves to be a part of. Thus, I believe in CMHSecLunch and our mission…

Wanna give it a try? If you are around central Ohio, you can find the schedule, locations and times here. Want to start your own event, in your area? Ping me on Twitter (@lbhuston) and I’ll be happy to discuss what I did to promote it, and how I would go about it. If I can help you get a group started, I will. That’s it. That’s why I believe. I hope you will believe too… 

Passive Assessments Continue to Astound

Our passive assessment capability continues to astound us with the things we find. I haven’t seen this many obvious hits since the early days of vulnerability scanning…

It seems that many organizations are missing issues that lie outside of their perimeter. Hosted sites, cloud-based systems and rogue network segments abound. Brand-focused assessments and passive testing of the security posture of partners, providers and external resources have proven to our clients to be a tipping point moment. It has become clear to them and us that a significant portion of the threats and attack surface have moved into wider distribution outside the network perimeter of yesterday. 

Clients have been using this capability to test and audit their own risks, but also those of their vendors, partners and cloud providers “en masse”.

We are looking for 3-5 key organizations to put together a summit and think tank group to develop standards and best practices together for how to best use passive assessments and targeted threat intelligence on an enterprise level. If your organization would like to discuss passive assessment and potentially engaging in the best practices development summit, please reach out to us on Twitter (@microsolved) or contact your account executive/project manager to arrange for a quick call. Thanks and we look forward to bringing these game changing new tools to organizations around the world shortly!

3 Tools Security Teams Need to Look at Today

I would urge most security teams to hit pause for an hour and take a moment to look at these three tools that may add leverage to the work you are doing.

1. Python LogTools – This is an excellent python library that makes parsing web logs, primarily Apache logs, easy and useful. The capability also can be trivially expanded to analyze other types of logs and system outputs with a little bit of text hacking. Seriously, we know you aren’t reading the logs – find a way to use programmatic tools – even if that just means you are parsing for specific issues. I know, I know – you have the SIEM – but honestly, parse the logs. You’ll likely be amazed what you find…

2. Open Source Web Task Manager – Taskfreak – Nearly every team we talk to asks how other security teams coordinate task and resource management. Here is a free tool set that you can use, apart from the more difficult enterprise tools and bloatware. Get a team server or instance and share tasks and resources. Done!

3. Nmap – yeah, we said it – NMAP! – Oh, I know – you’ve used it. It comes on Kali and nearly every distro – but forget using it for pen-testing and auditing. Now, with a clear mind – begin to think about how you can use nmap to know what’s out there. Inventory of systems and services, done. Ongoing runs to detect new devices, done. Ongoing runs to find new services on known network segments, done. Periodic runs to test network speeds and connectivity for routing issues, done. Gateway checks, done. Detection of new devices by parsing DHCP logs and launching runs – a poor man’s NAC tool, done. There are so many things you can do with nmap other than pen-testing that I am thinking of just becoming an nmap consultant. C’mon – learn the basics and then use the basic tool in new ways to solve problems you already have. Nmap and some simple scripting can up your security team’s game. Give it a shot… 
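The “ongoing runs to detect new devices and new services” idea from item 3, as an added example that is not part of the original post: it parses nmap’s grepable output (the real `-oG` option) and diffs two runs. The scan text below is a constructed sample, not real output from a scanner.

```python
import re

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_grepable(text):
    """Parse nmap -oG output into {ip: set of 'port/proto' open services}.

    Hosts that are up but show no open ports map to an empty set, so they still
    count as inventory. Only 'open' ports are recorded; closed and filtered
    entries are noise for this purpose. Assumes version strings contain no
    ', ' sequence, which is how -oG separates port entries.
    """
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip = m.group(1)
        # Remaining tab-separated fields look like "Status: Up" or "Ports: ...".
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if fields.get("Status") == "Up":
            hosts.setdefault(ip, set())
        for entry in fields.get("Ports", "").split(", "):
            parts = entry.split("/")   # port/state/proto/owner/service/rpc/version/
            if len(parts) >= 3 and parts[1] == "open":
                hosts.setdefault(ip, set()).add(f"{parts[0]}/{parts[2]}")
    return hosts


def diff_inventory(baseline, current):
    """Compare two inventories: hosts that appeared, hosts that vanished,
    and (ip, port/proto) services that are new on an existing or new host."""
    new_hosts = set(current) - set(baseline)
    gone_hosts = set(baseline) - set(current)
    new_services = set()
    for ip, ports in current.items():
        for port in ports - baseline.get(ip, set()):
            new_services.add((ip, port))
    return {"new_hosts": new_hosts, "gone_hosts": gone_hosts,
            "new_services": new_services}


# Constructed sample runs (tabs written as \t, exactly as -oG emits them).
BASELINE_SCAN = """# Nmap scan initiated (constructed sample, not real scanner output)
Host: 192.168.1.1 (gw.lan)\tStatus: Up
Host: 192.168.1.1 (gw.lan)\tPorts: 22/open/tcp//ssh//OpenSSH/, 443/open/tcp//https//nginx/\tIgnored State: closed (998)
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: filtered (999)
# Nmap done"""

CURRENT_SCAN = """# Nmap scan initiated (constructed sample, not real scanner output)
Host: 192.168.1.1 (gw.lan)\tStatus: Up
Host: 192.168.1.1 (gw.lan)\tPorts: 22/open/tcp//ssh//OpenSSH/, 443/open/tcp//https//nginx/\tIgnored State: closed (998)
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (998)
Host: 192.168.1.77 ()\tStatus: Up
Host: 192.168.1.77 ()\tPorts: 23/open/tcp//telnet///, 135/filtered/tcp//msrpc///\tIgnored State: closed (998)
# Nmap done"""

if __name__ == "__main__":
    report = diff_inventory(parse_grepable(BASELINE_SCAN), parse_grepable(CURRENT_SCAN))
    for key, value in report.items():
        print(key, sorted(value))
```

Feed it yesterday’s and today’s `-oG` files from a scheduled scan and alert on anything in `new_hosts` or `new_services`; a new telnet listener on an unknown host is exactly the kind of finding the post is after.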

Got other ideas? Let us know on Twitter (@microsolved). See you there! 

The Dark Net Seems to be Changing

The dark net is astounding in its rapid growth and adoption. In my ongoing research work around underground sites, I continue to be amazed at just how much traditional web-based info is making its way to the dark net. As an example, in the last few research sessions, I have noticed several sites archiving educational white papers, economic analyses and more traditional business data – across a variety of languages. I am also starting to see changes in the tide of criminal-related data and “black market” data, in that the density of that data has begun to get displaced, in my opinion, by more traditional forms of data, discourse and commercialization.

It is not quite to the level of even the early world wide web, but it is clearly headed in a direction where the criminal element, underground markets and other forms of illicit data are being forced to share the dark net with significantly more commercial and social-centric data. Or at least, it feels that way to me. I certainly don’t have hard metrics to back it up, but it feels that way as I am working and moving through the dark net in my research. 

There is still a ways to go, before .onion sites are paved and turned into consumer malls – but that horizon seems closer now than ever before. Let me know what you think on Twitter (@lbhuston).

Business Size Affects Security Flexibility

In the realm of cyber-security, all of the advantages are with the attacker. To be successful, defenders have to guard against and defeat all possible attack types all of the time; attackers only need to find one hole in those defenses to win the game. That is why information security programs need to be dynamic and flexible in order to work properly.

I have worked with all types and sizes of organizations during my years in the information security field including government agencies, regulatory bodies, retail concerns, service providers, financial institutions and medical organizations. No matter what kind of organization I am working with, I have found it to be an immutable truth that the larger and more complex the organization, the more difficult and time consuming it is to make changes to their information security program. It’s not really anybody’s fault, it’s just the nature of the beast. Bigger organizations have more checks and balances to deal with, more personality clashes to arbitrate, more committees to wrestle with and more ‘rice bowls’ to protect. However, this is no reason to throw up our hands and admit defeat. Now is the time to recognize that we have a problem and try to find ways to work around it.

One idea I wish to propose in this regard is the ‘top-down, bottom-up’ approach to information security. First, the people in top positions in large organizations need to be made fully aware that a real problem exists and how serious it is. They also need to be made aware of the business advantages of a flexible and effective information security program. Most important of all, they need to be willing to visibly show their full support for the program and the changes that are to come. After all, no organizational security initiative can get very far without full buy-in at the Board Room level.

Another part is the ‘bottom up’ part of the process. Some years ago I worked with a software suite that allowed anyone in the organization to easily access and view security policy on the company intranet. Not only could personnel view the policy, they could make suggestions to improve and change it, propose new techniques, recommend ways to streamline the process, etc. Nobody in an organization knows more about business processes and how to protect them than the people that work with them every day. Why not encourage them to make suggestions and report problems? All it takes is a little encouragement and minor reward. In fact, I’ve found that simply recognizing personnel for their security efforts is enough. Praise them in group meetings, put their pictures up on the wall, that sort of thing. Why should the organization hire expensive consultants to tell them the same things that they can learn from their own personnel?

The last part is acting upon the suggestions produced by management encouragement. Once valid suggestions have been made, the initiative needs to flow through the normally recalcitrant and obstructionist mid-levels of the organization to make it back to the top. Can this group be made to set aside their differences and encourage the adoption of rational and workable suggestions for change? If they can, then large organizations can truly improve the flexibility and effectiveness of their information security program, and save money doing it.

Ransomware: Bigger and More Sophisticated than Ever

Ransomware has been around for decades. In 1989 the AIDS Trojan was used to hide directories and encrypt all files on the C drive of infected computers. Users were then asked to “renew the license” which involved sending $189.00 to a Panama P.O. box. This is an example of “crypto-ransomware.” Then around 10 years ago, other families of crypto-ransomware such as Cryzip, Krotten and Gpcode appeared on the scene.

Crypto-ransomware is particularly dangerous because it encrypts files on computer systems using strong and often unique encryption algorithms. This means that if these files were not properly backed up, users could lose this information forever unless they agreed to pay the price asked by the extortionists. And even if proper backups were extant, users still faced the hassle of rebuilding their machines; a time-consuming task that many would happily pay to avoid.

Another type of ransomware (that has been with us for more than 15 years) uses “blockers” to render computers unusable. Blockers are windows that cover all other windows on your desktop. These blocker windows usually contain a message from the extortionists telling users how and where to send the ransom in order to get their computer screens or browsers unlocked. This type of ransomware was the first to reach “epidemic” proportions back in 2010. Both of these ransomware types were originally used to attack mostly user machines, but now attacks on businesses are increasing rapidly.

Recently, especially within the last 6 to 10 months, things have changed. In April of this year, Kaspersky Lab noted that more than half of all ransomware is now crypto-ransomware; a figure up from barely 10% just a year earlier. In addition, there are new, more insidious types of crypto-ransomware appearing on the scene.

In January of this year the first JavaScript ransomware, “Ransom32” was noted. This ransomware uses the NW.js framework to infect computers, and so can probably be used to attack not only Windows OS, but Linux and Mac OS as well. This type of ransomware is being sold on the dark web as ransomware-as-a-service in exchange for a 25% cut in the ransom profits.

Another recently noted ransomware is called “Cerber.” Cerber encrypts user files using AES encryption, and costs the victim 1.24 bitcoins ($500.00) in ransom. Cerber itself is easy to remove, but encrypted files that have not been backed up will be lost if users fail to pay.

Now, there are even more dangerous ransomware types appearing. ZCryptor acts like a worm and can be spread from machine to machine. It is distributed through spam and email infection vectors, but can also be spread through Macro malware, removable/network drives or fake installers. It encrypts a number of different file types on infected computers using strong AES encryption algorithms, and changes the file extension to “.zcrypt.”

The sophistication and variety of these newer ransomware types shows that cyber criminals are investing plenty of resources on this malware. Users (and businesses) should expect more and more of these types of attacks in the future, and should protect themselves accordingly. Suggestions include:

  • Back up your important files very regularly. You will still lose any files/documents created after the last backup, so adjust your backup frequency accordingly.
  • Ensure that all of your systems and software are current for security maintenance and are configured in a secure manner.
  • Train your personnel about ransomware and how it spreads.
  • Keep your security software up to date and employ pop-up blocker software.
  • Monitor file system activity and extensions.
  • Employ Honeypots (such as MSI HoneyPoint software) on your systems.
  • Employ User Behavior Analytics (UBA) on your network.
  • Employ anti-ransomware products and mechanisms.
  • Ensure your Incident Response and Disaster Recovery plans are up to date and well-practiced.
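The “monitor file system activity and extensions” suggestion above, as an added example that is not part of the original post: it watches a file-audit feed for the `.zcrypt` extension the post attributes to ZCryptor and for a burst of writes by one account across several directories, which is what mass encryption looks like regardless of extension. The audit line format, thresholds and log contents are constructed assumptions.

```python
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ZCryptor renames encrypted files to ".zcrypt" (from the post); extend this
# set with extensions you learn from your own incidents.
RANSOM_EXTENSIONS = {".zcrypt"}
BURST_THRESHOLD = 20                    # writes/renames by one user ...
BURST_WINDOW = timedelta(seconds=10)    # ... inside this window ...
BURST_MIN_DIRS = 3                      # ... touching at least this many dirs
# Accounts whose bulk writes are expected (backup jobs) belong here so a
# legitimate nightly job does not page the on-call engineer.
ALLOWLIST = set()


def parse_event(line):
    """Constructed audit format: ISO-time<TAB>user<TAB>op<TAB>path[<TAB>newpath]."""
    parts = line.rstrip("\n").split("\t")
    ts = datetime.fromisoformat(parts[0])
    user, op, path = parts[1], parts[2], parts[3]
    result_path = parts[4] if op == "rename" else path
    return ts, user, op, result_path


def detect(lines):
    """Return ([(user, path) with a ransomware extension], [users showing a burst])."""
    ext_hits, burst_users = [], []
    windows = defaultdict(deque)        # per-user sliding window of (ts, dir)
    for line in lines:
        ts, user, op, path = parse_event(line)
        if op not in ("write", "rename", "create"):
            continue
        if os.path.splitext(path)[1].lower() in RANSOM_EXTENSIONS:
            ext_hits.append((user, path))
        if user in ALLOWLIST:
            continue
        window = windows[user]
        window.append((ts, os.path.dirname(path)))
        while ts - window[0][0] > BURST_WINDOW:
            window.popleft()
        if (len(window) >= BURST_THRESHOLD
                and len({d for _, d in window}) >= BURST_MIN_DIRS
                and user not in burst_users):
            burst_users.append(user)
    return ext_hits, burst_users


def sample_events():
    """Constructed log: bob edits two files; alice renames 25 files to .zcrypt in 5 s."""
    base = datetime(2016, 6, 1, 10, 0, 0)
    lines = [f"{base.isoformat()}\tbob\twrite\t/srv/share/hr/notes.txt",
             f"{(base + timedelta(seconds=3)).isoformat()}\tbob\twrite\t/srv/share/hr/plan.xlsx"]
    dirs = ["finance", "hr", "eng", "ops"]
    for i in range(25):
        t = (base + timedelta(milliseconds=200 * i)).isoformat()
        d = dirs[i % 4]
        lines.append(f"{t}\talice\trename\t/srv/share/{d}/doc{i}.docx"
                     f"\t/srv/share/{d}/doc{i}.docx.zcrypt")
    return lines


if __name__ == "__main__":
    hits, users = detect(sample_events())
    print(len(hits), "extension hits; burst users:", users)
```

The burst rule fires on the twentieth rename, well before a share is fully encrypted, which is the point of watching activity rather than waiting for the ransom note.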