Quick Look at Ransomware Content

Ransomware certainly is a hot topic in information security these days. I thought I would take a few moments and look at some of the content out there about it. Here are some quick and semi-random thoughts on the what I saw.

  • It very difficult to find an article on ransomware that scores higher than 55% on objectivity. Lots of marketing going on out there.
  • I used the new “Teardown” rapid learning tool I built to analyze 50 of the highest ranked articles on ransomware. Most of that content is marketing, even from vendors not associated with information security or security in general. Lots of product and service suggestive selling going on…
  • Most common tip? Have good and frequent backups. It helps if you make sure they restore properly.
  • Most effective tip, IMHO? Have strong egress controls. It helps if you have detective controls and process that are functional & effective.
  • Worst ransomware tip from the sample? Use a registry hack across all Windows machines to prevent VBS execution. PS – Things might break…

Overall, it is clear that tons of vendors are using ransomware and WannaCry as a marketing bandwagon. That should make you very suspicious of things you read, especially those that seem vendor or product specific. If you need a set of good information to use to present ransomware to your board or management team, I thought the Wikipedia article here was pretty decent information. Pay attention to where you get your information from, and until next time, stay safe out there!

3 Reasons I Believe In #CMHSecLunch And Its Mission

I get asked quite often about why I started CMHSecLunch and what the goals behind it are. I wanted to take a moment and discuss it on the blog.

First, if you aren’t a security person in Columbus, Ohio, you might not have heard of the event. Here are the details about it.

Every month, on the second Thursday, my team loosely organizes a simple lunch meet up at one of the local mall foodcourts. It is free, open to all – including non-security folks, kids and interested parties. There is usually a topic like “physical security”, “supply chain”, “threat intelligence”, “pen-testing”, etc. We also usually have something for people to fiddle with while they talk, like locks and lock picks, Legos, smart bits, cards and readers, etc. We find that having something to play with physically seems to help the attendees converse more easily.

The mission of CMHSecLunch was to emulate the “hallway conversations” part of security conferences, and to open up the security community to even larger groups of folks that may be interested, but may not have an easy way to get involved. I wanted it to be less formal than something like an ISSA/ISACA event, be free, loose in organization and really help people make personal connections with each other and the community at large.

The mission started in roughly 2012, and while we took a couple of breaks, is over 4 years old. Sure, there a lot of other events and even a couple of knock off lunches – emulation is a compliment 🙂 – but those usually include some formal presentation, vendor sponsor pitches or some other form of noise as the center of the event. I wanted to avoid all of that and put people at the center of the event. No vendor pitches, no one buys your lunch – so you don’t owe anyone anything either implicit or implied – and since it is in an open public space like a mall food court – there is no separation of infosec from the general public. Everyone can see, talk and ask questions without all of the speed bumps and smoke/mirrors and sense of separation sometimes associated with the infosec community. We’ve had middle school kids, college students, IT folks, janitors at the mall, infosec practitioners, managers and executives join us, engage and ask questions.

So, the #1 reason that I support CMHSecLunch is just that – the open nature and open discussion that comes from it. Thus far, nearly everyone who sits down with us at these events leaves their ego at home or in their car. We’ve had honest discussions from technical to personal, jokes and explanations, stories and anecdotes and even some project launches. Overall, the sense of openness and community has been one of the most amazing parts of my career. Sometimes there are 3 people, sometimes 30 – but I always leave with a smile and a renewed sense of community.

The second reason I believe in CMHSecLunch is that I have seen it bring new talent and fresh energy to the community. People have personally told me that because it was an open, public space and there was nothing expected, that they had the courage to finally approach infosec folks. Many times, people are nervous that they may not fit in, or have the skill set or knowledge of security practitioners at the more focused meetings. They may not have the management or budget support to go to conferences, ISSA/ISACA/OWASP events or even know that they exist. But a lot of people are on Twitter. A lot of people aren’t nervous to go to a mall food court. A lot of people can afford to invest in a fast food or brown bag lunch to get to know people to get started. That’s the crucial ingredient – to make it easy for new folks to join and engage. We need them. The community desperately needs new talent, fresh ideas and new resources that aren’t already locked into the echo chamber of infosec. In fact, I would say new ideas and new talent will make or break infosec over the next 10 years. I believe CMHSecLunch is an easier way for those new people to get started.

Lastly, I love bringing security discussions out of closed business conference rooms and into the mall. I absolutely get thrilled when people around us ask about lock picking or smart bits or whatever we are playing with. I love it when people lean in to listen about hacking or about how credential theft works. We have seen so many surrounding tables clearly listening in – that I have made it a habit to simply ask them to join us and explain the mission. It’s a beautiful thing. Remove the smoke, mirrors and mysticism of infosec – and everyday people are suddenly interested again. They become a little less apathetic, a little less distant and a lot more aware. Isn’t that what we have always asked for as a community? Didn’t we always want everyday users to be more engaged, more aware and more security capable? I truly believe that it will take bringing the public into the fold to make that happen. I believe that events like CMHSecLunch – loosely organized, free, open to the public, held in common public locations and developed on a spirit of inclusion, just might be a way forward. Mostly, I believe in the open, honest and caring attitudes of people, regardless of what community they believe themselves to be a part of. Thus, I believe in CMHSecLunch and our mission…

Wanna give it a try? If you are around central Ohio, you can find the schedule, locations and times here. Want to start your own event, in your area? Ping me on Twitter (@lbhuston) and I’ll be happy to discuss what I did to promote it, and how I would go about it. If I can help you get a group started, I will. That’s it. That’s why I believe. I hope you will believe too… 

The Dark Net Seems to be Changing

The dark net is astounding in its rapid growth and adoption. In my ongoing research work around underground sites, I continue to be amazed at just how much traditional web-based info is making its way to the dark net. As an example, in the last few research sessions, I have noticed several sites archiving educational white papers, economic analyses and more traditional business data – across a variety of languages. I am also starting to see changes in the tide of criminal-related data and “black market” data, in that the density of that data has begun to get displaced, in my opinion, by more traditional forms of data, discourse and commercialization.

It is not quite to the level of even the early world wide web, but it is clearly headed in a direction where the criminal element, underground markets and other forms of illicit data are being forced to share the dark net with significantly more commercial and social-centric data. Or at least, it feels that way to me. I certainly don’t have hard metrics to back it up, but it feels that way as I am working and moving through the dark net in my research. 

There is still a ways to go, before .onion sites are paved and turned into consumer malls – but that horizon seems closer now than ever before. Let me know what you think on Twitter (@lbhuston).

Just a Quick Thought & Mini Rant…

Today, I ran across this article, and I found it interesting that many folks are discussing how “white hat hackers” could go about helping people by disclosing vulnerabilities before bad things happen. 

There are so many things wrong with this idea, I will just riff on a few here, but I am sure you have your own list….

First off, the idea of a corp of benevolent hackers combing the web for leaks and vulnerabilities is mostly fiction. It’s impractical in terms of scale, scope and legality at best. All 3 of those issues are immediate faults.

But, let’s assume that we have a group of folks doing that. They face a significant issue – what do they do when they discover a leak or vulnerability? For DECADES, the security and hacking communities have been debating and riffing on disclosure mechanisms and notifications. There remains NO SINGLE UNIFIED MECHANISM for this. For example, let’s say you find a vulnerability in a US retail web site. You can try to report it to the site owners (who may not be friendly and may try to prosecute you…), you can try to find a responsible CERT or ISAC for that vertical (who may also not be overly friendly or responsive…) or you can go public with the issue (which is really likely to be unfriendly and may lead to prosecution…). How exactly, do these honorable “white hat hackers” win in this scenario? What is their incentive? What if that web site is outside of the US, say in Thailand, how does the picture change? What if it is in the “dark web”, who exactly do they notify (not likely to be law enforcement, again given the history of unfriendly responses…) and how? What if it is a critical infrastructure site – like let’s say it is an exposed Russian nuclear materials storage center – how do they report and handle that? How can they be assured that the problem will be fixed and not leveraged for some nation-state activity before it is reported or mitigated? 

Sound complicated? IT IS… And, risky for most parties. Engaging in vulnerability hunting has it’s dangers and turning more folks loose on the Internet to hunt bugs and security issues also ups the risks for machines, companies and software already exposed to the Internet, since scan and probe traffic is likely to rise, and the skill sets of those hunting may not be commiserate with the complexity of the applications and deployments online. In other words, bad things may rise in frequency and severity, even as we seek to minimize them. Unintended consequences are certainly likely to emerge. This is a very complex system, so it is highly likely to be fragile in nature…

Another issue is the idea of “before bad things happen”. This is often a fallacy. Just because someone brings a vulnerability to you doesn’t mean they are the only ones who know about it. Proof of this? Many times during our penetration testing, we find severe vulnerabilities exposed to the Internet, and when we exploit them – someone else already has and the box has been pwned for a long long time before us. Usually, completely unknown to the owners of the systems and their monitoring tools. At best, “before bad things happen” is wishful thinking. At worst, it’s another chance for organizations, governments and law enforcement to shoot the messenger. 

Sadly, I don’t have the answers for these scenarios. But, I think it is fair for the community to discuss the questions. It’s not just Ashley Madison, it’s all of the past and future security issues out there. Someday, we are going to have to come up with some mechanism to make it easier for those who know of security issues. We also have to be very careful about calling for “white hat assistance” for the public at large. Like most things, we might simply be biting off more than we can chew… 

Got thoughts on this? Let me know. You can find me on Twitter at @lbhuston.

Artificial Intelligence – Let’s Let Our Computers Guard Our Privacy For Us!

More and more computer devices are designed to act like they are people, not machines. We as consumers demand this of them. We don’t want to have to read and type; we want our computers to talk to us and we want to talk to them. On top of that, we don’t want to have to instruct our computers in every little detail; we want them to anticipate our needs for us. Although this part doesn’t really exist yet, we would pay through the nose to have it. That’s the real driver behind the push to achieve artificial intelligence. 

Think for a minute about the effect AI will have on information security and privacy. One of the reasons that computer systems are so insecure now is because nobody wants to put in the time and drudgery to fully monitor their systems. But an AI could not only monitor every miniscule input and output, it could do it 24 X 7 X 365 without getting tired. Once it detected something it could act to correct the problem itself. Not only that, a true intelligence would be able monitor trends and conditions and anticipate problems before they even had a chance to occur. Indeed, once computers have fully matured they should be able to guard themselves more completely than we ever could.

And besides privacy, think of the drudgery and consternation an AI could save you. In a future world created by a great science fiction author, Charles Sheffield, everyone had a number of “facs” protecting their time and privacy. A “facs” is a facsimile of you produced by your AI. These facs would answer the phone for you, sort your messages, schedule your appointments and perform a thousand and one other tasks that use up your time and try your patience. When they run across situations that they can’t handle, they simply bring you into the loop to make the decisions. Makes me wish this world was real and already with us. Hurry up AI! We really need you!

Should MAD Make its Way Into the National Cyber-Security Strategy?

Arguably, Mutually Assured Destruction (MAD) has kept us safe from nuclear holocaust for more than half a century. Although we have been on the brink of nuclear war more than once and the Doomsday clock currently has us at three minutes ‘til midnight, nobody ever seems ready to actually push the button – and there have been some shaky fingers indeed on those buttons! 

Today, the Sword of Damocles hanging over our heads isn’t just the threat of nuclear annihilation; now we have to include the very real threat of cyber Armageddon. Imagine hundreds of coordinated cyber-attackers using dozens of zero-day exploits and other attack mechanisms all at once. The consequences could be staggering! GPS systems failing, power outages popping up, banking software failing, ICS systems going haywire, distributed denial of service attacks on hundreds of web sites, contradictory commands everywhere, bogus information popping up and web-based communications failures could be just a handful of the likely consequences. The populous would be hysterical! 

So, keeping these factors in mind, shouldn’t we be working diligently on developing a cyber-MAD capability to protect ourselves from this very real threat vector? It has a proven track record and we already have decades of experience in running, controlling and protecting such a system. That would ease the public’s very justifiable fear of creating a Frankenstein that may be misused to destroy ourselves.

Plus think of the security implications of developing cyber-MAD. So far in America there are no national cyber-security laws, and the current security mechanisms used in the country are varied and less than effective at best. Creating cyber-war capabilities would teach us lessons we can learn no other way. To the extent we become the masters of subverting and destroying cyber-systems, we would reciprocally become the masters of protecting them. When it comes right down to it, I guess I truly believe in the old adage “the best defense is a good offense”.

Thanks to John Davis for this post.

Never Store Anything on the Cloud that You Wouldn’t Want Your Mamma to See

It’s great now days, isn’t it?

You carry around devices with you that can do just about anything! You can get on the Internet and check your email, do your banking, find out what is new on Facebook, send a Tweet or a million other things. You can also take a picture, record a conversation, make a movie or store your work papers – and the storage space is virtually unlimited! And all this is just great as long as you understand what kind of risks this freedom poses to your privacy.

Remember that much of this stuff is getting stored on the cloud, and the only thing that separates your stuff from the general public is a user name, password and sometimes a security question. Just recently, a number of celebrities have complained that their photos (some of them explicit) have been stolen by hackers. These photos were stored in iCloud digital vaults, and were really very well defended by Apple security measures. But Apple wasn’t at fault here – it turns out that the celebrities themselves revealed the means to access their private stuff.

It’s called Phishing, and there are a million types of bait being used out there to fool or entice you. By clicking on a link in an innocent-looking email or answering a few simple questions, you can give away the keys to the kingdom. And even if you realize your mistake a couple of hours later, it is probably already too late to do anything about it. That naughty movie you made with your spouse during your romantic visit to Niagara Falls is already available from Peking to Panama!

Apple announced that they will soon start sending people alerts when attempts are made to change passwords, restore iCloud data to new devices or when someone logs in for the first time from new Apple devices. These are valuable controls, but really are only detective in nature and won’t actually prevent many data losses. That is why we recommend giving yourselves some real protection.

First, you should ensure that you educate yourself and your family about the dangers hackers and social engineers pose, and the techniques they use to get at your stuff. Second, it is really a lot better to store important or sensitive data on local devices if possible. But, if you must store your private data in the cloud, be sure it is well encrypted. Best of all, use some sort of good multi-part authentication technique to protect your stuff from being accessed easily by hackers. By that I mean something like a digital certificate or an RSA hard token – something you have or something you are, not just something you know.

If you do these things, then it’s a good bet your “special moments” won’t end up in your Momma’s inbox!

Thanks to John Davis for this post.

Three Security People You Should Be Following on Twitter

Network 256

There are a lot of security people on Twitter. There are a lot of people people on Twitter. That said, finding great people to follow on Twitter is often a difficult task, especially around something as noisy as Information Security.

That said, I wanted to take a quick moment and post three people I think you should be following on Twitter in the Infosec space and might not be.

Here they are, in no particular order:

@sempf – A great person (and a personal friend), his posts rock the mic with content ranging from locksport (lock picking as a sport/hobby), deep coding tips, application security and even parenting advice. It’s fun! 

@abedra – Deep knowledge, deep code advice (ask him about Clojure…we’ll wait…). The inventor of RepSheet and whole bunch of other cool tools. His day gig is pretty fun and he is widely known for embracing the idea of tampering with attackers and their expectations. Check him out for a unique view. Do remind him to change hats occasionally, he often forgets… 🙂

@NocturnalCM – Hidden deep in the brain of the person behind this account is an incredible wealth of knowledge about cellular infrastructures, mobile code, security, devops and whole lot more. Don’t let the “Code Monkey” name fool you, there’s a LOT of grey matter behind the keyboard. If nothing else, the occasional humor, comic strips and geek culture references make them a worthwhile follow!

So, there you go. 3 amazing people to follow on Twitter. PS – they also know some stuff about infosec. Of course, you can always follow me (@lbhuston) and our team (@microsolved) on Twitter as well. As always, thanks for reading and get back to keeping the inter-tubes safe for all mankind!

Let’s Get Proactive with End User Security

Where do most of the threats to the security of our IT systems lurk? The Internet, of course! Powerful malicious software apps are all over the Net, like website land mines, just waiting to explode into your computer if you touch them. And how about accessing social networks from your company work station? Do you really think that content on these sites is secured and only available to those you chose to see it? If so, then Im sorry to disillusion you.

So why do most concerns still let their employees casually access and surf the Web from their business systems? Especially in the present when most everyone has a smart phone or pad with them at all times? Businesses should embrace this situation and use it to their advantage. Why not set up an employee wireless network with all the appropriate security measures in place just for Internet access? (This network should be totally separate from business networks and not accessible by business computers). Its not expensive or difficult to administer and maintain a network like this, and employees could access websites to their hearts content (on their off time of course). And for those employees that are without a smart phone (an ever dwindling few), you could stand up a few kiosk computers that they could access using their employee wireless network password.

As for employees that need Internet access to perform their work duties, you should lock their access down tight. The best thing to do is to add needed websites to a white list and only allow those employees with a business need to access only those websites that are necessary and no others. Black listing and web filtering are partially effective, but they dont really work well enough. I cant tell you how often we have seen such filters in place at businesses that we assess that prevent access to gaming and porn sites, but still allow access to traps like known malicious websites in foreign countries! Go figure.

And dont forget to properly segment your business networks. Users should only be allowed access to those network resources that they need for business purposes. Users in workstation space should never be allowed to seeinto server space. Preventing this will go a long way in curtailing attacks from the other big danger the malicious insider. 

Thanks to John Davis for writing this post.

On Complexity & Bureaucracy vs Security…

“Things have always been done this way.” —> Doesn’t mean they will be done that way in the future, or even that this is a good way.

“We know we need to change, but we can’t find the person who can authorize the changes we need.” —> Then who will punish you for the change? Even if punishment comes, you still win, as you’ll know who can authorize the change in the future.

“We don’t have enough time, money or skills to support those controls, even though we agree they are necessary.” —>Have you communicated this to upper management? If not, why not? How high have you gone? Go higher. Try harder.

“That’s too fast for our organization, we can’t adapt that quickly.” —>Welcome to the data age. Attackers are moving faster that ever before. You better adapt or your lack of speed WILL get exploited.

In many of my clients, complexity and bureaucracy have become self re-enforcing regimes. They lean on them as a way of life. They build even more complexity around them and then prop that up with layers and layers of bureaucracy. Every change, every control, every security enhancement or even changes to make existing tools rational and effective, is met with an intense mechanism of paperwork, meetings, “socialization” and bureaucratic approvals.

While many organizations decry “change management” and “security maturity” as being at the core of these processes, the truth is, more often than not, complexity for the sake of bureaucracy. Here’s the sad part, attackers don’t face these issues. They have a direct value proposition: steal more, get better at stealing and make more money. The loop is fast and tight. It is self correcting, rapid and efficient.

So, go ahead and hold that meeting. Fill out that paperwork. Force your technical security people into more and more bureaucracy. Build on complexity. Feed the beast.

Just know, that out there in the world, the bad guys don’t have the same constraints.

I’m not against change controls, responsibility or accountability, at all. However, what I see more and more of today, are those principals gone wild. Feedback loops to the extreme. Layers and layers of mechanisms for “no”. All of that complexity and bureaucracy comes at a cost. I fear, that in the future, even more so than today, that cost will be even more damage to our data-centric systems and processes. The bad guys know how to be agile. They WILL use that agility to their advantage. Mark my words…