Doing the Basics Would Have Saved You

A new Zero-Day attack is out available for attackers. this attack was discussed in the SANS website Internet Storm Center: https://isc.sans.edu/forums/diary/SMBLoris+the+new+SMB+flaw/22662/

SMBLoris – the new SMB flaw

The article was written from reviewing a Threatpost article, but was ultimately triggered because of the DEFCon 2017 presentation:

 

Notice the arrows on right with memory usage on a webserver going close to 100%.

What makes this attack (DOS – Denial Of Service) so bad is that it is easily disguised as ‘SlowLoris’ as sending partial HTTP requests to webservers (i.e. not fully connecting to the webserver). This partial connection essentially slows the webserver to a crawl when requesting enough connections.  And since this is a standard request, it is hard to distinguish friend from foe.

This is an interesting point from the archive.org webpage:

“Slowloris holds connections open by sending partial HTTP requests. It continues to send subsequent headers at regular intervals to keep the sockets from closing. In this way webservers can be quickly tied up. In particular, servers that have threading will tend to be vulnerable, by virtue of the fact that they attempt to limit the amount of threading they’ll allow. Slowloris must wait for all the sockets to become available before it’s successful at consuming them, so if it’s a high traffic website, it may take a while for the site to free up it’s sockets. So while you may be unable to see the website from your vantage point, others may still be able to see it until all sockets are freed by them and consumed by Slowloris. This is because other users of the system must finish their requests before the sockets become available for Slowloris to consume. If others re-initiate their connections in that brief time-period they’ll still be able to see the site. So it’s a bit of a race condition, but one that Slowloris will eventually always win – and sooner than later.”

So this is not a simple easy to see issue. This issue abuses the way the webserver operates for the following 4 applications:

 

  • Apache 1.x
  • Apache 2.x
  • dhttpd
  • GoAhead WebServer

slowloris is just one variant and as hackers review this attack…  variants may get created and thus exploit this in yet unknown ways. As of this posting there is no CERT classification yet.

What do I mean about the basics?  Well, if you have a webserver it should not have port 445 open to the public:

Google Port 445 definition:

Port 445 is a SMB port, or Structured Message Block which is used in NETBIOS protocols usually in file sharing applications. Well, one should not have a webserver with port 445 open and available on the Internet.

So, if you have done the basics, i.e. not run 445 or other ports that are unnecessary than this attack will likely not affect you or at least minimally affect you.  If you had to keep everything open, it might be time to run a firewall port limiter device in front of your website.  This is a fluid issue at this time, so keep an eye out for new attacks.. Contact Us to discuss.

 

Remember the hacker takes advantage of poor configurations.

Contact Us to discuss auditing your environment and review the basics in IT security.

 

 

 

The Old FUD – Fear Uncertainty Doubt

The FUD techniques are certain to come up again and again as they are effective (to a degree).

FUD is a marketing technique to sow fear into cost conscious customers that are thinking of going to a competitor. Pushing safety in numbers and other uncertainty creates FUD in the mind of potential customers. Thus it is not so easy to go with a competitor unless one is armed with knowledge.

the first FUD campaign happened when IBM mainframes finally receive some competition with Amdahl mainframe company.

Above picture is an Amdahl mainframe (with red-hued panels instead of the familiar IBM blue). Newcastle university in picture)

So obviously Newcastle University did not pay attention to FUD by IBM

Why do I mention this FUD business? Because it is an old tactic and is being used by competitor Firewalls in the security firewall market space.  Palo Alto is muscling into a larger marketshare (due to developing and running a good firewall operation)

So the competitors have developed a youtube video 

First one selects an exploit 

Then configure the test environment which means setting up what kind of attack will be ‘tested’.

then conveniently one can Run the attack.

So the competitor ran the Evader software with specific evasion techniques to see if they can evade the Palo Alto firewall they have set up so they can evade it.

 

This is exactly why FUD works, make future Palo Alto customers(or current ones) see that they can have a firewall that is not bullet proof.

Yes we know that – no firewall is bulletproof no matter how well you configure it, there is always one item that is missed over the days and years. Since we are assaulted day after day and all the hackers have to do is get one attack to work. We have to be cognizant to not be complacent and invincible (it will not happen to me attitude).

It is true we have better firewalls and the only thing to combat FUD no matter your industry is massive amounts of information, thus knowing what you have backwards and forwards.

Contact us to review your environment so that you don’t worry about FUD.

To Measure Risk, Measure Impact : Major Threats and Effects

To Measure Risk means to measure impact and threats(likelihood)

(R=L*I) Risk = Likelihood * Impact

 

So what does that mean? What are the threats and their effects to your environment? Answering this will give the true impact of the problem figuring out what risk one really has.

(Above image was copied from @ipfconline1 twitter images)

So let’s assume these are the major threats and Major concerns (from image)

  • Unauthorized Access  53%
  • Hijacking Accounts  44%
  • Insecure interfaces / APIs  39%
  • External sharing of data

Major Concerns

  • Data Loss/leakage  49%
  • Data Privacy  46%
  • Confidentiality  42%
  • Legal and regulatory compliance   39%

The threat is one portion of risk, the impact is another.

The idea is to view all of the threats coming at you and review where you should spend your time.

The problem with this methodology is one has to have a decent understanding of the impact and likelihood of various threats. Some of these items need to be also taken into context.

If you have 100 computers and they are all running Windows Operating systems (different versions 7,8,Server, 10) then a threat to your Windows base for MS17-10 is not as dangerous for all computers.

But what if a virus/trojan attacked and affected 20 computers?  Now the impact would be higher. So the Risk to your organization is higher from a relatively minor Microsoft vulnerability.

So one thing you will find is that even minor vulnerabilities can grow into major problems. So the potential effect of an exploited vulnerability  is the issue. Every month new patches are released and at the same time criminal hackers are trying to exploit the patch exploitability.

Unfortunately every vulnerability has an attack timeline.

Here is the crux of the issue, what is the impact for each separate vulnerability to your environment? As criminals develop better attacks you have to keep the threats in mind and do proper patching so as to defend your network.


By performing an audit of your environment and  reviewing impacts and likelihood you will hopefully be able to evaluate your risk properly.

Contact Us to help you with this process.

What is Real Story on Default Passwords?

Is it really as bad as some say? People are not changing default passwords and thus hackers control their machines if remote access is enabled in some way.

i think it is VERY BAD – as people are really looking for ways to make bad decisions:

https://superuser.com/questions/106917/remote-desktop-without-a-password

\

My apologies to this person who maybe innocently was trying to make some administration easier for him, but the lack of security knowledge is apparent. One should NOT even think of creating a scenario where there is a blank password on a machine (ever – even worse for remote access).

If this machine was connected to a Credit Card Machine now you are in PCI compliance violation.

Ok, we know not to have default or blank passwords…

Or is it that people don’t need to change the default password as the system is not remote accessible?

Even then the default password should be changed, because physical access needs to thought of, and is not 100% foolproof.

Or is it that people think the system is not remote accessible but it really is in some way?

The last scenario may be likely if the level of sophistication is not good.

And the hackers are looking for these machines as a post from last year notes the Verizon data breach Investigations Report  http://oversitesentry.com/why-are-there-cyber-security-issues/

Mentions that Remote Command Execution was found on scanned machines more than at other times.

Human error is one of the main reasons for security failures. in 2014 IBM ‘s Cyber Security Intelligence index notes “95% of all security incidents involve human error”

 

So how does a stakeholder (the board, CEO, exec team) make sure that human error is minimized (as it will likely never be 100% gone). It is to obvious to most: Bring in outside help to get a second or third opinion, and perform tests to see where human error can be minimized.  The CISA (Certified Information Systems auditor) would review the potential risks and set up  an audit to methodically find security issues.

Contact us to discuss

Email at Yahoo? You were hacked! Will be Phished!!

Yes we know yahoo had millions of email addresses hacked or rather the email address password database was stolen by an ingenious hacker.

 

Also according to this story(TechCrunch) the full disclosure over several years is 1 Billion email addresses and passwords were stolen

Updated 3/14  later in day:  also keep in mind if you have an ATT email account that is tied into Yahoo due to a connection the two companies made – aand that includes Verizon. CNET news story “Yahoo hack: It’s not just verizon. AT&T should be worried too”

So we know of about a million email addresses being sold on the Dark Web, and this is just the first 100k being sold on a dark web interface:

Image from hackread.com

In this ad for 10.75$ you can obtain 100k  email addresses and the decrypted password.

 

 

So your Yahoo email and password is in many places now, Where did you use the Yahoo email to login? Banks, credit card.

The hackers are not just buying emails and passwords to check your email. First they will check your email and then see what bank and other accounts they can take over.

Or they can use this information to create more focused phishing campaigns. I.e.  the information in emails within all the yahoo emails can be used to create targeted phishing campaigns (also called spear phishing)

So what should you do?

Get rid of your Yahoo email address ASAP, should you require all employees to remove any vestiges of Yahoo emails in their lives?

How can you make this claim? Because the longer they keep the Yahoo email account the more likely the criminal hacker will access the email account and steal information to phish more effectively, especially into a company account.

 

Have you ever sent something from work email to the Yahoo email? If this is a Yes  now the hacker knows your work email. and can create highly sophisticated phishing attacks with malware that may have an adverse affect on your company.

So owning a personal Yahoo Account may enable criminal hackers to get access to your company in the months ahead as the criminals are just now digesting  how the new information and are setting their attack plans in place.

Remember this OODA Loop image.. from my post a few days ago(Feb 28 Post “What Cybersecurity Methods to Use”).

Right now both the criminals(Attackers in red) and you have been given information what is more likely the attacker will Observe, Orient, Decide and Act first or you will process the OODA loop and ultimately ACT!

In the past it has been the aggressive criminals making moves and getting the into company networks.

What will be your move?

Contact Us to discuss.