What We Can learn From Baltimore City Ransomware Attack

From WSJ article

On May 7th hackers were able to shut down a number of city of Baltimore computers. They demanded $100k worth of bitcoins to release their stranglehold. On this day that is about 13 Bitcoins (value of Bitcoins fluctuates).

So Baltimore is refusing to pay as they should. The ransomware the hackers used is called RobbinHood.

And apparently if no payment within 10 days the price goes up.  How did RobbinHood get access to the systems (and then corrupt them)?

Bleepingcomputer.com goes into some of the RobbinHood details.

Apparently this ransomware is not coming in through Spam (like many others). Arstechnica has some more details of the IT details in Baltimore City departments:

“Tracking down how and when the malware got into the city’s network is a significant task. The city has a huge attack surface, with 113 subdomains—about a quarter of which are internally hosted—and at least 256 public IP addresses (of which only eight are currently online, thanks to the network shutdown).”

Part of this problem seems to stem out of mismanagement of GRC (Governance, Risk, Compliance).  The IT department was underfunded, which seems obvious now, but was not earlier.  And now the decision is do we pay ransom to get back to normal?  Or suffer through a restore which is an unknown amount of time and resources. Will the restore work? If not, then we have to rebuild systems from scratch. Reinstall operating systems and applications, while also making sure this problem does not resurface (create proper procedures of installing and patching).  So all the things that were obvious in the past and had a long time to resolve, now must be done under the glare of the public eye, in a quick manner. There are plenty of stories of how real estate transactions are not closing without some department computers. So where the city wanted to be paperless, it has to reinstate paper based processes.

Needless to say Baltimore is the poster child of how not to do things.

There is a price to pay at some point for bad management decisions (underfunding IT updates or security initiatives). When you do not update systems in a sprawling campus of hundreds of systems, then it is inevitable that there will be a system that can get attacked. Hackers are ingenious and find ways in. Once they are in, the game is to elevate credentials (privileges).

Let me ask you a question: If it is relatively easy to come in and take a system (for the hacker) then elevating privileges will also be ‘easy’. As privilege escalation vulnerabilities are more numerous.

So now the hacker is in the network and can do pretty much as they please. Now the hacker will try and find the most important systems (email and file servers among others) to infect. This is  exactly what happened in the city of Baltimore campus.

Contact US to discuss GRC and prevent a disaster like this to your organization.

Windows10 Obsolete already?

Is your Windows10 version obsolete already?  there are many versions of Windows10 and it depends on when it was released, example – the first one version 1507 released July 2015 has a end of service date of May 9, 2017.

The problem is every software manufacturer  Can’t or doesn’t keep releasing  vulnerability updates forever. The reason has to do with structural and other programmatic changes that would make some updates very difficult to incorporate. In fact in some cases it would be a herculean task to make changes, so it is a monetary and feasibility reason as to why there is and end of service date.

Now that you know that there is an “end” date what needs to be done?

Update to new version of Windows10!!!

Here is the lifecycle table for Windows10 versions from support.microsoft.com webpage

So as an IT user or professional we must learn the technical nature of our devices. Microsoft does not want to issue a version update like in years past:

I.e. version 3.0(1990) with first multi-task abilities, then 3.11 with networking. When 4.0  was due that became WindowsNT and 95.  As the marketing team took control of the naming of new Windows Operating systems the version changes(1.0/2.0/3.0/4.0) were not reflected in the names, only as an additional “version” number.

My version is relatively new (released April 2018), so I have until Nov 2019 until I _have_ to make a change.

Now Microsoft is at Windows10 and with a 4 digit version number.  The actual numbers do not have a significance except that it tells you when it was released and when it will have end of service life only if you look it up in a Microsoft End of Service Table.

There is another reason to keep a close eye on this End of service date, as once the version is obsolete, no more updates will be made and you are out of compliance with your systems.

At the Microsoft End of Service webpage there is an interesting sentence:

“Some editions1 can defer semi-annual feature updates at Settings  >Windows Update >Advanced options or via a policy that an organization’s management system may provide to the device. On devices that haven’t been configured for deferral, you’ll need to install the latest feature update to help keep your device secure and have it remain supported by Microsoft. New versions may be automatically installed prior to the end-of-service date of the current version on your device.

1 Home edition does not support the deferral of feature updates and will therefore typically receive a new version of Windows 10 prior to the end-of-service date shown.”

So in theory the windows Update will update the Windows version before it expires and no longer updates on its own. But for those of us in IT that have managed hundreds of systems, not all systems update correctly. You cannot assume all systems will updates on their own.

It is best to have someone review your systems which can be done in an automated fashion by scanning the systems. If an old Operating system is present the scan will reveal a high vulnerability (10 out of 10).

Since the system will not get any more updates, the system has to be initiated to upgrade.

Contact US to help you with this process

Headless OpenVAS install

I needed to run OpenVAS (OpenVAS stands for Open Vulnerability Assessment System) the Linux based vulnerability management software on a virtual machine, which means it does not have its own monitor that one sits at to see this screen:

OpenVAS is made by Greenbone, “which develops OpenVAS as part of their commercial vulnerability management product family “Greenbone Security Manager” (GSM). “(from their main web page:)

OpenVAS was developed out of the Nessus code base since 2005, now at github.  The developer of Nessus decided to make Nessus closed source(proprietary) in October of 2005, so openVAS was created and initially named GNessUs.

Why am I talking OpenVAS today? Because I was tasked to install it on a virtual system.

So, one has to install OpenVAS (or update on some Linux distributions since it is already installed by default).  So I work with Kali Linux,  since I use a lot of other tools that are built into the distribution. I wanted to keep some familiarity and so run OpenVAS on Kali Linux.

What are you installing? Several pieces that will need to run on the virtual machine:

As you can see in the image above the Greenbone Security Assistant is software that connects to the OpenVAS Manager and Scanner to run the scans to the targets. OpenVAS uses NVTs(Network Vulnerability Tests) to run the scans. Up to this point (3/18/2019) there are over 49600 tests. CVEs now number 115906.

So in a standard kali Linux install one has the OpenVAS version that comes with it, so to use OpenVAS you have to upgrade Kali first using the following commands:

apt-get update && apt-get install openvas

So now that you have the latest version on your machine how are you going to access OpenVAS? since you cannot sit at the monitor of a virtual system (or what is called a headless install).

 

After some (actually a lot) of review online and some tinkering I found it useful to know some systemd.  And it just so happens that systemd has several configuration files in a few directories:

/etc/systemd/system/*

/run/systemd/system/*

/lib/systemd/system/*

 

The one that is important and relevant for OpenVAS is the /lib/systemd/system directory.

In here there are 3 files that are of importance:

Openvas-scanner.service

Openvas-manager.service

Greenbone-security-assistant.service

What we have to do to make the installation complete is to replace the ip address of the virtual machine to the greenbone-security-assistant.service file.

Specifically

change it in this manner, run the following command(changing <your ip> to the virtual system ip address):

Sed –e ‘s/mlisten=<your ip>/127.0.0.1/g’  greenbone-security-assistant.service

Example the virtual system ip address is 192.68.0.1  so this is what should be run:

Sed –e ‘s/mlisten=192.168.0.1/127.0.0.1/g’  greenbone-security-assistant.service

After running this command you have to run the following:

Systemctl  daemon-reload

(these commands need to be run with root permissions(sudo))

So once the ip address is entered in command line, and the systemd file .service file reloaded you can restart the gsad  and then log into the web interface assuming you already set up the users.  To access the Greenbone-security-assistant program enter the following in your browser:

https://192.168.0.1:9392

From there you will have to learn how to create scans and more.  But at least it is working remotely.

There is also a small issue with this procedure, it is not supported by Greenbone, they want you to install the Greenbone community edition

The security feed is more stable than the community feed (the free version) and has encrypted transmissions.

Contact us to discuss

PCI Compliance Small Biz Simplified

There are 12 pieces to PCI compliance, let’s list them and find if they are applicable, or if we can minimize our attention.

first of all it is not a major point in the standards, but creating an inventory of devices is paramount in becoming PCI compliant. Being compliant will also be easier for you if you make a proper inventory (with all the software and hardware that is applicable), but it is also good for general security even if not needed due to not touching payment card data.  Basically for PCI compliance anything that touches payment card data is going to get some extra scrutiny.

So guess what, you need to have documentation and procedures to make sure only the right people will access the data and not abuse the data. I.e. do not send payment card data in an unencrypted format over Internet for example. Another example is do not send customer data via fax or chat sessions.

So if you have documentation and have signed employee statements that they read this, then PCI compliance is easier.

 

Let’s work our way form bottom:   Must have security policy(documentation), must have testing of network and all systems, must have a firewall, must have antivirus or anti-malware software, must change default passwords, do not develop your own software (as that is much more difficult), authenticate to systems and restrict access to payment card data also physically.  Do not store cardholder data will simplify your compliance needs.

Encrypt the actual transaction from cardholder (merchant to financial institution). This machine should be an approved mechanism from your financial institution.    Although it complicates things if you have it on one of your computers. Easier if on a machine specific for swiping cards, or inserting cards.

If you focused on no development of your own software and used only a specific PCI compliant machine with documentation for your employees that would go a long way to solving your PCI compliance.  If you can segment the network (if the payment card machine needs to access the Internet which a lot do now) that will cut down on the number of machines to test by the auditor.

Monitoring the log system is just prudent, as well as making sure that the access of systems is properly authenticated.  Many of these steps are just common sense computer security items (changing default passwords).

 

Some general topic headings from PCI document:

Build and Maintain a Secure Network and Systems

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  1. Restrict access to cardholder data by business need to know
  2. Identify and authenticate access to system components
  3. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  1. Track and monitor all access to network resources and cardholder data
  2. Regularly test security systems and processes

Maintain an Information Security Policy

  1. Maintain a policy that addresses information security for all personnel

 

 

 

We will test your network and give you a specific list of making PCI compliance easy to follow and complete.  Contact us to discuss.

 

Back To Basics in 2019 – Must Have Cybersecurity Issues

What was different about 2018 that will confound us in 2019?  Is there anything new in 2019 that will cause problems for us?

By ‘us’ I mean businesses trying to keep going with their business lives. I.e. run your business, try to make profits, grow product lines or services.

None of us are in tune with new technologies that can be used to upend  our current world that we live in until it is too late and we have to play catch -up. In 2007 how many people actually went and bought a smartphone before it was obvious everyone was going to get one?

This next picture is of an IBM Quantum computer as written about in Wired UK among others:

If you have not heard your computers and phones are built on an old architecture(from the 50’s and 60’s) The quantum computer is a new architecture much faster the current binary machines.

What can possibly be created with a quantum computer?

  1. Unbreakable encryption for one.
  2. Artificial Intelligence and Machine learning (similar yet different)
  3. Molecular Modeling and other sophisticated modeling
  4. Optimization programs
  5. Financial Modeling
  6. Sophisticated new attacks on hardened targets

My point is not that a new Armageddon is coming, it may be but most important is that new days may bring new challenges, and you have to be ready to take them on.

Most important you must take a little time to review new technologies and techniques to see if these methods can create security headaches for your organization.

Practically though the place where we all will get hit is regulations. As more high profile cyber attacks make inroads in organizations the regulations will make life more difficult(more paperwork).

More paperwork means risk based analysis and scanning / audits of networks and computers.

End result is we need more vigilance even if our computers are in “the cloud”.

In the above AWS youtube video   some common sense:

The first thing any auditor will want to see is your documentation.  What is your documentation? Do you have a security policy? Do your employees read it and sign off on it? I.e. is Cybersecurity at least a little bit important?

We are in the business of Computer Cyber audits to help your business be more secure and thus handle the coming challenges in 2019 wherever they may come (technological or regulatory).

Contact Us to discuss