Category: ITSecurity Training

How are Hackers Always a Step Ahead of Defense?

So the Defense (also known as Blue team) has been inundated with spam, the goal of the spam(for the hackers) is for an unsuspecting user to give up their credentials(username and password). Hackers are always trying to get your usernames and passwords.

Opening a word document? What if it included a small file that is unlikely  or even impossible to detect when first opening the file? because it gets resized to a small point in the document.

Notice the above image shows how to create a link inside a picture.

the above image is from ISC.sans.edu link.

So due to various dirty tricks in spam we have built 2FA (Two Factor Authentication) so that the connecting to the email server and getting your email will effectively shut out the spam merchants… until now with this nifty trick.  (Do you have to re-establish 2FA every time you get email? Or only when first logging in?)

When you open the word document the picture activates and tries to connect to the criminal-hacker-website.com which then sends the credentials of the computer to criminal-hacker-website.com.

Clearly only username and password defense is not going to do the job, as many tricks will pry the information to your account out of you.  And an incorrectly set up 2FA also would be a problem.

The defense must have a good logging and egress filter setup. (Block port 445/tcp , 137/tcp, 139/tcp, and 137/udp and 139/udp.

Back to my question “How are Hackers Always a step ahead of the Defense?”

The answer lies in logic actually:  If you have to defend 24 hours per day every day while trying to use software of the Internet then it is only a matter of time before a hacker uses ingenuity to break or bypass your defenses as shown above. We have to constantly be aware of new attacks and thus ways of defending against new vulnerabilities found every day.

True it would be nice if all software did not have security issues, but as we know security is not the highest effort while making a product. Making money is, and sometimes a security audit is not high on the priority scale.

So it is the same old story “The risk versus Security” see-saw.

The people who focus on Security might spend more in resources rather than others, so if you hear a new potential attack are you impulsively scoffing? Or saying I have to learn this attack and defend against it (thus spending resources?

if you are scoffing and wish to take on more risk by thinking the security problems might go away just by thinking they will go away. The risk on the internet these days is not that low, the ingenuity of new attacks are coming so fast that if you have not upped your ante, then one day it will be too late and the headlines will serve your epitaph.

So We believe that you should do both seek some risks while also staying secure  by employing Security Auditors.

 

Contact Us to discuss

Is There Cyber Risk? How to Assess Risk?

An interesting video from RSA Conference 2018: “There’s no such Thing as a Cyber-risk”

So if you look at possible risk domains  Computer Security (or Cybersecurity is not on there.

  1. Operations: errors – fraud – talent – employee engagement – safety
  2. Service Availability: capacity, resiliency, data integrity, intentional disruption
  3. Product delivery: pre-executions – release executions
  4. Compliance: regulatory, contractual obligations, privacy lane, employment law, other laws

Of course data integrity is there – so if there is a cybersecurity problem data integrity may become an issue.

The definition of “Operational risk” is the prospect of loss resulting from inadequate or failed procedures, systems or policies. Employee errors. System failures. fraud or other criminal activity. Any event that disrupts business processes

The problem with Cyber risk is that it can affect operations but is not always obvious how bad it can get until it happens.  Can you operate without computers? Can it get that bad? What if it does? Just like one may have electricity backup in an area which has frequent power outages, one has to consider what to do if there are no computers to run credit card transactions.

To properly assess operational risk, what is it one must ask in regards to computer assets with regard to cybersecurity? What if I cannot use this device? i.e. it has been hijacked by hackers or otherwise incapacitated.

If credit card processing is stolen, what could be worse is now your reputation can take a hit. Since the news will be filled with stories of Credit card fraud originating at your business.

Consider reputation in assessing operational risk. And reputation does not always mean systems fail or money is lost due to no electronic access.

It all depends on who you claim to be in the public space. Is your business marketing claim to be up-to-date? Then  reputation may have to have a higher impact. Make sure you are spending enough resources in relation to your REAL level of risk.

 

If you need help in assessing risk contact us.

Why Is It Cybersecurity Pros Make It Complicated?

We say things like: DO NOT CLICK ON Phishing emails!!

But then Equifax creates www.experianidentityservice.co.uk ???  or creditexpert.co.uk/login/login

Bsides in London earlier this year had a presentation by Meadow Ellis (@notameadow).

Meadow makes a good point, as we as Cybersecurity professionals ask users to be careful what you click, and then  somebody in the company makes a difficult to read domain name, since the easy ones are taken.

So if a user can at times be duped and then clicks on malware (let’s face it users will  never be 100% accurate) then we must assume that the hackers can go into one of our systems inside the firewall.

So this scenario describes why we need to have zero-trust network architecture, and in a zero-trust network, we assume the bad guys are everywhere, so it requires identity management to be hardened.

Assume that phishing will work eventually in your environment

Here is where tyhe phishing domains are actually coming from(Paloaltonetworks.com post):

You see the problem is all the hosting companies are in the USA  so as I mentioned all the attackers are already in our midst.

Your risk management and Cybersecurity plans need to reflect that.

Your marketing efforts should reflect a simple domain structure that makes sense so that when the phishing people try to scam your customers, they will hopefully see through the bad domains.

As per Isaca presentation: “State of Cybersecurity”  90% of all federal (US) breaches are started with a phishing email.

 

Contact us to discuss your cybersecurity risk management profile.

 

SAML Attacks can break down Single Sign-On(SSO)

Area41 Defconswitzerland had an interesting video about attacking Single Sign-on technology SAML – Security Assertion Markup Language  (basic tutorial on SAML)

There are a few ways an attack can happen, while the initial connections are made (and all certificate info is exchanged or other info needed.

Or after the initial connection was made and now the single sign on conditions are set. I.e. the auth server will store cookies, and redirects on next ask for access.

The image above is from auth0.com

So when the attacker tries to inject an attack they are mimicking the tokens. or the XML .

check out the following from the defconswitzerland video:

SAML Attacks Certificate Tampering

  • Clones a certificate, generate a new key material
  • Use a certificate signed by other official CA

SAML Attacks XML

  • signature Exclusion(simply delete Signature)
  • XML signature Wrapping
    • Paper on breaking SAML(Be whoever you want to be 2012)

SSO is supposed to be a technology which makes accessing multiple network systems easier and safer. So if there is a way to attack it and have access then it defeats the purpose of all this defense.

 

Contact Us to discuss auditing your network environment

You are Good, But Neighbor is not… Now What?

Let’s set this up…

You have paid attention to some Cyber security efforts, and have a number of defenses, maybe not “all of them” but your risk management matrix has shown you where to focus. What is impact on a device if having Cyber security problems?

Assuming you set up the probability matrix of all of your devices failure impact… Did you think of everything?

What about this:

Internet Storm center has  a story “More malspam pushing Lokibot”  

The post is about when an email attachment RTF(Rich Text Format) runs and then downloads an exploit for CVE-2017-11882 which installs Loki the information stealer.

Once Loki is on the machine it will contact home base and more.

Loki is an especially bad malware software, as it steals FTP credentials, SMTP credentials, Browser data, database information, and keylogger abilities.

So how do we defend against this malware? we need to deny the entry points. Because if once the malware is in one of your systems or one of your partners then it is a different game.

 

So what happens when  you think the neighbor is infected?  The firewall is no longer in play, as all internal machines are now open to attack. All it takes is another payload to be dropped into the infected machine that will take advantage of other machines with weak defenses.

So the problem is that any machine that you allow into your network (with vpn or otherwise) also can make your network systems weaker.

Coming back to our neighbor, if the neighbor does not have the same methods to security as you do, they are now a liability if you do not take the neighbor threat seriously.

I want to give an example in an apartment building that has been setup with a well known ISP internet service. So you get an apartment  and the service for internet is built-in to the price of your apartment(or at least is a minor add-on).

The Apartment people tell you to just plug into the wall and voila you have internet service.

So when i plug in, do i get my own router? Or am I connected within a switch with every other apartment first? So now I have to run a discovery scan, and check all other IP addresses first?

This is why one runs a discovery scan, to see all the machines that are on the network and that can see you. This is all part of the risk management of your company.

 

Contact Us to discuss Risk management and more.