Risk Analysis Gone Wrong?

Since a picture says a thousand words, here is an attempt at an explanation of Risk Analysis.

The rows are "Impact on Environment": none, minimal, minor, significant, major, critical.

The columns are "Likelihood" (how likely, as a percentage, it is to happen): not likely, low, medium, medium-high, high, will happen.

These are not "real" systems in anyone's network, only an example of different CVE (Common Vulnerabilities and Exposures) risks in a hypothetical company. I picked on the IoT systems as the likely weak link (one has to update the software on those cameras or UPS devices, or one can be hacked). IoT systems are a weak link because they are not as easy to upgrade, yet they require upkeep like all systems.

In the past I was trying to explain the weak links with this picture:

The problem is that once one system is hacked, the whole network, with all its critical systems, is left open.

With the new image I am trying to explain what happens if a less important system is hacked (like the IoT devices): in the example the IoT system has a critical vulnerability but only a medium likelihood of being hacked.

Once hacked, this system lets the attacker survey other targets. This is where systems with lower CVE scores (3-6) are canvassed, and with the right vulnerabilities the hacker will attack them and set up persistence to stay in the network. Of course the idea is not just to stay in the network; one wants to attack valuable targets.

Such as exploiting "a High CVE on less critical systems" before the final attack on a critical system at the highest level.

The ultimate and worst possible attack is a remote code execution attack, since with a simple attack one can execute code on the system; for a hacker it is easily done.

So explaining the attack in total gives one a fuller and more complete understanding of the ultimate goal. But what is even more important? Now having the ability to assess risk better. Instead of assessing each device separately with each vulnerability, one must now assess impact and likelihood with the total attack in mind.

Which means? Lower vulnerabilities can have higher impacts. How should we account for this phenomenon?

We have to think like attackers (even hypothetically) to figure out which system with a lower vulnerability would be nice to have, so that the hypothetical attack can advance to its eventual goal.
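
Here is what that "total attack in mind" scoring looks like in code. This is an added example, not something from the original post: the six impact rows and six likelihood columns are the ones described above, while the systems, the lateral-move edges between them and their levels are constructed for a hypothetical company. Each system gets a standalone matrix score (row index times column index) and a path-aware score, the risk of the worst attack path that runs through it, where a path is only as likely as its least likely step and its impact is that of the final target.

```python
# Added example (not from the original post): scoring the risk matrix with the
# whole attack path in mind, so a low-vulnerability stepping stone inherits the
# risk of the critical target it leads to. Systems, edges and levels are constructed.

# The rows and columns of the matrix described above, lowest to highest (index 0..5).
IMPACT = ["none", "minimal", "minor", "significant", "major", "critical"]
LIKELIHOOD = ["not likely", "low", "medium", "medium-high", "high", "will happen"]

# Constructed estate: name -> (impact on the environment, likelihood of being
# compromised directly from the outside). Internal-only systems get "not likely"
# here because the firewall shields them from direct attack.
SYSTEMS = {
    "ip-camera":    ("minor",    "high"),        # exposed IoT device with a critical CVE
    "ups":          ("minor",    "low"),         # exposed, but better maintained
    "print-server": ("minimal",  "not likely"),  # internal, only CVSS 3-6 issues
    "file-server":  ("major",    "not likely"),
    "erp-db":       ("critical", "not likely"),  # the valuable target
}
ENTRY_POINTS = ["ip-camera", "ups"]

# Lateral moves possible once a system is owned: src -> [(dst, likelihood that
# the hop succeeds given dst's own lower-severity vulnerabilities)]. Constructed.
EDGES = {
    "ip-camera":    [("print-server", "medium-high")],
    "ups":          [("erp-db", "medium")],
    "print-server": [("file-server", "medium-high"), ("erp-db", "medium")],
    "file-server":  [("erp-db", "high")],
    "erp-db":       [],
}


def cell_risk(impact, likelihood):
    """Standalone matrix score: row index times column index, 0..25."""
    return IMPACT.index(impact) * LIKELIHOOD.index(likelihood)


def paths_from(entry, edges=EDGES, path=()):
    """Enumerate every simple attack path that starts at an entry point."""
    path = path + (entry,)
    yield path
    for dst, _ in edges.get(entry, []):
        if dst not in path:
            yield from paths_from(dst, edges, path)


def path_likelihood(path, systems=SYSTEMS, edges=EDGES):
    """A chain is only as likely as its least likely step (entry or lateral hop)."""
    level = LIKELIHOOD.index(systems[path[0]][1])
    for src, dst in zip(path, path[1:]):
        level = min(level, LIKELIHOOD.index(dict(edges[src])[dst]))
    return level


def path_risk(path, systems=SYSTEMS, edges=EDGES):
    """Impact of the final target times the likelihood of getting there."""
    return IMPACT.index(systems[path[-1]][0]) * path_likelihood(path, systems, edges)


def prioritize(systems=SYSTEMS, edges=EDGES, entries=ENTRY_POINTS):
    """Return {system: (standalone score, path-aware score, worst path through it)}.

    A system's path-aware score is the riskiest path that runs through it: patching
    it breaks that path, which is what makes a "low" vulnerability worth fixing first.
    """
    result = {name: [cell_risk(*systems[name]), cell_risk(*systems[name]), (name,)]
              for name in systems}
    for entry in entries:
        for path in paths_from(entry, edges):
            score = path_risk(path, systems, edges)
            for name in path:
                if score > result[name][1]:
                    result[name][1], result[name][2] = score, path
    return {name: tuple(v) for name, v in result.items()}


if __name__ == "__main__":
    ranked = sorted(prioritize().items(), key=lambda kv: -kv[1][1])
    for name, (alone, chained, path) in ranked:
        print(f"{name:13s} standalone={alone:2d} path-aware={chained:2d} via {' -> '.join(path)}")
```

In this constructed estate the print server scores 0 on its own (minimal impact, not reachable from outside) but 15 once the camera-to-print-server-to-file-server-to-database path is considered, the same as the database itself; the UPS path only reaches 5 because the UPS is well maintained and therefore an unlikely entry. That is the "lower vulnerabilities can have higher impacts" phenomenon made explicit, and the ordering it produces is the patch order.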

You might be saying now: that's all? That is all I have to do? Sort my systems, figure out the vulnerabilities, and then patch them. Well, it is not that easy, since life, with its vacations, sicknesses, labor issues, and other things, keeps coming your way. Vulnerabilities may come at inopportune times (they do not care if your family has an event); the hacker will hack you at Christmas without batting an eye. The truth of it is that one reason people and companies get hacked is that vulnerability management programs do not take sickness and vacations into account. Thus labor is always pushed into ever more difficult situations. There always seems to be a push for cost containment in IT and computer security, since it is assumed all systems should be secure. In the past no cost was associated with computer security. So this is why many companies lost their cohesion over time, and then something happens and the attackers get in.

Once the attacker has a toehold, it is possible to stay undetected for months. Meanwhile the patching lifecycle is front and center as the reason many systems get hacked as well.

Notice that when a vulnerability is found by a researcher it takes many days to actually get a fix for it, and then it takes yet another few weeks before it is installed in your system. It may be 60 days before the system is safe from attack. So we are in a constant state of risk in our networks. This is why every month's report of new vulnerabilities is important to review, and why we must continually test for any potential weaknesses in the network.

Now that you know the full reasons from A to Z, it is easier to actually assess risk on systems.

What you need when assessing risk is to review all possible risks and decide what to focus on next.

Contact for more information or to discuss your risk assessment.

Also, the latest CapitalOne hack seems to have been a misconfigured cloud configuration, which raises the question of why private information was being stored in a public cloud at all. Cyberscoop discusses this in more detail. The breach response may have been fast, but there was a major failure of architecture.

Interesting take on CapitalOne breach from former employee: https://medium.com/cloud-security/whats-in-your-cloud-673c3b4497fd

He says the configuration was faulty: one IAM (Identity and Access Management) identity could be used to access all of the data (a large weak link). I.e. if a hacker can get one account's username and password, they have all of the data.

The thing to do is to perform threat modeling and review your architecture as well as vulnerability management.
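
One concrete threat-modeling check for the "one identity reaches all the data" weak link is to ask, for each policy attached to an identity, whether a bucket that identity has no business with would still be readable. The block below is an added example, not code from the article, from the Medium post or from Capital One: the two IAM-style policy documents, the canary ARNs and the list of read actions are constructed for illustration, and only Allow statements are evaluated (a real evaluation also has to take explicit Deny statements, SCPs and bucket policies into account).

```python
# Added example: flag policies that let a single credential read the whole data store.
# Policies, ARNs and the action list are constructed for this illustration.
import fnmatch
import json

# Read actions on the object store; the set is an assumption for this example.
DATA_READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")

# A bucket no workload should need. If a policy grants read access to this
# canary, it grants read access to everything (constructed ARNs).
CANARY_OBJECT = "arn:aws:s3:::unrelated-customer-bucket/any/key"
CANARY_BUCKET = "arn:aws:s3:::unrelated-customer-bucket"

# The weak setting: every S3 action on every resource from one identity.
BROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]
}""")

# The corrected setting: one read action, one bucket the workload actually uses.
SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["s3:GetObject"],
                 "Resource": "arn:aws:s3:::app-logs-bucket/*"}]
}""")


def as_list(value):
    """Action and Resource may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def glob_match(pattern, value):
    """IAM wildcards (* and ?) behave like shell globs; action names are case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def allowed_everywhere(policy, actions=DATA_READ_ACTIONS):
    """Return the Allow statements that let any of `actions` run against the canary.

    Assumption: only Allow statements are evaluated here; NotAction/NotResource,
    explicit Deny, SCPs and bucket policies are out of scope for this example.
    """
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        action_hit = any(glob_match(pattern, action)
                         for pattern in as_list(stmt.get("Action", []))
                         for action in actions)
        resource_hit = any(glob_match(pattern, canary)
                           for pattern in as_list(stmt.get("Resource", []))
                           for canary in (CANARY_OBJECT, CANARY_BUCKET))
        if action_hit and resource_hit:
            findings.append(stmt)
    return findings


def blast_radius_ok(policy):
    """True when one compromised credential cannot read the whole data store."""
    return not allowed_everywhere(policy)


if __name__ == "__main__":
    for label, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(label, "OK" if blast_radius_ok(policy) else "FAIL", allowed_everywhere(policy))
```

Run over the two constructed policies, the broad one fails (its single statement reaches the canary) and the scoped one passes. The same canary idea extends to any data store: pick a resource the identity must never touch, and treat "yes, it can" as an architecture finding rather than a configuration detail.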

Chinese Cyberattacks Unrelenting And Will Not Stop

It is all part of the Chinese strategy to steal technology and information as they work on becoming the top country in the world.

There is an excellent article on the history of China and how it pertains to today’s world by Brandon J. Weichert at New English Review.

The "trade war" is part of a complex struggle by China to reach parity with and then overtake the United States.

The struggle with China is also pertinent in the cyber world: as we know from Mandiant's report, the Chinese PLA (People's Liberation Army) has a unit that actively attacks Western companies and countries to steal technology and anything else that might be important. This was the APT1 operational attack on the world.

China is actively attacking systems (as you will see below).

The PLA units comprise hundreds if not thousands of attackers.

In Mandiant's report there is some history: APT1 was first seen in 2006. So for the last 13 years the Chinese have been systematically trying to attack and steal relevant information from Western companies.

Every industry was attacked (it is easy to do, as everyone is connected to everyone on the Internet). Some industries are more important than others:

Above image is from Mandiant’s report linked above.

This is from a 2012 report about an old attack, but today these items have not changed much.

Let's go back to Mr Weichert's article ("Much More Than a Trade War With China"), which describes the warring states period of Chinese history (771-475 BC) as a unique time. In this era the Qin dynasty was able to overcome a superior adversary, the Zhou dynasty, through superior statecraft and mastery of strategy.

Mr Weichert brings up a quote by Jiang Zemin (Chinese leader 1995-2003): "there cannot be two suns in the sky". The history of China showed that only one dynasty will eventually defeat the other and survive to rule over all.

Here the "Barbarian-Handling" techniques analyzed by Edward Luttwak are:

  • Initially, concede all that must be conceded to the superior power, to avoid damage and obtain whatever benefits or at least forbearance that can be had from it;
  • Entangle the ruler and ruling class of the superior power in webs of material dependence that reduce its original vitality and strength, while preferring equality in a privileged bipolarity that excludes every other power;
  • Finally, when the formerly superior power has been weakened enough, withdraw all tokens of equality and impose subordination.

And then Chinese culture assimilates the 'Barbarian' culture, as when the Mongols invaded, eventually adopted Chinese methods, and were later surpassed. There are many older cultures in Asia that have been completely swallowed up by China.

Whether this is a good methodology for China is not the question here (I believe it is not); we note that it is occurring and is part of the "entanglement" strategy to steal technology. The technology advantage will not be significant, or even an advantage, over time with more and more tech thefts.

What is the easiest way to steal technology today? Over the internet!!

This is why the PLA is systematic in its actions. They attack everyone and then find the nuggets in the network stream. China's strategy is deliberate and systematic. In the 80s and 90s we had neighborhood kids who were trying to hack companies for the 'fun' of it. Today we have nation states with MASSIVE budgets and techniques.

If you do not think there is a serious cyberattack happening, you must wake up and smell the roses. If you have something to protect, and even if you do not, the wide swaths of cyberattacks coming out of China will make your life more difficult.

The above image does not surprise me: it shows the number of attacks on this website in one week. And this website has no data beyond what you see on the blog (i.e. there is no customer data or other data hidden).

Contact us to review your Cyber defense strategy.

What We Can Learn From the Baltimore City Ransomware Attack

From a WSJ article:

On May 7th hackers were able to shut down a number of City of Baltimore computers. They demanded $100k worth of bitcoin to release their stranglehold; on this day that is about 13 bitcoins (the value of bitcoin fluctuates).

So Baltimore is refusing to pay, as they should. The ransomware the hackers used is called RobbinHood.

And apparently if there is no payment within 10 days the price goes up. How did RobbinHood get access to the systems (and then corrupt them)?

Bleepingcomputer.com goes into some of the RobbinHood details.

Apparently this ransomware is not coming in through spam (like many others). Ars Technica has more details on the state of IT in Baltimore City departments:

“Tracking down how and when the malware got into the city’s network is a significant task. The city has a huge attack surface, with 113 subdomains—about a quarter of which are internally hosted—and at least 256 public IP addresses (of which only eight are currently online, thanks to the network shutdown).”

Part of this problem seems to stem from mismanagement of GRC (Governance, Risk, Compliance). The IT department was underfunded, which seems obvious now but was not earlier. And now the decision is: do we pay the ransom to get back to normal, or suffer through a restore that takes an unknown amount of time and resources? Will the restore work? If not, then systems have to be rebuilt from scratch: reinstall operating systems and applications, while also making sure this problem does not resurface (create proper procedures for installing and patching). So all the things that were obvious in the past, and had a long time to be resolved, must now be done quickly under the glare of the public eye. There are plenty of stories of real estate transactions not closing without some department's computers. So where the city wanted to be paperless, it has to reinstate paper-based processes.

Needless to say Baltimore is the poster child of how not to do things.

There is a price to pay at some point for bad management decisions (underfunding IT updates or security initiatives). When you do not update systems in a sprawling campus of hundreds of systems, it is inevitable that there will be a system that can be attacked. Hackers are ingenious and find ways in. Once they are in, the game is to elevate privileges (credentials).

Let me ask you a question: if it is relatively easy (for the hacker) to come in and take a system, then elevating privileges will also be 'easy', as privilege escalation vulnerabilities are more numerous.

So now the hacker is in the network and can do pretty much as they please. Now the hacker will try to find the most important systems (email and file servers among others) to infect. This is exactly what happened in the City of Baltimore campus.

Contact us to discuss GRC and prevent a disaster like this in your organization.

Internet Cameras Vulnerable to Attacks With No Fix

If there is no way to fix a vulnerability, what do you do if you have a camera with that vulnerability?

Here is the quote on Threatpost (from the engineer who found the flaw):

"Over 2 million vulnerable devices have been identified on the internet, including those distributed by HiChip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight and HVCAM," said Paul Marrapese, a security engineer who discovered the flaws and set up the hacked.camera website.

So the key items from Paul's website are the following two CVEs:

What is CVE-2019-11219?

CVE-2019-11219 refers to an enumeration vulnerability in iLnkP2P that allows attackers to rapidly discover devices that are online. Due to the nature of P2P, attackers are then able to directly connect to arbitrary devices while bypassing firewall restrictions.

What is CVE-2019-11220?

CVE-2019-11220 refers to an authentication vulnerability in iLnkP2P that allows attackers to intercept connections to devices and perform man-in-the-middle attacks. Attackers may use this vulnerability to steal the password to a device and take control of it.

So it is mostly iLnkP2P, with many companies potentially affected.

This problem has just been released to the public, with initial advisories sent to the vendors by Mr. Marrapese on 1/15/19.

So in theory the vendors should have been working on this issue, but they did not respond. So the vulnerability was sent to CERT/CC and then the two official CVEs were set up by MITRE:

CVE-2019-11219 and CVE-2019-11220

Devices that use the following Android apps may be vulnerable:

  • HiChip: CamHi, P2PWIFICAM, iMega Cam, WEBVISION, P2PIPCamHi, IPCAM P
  • VStarcam: Eye4, EyeCloud, VSCAM, PnPCam
  • Wanscam: E View7
  • NEO: P2PIPCAM, COOLCAMOP
  • Sricam: APCamera
  • Various: P2PCam_HD

Time to start making people aware and getting their vendors to fix these problems, because some vendors are foot-draggers on security.

So the really bad news is that hackers now definitely know about the problems, so are attacks coming soon?

Coming back to the original question: how can you protect cameras with this flaw? You have to put a new NGFW (next-generation firewall) system in front of them, much as one protects a Windows XP machine or any system that is no longer getting updates.

Here is my old post on NGFW : https://oversitesentry.com/what-is-an-advanced-firewall-utm-ngfw/
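
What "a firewall in front of it" has to enforce for an unfixable camera is simple to state: the camera segment may talk to the video recorder and nothing else, and only a maintenance host may talk to the cameras. The block below is an added example, not from this post or any firewall vendor: it writes that policy as a default-deny, first-match rule list and evaluates constructed flow records against it. The VLAN, the recorder and jump-host addresses, the ports and the flows are all constructed, and the internet-bound UDP port in the second flow is an assumption for the example rather than a value taken from the advisory; the egress deny does not depend on it, which is the point of denying by source segment rather than by port.

```python
# Added example: default-deny segmentation for cameras that cannot be patched,
# with a small first-match evaluator. Addresses, ports and flows are constructed.
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
CAMERA_VLAN = ipaddress.ip_network("10.20.30.0/24")   # constructed camera segment
NVR = ipaddress.ip_network("10.10.5.10/32")           # constructed video recorder
ADMIN_HOST = ipaddress.ip_network("10.10.5.20/32")    # constructed maintenance jump host

# (verdict, source, destination, protocol, destination port); "any"/None are wildcards.
# Evaluated top-down, first match wins; anything that matches nothing is dropped.
RULES = [
    ("allow", CAMERA_VLAN, NVR, "tcp", 554),        # cameras stream to the recorder only
    ("allow", ADMIN_HOST, CAMERA_VLAN, "tcp", 80),  # web UI reachable from the jump host only
    ("deny", CAMERA_VLAN, ANY, "any", None),        # no camera-initiated egress at all
    ("deny", ANY, CAMERA_VLAN, "any", None),        # nothing else may reach the cameras
]


def decide(src, dst, proto, dport, rules=RULES):
    """Return (verdict, index of the matching rule); default deny when nothing matches."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for index, (verdict, rule_src, rule_dst, rule_proto, rule_port) in enumerate(rules):
        if (src_ip in rule_src and dst_ip in rule_dst
                and rule_proto in ("any", proto) and rule_port in (None, dport)):
            return verdict, index
    return "deny", None


# Constructed flow records, as a NetFlow-style collector might hand them over.
FLOWS = [
    ("10.20.30.5", "10.10.5.10", "tcp", 554),      # camera -> NVR video stream
    ("10.20.30.5", "198.51.100.7", "udp", 32100),  # camera -> internet (port is an assumption)
    ("203.0.113.9", "10.20.30.5", "tcp", 80),      # internet -> camera web UI
    ("10.10.5.20", "10.20.30.5", "tcp", 80),       # jump host -> camera web UI
    ("10.20.30.5", "10.10.5.10", "tcp", 22),       # camera -> NVR on an unexpected port
]


def audit(flows=FLOWS, rules=RULES):
    """Annotate each flow with its verdict and matching rule, for review or alerting.

    Denied flows that originate inside the camera VLAN are the ones worth alerting on:
    a camera reaching out on its own is exactly the P2P behaviour the advisory describes.
    """
    return [(src, dst, proto, dport, *decide(src, dst, proto, dport, rules))
            for src, dst, proto, dport in flows]


def camera_egress_attempts(flows=FLOWS, rules=RULES):
    """Denied flows whose source is a camera: candidates for an alert."""
    return [row for row in audit(flows, rules)
            if row[4] == "deny" and ipaddress.ip_address(row[0]) in CAMERA_VLAN]


if __name__ == "__main__":
    for src, dst, proto, dport, verdict, rule in audit():
        print(f"{src:>13} -> {dst:<13} {proto}/{dport:<5} {verdict:5} rule={rule}")
```

Two rules do the real work: the camera-to-recorder allow, and the blanket deny on anything the camera segment initiates, which is what stops the devices from rendezvousing with the outside world regardless of which port the P2P code uses. Logging the hits on that deny rule is free telemetry: a camera that keeps trying is a camera to replace.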

Contact us to discuss this with you.

SAML Attacks Can Break Down Single Sign-On (SSO)

Area41 (DefCon Switzerland) had an interesting video about attacking Single Sign-On technology, SAML (Security Assertion Markup Language; basic tutorial on SAML).

There are a few ways an attack can happen: while the initial connections are made (and all certificate info, or other needed info, is exchanged),

or after the initial connection has been made and the single sign-on conditions are set, i.e. the auth server stores cookies and redirects on the next request for access.

The image above is from auth0.com

So when the attacker tries to inject an attack, they are mimicking the tokens or the XML.

Check out the following from the DefCon Switzerland video:

SAML Attacks: Certificate Tampering

  • Clone a certificate and generate new key material
  • Use a certificate signed by another official CA

SAML Attacks: XML

  • Signature exclusion (simply delete the Signature)
  • XML signature wrapping
    • Paper on breaking SAML ("Be whoever you want to be", 2012)

SSO is supposed to be a technology that makes accessing multiple network systems easier and safer. So if there is a way to attack it and gain access, it defeats the purpose of all this defense.
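
The two XML attacks listed above only work when the service provider's verifier is careless about which element it checks and which element it trusts. The block below is an added example, not code from the talk or from any SAML library: it builds a toy Response with one signed Assertion, then shows a verifier with the two classic mistakes (a missing signature is tolerated, and the assertion consumed is simply the first one in the document) next to a hardened verifier that resolves the signature's reference to exactly one enveloping Assertion and uses only that element. The signature is an HMAC over the assertion's serialized bytes, a stand-in for real XML-DSig so the block runs on the standard library alone; the key, the subjects and the IDs are constructed, and the two tampered documents are test inputs for the verifiers.

```python
# Added example: why signature exclusion and XML signature wrapping beat a careless
# SAML verifier, and the structural checks that stop them. HMAC stands in for XML-DSig.
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML, "samlp": SAMLP, "ds": DS}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)  # fixed prefixes so re-serialization is byte-identical
IDP_KEY = b"constructed-idp-signing-key"  # stand-in for the IdP's private key

def canon(assertion):
    """Serialize an assertion without its own Signature (the enveloped-signature transform)."""
    clone = copy.deepcopy(assertion)
    for sig in clone.findall("ds:Signature", NS):
        clone.remove(sig)
    return ET.tostring(clone)

def signature_value(assertion):
    return hmac.new(IDP_KEY, canon(assertion), hashlib.sha256).hexdigest()

def new_assertion(subject, assertion_id):
    a = ET.Element(f"{{{SAML}}}Assertion", ID=assertion_id)
    ET.SubElement(ET.SubElement(a, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = subject
    return a

def idp_response(subject, assertion_id="_a1"):
    """What a well-behaved IdP sends: a Response holding one signed Assertion."""
    resp = ET.Element(f"{{{SAMLP}}}Response")
    a = new_assertion(subject, assertion_id)
    resp.append(a)
    sig = ET.SubElement(a, f"{{{DS}}}Signature")
    ET.SubElement(sig, f"{{{DS}}}Reference", URI="#" + assertion_id)
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = signature_value(a)
    return ET.tostring(resp)

def elements_with_id(root, ref_id):
    return [el for el in root.iter() if el.get("ID") == ref_id]

def subject_of(assertion):
    return assertion.find("saml:Subject/saml:NameID", NS).text

def check_signature(sig, signed):
    given = sig.find("ds:SignatureValue", NS).text or ""
    if not hmac.compare_digest(signature_value(signed), given):
        raise ValueError("signature does not verify")

def vulnerable_verify(xml_bytes):
    """Two classic mistakes: no signature is accepted, and the consumed assertion
    (first in document order) is chosen independently of the one that was signed."""
    root = ET.fromstring(xml_bytes)
    sig = root.find(".//ds:Signature", NS)
    if sig is not None:  # signature exclusion: a missing Signature sails through
        ref = sig.find("ds:Reference", NS).get("URI")[1:]
        check_signature(sig, elements_with_id(root, ref)[0])
    return subject_of(root.find(".//saml:Assertion", NS))  # wrapping: first Assertion wins

def hardened_verify(xml_bytes):
    """Exactly one Signature, resolved to exactly one Assertion that envelopes it;
    verify it, then use ONLY that element."""
    root = ET.fromstring(xml_bytes)
    sigs = root.findall(".//ds:Signature", NS)
    if len(sigs) != 1:
        raise ValueError("expected exactly one Signature")
    sig = sigs[0]
    ref = sig.find("ds:Reference", NS).get("URI", "")
    if not ref.startswith("#"):
        raise ValueError("only same-document references are accepted")
    matches = elements_with_id(root, ref[1:])
    if len(matches) != 1:
        raise ValueError("referenced ID must be unique in the document")
    signed = matches[0]
    if signed.tag != f"{{{SAML}}}Assertion" or sig not in list(signed):
        raise ValueError("Signature must be enveloped in the Assertion it covers")
    check_signature(sig, signed)
    return subject_of(signed)

# Constructed tampered inputs for exercising the two verifiers.
def without_signature(xml_bytes, subject):
    """Signature exclusion: the Signature is removed and the subject changed."""
    root = ET.fromstring(xml_bytes)
    a = root.find("saml:Assertion", NS)
    a.remove(a.find("ds:Signature", NS))
    a.find("saml:Subject/saml:NameID", NS).text = subject
    return ET.tostring(root)

def with_wrapped_assertion(xml_bytes, subject):
    """Signature wrapping: the signed Assertion stays intact; an unsigned one is put first."""
    root = ET.fromstring(xml_bytes)
    root.insert(0, new_assertion(subject, "_evil"))
    return ET.tostring(root)

def rejects(verifier, xml_bytes):
    try:
        verifier(xml_bytes)
    except ValueError:
        return True
    return False
```

Against the genuine response both verifiers return the real subject. Against the unsigned copy the careless verifier returns whatever subject was written in, while the hardened one rejects it for lacking a signature; against the wrapped document the careless verifier validates the genuine signature and then hands back the injected subject, while the hardened one returns only the subject inside the signed element. A production verifier needs real XML-DSig with canonicalization on top of this, but without these structural checks the cryptography is validating the wrong element.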

Contact Us to discuss auditing your network environment