MalwareJake: Ramblings about security, rants about insecurity, occasional notes about reverse engineering, and of course, musings about malware. What more could you ask for?

<b>It's 10pm, do you know where your API keys are?</b> (published 2018-07-10)
<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
Yesterday, the social media archival service Timehop announced that they had suffered a breach. The service allows users to look back through their social media feeds to see what was happening last year for instance. In order to facilitate this, Timehop stores API keys for users' social media accounts. Timehop did a great job disabling any API keys they thought may have been accessed. Still, this breach highlights the risks of compromises in increasingly connected applications. In this video, we discuss some recommendations for individuals and organizations to inventory and understand API key usage for connected applications.<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe width="320" height="266" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/zSK7bNhBtT4/0.jpg" src="https://www.youtube.com/embed/zSK7bNhBtT4?feature=player_embedded" frameborder="0" allowfullscreen></iframe></div>
<br /></div>
<b>DrupalGeddon 2.1 and the state of vulnerability management</b> (published 2018-04-28)
<div dir="ltr" style="text-align: left;" trbidi="on">
If you’re running Drupal 7.x, 8.4.x, or 8.5.x, a new <a href="https://www.drupal.org/sa-core-2018-004" target="_blank">patch was released Wednesday</a>. The patch was rated Critical with a score of 20/25. The Drupal team notified users two days before the patch was released so they could be ready to patch. The patch went live in the middle of the US workday, meaning that organizations wishing to patch had to take an outage window during business hours (not normally advisable). Several organizations we work with wanted to take more time to patch and scheduled a patch window for this weekend (something we strongly advised against).<br />
<br />
Unfortunately (and unsurprisingly), attackers began exploiting this vulnerability mere hours after the patches were released. Since this is a remote code execution vulnerability, attackers that exploit it take control as the user that runs the web server software (thankfully this is rarely root). However (depending on configuration), attackers may be able to:<br />
<br />
<ul style="text-align: left;">
<li>Upload a web shell</li>
<li>Dump data from a backend database</li>
<li>Create landing pages for spam on your domain</li>
<li>Exploit users who come to your site</li>
<li>Steal credentials from users who come to your website</li>
</ul>
<br />
Read the rest of the story on the <a href="https://www.renditioninfosec.com/2018/04/drupalgeddon-2-1-and-the-state-of-vulnerability-management/" target="_blank">Rendition Infosec corporate blog</a>.</div>
<b>New Windows 7 and Server 2008R2 out of band patch</b> (published 2018-03-30)
<div dir="ltr" style="text-align: left;" trbidi="on">
Microsoft usually only issues patches on the second Tuesday of every month (so-called “Patch Tuesday”). However, when there is a vulnerability that is being exploited in the wild (or is likely to be) Microsoft may issue an out of band patch. That’s exactly what happened yesterday. The vulnerability being patched was introduced when Microsoft patched Meltdown and Spectre in January. In that patch, Windows separates page tables between user space and kernel space to mitigate processor vulnerabilities (kernel page table isolation). But this apparently creates a new problem in Windows 7 and Server 2008R2.<br />
<br />
The new vulnerability allows any user on the machine to read and write to the memory of any process, including the kernel. Ironically, this is worse than the original Meltdown vulnerability which only allowed attackers to read (but not write) arbitrary memory. In other words, the patch creates a problem worse than the original vulnerability the patch was written to solve.<br />
<br />
Read the full story on the Rendition Infosec <a href="https://www.renditioninfosec.com/2018/03/new-windows-7-and-server-2008r2-out-of-band-patch/" target="_blank">corporate blog</a>.</div>
<b>Atlanta government was compromised in April 2017 - well before last week's ransomware attack</b> (published 2018-03-27)
<div dir="ltr" style="text-align: left;" trbidi="on">
Last Thursday, the City of Atlanta suffered outages from a ransomware attack. During the press conference (<a href="https://www.pscp.tv/w/1djGXdYwaBPGZ" target="_blank">recorded here</a>), city officials indicated that they were invested in cyber security. They noted that they were working with state and federal law enforcement to resolve the incident and had even been in contact with the Secret Service. Officials noted that this type of attack (and outage) was happening to many organizations. Officials attempted to convey that despite adopting cyber security best practices, the City of Atlanta was victimized. This prompts the question “Was the City of Atlanta following cyber security best practices?”<br />
<br />
Though little is known about the internals of the city’s cyber security posture, we quickly learned that the city had exposed remote desktop protocol (RDP) to the Internet with no multi-factor authentication*. This matters because without multi-factor authentication, an attacker who obtains a valid username and password combination can log directly into your information systems.<br />
<br />
*Full disclosure: We’re a little biased on the need for multi-factor authentication, Rendition Infosec installs and monitors multi-factor authentication solutions, <a href="https://www.renditioninfosec.com/multi-factor-authentication-solutions/" target="_blank">click here</a> to learn more.<br />
<br />
<b>Cybersecurity Hygiene</b><br />
<br />
Leaving RDP open to the Internet is bad, but leaving SMB (Server Message Block, i.e. Windows file sharing) open to the Internet is much worse. Most readers probably remember the WannaCry ransomware campaign that shut down services at the UK’s National Health Service and elsewhere in May 2017. These attacks were powered by the (allegedly) leaked NSA exploit EternalBlue. In June, the same leaked exploit was used in the NotPetya attacks to target Ukrainian businesses (though impacts were felt worldwide). The EternalBlue exploit targets the SMB service on unpatched computers.<br />
<br />
Read the full story on the Rendition Infosec <a href="https://www.renditioninfosec.com/2018/03/atlanta-government-was-compromised-in-april-2017-well-before-last-weeks-ransomware-attack/" target="_blank">corporate blog</a>.</div>
<b>Countering Russian cyber influence operations</b> (published 2018-03-06)
<div dir="ltr" style="text-align: left;" trbidi="on">
Last Friday in <a href="https://www.sans.org/newsletters/newsbites" target="_blank">SANS NewsBites</a>, I saw an <a href="https://arstechnica.com/tech-policy/2018/02/why-us-cyber-warriors-cant-do-anything-about-russian-cyber-meddling/" target="_blank">article</a> talking about how NSA has not taken any action against the reported Russian cyber influence operations in US elections. Many laypeople have commented to me that the US can’t continue to operate in an environment where other countries can try to influence our elections. But my follow-up question to them is always “how would you fix this?” The answers often start out strong, but when we dig into them a little, we find out there are significant problems with implementation.<br />
*Full disclosure: I’m on the editorial board for SANS NewsBites. You should subscribe and use it for expert opinions on cybersecurity news.<br />
<br />
Influence operations in cyberspace are a form of asymmetric warfare. As we have learned from <a href="https://www.cnbc.com/2018/02/17/facebooks-vp-of-ads-says-russian-meddling-aimed-to-divide-us.html" target="_blank">Facebook’s identification of advertising buys by Russian organizations</a>, the cost to launch an influence operation is low. Unfortunately, the cost to counter an influence operation is very high. There are very limited options to counter a cyber influence operation and they all have serious problems. We intentionally won’t address the legal issues with each – let’s assume that the legislature will clear any legal hurdles that need to be addressed.<br />
<br />
<b>Options for dealing with cyber influence operations</b><br />
<ol>
<li>Counter with your own influence operations to negate undue influence from foreign actors</li>
<li>Hack those performing the cyber influence operations and prevent them from performing the operations</li>
<li>Sanctions or other political pressure against those conducting the cyber influence operations</li>
<li>Conduct cyber influence operations against the aggressor hoping for a “cyber cease fire”</li>
<li>Force the platforms used for influence to limit their susceptibility to such operations</li>
<li>Criminally charge those involved in influence operations</li>
</ol>
<br />
<div style="text-align: left;">
Read the full post at the Rendition Infosec <a href="https://www.renditioninfosec.com/2018/03/countering-russian-cyber-influence-operations/" target="_blank">corporate blog</a>.</div>
</div>
<b>Vulnerability disclosure – did we get it right with Meltdown and Spectre?</b> (published 2018-02-25)
<div dir="ltr" style="text-align: left;" trbidi="on">
Today Rendition Infosec is releasing a blog post that we started writing more than a month ago. Why now? The dust has settled, that’s why. Prior to the dust settling on Meltdown and Spectre, we think this very important conversation would have been lost in the noise. In light of these vulnerabilities, we think it is important to talk about how their disclosure was handled. What did we get right, what did we get wrong, and how should we in the security community posture for the disclosure of the next round of CPU vulnerabilities (there will be more)?<br />
<br />
As most know, Intel found out about the CPU vulnerabilities as early as June of 2017. The mainstream public did not find out about these until January 2018, and then only because AMD engineers made careless comments in open forums that allowed independent researchers to reverse engineer the vulnerabilities. Normally, Google releases vulnerabilities to the public in 90 days, with exceptions given only in rare circumstances. In this case, they waited because of the seriousness of the vulnerabilities and the amount of work needed to patch them.<br />
<br />
Read the full post on the <a href="https://www.renditioninfosec.com/2018/02/vulnerability-disclosure-did-we-get-it-right-with-meltdown-and-spectre/" target="_blank">Rendition Infosec corporate blog.</a></div>
<b>Top three considerations when limiting local administrator rights</b> (published 2018-01-23)
<div dir="ltr" style="text-align: left;" trbidi="on">
Ideally we would always remove administrator rights from all users. But in the real world, we unfortunately must deal with years of technical debt and poor architecture decisions that make the complete elimination of administrator rights difficult (or financially non-viable) for many organizations. So when faced with the task of prioritizing the removal of admin rights from users, where should you start?<br />
<br />
There are many things to consider when removing administrator rights and these won’t apply to everyone (for instance some organizations are dealing with specific legacy software that requires admin rights). But when working with clients Rendition Infosec uses these considerations as our top three.<br />
<blockquote class="tr_bq">
1. Users with access to sensitive information<br />2. Users that use the machine to surf the Internet or open email attachments<br />3. Machines that have direct Internet access</blockquote>
<br />
Read the rest of the post (along with remediation thoughts) on the <a href="https://www.renditioninfosec.com/2018/01/top-three-considerations-when-limiting-local-administrator-rights/" target="_blank">Rendition Infosec corporate blog</a>.</div>
<b>Infosec Advent Challenge #14 - syslog intrusion analysis</b> (published 2017-12-14)
<div dir="ltr" style="text-align: left;" trbidi="on">
We've posted the 14th challenge in the "Infosec Advent" series. This one is a Linux server intrusion case. You get syslog and auth.log. Unfortunately that's all that was being forwarded.<br />
<br />
<blockquote class="tr_bq" style="text-align: left;">
We have some Linux syslog and authentication logs (download here). Download and analyze the logs for signs of intrusion. Based on the log data, let us know what you think has happened.</blockquote>
<br />
<blockquote class="tr_bq" style="text-align: left;">
Specifically, we're looking to understand the following:<br /><ol style="text-align: left;">
<li>How many attackers compromised the server?</li>
<li>What did the attackers do once on the server?</li>
<li>What steps should be taken to recover from the incident?</li>
<li>What, in your opinion, is the likely root cause of the incident?</li>
</ol>
In all cases, please show your work (e.g. back your analysis with facts, where available). In cases where data is not available to back your hypothesis, let us know what data you would need and where you would look to collect it.</blockquote>
<br />
<blockquote class="tr_bq" style="text-align: left;">
Please limit your submissions to 1500 words. The best characterization of this web server intrusion will receive a $25 Amazon gift card (subject to contest rules). The winner will be announced 21DEC17.</blockquote>
<br />
If you were looking for another Digital Forensics and Incident Response (DFIR) related challenge, here you go. Have fun!<br />
<br />
If you don't already have an account, you can register to play at <a href="https://www.infosecadvent.com/">https://www.infosecadvent.com</a>.<br />
<br />
Cross posted from the Rendition Infosec <a href="https://www.renditioninfosec.com/2017/12/infosec-advent-challenge-14-posted-linux-syslog-analysis/" target="_blank">corporate blog</a>.</div>
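As an added example (not part of the challenge data or the original post), here is a small Python triage script over a constructed auth.log excerpt. It shows the kind of evidence the questions above ask for: password failures from one source that end in a successful login, accounts created during the log window, and sudo commands run by those accounts. The host name, users and RFC 5737 addresses are all made up for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth.log excerpt (not the challenge's data). The host,
# users and RFC 5737 documentation addresses are made up for this example.
SAMPLE_AUTH_LOG = """\
Dec 12 03:14:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Dec 12 03:14:03 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Dec 12 03:14:05 web01 sshd[2203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Dec 12 03:14:09 web01 sshd[2205]: Accepted password for root from 203.0.113.5 port 51244 ssh2
Dec 12 03:14:09 web01 sshd[2205]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 12 03:15:30 web01 useradd[2230]: new user: name=backup2, UID=1002, GID=1002, home=/home/backup2, shell=/bin/bash
Dec 12 09:02:11 web01 sshd[3101]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2: RSA SHA256:CONSTRUCTEDFINGERPRINT
Dec 12 09:02:30 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/apt-get update
Dec 12 11:47:52 web01 sshd[3310]: Accepted password for backup2 from 198.51.100.77 port 60111 ssh2
Dec 12 11:48:10 web01 sudo:   backup2 : TTY=pts/1 ; PWD=/home/backup2 ; USER=root ; COMMAND=/usr/bin/crontab -e
"""

# Classic syslog layout: "Mon DD HH:MM:SS host process[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)")
USERADD_RE = re.compile(r"new user: name=(?P<user>[^,]+)")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")


def parse_line(line):
    """Split one syslog-style line into timestamp, host, process, pid and message."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def analyze_auth_log(text, brute_threshold=3):
    """Return failed-login counts, successful logins, new accounts and the
    logins that look hostile, with the sudo activity attributable to them."""
    failed = Counter()                 # source IP -> failed password attempts
    accepted = []                      # successful logins, in log order
    new_users = []                     # accounts created during the window
    sudo_by_user = defaultdict(list)   # user -> commands run through sudo
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        proc, msg = rec["proc"], rec["msg"]
        if proc == "sshd":
            if (m := FAILED_RE.search(msg)):
                failed[m["ip"]] += 1
            elif (m := ACCEPTED_RE.search(msg)):
                accepted.append({"ts": rec["ts"], "user": m["user"],
                                 "ip": m["ip"], "method": m["method"]})
        elif proc == "useradd" and (m := USERADD_RE.search(msg)):
            new_users.append(m["user"])
        elif proc == "sudo" and (m := SUDO_RE.match(msg)):
            sudo_by_user[m["user"]].append(m["cmd"])

    suspicious = []
    attacker_ips = set()
    for login in accepted:
        reasons = []
        if failed[login["ip"]] >= brute_threshold:
            reasons.append(f"{failed[login['ip']]} failed attempts from this IP before success")
        if login["user"] in new_users:
            reasons.append("account was created during the log window")
        if login["user"] == "root" and login["method"] == "password":
            reasons.append("interactive root login with a password")
        if reasons:
            attacker_ips.add(login["ip"])
            suspicious.append({**login, "reasons": reasons,
                               "sudo": sudo_by_user.get(login["user"], [])})
    return {
        "failed_by_ip": dict(failed),
        "accepted_logins": accepted,
        "new_users": new_users,
        "attacker_ips": sorted(attacker_ips),   # answers "how many attackers?"
        "suspicious_logins": suspicious,        # answers "what did they do?"
    }


if __name__ == "__main__":
    report = analyze_auth_log(SAMPLE_AUTH_LOG)
    print(f"distinct attacker IPs: {report['attacker_ips']}")
    print(f"accounts created: {report['new_users']}")
    for s in report["suspicious_logins"]:
        print(f"{s['ts']} {s['user']}@{s['ip']} via {s['method']}: {'; '.join(s['reasons'])}")
        for cmd in s["sudo"]:
            print(f"    sudo: {cmd}")
```

Each flagged login carries its evidence, which is the "show your work" part; the legitimate key-based deploy login is left alone because nothing in the log connects it to the brute force or the new account.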
<b>Infosec Advent Challenge #13 - web server intrusion analysis</b> (published 2017-12-13)
<div dir="ltr" style="text-align: left;" trbidi="on">
We've posted the 13th challenge in the "Infosec Advent" series. This one is a web server intrusion case where we will ask you to analyze the logs and let us know what you find.<br />
<br />
<blockquote class="tr_bq">
We have a set of web server logs that you can download here. Download and analyze the logs for signs of intrusion. Based on only the web log data (yes, we know that makes it harder) write a narrative that explains what happened.</blockquote>
<br />
<blockquote class="tr_bq">
Is this a realistic scenario to only have logs and not an image of the web server filesystem? Unfortunately, the answer is yes. Rendition Infosec worked a case this year where logs were available but the server image was unavailable. We would prefer more data to work with, but in infosec as in life, you have to play what you've got.</blockquote>
<br />
<blockquote class="tr_bq">
Please limit your submissions to 1500 words. The best characterization of this web server intrusion will receive a $25 Amazon gift card (subject to contest rules). The winner will be announced 20DEC17.</blockquote>
<br />
If you were looking for some Digital Forensics and Incident Response (DFIR) related challenges, here you go. Have fun!<br />
<br />
If you don't already have an account, you can register to play at <a href="https://www.infosecadvent.com/">https://www.infosecadvent.com</a>.<br />
<br />
Cross posted from the Rendition Infosec <a href="https://www.renditioninfosec.com/2017/12/challenge-13-posted-web-server-intrusion-analysis/" target="_blank">corporate blog</a>.</div>
<b>Introducing Infosec Advent</b> (published 2017-12-12)
<div dir="ltr" style="text-align: left;" trbidi="on">
Rendition Infosec is sponsoring a new contest this holiday season to up your infosec skills and make you think (at least a little) about infosec each day. We're calling the challenge "Infosec Advent" and have set aside $1,000 in prizes to sweeten the pot for those who wish to participate.<br />
<br />
In all honesty, it would have been way cooler if we could have launched this on December 1st like we planned. But unfortunately, attackers don't schedule their attacks on our clients, so this project got put on hold while we did some end-of-year incident response. We almost decided not to run it this year, but then realized that was dumb. When it comes to this sort of thing, does late really matter? After all, we're talking about free infosec education and free money...<br />
<br />
We're releasing a series of hard and soft skill challenges between now and December 24th (the first 12 are posted now). While we'll admit that the initial set of challenges is relatively soft-skill focused, we don't think that's a bad thing. Soft skill challenges are accessible to anyone, while hard skill challenges require more specific skills to perform. That said, you can expect some PCAP, memory dumps, and a few other surprises before Christmas.<br />
<br />
We have no idea how popular this will be (or if anyone will care), but we wanted to give back to the broader community and this seemed like a great way to do it. We will be posting the entries of the winners (and probably honorable mentions) so that everyone can learn throughout the holiday season.<br />
<br />
If you want to play, hop on over to <a href="https://www.infosecadvent.com/">https://www.infosecadvent.com</a> and register to play.</div>
<b>Cybersecurity Awareness Month - should this even be a thing if awareness isn't working?</b> (published 2017-10-21)
<div dir="ltr" style="text-align: left;" trbidi="on">
If I'd written this last week, the post would have been very different. I would have pondered whether cybersecurity awareness month should even be a thing. Granted I live in the infosec echo chamber, but I often wonder how many out there aren't already inundated with information about staying safe online. Does one more phishing assessment or security reminder poster really matter? Sure, I regularly perform incident response and forensics, so I know attacks happen. But the extent to which we can stop them with additional training is questionable.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://2.bp.blogspot.com/-gt_UuysQj_8/WetkjEDq53I/AAAAAAAAhbw/fPeYDvwG-HgydKy__qVBTkDAg5ASKG5fwCLcBGAs/s1600/canstockphoto36131764.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="534" data-original-width="800" height="213" src="https://2.bp.blogspot.com/-gt_UuysQj_8/WetkjEDq53I/AAAAAAAAhbw/fPeYDvwG-HgydKy__qVBTkDAg5ASKG5fwCLcBGAs/s320/canstockphoto36131764.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">One idiot, two keyboards</td></tr>
</tbody></table>
<br />
But that was last week... This week a good friend of mine who is a high-profile APT target hit me up for some cybersecurity advice. Now before I tell the rest of this story, it's important to me that you know that he's been educated in cybersecurity hygiene and receives regular briefings on security from his organization. His organization uses regular phishing tests. He's a smart guy. I'm not mentioning names, but I bet if I did most of you would know who he is and would understand why he's a no-joke nation-state (dare I say APT?) target.<br />
<br />
Read the rest of the story on the <a href="https://www.renditioninfosec.com/2017/10/cybersecurity-awareness-month-should-this-even-be-a-thing-if-awareness-isnt-working/" target="_blank">Rendition Infosec corporate blog</a>.</div>
<b>Should Antivirus software be part of your threat model?</b> (published 2017-10-08)
<div dir="ltr" style="text-align: left;" trbidi="on">
Should Antivirus (AV) software be part of your threat model? Strictly speaking, yes it probably should be. AV is potentially dangerous to an organization and should be tested thoroughly before being deployed. As argued in the recent <a href="https://www.wsj.com/articles/russian-hackers-stole-nsa-data-on-u-s-cyber-defense-1507222108" target="_blank">WSJ article about Kaspersky</a> (note that the article is behind a pay wall), AV software could threaten the confidentiality of a protected system.<br />
<br />
But as any infosec professional can tell you, information security is about more than just confidentiality. The security triad is referred to by the acronym CIA, which most reading this post will know stands for Confidentiality, Integrity, and Availability. In every security program, one of these items takes precedence over the other two.<br />
<br />
In the case of the NSA contractor who placed classified material on their home computer, confidentiality was clearly the most important of the three. However, there are few organizations for whom a breach of confidentiality is really the most damaging impact. In the vast majority of organizations, devastating compromises to integrity and availability would have a far greater impact to organizational health.<br />
<br />
Read the full post (including scenarios for compromising integrity and availability) on the <a href="https://www.renditioninfosec.com/2017/10/should-antivirus-software-be-part-of-your-threat-model/" target="_blank">Rendition Infosec blog.</a></div>
<b>Equifax Breach – Early lessons learned and six point action plan</b> (published 2017-09-08)
<div dir="ltr" style="text-align: left;" trbidi="on">
In this post, we’ll discuss a few early lessons learned from the Equifax breach announced yesterday. We’ll also recommend a six point plan to avoid becoming “the next Equifax” based on what we know today about the breach. Rendition is in no way involved with the breach assessment for Equifax and we have no inside knowledge. However, we will discuss the publicly available information so organizations can take action to avoid a similar breach.<br />
<br />
<b>Note:</b> In the coming days and weeks, you’ll likely be inundated with vendor pitches claiming they can stop you from becoming “the next Equifax.” <b><i>Be wary, be very wary. </i></b> If it sounds too good to be true, it probably is. In information security, there are no silver bullets. But that’s okay – werewolves probably aren’t part of your threat model anyway…<br />
<br />
At Rendition Infosec, we endorse the SANS Institute six step Incident Response (IR) process. For those not familiar with the process, the steps are:<br />
<br />
<ol style="text-align: left;">
<li>Preparation</li>
<li>Identification</li>
<li>Containment</li>
<li>Eradication</li>
<li>Recovery</li>
<li>Lessons Learned</li>
</ol>
<br />
This conveniently spells <b>PICERL</b>. A handy mnemonic to remember this is “<b>Patched Infrastructure Could’ve Easily Reduced Losses</b>.” This is great because it’s simple to remember <b>AND</b> true.<br />
<br />
For this post, we’re going to focus on the preparation and identification phases since those are what we know the most about so far.<br />
<br />
Read the full article with our six step action plan on the <a href="https://www.renditioninfosec.com/2017/09/equifax-breach-early-lessons-learned-and-six-point-action-plan/" target="_blank">Rendition Infosec corporate blog</a>.</div>
<b>Five steps to prepare for a ransomware attack</b> (published 2017-08-26)
<div dir="ltr" style="text-align: left;" trbidi="on">
Like many information security firms, Rendition Infosec has worked many ransomware attacks over the last several years. If you’re reading this post, you probably know about the obvious things you can do to prepare for a ransomware event. We often talk about having good backups (and testing them). We also know that most ransomware is distributed through phishing, so having good phishing defenses helps too.<br />
<br />
When it comes to ransomware, an ounce of prevention is worth a pound of cure…<br />
<br />
But let’s assume that you’ve checked those two boxes (as well as anyone can). Let’s face it, sooner or later you are likely to have to deal with a ransomware threat in your environment. So what else can you do to prepare for the inevitable ransomware compromise? In this post, we’ll detail a few things that can be done to quickly protect your machines in the event of a ransomware attack.<br />
<br />
The five preparation steps are:<br />
<br />
<ol style="text-align: left;">
<li>Enable Volume Shadow Copies and increase allocated space</li>
<li>Remove users from the local administrators group</li>
<li>Limit the number of shares that a user has write access to</li>
<li>Use hidden file shares</li>
<li>Only map file shares while in use</li>
</ol>
<br />
In the rest of the post on the <a href="https://www.renditioninfosec.com/2017/08/five-steps-to-prepare-for-a-ransomware-attack/" target="_blank">Rendition Infosec blog</a>, we’ll discuss the rationale for each of these recommendations.</div>
<b>The need for cyber security in law firms</b> (published 2017-08-23)
<div dir="ltr" style="text-align: left;" trbidi="on">
An interesting article came through our feed today mentioning the need for cyber security in law firms. As an information security company that works with law firms, we couldn't agree more. <a href="https://www.natlawreview.com/article/cybersecurity-more-important-ever-law-firms" target="_blank">The article</a> makes a number of points, but leaves a couple of critical things out, and we'd like to cover those here. It's worth noting that the advice here applies to practically any organization (not just law firms).<br />
<br />
The article suggests the following five items for all law firms to increase their security:<br />
<br />
<ul style="text-align: left;">
<li>Use password managers</li>
<li>Update computer software</li>
<li>Use encryption software</li>
<li>Use encryption software</li>
<li>Use multi-factor authentication (MFA/2FA)</li>
</ul>
<br />
<b>Risk landscape for law firms</b><br />
<br />
At Rendition Infosec, we don't fundamentally argue with any of these. We do however think that this falls well short of information security best practices for most law firms. The reality is that lawyers deal with sensitive data every day and that makes them a target for attackers. Sensitive data might include mergers and acquisitions information from clients. This data, if compromised, can have major economic impacts to both the law firm and the client.<br />
<br />
Attackers may also target law firms for more than just the data they have. Many users, even those at the most secure organizations, expect email communication from external counsel. Attackers may target law firms as a way to get into other networks more easily. Law firms should think of this as extending their cyber risk to their clients.<br />
<br />
Read the rest of the story at the <a href="https://www.renditioninfosec.com/2017/08/the-need-for-cyber-security-in-law-firms/" target="_blank">Rendition Infosec blog</a>.</div>
<b>The need for dump analysis in Cyber Threat Intelligence (CTI)</b> (published 2017-08-13)
<div dir="ltr" style="text-align: left;" trbidi="on">
Over the last year, there have been numerous dumps of stolen classified data posted on the Internet for all to see. The damage from these dumps has obviously been huge to the US intelligence community. In this post, we won’t discuss the actual damage of the dumps to the intelligence community (many others have already pontificated on that). Instead, this post will focus on the need for CTI analysts to perform analysis of the dumps.<br />
<br />
For the first time, CTI analysts have a view of what appears to be a relatively complete nation state toolset in the Shadow Brokers dumps and insight into tool development and computer network exploitation (CNE) tool requirements in the Vault 7 dumps. These are game changers for CTI analysts. We define threat as the intersection between intent, opportunity, and capability. These tools and documents highlight the capabilities of an APT adversary. Whether you believe the US intelligence services have the intent to attack your network, it is likely (almost certain) that other nation state attackers have developed similar capabilities. Analyzing the data you have available (Shadow Brokers and Vault 7) can help shed light on what you don’t have available (every other nation state attacker’s toolset in a single dump).<br />
<br />
Note: We understand that this is a sensitive topic. When classified data is released, it is still considered classified until declassified by a classification authority. There is no evidence that any classification authorities have declassified the data in the Shadow Brokers or Vault 7 dumps. It is likely that they remain classified to this day. The advice in this article may put those with security clearances at odds with the advice of their security officers. Please proceed with care.<br />
<br />
Read the full post on the <a href="https://www.renditioninfosec.com/2017/08/the-need-for-dump-analysis-in-cyber-threat-intelligence-cti/" target="_blank">Rendition Infosec blog</a>.</div>
<strong>Software plugins/extensions should be part of your threat model</strong> (published 2017-08-05)
<div dir="ltr" style="text-align: left;" trbidi="on">
Over the last few months we’ve seen multiple cases of warnings about plugins and extensions for various software packages threatening the security of users. We’ve recently seen the Copyfish and Web Developer Chrome plugins compromised and used to push malware to users.<br />
<br />
While Chrome itself is likely safe and should probably not be considered a threat, perhaps your plugins should be. Plugins are developed by third parties who are potentially malicious. Even if your plugin developers are not themselves malicious, they have security concerns just like everyone else. And make no mistake about it: when it comes to software supply chain issues, their security is your security.<br />
<div>
<br /></div>
<div>
Read the full story <a href="https://www.renditioninfosec.com/2017/08/software-pluginsextensions-should-be-part-of-your-threat-model/" target="_blank">here</a>.</div>
</div>
<strong>An important consideration for “bug bounty” programs</strong> (published 2017-08-02)
<div dir="ltr" style="text-align: left;" trbidi="on">
The US DoJ recently released <a href="https://www.justice.gov/criminal-ccips/page/file/983996/download" target="_blank">guidance on running vulnerability disclosure programs</a> (aka bug bounties). The document is nothing earth-shattering, but it does provide some free advice to organizations considering such programs.<br />
<br />
Rendition’s advice to organizations considering a bug bounty program? Think VERY carefully about how it will impact your monitoring and detection strategies. People looking for bugs will create noise in your network – a lot of it. And the noise will look like attacks, because technically they ARE attacks. How will you separate this non-malicious attack traffic from the real attack traffic you should be concerned about?<br />
<br />
Read the full post <a href="https://www.renditioninfosec.com/2017/08/bug-bounty-considerations-security-monitoring/" target="_blank">here</a>.</div>
<strong>Honestly evaluating the Kaspersky debate</strong> (published 2017-07-12)
<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
So far, Rendition has posted on the Kaspersky debate twice. In the <a href="https://www.renditioninfosec.com/2017/07/why-a-kaspersky-code-audit-doesnt-really-ensure-security/" style="background: transparent; box-sizing: inherit; text-decoration-line: none; user-select: auto;">first post</a>, Rendition explained to the public why a software audit would not address the fears raised by the Senate. The <a href="https://www.renditioninfosec.com/2017/07/av_threat_model_kaspersky/" style="background: transparent; box-sizing: inherit; text-decoration-line: none; user-select: auto;">second post</a> explained the damage that any antivirus software could do in a network if its operation were taken over by a foreign government. The second post is about more than just Kaspersky - as Rendition made clear in the post, it could apply to <em style="box-sizing: inherit;"><strong style="box-sizing: inherit;">any</strong></em> antivirus software.<br />
<br /></div>
<strong style="box-sizing: inherit;">Bloomberg reports previously unknown Kaspersky involvement with the Russian government</strong><br />
Yesterday, <a href="https://www.bloomberg.com/news/articles/2017-07-11/kaspersky-lab-has-been-working-with-russian-intelligence" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; box-sizing: inherit;">Bloomberg wrote an article</a> claiming that Kaspersky is far more deeply involved with Russian intelligence than was publicly known. At Rendition, we think parts of that reporting were careless, especially the interpretation of the words "active countermeasures." "Active countermeasures" is not an industry standard term, which is a pet peeve of Rendition's founder <a href="https://www.linkedin.com/in/jacob-williams-77938a16/" style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; box-sizing: inherit;">Jake Williams</a>, who has spoken on the topic at various industry events. Bloomberg took the phrase "active countermeasures" to mean the following.<br />
<blockquote style="border-left: 0px; box-sizing: inherit; font-family: Arial, sans-serif; font-size: 14px; font-style: italic; margin: 1.125em 1.25em; padding-left: 0px;">
"Active countermeasures is a term of art among security professionals, often referring to hacking the hackers, or shutting down their computers with malware or other tricks."</blockquote>
We know of no such standard definition for "active countermeasures." Even if Bloomberg got this definition from an infosec expert, any expert worth quoting would have told Bloomberg that their definition was one of many and not "generally accepted" by the community. That this wasn't reported makes the whole article reek of bias - and where there's smoke, there's usually fire.<br />
<strong style="box-sizing: inherit;"><br /></strong>
<strong style="box-sizing: inherit;">Kaspersky responds to Bloomberg</strong><br />
Eugene Kaspersky <a href="https://usa.kaspersky.com/about/press-releases/2017_kaspersky-lab-response-clarifying-inaccurate-statements-published-in-bloomberg-businessweek-on-july-11-2017" style="background: transparent; box-sizing: inherit; text-decoration-line: none; user-select: auto;">posted a retort that addresses the Bloomberg article point by point</a>. Kaspersky calls out some of the obvious problems with the article, including talking around the point made above. But in his response, Kaspersky says something that is misleading if not outright false, and we think that needs to be addressed as well.<br />
<br />
Read the full story <a href="https://www.renditioninfosec.com/2017/07/honestly-evaluating-the-kaspersky-debate/" style="background: transparent; box-sizing: inherit; text-decoration-line: none; user-select: auto;">here</a>.
</div>
<strong>Is antivirus software part of your threat model? Maybe it should be...</strong> (published 2017-07-11)
<div dir="ltr" style="text-align: left;" trbidi="on">
Recently we learned that the US Senate was pushing to add language to the National Defense Authorization Act (NDAA) that would prohibit the purchase and use of Kaspersky software anywhere in the DoD. This is nearly certainly a political move and CyberScoop’s Patrick Howell O’Neill did a great job of <a href="https://www.cyberscoop.com/kaspersky-pentagon-dod-ban-political-move/" style="background: transparent; box-sizing: inherit; line-height: inherit; text-decoration-line: none;">covering this story</a> already from a political angle. It is entirely possible that the Senate’s statements about the NDAA are just political messages meant to rattle the sabers.<br />
<br />
But should antivirus be part of your threat model? Perhaps it should. As <a class="" href="https://twitter.com/taviso" style="background: transparent; box-sizing: inherit; line-height: inherit; text-decoration-line: none;">Tavis Ormandy</a> has shown over the last year, antivirus software is often full of security vulnerabilities. This is especially concerning because antivirus runs with elevated privileges, and those elevated privileges are exactly what make a vulnerable antivirus product so dangerous.<br />
<br />
In considering this debate, it is important to consider the types of threats that antivirus software could pose if the vendor were subject to “influence” from a government. Obviously we are talking about this because of Kaspersky and the NDAA, but it is important to note that <u style="box-sizing: inherit; line-height: inherit;"><strong style="box-sizing: inherit; line-height: inherit;">any</strong></u> antivirus company could be subject to the same attacks. The risk is not limited to antivirus companies that could be influenced – any software manufacturer with automatic updates could be used as an attack platform by a government. If one were hacked by an APT group (most likely a nation state), its customers would also be vulnerable (whether the software in question is antivirus or something else).<br />
<br />
Read the full post <a href="https://www.renditioninfosec.com/2017/07/av_threat_model_kaspersky/" style="background: transparent; box-sizing: inherit; line-height: inherit; text-decoration-line: none;">here</a>.
</div>
<strong>CRASHOVERRIDE guidance from NCCIC is confusing at best</strong> (published 2017-06-13)
<div dir="ltr" style="text-align: left;" trbidi="on">
After reviewing the awesome <a href="https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" target="_blank">Dragos Inc report on CRASHOVERRIDE</a>, Rendition analysts received a <a href="https://www.us-cert.gov/ncas/alerts/TA17-163A" target="_blank">similar alert from US-CERT and NCCIC</a>. After reviewing the guidance from NCCIC, we were less than thrilled. The second recommendation from NCCIC (take measures to avoid watering hole attacks) is impossible by its very definition. A watering hole attack first compromises a remote site that your users already visit, and then uses that site in an attempt to compromise your network. The victim is not being tricked into visiting a rogue site, as is the case in phishing; the legitimate site itself has been compromised. There is frankly no way for an organization to avoid that. Unfortunately, the fact that this "mission impossible" is set as recommendation #2 means that many will stop trying to implement anything further down the list, assuming that the rest may also be impossible by definition.<br />
<div>
<br /></div>
<div>
Read the full post <a href="https://www.renditioninfosec.com/2017/06/crashoverride-nccic-guidance-is-confusing-at-best/" target="_blank">here</a>.</div>
</div>
<strong>CRASHOVERRIDE – monitor your IT networks (and OT too)</strong> (published 2017-06-12)
<div dir="ltr" style="text-align: left;" trbidi="on">
Last week Rendition Infosec founder Jake Williams contributed an article for next month’s issue of Power Grid International magazine. The article highlights the need for utilities to monitor their IT networks in order to protect their OT networks from compromise. Today’s release of the excellent <a href="https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" target="_blank">CRASHOVERRIDE report</a> by Dragos Inc only reinforces the points Williams made in his article.<br />
<br />
While a simple Shodan search will show many ICS devices directly connected to the Internet, the organizations running them obviously aren’t following best practices in the first place. Monitoring would certainly help these organizations detect threats as well, but they honestly have bigger problems, starting with segmenting their networks.<br />
<br />
For those utilities that have already segmented IT from OT (<a href="https://en.wikipedia.org/wiki/Operational_Technology" target="_blank">operational technology</a>), monitoring the IT network is absolutely critical. Most attackers enter the OT network from the IT side of the network, through phishing emails or other commodity exploits. They then noisily stumble through the network looking for the bridge between IT and OT. Even if the networks are completely air-gapped (few truly are, in our experience), attackers will eventually find a way to get malware to the OT side. But along the way, attackers usually make a ridiculous amount of noise trying to find the places where the IT and OT networks are joined, and that noise is your detection opportunity.<br />
<br />
Read the full story <a href="https://www.renditioninfosec.com/2017/06/crashoverride-monitor-your-it-networks-and-ot-too/" target="_blank">here</a>.</div>
<strong>The problems of PUA (Potentially Unwanted Alerts)</strong> (published 2017-05-22)
<div dir="ltr" style="text-align: left;" trbidi="on">
Recently we had a client call us about a problem on their network. Rendition Infosec runs a 24×7 security monitoring service, and the client called about an antivirus alert for a PUA (potentially unwanted application). This class of alert is often difficult to tune out, since attackers and administrators often use the same software tools.<br />
<br />
Frequent examples of this are netcat (nc.exe) and PsExec from Sysinternals. These tools are like the infamous “dual use technology” we hear so much about when sanctioning oppressive regimes. When we receive an alert like this, we most frequently find that it can be attributed to the activity of a systems administrator. However, there is always a possibility that the alert represents the activities of an attacker, so it cannot simply be ignored.<br />
<div>
<br /></div>
<div>
Read the <a href="https://www.renditioninfosec.com/2017/05/the-problems-of-pua-potentially-unwanted-alerts/" target="_blank">rest of the article here</a>.</div>
</div>
<strong>Petition for Microsoft to disclose data about MS17-010</strong> (published 2017-05-08)
<div dir="ltr" style="text-align: left;" trbidi="on">
Rendition Infosec is sponsoring a petition asking Microsoft to disclose telemetry data around MS17-010. We've highlighted a number of reasons why we feel this is important for the security community as a whole.<br />
<br />
It is almost certain that Microsoft has data around how these vulnerabilities were exploited by attackers. Revealing this data will help us better understand decisions made in the vulnerability equities process. It will also enhance understanding of how likely it is that vulnerabilities discovered by APT attackers are independently rediscovered by other attack groups. Finally, it will help policy makers assess whether the exploits reportedly stolen (and subsequently released) by the Shadow Brokers were likely used to exploit other targets before being released to the general public. If you work in infosec, think computer security is a good thing to have, and/or believe in transparency, please consider signing our petition, linked below:<br />
<br />
<a href="https://www.renditioninfosec.com/2017/05/call-to-microsoft-to-release-information-about-ms17-010/">https://www.renditioninfosec.com/2017/05/call-to-microsoft-to-release-information-about-ms17-010/</a></div>
<strong>Observations from the latest Internet-wide DOUBLEPULSAR scan</strong> (published 2017-04-27)
<div dir="ltr" style="text-align: left;" trbidi="on">
I've posted some notes from the latest Rendition Infosec Internet-wide scans for DOUBLEPULSAR. Despite some reports to the contrary, it's not getting any better. In fact, it's a bit worse than earlier this week, despite the uninstallation scripts moving around the Internet (note that Rendition Infosec does NOT recommend using these tools).<br />
<br />
You can read the rest of the story <a href="https://www.renditioninfosec.com/2017/04/observations-from-the-latest-doublepulsar-scans/" target="_blank">here</a>.<br />
<div>
<br /></div>
</div>