We are often asked by our clients for an easy way to show people outside of security why so many security controls are in place. The majority of cyber-attacks begin with a phishing email or a drive-by download / watering-hole website. The chain of events in these attacks is very predictable, as are the controls you can put in place to mitigate them.
To quote Brad Arkin, Chief Security Officer of Adobe:
Very recently, Adobe’s security team discovered sophisticated attacks on our network, involving the illegal access of customer information as well as source code for numerous Adobe products. Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders.
RSA recently updated NetWitness and changed the product name to Security Analytics. NetWitness used a Windows-based client for investigation of network sessions; Security Analytics adds the ability to conduct investigations via a new web interface. Many other security tools (SIEM, IPS, threat feeds, etc.) also use a web interface. Critical Start just released version 2 of our Threat Analytics Search extension for Chrome, which allows integration of 3rd-party (web GUI) security tools with RSA Security Analytics. It's only available in Chrome because we think that is the most secure browser. The extension can be added from the Chrome Web Store at https://chrome.google.com/webstore/detail/threat-analytics-search/eliokoocofjemjjohafbmhmgjmedomko.
The SSL protocol was originally developed by Netscape. Version 1.0 was never publicly released; version 2.0 was released in February 1995 but contained a number of security flaws, which ultimately led to the design of SSL version 3.0 in 1996. Transport Layer Security (TLS) has replaced SSL and has several versions (1.0, 1.1, and 1.2 at the time of writing; TLS 1.3 followed in 2018, and SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 have all since been deprecated and should be disabled). SSL/TLS provides us:
This post is primarily for customers of RSA NetWitness (Security Analytics), although it may be interesting to security practitioners that conduct security investigations. We describe how to use the Critical Start Threat Analytics Chrome Extension (https://www.criticalstart.com/2013/01/threat-analytics-search-extension-for-chrome/) to open a NetWitness Investigator drill from a Chrome browser.
Oracle released an emergency patch for Java, but security experts warn the patch doesn't fix all critical vulnerabilities. Not counting future Java exploits, the currently known Java bugs may take 2 years to correct. US-CERT advises, "Unless it is absolutely necessary to run Java in web browsers, disable it, even after updating to 7u11." There are also some other good mitigation strategies discussed in the US-CERT advisory, such as blocking JAR and CLASS files at the proxy. However, be aware that we have seen examples of Java files disguised as other file formats (see the example below from a NetWitness session capture), so a filter that keys only on the file extension or the declared Content-Type will miss them; the proxy has to look at the content.
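The following is an added example (not code from the original post or from NetWitness) of the content-based check the paragraph calls for. A class file always starts with the bytes CA FE BA BE, and a JAR is a ZIP archive whose central directory the JVM locates from the end of the file, so a JAR with a GIF or PDF header prepended is still loadable. The samples (`invoice.pdf`, `logo.gif`, etc.) are constructed inline, not captured traffic, and `proxy_decision` is a hypothetical helper standing in for whatever the proxy's blocking hook is.

```python
import io
import zipfile

# Magic bytes the JVM checks, regardless of file name or HTTP Content-Type.
CLASS_MAGIC = b"\xCA\xFE\xBA\xBE"


def classify_payload(data: bytes) -> str:
    """Classify a downloaded body by content: 'class', 'jar', 'zip' or 'other'.

    zipfile.ZipFile finds the central directory from the end of the data, just
    as the JVM does, so a JAR with junk (e.g. a GIF header) prepended is still
    recognised.  Members are also checked by content in case they were renamed.
    """
    if data[:4] == CLASS_MAGIC:
        return "class"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.endswith(".class") or info.filename == "META-INF/MANIFEST.MF":
                    return "jar"
                with zf.open(info) as member:
                    if member.read(4) == CLASS_MAGIC:
                        return "jar"
            return "zip"
    except zipfile.BadZipFile:
        return "other"


def proxy_decision(name: str, content_type: str, data: bytes) -> dict:
    """Hypothetical proxy hook: compare a name/Content-Type filter with a content filter."""
    kind = classify_payload(data)
    by_name = name.lower().endswith((".jar", ".class")) or content_type in (
        "application/java-archive", "application/x-java-applet")
    return {"name": name, "declared": content_type, "actual": kind,
            "blocked_by_name": by_name, "blocked_by_content": kind in ("class", "jar")}


def _make_jar() -> bytes:
    """Build a minimal JAR in memory (constructed sample, not a real exploit)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Exploit.class", CLASS_MAGIC + b"\x00\x00\x00\x33")  # version stub only
    return buf.getvalue()


# Constructed samples: a JAR served as a PDF, a bare class file served as a GIF,
# a GIF header prepended to a JAR (polyglot), and a genuine tiny GIF.
SAMPLES = [
    ("invoice.pdf", "application/pdf", _make_jar()),
    ("logo.gif", "image/gif", CLASS_MAGIC + b"\x00\x00\x00\x33"),
    ("banner.gif", "image/gif", b"GIF89a" + b"\x00" * 16 + _make_jar()),
    ("real.gif", "image/gif", b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"),
]


def scan_samples(samples=SAMPLES):
    return [proxy_decision(n, ct, d) for n, ct, d in samples]


if __name__ == "__main__":
    for result in scan_samples():
        print(result)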
Threat Analytics is focused on using information to make decisions about events that impact the information assets of the organization. In other words, how can we transform the deluge of security data into actionable intelligence.
Back in February, Oracle released their Critical Patch update that included 14 security fixes for Oracle Java SE (http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html). To quote Oracle:
This post is a quick look at an incident that occurred at one of our clients. This certainly isn't an advanced threat, but it is an excellent example of the type of malware targeted at individuals. In this incident the user contacted the help desk, although the malware had already been detected by dynamic malware analysis. After being redirected to an infection website, the laptop screen was locked and displayed the image below:
At Critical Start we try to ensure that customers improve in several key areas while working with us:
- Attack Phase Maturity
- Security Efficiency
One of the best approaches to better security that doesn’t cost any money is securing local administrator accounts for your users (and domain administrator accounts, but that’s a separate topic). This can be accomplished by:
What can you do that will actually improve security (not compliance) over time? This requires your organization to build capabilities in the different attack phases:
- Initial Compromise
- Lateral Movement Mitigation
- Data Exfiltration/Illicit transaction
- Incident detection, response, and eradication
The number of news articles about organizations getting compromised continues to increase. Our engagements with customers match the 2012 Verizon Data Breach Investigations Report finding that 92% of breaches were discovered by a third party rather than by the victim organization. At a minimum this illustrates how many large companies have incidents that remain undetected.
These 3 steps will prevent all malware infections:
- Disconnect from all wired and wireless networks (Ethernet, Bluetooth, Infrared, etc.)
- Remove your CD/DVD-ROM drive
- Glue shut all other connectors
When discussing how to protect corporate networks, we often get asked for advice about home networks. The NSA has published a good guide. However, it doesn't give any real product information; this post will address that deficiency (at least for Windows operating systems).
Earlier this year RuggedCom confirmed the existence of a backdoor in several of their products. RuggedCom has also disclosed additional security vulnerabilities around private key security for HTTPS/SSL and SSH, which are discussed in a US-CERT alert at http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-234-01.pdf. The new vulnerability is conceptually similar to the old one, which shows how few vendors (even security vendors) understand how to securely code applications. The new private key flaw involves "hard-coding" the private key so that the same private key is used on every device, analogous to hard-coding a password: anyone who extracts the key from one unit (or buys one second-hand) can impersonate, or decrypt traffic to, every other unit of that model.
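A practical check for this class of flaw is to collect the host keys your devices present (for example from `ssh-keyscan` output) and look for the same key on more than one host. The code below is an added example, not RuggedCom's or US-CERT's code; it encodes and parses the `ssh-rsa` wire format from RFC 4253, computes OpenSSH-style SHA256 fingerprints, and groups hosts by key. The fleet and the 128-bit "moduli" are constructed toy values so the example runs offline; real keys would come from the scan.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': big-endian, with a leading zero byte if the high bit is set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_ssh_rsa_line(e: int, n: int) -> str:
    """Encode (e, n) as a known_hosts/ssh-keyscan style 'ssh-rsa AAAA...' line."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()


def parse_ssh_rsa_line(line: str):
    """Return (e, n) from an 'ssh-rsa <base64>' line."""
    blob = base64.b64decode(line.split()[1])
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        fields.append(blob[off:off + length])
        off += length
    ktype, e, n = fields
    if ktype != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(e, "big"), int.from_bytes(n, "big")


def fingerprint(line: str) -> str:
    """OpenSSH-style SHA256 fingerprint (base64, no padding) of the key blob."""
    blob = base64.b64decode(line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).rstrip(b"=").decode()


def find_shared_keys(host_keys: dict) -> dict:
    """Map fingerprint -> sorted host names for every key presented by more than one host."""
    by_fp = defaultdict(list)
    for host, line in host_keys.items():
        by_fp[fingerprint(line)].append(host)
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}


# Constructed fleet with toy 128-bit moduli (not real RSA keys).  Three devices
# share one key, as a hard-coded key would show up; the jump host has its own.
SHARED_N = (1 << 127) | 0x6F9D3B11
UNIQUE_N = (1 << 127) | 0x2A48C5E7
FLEET = {
    "rs900-sub-a": make_ssh_rsa_line(65537, SHARED_N),
    "rs900-sub-b": make_ssh_rsa_line(65537, SHARED_N),
    "rs400-lab": make_ssh_rsa_line(65537, SHARED_N),
    "mgmt-jump": make_ssh_rsa_line(65537, UNIQUE_N),
}

if __name__ == "__main__":
    for fp, hosts in find_shared_keys(FLEET).items():
        print(f"{fp} is shared by: {', '.join(hosts)}")
```

Any fingerprint that appears on more than one host is a finding: either the vendor shipped one key for the whole product line, or an image was cloned without regenerating keys. Either way the key must be treated as public.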
CNBC is premiering an hour-long show on 7/9/12 about the cyber-espionage threat to American business from China. The preview can be seen at http://www.cnbc.com/id/15840232?video=3000100683&play=1. If you are a security professional, the show will be interesting rather than educational. However, we would recommend forwarding the information to your IT and business executives who need to understand how the security landscape has changed. Cyber crime is big business, and computer espionage is the new research and development arm for some countries.
Bit9 has seen a 150 percent year-over-year increase in the number of attacks on domain controllers. Attackers, largely nation states and cyber criminals, are after corporate intellectual property (IP), everything from chemical formulas and vaccines to military data and source code, all valuable competitive information. Rather than directly attacking the servers that house such information, advanced persistent attackers are targeting domain controllers so as to gain access to all information repositories and systems within the company.
Traditional security (firewalls, anti-virus, intrusion detection, etc.) is based on the concept of identifying and stopping the known bad. Intrusion detection (IDS/IPS) and anti-virus (AV) primarily rely on detecting the known bad from a blacklist (signatures) of previously identified malware. So much new malware is created every day, and so much of it is never identified, that the known-bad list never matches the actual set of bad software, websites, and domains.
Passwords are like a lot of security technologies – the people and process aspects are even more important than the technology or product. LinkedIn made three extremely serious mistakes:
PKI and digital certificates generate the largest false sense of security of any technology I know. The Flame malware is just the latest example of how configuration mistakes and personnel errors can render any technology control ineffective. The picture above is a screen capture of one of the Microsoft certificates that was recently revoked by Microsoft. The first mistake was giving a certificate used for Terminal Server licensing the ability to issue code-signing certificates. The second mistake was the use of MD5 instead of SHA-1 as the signature hash algorithm (SHA-1 has itself since been deprecated for signatures; SHA-256 or stronger is the current minimum). Back in 2008 (yes, 4 years ago!), a US-CERT advisory was released and a research paper was published that discussed the weaknesses of MD5:
Unless you live in a cave, Flame (or Flamer or sKyWIper, as the industry can't agree on the name) is the latest APT threat to gain notoriety. In our opinion the hype and response to the Flame malware only confuse most customers.
Apple began taking pre-orders for the iPad from U.S. customers on March 12, 2010. 300,000 iPads were sold on their first day of availability. By coincidence (maybe?), 2010 is when IBM began a BYOD policy for employees. Fast forward 2 years later, and IBM is taking a completely different approach. While IBM has gained notoriety for blocking Dropbox and Siri, the real story is that mobile device management is like every other IT project. Technology is an enabler, but process and people are still a critical component of success. The Technology Review (published by MIT) has a balanced interview with the IBM CIO (Jeanette Horan) at http://www.technologyreview.com/business/40324. To quote their interview:
Justin W. Clarke is an independent researcher who happens to work in the energy sector. Evidently his idea of fun is to purchase items from eBay and review firmware :) Mr. Clarke purchased two used RuggedCom devices (an RS900 switch and an RS400 serial server) off eBay for about $100 and proceeded to reverse engineer the firmware. He discovered backdoor login credentials: a default username (factory) assigned by the vendor and a generated password derived from the device's MAC address, which is visible to anyone on the same network segment. He notified RuggedCom in April of 2011. RuggedCom confirmed the existence of the backdoor and immediately ceased communication. Since Mr. Clarke had a day job, he stopped pursuing the issue.
In the morally questionable but legal market for security vulnerabilities, a zero-day exploit that might earn a researcher $2,500 from a software vendor could earn 10 to 100 times that sum from nation-state spies and cyber criminals who would use the exploit for their own purposes. Back in 2007 Charlie Miller wrote a paper on the 0-day black market that does an excellent job of discussing the market for exploits. Forbes recently wrote an article on a similar topic. If you are an enterprising software programmer, you have many options available after discovering a software vulnerability, especially if the vulnerability is reliable when packaged into an exploit kit. A few options to profit from a 0-day vulnerability:
Smart cards (hardware-protected PKI credentials) have long been considered the gold standard of strong authentication in spite of their high cost, yet attackers have figured out how to compromise them. The attackers were able to gain access to restricted resources using legitimate user credentials without ever stealing the private key, because the card will sign for whatever process on a compromised host asks it to while the card is inserted and the PIN is cached.
Jericho Forum is a leading international IT security thought-leadership association dedicated to advancing secure business in a global open-network environment. Members include top IT security officers from multi-national Fortune 500s & entrepreneurial user companies, major security vendors, government, & academics. Working together, members drive approaches and standards for a secure, collaborative online business world.
No, we aren't about brownies, but about a type of attack commonly used by advanced attackers: pass-the-hash. This attack allows cyber criminals to obtain and reuse Active Directory credentials without any password cracking or brute-force attempts, very sneaky! Technical details can be found here. The Windows NT hash is unsalted and is itself sufficient to authenticate over NTLM, so a hash dumped from one machine works on every other machine that has the same account with the same password. DO NOT use the same local administrator credentials for all your laptop, desktop, and server images.
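The point of the warning above (and of the local administrator post earlier on this page) is easiest to see by computing the hashes. This is an added example, not code from the original post: it implements MD4 (RFC 1320) in pure Python because `hashlib` lacks it on many OpenSSL 3 builds, derives the NT hash as MD4 over the UTF-16LE password, and then compares two constructed fleets, one imaged with a single shared local administrator password and one with a random per-host password. `reachable_with_hash` models the pass-the-hash step abstractly (hash equality equals successful NTLM logon); it performs no network authentication. Host names and passwords are made up.

```python
import secrets
import string
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), the primitive behind the Windows NT hash."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, list(range(16)), (3, 7, 11, 19), 0x00000000),
        (G, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (H, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    msg = bytearray(data) + b"\x80"            # padding: 0x80, zeros, 64-bit LE bit length
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for f, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + f(b, c, d) + X[idx] + k) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c        # rotate roles: next step updates old d
        state = [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)); note there is no salt and no per-host input."""
    return md4(password.encode("utf-16-le")).hex()


def build_fleet(hosts, password_for_host) -> dict:
    """Map host -> NT hash of that host's local administrator password."""
    return {h: nt_hash(password_for_host(h)) for h in hosts}


def reachable_with_hash(fleet: dict, stolen_hash: str) -> list:
    """Hosts an attacker can log on to with only the stolen hash (pass-the-hash model)."""
    return sorted(h for h, hsh in fleet.items() if hsh == stolen_hash)


def random_password(length: int = 20) -> str:
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed fleets.  Scenario 1: every image ships with the same local admin password.
HOSTS = ["WS01", "WS02", "WS03", "SRV01"]
SHARED_FLEET = build_fleet(HOSTS, lambda h: "Welcome123!")
# Scenario 2: each host gets its own random password (what LAPS-style tooling automates).
UNIQUE_FLEET = build_fleet(HOSTS, lambda h: random_password())


def exposure(fleet: dict, compromised_host: str) -> int:
    """Number of hosts reachable after dumping the local admin hash on one workstation."""
    return len(reachable_with_hash(fleet, fleet[compromised_host]))


if __name__ == "__main__":
    print("NT hash of 'Welcome123!':", nt_hash("Welcome123!"))
    print("shared password, hosts reachable from WS01:", exposure(SHARED_FLEET, "WS01"))
    print("unique passwords, hosts reachable from WS01:", exposure(UNIQUE_FLEET, "WS01"))
```

With the shared image the hash dumped from one workstation opens all four hosts; with per-host passwords it opens only the host it came from, which is exactly what the "do not reuse local administrator credentials" advice buys you.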