Saturday, March 28, 2020

Keep your company digital assets available, and safe: "Two is One and One is None"

I received a call yesterday from my insurance agent. He works for a large company; you'd know the name. He told me that when the entire company went remote, their connection to the home office dropped for about a day. This is not the first company that I've heard this about. In our haste to go quickly to remote work, many companies failed to plan for redundancies and choke points. The good thing? The fixes aren't hard:

Here are some simple things to consider as we normalize in our potential for longer-term quarantine.

When it comes to terminating VPNs at the border, think redundancy

Many companies use a Next-Generation Firewall (NGF) at the edge. NGFs are great little boxes, filled with features --traditional firewalling, routing, intrusion prevention, anti-malware, and SSL and IPSec VPN concentrators. Here's the problem: in generic terms, if you turn on VPN and Intrusion Prevention in many of these firewalls, performance drops... fast. You could lose as much as 70% of your speed. Add in SSL Inspection, and that amazing hardware-based box comes to a screeching halt, crawling, frustrating workers and costing the company valuable productivity time. What to do about it:
  • Separate those duties into independent functions
  • Consider adding High Availability (HA) pairs to allow for failover
  • Have a backup plan if you find your current inbound bandwidth swamped
Separate those duties into independent functions. Isolate VPN Concentration from protection. Use one machine (firewall, router, VPN concentrator) to terminate VPNs at the company edge, and the NGF for edge firewalling, IPS, anti-malware, etc. You'll find that your employees will be much happier.

Consider adding High Availability (HA) pairs to allow for failover. High availability is the pairing of two devices together so that if one fails, the other automatically takes over. Every device that we've used has the ability to be paired in high availability mode. Why? Three nights ago we saw an ASA fail because of the heavier workload. When it finally failed, the connection simply rolled over to the second firewall, allowing remote operations to continue, almost without issue, until the first machine could be updated to the newest OS. In the world of firewalls, two is one and one is none. If you have HA paired firewalls, if one fails, the other continues. If you only have one, your remote workers lose access to the company and productivity stops.

Have a backup plan if you find your current bandwidth is swamped.  Most companies had planned for only a fraction of their workforce to be remote --sales, executives, support, and maybe a few dedicated telecommuters. If you had 100Mb of bandwidth set aside for remote access for 10% of your company, how much bandwidth will you need when the other 90% gets quarantined? The math isn't hard. Look at what's used internally, taking into consideration actual utilization, and plan.

We install next-generation firewalls, managed antivirus, and an anti-evasion toolkit in your home or office, and then monitor and manage them remotely, 24x7. If we see a threat, we stop it.

Contact us

Monday, April 30, 2018

No Cost NIST 800-171 Self Assessment

Did you know that last week, Lockheed Martin won a $1 billion contract to build hypersonic aircraft and technologies? 

Did you also know that NIST 800-171 compliance is going to be required to participate on the contract?

I thought I might take an opportunity to present an 'easy button'. We took the NIST Assessment document and turned it into a no cost, no obligation, online Self Assessment.  Fill in the correct contact information (as opposed to fake contact information) and at the end, we'll send you your individual responses.

The self assessment is located here:

If you're a small business (<500 employees) and need help, you can also ask questions in the Red Sky Small Business Alliance Compliance Corner, provided at no charge for small businesses.

Good luck.

Saturday, January 06, 2018

What are Meltdown and Spectre? Should you be concerned?

We posted this analysis in the Red Sky Small Business Alliance portal. Red Hat Videos deserves kudos; they do a wonderful job of describing where these bugs come from, and one of our newer analysts offers a short analysis, written in plain English, describing the bugs in more detail.

Source: Red Hat Videos - Meltdown and Spectre in 3 minutes

Meltdown and Spectre are two major flaws that affect all modern computers based on processors from Intel, AMD and ARM. Discovered and named by the team of security researchers as part of Google Project Zero, both of these flaws potentially allow hackers to steal personal data from computers, including cloud servers and mobile devices.

The disclosure date for the flaws was set for January 9, 2018, but due to premature reports, growing speculation, and risk of exploitation, the information was revealed sooner, and patches are just being made available for some platforms.

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure.

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.
Spectre is harder to exploit than Meltdown, but it is also harder to mitigate.

Both of these critical CPU flaws come down to how a CPU handles its cache and the execution optimizations it performs, which can result in a user process gaining access to kernel memory.

Cache Management and Speculative Execution:

Processors use a concept of rings to protect kernel memory from user programs. x86 processors have lots of rings, but for this issue, only two are relevant: "user" (ring 3) and "supervisor" (ring 0). When running regular user programs, the processor is put into user mode, ring 3. When running kernel code, the processor is in ring 0, supervisor mode, also known as kernel mode.

These rings are used to protect the kernel memory from user programs. The page tables aren't just mapping from virtual to physical addresses; they also contain metadata about those addresses, including information about which rings can access an address. The kernel's page table entries are all marked as only being accessible to ring 0; the program's entries are marked as being accessible from any ring. If an attempt is made to access ring 0 memory while in ring 3, the processor blocks the access and generates an exception. The result of this is that user programs, running in ring 3, should not be able to learn anything about the kernel and its ring 0 memory.

Every modern processor performs a certain amount of speculative execution. For example, given some instructions that add two numbers and then store the result in memory, a processor might speculatively do the addition before ascertaining whether the destination in memory is actually accessible and writeable. In the common case, where the location is writeable, the processor managed to save some time, as it did the arithmetic in parallel with figuring out what the destination in memory was. If it discovers that the location isn't accessible—for example, a program trying to write to an address that has no mapping and no physical location at all—then it will generate an exception and the speculative execution is wasted.

Intel processors, specifically—though not AMD ones—allow speculative execution of ring 3 code that writes to ring 0 memory. The processors do properly block the write, but the speculative execution minutely disturbs the processor state, because certain data will be loaded into cache and the TLB in order to ascertain whether the write should be allowed. This in turn means that some operations will be a few cycles quicker, or a few cycles slower, depending on whether their data is still in cache or not. As well as this, Intel's processors have special features, such as the Software Guard Extensions (SGX) introduced with Skylake processors, which slightly change how attempts to access memory are handled. Again, the processor does still protect ring 0 memory from ring 3 programs, but again, its caches and other internal state are changed, creating measurable differences. (ArsTechnica, 2018)

Patch Status:

As these flaws cannot be fixed with a firmware or microcode update alone, an OS-level fix is also required for the affected operating systems. The immediate solution comes in the form of a kernel Page Table Isolation (PTI), which separates the kernel’s memory from user processes. But this solution increases the kernel’s overhead, potentially causing the system to slow down depending on the task and processor model.
Early indications suggest that these patches mostly deal with Meltdown exploits and not Spectre, which again, is harder to exploit and to fix. In order to protect against all instances of Spectre, application-level fixes are to be expected.
  1. Windows
Microsoft has released an emergency patch this week for Windows 10 that is being applied automatically. Windows 7 and Windows 8 have also received a patch that can be applied manually while automatic updates are rolling out ahead of next Patch Tuesday.
In addition to the patch, Microsoft is warning that some third-party antivirus will create a conflict with the fix and the OS update won't be applied to those systems until the antivirus supports these changes.
Users should expect additional hardware/firmware updates from OEMs and motherboard manufacturers in the short term to complement Microsoft's patch. There is a PowerShell verification script which can be used to test and confirm whether protections have been enabled properly.
  2. MacOS
Apple has confirmed that all of its iPhones, iPads, and Mac devices are affected by the recently discovered chip flaws. The company has already released OS updates to protect users from the Meltdown attack, and a patch for Spectre will arrive "in the coming days."
Apple released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown, adding that these updates do not slow down the devices. As the Apple Watch doesn't use Intel chips, it is not affected.
  3. Linux
Linux kernel developers have a set of patches named kernel page-table isolation (KPTI) released in kernel 4.15 (currently in RC).
  4. Android
According to Google, devices with the latest security updates are protected.
  5. Cloud Services
Companies using virtualized environments are the biggest potential targets for those looking to exploit the vulnerability. Microsoft Azure, Amazon AWS and Google Cloud are all implementing fixes and claim they have already mitigated some of the risk. Expect scheduled downtime of several cloud services in the coming days.

User Checklist:
  • Update to the latest version of Chrome (on January 23rd) or Firefox 57 if using either browser
  • Check Windows update and ensure KB4056892 is installed for Windows 10
  • Check your PC OEM website for support information and firmware updates and apply any immediately.
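The patch-status section above mentions a PowerShell verification script for Windows; the Linux counterpart is to read what the kernel itself reports. The following POSIX shell script is an added example written for this page (it is not from the original post, Microsoft, or any Linux distribution): it reads the per-issue status files the kernel exposes under /sys/devices/system/cpu/vulnerabilities/ and looks for the "pti" CPU flag in /proc/cpuinfo, which the x86 kernel sets when kernel page-table isolation is active. Both paths are parameters, and the make_fixture helper builds a constructed sysfs directory so the check can be exercised on a machine that is not an affected host; the "Vulnerable" and "Mitigation: ..." strings follow the kernel's own format.

```shell
#!/bin/sh
# Added example (not from the original post): report Meltdown/Spectre
# mitigation status on a Linux host from the kernel's own sysfs report.

# Usage: report_mitigations <vulnerabilities_dir> <cpuinfo_file>
# Prints one "<issue>: <status>" line per issue plus the pti flag state.
# Returns 0 only when every issue reports a mitigation (or "Not affected").
report_mitigations() {
    vuln_dir=$1
    cpuinfo=$2
    rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        f="$vuln_dir/$issue"
        if [ -r "$f" ]; then
            status=$(cat "$f")
        else
            # Kernels that predate the sysfs report give no answer at all;
            # treat "unknown" as not confirmed mitigated rather than as safe.
            status="Unknown (no sysfs report)"
        fi
        printf '%s: %s\n' "$issue" "$status"
        case $status in
            Mitigation:*|"Not affected") ;;
            *) rc=1 ;;
        esac
    done
    # KPTI shows up as the word "pti" in the cpuinfo flags line on x86.
    if grep -Eq '(^|[[:space:]])pti([[:space:]]|$)' "$cpuinfo" 2>/dev/null; then
        printf 'pti flag: present\n'
    else
        printf 'pti flag: absent\n'
    fi
    return $rc
}

# Build a constructed sysfs/cpuinfo fixture (example data, not from a real
# host). Arguments: <meltdown_status> <cpu_flags>. Prints the fixture dir.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/vulnerabilities"
    printf '%s\n' "$1" > "$dir/vulnerabilities/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$dir/vulnerabilities/spectre_v1"
    printf 'Mitigation: Full generic retpoline\n' > "$dir/vulnerabilities/spectre_v2"
    printf 'flags\t\t: %s\n' "$2" > "$dir/cpuinfo"
    printf '%s\n' "$dir"
}

# Stand-alone run: an unpatched fixture, a patched fixture, then the live host.
unpatched=$(make_fixture "Vulnerable" "fpu sse2")
report_mitigations "$unpatched/vulnerabilities" "$unpatched/cpuinfo" || echo "=> fixture 1: NOT mitigated"
patched=$(make_fixture "Mitigation: PTI" "fpu sse2 pti")
report_mitigations "$patched/vulnerabilities" "$patched/cpuinfo" && echo "=> fixture 2: mitigated"
report_mitigations /sys/devices/system/cpu/vulnerabilities /proc/cpuinfo || echo "=> this host: NOT confirmed mitigated"
rm -rf "$unpatched" "$patched"
```

The non-zero return on a missing status file is deliberate: an older kernel that cannot report on Meltdown has not been patched for it, so "unknown" must not be read as "safe" by any fleet inventory that wraps this check.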
White Papers:


Author: Wapack Labs, Asia Desk
Contact the Wapack Labs for more information: 603-606-1246, or

Saturday, December 30, 2017

2018 Cyber Security Threat and Vulnerability Predictions

This report encapsulates our predictions regarding the most significant cyber threats and vulnerabilities for 2018.

Phishing. Phishing continues to be at the top of the list for delivery and exploitation. It works, and shouldn’t be expected to slow down any time soon.

Distributed Denial of Service (DDoS) attacks appear to be losing some of their appeal. LizardSquad/DD4BC glorified DDoS, but large-scale adoption of common tools and botnets appears to be decreasing in popularity (Phantomsquad, Armada, etc.). We expect to see continued use of DDoS attacks by hacktivism-motivated actors, by those wishing to create noise for effect, and within the gaming communities as an entry into DDoS and IoT DDoS botnets, but other tools, like ransomware, appear to be growing in popularity while DDoS appears to be shrinking.

Credential Targeting. In almost any breach, the holy grail of targeting is a domain server, Active Directory, or another location where credentials can be stolen and used. Unfortunately, account credentials are becoming increasingly available. Keyloggers, misconfigurations, cloud computing, and the expansion of increasingly complex interconnected heterogeneous networking have led to massive losses of credentials. As recently as December 2017, a cache of 1.4 billion credentials was made available in an underground forum. Credentials in the wrong hands can enable a host of malicious activity, from automated "credential stuffing" and account takeover to targeted attacks. The reported use of personal email accounts for official business, combined with the current availability of these credentials, indicates the year 2018 will likely see additional leaks of sensitive data and correspondence.
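Credential stuffing with a leaked cache like the one described above has a distinctive shape in a login log: one source trying many different accounts, and one account being tried from many sources. The following POSIX shell script is an added example written for this page (not from the original report or any Wapack Labs tool) that flags both patterns with awk. The log format, field order, thresholds and all addresses and usernames are constructed for the example; a real deployment would feed it the corresponding fields from its own authentication logs.

```shell
#!/bin/sh
# Added example (not from the original report): flag credential-stuffing
# patterns in a login log. Record format, constructed for this example:
#   <epoch> <client_ip> <username> <result>    result is OK or FAIL

# Constructed sample: 203.0.113.5 cycles through many accounts (stuffing),
# 198.51.100.7 is one user mistyping a password, and "heidi" is tried
# from several addresses (a targeted account).
SAMPLE_LOG=$(cat <<'EOF'
1514764800 203.0.113.5 alice FAIL
1514764801 203.0.113.5 bob FAIL
1514764802 203.0.113.5 carol FAIL
1514764803 203.0.113.5 dave FAIL
1514764804 203.0.113.5 erin FAIL
1514764805 203.0.113.5 frank OK
1514764810 198.51.100.7 grace FAIL
1514764811 198.51.100.7 grace FAIL
1514764812 198.51.100.7 grace OK
1514764820 192.0.2.10 heidi FAIL
1514764821 192.0.2.11 heidi FAIL
1514764822 192.0.2.12 heidi FAIL
1514764823 192.0.2.13 heidi FAIL
EOF
)

# Usage: flag_stuffing_sources <min_failures> <min_distinct_users>  (log on stdin)
# Prints "stuffing-source <ip> <failures> <distinct_users>" for each source IP
# whose failed attempts and distinct usernames both reach the thresholds.
flag_stuffing_sources() {
    awk -v min_fail="$1" -v min_users="$2" '
        $4 == "FAIL" {
            fail[$2]++
            if (!seen[$2 SUBSEP $3]++) users[$2]++
        }
        END {
            for (ip in fail)
                if (fail[ip] >= min_fail && users[ip] >= min_users)
                    printf "stuffing-source %s %d %d\n", ip, fail[ip], users[ip]
        }'
}

# Usage: flag_targeted_accounts <min_distinct_ips>  (log on stdin)
# Prints "targeted-account <user> <distinct_ips>" for usernames that failed
# from at least that many distinct source addresses.
flag_targeted_accounts() {
    awk -v min_ips="$1" '
        $4 == "FAIL" { if (!seen[$3 SUBSEP $2]++) ips[$3]++ }
        END {
            for (u in ips)
                if (ips[u] >= min_ips)
                    printf "targeted-account %s %d\n", u, ips[u]
        }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | flag_stuffing_sources 5 5
printf '%s\n' "$SAMPLE_LOG" | flag_targeted_accounts 4
```

Counting distinct usernames per source, rather than raw failures, is what separates a stuffing run from one forgetful user: 198.51.100.7 fails twice but against a single account and never trips the rule.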

Democratization of cyber weapons.  2017 saw the most high-profile ransomware attack to-date with the Wannacry worm. Wannacry took advantage of publicly available exploits leaked by ShadowBrokers.  If more exploit leaks are forthcoming from ShadowBrokers or other sources, then their adoption by cyber criminals or other nation states is a near certainty and should be expected to not only continue, but to grow.

2018 is the year of fighting and winning against the abuse of the Tor network. The Tor network is shrinking due to the new-found ability to scan for IP leaks with an onion scanner. The need for compromised systems for web hosting is high and will remain great. Despite the Tor network shrinking, it remains the host of choice for ransomware and scanning/enumerating. The Tor network's continuing IP leaks may prove to be a good way of attributing ransomware.

Macro Malware. The popularity of malicious macros for malware delivery remained strong in 2017. The latter part of 2017 saw increased obfuscation of malicious macros to bypass email-based detection. Macro malware can easily achieve low anti-virus detection, and there are infinite possibilities when it comes to obfuscation. Because of the ease of development and deployment and the opportunity for success, this trend will continue into 2018 and beyond.

Geopolitical tensions. Iran and North Korea tensions continue. With Russia intensifying contacts with North Korea and Iran, it is highly likely that both Iranian and North Korean APT groups will gain more access to Russian APT expertise. Cyber has become the equalizer, and countries with little diplomatic leverage and lesser military power are using cyber as a weapon of choice, both in force and in influence. As well, the introduction of asynchronous warfare into election scenarios is likely the tip of the iceberg. Wapack Labs has reported several times on sources of fake news. The idea of manipulating behavior through public influence, whether by cyber, by advertising, or by fake news, will grow through 2018.

Blockchain-related cybercrime. With the establishment of Bitcoin futures and general interest in blockchain technologies, exploitation in this field grows too. Blockchain will continue to receive investment but at the same time will receive corporate metrics to determine its value. As volatility continues in emerging markets, more people will try to hedge against inflation with bitcoins. Phishing and stealing cryptocurrency are on the rise. Bitcoin exchanges will continue to be targeted. Botnets and simple JavaScript inserts are used to mine cryptocurrency. New software in smart contracts and other blockchain-related infrastructure will continue to be exploited and will grow in complexity and losses.

For questions or comments regarding this report, please contact the lab directly at 603-606-1246, or

Saturday, December 16, 2017

Iran, Blacklists and Red Sky Small Business

On Tuesday, the 60 day deadline Trump gave Congress to fix or scrap the 2015 Iran nuclear deal passed, leaving another deadline in mid-January for the State Department to act. Will it happen? Who knows, but what we do know is that cyber activity associated with pro-Iranian hackers appears to have been escalating over the last month, targeting organizations in the US, Qatar, Saudi Arabia, and others.

Photo credit: Reuters

Earlier this year the Saudi government warned telecommunications companies of cyber attacks against 15 organizations, including the Saudi Labor Ministry, and Sadara, a venture between Saudi Aramco and Dow Chemical.

Wapack Labs is currently tracking 13 cyber groups with varying levels of pro-Iranian sentiment or Iranian association, ranging from possible government sponsorship (APT) to pro-Iranian hacktivism.

Why do we care? In 2014, leading up to John Kerry sealing the original deal, we watched what we believed to be both APT and pro-Iranian hackers stockpile cyber tools, and we called out the idea that if the deal went badly for Iran, both Iranian hackers and their cyber allies could be preparing to use cyber as a possible equalizer.

Many of the tools that we saw being gathered back then took advantage of opportunistic targeting --they scanned a broad area of the internet and the tools automatically targeted those organizations that had openings that could be exploited through automation. At the same time, backdoors and other tools are used for targeted approaches against organizations of prominence or significance. This is not a new tactic. During the Petya/Not-Petya campaign, we reported that below the noise of the ransomware a second attack was operating that was targeting specific organizations in an attempt to steal credentials.

Cyber is the equalizer and will always be involved where there's geopolitical risk.

Starting in the mid-90's we watched the Mexican Zapatistas use DDoS tools against places like the German Stock Exchange to garner support for their cause. Since then, hundreds of other organizations have followed suit, whether to bring support to a cause, to attempt to change the outcome of an impending action, or for retribution. Even back then, the Zapatistas were not the direct actor in the fight; rather they allied with hacker groups who built DDoS tools and took their fight to public organizations --the German Stock Exchange, because they knew the action would appear in the news, and if associated, would bring attention to their cause. The effectiveness of this action could be debated. I'm probably one of a handful of people that tracked it enough to know the story.

That being said, I tell my team on a daily basis "Where there's geopolitical risk, there will always (now) be a cyber threat to someone". The Iranian story is no different.

In the past 45 days or so, we've seen long standing backdoors being used by actors who've been attributed by us and others to operating for, or operating in support of Iran.

In the last 18 days we've seen an uptick of a new attack profile with characteristics similar to previous attacks. If the linkage is true, then we've likely seen the escalation.


Changing gears. We're heading into Christmas. Last week we ran two days of fraud related presentations -one for Red Sky Alliance members, and one for the general public. Our second day was announced through a public service announcement on WMUR, the local ABC affiliate in New Hampshire, and for those of you who attended, we hope you found it useful.  Throughout the holiday period we've been publishing Black lists with monitor and/or block recommendations for addresses ranging from fraud to theft. Thank you to those of you who've provided feedback.

Last, we've opened the Red Sky Small Business Alliance - a no-cost location for small businesses to come for help. If you qualify as a small business under the SBA rules, please, feel free to join us. Both Red Sky Alliance and Red Sky Small Business Alliance are now officially registered with DHS as Information Sharing and Analysis Organizations, affording the CISA legal protections to those who request assistance.

Red Sky Small Business can be found at

As always, if you have any questions on services offered or membership in the information sharing environments, drop us a note.

Until next time,
Have a great weekend.

Saturday, December 09, 2017

Keyloggers in HP Drivers? Not sure, but… Healthcare? Retail? Money?

I received one of those updates from one of those lists on LinkedIn this morning. The headline read "Keylogger found in HP Printer Driver". When I went to read the piece —keyloggers interest me —the piece had been removed from LinkedIn. The idea that the piece is removed might mean it was false, or premature… I'm not sure. What I do know is this… Keyloggers are a pervasive, cancerous threat to information security and the operations that worry about it.

Yesterday during a CTAC demo for a large healthcare company, I ran a quick demo using the API. I pulled everything from every sinkhole that we monitor for anything with the word 'health' in the industry field, domain, or email address.

This one query showed 8990 records going back to 2016, 855 in 2016 —significantly lower, and 73 unique addresses being sent to 23 sinkholes.

We know of roughly 1250 sinkhole locations that capture everything from healthcare to bank accounts to porn. The idea that HP print drivers are (may be) compromised with keyloggers would not be surprising.

The idea that we can pull meta data on these sinkholes during a live demo and have findings in almost every industry both thrills me as a collector and scares the hell out of me as a security guy.

The idea that there are keyloggers in HP Print drivers? This is yet to be seen, but I'd probably speculate that many drivers are likely compromised. Remember VPN drivers under XP? Who'd have thought those would have been compromised?

Keyloggers, from an attacker perspective, are low skill high payoff attacks. Deploy, wait to be clicked, let it report back and collect the goods.

I'm keeping it short this week.
Until next time,
Have a great weekend (in the snow?)

Saturday, December 02, 2017

Announcing: Red Sky Small Business Alliance and a Day of Presentations

In the last few years we've had more and more experiences with small business —banks, credit unions, port operators, supply chain companies, local NH companies, etc. —primarily in the area of fraud —account takeover, card not present, new accounts, business email scams, etc., and it's only getting worse as fraud crosses information security boundaries and many are left simply not knowing where to turn.

Heading into '18, we decided to extend a hand. We wanted to do something for/with small business. Small business by the SBA is defined as 1-500 employees, or a manufacturer, up to 1500. 

Announcing the Red Sky Small Business Alliance. Red Sky Small Business Alliance is a no-cost community of companies who need cyber help. Risk assessments, architecture support, log reviews, incident response support, forensics, best practice, and more. We have someone that can help.

If you're a small business, please join us this Thursday for a day of Fraud related educational presentations as we announce the newest Wapack Labs service, the Red Sky Small Business Alliance. The day is offered at no charge. We'll start the day with a brief intro to the new Alliance, followed by one of our most popular speakers and talks, Elizabeth (Liz) Shirley, the head of our Fusion Intelligence Team.

We have 100 seats available for the day. Come in for the day, or in and out as you desire. Registration is on Eventbrite.

When:     Thursday December 7th
Time:      9-4 EST
Where:   A bridge will be provided after registration

The Red Sky Small Business Alliance presents a well-timed online event -- 'CYBER FRAUD FOR CHRISTMAS'. Please join top cyber professionals as they share a series of presentations on fraud topics including scams, malware, and viruses.

Included in this presentation is a Threat Intelligence University (TIU) seminar on Scripting for Analysis & Hunting
Sign up now, only 100 online seats available. Bridge information will be provided after you register. No tickets needed.


9:00 to 9:15 AM -- Introduction
Jeff Stutzman, CISSP | Chief Intelligence Officer & Co-Founder

9:15 to 10:00 AM -- Post Data Breach ID Fraud & Mitigations
Liz Shirley | Technical Director, Intelligence & Analysis

10:00 to 10:15 AM -- Cyber Fraud: Skimmers and ATM Malware
Chris Alexander | Cyber Analyst

10:15 to 11:30 AM -- How The Cyber Grinch Stole Christmas: Social Engineering And Scams Around Holidays And Major Events
Technical Support scams, viruses/phishing pages, and holiday scams.
Jesse Burke | Advanced Cyber Analyst

11:30 to 11:45 AM -- Typosquatting – What’s in a Name?
Scott Hall | Jr. Cyber Analyst

11:45 to 12:15 PM -- Evolutions in Business Email Scams
Aure Hakenson | Cyber Analyst

12:15 to 1:00 PM -- Hacking People's Lives with Google Sync
In reference to the recent Google Docs hack that went around, we will cover some of the unseen and convenient features that Chrome offers. If an account is compromised, these features can be used to exploit the end user and other accounts tied to the browser and email.
Sean Hopkins | Senior Security Engineer, H2L Solutions

1:00 to 2:00 PM -- Block Chain-Related Fraud
Yuri Polozov | Eurasia Desk Analyst

2:00 to 3:30 PM -- Threat Intelligence University (TIU) – Scripting for Analysis & Hunting
Chris Hall | Co-Founder, Principal Engineer

3:30 to 3:45 PM -- Closing Remarks
Jeff Stutzman, CISSP | Chief Intelligence Officer & Co-Founder