This is bad architecture. Let me show you why.

 

I have Comcast. Most of my clients do, too -business and executive homes. In 100% of cases when we walk in the door and see this very basic internet architecture, we know that you're already hacked. Why? Comcast, Frontier, Verizon, Spectrum; it doesn't matter who you use, this architecture provides ZERO protection from what's happening on the internet. 

Take six and a half minutes out of your day and watch this short cybersecurity education burst. I think you'll find it useful. 

Trusted Internet regarding the Colonial Pipeline Hack

On May 10, the FBI announced that on Friday, May 7, a group known as Darkside was responsible for a ransomware attack that effectively shut down the operation of the Colonial Pipeline. This morning, it was reported that Colonial Pipeline paid $5 mil in ransome tor restore operations.

DarkSide’s team is considered relatively professional and organized.  The group even has a dedicated phone number and a helpdesk to facilitate negotiations with its victims.  DarkSide has traditionally presented itself to be quite meticulous in using this process to collect information from the victim to only use its ransomware on the “right targets.” This stems from the claim that DarkSide is only interested in extorting large for-profit businesses and has even attempted to donate a portion of its earnings to various charities.  Further analysis of the group’s historic attacks shows that only western, English-speaking companies have been targeted with a mandate to exempt companies in Soviet states grouped under the Commonwealth of Independent States (CIS) coalition, including Georgia and Ukraine, hinting at the origins of the group.

DarkSide is a relatively new actor that presents itself as an independent for-profit group that follows the RaaS (ransomware-as-a-service) model touting new ransomware, DarkSide 2.0, equipped with the “fastest encryption speed on the market.” Along with conducting its ransomware operations, the group also markets and sells its software and tools to other hacking groups. 

 

Darkside 2.0 features multithreading in both Windows and Linux versions.  The Linux version of the ransomware can now target VMware ESXi vulnerabilities, meaning it can hijack virtual machines and encrypt their virtual hard drives targeting network-attached storages (NAS), including Synology and OMV.  A unique feature of the DarkSide ransomware is that it targets domain controllers, which puts the entire network environment at risk.

What have we done about it, and is your company at risk? 

Trusted Internet utilizes a defense-in-depth approach to protect our clients from ransomware attacks such as DarkSide.  Trusted Internet’s cybersecurity solution detects and prevents ransomware deployment from several aspects. 

• As information has come available, Trusted Internet has been combing our logs for indicators of Dark Side activities.
• As well, while we do participate in some of the larger information sharing environments, any intelligence offered has been validated and loaded into firewalls and endpoint solutions. 
• We continue to remain vigilant for updates in other kinds of pre-ransomware attacks, including loaders, installers, and dormant code.
• Last we've been working with our security vendors to ensure the latest indicators are loaded, in an effort to keep our customers safe and free of ransomware. 

Our 24/7 Security Operations Center monitors both next-generation firewalls and our Secure Workstation endpoint software to protect your corporate network and devices. These systems are specifically designed to prevent this type of and other attacks.  To keep up with the ever-evolving threat landscape, our internal systems and deployed equipment and software are uniquely equipped and constantly updated in real-time with the latest threat intelligence to stay ahead of malicious actors and malware.  

From an Intelligence and Analysis perspective, we continue to monitor the situation. We receive intelligence from dozens of high-quality, reliable sources and will update your firewalls with any additional information as it is received and validated.

 

In the meantime, if you are a Trusted Internet Cyber Security client, you are already protected. If you are interested in establishing cybersecurity services to secure your network, Trusted Internet can assist immediately.

If you're concerned or have had a problem or breach, please contact Trusted Internet to speak with a Virtual CISO^® today. 

Contact our 24x7 Security Operations Center at 800-853-6431, or staysafeonline@trustedinternet.io.

www.trustedinternet.io

Keep your company digital assets available, and safe: "Two is One and One is None"

I received a call yesterday from my insurance agent. He works for a large company; you'd know the name. He told me that when the entire company went remote, their connection to the home office dropped for about a day. This is not the first company that I've heard this about. In our haste to go quickly to remote work, many companies failed to plan for redundancies and choke points. The good thing? The fixes aren't hard:

Here are some simple things to consider as we normalize in our potential for longer-term quarantine.

When it comes to terminating VPNs at the border, think redundancy

Many companies use a Next-Generation Firewall (NGF) at the edge. NGFs are great little boxes, filled with features --traditional firewalls, routing, intrusion prevention, anti-malware and SSL and IPSec VPN Concentrators.  Here's the problem: in generic terms, if you turn on VPN and Intrusion Prevention in many of these firewalls, performance drops... fast. You could lose as much as 70% of your speed. Add in SSL Inspection, and that amazing hardware-based box comes to a screeching halt, crawling, frustrating workers and costing the company valuable productivity time. What to do about it:

• Separate those duties into independent functions
• Consider adding High Availability (HA) pairs to allow for failover
• Have a backup plan if you find your current inbound bandwidth swamped

Separate those duties into independent functions. Isolate VPN Concentration from protection. Use one machine (firewall, router, VPN concentrator) to terminate VPNs at the company edge, and the NGF for edge firewalling, IPS, anti-malware, etc. You'll find that your employees will be much happier.

Consider adding High Availability (HA) pairs to allow for failover.  High availability is the

pairing of two devices together so that if one fails, the other automatically takes over. Every device that we've used has the ability to be paired in high availability mode. Why? Three nights ago we saw an ASA fail because of the heavier workload. When it finally failed, the connection simply rolled over to the second firewall, allowing remote operations to continue, almost without issue, until the first machine could be updated to the newest OS.  In the world of firewalls, two is one and one is none. If you have HA paired firewalls, if one fails, the other continues. If you only have one, your remote workers lose access to the company and productivity stops.

Have a backup plan if you find your current bandwidth is swamped.  Most companies had planned for only a fraction of their workforce to be remote --sales, executives, support, and maybe a few dedicated telecommuters. If you had 100Mb of bandwidth set aside for remote access for 10% of your company, how much bandwidth will you need when the other 90% gets quarantined? The math isn't hard. Look at what's used internally, taking into consideration actual utilization, and plan.

--------------------------------------------

TRUSTED INTERNET IS A MANAGED SECURITY SERVICES PROVIDER

We install next-generation firewalls, managed antivirus, and an anti-evasion toolkit in your home or office, and then monitor and manage them remotely, 24x7. If we see a threat, we stop it.

Contact us

800-853-6431

staysafeonline@trustedinternet.io

No Cost NIST 800-171 Self Assessment

Did you know that last week, Lockheed Martin won a $1 billion contract to build hypersonic aircraft and technologies? 

Did you also know that NIST 800-171 compliance is going to be required to participate on the contract?

I thought I might take an opportunity to present an 'easy button'. We took the NIST Assessment document and turned it into a no cost, no obligation, online Self Assessment.  Fill in the correct contact information (as opposed to fake contact information) and at the end, we'll send you your individual responses.

The self assessment is located here: https://www.surveymonkey.com/r/BKTXJ89

If you're a small business (<500 alliance="" also="" and="" ask="" at="" business="" businesses:="" can="" charge="" corner="" employees="" for="" help="" in="" nbsp="" need="" no="" ompliance="" provided="" questions="" red="" sky="" small="" span="" the="" you="">https://redsky-sba.ning.com/compliance-corner.

Good luck.
Jeff

What are Meltdown and Spectre? Should you be concerned?

We posted this analysis in the Red Sky Small Business Alliance portal. Red Hat Videos deserves kudos.. they do a wonderful job of describing where these bugs come from and one of our newer analysts offers a short analysis, written in plain english, describing the bugs in more detail. 

Source: Red Hat Videos - Meltdown and Spectre in 3 minutes

Meltdown and Spectre are two major flaws that affect all modern computers based on processors from Intel, AMD and ARM. Discovered and named by the team of security researchers as part of Google Project Zero, both of these flaws potentially allow hackers to steal personal data from computers, including cloud servers and mobile devices.

The disclosure date for the flaws were set for January 9, 2018 but due to premature reports, growing speculation and risk of exploitation, the information was revealed sooner and patches are just being made available for some platforms.

Meltdown

Spectre

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system. If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure.

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre Spectre is harder to exploit than Meltdown, but it is also harder to mitigate.

Both these critical CPU flaws come down to how a CPU handles cache and optimizes execution techniques which results in a user getting access to kernel memory.

Cache Management and Speculative Execution:

Processors use a concept of rings to protect kernel memory from user programs. x86 processors have lots of rings, but for this issue, only two are relevant: "user" (ring 3) and "supervisor" (ring 0). When running regular user programs, the processor is put into user mode, ring 3. When running kernel code, the processor is in ring 0, supervisor mode, also known as kernel mode.

These rings are used to protect the kernel memory from user programs. The page tables aren't just mapping from virtual to physical addresses; they also contain metadata about those addresses, including information about which rings can access an address. The kernel's page table entries are all marked as only being accessible to ring 0; the program's entries are marked as being accessible from any ring. If an attempt is made to access ring 0 memory while in ring 3, the processor blocks the access and generates an exception. The result of this is that user programs, running in ring 3, should not be able to learn anything about the kernel and its ring 0 memory.

Every modern processor performs a certain amount of speculative execution. For example, given some instructions that add two numbers and then store the result in memory, a processor might speculatively do the addition before ascertaining whether the destination in memory is actually accessible and writeable. In the common case, where the location is writeable, the processor managed to save some time, as it did the arithmetic in parallel with figuring out what the destination in memory was. If it discovers that the location isn't accessible—for example, a program trying to write to an address that has no mapping and no physical location at all—then it will generate an exception and the speculative execution is wasted.

Intel processors, specifically—though not AMD ones—allow speculative execution of ring 3 code that writes to ring 0 memory. The processors do properly block the write, but the speculative execution minutely disturbs the processor state, because certain data will be loaded into cache and the TLB in order to ascertain whether the write should be allowed. This in turn means that some operations will be a few cycles quicker, or a few cycles slower, depending on whether their data is still in cache or not. As well as this, Intel's processors have special features, such as the Software Guard Extensions (SGX) introduced with Skylake processors, which slightly change how attempts to access memory are handled. Again, the processor does still protect ring 0 memory from ring 3 programs, but again, its caches and other internal state are changed, creating measurable differences. (ArsTechnica, 2018)

Patch Status:

As these flaws cannot be fixed with a firmware or microcode update alone, an OS-level fix is also required for the affected operating systems. The immediate solution comes in the form of a kernel Page Table Isolation (PTI), which separates the kernel’s memory from user processes. But this solution increases the kernel’s overhead, potentially causing the system to slow down depending on the task and processor model.

Early indications suggest that these patches mostly deal with Meltdown exploits and not Spectre, which again, is harder to exploit and to fix. In order to protect against all instances of Spectre, application-level fixes are to be expected.

1. 1.     Windows

Microsoft has released an emergency patch this week for Windows 10 that is being applied automatically. Windows 7 and Windows 8 have also received a patch that can be applied manually while automatic updates are rolling out ahead of next Patch Tuesday.

In addition to the patch, Microsoft is warning that some third-party antivirus will create a conflict with the fix and the OS update won't be applied to those systems until the antivirus supports these changes.

Users should expect additional hardware/firmware updates from OEMs and motherboard manufacturers in the short term to complement Microsoft's patch. There is a PowerShell verification script which can be used to test and confirm whether protections have been enabled properly.

1. 2.     MacOS

Apple has confirmed that all of its iPhones, iPads, and Mac devices are affected by the recently discovered chip flaws. The company has already released OS updates to protect users from the Meltdown attack, and a patch for Spectre will arrive "in the coming days.”

Apple released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown, adding that these updates do not slow down the devices. As the Apple Watch doesn’t use Intel chips, it is not affected.

1. 3.     Linux

Linux kernel developers have a set of patches named kernel page-table isolation (KPTI) released in kernel 4.15 (currently in RC).

1. 4.     Android

According to Google, devices with latest security updates are protected.

1. 5.     Cloud Services

Companies using virtualized environments are the biggest potential targets for those looking to exploit the vulnerability. Microsoft Azure, Amazon AWS and Google Cloud are all implementing fixes and claim they have already mitigated some of the risk. Expect scheduled downtime of several cloud services in the coming days.

User Checklist:

• Update to the latest version of Chrome (on January 23^rd) or Firefox 57 if using either browser
• Check Windows update and ensure KB4056892 is installed for Windows 10
• Check your PC OEM website for support information and firmware updates and apply any immediately.

White Papers:

Meltdown: https://meltdownattack.com/meltdown.pdf
Spectre: https://spectreattack.com/spectre.pdf

References:

1. https://arstechnica.com/gadgets/2018/01/whats-behind-the-intel-design-flaw-forcing-numerous-patches/

2. https://meltdownattack.com/

3. https://www.theverge.com/2018/1/4/16848976/how-to-protect-windows-pc-meltdown-security-flaw

4. https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in?ranMID=24542&ranEAID=nOD%2FrLJHOac&ranSiteID=nOD_rLJHOac-0s_BQfWnVMfvTrXJyOOiCA&tduid=(8ccb530b4211244cf9ca25d6db524960)(256380)(2459594)(nOD_rLJHOac-0s_BQfWnVMfvTrXJyOOiCA)()

Author: Wapack Labs, Asia Desk

Contact the Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com.

2018 Cyber Security Threat and Vulnerability Predictions

This report encapsulates our predictions regarding the most significant cyber threats and vulnerabilities for 2018.

Phishing. Phishing continues to be at the top of the list for delivery and exploitation. It works, and shouldn’t be expected to slow down any time soon.

Distributed Denial of Service attacks (DDoS) appears to be losing some of its appeal.  LizardSquad/DD4BC glorified DDoS but large-scale adoption of common tools and botnets appears to decreasing in popularity (Phantomsquad, Armada, etc.). We expect to see continued use of DDoS attacks from hactivism motivated actors, those wishing to create noise for effect, and between the gaming communities as an entry into DDoS and IoT DDoS botnets but other tools, like ransomware appear to be growing in popularity while DDoS appears to be shrinking.

Credential Targeting.  In almost any breach, the holy grail of targeting is a domain server, Active Directory, or another location where credentials can be stolen and used. Unfortunately, account credentials are becoming increasingly more available. Keyloggers, misconfigurations, cloud computing, and the expansion of increasingly complex interconnected heterogeneous networking has led to massive losses of credentials. As recently as December 2017, a cache of 1.4 billion credentials was made available in an underground forum. Credentials in the wrong hands can enable a host of malicious activity, from automated, "credential stuffing" and account-takeover, to targeted attacks. The reported use of personal email accounts for official business, combined with the current availability of these credentials, indicates the year 2018 will likely see additional leaks of sensitive data and correspondence.

Democratization of cyber weapons.  2017 saw the most high-profile ransomware attack to-date with the Wannacry worm. Wannacry took advantage of publicly available exploits leaked by ShadowBrokers.  If more exploit leaks are forthcoming from ShadowBrokers or other sources, then their adoption by cyber criminals or other nation states is a near certainty and should be expected to not only continue, but to grow.

2018 is the year of fighting and winning against the abuse of the Tor network.  The Tor network is shrinking due to the new-found ability of IP leak scanning with an onion scanner. The need for compromised systems for web hosting is high and will remain great. Despite the Tor network shrinking, it remains the host of choice for ransomware and scanning/enumerating. The Tor network’s continuing IP leaks, may prove to be a good way at attributing ransomware.

Macro Malware. The popularity of malicious macros for malware delivery continued strong in 2017. The later part of 2017 indicated the increased obfuscation of malicious macros to bypass email based detections. Macro malware can easily achieve low anti-virus detection and there are infinite possibilities when it comes to obfuscation. Because of the ease of development, deployment, and opportunity for success, this trend will continue into 2018 and beyond.

Geopolitical tensions. Iran and North Korea tensions continue. With Russia intensifying contacts with North Korea and Iran, it is highly likely both Iranian and North Korean APT groups will gain more access to Russian APT expertise. Cyber has become the equalizer, and countries with little diplomatic leverage and lesser military power are using cyber as a weapon of choice –both in force and influence. As well, the introduction of asynchronous warfare into election scenarios is likely the tip of the iceberg. Wapack Labs has reported several times sources of fake news. The idea of manipulation of behavior through public influence –by cyber, by advertising, by fake news will grow through 2018.

Blockchain-related cybercrime. With the establishment of Bitcoin futures and general interest to blockchain technologies, exploitation in this field grows too. Blockchain will continue to receive investment but at the same time will receive corporate metrics to determine its value. As volatility continues in emerging markets, more people will try to hedge against inflation with bitcoins. Phishing and stealing cryptocurrency is on the rise. Bitcoin exchanges will continue to be targeted. Botnets and simple JavaScript inserts are used to mine cryptocurrency. New software in smart contracts and other blockchain-related infrastructure will continue to be exploited and will grow in complexity and losses.

For questions or comments regarding this report, please contact the lab directly by at 603-606-1246, or feedback@wapacklabs.com.

Iran, Blacklists and Red Sky Small Business

On Tuesday, the 60 day deadline Trump gave Congress to fix or scrap the 2015 Iran nuclear deal

Photo credit: Reuters

passed, leaving another deadline in mid-January for the State Department to act. Will it happen? Who knows, but what we do know is that cyber activity associated with pro-Iranian hackers appears to have been escalating over the last month, targeting organizations in the US, Qatar, Saudi Arabia, and others.

Earlier this year the Saudi government warned telecommunications companies of cyber attacks against 15 organizations, including the Saudi Labor Ministry, and Sadara, a venture between Saudi Aramco and Dow Chemical.

Wapack Labs is currently tracking 13 cyber groups with varying levels of pro-Iranian sentiment or Iranian association ranging from possible government sponsorship (APT) to pro-Iranian hactivism. 

Why do we care? In 2014, leading up to John Kerry sealing the original deal, we watched what we believed to be both APT and pro-Iranian hackers stockpile cyber tools and we called out the idea that if the deal went badly for Iran, both Iranian hackers and their cyber ally's could be preparing to use cyber as a possible equalizer.

Many of the tools that we saw being gathered back then took advantage of opportunistic targeting --they scanned a broad area of the internet and the tools automatically targeted those organizations that had openings that could be exploited through automation. At the same time, backdoors and other tools are used for targeted approaches against organizations of prominence or significance. This is not a new tactic. During the Petya/Not-Petya campaign, we reported that below the noise of the ransomware a second attack was operating that was targeting specific organizations in an attempt to steal credentials.

Cyber is the equalizer and will always be involved where there's geopolitical risk.

Starting in the mid-90's we watched the Mexican Zapatistas use DDoS tools against places like the German Stock exchange to garner support for their cause. Since then, hundreds of other organizations have followed suit. If not for bringing support to a cause, to attempt to change an outcome of an impending action, or for retribution. Even back then, the Zapatistas were not the direct actor in the fight, rather they allied with hacker groups who built DDoS tools and took their fight to public organizations --the German Stock Exchange, because they knew the action would appear in the news, and if associated, would bring attention to their cause. The effectiveness of this action could be debated. I'm probably one of a handful of people that tracked it enough to know the story.

That being said, I tell my team on a daily basis "Where there's geopolitical risk, there will always (now) be a cyber threat to someone". The Iranian story is no different.

In the past 45 days or so, we've seen long standing backdoors being used by actors who've been attributed by us and others to operating for, or operating in support of Iran.

In the last 18 days we've seen an uptick of a new attack profile with characteristics similar to previous attacks. If the linkage is true, then we've likely seen the escalation.

BT

Changing gears. We're heading into Christmas. Last week we ran two days of fraud related presentations -one for Red Sky Alliance members, and one for the general public. Our second day was announced through a public service announcement on WMUR, the local ABC affiliate in New Hampshire, and for those of you who attended, we hope you found it useful.  Throughout the holiday period we've been publishing Black lists with monitor and/or block recommendations for addresses ranging from fraud to theft. Thank you to those of you who've provided feedback.

Last, we've opened the Red Sky Small Business Alliance - a no-cost location for small businesses to come for help. If you qualify as a small business under the SBA rules, please, feel free to join us. Both Red Sky Alliance and Red Sky Small Business Alliance are now officially registered with DHS as Information Sharing and Analysis Organizations, affording the CISA legal protections to those who request assistance.

Red Sky Small Business can be found at redsky-sba.ning.com.

As always, if you have any questions on services offered or membership in the information sharing environments, drop us a note.

Until next time,
Have a great weekend.
Jeff

Keyloggers in HP Drivers? Not sure, but… Healthcare? Retail? Money?

I received one of those updates from one of those lists on LinkedIn this morning. The headlines read "Keylogger found in HP Printer Driver". When I went to read the piece —keyloggers interest me —the piece had been removed from LinkedIn. The idea that the piece is removed might mean it was false, or premature… I'm not sure. What I do know is this… Key loggers are a pervasive, cancerous threat to information security and the operations that worry about it.

Yesterday during a CTAC demo for a large healthcare company, I ran a quick demo using the API. I pulled everything from every sinkhole that we monitor for anything with the word 'health' in the industry field, domain, or email address.

This one query showed 8990 records going back to 2016, 855 in 2016 —significantly lower, and 73 unique addresses being sent to 23 sinkholes.

We know of roughly 1250 sinkhole locations that capture everything from healthcare to bank accounts to porn. The idea that HP print drivers are (may be) compromised with keyloggers would not be surprising.

The idea that we can pull meta data on these sinkholes during a live demo and have findings in almost every industry both thrills me as a collector and scares the hell out of me as a security guy.

The idea that there are keyloggers in HP Print drivers? This is yet to be seen, but I'd probably speculate that many drivers are likely compromised. Remember VPN drivers under XP? Who'd have thought those would have been compromised?

Keyloggers, from an attacker perspective, are low skill high payoff attacks. Deploy, wait to be clicked, let it report back and collect the goods.

I'm keeping it short this week.
Until next time,
Have a great weekend (in the snow?)
Jeff

Announcing: Red Sky Small Business Alliance and a Day of Presentations

In the last few years we've had more and more experiences with small business —banks, credit unions, port operators, supply chain companies, local NH companies, etc. —primarily in the area of fraud —account takeover, card not present, new accounts, business email scams, etc., and it's only getting worse as fraud crosses information security boundaries and many are left simply not knowing where to turn.. 

Heading into '18, we decided to extend a hand. We wanted to do something for/with small business. Small business by the SBA is defined as 1-500 employees, or a manufacturer, up to 1500. 

Announcing the Red Sky Small Business Alliance. Red Sky Small Business Alliance is a no-cost community of companies who need cyber help. Risk assessments, architecture support, log reviews, incident response support, forensics, best practice, and more. We have someone that can help.

If you're a small business, please join us this Thursday for a day of Fraud related educational presentations as we announce the newest Wapack Labs service, the Red Sky Small Business Alliance. The day is offered at no charge. We'll start the day with a brief intro to the new Alliance, followed by one of our most popular speakers and talks, Elizabeth (Liz) Shirley, the head of our Fusion Intelligence Team.

We have 100 seats available for the day. Come in for the day, or in and out as you desire. Registration is on EventBright. 

When:     Thursday December 7th
Time:      9-4 EST
Where:   A bridge will be provided after registration

The Red Sky Small Business Alliance presents a well-timed online event -- 'CYBER FRAUD FOR CHRISTMAS'. Please join top cyber professionals as they share a series of presentations on fraud topics including; scams, malware, and viruses.

Included in this presentation is a Threat Intelligence University (TIU) seminar on Scripting for Analysis & Hunting

Sign up now, only 100 online seats available. Bridge information will be provided after you register. No tickets needed.

AGENDA

9:00 to 9:15 AM -- Introduction

Jeff Stutzman, CISSP | Chief Intelligence Officer & Co-Founder

---

9:15 to 10:00 AM -- Post Data Breach ID Fraud & Mitigations

Liz Shirley | Technical Director, Intelligence & Analysis

---

10:00 to 10:15 AM -- Cyber Fraud: Skimmers and ATM Malware

Chris Alexander | Cyber Analyst

---

10:15 to 11:30 AM -- How The Cyber Grinch Stole Christmas: Social Engineering And Scams Around Holidays And Major Events

Technical Support scams, viruses/phishing pages, and holiday scams.

Jesse Burke | Advanced Cyber Analyst

---

11:30 to 11:45 AM -- Typosquatting – What’s in a Name?

Scott Hall | Jr. Cyber Analyst

---

11:45 to 12:15 PM -- Evolutions in Business Email Scams

Aure Hakenson | Cyber Analyst

---

12:15 to 1:00 PM Hacking People’s Lives with Google Sync

In reference to the recent Google Docs hack that went around, we will cover some of the unseen and convenient features that Chrome offers. If an account is compromised, these features can be used to exploit the end user and other accounts tied to the browser and email..

Sean Hopkins | Senior Security Engineer, H2L Solutions

---

1:00 to 2:00 PM -- Block Chain-Related Fraud

Yuri Polozov | Eurasia Desk Analyst

---

2:00 to 3:30 PM -- Threat Intelligence University (TIU) – Scripting for Analysis & Hunting

Chris Hall | Co-Founder, Principal Engineer

---

3:30 to 3:45 PM -- Closing Remarks

Jeff Stutzman, CISSP | Chief Intelligence Officer & Co-Founder

REGISTER

Grand Challenge: Victim Notification at Scale

I've been thinking about this for several years. There are several people out there using the term "Grand Challenge" — Bill Joy, Bill and Melinda Gates, and others. I think it applies here. 

I have a friend who is a police officer in the mid-west. His wife owns a one person candy store that takes orders for her hand made candy over the internet. She has an online order form, will take orders via a non-toll free telephone number, and she lists a gmail account for her company. My friends wife could just as easily be a three person credit union, a mom and pop logistics shop, or a hair dresser making appointments on his/her iCloud calendar. 

In 2010 there were 27.9 million small businesses, and 18,500 frms with 500 employees or more. Over three-quarters of small businesses were nonemployers —one sole proprieter. 

Why do we care? 

According to the Independent, Google says that phishing attacks pose the “greatest threat” to users of its services.  The company has studied the ways in which hackers steal people’s passwords and break into their accounts. In the space of 12 months, it found 788,000 login credentials stolen via keyloggers (tools that secretly record every key you press), 12 million stolen via phishing (a method of tricking you into giving up your personal information), and 3.3 billion exposed by third-party data breaches.

Last week we blogged about the problems that we identified when attempting to notify individuals and small company victims of breach. These did not include the 3.3 billion exposed by third-party breach, rather, those who were infected by keylogger, phishing, drive-by, spam, or automation. What is the process for notifying not only the nearly 13 million Google users mentions above, but also the 22 million showing up in our sinkholes, and the hundreds of millions showing up in others?

Who notifies my friend's wife when her computer gets breached and her customer accounts —payment information, shipping (presumably their home) address, and other privacy information is stolen by unscrupulous cyber thieves? 

As far as I can tell, nobody.

Nobody notifies them. The identity monitoring services would never see the kinds of activity that Google (or we, as intelligence providers) see. They can sign on to notification sites like Have I Been Pwned, but HIBP doesn't run sinkholes either, so they wouldn't know. Troy specializes in third party breach notification, not intelligence.

Let’s fix that.

Last year we sent almost 200,000 notifications to abuse email accounts listed in companies domain registrations. This came with mixed feedback -some positive, mostly negative.  This year we sent notifications to individuals. Out of all of the emails sent, we were marked as spam only once (thank you!), and earned a 97% reputation score with our transactional email provider. The email might have been worded better, but in talking with one of our Red Sky members, we were told that they too had received similar mixed feedback when attempting their own notification campaigns.

Today, from Sinkhole collections alone, we have recorded over 22 million sinkhole connections reaching out to command and control (C2) nodes that we own.  What does that mean? It means that there are a ton of people out there who have no idea that they've been infected, and nobody else who is going to tell them about it. Worse, my bet is, they have no idea where to get help? 

One company? Ten? Fifty?  That's easy… How do we handle 22 million? Should it be done by a government? The US? The National CERTS? Where is the clearing house? And with the numbers growing exponentially, it's only going to get worse. 

I see this as a Grand Challenge scale opportunity —one that is never going to be fixed with current technology, rather requiring education. 

Thoughts? grandchallenge@wapacklabs.com

A Veterans Day Message

It's Veterans Day, and instead of my normal blog, I wanted to take a moment and acknowledge the vets, and the vet interns that we've brought into our small company.  We're small, but we pitch in where we can, and we very much enjoy training returning vets to do what we do. 

So first, to our team. These guys are the mentors, peer analysts, and instructors:

• Me? USN and USCG
• Chris: USA 
• Liz: USAF
• Bill: CGIS (Ret) - Heads up our Veteran program (Thank you!)
• Mac: USMC-R
• John: USAF (Ret)
• Pedro, USMC (Introduced through Audrey at the VA, and full scholarship recipient at SNHU)
• Brent, USMC (Introduced through Audrey at the VA)

And to our interns — Some did 15 weeks for credit, others have been here much longer. Some decide to stay even after the semester. To Audrey at the Manchester VA Hospital,  the myriad of people in the Veteran and placement offices at Southern NH University, and Peter at Manchester Community College; Thank you for helping us help returning vets:

• Jeremy (and buddy!), USMC (Former Wapack Analyst and full scholarship recipient at MCC)
• Chris, USA (and SNHU student)
• Jessica, USA (and SNHU student)
• Phil, USN (and SNHU student)
• Shannon, USA 
• Matt, US?? (and SNHU student)
• Travis, USA
• Inbound in January: Thomas, USMC and Manchester Community College

BZ! 

Thank you!

Jeff

Reducing complexity!? Small business?

A few minutes ago I heard a security pro giving an interview on television. He says that one of the best things that a company can do is reduce complexity. I don't disagree. However… the graphic shown here is VERY old, but I love it. The story it tells is amazing…

I consider myself an expert in IT risk. I think about it often. I think about the complexity that's built into our own computing and the things that hide either just below the surface, or sitting just outside the fence waiting for someone to leave a door open, even a little bit. I used to give a talk.. it was about an hour long and one slide. This one slide talk discusses how in any given environment, if you follow any one of the standards (NIST, SANS Top 20, ISO), there are at least 100 things that you need to do right every minute of every day —and if you miss one? The door's left open and those automated threats are always there; always standing by the ready waiting to pounce.

So let's think about this for a moment… lets frame the scenario.  Let's say you're a small business; a 20 person company with public facing internet, an online ordering system, and you produce something that's distributed digitally or in a storefront.  Your computing environment might look like this:

• 20 employees, each with two (or more) devices (computer and mobile phone).. 40 devices
• Servers and storage —handling digital data, processing work product, etc… 30 devices
• You probably have some kind of cloud environment.. maybe your hosted in one?
• You'll likely use several Software as a Service providers one or more of your internal needs —Google Corporate Apps, Microsoft Office, or something else. 
• VPN access into remote areas for sensitive work
• VPN access into the company for remote workers
• Externally facing operations —public facing web servers, databases, etc.
• Externally facing customer touchpoint —registration pages, shopping carts, etc.

Immediately, you can see, you have 40 user endpoints, plus 30 server/storage endpoints, plus the network infrastructure that connects them… 

You've got cloud infrastructure, customer facing infrastructure, email in the cloud. You're probably processing credit cards, and for all of this, you have absolutely no idea how many additional endpoints you've got data passing through or sitting on. 

And then, you've decided to implement your security standard… remember that 100 number that I talked about? It's probably conservative, but for even your small company, you only have direct visibility and control over a small portion of your total computing environment!

AND your stuff is probably in a cloud that HOSTS bad stuff —because they all do,  but that's a story for another blog! 

As well, buy any computer today —Mac or PC, and default storage is in the cloud. Wow! And if you try and turn it off, it gives you a warning that you'll lose access to your stuff! 

So, where do we reduce complexity? It seems to me like it's built into the process. It's one of the reasons that I love the intelligence and risk roles so much. I'm like the weather man.. I don't (and won't) be right all of the time, but if I'm right more times than not, it's good. As a defender, you've got to be right every time. And the owner has to be able to pay for it all… and it's not cheap.

I get the question almost every time I speak in public —"What do you guys do?" We are a small company, and as an intelligence company, obviously we're targeted. We've set up controls but we must also stand guard. We trust some things in the cloud but not others. Our sensitive stuff is moated off —sometimes multiple times, and with few exceptions, passwords are dead to us. We require two factor authentication for just about everything. And as important as everything else? We know where the highest priority threats are coming from. 

Want to know more? Join us. I'll give you a presentation and show you how we do it!

Reduce complexity? I'm not sure that's even possible anymore, but I am sure that there are ways to offset it. 

Intelligence is one of the best value items that money can buy… It shouldn't cost you an arm and a leg. It should save you reading time. It should save you stress.  It should tell you what to protect from today, next week, and maybe next year; and you should be able to buy it from someone who doesn't want to sell it to you to get you to buy their box. 

Information sharing is the other. The latest buzz phrase seems to be 'trusted circles'. Find a group —Red Sky Alliance, the Financial Services ISAC, the Maritime ISAO, or one of the others that are out there.  Asking questions of others in a trusted, non-governmental environment is HUGE. Why non-governmental? Nobody wants to talk about themselves when there's a chance a regulator might be in the room. Use information sharing to learn how to fix your stuff —and then decide how you want to work with the government. Privacy is important. 

Climbing off my horse…

Until next time,

Have a great weekend!

Jeff

CTAC Attack! Fridays

How many times have you walked into the office, only to find your boss looking for answers to the threat of the day —you know what I mean. I saw this on the news this morning. What's it mean? or Hey boss, we just got hit with this … and now you have to explain it (and fast!).

If you've ever been in one of these situations read on...

Every Friday afternoon at 2:00, we hold a short form training session called CTAC Attack! CTAC is short for Cyber Threat Analysis Center, and its desktop of tools that we provide to our subscribers for their own analytics. CTAC Attack! goes like this…

The idea is that in 20 minutes or less, a presenter will show a group of analysts -virtually via webinar, how they use a specific tool, or in combination, tools, to solve analytic problems.  20 minutes is usually more than enough time to show the tool, describe how the analysts uses it to solve a problem, and then leave 10 minutes for Q&A. Presenters earn CTAC Attack T-Shirts, and attendees are entered into a drawing to win one.

So this week instead of my authoring an opinion piece, I've recorded a short, two minute video summation of one of the sessions that I do. This is a tool that we bought from a startup. It was built to create books, but we liked it more as a search and answer tool, so we hired the founder to make sure we got it right, and after some slight modifications, this quickly became one of my favorite tools.

THIS, is information sharing. We created a dashboard of our favorite tools. I love (LOVE) Pagekicker. Most of the other guys loves CyberChef. We all love Kibana, and we share notes in real time via Slack.

Enjoy the video. Interested in seeing more? Drop me an note.

Until next time,
Have a great weekend!
Jeff

Sometimes you just need to talk to someone!

I've used the VA for my healthcare since leaving the Navy in 2001. In my opinion, it's one of the best deals going.  One of the things that you see from the minute that you walk in, are magnets, handouts, and wallet cards —seemingly everywhere —all designed for one thing; they give a vet a place to call when they're in crisis. Maybe that applies more to some than others, but for that one, who finds themselves in crisis, it could mean everything.

I was having dinner with Liz last night. Liz is the head of our intelligence team. We talked about the idea that since starting Red Sky Alliance back in 2012, people, laws, and trends have really changed. In Red Sky for example, once fertile two-way communication has become more the place where we get RFIs from members, deliver PIRs and get asked questions about the intelligence we push through.

So in talking with Liz last night, who's given talks to over 1000 people in the last three weeks —her audience largely bankers, with the majority being smaller --all on fraud; a subject we know well, She says, you know what? These companies just want a place where they can ask questions, not necessarily share a bunch of information.

"They're not all big companies" she says. The majority of those she's talked to haven't built an internal, 200 person infosec team (like many of our original members), nor do they have dedicated intelligence. They have Directors of IT who, many times find themselves double, even triple-hatted —CIO, CISO, Analyst, Fraud person, privacy, and general go-to person for anything wrong with the IT. They participate in free groups and pull down as much information as they can, and make due with it as best they can, but when they get stuck… they want to talk with someone.

And for the last four years, this is exactly what Red Sky Alliance has been. Red Sky Alliance is a place talk to an analyst. Not only can you talk to a Wapack analyst, ask the RFI, or get your intelligence, but Red Sky still today maintains roughly 40% month over month participation —not including my own analysts. Companies come in when they want to talk —when in crisis and they get expert feedback from folks dedicated to monitoring the chatter, pulling apart code, and tracking the fraud. And when we don't know the answer, someone else usually does. Did I mention 40% participation? Yeah, someone else usually knows.. it's called crowdsourcing… and it's amazing.

And in the coming weeks, we're making it easier than ever to talk to someone. We've been on Jive since the start, and realized the need is for more tactical communications. We're moving to a Slack-based platform starting November 1st. Tactical, mobile, and always on. Need to talk to an analyst? Compare notes? We're here; and so are about 60 of your closest friends. This isn't a group of 2000+, it's small trusted, and smart.

I think Liz stumbled onto our new marketing message. Talk to an analyst. 

She's dead on.

**********************************************

This week was the week for fraud. Liz has delivered three talks in the last two weeks to over a thousand people, is preparing to do another one this week, and will give a talk on cryptocurrencies in fraud next week at the MacKenzie Institute in Toronto. 

We published several pieces of analysis, one originally appearing to be a simple smash and grab leading us down another analytic path only to believe (still a WIP) that it may turn out to be a major data loss breach and even more, ongoing fraud —for over a year. 

Me? I'm speaking at ISC2 in New Hampshire on Tuesday and heading off to ZeroDay Con in NY later in the week. I'm looking forward to seeing some of you.

So until next time,

Have a great weekend!

Jeff