The first thing to recognize is that IT personnel are working overtime and are still not keeping up with problems.

How, you say, can this possibly be happening?

How about this for a headline:

"Developers have to fix a vulnerability (Badlock) for the April 12th Patch Tuesday" (says Microsoft). Security Affairs¹ has the story.

Badlock is a vulnerability in Samba and Windows File Services technologies.

This means that a hacker can create some code (also called malware, MALicious SoftWARE) that, if run on the affected machines, lets the hacker take them over.

So from now (3/23) until at least 4/12 there is no fix for this problem. And if a hacker somehow gets into your Windows systems, the only way to know is if you can track the hacker's movements.

Samba² software has already been updated to 4.1.7; this vulnerability has been known in the hacker world since February 23rd (from CVE-2015-0240), so this is a well known exploitable vulnerability in the hacker world.

How do we know? Because there are markets where the hackers can sell their malware to other criminals, who use it to attack us. Darknet³ is a marketplace where hackers and criminals sell and buy the various pieces of the attacks and exploits used against our environments.

The reason things have gotten worse is that the attackers have gotten better and better while we have improved marginally, and the reality is that it is easier to attack and succeed only once than to defend 365 days per year, 24 hours per day.

So what can be done?

It is important to get started, as on this page we have created: https://fixvirus.com/patching-your-computers-consistent-policy-defends-against-attackers/

Getting started on proper cybersecurity has to happen sometime. So don't be overwhelmed; start writing a security policy so that your employees know what their role is. Good communication is a must.

Contact us to help you with writing a security policy. Notice we do not have previous client names on this site, since the confidentiality of our clients is important (we can give you specific referrals, but that takes time). Let's start with an initial visit, which is free.

Once you have a program in place, and people looking at logs and more, then you can create a methodology to find the hackers when they are in the environment: find them when they try to execute code that does not belong, and when the code tries to communicate with their command and control servers.

Once the plan is in place, create new scripted methods to find unknown malware.

Why wait until the security policy is in place? Because one has to know what is on the systems and what is good before you can stop the malware. And it is always better when documentation is available.

  1. http://securityaffairs.co/wordpress/45579/hacking/badlock-windows-samba-flaw.html
  2. https://www.samba.org/samba/history/samba-4.1.17.html
  3. http://oversitesentry.com/darknet-know-it-learn-it/

Houston, we have a problem: a kind of misunderstanding which leads to apathy.

Example: I wonder if you knew that this week a new ransomware threat came out. I should also say that every week new ransomware comes into the "wild", into our computers. (For example, in the week of 3/28 - 4/1 we discuss in our blog post at Oversitesentry(5) how to prevent the Locky ransomware and how the Petya ransomware will now destroy your Master Boot Record (MBR), i.e. your actual use of the hard drive.)

For the first time a programming language called JavaScript is being used for ransomware; it is called Ransom32.

The following picture is from an older ransomware, so we can discuss what ransomware is and does (and what to fear and be proactive about).

Ransom means that the criminal has found a way to take something of yours and is now trying to extort money out of you so you can get it back. In this age we are talking about data files.

Imagine that you are working on a Word document, like a proposal for a client. Now somehow ransomware software got on your computer, and once the software runs, it tries to encrypt your files. Since you are still working on your proposal you try to save the file and it does not work: you cannot save the file, as the file you saved to is now renamed and reconfigured (encrypted).

As you try to open other files you notice the encryption does not allow your files to be opened.

If you thought on your feet you could do a "save as" with the file currently being worked on and thus at least save the current file. But hundreds, maybe even thousands, of the rest of your files are now encrypted.

This is obviously a problem, and can bring you to a standstill. Will it matter if your files are on the cloud? Unfortunately it depends on how sophisticated the criminals' programming is, and it is definitely possible to get all files encrypted. The name of the game is money $$$, and if the hackers in eastern Europe are making more money as hackers than as programmers at legitimate companies, then our adversaries will improve their attacks.

You cannot avoid this phenomenon for too long. The criminals are looking to make up to $7 billion:

This is easy to figure out. As of 2013 there were 220 million PCs in the USA (I'm not even counting the world). 10% of PCs are not patched correctly (from my blog post and research here at Oversitesentry.com¹ and more background²), based on Microsoft statistics, as they know how many PCs are being patched.

We know from news reports and experience that an unpatched computer is susceptible to these types of attacks. Thus I have drawn a conclusion: 22 million PCs are susceptible, and with that the criminal has a potential $6.6 billion ransomware market. And if there are a few computers from which the hacker can steal more information that he can resell, then one can project a $7 billion ransomware market. That is a lot of potential money...

So we can't assume the threats will be the same as last year, in fact the threats will become more sophisticated and dangerous.

Instead of throwing up our hands and giving up... the thing to do is to make sure you spend more time on security this year.

There are ways to shore up or improve your perimeter (firewall); make sure to do patching on time and effectively. Maybe a new firewall which can do more than filter traffic. By filtering traffic, I mean making sure certain traffic stays out and other traffic is allowed through. The problem with this old model is: what if the traffic is allowed (like JavaScript inside Facebook)?

Patching your computer is actually not so easy because not all updates are good updates³. So sometimes IT pros recommend waiting until the patch/update has been tested, and only then will it be installed. This process takes time even in the best run IT department; there are always some bits of time which create some vulnerability.

Testing your backup is also an important part of security defense, since if ransomware gets through you can't afford to find out whether the criminals wrote good ransomware software that recovers your data when you pay. Our recommendation is to never pay: assume you will lose data, back up, and test the backup to make sure you will recover all data properly.

You can't get away from it these days: a company which has computers on the Internet cannot just have a regular firewall anymore; it must get a NGFW (Next Generation FireWall), which will inspect the traffic and is essentially another layer of defense.

A regular firewall cannot inspect data like Social Security numbers or credit card numbers. Set up correctly, you can do many things with a NGFW(4). Here is one: if I see my Social Security numbers, then email me. I.e. if somebody is stealing these numbers, then email me!
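The "if I see Social Security numbers then email me" rule, boiled down to detection logic you can run offline. This is an added illustration, not the blog's or any firewall vendor's code: it scans constructed payload lines for SSN and payment card patterns and validates them (SSA issuance rules, Luhn check) so that random digit runs do not trigger an email.

```python
import re

# Candidate patterns; each hit is then validated to cut down on false alerts.
_SSN = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
_CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")      # 13-19 digits, optional separators

def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test that every payment card number must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(line: str) -> list:
    """Return (kind, value) pairs for plausible SSNs and Luhn-valid card numbers."""
    hits = []
    for m in _SSN.finditer(line):
        if valid_ssn(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in _CARD.finditer(line):
        if luhn_ok(re.sub(r"\D", "", m.group(0))):
            hits.append(("card", m.group(0)))
    return hits

def alerts(lines) -> list:
    """One alert per offending line; in the NGFW this is where 'email me' fires."""
    out = []
    for n, line in enumerate(lines, 1):
        hits = find_sensitive(line)
        if hits:
            out.append(f"line {n}: " + ", ".join(f"{k}={v}" for k, v in hits))
    return out

# Constructed outbound payload lines for the demo; none of this is real traffic.
SAMPLE = [
    "POST /upload name=J.Doe ssn=078-05-1120 dept=HR",     # well-known sample SSN
    "card=4111 1111 1111 1111 exp=12/26",                   # Visa test number, Luhn-valid
    "order=123-45-6789 qty=2",                              # SSN-shaped, passes format rules
    "ref=000-12-3456 tracking=1234567890123456",            # bad area; digits fail Luhn
]
```

Running `alerts(SAMPLE)` flags lines 1, 2 and 3 and stays quiet on line 4, which is the difference between a rule that pages someone usefully and one that gets switched off for noise.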

Because the criminals have such a large budget you can't just trust your capable IT department; you have to make sure that everything is working as it should. Test the IT department.

I would be happy to discuss this diagram, where your IT department works on the output and Fixvirus.com uses CEH (Certified Ethical Hackers) to test your environment.

If you want to discuss how to improve your security (audit security, test backup, and more) in 2016, contact me now: Tony Zafiropoulos, 314-504-3974, tonyz@fixvirus.com.

  1. http://oversitesentry.com/happy-new-year-2016/
  2. http://oversitesentry.com/is-your-it-system-low-hanging-fruit-for-criminal-hackers/
  3. http://oversitesentry.com/are-we-falling-behind-on-patching-computers/
  4. http://oversitesentry.com/what-is-an-advanced-firewall-utm-ngfw/
  5. http://oversitesentry.com/ransomware-vaccine-can-it-be-done/

On News of Day I discuss http://www.darkreading.com/operations/5-pitfalls-to-avoid-when-running-your-soc-/a/d-id/1318218

Specifically:

"Our goal is to protect our critical assets, quickly know when they have been compromised and respond with immediate action to contain and eradicate the threat. If anyone believes they are going to create the perfect secure environment, let me save you some pain in discovery: It does not exist. However, if you can narrow your attack surface area through smart security operations that fully integrate the right people, the right processes, and good technology, then you drive up the skill required by an attacker to the point where most threat actors will give up and go after easier, softer targets."

In Tip of Day I discuss how Netcat can help you do some "banner grabbing", which will help you view what applications send in their first response.

From the Netcat Power Tools PDF, Chapter 4: http://dl.acm.org/citation.cfm?id=2155689

"The Web server will take this request, locate the file requested, and send it back to the client. When given a file of '/', Linux and UNIX servers will return index.html, while Windows Internet Information Server (IIS) will find and return default.htm."

I recommend obfuscating your web and other application banners:

"For many different reasons, usually security-related, many Web sites do not wish to show the version software that they're running. They can alter this information by editing their Web server configuration to use a new ServerTokens value, or by using third-party software."

You can actually test your webserver to see what it responds with:

"For protocols like HTTP that require user interaction, it is still possible to automate the process. All you need to do is pipe the echo of your input to Netcat. Simple enough, no? The trick that catches many people is how to transmit that extra carriage return after the command. This can easily be done with the following Linux command:

echo -e "GET / HTTP/1.0\n" | nc <host> <port>

In the example above, echo uses the \n string to signify a new line."
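The same banner check in Python rather than Netcat, added here as an example (it is not from the Netcat Power Tools book or this blog): it sends the HTTP/1.0 request above to a server you administer and reports whether the Server header still discloses a version, which is what the ServerTokens change is meant to hide. The host and port are whatever you point it at; the two sample responses are constructed so the parsing can run offline.

```python
import re
import socket
from typing import Optional

# The HTTP/1.0 request from the Netcat example; the blank line ends the headers.
REQUEST = b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n"
# Product tokens that carry a version, e.g. "Apache/2.4.18" or "OpenSSL/1.0.2g".
_VERSIONED = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)+")


def server_header(raw: bytes) -> Optional[str]:
    """Pull the Server header out of a raw HTTP response, or None if absent."""
    head = raw.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:            # [0] is the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None


def discloses_version(banner: Optional[str]) -> bool:
    """True when the banner still shows product/version pairs (ServerTokens Full/OS)."""
    return bool(banner) and _VERSIONED.search(banner) is not None


def grab_banner(host: str, port: int = 80, timeout: float = 5.0) -> Optional[str]:
    """Live check against a server you administer: send REQUEST, read up to 8 KiB."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(REQUEST)
        while len(buf) < 8192:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return server_header(buf)


# Constructed responses for offline use; not captured from any real host.
VERBOSE = (b"HTTP/1.1 200 OK\r\n"
           b"Server: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g\r\n"
           b"Content-Type: text/html\r\n\r\n<html></html>")
MINIMAL = (b"HTTP/1.1 200 OK\r\n"
           b"Server: Apache\r\n"
           b"Content-Type: text/html\r\n\r\n<html></html>")
```

`discloses_version(server_header(VERBOSE))` is True and the same call on `MINIMAL` is False, which is the before/after you should see when `ServerTokens Prod` takes effect.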

Let me know if you need help with this.

Contact Us.

Since we advocate testing your IT services and devices, what if your organization has cloud services?

How about Amazon EC2? AWS compliance: keep this in mind.

As Amazon AWS (Amazon Web Services) says, it is a shared responsibility.

Rackspace has a security page, Rackspace Security; Rackspace says it is a shared responsibility as well.

There are different cloud providers with specific missions and infrastructure services.

Let's say you need PCI compliance completed for your website, which is on a cloud provider.

Rackspace has rootkit scanning among other links that come up in a search.

As a computer professional in the security field, one cannot just scan or perform penetration tests on any computer on the Internet; in fact we must get written approval to perform a scan on a computer.

Why? How about this example:

Internet Storm Center example:

"However, their implementation of SSL is fragile enough that scanning them for the Heartbleed vulnerability will render them inoperable.  This affects Proliants from G1 all the way up to G6, as well as many of the HP Bladesystems."

So when scanning for Heartbleed on HP ProLiant hardware, the iLO cards have a problem:

An iLO card gives a system administrator a specific remote management ability:

"Before using an ILO card you must plug an Ethernet cable in to the server's ILO Ethernet jack. Once the ILO card is connected to the Internet, you must set up an ILO user account and IP network address in the server's BIOS menu"

This capability of the iLO card has a drawback: its software actually caused the server to crash, requiring a hard boot to recover (someone must press the power button). This side effect of a Heartbleed scan is a disaster for many cloud providers, as a reboot of a hypervisor server may cause a loss of service of 10-30 minutes or more if the system has to be manually reset in some way by a technician.

All Certified Ethical Hackers must be aware of the problems that can arise. We must test for compliance and to uncover vulnerabilities, but it must be done in a way that does not affect services, if at all possible.

Session hijacking is where an attacker steals a network session by guessing (or otherwise obtaining) the session ID (identification number). Each packet has a session ID in TCP sessions from client to server.

Once the hacker has a web server session they will try to gain more access on your web server.

The problem is cataloged on www.owasp.org.

Once the hacker has an in, they will go and add to it from there (this is called a beachhead). The beachhead is only the start, as an initial command line will most likely add to their access while the hacker tries to gain and add to their conquest.

This is why a defense in depth strategy is important, as new hacking methods may come in. The system administration overhead has to be kept up, otherwise the hackers win.
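The defensive side of the session ID problem, as an added example (not from OWASP or this blog): a minimal server-side session store that issues 256-bit random IDs that cannot be guessed, rotates the ID at login or privilege change so a previously captured ID is worthless, expires idle sessions, and sets the cookie flags that keep the ID away from page scripts and off clear-text connections. The 15 minute idle timeout and the injectable clock are assumptions for the demo.

```python
import secrets
import time

SESSION_ID_BYTES = 32        # 256 bits from the OS CSPRNG; not a counter or a timestamp
IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before a session is dropped (assumed)


class SessionStore:
    """Server-side session table; the client only ever holds an opaque random ID."""

    def __init__(self, now=time.time):
        self._now = now                   # injectable clock so expiry can be tested
        self._sessions = {}               # session_id -> {"user": str, "last_seen": float}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = {"user": user, "last_seen": self._now()}
        return sid

    def lookup(self, sid: str):
        """Return the user for a live session, or None; idle sessions are removed."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        entry["last_seen"] = self._now()
        return entry["user"]

    def rotate(self, sid: str):
        """Replace the ID (at login or privilege change); the old one stops working."""
        user = self.lookup(sid)
        if user is None:
            return None
        del self._sessions[sid]
        return self.create(user)

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def cookie_header(sid: str) -> str:
    """Set-Cookie line: HttpOnly blocks script access, Secure keeps it off clear-text HTTP."""
    return f"Set-Cookie: sid={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"
```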

Contact us to find and test your webserver.