Author: Fahmida Y. Rashid


Waah! WannaCry shifts the blame game into high gear

More and more, information security seems to be about finding someone to blame for the latest crisis. The blame game was in full gear within hours of the WannaCry ransomware outbreak, and even after a few days there’s still a lot of anger to go around. People want heads to roll, but that won’t help contain the current damage or spur improvements to minimize the impact of future attacks.

The WannaCry ransomware[1] successfully infected so many machines because its authors crafted the malware to use multiple infection vectors, including traditional phishing, remote desktop protocol (RDP), and a vulnerability in the SMB protocol. It took advantage of the fact that people don’t always recognize phishing links, and that many systems aren’t running the latest versions of applications or the operating system.

Those are the facts. But arguing that if one factor or another hadn’t been present then this outbreak would never have happened shows a complete misunderstanding or willful disregard of the complexities of IT, software development, and the technology ecosystem.

Stop with the victim-blaming 

Blaming the victim is a common tactic. Right now scorn is being heaped on individual users for not having applied Windows updates, for using older and no-longer-supported operating systems such as Windows Vista, or for not recognizing phishing attacks.

While it’s important to teach users to recognize scams and to be careful about their online activities, no amount of training will ever be sufficient to keep up with the increasing sophistication of phishing. Likewise, users still have trouble seeing why they can’t stick with the software they’re comfortable with if it still works. It’s an awareness challenge, but yelling at them for running old stuff won’t make things better.

Software is going to have bugs

As always, you can hear the grumbling about software being infested with bugs and how Microsoft should not release software containing vulnerabilities. But the reality of software development dictates that the number of vulnerabilities in the code can only be reduced—bug-free software is just a lovely fantasy.

Yes, way back when, Microsoft and other tech companies failed to focus on security during the development lifecycle, but those days are gone. Now vendors focus on hardening software and patching on a regular basis. Microsoft patched the bugs in this case as soon as it learned about them, which is all it could do. It even went the extra mile to release patches for no-longer-supported systems, even though end-of-life policies dictate that older systems don’t receive updates.

Spies will spy

With WannaCry, the NSA gets its due[5] once again. Like clockwork, critics shout that the agency should not be stockpiling vulnerabilities and creating its own exploits, but rather reporting the flaws to vendors so that they can be patched. Even Microsoft president and chief legal officer Brad Smith[6] lashed out in a blog post: “This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem.”

Just as bug-free software is a fantasy, demanding that spies refrain from creating spying tools[7] is going to fall on deaf ears.

Setting aside the question of whether the NSA should be doing its own bug-hunting and exploit development, plenty of people argue that the NSA was negligent for letting the tools be stolen. But security researchers believe the Shadowbrokers got their hands on this cache through an insider who had access[8] to the tools. At this point, it feels like a stretch to blame the NSA for the theft.

Perhaps the NSA needs better vetting on who can use the tools in the first place, but malicious insider activity is not the same as negligence. It appears that the NSA notified Microsoft as soon as the leak of the tools seemed likely.

But the bottom line is that this attack code was going to happen. Even if the NSA had never created EternalBlue and other tools[9], it’s very likely that someone would have created the attack code as soon as Microsoft was told about the bug. Exploit and malware writers reverse-engineer software patches to figure out the underlying flaw and then develop their own exploit to trigger the bug. That’s the reality of exploit development.

When Microsoft rates a vulnerability as “critical,” it believes that criminals would be able to develop a working exploit within 30 days. WannaCry came about eight weeks after the flaws were patched, and appears to be based on the exploit code from the penetration testing tool Metasploit and not the actual NSA implant. The question of how much longer before a working exploit would have been available in underground circles is academic.

IT and security are doing their best

Here comes everyone’s favorite scapegoat: IT, eternally shamed for not patching systems, using older systems, or not prioritizing security over everything else. The tendency to assume that IT is negligent or incompetent reflects a profound misunderstanding of the kind of challenges IT faces[10].

IT can’t upgrade older systems if there is a custom application purchased years ago or a critical software application that requires the older OS—and the vendor no longer exists to even update the software. Organizations with serious cost constraints, such as government or non-profit organizations, tend to be particularly vulnerable.

Still want to blame IT for not patching? Well, it could be that a new CTO just came on board and realized there is no documentation or understanding of the current network architecture. There is no way to roll out patches on vulnerable systems “immediately” until the CTO has completed an inventory. Or perhaps the critical system is already under maintenance for a different critical patch—perhaps for an Apache web server, Oracle, or an enterprise application—and it’s highly irresponsible to roll out multiple updates at once.

IT is already under a lot of pressure due to constraints on time, money, and manpower. Accusing IT of falling down on the job can be wildly unfair, particularly if senior management never made the funds available for upgrades, hired more IT staff, or invested in “better” technology. 

Does the buck stop with security professionals and security vendors? After all, despite the investments organizations have made in security technology and defenses, WannaCry bypassed controls and successfully infected users. It doesn’t make sense to complain that white hat bug hunters should have found and reported the flaws earlier.

Work together—the bad guys already do

Nothing is gained from all the finger wagging and sanctimony, and it just makes it harder to react to the crisis during an attack as well as to make changes in order to prevent being the victim the next time.

Resilience is the name of the game, and it requires a collaborative approach. Hardening the network and segmenting different parts to make it harder for malware and attackers to move laterally requires cooperation between IT, end-users, and business stakeholders. Understanding what parts of the infrastructure need upgrades and what kind of expenses that would entail, either in terms of new hardware, user training, or even new application development, means creating an actual plan and roadmap to balance competing schedules and deadlines.

Regularly backing up systems and making sure the backups are ready to go is part of business continuity and not traditionally part of security, which goes to show that not all solutions require some kind of a security answer.

Ultimately, we need to assign blame where it belongs: to those who created WannaCry and the criminals that are using ransomware to bilk victims out of money. And to defeat them, we need to pull together and collaborate on finding real solutions.

References

  1. ^ WannaCry ransomware (www.infoworld.com)
  2. ^ Windows PC from getting hit by ransomware (www.infoworld.com)
  3. ^ 18 surprising tips for security pros (www.infoworld.com)
  4. ^ Security Report newsletter (www.infoworld.com)
  5. ^ NSA gets its due (www.infoworld.com)
  6. ^ chief legal officer Brad Smith (blogs.microsoft.com)
  7. ^ spies refrain from creating spying tools (www.infoworld.com)
  8. ^ insider who had acces (www.infoworld.com)
  9. ^ EternalBlue and other tools (www.infoworld.com)
  10. ^ challenges IT faces (twitter.com)

WannaCry ransomware slipped in through slow patching

The plain truth about security updates is that enterprises will always have a lag time between when patches are released and when they’re deployed. Even so, too many organizations are taking too long to test and schedule, and they’re paying the price.


Microsoft rushes emergency fix for critical antivirus bug

The point of antivirus is to keep malware off the system. A particularly nasty software flaw in Microsoft’s antivirus engine could do the exact opposite and let attackers install malware on vulnerable systems. 

The critical security vulnerability in the Microsoft Malware Protection Engine affects a number of Microsoft products, including Windows Defender, Windows Intune Endpoint Protection, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Microsoft Forefront Security for SharePoint, Microsoft Endpoint Protection, and Microsoft Forefront Endpoint Protection. These tools are enabled by default in Windows 8, 8.1, 10, and Windows Server 2012.

Microsoft released an emergency out-of-band security update to fix the remotely exploitable type confusion bug (CVE-2017-0290) on Monday, along with a security advisory. 

“Vulnerabilities in MsMpEng [Microsoft Malware Protection Engine] are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service,” wrote Tavis Ormandy, a security researcher with Google’s Project Zero, who found the flaw along with fellow researcher Natalie Silvanovich, who called it “crazy bad.”

Attackers hide the malicious payload in files, and when the antivirus scanner checks the file to determine whether it is malicious, the scan inadvertently executes the malicious code on the system with administrative privileges. The malware gets full control of the system and can perform any number of tasks, such as installing spyware and other tools or stealing data. 

“Typically, no action is required of enterprise administrators or end users to install updates for the Microsoft Malware Protection Engine, because the built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release,” Microsoft’s security team wrote in the advisory. “The exact time frame depends on the software used, Internet connection, and infrastructure configuration.”

Ormandy initially teased the existence of the bug on Twitter toward the end of the day on Friday, but didn’t provide any details because Project Zero was discussing the flaw with Microsoft’s security team. The engine runs at the system level without sandboxing and is remotely accessible without authentication via different Windows services.

The component within the engine that evaluates the filesystem or network activity that looks like JavaScript is “an unsandboxed and highly privileged JavaScript interpreter that is used to evaluate untrusted code, by default on all modern Windows systems,” Ormandy wrote. The function JsDelegateObject_Error::toString() reads the object’s message property, but doesn’t validate the input to make sure it is a string.

Because of that missing check, an attacker can pass arbitrary other objects where a string is expected, which is the type confusion at the heart of the bug.

Despite the severity of the flaw, Microsoft said its exploitability was low—or “less likely” that someone would develop an exploit and take over vulnerable systems. Even so, no one wants a critical bug, described by Silvanovich as “the worst Windows remote code [execution] in recent memory,” floating around in the system, hoping the patch arrives before criminals figure out the bug. The prospect of having to wait until next month to get the security update meant there was not much Windows administrators could do until then.

There were some mitigations: Ormandy recommended adding a blanket exception for c: to prevent automatic scanning of the filesystem activity. Turning off real-time protection doesn’t help, though, since the payload will be executed during the next scheduled scan. 

“Still blown away at how quickly Microsoft Security responded to protect users,” Ormandy wrote on Twitter on Monday. “I can’t give enough kudos. Amazing.”


How the Macron campaign slowed cyberattackers

In the wake of French president-elect Emmanuel Macron’s victory over Marine Le Pen, IT armchair quarterbacks should look at the Macron campaign’s security playbook for ideas on how to fight off targeted phishing and other attacks.

When 9GB of files belonging to the Macron campaign was dumped[1] on file-sharing website Pastebin less than two days before the French election, it looked too much like what had happened during the U.S. presidential election last fall.

There isn’t enough evidence[4] to conclusively link the Russians to the Macron leak, and security experts believe some of the supposed clues are sloppy attempts at misdirection. The difference this time around seems to be the fact that Macron’s team was prepared for the attacks and engaged in a disinformation campaign of its own, according to The Daily Beast[5].

“You can flood these [phishing] addresses with multiple passwords and log-ins, true ones false ones, so the people behind them use up a lot of time trying to figure them out,” the head of Macron campaign’s security team, Mounir Mahjoubi, told The Beast.

The Macron campaign was targeted by phishing emails with links to URLs that looked similar to official sites, such as en-nnarche.com, which could trick users into misreading the “nn” as a “m.” Some recipients likely fell for the phish and logged in with legitimate credentials, giving attackers access to all their emails. “If you speed read the URL, you can’t make the distinction,” Mahjoubi said, noting the fake sign-in pages were “pixel perfect.” The campaign’s security team flagged the phishing sites as they were identified and submitted fake login credentials.
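A defender-side way to catch lookalike hostnames of the kind quoted above (“nn” standing in for “m”) is to fold each registrable label to the letters a reader would perceive and compare that against the organization’s own domains. This is an added example, not code from the Macron campaign or any vendor; the confusable table, the protected-domain list and the sample hostnames are constructed for illustration, and the example also covers digit-for-letter swaps and IDN homographs, which the article does not discuss.

```python
"""Lookalike-domain detection: fold hostnames to a visual 'skeleton' and compare with a
protected list. Added example with a constructed confusable table and sample data."""
import unicodedata

# Multi-character ASCII sequences and digits that read as another letter at a glance.
# Longer sequences come first so "rn"/"nn" are folded before single characters.
ASCII_CONFUSABLES = [
    ("rn", "m"), ("nn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"),
]
# A few Cyrillic letters whose glyphs are indistinguishable from Latin ones (IDN case).
UNICODE_CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}


def skeleton(label: str) -> str:
    """Return the Latin letters a reader would perceive when glancing at a label."""
    folded = unicodedata.normalize("NFKD", label.lower())
    # Drop combining accents (e.g. "é" -> "e") and map known homoglyphs.
    folded = "".join(UNICODE_CONFUSABLES.get(ch, ch)
                     for ch in folded if not unicodedata.combining(ch))
    for seq, letter in ASCII_CONFUSABLES:
        folded = folded.replace(seq, letter)
    return folded


def registrable_label(hostname: str) -> str:
    """Label left of the TLD, with punycode decoded. Naive on purpose: a production
    check would consult the Public Suffix List for suffixes such as co.uk."""
    parts = [p for p in hostname.strip().rstrip(".").lower().split(".") if p]
    if not parts:
        return ""
    label = parts[-2] if len(parts) >= 2 else parts[0]
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # leave undecodable punycode as-is; it simply will not match
    return label


def find_lookalikes(hostnames, protected):
    """Map each hostname that impersonates a protected domain to that domain.
    The protected domains themselves and their subdomains are never reported.
    Only the registrable label is compared, so a TLD swap (en-marche.com for
    en-marche.fr) is flagged as well."""
    by_skeleton = {skeleton(registrable_label(d)): d for d in protected}
    hits = {}
    for host in hostnames:
        h = host.strip().rstrip(".").lower()
        if any(h == d or h.endswith("." + d) for d in protected):
            continue
        target = by_skeleton.get(skeleton(registrable_label(h)))
        if target is not None:
            hits[host] = target
    return hits


# Constructed sample data: the brand list an organization would maintain, and
# hostnames of the kind that turn up in mail logs or certificate-transparency feeds.
PROTECTED = ["en-marche.fr"]
IDN_HOST = "en-march\u0435".encode("idna").decode("ascii") + ".fr"  # Cyrillic "е"
SAMPLE_HOSTS = [
    "en-nnarche.com",       # the "nn" for "m" trick quoted in the article
    "mail.en-marche.fr",    # legitimate subdomain, must not be flagged
    "en-marche.com",        # TLD swap
    IDN_HOST,               # punycode form of a homograph label
    "example.org",          # unrelated
]

if __name__ == "__main__":
    for host, target in find_lookalikes(SAMPLE_HOSTS, PROTECTED).items():
        print(f"{host!r} resembles {target}")
```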

That sounds suspiciously like cyberdeception.

The attackers had gotten hold of valuable information, so the defenders mixed fake and real data so that attackers would waste hours trying to verify what was real, said Gadi Evron[6], founder and CEO of Cymmetria. With cyberdeception, defenders take control of the battleground by deciding what kind of information the attackers get and directing the attackers to go after decoy systems rather than real systems holding sensitive data.

“If we can control the information our opponent collects about us, we can control where they go and how they act, detect them sooner, and neutralize them,” Evron said. The following video goes into more detail about how cyberdeception works.

One cyberdeception tactic is to leave documents—”deceptive data”—on carefully prepared systems for attackers to steal, then have the documents beacon back to let the defenders know the file has been opened. Attackers can be tricked into using “incriminating evidence.” It’s possible the security team left behind fake files in the user accounts or accessed the phishing sites from the prepared systems holding only dummy files, and that level of technical detail hadn’t made its way into The Daily Beast article. At this point, there’s no proof one way or another.

“There’s no evidence the Macron campaign ‘outsmarted’ or deceived anybody. You can’t ‘sign on’ to APT28 phishing sites and ‘plant’ info,” said Thomas Rid[7], the King’s College researcher who recently testified before Congress about Russian interference in the U.S. election.

The campaign claimed[8] the documents revealed the normal day-to-day operations of a presidential campaign, but authentic documents had been mixed on social media with fake ones[9] to sow “doubt and misinformation.” Without specifics, that statement doesn’t mean much, but taking into consideration that the campaign appears to be familiar with cyberdeception tactics, it’s possible the security team knew what files had been available to steal and had a clear idea of what had been compromised.

“The campaign seemed able to quickly identify what it called fake documents in the mix of the data dump. That suggests that they had an inventory beforehand to work with,” Evron said, noting this was a “working theory.”

The campaign also made it harder for attackers to move around and find data, which may be one of the reasons there wasn’t any high-value information buried in the dump. AP reported[10] the campaign had servers protected by sophisticated software filters, recommended the use of encrypted messaging and cellphone networks, and required double and triple authentication to access emails. Information was stored in multiple-partitioned cells, with databases separated like fortresses, accessible only by passwords that were complex and regularly changed.

Hindsight is 20/20, and there’s always something an IT security team should’ve or could’ve done in order to avoid a data breach or a security incident. While it’s important to beef up the defenses, make it hard to steal data, and train users to recognize attacks, letting defenders control the environment and tricking the attackers can also help minimize the effects of an attack.

“Finally, someone uses cyberdeception to beat attackers at their own game,” Evron wrote.

References

  1. ^ Macron campaign was dumped (www.networkworld.com)
  2. ^ 18 surprising tips for security pros (www.infoworld.com)
  3. ^ Security Report newsletter (www.infoworld.com)
  4. ^ enough evidence (www.wired.com)
  5. ^ The Daily Beast (www.thedailybeast.com)
  6. ^ Gadi Evron (medium.com)
  7. ^ Thomas Rid (twitter.com)
  8. ^ campaign claimed (twitter.com)
  9. ^ fake ones (twitter.com)
  10. ^ AP reported (www.securityweek.com)

NIST to security admins: You’ve made passwords too hard

Despite the fact that cybercriminals stole more than 3 billion user credentials in 2016[1], users don’t seem to be getting savvier about their password usage. The good news is that how we think about password security is changing as other authentication methods become more popular.

Password security remains a Hydra-esque challenge for enterprises. Require users to change their passwords frequently, and they wind up selecting easy-to-remember passwords. Force users to use numbers and special characters to select a strong password, and they come back with passwords like Pa$$w0rd[2].

Fortunately, the number of online services supporting hardware security keys is growing, including the likes of GitHub, Google, and Facebook. Google even uses hardware security keys internally to secure its employee workforce.

The final version of NIST’s Digital Identity Guidelines (SP 800-63-3) also challenges the effectiveness of what has been traditionally considered authentication best practices, such as requiring complex passwords. When most credentials-based attacks no longer bother with brute-force methods, relying on password complexity doesn’t really help. When attackers can discover the actual password string via keyloggers, phishing, or other social engineering tactics[5], it doesn’t matter how complex the string is. Attackers can harvest credentials directly from the domain controller while moving laterally through the network, look up passwords from previously breached databases, or intercept passwords transmitted in plaintext.

While the public comment period for the password guidelines closed on May 1, NIST has not yet released the final version. It wound up extending the comment period[6] for the parent document—on Digital Identity—for an additional 30 days while closing comments for the companion documents Enrollment & Identity Proofing (SP 800-63A), Authentication & Lifecycle Management (SP 800-63B), and Federation & Assertions (SP 800-63C) to get more details on how to make digital identity management “simpler for agency officials, mission owners, and implementers alike.” The NIST guidelines provide technical requirements for federal government agencies, but they act as a helpful blueprint for the private sector to follow as well.

Out with the old

Here’s what’s out in the new guidelines:

  • Having special composition rules on creating strong passwords (such as requiring both uppercase and lowercase characters, at least one number, and a special character)
  • Requiring routine password changes for the sake of changing them; passwords should be changed only when there is a risk of compromise
  • Password hints and knowledge-based questions, such as the name of the first pet, the mother’s maiden name, or the high school mascot, as social media and social engineering have made it easy for attackers to use these pieces of information to bypass passwords

NIST recommends administrators leave out overly complex security requirements that make it harder for users to do their jobs and don’t really improve security, since frustrated users are more likely to look for shortcuts. For example, users struggle to memorize large numbers of passwords—the average user accesses more than 40 accounts—so they may either write down passwords, which defeats the purpose of having a “secret” password; reuse passwords, which makes it easier to break into accounts; or use variations of existing passwords, which makes it easier for attackers to guess the patterns.

“The username and password paradigm is well past its expiration date,” said Phil Dunkelberger, CEO of Nok Nok Labs. “Increasing password complexity requirements and requiring frequent resets adds only marginal security while dramatically decreasing usability. Most security professionals will acknowledge that while such policies look good on paper, they put a cognitive load on end users, who respond by repeating passwords across sites and other measures to cope that dramatically weaken overall security.”

While it’s true there are other ways to get passwords, brute-force attacks still exist, so don’t give up on complex passwords yet. Enterprises should encourage employees to use a password manager and not try to remember passwords. Even with recent issues found in popular password managers, these applications remain the best tool for creating and storing unique and strong passwords.

In with the new

Now, here’s what’s in the new guidelines:

  • Users should be able to choose freely from all printable ASCII characters, as well as spaces, Unicode characters, and emojis
  • Increase the minimum length of passwords to eight
  • Check passwords against blacklists of unacceptable credentials, including previously breached databases, dictionary words (monkey), common passwords (letmein), and passwords with repeating or sequential characters (pass123)
  • Lock accounts after several incorrect attempts to log in
  • Hash passwords with a salt when storing passwords to prevent cybercriminals from acquiring passwords that are stored in plaintext or with weak hash algorithms
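A reference check for the rules in the two lists above: no composition rules, a minimum length of eight, a blocklist of common, dictionary and breached passwords plus repeating or sequential characters, lockout after repeated failures, and salted hashing for storage. This is an added example, not NIST’s or any vendor’s code; the blocklist contents, the lockout limit and the PBKDF2 round count are assumptions chosen for illustration.

```python
"""Password acceptance and storage following the SP 800-63B rules listed above.
Added example; the blocklist is a small constructed stand-in for a breached-password
corpus and dictionary, not a real list."""
import hashlib
import hmac
import os
import re
import unicodedata

MIN_LENGTH = 8
SALT_BYTES = 16
PBKDF2_ROUNDS = 200_000  # assumed value; tune upward on real hardware

# Constructed blocklist: dictionary words, common passwords, breached entries.
BLOCKLIST = {"monkey", "letmein", "password", "qwerty", "pa$$w0rd", "summer2016"}


def has_repeated_run(secret: str, run: int = 3) -> bool:
    """True for 'aaa'-style runs of the same character."""
    return re.search(r"(.)\1{%d,}" % (run - 1), secret) is not None


def has_sequence(secret: str, run: int = 3) -> bool:
    """True for ascending or descending runs of consecutive code points ('123', 'cba')."""
    cps = [ord(c) for c in secret.lower()]
    for i in range(len(cps) - run + 1):
        diffs = {cps[j + 1] - cps[j] for j in range(i, i + run - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(secret: str, blocklist=BLOCKLIST) -> list:
    """Return the reasons a memorized secret is rejected (empty list means accepted).
    Deliberately no composition rules: any printable ASCII, spaces, other Unicode and
    emoji are fine. NFKC normalization keeps visually identical inputs consistent."""
    secret = unicodedata.normalize("NFKC", secret)
    reasons = []
    if len(secret) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if any(unicodedata.category(ch).startswith("C") for ch in secret):
        reasons.append("contains control characters")
    lowered = secret.lower()
    # Also catch the common habit of appending digits to a blocklisted word.
    if lowered in blocklist or re.sub(r"\d+$", "", lowered) in blocklist:
        reasons.append("appears on the blocklist (common, dictionary or breached)")
    if has_repeated_run(secret):
        reasons.append("contains a run of repeated characters")
    if has_sequence(secret):
        reasons.append("contains sequential characters")
    return reasons


def hash_password(secret: str, salt: bytes = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the random salt is stored in front of the digest."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    secret = unicodedata.normalize("NFKC", secret)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(secret: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = stored[:SALT_BYTES]
    return hmac.compare_digest(hash_password(secret, salt), stored)


def record_failed_login(state: dict, user: str, limit: int = 5) -> bool:
    """Count failed attempts per account; returns True once the account is locked."""
    state[user] = state.get(user, 0) + 1
    return state[user] >= limit


if __name__ == "__main__":
    for candidate in ["letmein", "pass123", "Pa$$w0rd", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```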

Password managers only solve the password challenge; they don’t address the overall authentication problem when attackers already have the password. NIST also recommends adding another line of defense by turning on multifactor authentication. Because attackers typically don’t have multiple proofs of identity, such as the user’s mobile device or some kind of physical token, they wouldn’t be able to break in even with a password.

However, NIST warned against relying on sending one-time passwords via SMS messages as a form of two-factor or multifactor authentication. SMS can easily be intercepted, so NIST suggests using software-based one-time-password generators, such as apps installed on mobile devices.

Biometrics are also gaining popularity, especially as more user devices come equipped with fingerprint readers. For example, the Samsung Galaxy S8 has both a fingerprint scanner and an upgraded retinal scanner that is currently used for unlocking the device. The scanner could likely be used as a second-factor authentication method for online services that decide to adopt retinal scanning. There are rumors that the LG G6 will have facial recognition software that could be used to unlock devices.

Microsoft announced plans to replace passwords with a smartphone-based authentication method. Instead of the standard two-step verification, where users first enter a password and then enter a PIN sent to their mobile device, the new “phone sign-in” method will require users to use the device to sign in with a PIN or use the fingerprint scanner to authenticate.

References

  1. ^ 3 billion user credentials in 2016 (info.shapesecurity.com)
  2. ^ Pa$$w0rd (arstechnica.com)
  3. ^ 18 surprising tips for security pros (www.infoworld.com)
  4. ^ Security Report newsletter (www.infoworld.com)
  5. ^ keyloggers, phishing, or other social engineering tactics (www.ncsc.gov.uk)
  6. ^ extending the comment period (trustedidentities.blogs.govdelivery.com)