Monthly Archives: May 2017

Belgian Privacy Commission Releases 2016 Annual Activity Report

On May 26, 2017, the Belgian Privacy Commission (the “Belgian DPA”) published its Annual Activity Report for 2016 (the “Annual Report”) highlighting its main accomplishments from the past year.

In 2016, the Belgian DPA focused on the following topics:

  • EU General Data Protection Regulation (“GDPR”). The GDPR was enacted in May 2016 and will come into force in May 2018. The Belgian DPA initiated a number of projects to help companies and public organizations prepare for the GDPR. Such projects include, inter alia, the publication of a 13-Step Plan, a thematic dossier and FAQs on its website, as well as guidelines and recommendations that contribute to the interpretation of the GDPR.

On May 25, 2017, the Belgian DPA issued a press release (in French and in Dutch) addressing companies’ concerns regarding the enforcement of the GDPR. In the press release, the Belgian DPA confirmed that its priority is to raise awareness on the GDPR and conclude clear agreements with the industry. It also stated that it will favor mediation regarding potential infringements of the GDPR, and that fines will be imposed only as a last resort where a data controller does not answer the Belgian DPA’s questions and concerns or formally refuses to comply with the GDPR.

  • Cloud computing. The Belgian DPA issued an Opinion that addresses obligations related to cloud computing and provides guidelines to companies and public organizations regarding the use of cloud computing.
  • Social fraud. The Belgian DPA published an Opinion on a draft bill for the systematic transmission of personal data related to citizens’ use of energy to the Federal Social Security Institutions. This bill is part of the Belgian government’s initiative to fight social fraud by using data mining and data crossing.
  • Anti-terrorism. The Belgian DPA issued an Opinion on (1) the creation of a common database for “foreign terrorist fighters,” (2) the anonymity of prepaid card users and (3) existing draft bills aimed at preventing the financing of terrorism.
  • Facebook case. On June 29, 2016, the Court of Appeal annulled a November 2015 judgment that had convicted Facebook in summary proceedings for the illegal collection of non-users’ personal data. The Court of Appeal ruled that the Belgian DPA had no jurisdiction over Facebook Ireland and Facebook Inc.

The Annual Report also stated that the Belgian DPA processed 4,491 requests or complaints (an increase of 299 compared to 2015), including requests for information, mediation and control. Most requests for information were related to the use of CCTV, data subjects’ rights, the right to one’s image, data processing registrations and contractual clauses.

Read the Annual Activity Report for 2016 (in French and Dutch) and the press release (in French and Dutch). View the brochure (in French and Dutch).

Amended Oregon Law Reinforces Importance of Adhering to Privacy Policies

On May 25, 2017, Oregon Governor Kate Brown signed into law H.B. 2090, which updates Oregon’s Unlawful Trade Practices Act by holding companies liable for making misrepresentations on their websites (e.g., in privacy policies) or in their consumer agreements about how they will use, disclose, collect, maintain, delete or dispose of consumer information. Pursuant to H.B. 2090, a company engages in an unlawful trade practice if it makes assertions to consumers regarding the handling of their information that are materially inconsistent with its actual practices. Consumers can report violations to the Oregon Attorney General’s consumer complaint hotline. H.B. 2090 reinforces the significance of carefully drafting clear, accurate privacy policies and complying with those policies’ provisions.

Privacy Shield First Annual Joint Review to Take Place in September 2017

On May 29, 2017, a high-level EU Commission official and Politico reported that the primary objective of the first annual joint review of the EU-U.S. Privacy Shield (“Privacy Shield”) is not to obtain more concessions from the U.S. regarding Europeans’ privacy safeguards, but rather to monitor the current U.S. administration’s work and steer U.S. privacy debates to prevent privacy safeguards from deteriorating. On March 31, 2017, the EU Commissioner for Justice, Věra Jourová, announced that the joint review will take place in September 2017.

The review will focus on two important points:

  • The EU Commission will verify that the key foundations of the Privacy Shield remain in place, in particular with respect to government access for national security reasons. The Commissioner recalled the importance of maintaining the protections provided under Presidential Policy Directive 28, as well as the Ombudsperson mechanism. In addition, the EU Commission will follow closely the debates around the reform of section 702 of FISA and the potential impact on Europeans’ personal data.
  • The EU Commission will also focus on day-to-day implementation and robust follow-up of the Privacy Shield by companies that have self-certified. In this context, the Department of Commerce will monitor the compliance of companies with the Privacy Shield principles on an ongoing basis, including through detailed questionnaires that companies will have to complete to identify issues that may require further follow‐up action.

Most recently, the European Parliament passed a Resolution on the adequacy of the protection afforded by the Privacy Shield, pointing out several weaknesses to be fixed in the upcoming review of the framework, including the lack of specific rules on automated decisions, the lack of a general right to object, the need for stricter guarantees on the independence and powers of the Ombudsperson mechanism, and the lack of concrete assurances with respect to bulk collection of data.

On the basis of the annual review, the EU Commission will issue a public report to the European Parliament and the Council.

Raspbian/Kano OS in QEMU

Quick notes


I wanted to be able to boot the Kano OS in a virtual machine so I could play Hack Minecraft with the kids and play along with the Kano OS desktop/games. I was trying to avoid plugging a Raspberry Pi into a monitor and wanted to use it on my local laptop.

Well, not so easy. VirtualBox/VMware don't support ARM. However, QEMU does.

This repo (https://github.com/dhruvvyas90/qemu-rpi-kernel/wiki/Emulating-Jessie-image-with-4.x.xx-kernel) had the recent raspberry pi kernels to use with QEMU.

Following the steps on that page with regards to mounting the image and editing /etc/ld.so.preload and /etc/fstab, I was able to get the image to boot up successfully...slow as hell...but it technically was working.

command to boot with vnc:


$ qemu-system-arm -vnc :1 -kernel qemu-rpi-kernel/kernel-qemu-4.4.34-jessie -cpu arm1176 -m 256 -M versatilepb  -append "root=/dev/sda2 rootfstype=ext4 rw"  -hda Kanux-Beta-v3.9.0-Lovelace-jessie-rc-2017-03-23_04-48.img

OS with vnc: (screenshot in the original post)

It was so horribly slow I don't think this is feasible. I am going to try using libvirt to make it better or just see if I can play Hack Minecraft another way. If I get anywhere further with the project I'll post an update.
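The image edits the post refers to, scripted, plus the boot command above assembled programmatically. This is an added example, not code from the post or from the qemu-rpi-kernel project; it assumes the usual versatilepb recipe (root filesystem on the image's second partition, /etc/ld.so.preload neutralised, /dev/mmcblk0* lines in /etc/fstab commented out) and a Linux host with root for the loop mount. The sfdisk output and file contents are constructed samples.

```python
"""Prepare a Raspbian/Kano OS image for qemu-system-arm and build the boot command.

Added example, not code from the post or from the qemu-rpi-kernel project. It
assumes the usual versatilepb recipe the post refers to: the root filesystem is
the image's second partition, every active line in /etc/ld.so.preload is
commented out (the Pi-specific preload library is unusable under emulation),
and the /dev/mmcblk0* entries in /etc/fstab are commented out because the root
disk appears as /dev/sda under QEMU. Mounting requires root and a Linux host.
"""
import os
import re
import subprocess
import sys

SECTOR_BYTES = 512


def _comment_out(text, should_comment):
    """Prefix '#' to each line for which should_comment(line) is true."""
    lines = text.splitlines()
    fixed = ["#" + ln if should_comment(ln) else ln for ln in lines]
    return "\n".join(fixed) + ("\n" if text.endswith("\n") else "")


def disable_ld_preload(text):
    """Neutralise /etc/ld.so.preload: comment out every non-blank, uncommented line."""
    return _comment_out(text, lambda ln: ln.strip() and not ln.lstrip().startswith("#"))


def disable_mmcblk_fstab(text):
    """Comment out fstab entries that mount the SD card partitions (/dev/mmcblk0*)."""
    return _comment_out(text, lambda ln: ln.lstrip().startswith("/dev/mmcblk"))


def partition_offset(sfdisk_dump, number):
    """Byte offset of partition `number`, parsed from `sfdisk -d <image>` output
    (lines like 'kanux.img2 : start= 137216, size= 3727360, type=83')."""
    for m in re.finditer(r"^(\S+?)(\d+)\s*:\s*start=\s*(\d+)", sfdisk_dump, re.M):
        if int(m.group(2)) == number:
            return int(m.group(3)) * SECTOR_BYTES
    raise ValueError("partition %d not found in sfdisk dump" % number)


def qemu_command(kernel, image, vnc_display=1, memory_mb=256):
    """The boot command line from the post, headless, with the console on VNC :<display>."""
    return ["qemu-system-arm", "-vnc", ":%d" % vnc_display, "-kernel", kernel,
            "-cpu", "arm1176", "-m", str(memory_mb), "-M", "versatilepb",
            "-append", "root=/dev/sda2 rootfstype=ext4 rw", "-hda", image]


def prepare_image(image, mountpoint="/mnt/rpi"):
    """Loop-mount the root partition and apply both edits in place (needs root)."""
    dump = subprocess.run(["sfdisk", "-d", image], check=True,
                          capture_output=True, text=True).stdout
    offset = partition_offset(dump, 2)
    os.makedirs(mountpoint, exist_ok=True)
    subprocess.run(["mount", "-o", "loop,offset=%d" % offset, image, mountpoint], check=True)
    try:
        for rel, fix in (("etc/ld.so.preload", disable_ld_preload),
                         ("etc/fstab", disable_mmcblk_fstab)):
            path = os.path.join(mountpoint, rel)
            with open(path) as fh:
                original = fh.read()
            with open(path + ".orig", "w") as fh:   # keep a copy of the untouched file
                fh.write(original)
            with open(path, "w") as fh:
                fh.write(fix(original))
    finally:
        subprocess.run(["umount", mountpoint], check=True)


# Constructed sample of `sfdisk -d` output for a two-partition Raspbian image.
SAMPLE_SFDISK_DUMP = """label: dos
device: kanux.img
unit: sectors

kanux.img1 : start=        8192, size=      129024, type=c
kanux.img2 : start=      137216, size=     3727360, type=83
"""

if __name__ == "__main__":
    img, kern = sys.argv[1], sys.argv[2]   # e.g. Kanux-...img kernel-qemu-4.4.34-jessie
    prepare_image(img)
    print(" ".join(qemu_command(kern, img)))
```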




Enterprise Security Weekly #46 – Sexy Cryptography

Atif Ghauri of Herjavec Group joins us. In the news, stopping insider threats with machine learning, uncovering encrypted threats, end-user experience matters everywhere, and are too many SIEM alerts overwhelming your staff? All that and more in this episode of Enterprise Security Weekly!

Full Show Notes: https://wiki.securityweekly.com/ES_Episode46

Visit http://www.securityweekly.com for all the latest episodes!

The complexity of password complexity

Deploying password quality checking on your Debian-based Linux servers can help to ensure that your users assign reasonable passwords on their accounts, but the settings themselves can be a bit misleading. For example, setting a minimum password length of 12 characters does not mean that your users' passwords will all have twelve or more characters. Let's stroll down Complexity Boulevard and see how the settings work and examine some settings worth considering.

First, if you haven't done this already, install the password quality checking library with this command:

apt-get -y install libpam-pwquality

The files that contain most of the settings we're going to look at will be:

To read this article in full, please click here
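Why a minlen of 12 does not guarantee twelve real characters: the credit settings add to the length pwquality counts. The model below is an added example, not code from the article or from libpwquality; it implements the credit rule as documented in pam_pwquality(8) and assumes credit values of 1 for the default Settings, ignoring the dictionary, minclass and repeat checks.

```python
"""Model of libpam-pwquality's minlen/credit interaction.

Added example, not code from the article or from libpwquality. It implements
the credit rule as documented in pam_pwquality(8): for each character class a
credit value N >= 0 adds min(count, N) to the password's effective length, and
N < 0 instead demands at least |N| characters of that class. The length check
passes when effective length >= minlen. Dictionary, minclass and repeat checks
are deliberately not modelled.
"""
from dataclasses import dataclass


@dataclass
class Settings:
    """Subset of /etc/security/pwquality.conf; credit values of 1 are assumed here."""
    minlen: int = 12
    dcredit: int = 1  # digits
    ucredit: int = 1  # upper-case letters
    lcredit: int = 1  # lower-case letters
    ocredit: int = 1  # other characters (punctuation, space, ...)


def class_counts(password):
    """Number of characters of each class, keyed by the matching credit setting."""
    digits = sum(c.isdigit() for c in password)
    upper = sum(c.isupper() for c in password)
    lower = sum(c.islower() for c in password)
    other = len(password) - digits - upper - lower
    return {"dcredit": digits, "ucredit": upper, "lcredit": lower, "ocredit": other}


def effective_length(password, settings):
    """Length as pwquality counts it, or None when a negative credit (class minimum) is unmet."""
    length = len(password)
    for setting, count in class_counts(password).items():
        credit = getattr(settings, setting)
        if credit >= 0:
            length += min(count, credit)   # each such character earns one bonus point, up to N
        elif count < -credit:
            return None                    # hard requirement: at least |N| of this class
    return length


def check_length(password, settings):
    """(accepted, reason) for the length part of the pwquality check."""
    eff = effective_length(password, settings)
    if eff is None:
        return False, "a required character class is missing"
    if eff < settings.minlen:
        return False, "effective length %d is below minlen %d" % (eff, settings.minlen)
    return True, "effective length %d satisfies minlen %d" % (eff, settings.minlen)


def shortest_accepted(settings):
    """Smallest real character count that can satisfy minlen once credits are earned.

    A character earns at most 2 points (itself plus one credit) while credits remain,
    so up to `bonus` characters count double; beyond that each counts once."""
    bonus = sum(max(getattr(settings, s), 0)
                for s in ("dcredit", "ucredit", "lcredit", "ocredit"))
    half = (settings.minlen + 1) // 2
    return half if half <= bonus else settings.minlen - bonus


def strict_settings(minlen=12):
    """Settings with credits disabled, so minlen really means that many characters."""
    return Settings(minlen=minlen, dcredit=0, ucredit=0, lcredit=0, ocredit=0)


if __name__ == "__main__":
    for pw in ("Passw0rd!", "correcthorsebattery"):
        print(pw, check_length(pw, Settings()), check_length(pw, strict_settings()))
    print("shortest accepted with credits:", shortest_accepted(Settings()))
```

With credits of 1 per class, an eight-character password that touches all four classes already satisfies minlen = 12; setting every credit to 0 (or negative) makes minlen mean what it says.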

Gravityscan, keeping WordPress sites safe

If your website, in common with roughly 25% of all websites, is running WordPress then it's pretty much certain that it's being constantly attacked. WordPress is to hackers what raw meat is to jackals because unless sites are assiduously maintained, they quickly become vulnerable to a huge number of exploits.

The root cause of this vulnerability is WordPress' ecosystem of complex core software augmented by thousands of third party developers whose themes and plugins are often buggy and not quickly (or often, never) updated to fend off known security problems. Add to that many site owners being slow to update their core WordPress installation and you have an enormous and easily discovered collection of irresistible hacking targets.

To read this article in full, please click here

Bavarian DPA Tests GDPR Implementation of 150 Companies

On May 24, 2017, the Bavarian Data Protection Authority (“DPA”) published a questionnaire to help companies assess their level of implementation of the EU General Data Protection Regulation (“GDPR”).  

The DPA announced that it has sent the questionnaire to 150 randomly selected Bavarian companies.

The questionnaire examines the following topics:

  • procedures relating to the GDPR and the Data Protection Officer’s responsibilities;
  • data processing activities, inventories and privacy by design;
  • onboarding of external vendors and data processing agreements;
  • transparency, privacy notices and individuals’ rights;
  • accountability, the risk-based approach and security measures; and
  • data breach notification.

The DPA noted that it will be increasing its investigations after May 2018, and that this questionnaire provides an indication of how the investigations will be conducted.

Read the questionnaire (in German).

Read the press release (in German).

Target and State Attorneys General Resolve Investigation with Largest Multi-State Breach Settlement to Date

On May 23, 2017, various attorneys general of 47 states and the District of Columbia announced that they had reached an $18.5 million settlement with Target regarding the states’ investigation of the company’s 2013 data breach. This represents the largest multi-state data breach settlement achieved to date.

Connecticut Attorney General George Jepsen and Illinois Attorney General Lisa Madigan led the investigation, which found that hackers used credentials stolen from a third-party vendor to access Target’s gateway server and install malware that enabled them to capture consumer data, including names, contact information and payment card information of over 40 million customers. In addition to the monetary settlement, Target will adopt measures to secure and protect consumer information. For example, Target has 180 days to develop and implement a comprehensive information security program to be overseen by an executive reporting to its CEO and Board of Directors. The settlement also requires Target to obtain a third-party assessment of the measures it adopts and submit the assessor’s findings to the states.

Attorney General Madigan described the measures as setting “industry standards for companies that process payment cards and maintain secure information about their customers.” Attorney General Jepsen not only commended Target for its actions in response to the breach, including its cooperation with the states’ investigation and settlement negotiations, but also hoped the settlement would “serve to inform other companies as to what is expected of them in terms of the security of their consumers’ information.”

New York AG Settles with Wireless Lock Maker Over Security Flaws

On May 22, 2017, New York Attorney General Eric T. Schneiderman announced that the AG’s office has reached a settlement (the “Settlement”) with Safetech Products LLC (“Safetech”) regarding the company’s sale of insecure Bluetooth-enabled wireless doors and padlocks. In a press release, Schneiderman indicated that this “marks the first time an attorneys general’s office has taken legal action against a wireless security company for failing to protect their [customers’] personal and private information.”

The Settlement stems from Safetech’s representations that its products would allow users the ability to protect personal belongings inside their homes by turning doors and closets into secure areas. In August 2016, however, a team of independent security researchers discovered that Safetech’s Bluetooth-enabled locks left consumers susceptible to hacking and theft because the locks failed to secure passwords and other security information required for operation. Specifically, the researchers found that Safetech’s locks transmitted passwords between the locks and users’ smartphones in plain text and without encryption, allowing potential perpetrators to intercept the passwords and open the locks. The researchers also discovered that the locks contained weak and insecure default passwords that could easily be solved or discovered through brute force attacks of automated software used to generate a large number of consecutive guesses.

The Settlement requires Safetech to encrypt all passwords, electronic keys or other security credentials in their locks and other Bluetooth-enabled devices, as well as prompt users to change the default password upon the users’ initial setup of wireless communication. The Settlement also requires Safetech to establish and implement a written comprehensive security program reasonably designed to (1) address security risks related to the development and management of new and existing devices that use security information, and (2) protect the privacy, security, confidentiality and integrity of security information, including:

  • designating an employee or employees to coordinate and be accountable for the security program;
  • identifying material internal and external risks to (1) the security of the devices that could result in unauthorized access to or unauthorized modification of the device and (2) the privacy, security, confidentiality and integrity of security information;
  • designing and implementing reasonable safeguards to control the risks identified through the risk assessment;
  • regularly testing or monitoring the effectiveness of the safeguards’ key controls, systems and procedures, including reasonable and appropriate security testing techniques such as vulnerability and penetration testing, security architecture reviews and code reviews;
  • developing and using reasonable steps to select and retain service providers capable of maintaining security practices consistent with the Settlement, and contractually requiring service providers to implement and maintain appropriate safeguards consistent with the Settlement; and
  • evaluating and adjusting Safetech’s security program in light of the results of the testing and monitoring required by the Settlement.

Hack Naked News #126 – May 23, 2017

Booby-trapped subtitles, Netgear is recording your IP and MAC addresses, net neutrality is on the chopping block, and more. Jason Wood of Paladin Security joins us to explain why companies should hack back on this episode of Hack Naked News!

Full Show Notes: https://wiki.securityweekly.com/HNNEpisode126

Visit http://www.securityweekly.com for all the latest episodes!

The Rise and Rise of the Cyber Economy – PandaLabs Q1 2017 Report


Developments in Cyber-crime, Cyberwarfare and AI mark the first quarter of 2017, as indicated by PandaLabs Q1 Report. The Report by Panda Security’s malware resource facility identifies prominent tactics, attack methods and shifts in the industry.

The cyber-crime industry continues to grow on the back of profitable attacks. The development of Ransomware-as-a-Service (RaaS) and organisations like Vdos, an organisation specialising in DDoS attacks, indicate the professionalism of the cyber-crime industry. In Q1 we continue to see new and adapted attack methods such as RDPatcher, malware detected by PandaLabs in its attempt to access the victim’s endpoint and prepare it for rental on the Dark Web.

Politically motivated cyber-attacks

Fueling the continued development of the cyber-crime industry are politically motivated cyber-attacks. In recent months, cyberwarfare has become a popular tactic in enforcing political agendas. In Q4 of 2016, we saw some of the first high-profile instances of cyberwarfare, with accusations of Russia’s interference in the 2016 US elections. The gravity of the development is clear as countries like Germany have now begun to develop cyber-command centres to monitor online activity – this quarter France and the Netherlands reconsidered electronic voting procedures to avoid situations like the 2016 US elections.

Targeted IoT device attacks

Targeted attacks on IoT devices continue to threaten our safety in line with the ever-increasing number of IoT devices. In February, at the European Broadcasting Union Media Cyber Security Seminar, security consultant Rafael Scheel demonstrated more ways these devices can breach unsecured networks by creating an exploit that would allow an attacker to take control of a Smart TV using only a DVB-T signal.

A perfect device for eavesdropping

Recent developments in robotics and AI have led to the belief that the fourth industrial revolution is not far off. Robotics and AI technology could do more than just take over jobs: virtual assistants like Google Home and Amazon Echo can become a dangerous inroad for hackers. Introduced in February 2017, Google Home can tune into your home IoT devices while waiting to be called on, making it the perfect device for eavesdropping. Police recently requested access to an Amazon Echo device as it may have held evidence that could be useful to their case.

Over the course of 2016, ransomware attacks earned criminals billions of Rand. Fueled by its profitability, ransomware attacks continue to increase, with new variants created daily. In Q1 PandaLabs discovered the ransomware variant WYSEWYE, which allows the attacker to select and take control of specific folders on the victim’s endpoint, ultimately demanding a ransom to give back control to the victim.

See the full report by PandaLabs here.

The post The Rise and Rise of the Cyber Economy – PandaLabs Q1 2017 Report appeared first on CyberSafety.co.za.

Startup Security Weekly #40 – I’m On a Roll

How to come up with worthy startup ideas, why your explainer video matters, and what does “Minimum Viable Product” actually mean, anyway? Paul and Michael give updates on their startup journeys and report on Karamba, Crowdstrike, Wandera, and more on this episode of Startup Security Weekly!

Full Show Notes: https://wiki.securityweekly.com/SSWEpisode40 Visit http://www.securityweekly.com for all the latest episodes!

Toolsmith #125: ZAPR – OWASP ZAP API R Interface

It is my sincere hope that when I say OWASP Zed Attack Proxy (ZAP), you say "Hell, yeah!" rather than "What's that?". This publication has been a longtime supporter, and so many brilliant contributors and practitioners have lent to OWASP ZAP's growth, in addition to @psiinon's extraordinary project leadership. OWASP ZAP has been 1st or 2nd in the last four years of @ToolsWatch best tool surveys for a damned good reason. OWASP ZAP usage has been well documented and presented over the years, and the wiki gives you tons to consider as you explore OWASP ZAP user scenarios.
One of the more recent scenarios I've sought to explore is use of the OWASP ZAP API. The OWASP ZAP API is also well documented, with more than enough detail to get you started, but consider a few use case scenarios.
First, there is a functional, clean OWASP ZAP API UI that gives you a viewer's perspective as you contemplate programmatic opportunities. OWASP ZAP API interaction is URL based, and you can both access views and invoke actions. Explore any component and you'll immediately find related views or actions. Drilling into the core via http://localhost:8067/UI/core/ (I run OWASP ZAP on 8067; your install will likely be different) gives me a ton to choose from.
You'll need your API key in order to build queries. You can find yours via Tools | Options | API | API Key. As an example, drill into numberOfAlerts (baseurl ), which gets the number of alerts, optionally filtering by URL. You'll then be presented with the query builder, where you can enter your key, define specific parameters, and decide your preferred output format, including JSON, HTML, and XML.
Sure, you'll receive results in your browser, this query will provide answers in HTML tables, but these aren't necessarily optimal for programmatic data consumption and manipulation. That said, you learn the most important part of this lesson, a fully populated OWASP ZAP API GET URL: http://localhost:8067/HTML/core/view/numberOfAlerts/?zapapiformat=HTML&apikey=2v3tebdgojtcq3503kuoq2lq5g&formMethod=GET&baseurl=.
This request would return the result (shown as a screenshot in the original post) in HTML. Very straightforward and easy to modify per your preferences, but HTML results aren't very machine friendly. Want JSON results instead? Just swap out HTML with JSON in the URL, or just choose JSON in the builder. I'll tell you that I prefer working with JSON when I use the OWASP ZAP API via the likes of R. It's certainly the cleanest, machine-consumable option, though others may argue with me in favor of XML.
Allow me to provide you an example with which you can experiment, one I'll likely continue to develop against as it's kind of cool for active reporting on OWASP ZAP scans in flight or on results when the session is complete. Note, all my code, crappy as it may be, is available for you on GitHub. I mean to say, this is really v0.1 stuff, so contribute and debug as you see fit. It's also important to note that OWASP ZAP needs to be running, either with an active scanning session or a stored session you saved earlier. I scanned my website, holisticinfosec.org, and saved the session for regular use as I wrote this. You can even see a reference to the saved session by location below.
R users are likely aware of Shiny, a web application framework for R, and its dashboard capabilities. I also discovered that rCharts are designed to work interactively and beautifully within Shiny.
R includes packages that make parsing from JSON rather straightforward, as I learned from Zev Ross. RJSONIO makes it as easy as fromJSON("http://localhost:8067/JSON/core/view/alerts/?zapapiformat=JSON&apikey=2v3tebdgojtcq3503kuoq2lq5g&formMethod=GET&baseurl=&start=&count=")
to pull data from the OWASP ZAP API. We use the fromJSON function "and its methods to read content in JSON format and de-serialize it into R objects", where the ZAP API URL is that content.
I further parsed alert data using Zev's grabInfo function and organized the results into a data frame (ZapDataDF). I then further sorted the alert content from ZapDataDF into objects useful for reporting and visualization. Within each alert object are values such as the risk level, the alert message, the CWE ID, the WASC ID, and the Plugin ID. Defining each of these values as parameters useful to R is done with the likes of:
I then combined all those results into another data frame I called reportDF, the results of which are seen in the figure below.
reportDF results
Now we've got some content we can pivot on.
First, let's summarize the findings and present them in their resplendent glory via ZAPR: OWASP ZAP API R Interface.
Code first, truly simple stuff it is:
Summary overview API calls

You can see that we're simply using RJSONIO's fromJSON to make specific ZAP API call. The results are quite tidy, as seen below.
ZAPR Overview
One of my favorite features in Shiny is the renderDataTable function. When utilized in a Shiny dashboard, it makes filtering results a breeze, and thus is utilized as the first real feature in ZAPR. The code is tedious, review or play with it from GitHub, but the results should speak for themselves. I filtered the view by CWE ID 89, which in this case is a bit of a false positive, I have a very flat web site, no database, thank you very much. Nonetheless, good to have an example of what would definitely be a high risk finding.


Alert filtering

Alert filtering is nice, I'll add more results capabilities as I develop this further, but visualizations are important too. This is where rCharts really come to bear in Shiny as they are interactive. I've used the simplest examples, but you'll get the point. First, a few, wee lines of R as seen below.
Chart code
The results are much more satisfying to look at, and allow interactivity. Ramnath Vaidyanathan has done really nice work here. First, OWASP ZAP alerts pulled via the API are counted by risk in a bar chart.
Alert counts

As I moused over Medium, we can see that there were specifically 17 results from my OWASP ZAP scan of holisticinfosec.org.
Our second visualization is the CWE ID results by count, in an oft-disdained but interactive pie chart (yes, I have some work to do on layout).


CWE IDs by count

As we learned earlier, I only had one CWE ID 89 hit during the session, and the visualization supports what we saw in the data table.
The possibilities are endless to pull data from the OWASP ZAP API and incorporate the results into any number of applications or report scenarios. I have a feeling there is a rich opportunity here with PowerBI, which I intend to explore. All the code is here, along with the OWASP ZAP session I refer to, so you can play with it for yourself. You'll need OWASP ZAP, R, and RStudio to make it all work together, let me know if you have questions or suggestions.
Cheers, until next time.
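The same reporting the ZAPR dashboard does in R, as an added Python example that is not the author's code: it calls the /JSON/core/view/alerts/ view from the article, counts alerts by risk and by CWE ID, and filters on a CWE the way the data table does. ZAP_BASE (port 8067 as in the article) and API_KEY are placeholders for your own install; SAMPLE_ALERTS is a constructed response in the shape ZAP returns, so the reporting functions run without a live ZAP.

```python
"""Summarise OWASP ZAP alerts fetched over the JSON API, the way ZAPR does in R.

Added example in Python, not the author's R code. It calls the same
/JSON/core/view/alerts/ view the article uses; ZAP_BASE (port 8067 as in the
article) and API_KEY are placeholders for your own install (Tools | Options |
API | API Key). SAMPLE_ALERTS is a constructed response so the reporting runs
offline; the field names (risk, alert, cweid, wascid, pluginId, url) are the
ones ZAP's alerts view returns.
"""
import json
import urllib.parse
import urllib.request
from collections import Counter

ZAP_BASE = "http://localhost:8067"
API_KEY = "YOUR_ZAP_API_KEY"   # placeholder: read it from Tools | Options | API
RISK_ORDER = ["Informational", "Low", "Medium", "High"]


def alerts_url(base=ZAP_BASE, apikey=API_KEY, baseurl="", start="", count=""):
    """Build the GET URL shown in the article, key and filters as query parameters."""
    params = {"zapapiformat": "JSON", "apikey": apikey, "formMethod": "GET",
              "baseurl": baseurl, "start": start, "count": count}
    return base + "/JSON/core/view/alerts/?" + urllib.parse.urlencode(params)


def fetch_alerts(url):
    """Return the list under the 'alerts' key from a running ZAP instance."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)["alerts"]


def report_rows(alerts):
    """The columns ZAPR's reportDF carries, one tuple per alert."""
    return [(a["risk"], a["alert"], a["cweid"], a["wascid"], a["pluginId"], a["url"])
            for a in alerts]


def count_by_risk(alerts):
    """Alert counts per risk level, ordered low to high (the bar chart's input)."""
    counts = Counter(a["risk"] for a in alerts)
    return [(risk, counts.get(risk, 0)) for risk in RISK_ORDER]


def count_by_cwe(alerts):
    """Alert counts per CWE ID, most frequent first (the pie chart's input)."""
    return Counter(a["cweid"] for a in alerts).most_common()


def filter_by_cwe(alerts, cweid):
    """The data-table filter from the article, e.g. CWE 89 (SQL injection)."""
    return [a for a in alerts if a["cweid"] == str(cweid)]


# Constructed sample in the shape of ZAP's alerts view (not a real scan result).
SAMPLE_ALERTS = [
    {"risk": "High", "alert": "SQL Injection", "cweid": "89", "wascid": "19",
     "pluginId": "40018", "url": "https://holisticinfosec.org/?q=1"},
    {"risk": "Medium", "alert": "X-Frame-Options Header Not Set", "cweid": "16",
     "wascid": "15", "pluginId": "10020", "url": "https://holisticinfosec.org/"},
    {"risk": "Medium", "alert": "X-Frame-Options Header Not Set", "cweid": "16",
     "wascid": "15", "pluginId": "10020", "url": "https://holisticinfosec.org/toolsmith/"},
    {"risk": "Low", "alert": "X-Content-Type-Options Header Missing", "cweid": "16",
     "wascid": "15", "pluginId": "10021", "url": "https://holisticinfosec.org/"},
    {"risk": "Informational", "alert": "Information Disclosure - Suspicious Comments",
     "cweid": "200", "wascid": "13", "pluginId": "10027", "url": "https://holisticinfosec.org/"},
]

if __name__ == "__main__":
    alerts = SAMPLE_ALERTS
    try:
        alerts = fetch_alerts(alerts_url())    # prefer a live instance when one is up
    except OSError:
        print("no ZAP reachable at %s, using the constructed sample" % ZAP_BASE)
    for risk, n in count_by_risk(alerts):
        print("%-14s %d" % (risk, n))
    for cwe, n in count_by_cwe(alerts):
        print("CWE-%s: %d" % (cwe, n))
    for row in report_rows(filter_by_cwe(alerts, 89)):
        print(row)
```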

China Releases Revised Draft on Measures for Implementation of the New Cybersecurity Law

On May 19, 2017, the Cyberspace Administration of China (“CAC”) issued a revised draft (the “Revised Draft”) of its Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data. The original draft was issued in April 2017, and similar to the original draft, the Revised Draft does not have the impact of law; it does, however, provide an indication of how the CAC’s views on the Cybersecurity Law have evolved since the publication of the original draft. The Revised Draft was issued after the CAC received comments on the original draft from numerous parties.

The principal issues and challenges presented in the original draft remain largely the same in the Revised Draft, although certain issues have been clarified. Below are some key issues addressed in the Revised Draft:

  • The Revised Draft maintains the original draft’s restrictions on cross-border transfers of personal data, and applies the restrictions to “network operators.” Prior to conducting cross-border transfers, “network operators” are required to notify data subjects and obtain their consent.
  • Data subject consent to a cross-border transfer will not be required during emergencies (i.e., when the life or property of a data subject is in danger).
  • The data subject’s consent can be established in implied form by way of an affirmative act by the data subject.
  • The Revised Draft maintains the original draft’s requirement to conduct a “security assessment” on all cross-border transfers of personal data. Large-scale transfers, or transfers involving relatively sensitive information, must be conducted before a regulatory authority. The original draft defined large-scale transfers as those involving personal data of more than 500,000 individuals or involving files larger than 1,000 GB; the Revised Draft’s definition no longer includes files larger than 1,000 GB.
  • The definition of “network operator” remains very broad under the Revised Draft, and may apply to practically any material enterprise.
  • The Revised Draft is stated to go into effect together with the Cybersecurity Law itself on June 1, 2017. However, the Revised Draft also contains a grace period for the cross-border transfer restriction. Under that grace period, “network operators” will only have to comply with the requirements on cross-border transfers beginning on December 31, 2018.

SMBv1 isn’t safe

Long before WannaCry used a recently patched Microsoft vulnerability to exploit machines, the recommendation was to disable SMBv1.

Disabling old protocols isn’t sexy. You’re breaking things, and not introducing new features. You’re fixing theoretical future attacks. Perhaps the willingness to take on this challenge is a good measure of the maturity level of a security program. Are you sitting around waiting for an attack so you have the justification for making a change? Are you sitting around waiting for a vendor to do it for you? (“I didn’t want to disable SSL3, your default browser did that. Guess you need to update the server application.”) Disabling it before an attack, or before a vendor disables it for you, is a better idea. You can proceed at your own pace. You can do testing.

This doesn’t mean it’s an easy road. One of my security product vendors sent out an alert today warning customers that disabling SMBv1 will lead to an unspecified loss of functionality. This is the other problem. Security vendors are all too lax about security.

Leaving old protocols enabled exposes you to vulnerabilities. Frequently, even when newer versions of protocols are available, downgrade attacks force you to use the vulnerable protocol. Stay up to date on best practices. Be proactive about your company’s security rather than just being a seat filler waiting for the next emergency.

The post SMBv1 isn’t safe appeared first on Roger's Information Security Blog.

Enterprise Security Weekly #45 – The Memes Were Great

April Wright of Verizon Enterprise and Matt Ploessel of Markley Group join us to discuss vendor response to WannaCry. In the news, Identropy and Exabeam team up, five pitfalls to avoid during a CASB evaluation, FirstWave partners with Fortinet, and more in this episode of Enterprise Security Weekly!

Full Show Notes: https://wiki.securityweekly.com/ES_Episode45

Visit http://www.securityweekly.com for all the latest episodes!

WannaCry happened and nobody called me during my vacation – I tell you why

I had been on a biking trip through Austria and Bavaria since last Wednesday when, on Friday, reading the mainstream media, the world broke down with WannaCry. OK, I thought, sensationalism by the mainstream media, but now that I’m at home, I cannot believe what I read in tech blogs and the IT media. I won’t link all of them here, just the one I plainly can’t understand and with which I disagree in the strongest way possible – telling plainly that patching is hard and we can’t do anything.

Let’s start with how a WannaCry infection spreads through a company.

  • The malware needed to get into the company network, be it via open SMB ports (445 TCP) to the Internet or via email. As I read through the articles it’s not 100% clear how the infection happened – let’s assume both methods have been used for this post.
  • In the second case a user clicks on the attachment and the malware gets executed.
  • Then it searches through the company network and tries with an RCE (remote code execution) to infect other PCs.
  • It encrypts the local hard drive.

Now let’s talk about why this should not have been any problem in your organization.

  • Port 445 TCP reachable from the Internet? Really? If you’re unsure, quickly go to Shodan and type into the search field net:"xxx.xxx.xxx.xxx/yy", with xxx.xxx.xxx.xxx being your IP address range followed by the yy subnet mask, and check whether you know about all the open ports and services it shows.
  • And now let’s take a look at all the stuff I wrote over a year ago about what you should have done before the Locky malware happened (yes, this is not the first ransomware making big waves) to not be affected: Stop panicking about the Locky ransomware [Update 2]
    • For the Email infection vector:
      • Block EXE attachments in emails
      • Remove active code from Word, Excel and Powerpoint files by default
      • Block EXE downloads on the Proxy
    • For both  infection vectors:
      • Use application white-listing – we moved to whitelisting for firewall rules a long time ago, its past time to do that for applications. Guess why there is not so much iPhone malware – Apple is effectively white-listing software.
      • Block client 2 client traffic – Even if that is not possible on a day2day basis, it should be prepared to be enabled in a case of emergency.

    Either of the last two alone would have made a widespread infection impossible.

  • Microsoft provided a patch on March 14 and rated the vulnerability critical. Let's look at when Microsoft rates a vulnerability critical and when important. The difference is that with "important" the user has to do something first (open a file, confirm a prompt) and is then infected; with "critical" there is no interaction at all, just infection. So "important" is remote code execution and "critical" is wormable remote code execution.
    And finally, look at the following text from Microsoft: "Mitigating Factors: Microsoft has not identified any mitigating factors for this vulnerability." In short: if you read about such a vulnerability in Windows and know that an exploit is in the wild, drop everything and start patching that hole at once.

Looking at the above, the malware/worm could easily have been blocked. Finally, I really want to take a look at the post linked above from SMBlog by Steven M. Bellovin.

  • Because patching is very hard and very risky, and the more complex your systems are, the harder and riskier it is.
    That's not true in this case.

    • Port 445 open to the Internet, no real network separation, local Windows Firewall deactivated and SMB1 still enabled on Windows client systems (see Microsoft's recommendation from 2016): that's not a patching problem, that's a security policy failure (e.g. missing base hardening of operating systems).
    • Standard client PCs (for the normal employee) not patched, and I'm not talking about special systems here: we patch thousands of PCs every month after the Windows patches are released, without any problems in years. The special systems needed to get infected by something after all.
    • If client PCs not managed by the company got connected to the network and infected special systems, it's a failure of network access control, plain and simple.
    • No mitigation prepared for a case like a worm outbreak. Just to make a point: we prepared client-to-client block ACLs for all edge switches, which can be activated within a few minutes, back in 2011, because you never can know. This is a missing emergency plan, as required by ISO 27001.
    • A two-month window for patching a wormable remote code execution vulnerability. If it was not possible to patch something like that within two months, the company has a high technical/security debt. This is a management failure.
    • Still running unsupported software: that is a management failure, by not making correct contracts with the vendor or by ignoring the problem like an ostrich.
  • So—if you’re the CIO, what do you do? Break the company, or risk an attack? (Again, this is an imaginary conversation.)
    That's the wrong question: if the CIO is facing that question, he has done a bad job before:

    • All your critical software should have a maintenance contract which specifically covers security updates (and especially their timeline) for the underlying operating system and the software itself, and there must be a contractual penalty in it. We have done that for years now in our calls for bids. Big IT companies provide that security handling without you asking for it, so this is mainly for special software.
    • If the IT department does not have the time to patch everything, a triage needs to be done. The vulnerabilities with the highest probability and potential for damage need to be patched first; this vulnerability must have been at the top of any list.
    • The systems are not what is called "Stand der Technik" in German, which translates as "state of the art": a Windows XP system is not state of the art, no meaningful network separation is not state of the art, .....
  • That patching is so hard is very unfortunate. Solving it is a research question. Vendors are doing what they can to improve the reliability of patches, but it’s a really, really difficult problem.
    • OK, patching might not be as easy as it could be, but
      • A big institution that got caught by this malware left the back door open and is now complaining that a herd of wild boars went through the house and did damage.
      • The security and IT departments just failed at their job: do a postmortem without finger pointing and fix the problems. I'm quite sure the affected IT departments also got caught by the Locky malware and didn't learn a thing.
      • Vendors not doing enough: sure, in this case Microsoft did patch it, but especially with IoT devices vendors do nothing.
      • Searching Google for problems after installing MS17-010 reveals only a few posts after billions of updated PCs, so there are no problems with this patch, and thus no reason not to install it.
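As an added example, not code from the original post, the following PowerShell turns the points above into a quick audit of a single Windows host: is SMB1 still enabled, is the local Windows Firewall switched off on any profile, does an enabled inbound rule allow TCP/445 from any remote address, and is MS17-010 installed. It assumes an elevated PowerShell on Windows 8.1/10 or Server 2012 R2/2016 (the SmbShare and NetSecurity cmdlets do not exist on Windows 7). The default KB numbers are the March 2017 security-only update and monthly rollup for Windows 8.1 / Server 2012 R2; other editions ship MS17-010 under other KB numbers (Windows 10 as part of the March 2017 cumulative update), so take the numbers for your edition from the bulletin and pass them with -Ms17010Kb. The function name and parameter are mine.

```powershell
# Added example (not from the original post): local audit for the WannaCry
# preconditions. Run elevated on Windows 8.1/10 or Server 2012 R2/2016.
# Assumption: default KB list = MS17-010 for Windows 8.1 / Server 2012 R2
# (security-only + monthly rollup); pass the right ones for your edition.

function Test-WannaCryExposure {
    param([string[]]$Ms17010Kb = @('KB4012213', 'KB4012216'))

    $findings = @()

    # 1. SMBv1 server still switched on? Microsoft recommended disabling it in 2016.
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        $findings += 'SMB1 server protocol enabled (fix: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force)'
    }

    # 2. Host firewall disabled on any profile? That is what lets a worm reach
    #    port 445 on every client of a flat network.
    foreach ($p in Get-NetFirewallProfile) {
        if (-not $p.Enabled) { $findings += "Windows Firewall profile '$($p.Name)' is disabled" }
    }

    # 3. Enabled inbound allow rule for TCP/445 (or all ports) from any remote address?
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        $opensSmb = ($port.Protocol -eq 'TCP' -or $port.Protocol -eq 'Any') -and
                    (@($port.LocalPort) -contains '445' -or $port.LocalPort -eq 'Any')
        if ($opensSmb -and $addr.RemoteAddress -eq 'Any') {
            $findings += "Inbound rule '$($rule.DisplayName)' allows TCP/445 from any remote address"
        }
    }

    # 4. MS17-010 present? Get-HotFix reads the same data as 'wmic qfe list'.
    if (-not (Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue)) {
        $findings += "None of $($Ms17010Kb -join ', ') is installed; MS17-010 may be missing"
    }

    return $findings
}

$result = @(Test-WannaCryExposure)
if ($result.Count -eq 0) { 'No findings' } else { $result }
```

The firewall check only flags rules whose remote address is "Any"; a rule scoped to the local subnet still lets a worm spread inside the office, which is exactly why the post wants client-to-client blocking on the edge switches as well. That switch-side ACL is network equipment configuration and is not shown here.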

So that's my view on the WannaCry stuff after being on vacation ..... tell me your views: did I miss something?

OCR Fines Texas Health System For Alleged HIPAA Privacy Rule Violation

On May 10, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced a $2.4 million civil monetary penalty against Memorial Hermann Health System (“MHHS”) for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule. 

The penalty followed an OCR compliance review of MHHS based on multiple media reports suggesting that MHHS had disclosed a patient’s protected health information (“PHI”) without authorization. OCR’s review focused on an incident that occurred when a MHHS patient allegedly presented fraudulent identification and was subsequently arrested. MHHS senior management approved the publishing of a press release about the incident that contained the patient’s name, an impermissible disclosure of PHI in violation of the Privacy Rule. OCR’s review further determined that MHHS failed to timely document the sanctions it issued to its personnel for disclosing the patient’s PHI. Under the terms of OCR’s resolution agreement, MHHS must update its policies and procedures on safeguarding PHI from impermissible uses and disclosures, as well as train its workforce on compliance.

“Senior management should have known that disclosing a patient’s name on the title of a press release was a clear HIPAA Privacy violation that would induce a swift OCR response,” said OCR Director Roger Severino. “This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.” This settlement, the eighth announced this year, signals OCR’s increased enforcement of the Privacy Rule.

Global Ransomware Attacks Raise Key Legal Considerations

On May 12, 2017, a massive ransomware attack began affecting tens of thousands of computer systems in over 100 countries. The ransomware, known as “WannaCry,” leverages a Windows vulnerability and encrypts files on infected systems and demands payment for their release. If payment is not received within a specified time frame, the ransomware automatically deletes the files. A wide range of industries have been impacted by the attack, including businesses, hospitals, utilities and government entities around the world.

These types of incidents can have significant legal implications for affected entities and industries for whom data access and continuity is critical (health care and finance are particularly vulnerable). As affected entities work to understand and respond to the threat of ransomware, below is a summary of key legal considerations:

  • FTC Enforcement. In a November 2016 blog entry, the FTC noted that “a business’ failure to secure its networks from ransomware can cause significant harm to the consumers (and employees) whose personal data is hacked. And in some cases, a business’ inability to maintain its day-to-day operations during a ransomware attack could deny people critical access to services like health care in the event of an emergency.” The FTC also noted that “a company’s failure to update its systems and patch vulnerabilities known to be exploited by ransomware could violate Section 5 of the FTC Act.” In various FTC enforcement actions (including those against Wyndham Worldwide Corporation and ASUSTeK Computer, Inc.), the FTC has demonstrated its willingness to bring Section 5 enforcement actions against companies who experience data security incidents resulting from malware exploitation of vulnerabilities. In the event of a security compromise, the FTC also may consider the accuracy of consumer promises an organization has made regarding the security of its systems. The FTC has used the unfairness and deception doctrines to pursue companies that misrepresented the security measures used to protect consumers’ personal information from access by unauthorized parties. Nearly all data security actions brought by the FTC have been settled and have resulted in comprehensive settlement agreements that typically impose obligations for up to 20 years.
  • Breach Notification Laws. In the U.S., 48 States, the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands have laws that require notification to affected individuals (and in some states, regulators) in the event of unauthorized acquisition of or access to personal information. Certain federal laws, such as the Health Insurance Portability and Accountability Act (“HIPAA”), also require notification for certain breaches of covered information, and there is an increasing number of breach notification laws being adopted internationally. To the extent a ransomware attack results in the unauthorized acquisition of or access to covered information, applicable breach notification laws may impose notification obligations on affected entities.
  • Litigation. In the event that ransomware results in a breach of covered information, litigation is another potential risk. Despite the difficulty in bringing successful lawsuits against affected entities, plaintiffs’ lawyers continue to actively pursue newsworthy breaches, as businesses are paying significant amounts in settlements with affected individuals. Affected entities also may face lawsuits from their business partners whose data is involved in the attack, and often battle insurers over coverage of costs associated with the attack. Businesses must also be cognizant of cyber-related shareholder derivative lawsuits, which increasingly follow from catastrophic security breaches.
  • Data Security Laws. A number of U.S. states have enacted laws that require organizations that maintain certain types of personal information about state residents to adhere to general information security requirements with respect to that personal information. As a general matter, these laws (such as Section 1798.81.5 of the California Civil Code) require businesses that own or license personal information about state residents to implement and maintain reasonable security procedures and practices to protect the information from unauthorized access, destruction, use, modification or disclosure. To the extent a ransomware attack results from a failure to implement reasonable safeguards, affected entities may be at risk of legal exposure under the relevant state security laws.
  • Agency Guidance. Given the evolving nature of ransomware attacks, government agencies are continuously developing recommendations to help businesses respond. For example, the Department of Health and Human Services Office for Civil Rights, which enforces HIPAA, published a fact sheet advising health care entities on methods for preventing, investigating and recovering from ransomware attacks. The FBI has also developed ransomware resources directed towards Chief Information Security Officers and CEOs. This guidance should be carefully considered to help prevent and recover from ransomware attacks and to understand the potential criminal and enforcement implications of such attacks.

Ransomware is a growing concern, and while the recent global attack has been the most high-profile attack to date, it is part of an overall trend in the evolving threat landscape. Businesses and other organizations should take into account the above legal considerations in their efforts to prevent, investigate and recover from these disruptive attacks.

Chinese Hackers Fined for Hack of New York Law Firms

On May 5, 2017, the U.S. District Court for the Southern District of New York entered a default judgment in favor of the SEC against three Chinese defendants accused of hacking into the nonpublic networks of two New York-headquartered law firms and stealing confidential information regarding several publicly traded companies engaged in mergers and acquisitions. The defendants allegedly profited illegally by trading the stolen nonpublic information. After the defendants failed to answer the SEC’s complaint, the court entered a default judgment against them, imposing a fine of approximately $8.9 million against the defendants (three times the profits they gained by the unlawful trading, the maximum penalty allowable under the relevant section of the Securities Exchange Act of 1934).

6 ways to lock down your iPhone’s lock screen

Just because your iPhone is locked with a passcode or Touch ID doesn’t mean it’s safe from prying eyes and fingers. From text message notifications to Siri, your phone’s lock screen is brimming with alerts, features, and settings that anyone can tamper with, even after you’ve locked your handset.

Luckily, iOS has plenty of settings that can help lock down your phone’s lock screen. For example, you can keep sensitive notifications hidden, disable controls that could put your lost phone in airplane mode, turn off lock-screen access to Siri, and more.

Turn off lock screen notifications

You’d probably never dream of letting a stranger rifle through your text messages and email inbox, but that’s what could happen if you allow apps like Messages and Mail to put alerts on your iPhone’s lock screen. It’s even possible to reply to a text message or trash a mail message directly from the notification, even if your iPhone is locked.


Paul’s Security Weekly #513 – Two iPhones & A Pocket Full of Dongles

Steve Lipner of SAFECode joins us, Roi Abutbul and Guy Franco of Javelin Networks show us the importance of protecting AD, and we discuss the latest security news!

Full Show Notes: http://wiki.securityweekly.com/wiki/index.php/Episode513

Visit http://www.securityweekly.com for all the latest episodes!

Subscribe to YouTube Channel: https://www.youtube.com/channel/UCg--XBjJ50a9tUhTKXVPiqg

Security Weekly Website: http://securityweekly.com

Follow us on Twitter: @securityweekly

EMP Attack – Prepping For A Modern-Day Dark Age (Recoil-OffGrid Issue 19)

Recoil-OffGrid Issue 19

If an EMP attack rendered all technology worthless, would you be prepared? In Issue 19, of Recoil-Offgrid, I join subject matter experts Tim MacWelch and Kevin Reeves in exploring what a possible EMP attack might look like, and some possible strategies for survival. Thanks to the guys at Recoil-OffGrid, we have been given permission to post an excerpt from the full article to give our readers a sneak peek.

Read the full “What-If” scenario in Issue 19, on-sale now. Don’t miss out! (Click Here To Read Excerpt.)

Copyright 2017 by TEN: The Enthusiast Network Magazines, LLC. All Rights Reserved. (Reprinted with Permission.)

The post EMP Attack – Prepping For A Modern-Day Dark Age (Recoil-OffGrid Issue 19) appeared first on Quick Start Survival.

Enterprise Security Weekly #44 – What Are We Bethesing Today

Ryan Hays of TBG Security joins us. In the news, VMware falls out with Tanium, machine learning at Invincea, the war on legacy IT, Cisco Cloudlock releases an apps firewall, and more in this episode of Enterprise Security Weekly!

Full Show Notes: http://wiki.securityweekly.com/wiki/index.php/ES_Episode44

Visit http://www.securityweekly.com for all the latest episodes!

President Trump Signs Executive Order on Cybersecurity

On May 11, 2017, President Trump signed an executive order (the “Order”) that seeks to improve the federal government’s cybersecurity posture and better protect the nation’s critical infrastructure from cyber attacks. The Order also seeks to establish policies for preventing foreign nations from using cyber attacks to target American citizens.

Read the full text of the Order.

Second Circuit Affirms Dismissal of Putative Data Breach Class Action for Lack of Article III Standing

On May 2, 2017, the United States Court of Appeals for the Second Circuit issued a summary order affirming dismissal of a putative data breach class action against Michaels Stores, Inc. (“Michaels”). The plaintiff’s injury theories were as follows: (1) the plaintiff’s credit card information was stolen and twice used to attempt fraudulent purchases; (2) the risk of future identity fraud and (3) lost time and money resolving the attempted fraudulent charges and monitoring credit. The plaintiff, however, quickly cancelled her card after learning of the unauthorized charges and did not allege that she was held responsible for any of those charges.

The Second Circuit agreed with the trial court that these injuries were not sufficient to establish Article III standing. The appellate court noted that because the plaintiff was not asked to pay (and did not pay) any fraudulent charges, this alleged injury was neither concrete nor particularized. The Second Circuit also found that the allegation of future identity fraud was not plausible because the plaintiff had cancelled the exposed credit card and no other information needed for identity fraud was stolen in the breach. Finally, the Second Circuit held that the plaintiff’s vague allegations that she and the putative class were injured due to the considerable time and expense of monitoring their financial accounts—with no further facts—lacked the substance and specificity to establish injury for Article III purposes.

Hack Naked News #123 – May 9, 2017

Phishing in Google’s waters, HandBrake has been compromised, Dell releases patches galore, and more. Jason Wood of Paladin Security delivers expert commentary on how ultrasonic beacons can track your phone on this episode of Hack Naked News!

Full Show Notes: http://wiki.securityweekly.com/wiki/index.php/HNNEpisode123

Visit http://www.securityweekly.com for all the latest episodes!

MS17-013 – Critical: Security Update for Microsoft Graphics Component (4013075) – Version: 3.0

Severity Rating: Critical
Revision Note: V3.0 (May 9, 2017): Microsoft has re-released security update 4017018 for affected editions of Windows Server 2008. The re-release has been re-classified as a security update. Microsoft recommends that customers should install update 4017018 to be fully protected from CVE-2017-0038. Customers who have already installed the update do not need to take any further action. In addition, this security update correction also applies to Windows Server 2008 for Itanium-based Systems.
Summary: This security update resolves vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, Silverlight and Microsoft Lync. The most serious of these vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Using Wildcards To Change the Functionality of Search

In the packet capture framework Moloch, there are a large variety of keywords you can use to search through packets, such as http.uri. An http.uri query looks something like this:
http.uri == "misc.php?v=4112&js=js" That's a powerful tool, but what if you just wanted to see all packets with a URI in the last hour? http.uri and the other search fields require a comparison operator (==, >=, ...) followed by a search string. The simple way to change the behaviour of the search is to wildcard the search string.
http.uri == * will show you all the packets that contain a URI in the specified time frame. It is an easy way to broaden the search when you're not sure exactly what you're searching for.

Startup Security Weekly #38 – We Need To Pivot!

Steven Grossman of Bay Dynamics joins us. In the news, why your startup doesn’t necessarily need early stage funding, Cisco acquires Viptela, the risks of startup debt, and why do chefs and soldiers make the best product managers?

Full Show Notes: http://wiki.securityweekly.com/wiki/index.php/SSWEpisode38

Visit http://www.securityweekly.com for all the latest episodes!

Enterprise Security Weekly #43 – There’s Always Time For Lube

Don Pezet of ITPro.TV talks about deception technologies and honeypots. In the news, Duo launches its MSP program, Fortscale beefs up its partner programs, integrating threat intelligence into your operations, and more in this episode of Enterprise Security Weekly!

Full Show Notes: http://wiki.securityweekly.com/wiki/index.php/ES_Episode43

Visit http://www.securityweekly.com for all the latest episodes!

Securing a Successful Transaction through Focused Privacy and Data Security Due Diligence

Privacy and data security issues have become the subject of critical focus in corporate mergers, acquisitions, divestitures and related transactions. In 2016 and 2017, several large transactions, especially those involving telecommunications, entertainment and technology companies, have been impacted by either concerns about the collection and use of personal information or significant information security breaches. The FTC has sharpened its focus on the use of personal information as a factor in evaluating the competitive effects of a given corporate transaction, and the SEC is now closely scrutinizing privacy and data security representations made to investors in public filings connected to transactions. More broadly, privacy and data security problems that are not timely discovered before entering into an M&A transaction can become significant liabilities post-closing and also lead to litigation.

The Importance of Thorough Due Diligence

Because of this heightened concern, it is imperative that companies conduct thorough due diligence about privacy and data security issues before entering into a transaction. The goals of the due diligence process should be to help the parties in a transaction understand (1) what promises and representations a company has made with respect to privacy and data security; (2) whether a company needs to obtain any consents from consumers, employees or others post-transaction to be able to use the personal information previously collected; (3) how the parties’ information security programs are structured; (4) how the company has responded or could potentially respond to significant data breaches; and (5) the buyer’s potential liability for privacy and data security issues post-closing.

Hunton & Williams Can Help

Hunton & Williams has created a cross-disciplinary legal team dedicated to guiding companies through the minefield of regulatory and cyber-related risks associated with high-stakes corporate mergers and acquisitions. The new team brings together the firm’s renowned capabilities in privacy and cybersecurity with its recognized strength in M&A transactions.

Read the full client alert.

To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence

In 2017, Mandiant responded to multiple incidents we attribute to FIN7, a financially motivated threat group associated with malicious operations dating back to 2015. Throughout the various environments, FIN7 leveraged the CARBANAK backdoor, which this group has used in previous operations.

A unique aspect of the incidents was how the group installed the CARBANAK backdoor for persistent access. Mandiant identified that the group leveraged an application shim database to achieve persistence on systems in multiple environments. The shim injected a malicious in-memory patch into the Service Control Manager (“services.exe”) process, which then spawned a CARBANAK backdoor process.

Mandiant identified that FIN7 also used this technique to install a payment card harvesting utility for persistent access. This was a departure from FIN7’s previous approach of installing a malicious Windows service for process injection and persistent access.

Application Compatibility Shims Background

According to Microsoft, an application compatibility shim is a small library that transparently intercepts an API (via hooking), changes the parameters passed, handles the operation itself, or redirects the operation elsewhere, such as additional code stored on a system. Today, shims are mainly used for compatibility purposes for legacy applications. While shims serve a legitimate purpose, they can also be used in a malicious manner. Mandiant consultants previously discussed shim databases at both BruCon and BlackHat.

Shim Database Registration

There are multiple ways to register a shim database on a system. One technique is to use the built-in “sdbinst.exe” command line tool. Figure 1 displays the two registry keys created when a shim is registered with the “sdbinst.exe” utility.

Figure 1: Shim database registry keys

Once a shim database has been registered on a system, the shim database file (“.sdb” file extension) will be copied to the “C:\Windows\AppPatch\Custom” directory for 32-bit shims or “C:\Windows\AppPatch\Custom\Custom64” directory for 64-bit shims.

Malicious Shim Database Installation

To install and register the malicious shim database on a system, FIN7 used a custom Base64 encoded PowerShell script, which ran the “sdbinst.exe” utility to register a custom shim database file containing a patch onto a system. Figure 2 provides a decoded excerpt from a recovered FIN7 PowerShell script showing the parameters for this command.

Figure 2: Excerpt from a FIN7 PowerShell script to install a custom shim

FIN7 used various naming conventions for the shim database files that were installed and registered on systems with the “sdbinst.exe” utility. A common observance was the creation of a shim database file with a “.tmp” file extension (Figure 3).

Figure 3: Malicious shim database example

Upon registering the custom shim database on a system, a file named with a random GUID and an “.sdb” extension was written to the 64-bit shim database default directory, as shown in Figure 4. The registered shim database file had the same MD5 hash as the file that was initially created in the “C:\Windows\Temp” directory.

Figure 4: Shim database after registration

In addition, specific registry keys were created that correlated to the shim database registration.  Figure 5 shows the keys and values related to this shim installation.

Figure 5: Shim database registry keys

The database description used for the shim database registration, “Microsoft KB2832077” was interesting because this KB number was not a published Microsoft Knowledge Base patch. This description (shown in Figure 6) appeared in the listing of installed programs within the Windows Control Panel on the compromised system.

Figure 6: Shim database as an installed application

Malicious Shim Database Details

During the investigations, Mandiant observed that FIN7 used a custom shim database to patch both the 32-bit and 64-bit versions of “services.exe” with their CARBANAK payload. This occurred when the “services.exe” process executed at startup. The shim database file contained shellcode for a first stage loader that obtained an additional shellcode payload stored in a registry key. The second stage shellcode launched the CARBANAK DLL (stored in a registry key), which spawned an instance of Service Host (“svchost.exe”) and injected itself into that process.  

Figure 7 shows a parsed shim database file that was leveraged by FIN7.

Figure 7: Parsed shim database file

For the first stage loader, the patch overwrote the “ScRegisterTCPEndpoint” function at relative virtual address (RVA) “0x0001407c” within the services.exe process with the malicious shellcode from the shim database file. 

The new “ScRegisterTCPEndpoint” function (shellcode) contained a reference to the path of “\REGISTRY\MACHINE\SOFTWARE\Microsoft\DRM”, which is a registry location where additional malicious shellcode and the CARBANAK DLL payload was stored on the system.

Figure 8 provides an excerpt of the parsed patch structure within the recovered shim database file.

Figure 8: Parsed patch structure from the shim database file

The shellcode stored within the registry path “HKLM\SOFTWARE\Microsoft\DRM” used the API function “RtlDecompressBuffer” to decompress the payload. It then slept for four minutes before calling the CARBANAK DLL payload's entry point on the system. Once loaded in memory, it created a new process named “svchost.exe” that contained the CARBANAK DLL. 

Bringing it Together

Figure 9 provides a high-level overview of a shim database being leveraged as a persistent mechanism for utilizing an in-memory patch, injecting shellcode into the 64-bit version of “services.exe”.

Figure 9: Shim database code injection process

Detection

Mandiant recommends the following to detect malicious application shimming in an environment:

  1. Monitor for new shim database files created in the default shim database directories of “C:\Windows\AppPatch\Custom” and “C:\Windows\AppPatch\Custom\Custom64”
  2. Monitor for registry key creation and/or modification events for the keys of “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom” and “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB”
  3. Monitor process execution events and command line arguments for malicious use of the “sdbinst.exe” utility 
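As an added example (not Mandiant's code and not part of the original write-up), the following PowerShell turns the three detection points above into a hunt that can be run on a single host: it enumerates the databases registered under AppCompatFlags\InstalledSDB, maps each to the executables it is applied to via AppCompatFlags\Custom, flags the combinations seen in the FIN7 incidents (a shim applied to services.exe, a "Microsoft KB..." description, a database file outside the default directories, or an .sdb file on disk that no registration accounts for), and lists sdbinst.exe process creations from the Security log. It assumes the value names sdbinst writes under InstalledSDB\{GUID} (DatabasePath, DatabaseDescription, DatabaseInstallTimeStamp) and the Custom\<exe name>\{GUID}.sdb layout as found on Windows 7 to 10, that the host audits process creation (event 4688) with command-line logging enabled, and an elevated session. Function names and the "Why" labels are mine; the "KB-style description" heuristic is a hint to verify against the Update Catalog, not proof of compromise.

```powershell
# Added example, not Mandiant's code: hunt for registered shim databases using
# the artefacts in the write-up (AppPatch\Custom files, AppCompatFlags registry
# keys, sdbinst.exe execution). Assumptions: registry value/layout as written by
# sdbinst on Windows 7-10; event 4688 with command-line auditing; run elevated.

$AppCompat = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'
$ShimDirs  = 'C:\Windows\AppPatch\Custom', 'C:\Windows\AppPatch\Custom\Custom64'

function Get-RegisteredShimDatabase {
    $installedKey = Join-Path $AppCompat 'InstalledSDB'
    if (-not (Test-Path $installedKey)) { return @() }

    # Custom\<exe name> carries one value per database GUID applied to that exe
    $targetsByGuid = @{}
    Get-ChildItem (Join-Path $AppCompat 'Custom') -ErrorAction SilentlyContinue | ForEach-Object {
        $exe = $_.PSChildName
        foreach ($valueName in $_.GetValueNames()) {
            $guid = $valueName -replace '\.sdb$', ''
            if ($targetsByGuid.ContainsKey($guid)) { $targetsByGuid[$guid] += $exe }
            else { $targetsByGuid[$guid] = @($exe) }
        }
    }

    foreach ($k in Get-ChildItem $installedKey) {
        $v = Get-ItemProperty $k.PSPath
        [pscustomobject]@{
            Guid        = $k.PSChildName
            Description = $v.DatabaseDescription
            Path        = $v.DatabasePath
            # DatabaseInstallTimeStamp is a FILETIME stored as a 64-bit integer
            InstalledAt = if ($v.DatabaseInstallTimeStamp) { [datetime]::FromFileTime([int64]$v.DatabaseInstallTimeStamp) } else { $null }
            Targets     = @($targetsByGuid[$k.PSChildName])
        }
    }
}

function Find-SuspiciousShim {
    $dbs = @(Get-RegisteredShimDatabase)

    foreach ($db in $dbs) {
        $why = @()
        # FIN7 shimmed services.exe; any shim on a core system binary deserves a look
        if ($db.Targets -contains 'services.exe') { $why += 'targets services.exe' }
        # "Microsoft KB2832077" matched no published KB; verify any KB-style description
        if ($db.Description -match '^Microsoft KB\d+') { $why += 'KB-style description' }
        # Registered database living outside the default AppPatch\Custom directories
        if ($db.Path -and @($ShimDirs | Where-Object { $db.Path -like "$_\*" }).Count -eq 0) {
            $why += 'path outside AppPatch\Custom'
        }
        if ($why) {
            [pscustomobject]@{ Guid = $db.Guid; Description = $db.Description; Path = $db.Path;
                               InstalledAt = $db.InstalledAt; Why = ($why -join '; ') }
        }
    }

    # .sdb files on disk that no InstalledSDB entry accounts for
    Get-ChildItem -Path $ShimDirs -Filter *.sdb -ErrorAction SilentlyContinue | ForEach-Object {
        if (-not ($dbs.Path -contains $_.FullName)) {
            [pscustomobject]@{ Guid = $_.BaseName; Description = $null; Path = $_.FullName;
                               InstalledAt = $_.CreationTime; Why = 'on disk but not in InstalledSDB' }
        }
    }
}

function Get-SdbinstExecution {
    # Security event 4688 (process creation); the command line is only present
    # when "Include command line in process creation events" is enabled
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'sdbinst\.exe' } |
        ForEach-Object {
            $cmd = ($_.Message -split "`r?`n" | Where-Object { $_ -match '^\s*Process Command Line:' }) -replace '^\s*Process Command Line:\s*', ''
            [pscustomobject]@{ Time = $_.TimeCreated; CommandLine = $cmd }
        }
}

Find-SuspiciousShim   | Format-Table -AutoSize
Get-SdbinstExecution  | Format-Table -AutoSize
```

On a clean host both tables are normally empty; vendor-installed shims do exist, so compare the Description and Path columns against a known-good build before escalating. Because the in-memory patch only takes effect when services.exe starts, the registration artefacts above survive a reboot and are the durable evidence, whereas the injected code in services.exe and the spawned svchost.exe only show up in memory analysis.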

Diving into the Issues: Observations from SOURCE and AtlSecCon

Last week I had the pleasure of presenting three times, at two conferences, in two different countries: SOURCE in Boston, MA and at the Atlantic Security Conference (AtlSecCon) in Halifax, NS, Canada.

The first event of my week was SOURCE Boston. This year marked the tenth anniversary of SOURCE Conference and it continues to pride itself on being one of the only venues that brings business, technology and security professionals together under one roof to focus on real-world, practical security solutions for some of today's toughest security issues. Though I was only there for the first day, I was able to catch up with friends, play some Hacker Movie Trivia with Paul Asadoorian (@securityweekly), and chat with attendees on some of the biggest challenges we face around detecting and mitigating ransomware attacks.

After my presentation, I rushed off to Logan Airport to sit in, on what I now choose to call, the “Air Canada Ghetto” – a small three gate departure area segregated from the rest of the airport and its amenities. A minor four hour delay later, I was on my way to Halifax for AtlSecCon.

Between meetings and casual conversations I was enlightened by several presentations. Raf Los (@Wh1t3Rabbit), managing director of solutions research & development at Optiv, presented Getting Off the Back Foot – Employing Active Defence, which described an outcome-oriented and capabilities-driven model for more effective enterprise security.

After his talk, Aunshul Rege (@prof_rege), an assistant professor with the Criminal Justice department at Temple University, gave a very interesting talk entitled Measuring Adversarial Behavior in Cyberattacks. With a background in criminology, Aunshul presented her research from observations and interviews conducted at the Industrial Control Systems Computer Emergency Response Team’s (ICS-CERT) Red/Blue cybersecurity training exercise held at Idaho National Laboratory. Specifically, she covered how adversaries might engage in research and planning, offer team support, manage conflict between group members, structure attack paths (intrusion chains), navigate disruptions to their attack paths, and how limited knowledge bases and self-induced mistakes can possibly impact adversaries.

The last presentation was Mark Nunnikhoven’s (@marknca) Is Your Security Team Set up To Fail? Mark, the VP of cloud research at Trend Micro and a personal friend, examined the current state of IT security programs and teams, delving into the structure, goals, and skills prioritized by the industry.

The second day of the conference was filled with meetings for me, but I was able to sit through Michael Joyce’s talk entitled A Cocktail Recipe for Improving Canadian Cybersecurity. Joyce described the goals and objectives of The Smart Cybersecurity Network (SERENE-RISC) – a federally funded, not-for-profit knowledge mobilization network created to improve the general public’s awareness of cybersecurity risks and to empower all to mitigate them through knowledge. He was an excellent presenter, and his talk served as a call to action for those looking to help communicate the need for cybersecurity to all Canadians.

At both conferences I presented my latest talk entitled The Not-So-Improbable Future of Ransomware which explored how thousands of years of human kidnap and ransom doctrine have served as a playbook for ransomware campaign operators to follow. It was well received by both audiences and sparked follow-up conversations and discussions throughout the week. The SOURCE version can be found here and the AtlSecCon version here.

The talk received some early praise from the SOURCE session, in addition to written pieces by Bill Brenner (@billbrenner70) from Sophos:

And Taylor Armerding (@tarmerding2) from CSO:

At AtlSecCon I joined a panel entitled Security Modelling Fundamentals: Should Security Teams Model a SOC Around Threats or Just Build Layers? Chaired by Tom Bain (@tmbainjr1), VP of marketing at CounterTack, the session served as a potpourri of security threats and trends ranging from ransomware, to regulation, to attack mitigation. It was quite fun and a great way to end the day.

Though it was a long series of flights home to the Bay Area I thoroughly enjoyed both conferences. I would highly recommend attending and/or speaking at both next year if you are provided with the opportunity.

Next up, (ISC)² CyberSecureGov 2017 in Washington, D.C. and the Rocky Mountain Information Security Conference (RMISC) in Denver, CO. Perhaps I’ll see some of our readers there!

The post Diving into the Issues: Observations from SOURCE and AtlSecCon appeared first on LEO Cyber Security.

China Publishes Final Measures for Security Reviews of Network Products and Services

On May 2, 2017, the Cyberspace Administration of China published the final version of the Measures for the Security Review of Network Products and Services (for trial implementation) (the “Measures”), after having published a draft for public comment in February. Pursuant to the Cybersecurity Law of China (the “Cybersecurity Law”), if an operator of key information infrastructure purchases a network product or service that may affect national security, a security review of that product or service is required. The Measures provide detailed information about how these security reviews will actually be implemented. The Measures will come into effect on June 1, 2017, together with the Cybersecurity Law. The Measures should not be confused with the final version of the draft Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data, which was published on April 11, 2017, and remains open for public comment.

Pursuant to the Measures, critical network products and services used in network and information systems relating to national security are subject to a network security review. Any network product or service purchased by operators of key information infrastructure will also be subject to a network security review, if such product or service might affect national security.

The Measures require that the security assessments focus on verifying that the products or services are “secure and controllable.” The Measures do not provide the precise requirements for finding that a product or service is “secure and controllable,” but indicate that the process for determining whether a product or service is “secure and controllable” will take the form of a risk assessment, which will focus on the following risks: (1) the risk in the product or service itself, and the risk that the product or service may be illegally controlled, interfered with or suspended; (2) the supply chain risks arising during the manufacturing, testing, delivery and technical support of the product or service; (3) the risk that the provider of the product or service may use it to illegally collect, store, process or use its users’ personal information; (4) the risk that the provider of the product or service may jeopardize cybersecurity or infringe upon the interests of users, by taking advantage of their reliance on the product or service; and (5) any other risks that may jeopardize national security.

The Cyberspace Administration of China will establish a network security review commission which will cooperate with experts and third-party institutions to evaluate the foregoing risks.

Hack Naked News #122 – May 2, 2017

Microsoft VB macro barriers have been penetrated, the website that doesn’t let you change your password, IBM flash drives have malware, and more. Jason Wood of Paladin Security joins us to deliver expert commentary on NATO’s cyberwar games on this episode of Hack Naked News!

Full Show Notes: http://wiki.securityweekly.com/wiki/index.php/HNNEpisode122

Visit http://www.securityweekly.com for all the latest episodes!

Enterprise Security Weekly #42 – Patents Like Candy

Paul, John, and Michael discuss building a bug bounty program. In the news, LockPath and SailPoint join forces, Skyhigh Networks announces a cloud security partnership, Acalvio is building deception farms, and more in this episode of Enterprise Security Weekly!

Full Show Notes: http://wiki.securityweekly.com/wiki/index.php/ES_Episode42

Visit http://www.securityweekly.com for all the latest episodes!

Startup Security Weekly #37 – Speaking the Startup Language

Mike Simon of Cryptonite NTX joins us. In the news, how to drive maximum performance in your business, 6 reasons your small business will fail, how McAfee is securing its future, and how well do you know the language of startups?

Full Show Notes: http://wiki.securityweekly.com/wiki/index.php/SSWEpisode37

Visit http://www.securityweekly.com for all the latest episodes!

Wireless Provider Reaches $2.5 Million Settlement with OCR

On April 24, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that it had entered into a resolution agreement with CardioNet, Inc. (“CardioNet”) stemming from gaps in policies and procedures uncovered after CardioNet reported breaches of unsecured electronic protected health information (“ePHI”). CardioNet provides patients with an ambulatory cardiac monitoring service, and the settlement is OCR’s first with a wireless health services provider.

In early 2012, CardioNet submitted two breach notifications to OCR, one of which was prompted by the theft of a laptop from an employee’s parked vehicle outside of the employee’s home. During its subsequent investigation, OCR determined that CardioNet did not have an adequate risk analysis or risk management plan in place at the time of the theft, and that certain CardioNet policies and procedures addressing HIPAA Security Rule requirements existed only in draft form, having never been implemented. Additionally, CardioNet failed to produce any final policies and procedures regarding the implementation of safeguards for ePHI.

The resolution agreement required CardioNet to pay $2.5 million and enter into a corrective action plan (the “CAP”), which obligates CardioNet to:

  • conduct a risk analysis;
  • develop and implement a risk management plan;
  • implement secure device and media controls;
  • certify that all laptops, flash drives, SD cards and other portable media devices are encrypted; and
  • review and revise its training program for the Security Rule.

In addition to the above, the CAP requires CardioNet to report to OCR if it determines that a member of its workforce has failed to comply with its Security Rule policies and procedures (including corrective actions taken) and to submit reports on its compliance with the CAP to OCR.

OCR Director Roger Severino stated that “[m]obile devices in the health care sector remain particularly vulnerable to theft and loss” and that “[f]ailure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk.”

Network monitoring tools: Features users love and hate

Managing the health of the corporate network will directly affect the productivity of every user of that network. So network administrators need a robust network monitoring tool that helps them manage the network, identify problems before they cause downtime, and quickly resolve issues when something goes wrong.

Five of the top network monitoring products on the market, according to users in the IT Central Station community, are CA Unified Infrastructure Management, SevOne, Microsoft System Center Operations Manager (SCOM), SolarWinds Network Performance Monitor (NPM), and CA Spectrum.
