Monthly Archives: November 2017

Understanding the GDPR

The European Union’s Parliament approved and adopted the General Data Protection Regulation (GDPR) in April 2016. The regulation takes effect after a two-year transitional period, meaning it will be fully enforced from May 25, 2018. From that date, non-compliant organizations will face hefty fines. The fines are tiered; at the maximum, an organization can be charged 4% of annual global turnover or 20 million euros ($23,554,200).

The GDPR applies to all organizations that process and hold the personal information of EU residents, regardless of the company’s location. In other words, the regulation covers all organizations located within the EU, as well as organizations located outside the EU that offer goods or services to, or observe the behavior of, EU citizens. The rules apply to both controllers and processors of information, meaning that the cloud and other technologies are not exempt from the GDPR.

If information can be used to identify a person, directly or indirectly, it is protected under the GDPR. This includes, but is not limited to, names, email addresses, financial data, medical data, and computer IP addresses.

Steps to take to prepare for the GDPR:

  1. Perform a compliance audit against the GDPR legal framework to identify where gaps exist, then work to remediate these shortcomings.
  2. Classify the personal data your organization possesses that is protected by the GDPR and implement the appropriate security measures. This includes understanding what information you have, where it came from, who it is shared with, and who has access to it.
  3. Appoint a data protection officer for your organization.
  4. Document all processes and keep a record for the Data Protection Association (DPA) in each country in which your organization conducts business.
  5. Make sure the appropriate contracts are in place to protect your organization and ensure that the businesses you engage with are employing the same security measures.

Infringements of the GDPR include:

  • Not having sufficient customer consent to process personal information.
  • Not having records in order.
  • Violating the “Privacy by Design” and “Privacy by Default” concepts.
  • Failing to notify the data subject and the supervising authority about a breach or incident.
  • Not conducting an impact assessment.

Altogether, the GDPR is the most important change to data privacy regulations in decades. It is intended to make organizations more secure and more accountable to their data subjects at every stage of their interactions. For further questions, or for help implementing GDPR standards in your organization, please CONTACT US.

UK: NHS TO LAUNCH £20M CYBER SECURITY OPERATIONS CENTER

In recent years, most developed countries have been investing significantly in cyber defence and attack capabilities. The NHS is now spending £20m to set up a security operations centre that will oversee the health service's digital defences.

Among other things, the NHS will employ "ethical hackers" to look for weaknesses in health computer networks rather than just react to breaches. Such hackers use the same tactics seen in cyber-attacks to help organisations spot weak points.

--------------------------
UPDATES: The UK's Information Commissioner's Office states that organisations must take "appropriate" security measures to protect personal data and consider notifying the individuals concerned if there is a breach.
--------------------------

In May, one-third of UK health trusts were hit by the WannaCry worm, which demanded cash to unlock infected PCs.

In a statement, Dan Taylor, head of the data security centre at NHS Digital, said the centre would create and run a "near-real-time monitoring and alerting service that covers the whole health and care system".


The centre would also help the NHS improve its "ability to anticipate future vulnerabilities while supporting health and care in remediating current known threats", he said.

And operations centre guidance would complement the existing teams the NHS used to defend itself against cyber-threats.

NHS Digital, the IT arm of the health service, has issued an invitation to tender to find a partner to help run the project and advise it about the mix of expertise it required.

Kevin Beaumont, a security vulnerability manager, welcomed the plan to set up the centre. "This is a really positive move," he said.

Many private sector organisations already have similar central teams that use threat intelligence and analysis to keep networks secure.

"Having a function like this is essential in modern-day organisations," Mr Beaumont said.

"In an event like WannaCry, the centre could help hospitals know where they are getting infected from in real time, which was a big issue at the time; organisations were unsure how they were being infected."

In October, the UK's National Audit Office said NHS trusts had been caught out by the WannaCry worm because they had failed to follow recommended cyber-security policies.


The NAO report said NHS trusts had not acted on critical alerts from NHS Digital or on warnings from 2014 that had urged users to patch or migrate away from vulnerable older software.

Why the government isn’t a fan of commercial encryption

Federal governments and major technology firms are arguing for or against encryption, respectively. But why?

Due to recent political turmoil and devastating events overseas, the topic of end-to-end encryption has reentered public discussion. At the center of the debate, you have federal governments and major technology firms, each arguing for or against encryption.

Unprotecting VBS Password Protected Office Files

Hi folks,
today I'd like to share a nice trick to unprotect password protected VB scripts embedded in Office files. Nowadays it is easy to find malicious content wrapped inside OLE files, since that file format has the capability to link objects into documents and vice versa. An object can be a simple external link, a document itself, or a more complex script (such as Visual Basic Script), and it can easily interact with the original document (the container) in order to change contents and values.

Attackers frequently use embedded VB Scripts to perform malicious actions such as (but not limited to) payload downloading, landing steps, environment preparation and payload execution. The technique needs "the user's agreement" before execution takes place, but once the user has allowed the linked code to run on the machine (see the following image), the VB script is free to download content from a malicious website and later execute it on the victim machine.

Enable "Scripting" Content

Cyber security analysts often need to read the "raw code" by opening it and digging into obfuscation and anti-analysis techniques in order to figure out what it really does. Indeed, contemporary malware uses evasive techniques that make simple sandbox execution useless, and advanced attackers are smart enough to lock the VB code behind complex, strong passwords. Those techniques make "raw code analysis" hard if the unlocking password is unknown. But again, a cyber security analyst really needs to open the document and dig into the "raw code" in order to defend victims. How would I approach this problem?

Here is a simple method to help cyber security analysts bypass password protected VB Scripts (NB: this is a well known technique).

Let's suppose you have an Excel file containing Visual Basic code, and you want to read the password protected VB Script. Let's call this first Excel file: victim_file.

As a first step you need to open the victim_file. After opening it, create an additional Excel file. Let's call it: injector_file.xlsm. Open the VB editor and add the following code into Module1.




Now create a new module, Module2, with the following code. It represents the "calling function". Run it and don't close it.



It's time to go back to your original victim_file. Open the VB Editor and: here we go! Your code is in plain clear text!

At that point you are probably wondering how this code works. So let's have a quick and dirty explanation. When the VBProject is opened, it displays a dialog box asking for a password (a String). The WinAPI then checks whether the input string equals the encoded static string (stored in the file body, not the code body) and returns "True" (if the strings are equal) or "False" (if they are not). The function Hook() overrides the return value of User32.dll DialogBoxParamA, making it always return "True".

Technically speaking (line numbers refer to the Module1 listing above):
  • Line 45 saves the original "call" (User32.dll DialogBoxParamA) parameters into TmpBytes
  • If the password is correct, TmpBytes(0) gets the right pointer to the current process
  • If the password is not correct, the script saves the original bytes into OriginalBytes (length 6)
  • Line 50 takes the address of MwDialogBoxProgram
  • Line 52 forces the right handler
  • Line 53 saves the current value
  • Line 54 forces the return parameter to True
  • Line 56 moves the just-crafted parameters into the right location inside user32.dll
Have a nice VBA password un-protection :D
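The "encoded static string" that the password check compares against is the DPB= field of the VBA PROJECT stream, which is obfuscated with the MS-OVBA 2.4.3 byte chain rather than encrypted. The Python below is an added example, not code from the original post: it decodes that field and reports only whether a project is unprotected, hash-protected or (legacy) plaintext-protected, a useful triage flag for inbound documents. The chain and record layout are written from my recollection of the public spec, and the samples are constructed, so treat spec fidelity as an assumption.

```python
import re

# MS-OVBA 2.4.3 obfuscation of PROJECT-stream fields (CMG/DPB/GC), written from
# memory of the public spec (assumption). ProjKey is derived from the ID= line in
# real files, but a decoder recovers it from the 3-byte header, so samples pass it in.

def _xor_chain(body: bytes, seed: int, proj_key: int, decrypt: bool) -> bytes:
    """Each byte is XORed with (encrypted byte two back + last plaintext byte) mod 256."""
    unenc1, enc1, enc2 = proj_key, seed ^ proj_key, seed ^ 2   # initial chain state
    out = bytearray()
    for b in body:
        key = (enc2 + unenc1) & 0xFF
        plain, cipher = (b ^ key, b) if decrypt else (b, b ^ key)
        out.append(plain if decrypt else cipher)
        enc2, enc1, unenc1 = enc1, cipher, plain
    return bytes(out)

def encode_field(data: bytes, seed: int, proj_key: int) -> str:
    """Build a DPB-style hex field; used here only to construct test samples."""
    header = bytes([seed, seed ^ 2, seed ^ proj_key])   # Seed, VersionEnc, ProjKeyEnc
    filler = bytes((seed & 6) >> 1)                     # spec: ignored bytes; zeros here
    body = filler + len(data).to_bytes(4, "little") + data
    return (header + _xor_chain(body, seed, proj_key, False)).hex().upper()

def decode_field(hexfield: str) -> bytes:
    blob = bytes.fromhex(hexfield)
    seed, version_enc, proj_key_enc = blob[0], blob[1], blob[2]
    if seed ^ version_enc != 2:
        raise ValueError("unexpected encryption version")
    plain = _xor_chain(blob[3:], seed, seed ^ proj_key_enc, True)
    skip = (seed & 6) >> 1
    length = int.from_bytes(plain[skip:skip + 4], "little")
    return plain[skip + 4:skip + 4 + length]

def password_state(project_stream: str) -> str:
    """'none', 'hash' (0xFF + grbits + salt + SHA-1), 'plain' (legacy) or 'missing'.
    Deliberately never returns the decoded value itself."""
    m = re.search(r'^DPB="([0-9A-Fa-f]+)"', project_stream, re.M)
    if not m:
        return "missing"
    rec = decode_field(m.group(1))
    if rec == b"\x00":
        return "none"
    if rec[:1] == b"\xff" and len(rec) == 34 and rec[-1:] == b"\x00":
        return "hash"
    return "plain"

# Constructed samples (not from any real document): a 34-byte PasswordHash record
# with dummy salt/hash, and an unprotected project.
_HASH_REC = b"\xff" + bytes(8) + b"\x11\x22\x33\x44" + bytes(range(20)) + b"\x00"
SAMPLE_LOCKED = 'ID="{00000000-0000-0000-0000-000000000000}"\nDPB="%s"\n' % encode_field(_HASH_REC, 0x5A, 0x33)
SAMPLE_OPEN = 'Name="VBAProject"\nDPB="%s"\n' % encode_field(b"\x00", 0x7F, 0x10)

if __name__ == "__main__":
    print(password_state(SAMPLE_LOCKED), password_state(SAMPLE_OPEN))   # hash none
```

On a real file the PROJECT stream is read out of the OLE container (for example with olefile) and passed to password_state(); the function only classifies, it does not unlock anything.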

Disclaimer:
This is a well-known method: it is not new.
I wrote it down since it is useful for cyber security analysts fighting against Office macro malware. Don't use it unlawfully.
Do not use it to break legal documents.
I am not assuming any responsibility about the usage of such a script.
It works on my machine :D and I will not try to get it working on yours :D (programming horror humor)

Holiday Security Best Practices

The fourth (holiday) quarter is the most critical revenue driver for retail businesses, as consumers purchase gifts for their family and friends. However, the increased spending and transfers of personally identifiable information provide an ideal opportunity for an attacker to steal user credentials, payment information, and consumer goods.

Whether you are traveling, using your mobile device, or shopping in-store, COMPASS recommends that you take the following precautions to protect your sensitive information this holiday season:

  • Create an email address specifically for any shopping sites to limit the likelihood of your information being compromised if one of your online retailers experiences a data breach.
  • Be wary of apps that impersonate well-known retailers. Red flags to look out for are misspelled words in the description and recent creation dates.
  • Do not use untrusted or unknown Wi-Fi hotspots, especially to make online purchases.
  • Make sure the websites you are on are secure. Look for HTTPS rather than HTTP in the address bar.
  • Designate a single card for all credit transactions so you can monitor it for suspicious activity.

For more holiday security best practices, download our Holiday Security Guide and follow the tips in the upcoming weeks to protect your information from being compromised.

TEDxMilano: What a great adventure !

Hi folks,
today I want to share my "output" from a super nice adventure I had this year, which led me to take part in TEDxMilano. It is definitely one of the most exciting stages I have been on so far.

My usual readers would probably think: "Hey man, you are a technical person, you should take part in DefCON, Black Hat, NullCon, ShmooCon, Toorcon and many more technical conferences like these, where you have the opportunity to show reverse engineering techniques, new vulnerabilities or new attack paths. I won't see you at a TEDx conference!"

Well, actually I have taken part in a lot of such conferences (just take a look at "Selected Publications" at the top of this page), but you know what? Cyber security is a hybrid world where technologies meet people, where the most sophisticated evasion techniques meet human irrationality, and where a simple "click" can make the difference between "level up" and "game over". So I believe that being able to communicate such a complex world to non-technical people is a great way to contribute to the security of our digital era. If you agree (and you know Italian), please have a look! I would appreciate it.




“As long as a human being is the one profiting from an attack, only a human being will be able to combat it.” This is how we can define Marco Ramilli’s essence, a computer engineer and an expert in hacking, penetration testing, and cyber security. Marco obtained a degree in Computer Engineering and, while working on a Ph.D. in Information Security, served the security division of the U.S. Government’s National Institute of Standards and Technology, where he conducted research on Malware Evasion and Penetration Testing techniques for the electronic voting system. In 2014 he founded Yoroi, a startup that has created one of the best cyber security defense centers he ever developed. This talk was given at a TEDx event using the TED conference format but independently organized by a local community.

GROWTH IN ICT USE INCREASES CYBERCRIME

Many countries have continued to invest in the ICT sector to simplify various services for their societies, including communications, health services, finance and even transport, where ICT is now used far more extensively than in past years.

---------------------
UPDATE: Apple has addressed a glitch that caused some iPhones to unexpectedly start auto-correcting the letter "i" to a capital "A" and a question mark.
--------------------

The arrival of what is known as the “Internet of Things (IoT)”, where essentially everything will be connected to the network, is driving continued growth in cybercrime, whose damage is expected to be far greater than what we have been used to.

During 2016/2017 we have witnessed several cybercrime incidents in which many countries suffered heavy losses from cyber-attacks.

--------------------
NEWS UPDATE: A group of researchers and private industry experts, along with DHS officials, remotely hacked a Boeing 757 airplane owned by the DHS that was parked at the airport in Atlantic City, New Jersey.
--------------------


The expectation is that in 2018 cyber-attacks will have an even greater impact, because so many more things will be connected to the network.

Speaking at the recently concluded meetings of ICT leaders, I outlined various cyber-attacks across the financial, education and health sectors, various governments and even transport, where vehicles such as “Jeep” and “Volkswagen” are among the biggest victims of cybercrime.

I also outlined the key points we agreed on earlier this year and included in our publications on how to deal with the various types of incidents that occurred most frequently during 2016 – 2017.

--------------------
ALERT: Europol boss Rob Wainwright has warned that ransomware attacks now number as many as 4000 per day, with cybercrime operations large and sophisticated enough to threaten critical infrastructure.
--------------------