Monthly Archives: July 2018

Defining Counterintelligence

I've written about counterintelligence (CI) before, but I realized today that some of my writing, and the writing of others, may be confused as to exactly what CI means.

The authoritative place to find an American definition for CI is the United States National Counterintelligence and Security Center. I am more familiar with the old name of this organization, the Office of the National Counterintelligence Executive (ONCIX).

The 2016 National Counterintelligence Strategy cites Executive Order 12333 (as amended) for its definition of CI:

Counterintelligence – Information gathered and activities conducted to identify, deceive, exploit, disrupt, or protect against espionage, other intelligence activities, sabotage, or assassinations conducted for or on behalf of foreign powers, organizations, or persons, or their agents, or international terrorist organizations or activities. (emphasis added)

The strict interpretation of this definition is countering foreign nation state intelligence activities, such as those conducted by China's Ministry of State Security (MSS), the Foreign Intelligence Service of the Russian Federation (SVR RF), Iran's Ministry of Intelligence, or the military intelligence services of those countries and others.

In other words, counterintelligence is countering foreign intelligence. The focus is on the party doing the bad things, and less on what the bad thing is.

The definition, however, is loose enough to encompass others; "organizations," "persons," and "international terrorist organizations" are in scope, according to the definition. This is just about everyone, although criminals are explicitly not mentioned.

The definition is also slightly unbounded by moving beyond "espionage, or other intelligence activities," to include "sabotage, or assassinations." In those cases, the assumption is that foreign intelligence agencies and their proxies are the parties likely to be conducting sabotage or assassinations. In the course of their CI work, paying attention to foreign intelligence agents, the CI team may encounter plans for activities beyond collection.

The bottom line for this post is a cautionary message. It's not appropriate to call all intelligence activities "counterintelligence." It's more appropriate to call countering adversary intelligence activities counterintelligence.

You may use similar or the same approaches as counterintelligence agents when performing your cyber threat intelligence function. For example, you may recruit a source inside a carding forum, or you may plant your own source in a carding forum. This is similar to turning a foreign intelligence agent, or inserting your own agent in a foreign intelligence service. However, activities directed against a carding forum are not counterintelligence. Activities directed against a foreign intelligence service are counterintelligence.

The nature and target of your intelligence activities are what determine whether they are counterintelligence, not necessarily the methods you use. Again, this is in keeping with the stricter definition, and avoids becoming a victim of scope creep.


Beware Of Crypto Risks – 10 Risks To Watch

With bitcoin's meteoric rise in 2017, moving from $1,000 at the beginning of the year to $20,000 by the end of the year, investor, regulatory and entrepreneurial interest in cryptocurrencies has peaked. Knowing the potential risks in this market can improve outcomes and broaden adoption.

U.S. SENATORS URGE FTC TO INVESTIGATE SMART TV PRIVACY CONCERNS



IN BRIEF: Two US senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) have sent a letter to the Federal Trade Commission (FTC) requesting the agency to investigate smart TV makers amid fears and evidence that companies might be using devices to collect data and track users without their knowledge.

----------------------------------------------------

The open letter states that while smart TV advancements have "ushered in a new era of innovation and interactivity," they must not come at the expense of consumer privacy. "Televisions have entered a new era, but that does not mean that users' sensitive information no longer deserves protection," the senators said. "The content consumers watch is private, and it should not be assumed that customers want companies to track and use information on their viewing habits."

They said that any company that collects this type of information should have to "comprehensively and concisely detail who will have access to that data, how that data will be used and what steps will be taken to protect that information," and added that consumers should have the opportunity to consent to that sort of data collection.

Senators Edward Markey and Richard Blumenthal
TO JUSTIFY THEIR ALARMING LETTER.

The two senators cited a recent New York Times report about Samba TV, a vendor of smart TVs. According to the report, while Samba tells users and lets them decide whether to enable data collection for analytics purposes, it does not inform customers of the real depth of the collected data, which includes much more information than users believe they are agreeing to.

Recent reports suggest that Samba TV, one of the largest companies tracking smart TV users' viewing behavior, offers consumers the opportunity to enable their tracking service, but does not provide sufficient information about its privacy practices to ensure users can make truly informed decisions.

Reports also suggest that smart TVs can identify users' political affiliations based on whether they watch conservative or liberal media outlets. Regrettably, smart TV users may not be aware of the extent to which their televisions are collecting sensitive information about their viewing habits.

The two senators also noted that the FTC has taken action on this before, investigating Vizio for collecting viewing data on 11 million smart TVs without consumers' knowledge. Last year, the company settled with both the FTC and the New Jersey Attorney General, agreeing to pay $2.2 million in penalties and to delete the data it had collected.

Another case, which was not cited by the two senators in their letter, is South Korean company Samsung. In February 2016, an EFF researcher spotted a change in the company's terms of service that warned customers not to speak personal information out loud near their smart TV because there was a danger the voice recognition feature would pick it up, send it, and store it on Samsung's servers.

Based on these previously documented cases, the two senators are now asking the FTC to start an industry-wide investigation into the data collection practices of smart TV vendors and get the ball rolling on privacy-boosting regulation for a sector they believe has been allowed to infringe on users' privacy rights.

"Regrettably, smart TV users may not be aware of the extent to which their televisions are collecting sensitive information about their viewing habits," write Senators Markey and Blumenthal. "Televisions have entered a new era, but that does not mean that users' sensitive information no longer deserves protection."


IS THIS THING NEW?


There’s nothing new about smart TV spying.

2012: Zero-day vulnerabilities in Samsung Smart TVs were exposed at the end of 2012; if exploited, attackers could gain control of the webcam and microphone.

2013: Smart TVs were called the perfect target for spying on users back in 2013 – the same year as a Black Hat presentation about hacking Samsung Smart TVs. It was not just exploits that allowed for spying, either, as a scandal erupted about LG Smart TV spying in 2013.

2014: Philips TVs were affected as well; I wrote an article that can be read HERE, showing how hackers could play around with Philips TVs and how an individual can mitigate the problem.

2015: Samsung took heat in 2015 for its privacy policy and its use of voice recognition – being able to record and listen in on what users were saying. It later came to light that the CIA had a Weeping Angel attack against Samsung Smart TVs back in 2014, making it possible to record conversations and send them back to a covert CIA server.
Also, in 2015, thanks to Smart Interactivity, Vizio was busy tracking what 10 million smart TV owners were watching and then selling that data to advertisers. Vizio was full of denials, but the FTC slapped Vizio for this. And in 2017, Vizio agreed to pay $2.2 million to settle charges by the FTC.

FACTS – SMART TV USER TRACKING IS REALITY

Many internet-connected smart TVs are equipped with sophisticated technologies that can track the content users are watching and then use that information to tailor and deliver targeted advertisements to consumers. By identifying the broadcast and cable shows, video games, over-the-top content like Netflix, and other applications that users are viewing, smart TVs can compile detailed profiles about users' preferences and characteristics.



Blumenthal and Markey have also recently pressed both Facebook and Google on their data policies. They have both also sought greater FTC oversight of Facebook following the Cambridge Analytica scandal.



AfICTA Board members, during its 5th Board Meeting on June 6, 2018, unanimously approved the proposal submitted by one of its stakeholders, the Computer Society of Kenya (CSK), to host the 6th Annual Summit in Mombasa, Kenya from October 8 - 9, 2018.

This important event was first hosted in Lagos, Nigeria in 2013. The Egyptian ICT industry association and the government of Egypt hosted the second edition in 2014. The third edition took place in Johannesburg. The 4th edition was hosted by the ICT Professionals Association of Namibia with the support of the Namibian Ministry of ICT, and last year the 5th edition was held in Nigeria by the ADD Consortium. Further details coming soon.


TAKE NOTE: Cybercriminals consider small businesses a "target of choice," and a vast number of owners may be leaving their websites and companies unnecessarily vulnerable to attack, a new report suggests. Training employees on sound cybersecurity practices is an integral part of protecting a business.

In a recent survey of 250 website owners, cloud-based security firm SiteLock found that 59 percent are responsible for their own website upkeep but only 41 percent update website applications at least once a month. Experts consider software updates vital to protecting computer systems.

Among other survey findings: Of owners who had experienced a security incident, 24 percent reported that it damaged their business reputation while more than 35 percent reported that it endangered their bottom line.

This may leave businesses with websites vulnerable to a variety of cyberattacks. It also raises the question: what other cybersecurity vulnerabilities are being left exposed? All too often, one of the weak links in the cybersecurity chain for corporations is employee awareness.



Microsoft Updates Microsoft 365 With Free Teams, Workspace Analytics, AI Enhancements And Nudges

Microsoft surprised everyone with just how quickly it pivoted from on-prem-only solutions to cloud and mobile with a sprinkling of AI. The new wrapper for all this Microsoft goodness is called “Microsoft 365”. Here’s my rundown of the new capabilities coming to Microsoft 365 on the eve of Ignite.

Coping With Big Data And Big Influence

As businesses and governments hoard personal data and leverage technologies to know and predict your every move, how can people cope with the age of big data and big influence? Privacy, cybersecurity regulation and the occasional tech reprieve can help make a difference.

A Trillion $ Cyber Security Question for Microsoft and CISOs Worldwide

Folks,

Today, to give a hint toward the answer to this one question, I asked possibly the most important cyber security question in the world, one that directly impacts the foundational security of 1000s of organizations worldwide, and thus one that impacts the financial security of billions of people worldwide -


What's the World's Most Important Active Directory Security Capability?




Those who don't know why this is the world's most important cyber security question may want to connect one, two and three.

I sincerely hope that someone (anyone) at Microsoft, or that some CISO (any ONE) out there, will answer this ONE question.

Best wishes,
Sanjay.

Happy 4th of July!

Folks,

Here's wishing you all a very Happy Fourth of July!  Hope you have a great one!


I was supposed to answer a certain question today, but I decided to take the day off, so I'll answer it in days to come.

Best wishes,
Sanjay.

Mimikatz DCSync Mitigation

Folks,

A few days ago I asked a (seemingly) very simple question; no, I'm not referring to this one, I'm referring to this one here -

Can Anyone (i.e. any Cyber Security Company or Expert) Help Thousands of Microsoft's Customers MITIGATE the Risk Posed by Mimikatz DCSync?

Here's why I did so - While there's a lot of info out there on the WWW about how to use Mimikatz DCSync, and/or how to detect its use, there isn't one other* single correct piece of guidance out there on how to mitigate the risk posed by Mimikatz DCSync.

So, as promised, today I am (literally) going to show you exactly how thousands of organizations worldwide can now easily and demonstrably actually mitigate the very serious cyber security risk posed to their foundational security by Mimikatz DCSync.


In light of what I've shared below, organizations worldwide can now easily mitigate the serious risk posed by Mimikatz DCSync.




First, A Quick Overview

For those who may not know, and there are millions who don't, there are three quick things to know about Mimikatz DCSync.


Mimikatz DCSync, a Windows security tool, is the creation of the brilliant technical expertise of Mr. Benjamin Delpy, whose work over the years has very likely (caused Microsoft a lot of pain ;-) but/and) helped substantially enhance Windows Security.

Mimikatz DCSync targets an organization's foundational Active Directory domains, and instantly gives any attacker who has sufficient privileges to be able to replicate sensitive content from Active Directory, access to literally everyone's credentials!

Thus far, the only guidance out there is on how to DETECT its use, but this is one of those situations wherein if you're having to rely on detection as a security measure, then it's unfortunately already TOO late, because the damage has already been done.



Detection Is Hardly Sufficient

They say a picture's worth a thousand words, so perhaps I'll paint a picture for you. Relying on detection as a security measure against Mimikatz DCSync is akin to this -

[Image: Castle Romeo nuclear test]

Let's say a nuclear weapon just detonated in a city, and the moment it did, detection sensors alerted the city officials about the detonation. Well, within the few seconds in which they received the alert, the whole city would've already been obliterated, i.e. by the time you get the alert, literally everyone's credentials (including those of all privileged users) would've already been compromised!

Make no mistake about it - a single successful use of Mimikatz DCSync against an organization's foundational Active Directory domain is tantamount to a complete forest-wide compromise, and should be considered a massive organizational cyber security breach, the only way to recover from which is to completely rebuild the entire Active Directory forest from the ground up!

This is why detection is grossly insufficient as a security measure, and what organizations need is the ability to prevent the use of Mimikatz DCSync against their foundational Active Directory domains; thus the ability to mitigate this risk is paramount.



How to Mitigate Mimikatz DCSync

The key to mitigating this risk lies in identifying what it technically takes to be able to successfully use Mimikatz DCSync.

Specifically, if you know exactly what privileges an attacker needs to be able to successfully use Mimikatz DCSync against your Active Directory domain, then by ensuring that only highly-trustworthy, authorized individuals (and not a single other individual) actually currently possess those required privileges in your IT infrastructure, you can easily mitigate this risk.


Technically speaking, all that an attacker needs to successfully use Mimikatz DCSync is sufficient Get Replication Changes All effective permissions on the domain root object of an Active Directory domain, so all that organizations need to do is accurately identify exactly who has these effective permissions on the domain root object of each of their Active Directory domains.

While by default only the default administrative Active Directory security groups are granted this permission, most Active Directory deployments have been around for years and have likely gone through a substantial amount of access provisioning. As a result, in most Active Directory deployments, many more individuals than merely the members of the default AD admin groups may have this highly sensitive effective permission granted to them, either directly or via group membership, some of which may be direct, whilst others may be via nested group memberships, resulting in a potentially large and unknown attack surface today.

Now, it is paramount to understand ONE subtle but profound difference here - it is NOT who has what permissions on the domain root that matters, but who has what effective permissions on the domain root that matters, and this difference could be the difference between a $100 B organization being completely compromised or being completely protected from compromise.
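As an added example that is not the author's tooling or guidance, the following PowerShell (assuming the ActiveDirectory module on a domain-joined host) inventories who holds the replication extended rights on the domain root, expanding nested groups so that principals granted the right only through group chains show up next to those granted it directly. It only evaluates Allow ACEs, so treat its output as a list to review rather than a full effective-permissions calculation.

```powershell
# Added audit example (not the author's tooling): list who can exercise the
# replication extended rights on the domain root, expanding nested group
# membership so the report shows effective holders, not just ACE principals.
# Limitation: Allow ACEs only (Deny ACEs are not evaluated), so this is an
# inventory to review, not a proof that nobody else holds the right.
Import-Module ActiveDirectory

# Well-known controlAccessRight GUIDs for the DCSync-relevant extended rights.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-DomainRootReplicationHolders {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $root = (Get-ADDomain -Identity $Domain).DistinguishedName
    $acl  = Get-Acl -Path "AD:\$root"
    $all  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $ext  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # An ACE grants a replication right if it names that right's GUID, or if it
        # is GenericAll / an unscoped ExtendedRight (empty GUID = every extended right).
        $named   = $ReplicationRights[$ace.ObjectType.ToString()]
        $blanket = $ace.ActiveDirectoryRights.HasFlag($all) -or
                   ($ace.ActiveDirectoryRights.HasFlag($ext) -and $ace.ObjectType -eq [guid]::Empty)
        if (-not ($named -or $blanket)) { continue }
        $right = if ($named) { $named } else { 'All extended rights (GenericAll/unscoped)' }

        # Expand the ACE principal: a group becomes its recursive user membership.
        $sid     = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        $members = @()
        try {
            $group   = Get-ADGroup -Identity $sid.Value -ErrorAction Stop
            $members = Get-ADGroupMember -Identity $group -Recursive |
                       Where-Object objectClass -eq 'user' |
                       Select-Object -ExpandProperty SamAccountName
        } catch {
            # Not a group (a user, computer or well-known SID such as S-1-5-9): report as-is.
            $members = @($ace.IdentityReference.Value)
        }
        foreach ($m in $members) {
            [pscustomobject]@{
                Principal = $m
                Via       = $ace.IdentityReference.Value
                Right     = $right
                Inherited = $ace.IsInherited
            }
        }
    }
}

# One row per (user, granting ACE); group by Principal to see each user's effective set.
Get-DomainRootReplicationHolders | Sort-Object Principal, Right | Format-Table -AutoSize
```

Every row whose Principal is not one of the intended, highly trusted administrators is a candidate for removal from the group named in the Via column or for revocation of the ACE itself.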



The Key - Active Directory Effective Permissions

If you've followed what I've shared above, then you'll agree and understand that the key to being able to successfully mitigate the serious risk posed by Mimikatz DCSync lies in being able to accurately determine effective permissions in Active Directory.



In fact Effective Permissions are so important, essential and fundamental to Windows and Active Directory Security, that of the four tabs in all of Microsoft's Active Directory Management Tooling, one entire tab is dedicated to Effective Permissions.

Unfortunately, it turns out that not only is Microsoft's native Effective Permissions Tab not always accurate, it is substantially inadequate. While I could elaborate on that, I'd rather let you come to the same conclusion yourself: this ONE glaring inadequacy will be self-evident the moment you attempt to use it to find out exactly whom, amongst the thousands of domain user account holders in your Active Directory domain(s), actually has the required effective permissions. In fact, the same is true of all tools/scripts that involve the use of Microsoft's APIs to do so, such as this dangerously inaccurate free tool.

Fortunately, in a world whose population is 7,000,000,000+ today, thanks to one (1) inconsequential individual, there's hope...



Finally, How to Easily and Reliably Mitigate the Risk Posed by Mimikatz DCSync

Here's a very short (and perhaps boring but insightful) video on how organizations worldwide can reliably mitigate this risk -


Note: This is NOT intended to demonstrate our unique tooling. It is solely intended to show what it takes to mitigate this serious risk. We have no particular interest in licensing our unique tooling to anyone. As such, over the years, we have NEVER, not once, pitched our tooling to anyone; we've had almost 10,000 organizations worldwide knock at our doors completely unsolicited, so I hope that makes this point unequivocally.

Thus, as seen in the short video above, with the right guidance (knowledge) and capability (tooling), organizations worldwide can now easily and reliably mitigate the serious cyber security risk posed by Mimikatz DCSync to their foundational security.

Complete, illustrated, step-by-step details on how to easily and correctly mitigate Mimikatz DCSync can now be found here.


I'll say this one last time - a single successful use of Mimikatz DCSync against an organization's foundational Active Directory is tantamount to a forest-wide compromise and constitutes a massive cyber security breach, which is why mitigation is paramount.

Best wishes,
Sanjay


PS: *Here are 4 posts I've previously penned on Mimikatz DCSync - a summary, technical details, a scenario and the question.

PS2: In days to come, I'll answer this question too.