Tuesday, October 10, 2017

Exploiting Office native functionality: Word DDE edition

Sensepost researchers show a way to exploit DDE to run code from Word, without macros or buffer overflows. Here's how to detect it.

Updated 11 October: I originally wrote that this exploit technique bypassed both disabled macros, and Protected View. That is incorrect: this technique will work if macros are disabled, but the code does not trigger while in Protected View. Thanks to Matt Nelson (@enigma0x3) for pointing out my mistake.

I love reading exploit techniques that rely on native features of the operating system or common applications. As an attacker, I find it diabolically clever to abuse features the target fully expects to be used and cannot turn off without disrupting business. As a defender, I am intrigued by the challenge of detecting malicious use of perfectly legitimate features.

Researchers Etienne Stalmans and Saif El-Shereisuch of Sensepost wrote of a slick way to execute code on a target computer using Microsoft Word - but without the macros or buffer overflows usually exploited to this end. Instead, they use dynamic data exchange, or DDE - an older technology once used for coding and automation withyin MS Office applications. This is particularly clever because it works even with macros disabled - because it's not using the macro subsystem.

Thursday, October 5, 2017

Enable two-factor on your Yahoo account... if you can

Yahoo! accounts have very different security options depending on their origin.
Unless you've been living under a rock, you know by now that Yahoo! suffered a massive data breach in 2013. The number of accounts reportedly affected changed a number of times, until this week it announced that every single account had been compromised. All 3 billion of them.

Zack Whittaker, security editor for ZDNet, had this to say:

Secure your Yahoo account with 2FA, but do not delete it. Deleting it will recycle your account after 30 days — and anyone can hijack it.

That's good advice - if you can. Many cannot.

Monday, October 2, 2017

Seven steps to minimize your risk of financial identity fraud

Credit Card Fraud spelled out using Scrabble tiles


This is one of a few Security for Real People blog posts routinely updated once or twice a year, to offer up-to-date advice to consumers and small businesses as threats evolve over time. The recent Equifax breach has put most Americans at a higher risk of identity fraud and is a good reason for an update.

How many times have you replaced your credit or debit card after the number was stolen?

Now how many of those times did you suffer actual harm due to the fraud?

Credit card fraud is frequently in the news - perhaps less now than it was a few years ago, but it still remains a hot topic. Between Sonic, Sabre, Target, The Home Depot, Sears/Kmart, Dairy Queen, Wendy's, Cici's Pizza, Goodwill - the list of businesses whose payment systems were breached to steal card numbers goes on and on.

In a widely-circulated news story in late 2016, researchers at UK's Newcastle University discovered a way to collect Visa card numbers without breaching a merchant. Generally speaking, a card number cannot be used online without also knowing the expiration date and the 3- or 4-digit code on the back. Visa's payment network will block repeated attempts to guess the expiration and security code coming from a merchant - but does not detect guessing attempts spread out across many merchants.

The result is, by automatically and systematically generating different versions of security data for a card number, and trying the different combinations across thousands of merchant websites, a malicious hacker can successfully guess the correct combination of account number, expiration date, and security code in just a few seconds.

So what can you do to take credit card fraud off the top of your list of worries?

Tuesday, September 19, 2017

Incremental wins: iOS11 strengthens the idea of Trust

Two years ago, a friend piqued my curiosity with a question about a iPhone / iPad app teenagers were using to hide content from nosy peers (and parents). This person wondered whether the app was more than "security by obscurity" - did the app actually protect and encrypt the hidden data, or did it merely hide it out of obvious sight?

The answer turned out to be the latter, but along the way I noticed a curious oversight in the iOS security model.

Monday, September 18, 2017

Avast download site compromised to host a malicious CCleaner

If you downloaded "CCleaner" software from antivirus company Avast between August 15 and September 12, you have a problem. Cisco's Talos threat research group discovered that company's software download page was compromised to host a malicious version of CCleaner that contains malware.

Computers that downloaded and ran that software became part of a botnet, a network of computers under the control of whomever is behind that malware.

Those that follow my advice to use the free OpenDNS service for their home networks are partially protected - your computer would still download and install the malware, but would be prevented from accessing the command and control servers the criminals use to deliver instructions to your computer.

If you use CCleaner, check your antivirus software to be sure it is completely up-to-date, and run a full system scan. Now that the malware is known, most commercial antivirus programs will begin to detect it (with varying degrees of success).

I have long recommended automatically updating software with the latest available patches and updates, as a core tenet of basic security for individuals and small businesses. After a Ukranian software company was hacked to deliver malware to taxpayers in that country, I wrote up an analysis of why I still held that recommendation. 

I said then:
In over twenty years as a systems administrator and security professional - much of that time overseeing patching for a Fortune 100 company with a quarter million systems to update - I can count on one hand the number of catastrophic failures caused by patching, and still have fingers left over. Conversely, hardly a month goes by that I don't see malware and criminals exploit vulnerabilities in Windows, browsers, office productivity software, mobile apps, building automation systems, industrial control systems, and other computing software.
It is becoming increasingly difficult to maintain that position... I suspect I am up to two hands now, but for the time being, I still find quickly updating is less risky than not patching.


Thursday, September 14, 2017

A change of scenery for this security engineer


If you are looking for a seasoned infosec architect with red team skills, or know someone that is, take a few seconds to read on. I am currently in Austin, Texas, but could be talked into relocating for the right opportunity.

Who am I? An incident responder, a log correlation junkie, a malware analyst, a forensic investigator, a threat intelligence handler (real intelligence, not the threat data often thrown under that label), a network engineer, and a security architect. I break and fix things, so I can stop others from breaking or detect them when they do.

Having recently found myself on the wrong side of a "reduction in force," I now have a chance to build security for you.

I'm a dyed-in-the-wool defender. I have some red team skills (and a few CVEs to my credit), but those skills just make me a better defender and detector. My ideal job is building systems and automation to detect and triage incidents, and to find and address risks before they become incidents. It's what I've done for the better part of 20 years.

I've built security from the ground up for a mid-sized company you may not even know works for you. I ran vulnerability scans and assisted SMEs with prioritizing patching versus business priorities, and with coming up with mitigating options when patching was not immediately advisable. I built the company’s incident response program, then drilled it with a simulated data breach. I designed a log management strategy, enriched logs with open-source and company-specific context, and built a SIEM with open-source software to correlate events and highlight potential incidents.

Prior to that, I spent 20 years with a Fortune 50 enterprise. The early years were Windows and *nix system administration, along with switch, router and firewall administration, while from 2001 on it was a variety of direct security roles - primarily network defense; intrusion detection, triage and incident handling; risk assessment and threat intelligence. 

Friday, September 8, 2017

Equifax breach exposes 143 million to identity fraud

Updated to add a link to Equifax's official incident response website, https://www.equifaxsecurity2017.com/ . Fake sites and phishing email are already appearing, by criminals attempting to deceive and defraud worried consumers. Also updated to add a comment about identity theft potentially leading to tax fraud.

This breach is likely to be in the news for a while, and the effects will linger long after the media moves on.

Between mid-May and the end of July 2017, criminals accessed sensitive information on a website owned by financial credit reporting bureau Equifax. According to the company, personal information for approximately 143 million US consumers was compromised. An undisclosed number of Canadian and UK residents were also affected. This being a credit bureau - a company whose primary business is keeping track of consumers' financial identities - the information stolen was significant: social security numbers, birth dates, and addresses. In some cases, driver's licenses, credit card numbers and specific details related to dispute documents were also compromised.

For perspective, 143 million is more or less the same number as every working-age human in the United States.

I do not plan on going into how it happened - Brian Krebs did an excellent job of that. My goal is to provide my readers with advice on what to do now.

Whois David?

My photo

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.