Monday, September 18, 2017

Avast download site compromised to host a malicious CCleaner

If you downloaded "CCleaner" software from antivirus company Avast between August 15 and September 12, you have a problem. Cisco's Talos threat research group discovered that company's software download page was compromised to host a malicious version of CCleaner that contains malware.

Computers that downloaded and ran that software became part of a botnet, a network of computers under the control of whoever is behind that malware.

Those that follow my advice to use the free OpenDNS service for their home networks are partially protected - your computer would still download and install the malware, but would be prevented from accessing the command and control servers the criminals use to deliver instructions to your computer.

If you use CCleaner, check your antivirus software to be sure it is completely up-to-date, and run a full system scan. Now that the malware is known, most commercial antivirus programs will begin to detect it (with varying degrees of success).

I have long recommended automatically updating software with the latest available patches and updates, as a core tenet of basic security for individuals and small businesses. After a Ukrainian software company was hacked to deliver malware to taxpayers in that country, I wrote up an analysis of why I still held that recommendation.

I said then:
In over twenty years as a systems administrator and security professional - much of that time overseeing patching for a Fortune 100 company with a quarter million systems to update - I can count on one hand the number of catastrophic failures caused by patching, and still have fingers left over. Conversely, hardly a month goes by that I don't see malware and criminals exploit vulnerabilities in Windows, browsers, office productivity software, mobile apps, building automation systems, industrial control systems, and other computing software.
It is becoming increasingly difficult to maintain that position... I suspect I am up to two hands now, but for the time being, I still find quickly updating is less risky than not patching.
Thursday, September 14, 2017

A change of scenery for this security engineer
If you are looking for a seasoned infosec architect with red team skills in the Austin (Texas) area, or know someone that is, take a few seconds to read on.

Who am I? An incident responder, a log correlation junkie, a malware analyst, a forensic investigator, a threat intelligence handler (real intelligence, not the threat data often thrown under that label), a network engineer, and a security architect.

I've defended a Fortune 50 company, primarily doing network defense, intrusion detection and incident handling, and threat intelligence.

I've built security from the ground up for a mid-sized company you may not even know works for you.

I break and fix things, so I can stop others from breaking or detect them when they do.

I won't list the products I have used because honestly, the right tool for the job depends in large part on what you have in place today, and what problem needs to be solved. That, and I'm an OSINT junkie - I know exactly how useful a list of tools used by my previous employers would be. Suffice to say I know commercial tools and have built custom solutions with open source tools as well. If I don't know a tool vital to your operation, I'll be competent at it shortly.

Why am I writing this? I recently found myself on the wrong side of a "reduction in force." So now I have a chance to build security for you.

Friday, September 8, 2017

Equifax breach exposes 143 million to identity fraud

Updated to add a link to Equifax's official incident response website, https://www.equifaxsecurity2017.com/ . Fake sites and phishing email are already appearing, by criminals attempting to deceive and defraud worried consumers. Also updated to add a comment about identity theft potentially leading to tax fraud.

This breach is likely to be in the news for a while, and the effects will linger long after the media moves on.

Between mid-May and the end of July 2017, criminals accessed sensitive information on a website owned by financial credit reporting bureau Equifax. According to the company, personal information for approximately 143 million US consumers was compromised. An undisclosed number of Canadian and UK residents were also affected. This being a credit bureau - a company whose primary business is keeping track of consumers' financial identities - the information stolen was significant: social security numbers, birth dates, and addresses. In some cases, driver's licenses, credit card numbers and specific details related to dispute documents were also compromised.

For perspective, 143 million is more or less the same number as every working-age human in the United States.

I do not plan on going into how it happened - Brian Krebs did an excellent job of that. My goal is to provide my readers with advice on what to do now.

Monday, August 28, 2017

In the wake of Hurricanes Harvey and Irma, be alert for relief scams

Gulf of Mexico radar image August 24, credit NOAA

Update 30 August 2017: the Federal Trade Commission is reporting scam robocalls telling victims their flood insurance premiums are past due, and demanding immediate payment in order for their Hurricane Harvey damages to be covered. Don’t do it. Instead, contact your insurance agent.

Update 11 September 2017: everything said of Hurricane Harvey in Texas is equally true of Hurricane Irma in Florida and Georgia.

This is a blog post I do not enjoy updating after each major natural disaster, but alas where there is disaster, there are lowlifes looking to profit from it.

August 25, Hurricane Harvey hit the middle Texas Coast as a major hurricane, packing sustained 130 mph winds. It then camped out in southeast Texas, dropping heretofore unheard-of amounts of rain along a path from east of Austin to the Houston metro area.

Two weeks later, Hurricane Irma trashed the Caribbean before running up the west coast of Florida, again bringing widespread wind damage and flooding to much of that state and its neighbors.

As appalling as it is, major internationally-publicized disasters such as this invariably are followed by "cyber opportunists," criminals who take advantage of the publicity for their own nefarious gain. Two common methods are fraudulent requests for assistance, and malware-laden websites using search engine optimization to appear high in search results for news on the events of the day.

Tuesday, June 27, 2017

To Patchnya, or Not to Patchnya
Heads-up: there's another ransomware worm making the rounds. Initially thought to be a variant of the Petya ransomware family, it was later determined to be something entirely different, and has been dubbed "NotPetya" in many tweets and reports.

Like the WannaCry worm that made such a splash in May, it exploits a (now-patched) vulnerability in the Windows file sharing protocol known as SMB. Unlike WannaCry, it also harvests credentials from compromised systems, then uses standard Windows administration tools such as WMIC and psexec to spread within an organization.

Wednesday, May 24, 2017

Samba remote code execution exploit: what you need to know

This is going to hurt home users with Samba shares mounted on their SoHo routers or NAS, among other things. 

Samba is a file sharing service for Linux, similar to Windows SMB file shares (yes, the same SMB that was exploited in the recent WannaCry ransomware worm). A vulnerability in Samba could enable a similar attack on Linux systems. A malicious actor with access to upload files to a Samba share can upload malicious code and then use this vulnerability to cause the server to execute it.

Unlike SMB, Samba exists on a wide variety of systems from different makers - servers, laptops, home routers, network storage systems, media servers, and many IoT devices. And unlike Windows, those devices may not automatically install an update - even if the manufacturer provides one. 

A quick query of Internet scanner Shodan shows that nearly a half million devices running Samba are publicly accessible on the Internet. Interestingly, the large majority of those appear to be in the United Arab Emirates, leading one to wonder if Emirates Telecommunications Corporation is equipping its customers with a gateway router that has Samba enabled by default.

What can you do?

Update Samba

The best course of action is to update Samba to a non-vulnerable version (4.6.4 or newer; 4.5.10 or newer; or 4.4.14 or newer, according to the Samba Project advisory).

For most IoT devices, you are likely dependent on the manufacturer to release a firmware update that includes this fix.

Disable writable shares

This vulnerability can only be exploited using shares that allow uploading or writing files; read-only shares cannot be exploited.

Disable "named pipe endpoints" in your Samba config file

Similar to the way port numbers allow multiple layer 4 connections to the same layer 3 network address, named pipes allow multiple layer 5 (SMB) connections to the same layer 4 port (TCP 445). This is also the feature that can be exploited due to this vulnerability. Disabling named pipes prevents exploitation, though it may also disable expected functionality in some cases.

To disable named pipes, add the parameter:

nt pipe support = no

to the [global] section of your smb.conf file and restart smbd. You can modify smb.conf on a couple of IoT devices as follows:
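As an added example that is not from the original post, the script below audits a Samba host against the three mitigations above: it compares a `smbd --version` string against the fixed versions the Samba advisory lists, and it parses an smb.conf to report whether named pipes are disabled in [global] and which shares a client could write to. The sample smb.conf it writes is constructed for the demonstration; on a real host point `smbconf_audit` at /etc/samba/smb.conf.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Samba host against the
# three mitigations above. Version thresholds are the ones the post cites from
# the Samba advisory; the sample smb.conf at the bottom is constructed input.
# samba_is_fixed "Version 4.5.8-Debian" -> exit 0 when the version has the fix.
samba_is_fixed() {
    ver=$(printf '%s' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p')
    [ -z "$ver" ] && return 1
    maj=${ver%%.*}; rest=${ver#*.}; min=${rest%%.*}
    case "$rest" in *.*) pat=${rest#*.}; pat=${pat%%.*} ;; *) pat=0 ;; esac
    [ "$maj" -gt 4 ] && return 0
    [ "$maj" -lt 4 ] && return 1
    case "$min" in
        4) [ "$pat" -ge 14 ] ;;   # 4.4.14 or newer
        5) [ "$pat" -ge 10 ] ;;   # 4.5.10 or newer
        6) [ "$pat" -ge 4 ] ;;    # 4.6.4 or newer
        *) [ "$min" -gt 6 ] ;;    # later branches shipped fixed; older ones did not
    esac
}

# smbconf_audit FILE -> prints "pipes off|on" for [global] "nt pipe support", then
# "writable NAME" per share a client may write to (honours the [global] default).
smbconf_audit() {
    awk '/^[ \t]*[#;]/ { next }                      # skip comment lines
         /^[ \t]*\[/ { sec = $0; gsub(/^[ \t]*\[|\].*$/, "", sec); order[++n] = sec; next }
         (i = index($0, "=")) {                       # "key = value" line
             key = tolower(substr($0, 1, i - 1)); val = tolower(substr($0, i + 1))
             gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val); s = tolower(sec)
             if (key == "ntpipesupport" && s == "global") pipes = val
             else if (key ~ /^writ(e)?able$|^writeok$/) w[s] = (val ~ /^(yes|true|1)$/)
             else if (key == "readonly") w[s] = (val ~ /^(no|false|0)$/) }
         END { print "pipes", (pipes ~ /^(no|false|0)$/ ? "off" : "on")
               for (i = 1; i <= n; i++) { s = tolower(order[i])
                   if (s != "global" && ((s in w) ? w[s] : w["global"])) print "writable", order[i] } }' "$1"
}

SAMPLE_CONF=${TMPDIR:-/tmp}/smb_audit_sample.$$.conf   # constructed test input
cat > "$SAMPLE_CONF" <<'EOF'
[global]
   nt pipe support = no
[public]
   path = /srv/public
   read only = yes
[uploads]
   path = /srv/uploads
   writable = yes
[media]
   path = /srv/media
EOF
```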

Double-check that Samba is not exposed to the Internet

  • Browse to http://www.ipchicken.com/ to check your public Internet address
  • Browse to https://shodan.io and search for your address. You do not want to see the following - if you do, you'll need to check your router or firewall and disable public (or WAN) access to port 445:

Friday, May 19, 2017

Hit by WannaCry? It may also be a HIPAA breach

Ransomware is a common form of malware, designed to encrypt personal and business data, making it unusable unless the victim pays a "ransom" fee to the attacker to purchase the recovery key. It most often affects one person at a time, delivered by email or a malicious web browser download. 

Beginning May 12 however, the "WannaCry" or "WannaCrypt" ransomware spread rapidly by exploiting a flaw in the Windows operating system -- a flaw patched by Microsoft in March, but that nonetheless remained exposed in many organizations that had not yet updated their systems.

Under guidance issued by the US Department of Health and Human Services (HHS) last summer:
The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule.

When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.

Unless the covered entity or business associate can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements. See 45 C.F.R. 164.400-414. 

The HHS ransomware fact sheet (PDF download) includes the following Q&A:

Is it a HIPAA breach if ransomware infects a covered entity’s or business associate’s computer system?
When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule. Unless the covered entity or business associate can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification...in accordance with HIPAA breach notification requirements.
How can covered entities or business associates demonstrate “…that there is a low probability that the PHI has been compromised” such that breach notification would not be required?
To demonstrate that there is a low probability that the protected health information (PHI) has been compromised because of a breach, a risk assessment considering at least the following four factors must be conducted: 
  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  2. The unauthorized person who used the PHI or to whom the disclosure was made
  3. Whether the PHI was actually acquired or viewed; and
  4. The extent to which the risk to the PHI has been mitigated. 
A thorough and accurate evaluation of the evidence acquired and analyzed as a result of security incident response activities could help entities with the risk assessment process above by revealing, for example: the exact type and variant of malware discovered; the algorithmic steps undertaken by the malware; communications, including exfiltration attempts between the malware and attackers’ command and control servers; and whether or not the malware propagated to other systems, potentially affecting additional sources of electronic PHI (ePHI). Correctly identifying the malware involved can assist an entity to determine what algorithmic steps the malware is programmed to perform. Understanding what a particular strain of malware is programmed to do can help determine how or if a particular malware variant may laterally propagate throughout an entity’s enterprise, what types of data the malware is searching for, whether or not the malware may attempt to exfiltrate data, or whether or not the malware deposits hidden malicious software or exploits vulnerabilities to provide future unauthorized access, among other factors.

Whois David?
I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.