Tuesday, June 27, 2017

To Patchnya, or Not to Patchnya


Heads-up: there's another ransomware worm making the rounds. Initially thought to be a variant of the Petya ransomware family, it was later determined to be something entirely different, and has been dubbed "NotPetya" in many tweets and reports.

Like the WannaCry worm that made such a splash in May, it exploits a (now-patched) vulnerability in the Windows file sharing protocol known as SMB. Unlike WannaCry, it also harvests credentials from compromised systems, then uses standard Windows administration tools such as WMIC and psexec to spread within an organization.

Wednesday, May 24, 2017

Samba remote code execution exploit: what you need to know

This is going to hurt home users with Samba shares mounted on their SoHo routers or NAS, among other things. 

Samba is a file sharing service for Linux, similar to Windows SMB file shares (yes, the same SMB that was exploited in the recent WannaCry ransomware worm). A vulnerability in Samba could enable a similar attack on Linux systems. A malicious actor with access to upload files to a Samba share, can upload malicious code and then use this vulnerability to cause the server to execute it.

Unlike SMB, Samba exists on a wide variety of systems from different makers - servers, laptops, home routers, network storage systems, media servers, and many IoT devices. And unlike Windows, those devices may not automatically install an update - even if the manufacturer provides one. 

A quick query of Internet scanner Shodan shows that nearly a half million devices running Samba are publicly accessible on the Internet. Interestingly, the large majority of those appear to be in the United Arab Emirates, leading one to wonder if Emirates Telecommunications Corporation is equipping its customers with a gateway router that has Samba enabled by default.

What can you do?



Update Samba


The best course of action is to update Samba to a non-vulnerable version (4.6.4 or newer; 4.5.10 or newer; or 4.4.14 or newer, according to the Samba Project advisory).

For most IoT devices, you are likely dependent on the manufacturer to release a firmware update that includes this fix.



Disable writable shares


This vulnerability can only be exploited using shares that allow uploading or writing files; read-only shares cannot be exploited.



Disable "named pipe endpoints" in your Samba config file


Similar to the way port numbers allow multiple layer 4 connections to the same layer 3 network address, named pipes allow multiple layer 5 (SMB) connections to the same layer 4 port (TCP 445). This is also the feature that can be exploited due to this vulnerability. Disabling named pipes prevents exploitation, though it may also disable expected functionality in some cases.

To disable named pipes, add the parameter:


nt pipe support = no


to the [global] section of your smb.conf file and restart smbd. You can modify smb.conf on a couple of IoT devices as follows:




Double-check that Samba is not exposed to the Internet


  • Browse to http://www.ipchicken.com/ to check your public Internet address
  • Browse to https://shodan.io and search for your address. You do not want to see the following - if you do, you'll need to check your router or firewall and disable public (or WAN) access to port 445:

Friday, May 19, 2017

Hit by WannaCry? It may also be a HIPAA breach

Ransomware is a common form of malware, designed to encrypt personal and business data, making it unusable unless the victim pays a "ransom" fee to the attacker to purchase the recovery key. It most often affects one person at a time, delivered by email or a malicious web browser download. 

Beginning May 12 however, the "WannaCry" or "WannaCrypt" ransomware spread rapidly by exploiting a flaw in the Windows operating system -- a flaw patched by Microsoft in March, but that nonetheless remained exposed in many organizations that had not yet updated their systems.

Under guidance issued by the US Department of Health and Human Services (HHS) last summer:
The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule.

When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.

Unless the covered entity or business associate can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements. See 45 C.F.R. 164.400-414. 

The HHS ransomware fact sheet (PDF download) includes the following Q&A:

Is it a HIPAA breach if ransomware infects a covered entity’s or business associate’s computer system?


When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule. Unless the covered entity or business associate can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification...in accordance with HIPAA breach notification requirements.


How can covered entities or business associates demonstrate “…that there is a low probability that the PHI has been compromised” such that breach notification would not be required?


To demonstrate that there is a low probability that the protected health information (PHI) has been compromised because of a breach, a risk assessment considering at least the following four factors must be conducted: 
  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  2. The unauthorized person who used the PHI or to whom the disclosure was made
  3. Whether the PHI was actually acquired or viewed; and
  4. The extent to which the risk to the PHI has been mitigated. 
A thorough and accurate evaluation of the evidence acquired and analyzed as a result of security incident response activities could help entities with the risk assessment process above by revealing, for example: the exact type and variant of malware discovered; the algorithmic steps undertaken by the malware; communications, including exfiltration attempts between the malware and attackers’ command and control servers; and whether or not the malware propagated to other systems, potentially affecting additional sources of electronic PHI (ePHI). Correctly identifying the malware involved can assist an entity to determine what algorithmic steps the malware is programmed to perform. Understanding what a particular strain of malware is programmed to do can help determine how or if a particular malware variant may laterally propagate throughout an entity’s enterprise, what types of data the malware is searching for, whether or not the malware may attempt to exfiltrate data, or whether or not the malware deposits hidden malicious software or exploits vulnerabilities to provide future unauthorized access, among other factors

Friday, May 12, 2017

Ransomware now comes in worm flavor

If you have SMBv1 in your enterprise, and haven't completed deploying MS17-010 (released in March), now would be a good time to expedite that. Multiple news outlets are reporting a widespread outbreak of the "WannaCry" ransomware. 

Ransomware is malware that encrypts all the data on a computer, holding it hostage until the victim pays a ransom fee. This particular attack is especially insidious because it acts as a "worm" - it spreads from computer to computer on its own, without any interaction from users.

The saving grace is that the vulnerability it exploits to spread, was fixed by Microsoft in March. Most home users are safe because Windows Updates apply automatically (yes, it's annoying to have a computer reboot when you do not want it to, but today you are thanking your lucky stars).


Some reports of note:


CCN-CERT, the computer emergency response team for Spain, first issued a warning (in Spanish) of this outbreak Friday morning.

Spanish telecommunications company Telef√≥nica reported (in Spanish) that they too have been affected.

The British Broadcasting Company has a running commentary on effects in the UK, and specifically the effects on the National Heathcare Service of the UK.

The Register reports that UK hospitals have effectively shutdown, and are not accepting new patients.

Global delivery company FedEx reported that it has been affected, but has not specified what locations or if deliveries have been interrupted. At least one FedEx customer reported Customer Service being unable to provide support due to server outages.


What can you do:


Home users by and large are not affected by this. If you follow the basic steps I recommend in https://securityforrealpeople.com/cybertips (in particular, setting Windows to automatically install updates), Windows lomng ago installed the patch to protect you from this worm.

For corporate and small business readers:
  • Block TCP 445 and 135 inbound from the Internet
     
  • Install MS17-010 everywhere. Note that the April and May cumulative updates for Windows include this patch
     
  • Kill off SMBv1. SMB version 1 is a 30-year-old protocol that has outlived its usefulness. Every modern operating system - including all supported Windows variants, MacOS and OS X, and the Samba product for Linux file sharing, supports the newer v2 and v3 versions.

    SMBv1 can be disabled by creating or editing the following value in the Windows Registry:



    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Name: SMB1
    Type: DWORD
    Value: 0


    Then run the following command to disable SMBv1 on the client side:


    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= disabled


  • Block client-to-client SMB (TCP 445) traffic. Generally speaking, laptops don't need to map file shares of other laptops. Blocing lateral SMB traffic prevents this malware from spreading laptop-to-laptop. Then focus on patching your domain controllers and enterprise file servers - which genuinely do need to share services on TCP 445.
     
  • Run Windows Firewall and block inbound TCP 445 connections when on an untrusted network (public WiFi, for example).

Friday, May 5, 2017

Hacking the SIEM

Day 1 of Security B-Sides Austin is in the books. One talk in particular stuck with me: "Hack the SIEM" by John Griggs of Meta Studios, Inc.

Your SIEM is an aggregation of lots of data about your company - it contains information about endpoints, network controls, detective capabilities, and incidents. To an attacker, it is a gold mine of recon.

John brought up a different point, one I had not considered: your Security Information and Event Management system, or SIEM, may also be the single pane of glass that your SOC relies on. If an attacker doesn't show up in the SIEM, your SOC may not be aware of the incident - even if the originating network control is squawking at the top of its lungs.

Ergo, an attacker doesn't have to cover all of its tracks - they only need to stop their actions from showing up in the SIEM. Sure, original logs will show the attacker's trail in the post-mortem, but depending on their objectives, avoiding real-time detection may be all the attacker needs.

Is your SIEM locked down to prevent it from being used and abused by an attacker?

Tuesday, April 18, 2017

A letter from the IRS

Fraudsters may have viewed information appearing on your federal tax return. Information viewed may include: type of tax return filed, type and amounts of income reported, income tax, untaxed pensions, untaxed individual retirement account distributions and payments, exemptions, and education credits.


This weekend I had the dubious pleasure of reading a letter that begins with these two paragraphs.

In March, the Internal Revenue Service removed a Data Retrieval Tool from its website, a tool used by many families to retrieve income and tax information necessary to fill out the Free Application for Financial Student Aid, but also a tool that had been compromised by criminals to obtain personal information on some 100,000 taxpayers.

According to a story by Brian Krebs, the Data Retrieval Tool was intended as a way for students who may not have ready access to their parents' tax returns, to look up the parents' Adjusted Gross Income - a key figure used by colleges and universities to determine how much and what forms of aid to award enrollees.

The letter from the IRS though suggests far more information could be accessed through the Data Retrieval Tool though.
"Fraudsters may have viewed information appearing on your federal tax return. Information viewed may include: type of tax return filed, type and amounts of income reported, income tax, untaxed pensions, untaxed individual retirement account distributions and payments, exemptions, and education credits."
The IRS has arranged for credit monitoring, identity theft insurance, and "other services that will allow you to monitor your personal accounts." A possible interpretation of this letter is, the attackers could see complete federal tax returns rather than just the income information intended to be accessed through this tool. I have no inside knowledge of what was truly exposed. I am only reading between the lines based on what the IRS stated in their letter.

Depending on exactly what was exposed, "IRA distributions" could include not only the dollar amount but also the financial institution and account numbers. IRS form 5498 ("IRA Contribution Information," which your financial institution provided to the IRS) includes a field for your account number. In other words, a tax return has more than enough information for a scammer to convincingly impersonate you to your bank, to social engineer bank personnel into granting them access to bank accounts.



What can you do?


If you are affected by this data breach (or any breach of personally identifying information for that matter), here are a few things you can do:

  1. Take advantage of the credit monitoring offered by the IRS. Stolen identity information can be used to open new credit accounts in your name, and as far as the lender is concerned, you are on the hook. Credit monitoring alerts you to such new accounts quickly, giving you a chance to do something about it before the crook runs up debt.
     
  2. Place a Fraud Alert or Security Freeze on your credit report. In truth, every US consumer should do this, whether or not you are the victim of identity theft. A Fraud Alert tells potential creditors to take extra care in verifying your identity before issuing credit. Generally that means the creditor will call you at the phone number you provide in the fraud alert. While it is not mandatory, it is in the creditor's best interest since by US law they are on the hook for fraudulent credit.

    A Security Freeze, on the other hand, denies would-be creditors access to your credit report. They cannot view your credit history, and they cannot place new accounts on your credit report.
     
  3. Establish an IRS Identity Protection PIN (IP PIN). An IP PIN is essentially a password for your tax return. Crooks use taxpayer information to file fraudulent tax returns, claiming significant refunds. While the tax filing deadline for the 2016 calendar year just ended, tax fraud will undoubtedly spike again next February and March. With an IP PIN, a fraudster cannot file a return using your identity without also having that PIN.
     
  4. File early next year (and every year following). A criminal cannot file "your" tax return if you get there first.
     
  5. Call your bank: alert them to the possibility someone may try to impersonate you. Ask what options they have for extra protection. USAA just sent the below memo to all of its customers, extending multifactor authentication to telephone customer service. This is a fantastic idea: customers calling in for service (or scammers calling in to steal your money) will need an extra password sent by email or SMS. To my knowledge USAA is the only bank that offers this added layer of security, but I will be very happy to be proven wrong -- please comment below if you are aware of other banks that do this.

USAA is extending multifactor authentication to customer service calls.

Tuesday, March 28, 2017

Hackers threaten mass iCloud carnage: don't panic, but do enable 2FA

There have been rumblings in recent weeks (with varying degrees of credibility and/or paranoia) of several hundred million Apple accounts stolen by hackers, with a threat that the iPhones, iPads, and iCloud backups associated with these accounts will be deleted on April 7 unless Apple pays a ransom fee. The threat is that owners of those account could wake up to find all their pictures, all their files, all their data, deleted forever.

ZDNet's Zack Whittacker has a sane take on the matter: Apple has not been hacked, but people are prone to reusing the same passwords across all the apps and websites they use - many of which have been breached. ZDNet's analysis has found that not all the accounts the hackers claim to have compromised, are indeed compromised - but a not insignificant number are.

What you need to know:
  • If you haven't changed your Apple (aka iCloud) password recently (as in, within the last 6 months or so), it wouldn't be a bad idea to change it now. 
  • Use separate passwords for each account, so one stolen password doesn't put all your other accounts at risk.
  • Enable two-factor authentication on any accounts that matter to you, so a stolen password by itself isn't enough to break into your account and steal or delete your valuable data. Here's how to enable it on your Apple ID: https://support.apple.com/en-us/HT204915

Whois David?

My photo

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.