Thursday, October 18, 2018

KB4462928 - Critical Update for WS2016 Storage Spaces Direct Deployments

The 10C update for Windows Server 2016 has just been published. It includes critical fixes for Storage Spaces Direct deployments, and we recommend that all customers adopt it aggressively. This update addresses all top known supportability issues.


October 18, 2018—KB4462928 (OS Build 14393.2580)



Important Updates

Specifically, this update includes fixes for the following issues:

  • "Event 5120" with STATUS_IO_TIMEOUT c00000b5 after an S2D node restart on Windows Server 2016 May 2018 update or later
  • Virtual Disk resources are in No Redundancy or Detached status in a Storage Spaces Direct cluster

2018 NY Metro Joint Cyber Security WEBINAR

The 2018 NY Metro Joint Cyber Security WEBINAR will take place on Thursday October 18th. NYMJCSC is now in its fifth year; featuring keynotes, panels and sessions aimed at various aspects of information security and technology.

This year will feature a webinar format allowing NYMJCSC to reach and educate a broader audience.

To register please go here
Conference Agenda (end time, topic, speaker)
  • (ends 2:40) Behavior-based Internal Controls that Prevent Ransomware, Employee Theft, and Denial of Service attacks. Jeffrey Wagar, Past President, ISACA New Orleans Chapter
  • (ends 3:25) Cyber Risk: It's All About People. Alan Brill, Senior Managing Director, Cyber Risk, North America, Kroll (a division of Duff & Phelps)
  • (ends 4:10) Cyber Dogfighting: Hacker Decision-Making and the Korean Air War. Mathew J. Heath Van Horn, Assistant Professor, SUNY Delhi School of Business
  • (ends 4:55) Assessing Legal and Contractual Risk and Uncertainty with Bug Bounty Programs, Vulnerability Disclosures and Information Sharing. Mark H. Francis, Partner - Tech & Data, Holland & Knight
  • (ends 5:30) "Not If but When?" - Leveraging AI to Jettison Mantras of the Past: How AI will Liberate Security of the Future. John McClurg, VP & Ambassador-At-Large,

Free NYC Secure app

This new app from NYC
  • Alerts you to unsecure Wi-Fi networks, unsafe apps in Android, system tampering & more
  • Helps you protect your phone and your privacy
  • $0 to download, $0 to use, no in-app purchases, no ads

How does the app help protect me?

The app detects potential threats in real time to your device, to Wi-Fi networks you may connect to, and, for Android users, it detects whether any app you’ve downloaded might be unsafe. When the app detects a threat, it will send you an alert in real time and offer a recommendation on how to address the threat, such as suggesting you disconnect from a particular Wi-Fi network. These alerts include:
  • Device alerts—These alerts warn you about settings or activity that could potentially put your device at risk.
  • Network alerts—These alerts warn you about potentially compromised networks you are connected to.
  • App alerts (Android only)—These alerts warn you when issues arise on apps you have installed that could compromise your device's security.
Go here to learn more

Free Credit Protection Information

If you haven’t frozen your credit reports yet, this could be your moment.

Under the Economic Growth, Regulatory Relief, and Consumer Protection Act, freezing your credit at all three major credit bureaus, Equifax (1-800-525-6285), Experian (1-800-397-3742) and TransUnion (1-800-680-7289), is now free. Previously, states set prices for credit freezes, which typically cost about $10.

Other links of importance

        Federal Trade Commission

        Identity Theft Hotline 1-877-438-4338

        Social Security 1-800-269-0271

        In the United States, you can report tech support scams with the Internet Crime Complaint Center (IC3) or use the FTC Complaint Assistant form.
Another tool you might want to look at is Lock & Alert.

Equifax offers a Lock & Alert service that allows you to lock and unlock your Equifax credit report for free, online or with the Equifax Lock & Alert app. By locking your credit report, you can restrict access to it by third parties, with certain exceptions. These exceptions, for instance, may include lenders and creditors where you have existing accounts. Federal, state and local government agencies are also exceptions.
Locking your Equifax credit file will prevent access to it by certain third parties. Locking your Equifax credit file will not prevent access to your credit file at any other credit reporting agency. Entities that may still have access to your Equifax credit file include: companies like Equifax Global Consumer Solutions which provide you with access to your credit report or credit score, or monitor your credit file; federal, state, and local government agencies; companies reviewing your application for employment; companies that have a current account or relationship with you, and collection agencies acting on behalf of those whom you owe; for fraud detection purposes; and companies that wish to make pre-approved offers of credit or insurance to you. To opt out of such pre-approved offers, visit

Draft of NIST’s Transport Layer Security (TLS) Guidance Now Available for Comment: (SP) 800-52 Rev. 2

NIST has released a second draft of NIST Special Publication (SP) 800-52 Revision 2, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. It provides guidance for selecting and configuring TLS protocol implementations that use NIST-recommended cryptographic algorithms and Federal Information Processing Standards (FIPS). The document requires that government TLS servers and clients support TLS 1.2 configured with FIPS-based cipher suites, and recommends that agencies develop migration plans to support TLS 1.3 by January 1, 2024.
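As an added illustration of the configuration direction described above (this is example code, not material from the NIST draft), the block below builds a Python ssl context that refuses anything below TLS 1.2 and restricts the TLS 1.2 cipher list to (EC)DHE key exchange with AES-GCM, then audits the resulting context. The APPROVED_SUITE pattern is an assumption chosen for the example: it approximates the FIPS-based suites the guidance points at rather than reproducing the publication's own list.

```python
"""TLS context aligned with the SP 800-52 Rev. 2 direction (added example).

Not code from the NIST draft. Builds an ssl.SSLContext that refuses TLS 1.0/1.1
and limits TLS 1.2 to ECDHE/DHE key exchange with AES-GCM, and audits it.
"""
import re
import ssl

# Assumption for this example: accept only (EC)DHE key exchange with
# RSA/ECDSA authentication and AES-GCM. Not the publication's exact list.
APPROVED_SUITE = re.compile(r"^(ECDHE|DHE)-(ECDSA|RSA)-AES(128|256)-GCM-SHA(256|384)$")

# OpenSSL cipher string for TLS 1.2 and below. TLS 1.3 suites are not chosen
# here because Python's ssl module does not expose set_ciphersuites(); TLS 1.3
# suite selection (e.g. removing CHACHA20) has to be done in OpenSSL config.
CIPHER_STRING = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!PSK:!DSS"


def approved_cipher(name: str) -> bool:
    """True if a TLS 1.2 cipher suite name matches the approved pattern."""
    return APPROVED_SUITE.match(name) is not None


def build_context(server_side: bool = True) -> ssl.SSLContext:
    """Context whose minimum protocol is TLS 1.2 and whose TLS 1.2 suites are AES-GCM only."""
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.0 and 1.1 refused
    ctx.set_ciphers(CIPHER_STRING)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return findings for a context; an empty list means it passes these checks."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        if name.startswith("TLS_"):
            # TLS 1.3 suite: flag the non-AES one so an operator can remove it in OpenSSL config
            if "CHACHA20" in name:
                findings.append(f"TLS 1.3 suite not AES-based: {name}")
            continue
        if not approved_cipher(name):
            findings.append(f"TLS 1.2 suite outside approved pattern: {name}")
    return findings


if __name__ == "__main__":
    context = build_context()
    print("negotiable suites:", [c["name"] for c in context.get_ciphers()])
    print("findings:", audit_context(context) or "none")
```

The audit deliberately reports TLS 1.3 CHACHA20 as a finding rather than silently accepting it: the ssl module can raise the minimum version and trim the TLS 1.2 list, but the TLS 1.3 suite set comes from the OpenSSL build and its configuration, so a FIPS-oriented deployment has to check that layer separately.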


A public comment period for this document is open until November 16, 2018.


CSRC Update:

Publication Details:


Disaster Relief: Don't be a victim of fraud

As a public service announcement I am copying and posting this on my blog. The original content comes from the Center for Cyber Safety and Education.

We have all seen the devastation and trail of destruction that events such as hurricanes, tornadoes, and earthquakes can cause. But before you take out your credit card, make sure your donations are really going to the victims and those that are helping provide them with the materials to survive and start their lives over again. While our hearts ache with helplessness, others’ fill with greed and see this as the perfect opportunity to exploit your sympathies and deceive you into sending money.
If you want to help by donating, make sure you know who you are really donating to before you give out your credit card number or write a check.

Any time you give to a charity, you want to do your homework, but in a crisis like this, we are often inspired by social media or by what we see on television and rush to make a donation. It is in times like these that we recommend you stick with the bigger, established organizations with proven track records. These organizations have the resources and structures to maximize your donation with minimal overhead, meaning more of your money will go to help victims.  You can find a great list of them at Some unknown “charities”, GoFundMe-style requests, and social media outreaches you come across may be legitimate, but many are not. Even if they are really trying to help, it is not uncommon for organizations like these to have high overhead and administrative cost that will result in only a small amount of your donation actually making its way to help the victims.

  • Don’t give over the phone or click on links found in emails or social media. Go directly to the official website for a charity that you are familiar with and donate on their page. Don’t give to any third party solicitations.
  • Be skeptical of cash requests in front of your local grocery store or other establishments. Who are these people? Don’t be fooled by what they say or how they are dressed. Ask questions, or better yet, go back home, research them and then donate online.
  • Don’t be fooled by celebrity names being attached to a campaign. The organization could be using someone’s name without their permission, or that celebrity could also have been duped and is unwittingly lending their name to what they think is a good cause.
  • Don’t fall for all the sad stories you are going to see and read about where they ask you to give to help a specific victim. There will be hundreds of thousands of such stories. You can best help by supporting legitimate charities, not by sending them money directly.
  • Give directly to your charity of choice and designate that you want the money to go to their Hurricane Michael Relief efforts. This will restrict them from using the money to fund their other ongoing programs.
Now is not the time to take a chance or fall for a phone or email scam. People really do need help, and it is best to support the experts who are trained and prepared to help those in need.
Your help and support of others is greatly appreciated. Just make sure you don’t get scammed and become a victim yourself.

Friday, October 5, 2018

GhostDNS: 100,000 Infected Routers

Several research labs have been releasing their findings on a new take on DNSChanger. A new router-based exploit known as GhostDNS appears to be made up of three variations of DNSChanger. By using Shell DNSChanger, Js DNSChanger, and PyPhp DNSChanger, GhostDNS can infect over 70 different router models. However, GhostDNS is more than the sum of its DNSChanger components: analysts have also identified a web admin module, a RogueDNS module, and a phishing module.

GhostDNS scans the internet for routers it can exploit through a vulnerability or weak security, using its scripts to attack poorly secured web administration consoles via Shell, Java, Python and PHP to deploy its payload. The primary purpose is to change the device’s DNS settings so that traffic is forwarded to RogueDNS servers. Once this is done, the unsuspecting user is redirected to phishing landing pages when they attempt to reach various web services. Banking portals, telecoms, ISPs and Netflix appear to be among the most common phishing targets of this malware.

While there has been some disagreement about how long this campaign has been running, it is widely agreed that it has infected over 100,000 routers, with 86% located in Brazil. The other 24% have been reported across other South American countries. The DNS redirection service known as Rogue has been detected on many notable cloud services, including Amazon, OVH, Google, Telefonica, and Oracle, and researchers have been in contact with the larger networks and ISPs to shut the network down.

The GhostDNS payload can deliver over 100 scripts via remote access or by using exploits, and can attack hardware from older HP (3Com), A-Link, Alcatel / Technicolor, Antena, C3-Tech, Cisco, D-Link, Elsys, Fibrehome, Fiberlink, Geneko, Greatek, Huawei, Intelbras, Kaiomy, LinkOne, MikroTik, MPI Networks, Multilaser, OIWTECH, Perfect, Qtech, Ralink, Roteador, Sapido, Secutech, Siemens, Technic, Tenda, Thomson, TP-Link, Ubiquiti, Viking, ZTE, and Zyxel routers.
Analysts offer some advice for not becoming a victim of this kind of attack. Update your router's firmware to the latest version available and use complex, strong passwords. Consider disabling web administration on the device altogether. Finally, hard-code your DNS settings to use only trusted DNS servers, in both your router and your OS.
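The last piece of advice above (use only trusted DNS servers in both the router and the OS) is easy to verify on the OS side, and the check is worth scripting because a DNSChanger-style compromise shows up as a resolver you never chose. The block below is an added example, not code from any of the GhostDNS research reports: it parses the resolver list from a Linux /etc/resolv.conf and from the "DNS Servers" block of Windows `ipconfig /all` output, then flags every resolver that is not on a trusted list. A LAN address (typically the router) is flagged separately, because the OS then merely forwards to the router and the router's own upstream DNS setting still has to be inspected. The trusted list and both sample outputs are constructed for the example.

```python
"""Audit which DNS resolvers a host is actually configured to use (added example).

Not code from the GhostDNS reports. Parses resolv.conf and `ipconfig /all`
text and flags resolvers that are not on a trusted list.
"""
import ipaddress

# Assumption: the resolvers you configured deliberately (constructed values).
TRUSTED_RESOLVERS = {"203.0.113.9", "2001:db8::53"}

# RFC 1918 / ULA / link-local space: a resolver here is almost always the router.
# (ipaddress.is_private is not used because it also covers the documentation
# ranges used in the samples below.)
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]

REASON_UNTRUSTED = "not in trusted list"
REASON_LAN = "LAN address (router?): verify the router's upstream DNS setting"

# Constructed sample outputs
SAMPLE_RESOLV_CONF = """\
# generated by DHCP
nameserver 203.0.113.9
nameserver 192.168.1.1
search lan
"""

SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : lan
   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       198.51.100.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def _as_ip(token):
    """Parsed address, or None if the token is not an IP address."""
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def parse_resolv_conf(text):
    """Addresses from 'nameserver' lines, in order."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver" and _as_ip(parts[1]):
            servers.append(parts[1])
    return servers


def parse_ipconfig(text):
    """Addresses from the 'DNS Servers' line and its indented continuation lines."""
    servers, in_block = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("DNS Servers"):
            in_block = True
            value = stripped.partition(":")[2].strip()  # text after the dotted label
            if _as_ip(value):
                servers.append(value)
            continue
        if in_block:
            if _as_ip(stripped):          # continuation line holding only an address
                servers.append(stripped)
            else:
                in_block = False          # next labelled field ends the block
    return servers


def untrusted_resolvers(servers, trusted=TRUSTED_RESOLVERS):
    """(server, reason) for every configured resolver that is not explicitly trusted."""
    findings = []
    for server in servers:
        if server in trusted:
            continue
        addr = _as_ip(server)
        if addr and any(addr in net for net in LAN_NETWORKS):
            findings.append((server, REASON_LAN))
        else:
            findings.append((server, REASON_UNTRUSTED))
    return findings


if __name__ == "__main__":
    for label, servers in (("resolv.conf", parse_resolv_conf(SAMPLE_RESOLV_CONF)),
                           ("ipconfig", parse_ipconfig(SAMPLE_IPCONFIG))):
        print(label, servers, untrusted_resolvers(servers))
```

On a real host, feed the function the output of `cat /etc/resolv.conf` or `ipconfig /all` instead of the constructed samples. A public address that is not on the trusted list is the case the article describes; the LAN finding is a reminder that the check must be repeated in the router's admin interface, where the rogue upstream servers would actually be set.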

Sources h

Thursday, October 4, 2018

Supply Chain Issue

The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies

Here is a great article on supply chain security on the Bloomberg site. The article is here.

Wednesday, October 3, 2018

Facebook Breach

10/03/2018 01:30 PM EDT


Original release date: October 03, 2018

The Federal Trade Commission (FTC) has released an alert to provide Facebook users with recommended precautions against identity theft after the recent breach of the Facebook social media platform.

NCCIC encourages users and administrators to review the FTC Alert and the NCCIC Tip on Preventing and Responding to Identity Theft. If you believe you are a victim of identity theft, visit the FTC’s identity theft website to make a report.

Tuesday, October 2, 2018

2018 NY Metro Joint Cyber Security WEBINAR

October 18th WEBINAR

The 2018 NY Metro Joint Cyber Security WEBINAR will take place on Thursday October 18th. NYMJCSC is now in its fifth year; featuring keynotes, panels and sessions aimed at various aspects of information security and technology.

This year will feature a webinar format allowing NYMJCSC to reach and educate a broader audience.

Time slot, topic, speaker:
  • 2:00 - 2:40: Behavior-based Internal Controls that Prevent Ransomware, Employee Theft, and Denial of Service attacks. Jeffrey Wagar
  • 2:45 - 3:25: Cyber Risk: It's All About People. Alan Brill
  • 3:30 - 4:10: Cyber Dogfighting: Hacker Decision-Making and the Korean Air War. Mathew J. Heath Van Horn
  • 4:15 - 4:55: Assessing Legal and Contractual Risk and Uncertainty with Bug Bounty Programs, Vulnerability Disclosures and Information Sharing. Mark H. Francis
  • 4:50 - 5:30: "Not If but When?" - Leveraging AI to Jettison Mantras of the Past: How AI will Liberate Security of the Future. John McClurg

Register Here for the Webinar on Thursday, October 18th

Security baseline (DRAFT) for Windows 10 v1809 and Windows Server 2019

Microsoft is pleased to announce the draft release of the security configuration baseline settings for Windows 10 version 1809 (a.k.a. “Redstone 5” or “RS5”) and for Windows Server 2019. Please evaluate these proposed baselines and send us your feedback via blog comments below.

Download the content here:

The downloadable attachment to this blog post includes importable GPOs, a PowerShell script for applying the GPOs to local policy, custom ADMX files for Group Policy settings, documentation in spreadsheet form and as a Policy Analyzer file (MSFT-Win10-v1809-RS5-WS2019-DRAFT.PolicyRules). In this release, we have changed the documentation layout in a few ways:

  • MS Security Baseline Windows 10 v1809 and Server 2019.xlsx – multi-tabbed workbook listing all Group Policy settings that ship in-box with Windows 10 v1809 or Windows Server 2019. Columns for “Windows 10 v1809,” “WS2019 Member Server,” and “WS2019 DC” show the recommended settings for those three scenarios. A small number of cells are color-coded to indicate that the settings should not be applied to systems that are not joined to an Active Directory domain. Cells in the “WS2019 DC” columns are also highlighted when they differ from the corresponding cells in the “WS2019 Member Server” column. Another change from past spreadsheets is that we have combined tabs that used to be separate. Specifically, we are no longer breaking out Internet Explorer and Windows Defender AV settings into separate tabs, nor the settings for LAPS, MS Security Guide, and MSS (Legacy). All these settings are now in the Computer and User tabs.
  • BaselineDiffs-to-v1809-RS5-DRAFT.xlsx – This Policy Analyzer-generated workbook lists the differences in Microsoft security configuration baselines between the new baselines and the corresponding previous baselines. The Windows 10 v1809 settings are compared against those for Windows 10 v1803, and the Windows Server 2019 baselines are compared against those for Windows Server 2016.
  • Windows 10 1803 to 1809 New Settings.xlsx – Lists all the settings that are available in Windows 10 v1809 that were added since Windows 10 v1803. (We used to highlight these settings in the big all-settings spreadsheets.)
  • Server 2016 to 2019 New Settings.xlsx – Lists all the settings that are available in Windows Server 2019 that were added since Windows Server 2016. (We used to highlight these settings in the big all-settings spreadsheets.)

Highlights of the differences from past baselines, which are listed in BaselineDiffs-to-v1809-RS5-DRAFT.xlsx:

  • The MS Security Guide custom setting protecting against potentially unwanted applications (PUA) has been deprecated, and is now implemented with a new setting under Computer Configuration\...\Windows Defender Antivirus.
  • We have enabled the “Encryption Oracle Remediation” setting we had considered for v1803. At the time we were concerned that enabling the newly introduced setting would break too many not-yet-patched systems. We assume that systems have since been brought up to date. (You can read information about the setting here and here.)
  • Changes to Virtualization-Based Security settings (used by Credential Guard and Code Integrity):
    • “Platform Security Level” changed from “Secure Boot and DMA Protection” to “Secure Boot.” If system hardware doesn’t support DMA protection, selecting “Secure Boot and DMA Protection” prevents Credential Guard from operating. If you can affirm that your systems support the DMA protection feature, choose the stronger option. We have opted for “Secure Boot” (only) in the baseline to reduce the likelihood that Credential Guard fails to run.
    • Enabled the new System Guard Secure Launch setting, which will enable Secure Launch on new capable hardware. Secure Launch changes the way Windows boots to use Intel Trusted Execution Technology (TXT) and Runtime BIOS Resilience features to prevent firmware exploits from being able to impact the security of the Windows Virtualization Based Security environment.
    • Enabled the “Require UEFI Memory Attributes Table” option.
  • Enabled the new Kernel DMA Protection feature described here. The “External device enumeration” policy controls whether to enumerate external devices that are not compatible with DMA-remapping. Devices that are compatible with DMA-remapping are always enumerated.
  • Removed the BitLocker setting, “Allow Secure Boot for integrity validation,” as it merely enforced a default that was unlikely to be modified even by a misguided administrator.
  • Removed the BitLocker setting, “Configure minimum PIN length for startup,” as new hardware features reduce the need for a startup PIN, and the setting increased Windows’ minimum by only one character.
  • Enabled the new Microsoft Edge setting to prevent users from bypassing certificate error messages, bringing Edge in line with a similar setting for Internet Explorer.
  • Removed the block against handling PKU2U authentication requests, as the feature is increasingly necessary.
  • Removed the configuration of the “Create symbolic links” user rights assignment, as it merely enforced a default, was unlikely to be modified by a misguided administrator or for malicious purposes, and needs to be changed to a different value when Hyper-V is enabled.
  • Removed the deny-logon restrictions against the Guests group as unnecessary: by default, the Guest account is the only member of the Guests group, and the Guest account is disabled. Only an administrator can enable the Guest account or add members to the Guests group.
  • Removed the disabling of the xbgm (“Xbox Game Monitoring”) service, as it is not present in Windows 10 v1809. (By the way, consumer services such as the Xbox services have been removed from Windows Server 2019 with Desktop Experience!)
  • Removed Credential Guard from the Domain Controller baseline. (Credential Guard is not useful on domain controllers and is not supported there.)
  • Created and enabled a new custom MS Security Guide setting for the domain controller baseline, “Extended Protection for LDAP Authentication (Domain Controllers only),” which configures the LdapEnforceChannelBinding registry value described here.
  • The Server 2019 baselines pick up all the changes accumulated in the four Windows 10 releases since Windows Server 2016.
See the rest of the changes here

NIST final public draft Special Publication 800-37, Revision 2

NIST announces the final public draft of Special Publication 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations--A System Life Cycle Approach for Security and Privacy.

There are seven major objectives for this update:

  • To provide closer linkage and communication between the risk management processes and activities at the C-suite or governance level of the organization and the individuals, processes, and activities at the system and operational level of the organization;
  • To institutionalize critical risk management preparatory activities at all risk management levels to facilitate a more effective, efficient, and cost-effective execution of the RMF;
  • To demonstrate how the NIST Cybersecurity Framework can be aligned with the RMF and implemented using established NIST risk management processes;
  • To integrate privacy risk management processes into the RMF to better support the privacy protection needs for which privacy programs are responsible;
  • To promote the development of trustworthy secure software and systems by aligning life cycle-based systems engineering processes in NIST Special Publication 800-160, Volume 1, with the relevant tasks in the RMF;
  • To integrate security-related, supply chain risk management (SCRM) concepts into the RMF to address untrustworthy suppliers, insertion of counterfeits, tampering, unauthorized production, theft, insertion of malicious code, and poor manufacturing and development practices throughout the SDLC; and
  • To allow for an organization-generated control selection approach to complement the traditional baseline control selection approach and support the use of the consolidated control catalog in NIST Special Publication 800-53, Revision 5.

The addition of the Prepare step is one of the key changes to the RMF—incorporated to achieve more effective, efficient, and cost-effective security and privacy risk management processes.

In addition to seeking your comments on this final public draft, we are specifically seeking feedback on a new RMF Task P-13, Information Life Cycle. The life cycle describes the stages through which information passes, typically characterized as creation or collection, processing, dissemination, use, storage, and disposition, to include destruction and deletion. Identifying and understanding all stages of the information life cycle has significant implications for security and privacy. We are seeking comment on how organizations would execute this task and how we might provide the most helpful discussion to assist organizations in the execution.

The public comment period for the draft publication is October 2 through October 31. Please submit comments using the comment template to

Thursday, September 27, 2018

Great article about Malware and Small Businesses

Small businesses targeted by highly localized Ursnif campaign

Cyber thieves are continuously looking for new ways to get people to click on a bad link, open a malicious file, or install a poisoned update in order to steal valuable data. In the past, they cast as wide a net as possible to increase the pool of potential victims. But attacks that create a lot of noise are often easier to spot and stop. Cyber thieves are catching on that we are watching them, so they are trying something different. Now we’re seeing a growing trend of small-scale, localized attacks that use specially crafted social engineering to stay under the radar and compromise more victims.
In social engineering attacks, is less really more?
A new malware campaign puts that to the test by targeting home users and small businesses in specific US cities. This was a focused, highly localized attack that aimed to steal sensitive info from just under 200 targets. Macro-laced documents masqueraded as statements from legitimate businesses. The documents are then distributed via email to target victims in cities where the businesses are located.
With Windows Defender AV’s next gen defense, however, the size of the attack doesn’t really matter.
Several cloud-based machine learning algorithms detected and blocked the malicious documents at the onset, stopping the attack and protecting customers from what would have been the payload, info-stealing malware Ursnif.

To read the full article on the Microsoft site, go here

Tuesday, September 25, 2018

Introducing Microsoft Learn

Microsoft announced the launch of more than 80 hours of learning for Azure, Dynamics 365, Power BI, PowerApps, and Microsoft Flow. The new learning platform includes experiences that will help you, your customers, and partners up-level your skills, prepare for new role-based certification exams, and explore additional training offerings such as instructor-led training and Pluralsight. Check out

Highlights include:

  • Content organized by learning path, experience level, role and product, for an end-to-end view of a technology area and ensuring a comprehensive skillset
  • Learning paths consist of step-by-step tutorials with interactive coding environments that provide free fixed-time access to Azure resources - without requiring a credit card
  • As you and your customers use Microsoft Learn, you can track progress, check knowledge, and validate deployments to earn points, levels, achievements, and trophies 

Role-based certifications and training

Microsoft introduced new role-based certifications, starting with three new roles: Microsoft Certified Azure Developer, Microsoft Certified Azure Administrator and Microsoft Certified Azure Solutions Architect, with additional roles to follow. The launch of these certifications also includes new exams and updated instructor-led training to prepare for these exams. Learn more:



Friday, September 21, 2018

Magecart? Again?

I don’t like writing breach stories because they occur far too often. On the other hand, when the breach is the fault of the sales merchant, one hopes exposure would cause a renewed interest in other merchants to better secure their retail websites to assure such data loss doesn’t happen to them.
With the number of breaches so large, how easily we forget that back in June, Magecart applied a kind of cross-site-scripting (XSS) attack to effectively digitally skim the credit card information from Ticketmaster buyers used for payment. In defense of Ticketmaster, the actual attack appeared to be a code insertion compromise against Inbenta, a third-party supplier for their website. Although obfuscated, and having no impact on the site’s functionality, the subtle change captured and diverted the information to Magecart-owned servers with legitimate-looking names.

This attack was nothing new to Magecart, who’s been behind such malaise since 2015 and focuses on e-commerce. At the time of the Ticketmaster breach, RiskIQ believed that there were over 800 different commerce websites also targeted based on their analysis. Clearly Magecart continued with attacks as evidenced by the large compromise of British Airways (having lost over 380,000 transactions). One might imagine that other smaller sites are also being targeted based on the announcement that just this week ABC-CBN (whose on-line store was compromised) may have lost information on 213 customers.

You’d think with such publicity, e-commerce sites, especially those with a large customer base would be watching for similar Magecart activity to assure they don’t fall victim. Or not. Per Threatpost yesterday, “Newegg is a top online merchant with tens of millions of registered users in 50 countries, according to its website. It sells a range of consumer electronics, entertainment, smart-home and gaming products, and is the 161st most popular site in the U.S. according to Alexa. In all, it receives more than 50 million site visitors per month. And between Aug. 14 and Sept. 18, a Magecart-linked payment skimmer was active on the Newegg site”. Like the attacks on the other e-commerce sites, with an eloquent injection of only 8 lines of code (similar to the code used in the British Airways incident but improved), Magecart diverted information to a domain with a legitimate Comodo-issued certificate called neweggstats[.]com. In the analysis of these attacks, RiskIQ further states: “Magecart attacks are surging—RiskIQ’s automatic detections of instances of Magecart breaches pings us almost hourly.”

Who’s to blame for these breaches? Clearly web service providers in the e-commerce arena need to improve their approaches to security. How many sites have been compromised? Perhaps there are some we may never know about, but for many more, my guess is we will learn about them in the near future as e-commerce providers take a closer look at their websites for some unauthorized Magecart additions. 

This article was created by Peraton
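The common thread in the Inbenta, British Airways and Newegg incidents described in the article is a script on the payment page whose bytes changed without the merchant noticing. Two controls catch exactly that, and the block below demonstrates both as an added example (not code from Peraton's article or from RiskIQ's research): Subresource Integrity (SRI) hashes, which make the browser refuse a script whose content no longer matches the pinned digest, and a scan of page HTML for script tags that lack an integrity attribute or load from a host outside the page's own allowlist. The script contents, HTML and hostnames are constructed for the example; the "tampered" variant only appends a comment, standing in for whatever a third party might inject.

```python
"""Pin and audit third-party scripts on a checkout page (added example).

Not code from the article above. Shows SRI hash generation/verification and a
scan of page HTML for external scripts without SRI or from unexpected hosts.
"""
import base64
import hashlib
import re
from urllib.parse import urlparse

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Value for the integrity= attribute: '<algo>-<base64 digest>'."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """What the browser does before executing: recompute and compare."""
    algo = integrity.partition("-")[0]
    return algo in SRI_ALGORITHMS and sri_hash(content, algo) == integrity


def script_tag(src: str, content: bytes) -> str:
    """Script tag with SRI; crossorigin is required for cross-origin SRI checks."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            'crossorigin="anonymous"></script>')


SCRIPT_TAG_RE = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')


def audit_scripts(html: str, allowed_hosts) -> list:
    """(src, finding) for every external script: missing SRI or unexpected host."""
    findings = []
    for match in SCRIPT_TAG_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(match.group(1))}
        src = attrs.get("src")
        if not src:
            continue  # inline script: governed by CSP, outside this check
        host = urlparse(src).hostname
        if host and host not in allowed_hosts:
            findings.append((src, "host not on allowlist"))
        if "integrity" not in attrs:
            findings.append((src, "no integrity attribute"))
    return findings


# Constructed sample: a vendor script before and after an unauthorized change
ORIGINAL_SCRIPT = b"window.checkout = function (form) { return form.submit(); };\n"
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"/* unauthorized lines appended by a third party */\n"

ALLOWED_HOSTS = {"shop.example", "static.shop.example"}   # constructed
SAMPLE_HTML = (
    script_tag("https://static.shop.example/checkout.js", ORIGINAL_SCRIPT) + "\n"
    '<script src="https://static.shop.example/legacy.js"></script>\n'
    '<script src="https://stats.example.invalid/t.js"></script>\n'
    "<script>window.inlineConfig = {};</script>\n"
)

if __name__ == "__main__":
    pinned = sri_hash(ORIGINAL_SCRIPT)
    print("original verifies:", verify_sri(ORIGINAL_SCRIPT, pinned))
    print("tampered verifies:", verify_sri(TAMPERED_SCRIPT, pinned))
    for finding in audit_scripts(SAMPLE_HTML, ALLOWED_HOSTS):
        print("finding:", finding)
```

SRI only helps for scripts whose content is expected to be static; a vendor that legitimately changes its script must ship a new hash, which is itself a useful forcing function because every change then becomes a visible deployment rather than a silent one. The audit function is the cheap periodic check the article's closing paragraph calls for: run it against a fetched copy of the checkout page and alert on any new finding.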

Saturday, September 15, 2018

Draft Cybersecurity Practice Guide SP 1800-14, Protecting the Integrity of Internet Routing: Border Gateway Protocol (BGP) Route Origin Validation, is Available for Comment


It is difficult to overstate the importance of the internet to modern business and society in general. The internet is not a single network, but rather a complex grid of independent interconnected networks that relies on a protocol known as Border Gateway Protocol (BGP) to route traffic to its intended destination.

Unfortunately, BGP was not designed with security in mind, and a route hijack attack can deny access to internet services, misdeliver traffic to malicious endpoints, and cause routing instability. A technique known as BGP route origin validation (ROV) is designed to protect against route hijacking.

NIST’s National Cybersecurity Center of Excellence (NCCoE), together with several technology vendors, has developed proof-of-concept demonstrations of BGP ROV implementation designed to improve the security of the internet's routing infrastructure. 
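To make the mechanism concrete, here is an added example (not code from the SP 1800-14 draft or from the NCCoE demonstrations) that implements the route origin validation states of RFC 6811, Valid, Invalid and NotFound, for a BGP announcement checked against a set of Route Origin Authorizations, and then applies the usual policy of dropping Invalid routes. The ROAs use documentation prefixes and private AS numbers constructed for this example; a production router instead receives validated ROAs from an RPKI cache over the RTR protocol.

```python
"""BGP Route Origin Validation against a constructed ROA set (added example).

Not code from the NIST/NCCoE draft. Implements RFC 6811 validation states
and a drop-Invalid policy over constructed ROAs and announcements.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # authorized prefix, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the origin may announce under it
    origin_as: int    # AS number authorized to originate


# Constructed ROA set (RFC 5737 / RFC 3849 documentation space, RFC 5398 AS numbers)
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 26, 64497),
    ROA("2001:db8::/32", 48, 64498),
]


def covering_roas(prefix, roas):
    """ROAs whose prefix contains (covers) the announced prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    result = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            result.append(roa)
    return result


def validate_route(prefix, origin_as, roas=SAMPLE_ROAS):
    """RFC 6811: NotFound if no ROA covers the prefix; Valid if some covering
    ROA matches the origin AS and the prefix is no longer than its maxLength;
    otherwise Invalid (wrong origin, or a too-specific announcement)."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = covering_roas(prefix, roas)
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


def apply_rov_policy(announcements, roas=SAMPLE_ROAS, drop_not_found=False):
    """Split (prefix, origin_as) announcements into accepted and rejected lists.
    Invalid routes are always rejected; NotFound routes are kept unless
    drop_not_found is set, which is too aggressive while ROA coverage is partial."""
    accepted, rejected = [], []
    for prefix, origin_as in announcements:
        state = validate_route(prefix, origin_as, roas)
        if state == "Invalid" or (state == "NotFound" and drop_not_found):
            rejected.append((prefix, origin_as, state))
        else:
            accepted.append((prefix, origin_as, state))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed announcements: legitimate origin, more-specific hijack,
    # wrong origin, and a prefix no ROA covers.
    sample = [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64499),
              ("198.51.100.0/24", 64500), ("203.0.113.0/24", 64496)]
    for prefix, asn in sample:
        print(f"{prefix:20} AS{asn}: {validate_route(prefix, asn)}")
```

Note the second case in the sample: a more-specific /25 announced by a different AS is Invalid even though a ROA covers the space, which is precisely the classic hijack shape ROV is meant to stop. The same /25 from the legitimate AS 64496 is also Invalid because the ROA's maxLength is 24, a common operational surprise when operators start announcing more-specifics without updating their ROAs.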

Comments for this draft are due by October 15, 2018. To review Draft Special Publication (SP) 1800-14, and for information on submitting comments, please visit the links below.

CSRC Update:  
Publication details:  
Project Homepage: 

Mitigating Ransomware Using the Rapid Cyberattack Assessment Tool

Here is a group of articles on Mitigating Ransomware Using the Rapid Cyberattack Assessment Tool, by Microsoft.

Every Question Tells a Story – Mitigating Ransomware Using the Rapid Cyberattack Assessment Tool: Part 1 Link is here
Every Question Tells a Story – Mitigating Ransomware Using the Rapid Cyberattack Assessment Tool: Part 2 Link is here
Every Question Tells a Story – Mitigating Ransomware Using the Rapid Cyberattack Assessment Tool: Part 3 Link is here

Deep dive on Windows Server 2019 updates

Here is a link to a video giving a deep dive on Windows Server 2019 updates.

Link is here

McAfee Researchers Falsify Patient Vitals in Real Time.

During the 26th DEFCON conference this past week McAfee researchers showed how they have successfully been able to falsify patient vitals that are reported to the central monitoring stations. Two variations of the attack are possible due to weak communication protocols between client devices and the central monitoring station. In the first scenario, the attacker would need direct access to the patient and the equipment, where they would be able to disconnect the patient and plug in their own device that would then transmit false information.

However, McAfee researchers found that it was also possible to use a method called ARP spoofing to feed false information to the monitoring station, by capturing data coming from a client device, manipulating it, and sending the data on to the central monitoring station. This works because of a UDP-based protocol called RWHAT, which is used by many medical devices, most of which are wired- and wireless-capable. While this is not a widely known protocol, it is easy to see and manipulate due to the simplicity of the UDP packets. Additionally, these devices often use no authentication or weak authentication.
The doctors that helped the researchers vet the potential threat indicated that it is common practice to make diagnoses based on the data on the central monitoring stations. The method that was used by the McAfee researchers was to acquire a client monitoring station and a central monitoring system from eBay. While the units used are from 2004, they are still commonly used today. McAfee was careful not to mention the manufacturer of the units used as they are still in the process of working with the company to patch the vulnerabilities. Once they had the equipment and were able to crack the networking component, their next step was to acquire an ECG simulator from eBay for about $100. With the ECG simulator available, they determined that the traffic was unencrypted and contained counter and patient information.

Using the emulation as a springboard they successfully were able to modify the data being sent to the monitoring station. Then in real-time they were able to simulate a flatline signal to the central monitoring station as well as manipulate oxygen levels and blood pressure information. This creates the potential to falsify information to staff that might result in unneeded or unwanted procedures or prescriptions. This attack could potentially make staff believe that a patient is resting peacefully when they are not hooked up to their bedside equipment, or worse. While this threat vector might not be subjected to mass exploitation it could be leveraged in cases of high-value patients.
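The second scenario, as an added illustration in C that is not McAfee's code: the program below models the manipulate-and-forward step against a monitoring protocol with no keyed authentication. The packet layout, the sequence counter and the trailing CRC-32 are all assumptions, since the real RWHAT format is not documented here; the point is that once ARP spoofing has put the attacker on the path, a station whose only checks are a counter and an unkeyed checksum accepts a rewritten flatline packet, because the attacker keeps the counter and simply recomputes the checksum.

```c
/* Added example, not McAfee's code. Models the manipulate-and-forward step
 * against a monitoring protocol with no keyed authentication. The packet
 * layout is ASSUMED (the real RWHAT format is not documented here):
 *   counter(4) heart_rate(2) spo2(1) bp_sys(2) bp_dia(2) crc32(4), big-endian.
 * The trailing CRC-32 is also an assumption, standing in for any integrity
 * check that does not depend on a secret. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BODY_LEN 11
#define PKT_LEN  15

struct vitals {
    uint32_t counter;
    uint16_t heart_rate;
    uint8_t  spo2;
    uint16_t bp_sys, bp_dia;
};

/* Standard CRC-32 (IEEE, reflected, init and xorout 0xFFFFFFFF), bitwise. */
uint32_t crc32(const uint8_t *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) { return ((uint32_t)get16(p) << 16) | get16(p + 2); }

/* Bedside monitor: serialise a reading and append the checksum. */
void encode_vitals(const struct vitals *v, uint8_t out[PKT_LEN])
{
    put32(out, v->counter);
    put16(out + 4, v->heart_rate);
    out[6] = v->spo2;
    put16(out + 7, v->bp_sys);
    put16(out + 9, v->bp_dia);
    put32(out + BODY_LEN, crc32(out, BODY_LEN));
}

/* Central station: accept if the checksum matches and the counter advanced.
 * Neither check involves a secret. Returns 1 if the reading was accepted. */
int station_accept(const uint8_t pkt[PKT_LEN], uint32_t *last_counter, struct vitals *out)
{
    uint32_t ctr = get32(pkt);
    if (crc32(pkt, BODY_LEN) != get32(pkt + BODY_LEN))
        return 0;                               /* corrupted in transit */
    if (ctr <= *last_counter)
        return 0;                               /* replayed or out of order */
    *last_counter = ctr;
    out->counter = ctr;
    out->heart_rate = get16(pkt + 4);
    out->spo2 = pkt[6];
    out->bp_sys = get16(pkt + 7);
    out->bp_dia = get16(pkt + 9);
    return 1;
}

/* On-path attacker (ARP spoofing has already placed it between the two):
 * keep the counter so nothing looks out of sequence, rewrite the vitals to
 * a flatline, recompute the unkeyed checksum and forward the packet. */
void mitm_flatline(uint8_t pkt[PKT_LEN])
{
    put16(pkt + 4, 0);                          /* heart rate 0 */
    pkt[6] = 0;                                 /* SpO2 0 */
    put16(pkt + 7, 0);                          /* blood pressure 0/0 */
    put16(pkt + 9, 0);
    put32(pkt + BODY_LEN, crc32(pkt, BODY_LEN));
}

int main(void)
{
    struct vitals reading = { 1001, 72, 98, 120, 80 };   /* constructed reading */
    struct vitals seen;
    uint8_t pkt[PKT_LEN];
    uint32_t last = 1000;

    encode_vitals(&reading, pkt);
    mitm_flatline(pkt);
    if (station_accept(pkt, &last, &seen))
        printf("station accepted counter %u: HR %u, SpO2 %u, BP %u/%u\n",
               (unsigned)seen.counter, (unsigned)seen.heart_rate, (unsigned)seen.spo2,
               (unsigned)seen.bp_sys, (unsigned)seen.bp_dia);
    return 0;
}
```

Run as is, the program reports the flatline reading as accepted under counter 1001. The counter stops naive replay and the checksum catches line noise (a single flipped bit without a recomputed checksum is rejected), but neither stops an on-path attacker; only a keyed MAC or an authenticated transport, with a key the bedside device and the station share and the attacker does not, lets the station reject the rewritten packet.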

What Else is your Fax Machine Doing?

Researchers Eyal Itkin and Yaniv Balmas of Check Point presented a new attack surface at DEF CON 2018: your fax machine. They call the exploit 'Faxploit' and demonstrated how a victim's network can be infiltrated by sending a malicious fax to a networked all-in-one fax machine over an ordinary phone line. The vulnerabilities they found let them take over the machine and use it as a foothold on the internal network. Getting there took a large amount of reverse engineering: they first used already-known weaknesses to load a debugger onto the device, then used the debugger to find the new vulnerabilities that allow a full device takeover.
The vulnerability used in the demonstration is in the device's embedded JPEG parser, used when sending or receiving colour faxes. A fax carrying specially crafted JPEG headers triggers a stack-based buffer overflow in the header parser and lets the attacker run arbitrary code on the device. Writing the exploit was helped by another weakness: the device dumps a received JPEG to a file on its storage with no validation. The researchers could therefore store the whole exploit inside a single crafted JPEG, which also gave them persistence because the file stays on disk; whenever the payload needed additional input it simply read it back from that file.
The finished exploit has three stages. First it takes over the LCD display as a visible demonstration of full control. Then it checks whether an Ethernet cable is attached. If it is, the third stage attacks other computers on the same network using the leaked NSA tools EternalBlue and DoublePulsar. The demonstration changed the LCD on purpose; a real attacker would rather stay quiet to remain undetected for longer.
The device attacked in the demonstration was an HP Officejet Pro 6830. The researchers coordinated with HP, and patched firmware has been available from HP's website since August 1st. Only one model was attacked, but parsing complex file formats from untrusted sources is the same problem on every vendor's devices, so other models and other manufacturers may well have similar flaws. Fax and multifunction devices therefore deserve the same care as other risky devices on the network: apply the firmware update, and firewall them off or put them on a separate network segment so that a compromised device cannot be used as a door into the rest of the network. Segmentation limits the damage a compromised device can do; it does not protect against other attacks on the device itself.
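The bug class described above, as an added example in C that is not the researchers' exploit or HP's code: a minimal JPEG marker-segment walker with a fixed-size stack buffer for the comment (COM) segment, shown in a vulnerable form that trusts the 16-bit length field in the header and a hardened form that checks the declared length against both the bytes actually received and the destination buffer. The segment layout follows the JPEG standard; the buffer size and the two sample images are constructed for the example.

```c
/* Added example, not the researchers' exploit or HP firmware: a JPEG
 * marker-segment walker in a vulnerable and a hardened form. Segment
 * layout follows the JPEG standard: SOI FF D8, then FF <marker> <len16
 * big-endian> <payload> where len counts its own two bytes, until SOS
 * (FF DA) or EOI (FF D9). COMMENT_BUF and the sample images are made up. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define COMMENT_BUF 32          /* fixed-size stack buffer for a COM payload */
#define MARKER_COM  0xFE
#define MARKER_SOS  0xDA
#define MARKER_EOI  0xD9

/* VULNERABLE (illustration only; never feed it untrusted data). seg points
 * at a COM segment. The declared length is trusted and that many bytes are
 * copied into a 32-byte stack buffer, so a crafted length such as 256
 * overwrites the saved frame and return address: the Faxploit bug class.
 * Returns the number of bytes copied and the first byte of the comment. */
size_t com_parse_vulnerable(const uint8_t *seg, char *first_byte)
{
    char comment[COMMENT_BUF];
    size_t payload = (((size_t)seg[2] << 8) | seg[3]) - 2;
    memcpy(comment, seg + 4, payload);      /* no check against COMMENT_BUF */
    *first_byte = comment[0];
    return payload;
}

/* HARDENED: walks the header and accepts a segment only if its declared
 * length fits the bytes actually received AND, for COM, the destination
 * buffer. Returns the number of segments before SOS/EOI, or -1 for a
 * malformed or crafted header. comment_out gets the last COM payload. */
int jpeg_walk_segments(const uint8_t *data, size_t n, char comment_out[COMMENT_BUF])
{
    size_t pos = 2;
    int segments = 0;

    comment_out[0] = '\0';
    if (n < 4 || data[0] != 0xFF || data[1] != 0xD8)
        return -1;                              /* no SOI */
    while (pos + 2 <= n) {
        uint8_t marker;
        size_t len, payload;
        if (data[pos] != 0xFF)
            return -1;                          /* lost marker sync */
        marker = data[pos + 1];
        if (marker == MARKER_EOI || marker == MARKER_SOS)
            return segments;                    /* end of header segments */
        if (pos + 4 > n)
            return -1;                          /* length field truncated */
        len = ((size_t)data[pos + 2] << 8) | data[pos + 3];
        if (len < 2 || len > n - pos - 2)
            return -1;                          /* declared length exceeds input */
        payload = len - 2;
        if (marker == MARKER_COM) {
            if (payload >= COMMENT_BUF)
                return -1;                      /* would overflow the buffer */
            memcpy(comment_out, data + pos + 4, payload);
            comment_out[payload] = '\0';
        }
        pos += 2 + len;
        segments++;
    }
    return -1;                                  /* ran off the end without EOI/SOS */
}

/* Constructed sample: SOI, a 5-byte comment "fax01", EOI. */
const uint8_t benign_fax[] = { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x07,
                               'f', 'a', 'x', '0', '1', 0xFF, 0xD9 };

/* Constructed crafted header: a COM segment declaring length 0x0100 (254
 * payload bytes of 'A'), far more than COMMENT_BUF. Needs a 262-byte buffer. */
size_t build_crafted_fax(uint8_t *buf, size_t cap)
{
    size_t i = 0;
    if (cap < 262)
        return 0;
    buf[i++] = 0xFF; buf[i++] = 0xD8;
    buf[i++] = 0xFF; buf[i++] = MARKER_COM; buf[i++] = 0x01; buf[i++] = 0x00;
    memset(buf + i, 'A', 254); i += 254;
    buf[i++] = 0xFF; buf[i++] = MARKER_EOI;
    return i;
}

int main(void)
{
    uint8_t crafted[262];
    char comment[COMMENT_BUF], first;
    size_t clen = build_crafted_fax(crafted, sizeof crafted);
    int ok = jpeg_walk_segments(benign_fax, sizeof benign_fax, comment);
    int bad = jpeg_walk_segments(crafted, clen, comment);
    size_t copied = com_parse_vulnerable(benign_fax + 2, &first);

    printf("hardened walker, benign : %d segment(s), comment \"%s\"\n", ok, comment);
    printf("hardened walker, crafted: %d (rejected)\n", bad);
    printf("vulnerable parser, benign: copied %zu byte(s), first '%c'\n", copied, first);
    /* com_parse_vulnerable(crafted + 2, &first) would copy 254 bytes into
     * the 32-byte stack buffer; that call is deliberately not made. */
    return 0;
}
```

The hardened walker rejects the crafted header at the length check before any copy happens, which is the check the embedded parser lacked; the same rule applies to every length-prefixed field in a format received from outside (fax, e-mail attachment, print job): validate the declared length against the bytes you actually hold and the buffer you are about to write, never against the header alone.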


Adware Doctor App Turns Out To Be Adware Itself

The Apple App Store is considered and recommended to be the best way to get programs for your Mac. After all, Apple states that “The safest place to download apps for your Mac is the Mac App Store. Apple reviews each app before it’s accepted by the store...”. But what if one of the apps claiming to clean your computer of adware and malware turns out to be malicious itself? That seems to be the case with Adware Doctor.

Adware Doctor has risen to become one of the most popular paid apps in the Mac App Store: the top paid utility and the fourth-highest paid app overall, which earns it a spot on the store's front page. Its history is not spotless, however. When first released it was called Adware Medic, and it was removed after Malwarebytes complained, since Malwarebytes' own Adware Medic came first. A few days later the app reappeared as Adware Doctor. Many of its highly rated reviews are also suspected to be fake, posted to boost the app's popularity.

Adware Doctor has been found to secretly collect a user's browsing history from multiple browsers, together with the list of processes running on the computer, and send that information to a server located in China. A security researcher known on Twitter as @privacyis1st discovered the behaviour and teamed up with researcher Patrick Wardle to analyse the app. Adware Doctor requests access to the user's files, which a malware scanner legitimately needs. It abuses that access to read the browsing history of Chrome, Firefox and Safari, the search history within the App Store, and the list of running processes; enumerating processes by itself violates Apple's rules, because it means breaking out of the sandbox.
The app then archives this information into a zip file and uploads it to a web server located in China.
The researchers reported their findings to Apple over a month ago, but Apple appeared to do nothing about it and the app stayed in the store. Only when the researchers went public with their findings was the app quickly removed. Along with Adware Doctor and another app by the same developer, AdBlock Master, Apple removed three other related apps accused of exfiltrating browsing and search histories: Open Any Files, Dr. Antivirus and Dr. Cleaner. Apple has yet to comment on why it took so long to remove apps that flagrantly violated its rules, or how they passed App Store review in the first place.

Internet-exposed 3D Printers Pose Fire Risk

In the last few years the price of 3D printers fit for home use has fallen substantially. They have become cheap enough for people without advanced technical skills, and in particular without security skills, to enter the hobby. By default, most current 3D printers must stay tethered to a PC over USB to be configured and to run print jobs.

OctoPrint, a 3D printing application, removes that requirement and makes life easier for non-technical users. It can be installed on a device such as a Raspberry Pi connected to your home network, where it exposes an HTTP interface for controlling the printer, which greatly improves usability. During installation OctoPrint prompts the user to enable authentication on the web interface, but many people disable it for ease of use. That is not ideal, but it is usually acceptable as long as the printer is reachable only from the local network.

As 3D prints can take upwards of 24 hours to complete, many people soon think "it would be great to monitor the progress remotely". Therein lies the issue. To do so they forward an HTTP port on their router so OctoPrint can be reached from anywhere, and typically forget to enable authentication first. This is how thousands of unsecured OctoPrint instances ended up reachable from the internet.

There are many risks in having these web interfaces publicly exposed. The first is that OctoPrint was not designed as a hardened web application. It was designed with advanced users in mind and can be tweaked and modified endlessly; without authentication it is essentially an open portal into your network, because the web interface can run arbitrary system commands. An attacker who lands on it can use that to move on to more sensitive machines on the network.

The second major risk is that 3D printers are essentially simple robots with attached heaters, and those heaters reach very high temperatures very quickly. Most modern 3D printers have temperature limits in their firmware to stop a thermal runaway from causing a fire, but the firmware can be modified and flashed to the printer from the OctoPrint interface, and with it those limits can be removed. This could let an attacker start a fire with the printer in just a few clicks. Less dangerous, but still damaging, an attacker could also command the motors to move past their defined limits and wreck the machine.

OctoPrint's developers have always told users that making the application reachable from the internet, even with authentication enabled, is a terrible idea. Many applications designed for advanced users or for experimentation never go through a rigorous security assessment and are not meant to be exposed to the internet. Like a cheap lock, their authentication mechanisms are meant to keep honest people out. Review the software's security posture before opening a port on your network to reach it remotely. Better still, though less convenient, is to reach services on your home network through a VPN, which keeps the service itself off the internet and is the best way to reduce the exposure.