Friday, June 2, 2017

Almost Done!

I would like to say this is my last time ever submitting an assignment, but that would be a lie. I still have 10 weeks, or two more classes, until I will be done and have graduated with my master’s degree. I can say the last ten classes have been challenging and they have helped me become a well-rounded cybersecurity professional. This class has been the most challenging out of all the ones I have taken. I wish this class had been in class and not online, but I guess that option was not available. It seems like a lot of students are taking online classes so they don’t have to drive to class.
When Coach says to take this course last, he is absolutely correct. I had only two electives left and all the core classes completed before I took this one. I can see why the other classes are needed, because without those skills this class would be near impossible. The other classes help a student build on the Harry and Mae’s case study, and this class finishes the case study. Current Trends helps a student understand threat modeling and how a cybersecurity employee can find threats in an organization.
Since this is a master’s class there is no guidance on how to do the assignments. This is to replicate what it would be like in an actual job. Your manager will ask for a report of vulnerabilities and ask you to send it to the executives for a meeting they will be having. To be honest, I have had this happen to me several times and I was not always prepared for it. This class has taught me what executives are looking for in a PowerPoint presentation and a report, so I’m a bit more prepared in my job.
The most difficult part of the course was understanding and identifying threats with the Microsoft STRIDE model. I had last used this in the risk class over a year ago, so I had to go back and brush up. The good thing is there are plenty of articles on the internet explaining Microsoft STRIDE and what it does. After spending several hours researching and understanding STRIDE, the class became much easier. Once that core concept is understood, the next challenge is writing reports for the executives. When writing reports for executives there is a style a person needs to follow, and it can be hard to do that. When a person is used to writing technical reports and then switches to writing executive reports, it is a struggle. It took a lot for me to go back, reread my reports, and correct wording that was technical rather than executive wording.
I would have liked to spend more time reviewing other students’ work. The reason for this is I like to see how other people handled the assignment and the format of the assignment. I also liked reading and making corrections because it gave more eyes than just the professor’s. I got great feedback from my classmates on items that I needed to change or add. This feedback allowed me to modify my assignments and make the changes for my later assignments.

Overall this class has been a great experience in understanding threat modeling. Threat modeling is a skill every cybersecurity person should have, because without it a person would be chasing their tail. Since threat modeling is a skill, a person needs to keep up that skill with practice. I hope I’m able to keep practicing threat modeling after the class, and I also have a good book to keep as a reference. Thanks again, Coach; see you in the next class, White Collar Crime.

Sunday, May 21, 2017

Massive Cyber Attack

Introduction
            The blog for week 10 will be dedicated to the massive cyber attack affecting over 150 countries. On May 12, 2017, a massive cyber attack was started because of a leaked NSA exploit. A hacking group called the Shadow Brokers broke into the NSA and stole a trove of exploits. From these exploits, a ransomware called WannaCrypt used two called ETERNALBLUE and DOUBLEPULSAR. Below are more details on how this massive cyber attack started.
Shadow Brokers
            Who are the Shadow Brokers? The Shadow Brokers are a hacking group that is famous for stealing NSA hacking tools. The Shadow Brokers released a few of the NSA hacking tools in August of 2016 after they failed to auction off the tools (Gibbs, 2017). The Shadow Brokers voted for Donald Trump and were not happy with his policies and actions after he became president (Ghosh, 2017). They released the second group of NSA hacking tools in April 2017. The Shadow Brokers have more hacking tools to release, and Edward Snowden says the NSA has more hacking tools in its arsenal. The Shadow Brokers have yet to be identified and remain wanted for breaking into the NSA and stealing its tools.
ETERNALBLUE
            ETERNALBLUE is the name of the exploit stolen from the NSA. ETERNALBLUE abuses the Server Message Block (SMB), a network file sharing protocol (Fox-Brewster, 2017). SMB v1 is old, dating back to Windows 95, and it is enabled by default on Windows XP, Vista, 7, 8 and on some versions of Windows 10. An attacker sends a specially crafted packet that exploits a vulnerability in SMB v1. Once the specially crafted packet has been sent, the attacker can run code on the victim’s computer. The code the attacker runs could be ransomware, a Trojan, or any other program the attacker wants to run.
DOUBLEPULSAR
            DOUBLEPULSAR is another exploit that was stolen from the NSA. DOUBLEPULSAR is a remote access Trojan, or RAT, which allows attackers to have remote control of the victim’s computer. DOUBLEPULSAR also acts as a malware downloader to install other types of malware such as bots. DOUBLEPULSAR exploits SMB v1 and can hide on a computer system, avoiding detection systems (Arghire, 2017).
WannaCrypt
            WannaCrypt is a piece of malware that is part of the ransomware family. Ransomware is malware that encrypts a person’s files and demands money to decrypt them. WannaCrypt raises the payment after a set amount of time, and it will also delete the files if no payment is received. WannaCrypt uses the ETERNALBLUE exploit to run itself on the victim’s machine. WannaCrypt is a computer worm that uses the ETERNALBLUE exploit to also spread itself across a network in a matter of seconds. Once the victim’s computer is infected with WannaCrypt, it will scan random hosts on the internet to try and spread itself further (Kumar, 2017).
http://d3i6fh83elv35t.cloudfront.net/newshour/wp-content/uploads/2017/05/RTX35YNS-1024x765.jpg 
Conclusion
            Microsoft, in its new versions of Windows, needs to stop backwards compatibility. As seen with ETERNALBLUE, an exploit was found in a 20-plus-year-old service. If Windows had dropped backwards compatibility, this massive attack could have been mitigated. People were surprised by the leak of the NSA hacking tools, but how hard was it to find a flaw in 20-year-old software? WannaCrypt hit systems that were not patched with MS17-010. Legacy systems may still use SMB v1, but old protocols should not be enabled on new operating systems by default. Microsoft has released a patch to fix the SMB v1 exploits, which includes a patch for Windows XP, Vista, 8, Server 2002, and Server 2008. Installing the patch is not a guarantee there is not another backdoor. It is advised to disable old protocols if they are not being used, especially since the Shadow Brokers can release more NSA exploits.
References
Gibbs, S. (2017, May 18). Shadow Brokers Threaten To Unleash More Hacking Tools. Retrieved May 21, 2017, from http://www.cio-today.com/article/index.php?story_id=103003JXPSMS
Ghosh, A. (2017, April 09). 'President Trump what the f**k are you doing' say Shadow Brokers and dump more NSA hacking tools. Retrieved May 21, 2017, from http://www.ibtimes.co.uk/president-trump-what-fk-are-you-doing-say-shadow-brokers-dump-more-nsa-hacking-tools-1616141
Fox-Brewster, T. (2017, May 15). An NSA Cyber Weapon Might Be Behind A Massive Global Ransomware Outbreak. Retrieved May 21, 2017, from https://www.forbes.com/sites/thomasbrewster/2017/05/12/nsa-exploit-used-by-wannacry-ransomware-in-global-explosion/#3dcc7128e599
Arghire, I. (2017, April 24). Hackers Are Using NSA's DoublePulsar Backdoor in Attacks. Retrieved May 21, 2017, from http://www.securityweek.com/hackers-are-using-nsas-doublepulsar-backdoor-attacks

Kumar, M. (2017, May 15). WannaCry Ransomware: Everything You Need To Know Immediately. Retrieved May 21, 2017, from http://thehackernews.com/2017/05/how-to-wannacry-ransomware.html

Sunday, May 14, 2017

Microsoft Anti-virus and Healthcare Vulnerability

Introduction
In Week 9 there has been no shortage of security news. A healthcare organization had a vulnerability that allowed people to look at other patients’ records, which is quite serious. Microsoft had a remote code execution vulnerability that would allow an attacker to remotely control a machine. There were several other stories, but these were the two I chose to write on.
True Health Vulnerability
True Health Diagnostics, located at https://truehealthdiag.com/, had a major vulnerability discovered by a patient. The vulnerability was found on their patient portal, which is located at the following link: https://my.truehealthdiag.com/customlogin.htm. The patient was Troy Mursch, an IT consultant who lives in Las Vegas (Krebs, 2017). Mursch found the vulnerability when he was looking at a PDF of his blood test and saw that the link True Health Diagnostics created could be edited. Mursch edited the link to the PDF and was able to access other patients’ tests and records. Once Mursch found the vulnerability he called and alerted True Health Diagnostics to the flaw. True Health Group shut down their website while they found and fixed the flaw.

At this point, there is no knowledge of how long the vulnerability has existed. This means patients or an attacker could have been stealing data for several years. True Health Diagnostics needs to hire a forensic company to come in and do an investigation. This is the only way to know if there was unauthorized access to patients’ records. If they don’t hire a forensic investigator, then I don’t think they are being ethical. I like the way True Health Diagnostics responded to the vulnerability by shutting off their site. This is the first time I have heard of this, and it is truly a bold and interesting move. Most companies would say they will investigate an issue and either fix or not fix it while keeping their website up.
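The flaw described above is an insecure direct object reference: the portal handed out a PDF for whatever record number appeared in the link, without checking that the logged-in patient owned that record. The following is an added example, written for this post and not True Health Diagnostics’ code, that shows the vulnerable handler beside a hardened one and records denied requests so that the forensic question raised above (was anyone else’s record viewed?) can actually be answered. All names, record numbers and the in-memory database and access log are constructed for illustration.

```python
"""Added example, not True Health Diagnostics' code: an insecure direct object
reference (IDOR) in a report-download handler, next to a hardened version.

The vulnerable handler trusts the record number in the link and never checks who
is asking. All names, records and the in-memory access log below are constructed
for illustration (hypothetical).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Report:
    report_id: str
    patient_id: str      # owner of the record
    pdf_path: str


# Constructed stand-in for the portal's database (hypothetical data).
REPORTS: Dict[str, Report] = {
    "10001": Report("10001", "patient-a", "/reports/10001.pdf"),
    "10002": Report("10002", "patient-b", "/reports/10002.pdf"),
}

# Constructed audit log. Recording every request and its outcome is what makes
# the question "was anyone else's record viewed?" answerable after the fact.
ACCESS_LOG: List[dict] = []


def fetch_report_insecure(report_id: str) -> Optional[str]:
    """Vulnerable form: whoever edits the number in the link gets that PDF."""
    report = REPORTS.get(report_id)
    return report.pdf_path if report else None


def fetch_report(session_patient_id: str, report_id: str) -> Optional[str]:
    """Hardened form: the lookup is scoped to the authenticated caller.

    A report that does not exist and a report owned by someone else both
    produce the same "not found" result, so the endpoint cannot be used to
    enumerate which record numbers are valid.
    """
    report = REPORTS.get(report_id)
    if report is None:
        outcome = "missing"
    elif report.patient_id != session_patient_id:
        outcome = "denied"
    else:
        outcome = "ok"
    ACCESS_LOG.append(
        {"patient": session_patient_id, "report": report_id, "outcome": outcome}
    )
    return report.pdf_path if outcome == "ok" else None


def denied_attempts(log: List[dict] = ACCESS_LOG) -> List[dict]:
    """Entries an investigator would pull first: requests for others' records."""
    return [entry for entry in log if entry["outcome"] == "denied"]


if __name__ == "__main__":
    # Patient A edits the link from 10001 to 10002.
    print(fetch_report_insecure("10002"))       # /reports/10002.pdf (leaked)
    print(fetch_report("patient-a", "10002"))   # None (blocked and logged)
    print(fetch_report("patient-a", "10001"))   # /reports/10001.pdf (own record)
    print(denied_attempts())
```

Note that making record numbers random instead of sequential would not have fixed this on its own; a link can still be shared or guessed. The ownership check in `fetch_report` is the control, and the log is what lets an investigator later distinguish a patient reading his own results from someone walking through other people’s.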

Microsoft Remote Code Execution
It has been discovered that Microsoft has a vulnerability in its malware scanner. Google Project Zero found the remote code execution in Windows anti-malware software. Per The Hacker News article, the affected software is Windows Defender, Windows Intune Endpoint Protection, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Microsoft Forefront Security for SharePoint, Microsoft Endpoint Protection and Microsoft Forefront Endpoint Protection (Kumar, 2017). Google’s Project Zero found that if any of the Microsoft anti-virus programs above scanned a specially crafted file, a hacker could have full control of the computer. The file can get to the computer via an email phishing attack or by downloading the malicious file. One of the important details is that the attack can happen over email without reading or even opening the full email (Mix, 2017). Since Microsoft’s anti-virus programs have real-time scanning, once the file is created, opened, downloaded or moved it will trigger the exploit (Kumar, 2017). Microsoft has released a patch for Windows 7, 8, 10 and RT in only 3 days!

The remote code execution in this instance needs a special file for the exploit to work, but hackers can get their hands on this file and use it to spread malware. This “loophole” can allow a hacker to install new programs such as a Trojan or change program permissions, because it basically gives them root access. It was good to see Microsoft patch this vulnerability so quickly, because it usually takes longer than 3 days. The scary part of this remote code execution exploit is that the file doesn’t even need to run to infect the computer; the Microsoft anti-virus program only has to scan it. These types of exploits make a hacker’s job easy because they don’t really require tricking a user into installing a file.
References
Krebs, Brian. "Krebs on Security." Brian Krebs. May 8, 2017. Accessed May 14, 2017. https://krebsonsecurity.com/2017/05/website-flaw-let-true-health-diagnostics-users-view-all-medical-records/.
Kumar, Mohit. "Microsoft Issues Emergency Patch For Critical RCE in Windows Malware Scanner." The Hacker News. May 09, 2017. Accessed May 14, 2017. http://thehackernews.com/2017/05/windows-defender-rce-flaw.html.
Mix. "Microsoft issues fix for critical exploit in Windows Defender found by Google." The Next Web. Accessed May 14, 2017. https://thenextweb.com/microsoft/2017/05/09/microsoft-google-windows-vulnerability/?amp=1

Saturday, May 6, 2017

Google Phishing Attack Plus Data Breach

Introduction
For Week 8 there has been no shortage of news articles to pick from. I will be covering another data breach from a large company and a large phishing attempt. Companies seem to be giving fewer and fewer details about data breaches, so I have found I need to write about other topics.
Google Phishing Attack
With all the news about the “Great Google Phishing Email,” I figured I would talk about it in my blog. It is a simple phishing attempt that many people fell for, including security professionals. The phishing email was simple: it said “(Person’s name) has invited you to view the following document” and had a button to open the link in Google Docs. Below is a screenshot of the phishing message.


If a user clicks on the link “Open in Docs,” it opens a screen that says the person must allow access to “Google Docs” for the purpose of reading, sending, deleting and managing the person’s email, along with managing the person’s contacts (Khandelwal, 2017).

If a user clicks allow, the attackers have full control over the user’s email. Once full control is gained over the user’s mailbox, the attackers use it to spread the phishing email. If the user has two-factor authentication enabled, it will not stop the attackers from taking over the user’s email account, because the user granted the fake application access directly. Per Google, only 1 percent of Gmail users were affected by this phishing attempt, which is about 1 million people (Khandelwal, 2017). Google has since blocked the fake application and phishing email.
Even Google can be a victim of a phishing attack, so it is best to be on alert when opening documents sent by contacts. With security professionals fooled by this phishing attack, it shows that these types of attacks can be complex. Phishing attacks are thought to be easily spotted, but that is not always the case. Even simple attacks are missed because people don’t always read the entire email, which can lead to trouble. Google already does an excellent job of blocking most phishing emails, but if you use other email clients, be aware and always read the email entirely. Another good tip is to look at the sender’s email address, and if it is not recognizable, don’t click on any links.
SynXis Data Breach
Sabre Corp has had a breach of its software-as-a-service application called SynXis. The application comes from Sabre’s hospitality company, called “Sabre Hospitality.” The SynXis system is reservation software that hotels use to keep track of inventory and rate information. Per sabrehospitality.com, over 120 property management, 2 revenue management and 7 CRM organizations use the software (http://www.sabrehospitality.com/solutions/hotel-central-reservation-systems). The hackers gained access to the SynXis application, but there is no information on what information they got ahold of or how they gained access to the system. Sabre has said the unauthorized access to the system has been terminated, and security firm Mandiant is investigating the breach after Sabre notified law enforcement (Krebs, 2017). This breach is thought to be linked to the recent hotel breaches over the last several months. On Sabre’s SynXis system login only a username and password are required, and the breach may be a result of a credential stuffing attack using recently stolen usernames and passwords.

Sabre is a large organization with an annual revenue of over 3 billion dollars, and it seems they have not invested in security. The SynXis system does not have two-factor authentication, which could have prevented the hackers from logging onto the system. Sabre paid for cyber security insurance, but without knowing more details it’s hard to say if the insurance will cover the breach. Cyber security insurance is new, but it is like covering a person’s house or car. For some companies, it may be cheaper to buy cyber security insurance than to hire a whole security team. Without more information about how the breach occurred, it is hard to say what could have been done to prevent it. Hotel companies seem to have lax security practices, which seems to be why hackers target them for credit and debit card information. When more information surfaces about the breach I will write a follow-up entry.
References
Khandelwal, Swati. "Warning! Don't Click that Google Docs Link You Just Received in Your Email." The Hacker News. N.p., 03 May 2017. Web. 06 May 2017. <http://thehackernews.com/2017/05/google-docs-phishing-email.html>.

Krebs, Brian. "Krebs on Security." Brian Krebs. N.p., 2 May 2017. Web. 06 May 2017. <https://krebsonsecurity.com/2017/05/breach-at-sabre-corp-s-hospitality-unit/>. 

Saturday, April 29, 2017

Bug Bounty plus UK Data Breach

Introduction
For Week 7 there have been interesting news articles. Of course there is another data breach, but this one happened outside of the United States. The United States Air Force has been following the other branches of the military and will start its own bug bounty program.
Bug Bounty
The United States Air Force has started a bug bounty program. The bug bounty program is designed to pay hackers or security researchers to find vulnerabilities on its systems. The pay is based on the vulnerabilities found and how critical they are. Hackers and security researchers are invited from the United States and five other countries. The countries are the United Kingdom, Canada, Australia, and New Zealand (Kumar, 2017). For the “Hack the Air Force” program, people must go through a background check and not have a criminal record. The reason for the background check and clean record is that people could access top secret materials and exfiltrate data. This will be one of the largest bug bounty programs put on by the United States military.
Allowing hackers inside the military network is a great idea! The best part is that if the hackers don’t find anything, the military doesn’t need to pay them. The last event, per the article, had over 14,000 hackers, and they found 138 vulnerabilities, plus 75,000 dollars was paid out in reward money (Kumar, 2017). Giving hackers a chance to use their skills to get paid is awesome! Hackers usually break into systems or steal information because they are bored or they want to make more money. The problem with this is that vulnerabilities can be leaked or information taken if a person is not ethical. In the end, paying individuals instead of a company can result in more vulnerabilities being found, depending on the skill of the person.

Payday Loan Breach
A payday loan provider called Wonga has had its customers’ data stolen. Around 245,000 Wonga customers in the United Kingdom and 25,000 Wonga customers in Poland have been affected by the breach (Lomas, 2017). There is no information about how Wonga was broken into, but there will be more information in the following weeks. Wonga’s site has information about the data breach, located at https://www.wonga.com/help/incident-faq. The hackers may have gotten access to people’s names, email addresses, home addresses, phone numbers, the last four digits of their credit/debit card and/or bank account numbers, plus the sort codes (Lomas, 2017). Wonga believes that passwords weren’t taken during the incident, but as a safety precaution they want everyone to change their passwords.
The data breach happened on April 7, 2017, but there has been no update as to how the hackers got in. They will not release the information because it could be damaging to the company. An educated guess would be that Wonga left a security hole in an external-facing site. United Kingdom businesses in 2018 are going to want to better protect their customers’ data because of an upcoming law. The new EU law will require companies to notify the data protection authorities within 3 days or face a fine of up to 10 million euros (Lomas, 2017). Some people have even said that the hackers won’t get much from the company’s customers because they don’t have much money. Without knowing how the breach occurred, it is hard to say if the issue can be fixed.
Summary
If a company can’t hire its own internal security engineers, it needs to pay companies to look at its security. The internet is not going away, and with customers wanting more convenience, cyber security will only get more important. The United Kingdom implementing new laws that require companies to report data breaches is a new concept. The United States does not have laws like the United Kingdom’s, but they are coming. Soon there will be a branch of the FBI that will investigate data breaches and levy fines if people’s personal information is not kept “up to code.” The other problem is every company wants all types of information, and most of it is not stored correctly. The way the information is stored in some industries is not regulated at the current moment in the United States.
References
Lomas, N. (2017, April 10). Payday loan firm Wonga suffers data breach affecting up to 270,000. Retrieved April 29, 2017, from https://techcrunch.com/2017/04/10/pay-day-loan-firm-wonga-suffers-data-breach-affecting-up-to-270000/

Kumar, M. (2017, April 27). Hack'em If You Can - U.S. Air Force launches Bug Bounty Program. Retrieved April 29, 2017, from http://thehackernews.com/2017/04/hack-the-air-force.html

Sunday, April 23, 2017

IHG Data Breach and NSA Hacking Tools Week 6

For week 6 I have two items to discuss. The first is the IHG, or InterContinental Hotels Group, data breach, and the second is how the leaked NSA tools are being used to attack Windows PCs. IHG had a breach back in December of 2016, and IHG said the data breach only affected a few of its properties. Now in April 2017, IHG has released data showing that more than 1,000 IHG properties were affected by the data breach. IHG properties’ computer systems were compromised with malicious software designed to siphon customer debit and credit card data, just like Target and Home Depot (Krebs, 2017). IHG has been in the process of implementing a secure payment solution that will encrypt customers’ data end to end. Unfortunately, IHG only had a few sites done at the time of the data breach, and those were not affected. PCI has a requirement for point-to-point encryption, so it seems IHG is behind on its PCI requirements. At the following site, a person can look up what IHG properties were affected by the data breach and the dates: https://www.ihg.com/content/us/en/customer-care/protecting-our-guests/property-listing. The site can be used by a person to see if their credit or debit card was affected and if they need to be on the lookout for fraudulent charges. Below is a screenshot of an email sent to franchise hotels offering a forensic investigation to be paid for by IHG (Krebs, 2017).

The leaked NSA hacking tools are being used in the wild. A hacker group called Shadow Brokers has leaked hacking tools that supposedly belonged to the NSA’s Equation Group (Khandelwal, 2017). A piece of malware designed by the NSA called DoublePulsar was one of the tools released by Shadow Brokers. DoublePulsar is being used as a spying tool, and it is installed because of vulnerable SMB and RDP versions. DoublePulsar does not write any files to the computer, to remain stealthy, and DoublePulsar acts as a remote access Trojan. A person has released a Python script to test IP addresses to see if they have the DoublePulsar infection. The Python script is located at https://github.com/countercept/doublepulsar-detection-script. Below is a screenshot of someone who ran the Python script and found computers infected with DoublePulsar.

Estimates of how many machines are affected have varied, but it seems at least 30,000 machines are infected. Microsoft has released patches to fix the SMB and RDP vulnerabilities. If people are still using end-of-life software such as Windows XP and Windows Server 2003, they are vulnerable and will remain vulnerable because they will not receive security patches (Khandelwal, 2017). Script kiddies and other hackers will be able to freely use DoublePulsar to infect machines and make them zombies until the patch from Microsoft has been applied.
With hotels and businesses not encrypting credit card data end to end, data breaches will continue to happen. One item that will not show up in the news articles is how the malware got installed on the machines. Some organizations do not have good security, and I know for a fact that at one hotel the computers are not locked down at all. It seems organizations would rather have a data breach than pay for security because it is cheaper. People have the stigma that if a company has a data breach it is bad, but because so many are happening it is just another day. Look at Target and Home Depot; people still shop there after they have had a massive data breach. People will continue to stay at IHG properties, and if they have stock there may be a blip in it, but it will come back. At the end of the day, security needs to be a priority for businesses that store or transport customers’ data.
References
Krebs, B. (2017, April 18). Krebs on Security. Retrieved April 23, 2017, from https://krebsonsecurity.com/2017/04/intercontinental-hotel-chain-breach-expands/

Khandelwal, S. (2017, April 22). Leaked NSA Hacking Tools Being Used to Hack Thousands of Vulnerable Windows PCs. Retrieved April 23, 2017, from http://thehackernews.com/2017/04/windows-hacking-tools.html

Wednesday, April 12, 2017

IRS Data Breach + Zero Day Week 5

During week 5 of CYBR 650 there has been plenty of security news. The blog this week will touch on a Microsoft zero day vulnerability and a data breach that happened at the IRS. This Microsoft zero day vulnerability is in Microsoft Office and allows remote code execution to take place. This vulnerability affects all current versions of Microsoft Office, which includes Office 2016. The vulnerability was first found by Ryan Hanson in July of 2016. McAfee reported the zero day on Friday, but said Microsoft has known about it since January (Goodin, 2017). Hackers are now using this vulnerability to spread banking malware called Dridex. A Word document that has been specially crafted can be executed on a computer, which allows an attacker to run code. The Word document containing a malicious OLE2link object is how the attack starts. This specific attack runs the exploit code, then makes a connection out to a remote server, where a malicious HTML application file, or HTA, gets downloaded (Khandelwal, 2017). Once the HTA file gets downloaded, it runs and downloads different pieces of malware designed to gain control of the computer or steal credentials. Below is a screenshot of a phishing email that contains a malicious Word document.


            Microsoft released a patch yesterday to fix the vulnerability. This will stop the code from running if an email with the Word document gets through the security controls. The worst part about this zero day is that Microsoft has known about it and did not fix it. The fix only came out after hackers were using it to spread malware by emailing a Word document. Proofpoint saw the new malware campaign and was able to block the malicious Word document.
            The Internal Revenue Service, or IRS, has had a data breach that may affect up to 100,000 people. The IRS has a tool for FAFSA, or Free Application for Federal Student Aid, that hackers have exploited. The tool for FAFSA helped families and students complete the form because it is lengthy. Since I have gotten my associate’s and bachelor’s and am currently getting my master’s, I have had to fill out the FAFSA forms. The FAFSA forms are long and are a pain to fill out. According to Krebs on Security, fraudsters may have been using the tool to get AGI, or adjusted gross income (Krebs, 2017). The IRS has disabled the tool because people were starting to use it for fraud. The tool is called the IRS Data Retrieval Tool, or DRT. John Koskinen went before the Senate Finance Committee to testify that fewer than 8,000 fraudulent returns were processed by the IRS (Cohn, 2017).
            The good thing is the tool is expected to be back online, but not till October. Does the IRS run any penetration tests or security testing? It seems like their tools are put into production without any testing, and it is causing people to lose their personal information. The IRS needs to provide protection to the users that were affected by the breach. Companies that have had a data breach have provided identity theft protection, but the government does not provide these protections.
References
Goodin, D (2017, April 11). Microsoft Word 0-day used to push dangerous Dridex malware on millions. Retrieved April 13, 2017, from https://arstechnica.com/security/2017/04/microsoft-word-0day-used-to-push-dangerous-dridex-malware-on-millions/
Cohn, M. (2017, April 10). Data breach of IRS student financial aid tool may have affected 100,000 taxpayers. Retrieved April 13, 2017, from https://www.accountingtoday.com/news/data-breach-of-irs-student-financial-aid-tool-could-have-affected-100-000-taxpayers
Krebs, B. (2017, March 21). Krebs on Security. Retrieved April 13, 2017, from https://krebsonsecurity.com/2017/03/student-aid-tool-held-key-for-tax-fraudsters/
Khandelwal, S. (2017, April 11). Unpatched Microsoft Word Flaw is Being Used to Spread Dridex Banking Trojan. Retrieved April 13, 2017, from http://thehackernews.com/2017/04/microsoft-word-dridex-trojan.html


Saturday, April 8, 2017

GameStop Breach + Ransomware

This week’s blog comes fresh off the press because a data breach happened yesterday. Gamestop.com is looking into a possible data breach of its website. A third party notified GameStop that its customers’ credit card data was being sold on a website. Krebs’s financial sources say they have received alerts of fraud coming from gamestop.com. This does not affect in-store purchases, only purchases made from GameStop’s website, Gamestop.com. According to Krebs, customer card numbers, expiration dates, names, addresses and card verification values (CVV2) were compromised (Krebs, 2017). The CVV2 is the three-digit number on the back of credit and debit cards, which is used for security. Merchants are not supposed to store the CVV2 numbers, but that does not stop hackers from using software to grab the number before it is encrypted (Petite, 2017). GameStop has hired a security firm to investigate the data breach that happened between September 2016 and February 2017.
GameStop told customers to basically watch credit card and bank statements for unauthorized charges. The problem with looking at paper credit card and bank statements is they are monthly, which would give the bad guy plenty of time to buy items. If a person’s bank or credit card has a way to check purchases from an online interface (online banking), that would be a better way to check instead of paper statements. If the breach does turn out to be from GameStop, I would hope GameStop offers to replace all the credit and debit cards affected by the breach.
Without knowing more about the breach (I’m sure more will come out in a couple of weeks), it’s hard to say how the attackers were able to get the information. Most likely GameStop did not have security as part of building the website and there was a vulnerability which allowed the attackers access to the data. I will update the blog once more information has been shared. Lately it has been quiet, but there will be more data breaches in 2017.
Another subject I want to touch on is ransomware. A project called No More Ransom (NMR) started collecting decryption tools and keys for ransomware. The project was started by Europol, the Dutch National Police, Intel Security and Kaspersky Lab (Kumar, 2017). The project educates users about ransomware and provides decryption tools so that users can get their files back. According to the article the platform is available in 14 languages and it has over 40 free decryption tools (Kumar, 2017). The website is located at https://www.nomoreransom.org/.

With ransomware being the new way for attackers to make money, there have been several variants. I had only heard of CryptoLocker, CryptoWall and Locky, but some other names are Cerber, Crysis, CTB-Locker, Jigsaw, KeRanger, LeChiffre, TeslaCrypt, TorrentLocker and ZCryptor (Brunau, 2017). I found the Jigsaw ransomware name interesting and decided to do more research. Jigsaw is a nasty type of ransomware that gives a user three days to pay the 150 dollars in bitcoin, but there is more. Jigsaw will start deleting files every hour until the payment is received. If no payment is received, Jigsaw will delete all the encrypted files. If a person attempts to change registry settings or attempts to shut off the computer, Jigsaw will make the timer jump 24 hours ahead. A person is only given three chances before all the files are deleted.
A YouTube video at the following link shows how to decrypt Cerber ransomware: https://www.youtube.com/watch?v=cbHcDgMtA0k. I’m glad the No More Ransom project was set up to help people decrypt their files. A typical home user has no safeguards to protect their computer against ransomware. With these tools users can avoid paying the attackers, and those payments are the reason ransomware is still around. Tips for home users to protect themselves from ransomware:
1. Ransomware mostly arrives by email, so be careful and watch for spam emails.
2. Have two accounts: one for regular use and another used only to install applications.
3. Create backups using either backup software or online backups.
References
Krebs, B. (2017, April 07). Krebs on Security. Retrieved April 08, 2017, from https://krebsonsecurity.com/2017/04/gamestop-com-investigating-possible-breach/#more-38927
Petite, S. (2017, April 07). GameStop.com customers' credit card information may have been compromised. Retrieved April 08, 2017, from http://www.digitaltrends.com/gaming/gamestop-online-security-breach
Kumar, M. (2017, April 05). No More Ransom - 15 New Ransomware Decryption Tools Available for Free. Retrieved April 08, 2017, from http://thehackernews.com/2017/04/decrypt-ransomware-files-tool.html

Brunau, C. (2017, March 01). Common Types of Ransomware. Retrieved April 08, 2017, from https://www.datto.com/blog/common-types-of-ransomware

Friday, March 31, 2017

Data Breach plus an Exciting Microsoft Exploit


This week’s blog will address two items: one is a data breach and the second is an exploit. The data breach happened at Daytona State College in Daytona Beach, Florida. There is a twist to this story, though. While investigating the first data breach, investigators found a second data breach had occurred. It is not yet known how many people were affected by the data breach. The information taken included employee W-2 forms, students’ social security numbers, names, dates of birth, driver’s license numbers and how much the student makes (Abel, 2017). It is too early to know how the breach occurred, but they believe it was because of a third-party vendor. The college did send out letters offering the affected students one year of identity protection if they want it.
Again, a data breach has occurred because of a third-party vendor. It is important that companies do their due diligence and audit their third-party vendors. JPMorgan Chase has a great information / cyber security group and it was breached because of a third-party vendor. Just because a vendor says it’s secure does not mean it is true. Trust, but verify. It would be good for a company to put in the contract it signs that, if it is breached because of the third-party vendor, the vendor can be held liable.
The second item is about the Microsoft zero-day exploit called DoubleAgent. DoubleAgent is a code injection vulnerability that allows an attacker to maliciously take over anti-virus programs and other software via the Microsoft Windows Application Verifier debugging tool (Barth, 2017). The exploit was discovered by Cybellum, a company that specializes in zero-day attacks. This exploit can only be used if the system has already been compromised. Once a system is affected by the DoubleAgent exploit, it will remain on the system even after a reboot. This vulnerability affects Microsoft Windows versions XP through 10. Anti-virus vendors have started issuing patches to fix issues in their software related to the Application Verifier exploit. Per Sophos, its anti-virus is protected from the DoubleAgent exploit because it uses Intercept X, which protects any application on the system against DoubleAgent (Brenner, 2017). Intercept X is an endpoint protection technology that uses behavior-based screening to detect malicious behavior (Greene, 2016). Here is a video showing DoubleAgent attacking Avira Anti-virus.

This exploit affects all versions of Windows because Microsoft allows backwards compatibility. The exploit also affects other applications installed on the operating system. Anti-virus was chosen because it can be turned against the operating system, for example by turning the anti-virus into ransomware. The Microsoft Application Verifier is old and at this point cannot be patched. Vendors are urged to switch to Protected Processes, which is the new “Application Verifier”. On its next operating system after Windows 10, Microsoft needs to stop backwards compatibility and write fresh code for Windows 11. The Xbox One can’t play first-generation Xbox games unless they are purchased from the Live store. Microsoft did this because it would be too much work to add backwards compatibility to the Xbox. If Microsoft stopped backwards compatibility, this would stop these old exploits and vulnerabilities from working on new systems. Until that happens most Windows operating systems will be affected by the same vulnerability because they can run old software.
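As an added example, not from the original post nor from Cybellum or any anti-virus vendor, here is a read-only PowerShell audit of the mechanism DoubleAgent relies on. Windows stores Application Verifier settings per executable under the Image File Execution Options (IFEO) registry key, and the VerifierDlls value names the provider DLLs the loader injects into that process at start-up, which is also why the hijack survives a reboot. The script lists every such registration and flags provider DLLs that are missing or are not signed by a trusted publisher. It assumes provider DLL names resolve against the System32 directory; that assumption is noted in the code.

```powershell
# Added example (not from the original post or from Cybellum): read-only audit of
# Application Verifier provider registrations, the mechanism DoubleAgent abuses.
# Windows keeps Application Verifier settings per executable under IFEO; the
# VerifierDlls value is a space-separated list of provider DLLs injected into
# that process when it starts. Assumption: provider names resolve against the
# System32 directory, where the legitimate Microsoft providers live.

$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
$System32 = Join-Path $env:SystemRoot 'System32'

function Get-VerifierRegistration {
    # Returns one object per (executable, provider DLL) pair found in IFEO.
    foreach ($root in $IfeoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            if (-not $props -or -not $props.VerifierDlls) { continue }
            foreach ($dll in ($props.VerifierDlls -split '\s+' | Where-Object { $_ })) {
                $path = Join-Path $System32 $dll        # assumption: resolved in System32
                $sig  = if (Test-Path $path) {
                            (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
                        } else {
                            'FileMissing'
                        }
                [pscustomobject]@{
                    Executable      = $key.PSChildName
                    GlobalFlag      = $props.GlobalFlag   # 0x100 enables Application Verifier
                    ProviderDll     = $dll
                    ResolvedPath    = $path
                    SignatureStatus = $sig
                    # 'Valid' means a trusted signing chain; anything else needs a closer look.
                    Suspicious      = ($sig -ne 'Valid')
                }
            }
        }
    }
}

# Usage: list every registration and warn about the ones worth investigating.
$regs = @(Get-VerifierRegistration)
$regs | Format-Table Executable, ProviderDll, SignatureStatus, Suspicious -AutoSize
$regs | Where-Object Suspicious | ForEach-Object {
    Write-Warning ("{0}: verifier provider '{1}' ({2})" -f $_.Executable, $_.ProviderDll, $_.SignatureStatus)
}
```

A legitimate Application Verifier session set up by a developer shows Microsoft-signed provider DLLs; on a production workstation that is never used for debugging, any VerifierDlls entry at all is worth a ticket. Because the check reads only the registry and the file system, it can be pushed out through an endpoint management tool without touching the anti-virus product itself.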
References
Abel, R. (2017, March 28). Two Daytona State College breaches affect students and staff. Retrieved March 31, 2017, from https://www.scmagazine.com/daytona-state-college-hit-with-double-breach-affecting-staff-and-students/article/646957/
Barth, B. (2017, March 24). Microsoft tool exploit DoubleAgent can turn antivirus software into your worst enemy. Retrieved March 31, 2017, from https://www.scmagazine.com/microsoft-tool-exploit-doubleagent-can-turn-antivirus-software-into-your-worst-enemy/article/646173/
Brenner, B. (2017, March 27). DoubleAgent 'vulnerability' – just how bad is it? Retrieved March 31, 2017, from https://nakedsecurity.sophos.com/2017/03/27/doubleagent-vulnerability-just-how-bad-is-it/

Greene, T. (2016, September 15). Sophos rolls out Intercept X for endpoint protection. Retrieved March 31, 2017, from http://www.networkworld.com/article/3120322/security/sophos-rolls-out-intercept-x-for-endpoint-protection.html

Saturday, March 25, 2017

CYBR 650 Week 1-2 Part 2

After going through many of the master’s classes in the cybersecurity program I have come across several good resources for security news and threats. The first credible source is the Internet Storm Center from SANS, https://isc.sans.edu/. SANS provides cybersecurity training and offers a master’s degree in cybersecurity. The Internet Storm Center has the latest security news, podcasts and diaries. Since SANS is a school and provides training there is no reason for them to provide false information. The writers for the Internet Storm Center are teachers and other security experts talking about current events. I consider this website to be a credible source because they have been around for 25 plus years and they provide great educational material.
The second credible source is Krebs on Security, https://krebsonsecurity.com/. Brian Krebs wrote for the Washington Post for 14 years and now runs his blog, krebsonsecurity. Krebs focuses on cybersecurity and he likes to report on skimmers. Krebs has been a trusted source in the security community and has reported on several breaches such as Target and the Ashley Madison hack. I think Krebs is a credible source because other websites use information from his blog to write their stories. Krebs has been writing about cybersecurity for many years and his articles are accurate, plus they are backed up with credible sources. Since Krebs wrote articles for the Washington Post before starting his blog, he has the experience and contacts to provide great information. Krebs is known in security circles as a great reporter, and if he calls an organization up then there is a problem.
The third credible source is CVE, or Common Vulnerabilities and Exposures, a site that stores security vulnerabilities. https://cve.mitre.org/ is not really a news site; it is more of a database that stores information. If a person needs to know about a CVE from the year 2006 on Windows XP, it can be looked up in the database. The CVE site provides the description and references for the CVE. The reason I think this is a credible source is that it is a central repository for cybersecurity vulnerabilities. The site is also nonprofit and provides information on several operating systems. The CVE identifiers are used by OWASP and are mentioned in the NIST standard. Since it is recognized by the NIST and OWASP organizations, that is a good sign of reliable and accurate information.
The fourth credible source, Dark Reading, is a news site that contains information on several information technology topics. Some of the interesting topics are internet of things, cloud, risk, attacks / breaches and threats / vulnerabilities. Our professor Coach got me hooked on the website http://www.darkreading.com/ and I haven’t looked back. Some of the article writers have spoken at Black Hat and they even have a Black Hat news section. Dark Reading has been recommended to me by several security professionals and I find their articles well written.
The last credible source is www.csoonline.com, a website that provides security and risk news. Our professor Coach has written articles for csoonline and so has other top cybersecurity talent. Having talented authors and well-known people in the cybersecurity community write articles is a good sign for a credible source. Csoonline focuses on cybersecurity news and other topics such as management. I think they are a credible source because many of their articles have great information. They only allow a person to see part of an article and a person must sign up to read the rest, but I figure this is so they can track people.
After doing research for papers, discussion boards and other assignments in my master’s classes I have found some news sites have conflicting information. What I have found is that websites not on my list sometimes have different information than the sites on my list. I would trust the five websites on my list over other sources because the websites on my list usually have more details about the event. The five sites on my list sometimes carry the same story depending on how big it is, but they usually provide the same information and there are no conflicts. If there were conflicts between the sites I listed it would depend on the conflicts and which sites they were on. I have never seen a conflict between the sites listed below. Overall I trust the five sites listed for my cybersecurity news and other security information.
Here is a list of the sites from above.
1. SANS Internet Storm Center: https://isc.sans.edu/
2. Krebs on Security: https://krebsonsecurity.com/
3. CVE (Common Vulnerabilities and Exposures): https://cve.mitre.org/
4. Dark Reading: http://www.darkreading.com/
5. CSO Online: www.csoonline.com

Sunday, March 19, 2017

Reboot of Blog and Verifone Breach Week 1

My name is Scott Athey and I will be restarting my blog, Scott Athey’s Cyber Security Blog, for the CYBR 650 class. When I first started my blog I focused on data breaches that occurred every week. The data breaches ranged from large to small organizations and anything in between. The reason I chose data breaches is that they are a hot topic and data breaches are happening every day. I also want to find out how attackers are getting into company networks and what can be done to protect those networks. I will be keeping the topic the same and focusing on recent data breaches.

A recent data breach that happened on March 7, 2017 was at Verifone. Many people may not know what Verifone does, but I can guarantee people have used its products before. Verifone is one of the largest point-of-sale manufacturers and payment processors. Verifone provides self-service payment devices, or point-of-sale systems, which include countertop and mobile devices (About Verifone). Verifone’s products are used at gas stations, hotels and other businesses that accept credit and debit payments. Verifone is also a payment processor like First Data, which allows it to see people’s credit and debit card information.

The attack seems to be related to the MICROS data breach that occurred in January 2017. MICROS was hit when the attackers used phishing emails to install malware on a computer, which targeted a ticketing portal. Without knowing the details of the Verifone breach, Krebs on Security was able to tentatively link the attack to a Russian crime group, and the attackers may have been inside the network since the middle of 2016 (Krebs, 2017). The attack appears to be limited to 24 United States gas station convenience stores (Schwartz, 2017). Verifone would not confirm other details related to the breach, as it seems they are still investigating. Verifone did hire a forensic company to come in and do an investigation.

Here is a sample of a phishing email that a person received from “Apple” regarding iTunes.


This data breach is scary and people should not forget about it. If the attackers were inside the company for more than six months, think of the damage they could do. Verifone’s systems run their own operating system, which means the attackers could have gotten the source code. Of course this is all hypothetical right now, but if the attackers got their hands on the source code they could do more damage than the Target hack. One example of having the source code is that it allows attackers to find vulnerabilities or write malware for that specific operating system. The operating system is on POS machines, which could lead to attackers stealing credit and debit card information. Then the company would have to fix the vulnerabilities, but that would require them to reverse engineer the malware or do a forensic investigation to find the vulnerability or vulnerabilities in their operating system.

Could this data breach have been prevented? At this time it’s too early to say whether this breach could have been prevented. If it was because of the phishing email, then yes, it could have been prevented. According to Krebs, users are no longer allowed to install software on their computers unless it is through the help desk (Krebs, 2017). Could a malicious program an employee installed be the cause of the breach? Users should not be allowed to install software because most users don’t check the MD5 or SHA1 hash of the file they downloaded. Having the help desk or a different team within the company install software that has been approved will reduce the risk of malware on a network. Malicious Word documents have macros enabled that allow malicious code to run and install malware. Having macros disabled by default can help protect users from installing malware. It is also a good idea to train users not to open Word documents from emails they do not recognize. Hopefully within a few weeks there will be more information on the data breach. At that time I will update my blog with the new information.
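Two of the controls mentioned above, checking a download’s hash before installing it and keeping Office macros disabled, can be verified from a help desk script. The following PowerShell is an added example, not code from the original post or from Verifone; the file path, expected hash and Office version number are constructed placeholders, and the registry locations used are the standard Office VBAWarnings setting (the per-user value and the Group Policy override).

```powershell
# Added example (not from the original post): two checks a help desk can run
# before installing software on a user's machine. Path, expected hash and the
# Office version number below are placeholders.

function Test-DownloadHash {
    # Compares a downloaded file's hash with the value the vendor published.
    # SHA-256 is the default; MD5 and SHA-1 are accepted only because some
    # vendors still publish nothing stronger.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedHash,
        [ValidateSet('SHA256', 'SHA1', 'MD5')] [string] $Algorithm = 'SHA256'
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }
    $actual   = (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm).Hash
    $expected = ($ExpectedHash -replace '\s', '').ToUpper()   # tolerate copy/paste whitespace
    [pscustomobject]@{
        Path      = $Path
        Algorithm = $Algorithm
        Expected  = $expected
        Actual    = $actual
        Match     = ($actual -eq $expected)   # string -eq is case-insensitive in PowerShell
    }
}

function Get-OfficeMacroSetting {
    # Reads the VBAWarnings value for Word, Excel and PowerPoint.
    # 1 = enable all macros, 2 = disable with notification,
    # 3 = disable except digitally signed, 4 = disable without notification.
    # '16.0' (Office 2016/365) is an assumption; adjust for other versions.
    param([string] $OfficeVersion = '16.0')
    $meaning = @{
        1 = 'Enable all macros'
        2 = 'Disable with notification'
        3 = 'Disable except digitally signed'
        4 = 'Disable without notification'
    }
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        # A Group Policy value under the Policies hive overrides the user's own setting.
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $userKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"
        $source = 'Policy'
        $value  = (Get-ItemProperty -Path $policyKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        if ($null -eq $value) {
            $source = 'User'
            $value  = (Get-ItemProperty -Path $userKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        }
        [pscustomobject]@{
            Application = $app
            Source      = if ($null -eq $value) { 'Not set' } else { $source }
            VBAWarnings = $value
            Meaning     = if ($null -eq $value) { 'Application default applies' } else { $meaning[[int]$value] }
            # Only 3 and 4 stop a user from running an unsigned macro with one click.
            Hardened    = ($value -eq 3 -or $value -eq 4)
        }
    }
}

# Usage with placeholder values; the hash check only runs if the file exists.
$download = 'C:\Downloads\installer.exe'                  # placeholder path
$published = '<SHA-256 value published by the vendor>'     # placeholder hash
if (Test-Path -LiteralPath $download) {
    Test-DownloadHash -Path $download -ExpectedHash $published | Format-List
}
Get-OfficeMacroSetting | Format-Table -AutoSize
```

The hash comparison only proves the file is the one the vendor published, not that the vendor’s build is clean, so it complements rather than replaces the approval step. The macro report is most useful when run on a sample of workstations after a Group Policy change: a row with Source = User means the policy did not apply to that machine.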

References
Krebs, B. (2017, March 07). Krebs on Security. Retrieved March 19, 2017, from https://krebsonsecurity.com/2017/03/payments-giant-verifone-investigating-breach
About Verifone | Company | Verifone. (n.d.). Retrieved March 19, 2017, from http://global.verifone.com/company/about-verifone/

Schwartz, M. (2017, March 8). Verifone Investigates Gas Station Hack Attacks. Retrieved March 19, 2017, from http://www.bankinfosecurity.com/verifone-investigates-gas-station-hack-attacks-a-9759