As an educated and well travelled swine, I have to say that life on the road is not always easy. In fact, although it looks like glitz and glam, there are some rough times as well and I can tell you that spending a lot of time in airports is not what it’s cracked up to be. At times I miss my mud pit and eating airport food is missing the… ‘je ne sais quoi’… something, of home prepped slop. Add to that the fact that I rarely see others of my kind, and it can be a lonely life, even with my human along to do my bidding for me.
I bring a human along mostly because a lack of vocal cords makes it tough for me to speak, so I have to drag him around to be my voice to the other human servants. Sometimes you would swear they think THEY own the planet, but I don’t mind letting them have their little delusion as long as they do my bidding in the end. I control them with my mind, so they always do.
A recent trip outlined the dangers and difficulty of life on the road. I took my human to Washington DC to attend a conference and speak at another one (I’m good at multitasking the human). I wore red that day as it is a power color and when you are in the nation’s capital, you never know who you will run into, and have to boss around. In any case, although I’ve been to DC before, I have never been to the Museum of Natural History and wanted to check it out.
To understand how this works, years ago I had my human purchase a first class traveling home for me called the ‘Oakley Kitchen Sink’. Think of it as a human-powered RV. It’s incredibly spacious inside, comfortable and has lasted me several years of heavy travel. Since I spend a lot of time in here controlling the human’s thoughts, making the human spend that much money on a backpack was something I have never regretted.
During this trip to DC, I loaded myself up in the pack and had the human go to the train station. This ended up being an interesting time, but I’m not going to repeat myself as I had the human talk about it already in this thread. I was finally able to get him to the museum safely, although it was apparently very hot outside of the RV as he was sweating profusely. The museum itself was wonderful. I was able to interact with many of the exhibits (sometimes with help from my human) and spotted some folks that I am pretty sure are a close relative to myself.
I have a cousin with tusks like that, only these are upside down
I wasn’t scared at all. Honest. I just stared him down
I am reasonably sure we are related. Both of us are pretty hardcore!
From here it was work, work, work as I took my human to the Gartner event and spoke at the International Legal Technical Association (ILTA) event. I mostly stayed in my RV for the time, but had my human take me to some pretty good sessions and spoke with some great people.
Tomorrow I leave for Chicago for BSides Chicago where I am speaking (through my human again). This time I’m going whole-hog and wearing my derby in hopes of attracting some tickets to DerbyCon. The resident bee doesn’t agree with my blatant attempt to score DerbyCon tickets, however I told him to buzz off about it. He has shifty eyes anyways. Not someone whose opinion you can trust.
Perhaps I will do a “Day in the life of…” post tomorrow so you can see what it’s like to be on the road. Time will tell.
It’s July. How do you still have machines vulnerable to this? It’s not like this hasn’t been publicized. Yeah, I get it, patching can be a pain, but really? They should have had mitigations in place.
FTA: “Norville says most of the affected data is not retrievable, and it is unclear if any significant files have been lost. Two file servers and 19 computers within the police department’s system were breached.”
Before I even start, I have to admit that I’m every bit as guilty of this as anyone else. I love tech and gadgets and have been dazzled, then disappointed before. As I was thinking about this, I was picturing stones flying around my own glass house, so don’t take this personally if you find yourself looking back in the mirror as well. After all, GI Joe flooded my childhood with messages of, “knowing is half the battle.” It’s what we do with the knowledge that will let us prevail in the other half of the battle. Hopefully my experiences and bad decisions can help some of you.
Now that I have that off my chest, I can go ahead and tell you that if you are investing time and money in high-tech “solutions” without addressing non-technical or low-tech solutions, you are really screwing up. Yep, 100% screwing the pooch, making a mess of it, etc., etc., etc., so stop it!
If you haven’t noticed already, those signs you see at the airport, the ads in magazines, the internet, or anywhere else are put together by a special type of person called a “Marketer”. These people aren’t evil on purpose, but I see a lot of them going to the “dark side” (I hear they have cookies). It could be the pressures of lead generation or competition, but whatever it is, some fall in the dark well of snake oil sales. They start making ridiculous claims like, “With our WAF, data breaches are a thing of the past” or “The ‘cloud’ will fix all of your ailments”. When you see these people at trade shows, they even begin to believe their own rhetoric and will pitch it to you with a confident smile on their face. What’s worse is, you may start to believe it yourself. Your executives may start to believe it, your boss may start to believe it. Best case, big $ goes out the door and your security situation still hasn’t improved dramatically. Worst case, big $ goes out the door and you are in worse shape than when you started.
Avoiding the Gut Punch
How do you avoid this unpleasant experience? It will take a conscious effort of will to step back and see through the smoke.
First, if something says it’s a “solution”, put on your skeptical hat and hold on to it. In security there is reduction of risk, but I have never seen a professed “solution” be an actual end to something meaningful. Many times I have seen a “solution” open up a whole other can of worms that was unexpected.
Second, compare to other similar devices/platforms and see if the fancy new feature is just different wording for something already being done by someone else. If there is a key feature that gets you all spun up, don’t assume you know what it actually is doing. I have convinced myself that things are going to do one thing, when in fact they do something altogether different, simply because I really WANTED them to do what I thought they meant. Make sure you take a deep breath and understand the limitations of the feature you are so hot for. It can save many tears down the road.
Third, understand how things are going to work together. There are few things worse than getting a new device only to find out that managing it takes a lot of time and effort because nothing integrates with your current infrastructure.
Finally, and most importantly, consider if you are trying to throw a high-tech fix at a low-tech or no-tech problem. In many cases, risk can be decreased dramatically through policy, procedure or easy architecture changes. Sometimes you are using the tool wrong and can’t even see it.
Examples of Your Harebrained Scheme?
Let’s use ransomware attacks as an example. Not only have WannaCry and Petya/NotPetya caused issues, but Cerber and others have been doing it for a long time. Let’s look at some easy things that would have made these attacks less of an issue, maybe even trivial, had they been done.
Patching – MS17-010 was exploited in a couple of these, but other long-patched vulnerabilities have been exploited time and time again. Most of the time, 0-days are not what is used; it’s old exploits against unpatched machines. Sure, patches are a pain to keep up with, but time spent here can pay off greatly. Imagine if MS17-010 had been applied globally before WannaCry: it would have been a minor nuisance rather than a global event. Review your patching process and give it the attention it deserves. If you can’t patch, use mitigating controls (for MS17-010 that means disabling SMBv1 and blocking TCP 445 at segment boundaries) or isolate the device from anything it doesn’t NEED to communicate with.
Network Segmentation – It still boggles my mind how many “flat” networks are out there. These days, the cost of segmenting networks is nearly trivial and the implementation is well understood. What is segmentation? Simply put, it’s the practice of limiting communication between devices or groups of devices. Consider this: does your receptionist need to be able to get to a login screen for your SQL server? Does finance need to get to the Development environment? Does Dev even need a direct connection to Production? Anywhere you can limit this communication, you provide a mechanism of containment. Now if your receptionist launches malware, it can’t reach the resources that segment was never allowed to talk to. Clean up is easier and real damage is avoided. With a little planning and work you can significantly limit how far malicious programs or hackers can get within your network for little or no cost. WannaCry spread by reaching any Windows host it could touch on TCP port 445. Had those hosts been segmented so that workstations couldn’t talk SMB to each other or to servers they had no business with, the damage would have been much more contained.
Backups – Sure, you get the email every day/week that says your backups ran, but do you really read the email, and have you ever tested your backups by restoring them? Maybe the backup successfully backed up 40 KB worth of data, but nothing else. If the job is whacked and it only thinks it’s supposed to back up 40 KB, it’s going to tell you it was successful. Make sure you know what’s going on. I suggest restoring some random critical data at least once a month and ensuring you can get it. This will help you understand the time it takes and the process, so you aren’t learning it when the world is on fire and the pressure is on. Also, do a full restore at least twice a year. Make sure it all works. Backups are a great way to fight ransomware, and the ability to quickly restore would have made WannaCry just a nuisance. One caveat: a backup that is always mounted and writable from the machines it protects can be encrypted right along with them, so keep at least one copy offline or otherwise unreachable from the production network.
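As an added example (not code from the original post), here is the kind of restore check the backup paragraph above is asking for, in Python. It builds a constructed backup archive and a manifest of file sizes and SHA-256 hashes recorded at backup time, then reads every file back out of the archive and compares it with the manifest, flagging missing files, altered files, and a total that is suspiciously small compared with the last good run. The file names, contents and the 80% size floor are assumptions for the illustration; a real test would restore to disk on a scratch host and then run the same comparison.

```python
"""Verify a backup archive against a manifest (added example, not the post's own code)."""
import hashlib
import io
import tarfile


def sample_files() -> dict:
    """Constructed stand-in for a server's critical data, keyed by relative path."""
    return {
        "db/customers.sql": b"-- dump\n" + b"INSERT INTO customers VALUES (1, 'acme');\n" * 2000,
        "db/orders.sql": b"-- dump\n" + b"INSERT INTO orders VALUES (1, 1, 99.50);\n" * 3000,
        "config/app.ini": b"[app]\nlisten = 0.0.0.0:8443\n",
    }


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Record size and SHA-256 of every file at backup time; keep this with the backup."""
    return {path: (len(data), sha256_of(data)) for path, data in files.items()}


def make_archive(files: dict) -> bytes:
    """Write {path: bytes} into an in-memory tar.gz, standing in for the backup job's output."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def verify_backup(archive: bytes, manifest: dict, min_bytes: int) -> dict:
    """Read every file back out of the archive and compare it with the manifest.

    'Job succeeded' only proves the job ran. This checks that every expected
    file is present, that its hash matches, and that the total restored size
    is not suspiciously small compared with a floor derived from earlier runs.
    """
    report = {"ok": True, "missing": [], "corrupt": [], "unexpected": [], "restored_bytes": 0}
    seen = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            seen[member.name] = data
            report["restored_bytes"] += len(data)
    for path, (size, digest) in manifest.items():
        if path not in seen:
            report["missing"].append(path)
        elif len(seen[path]) != size or sha256_of(seen[path]) != digest:
            report["corrupt"].append(path)
    report["unexpected"] = sorted(set(seen) - set(manifest))  # informational only
    if report["missing"] or report["corrupt"] or report["restored_bytes"] < min_bytes:
        report["ok"] = False
    return report


if __name__ == "__main__":
    files = sample_files()
    manifest = build_manifest(files)
    floor = int(0.8 * sum(len(d) for d in files.values()))  # 80% of the last good run (assumed)
    print("full backup ok:", verify_backup(make_archive(files), manifest, floor)["ok"])
    # The failure mode from the post: the job "succeeded" but only captured one small file.
    partial = make_archive({"config/app.ini": files["config/app.ini"]})
    print("partial backup:", verify_backup(partial, manifest, floor))
```

The size floor is what catches the "40 KB success" case even when the manifest is also stale; the hash comparison is what catches a job that copied the right files but copied them damaged.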
Have An Incident Response Plan – Figuring out how to respond sucks when you are in the middle of it all. Put some effort into having a plan that at least covers the basics for common scenarios. Having things like contact information for execs, law enforcement and online resources can really help take some pressure off when responding to an event. Know where your installation media and license keys are in case you need to reload things. Know how to reach your vendors or cloud providers and have that documented. Something will eventually go wrong, so be ready when it does.
Get Visibility In One Place – If at all possible, get your logs, alerts and events feeding into some sort of SIEM or central spot. Easy stuff like firewall logs or endpoint protection alerts going to one place can make a huge difference in your ability to notice and identify potential attacks or events. For example, if a bunch of your endpoint protection agents start throwing alerts within a few minutes of each other, you can spot it quickly and take action, where the same alerts spread across a hundred consoles would go unnoticed. This is one of the more technical things I do think needs to be done; however, the cost does not have to be significant. Look into the ELK Stack (aka Elastic Stack) or AlienVault OSSIM for free ways to get some visibility into your network. A quick reaction can significantly reduce damage in an attack.
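An added example, not part of the original post, of the kind of correlation a central log store makes possible: a few constructed endpoint-protection alert lines in a generic key=value format (not any vendor's real format), and a sliding-window check that fires once per burst when alerts arrive from several distinct hosts within five minutes. Host names, threat names and the thresholds are made up for the illustration.

```python
"""Detect a burst of endpoint-protection alerts across many hosts (added example)."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample alerts in a generic key=value format (not any product's real format).
# A single quarantine on one host is routine; the 13:01-13:04 cluster is the kind of
# pattern that is only visible when every agent reports to one place.
SAMPLE_LOG = """\
2017-05-12T08:14:02Z host=WS-0031 product=epp action=quarantine threat=Adware.Generic
2017-05-12T10:47:55Z host=WS-0207 product=epp action=quarantine threat=PUA.Toolbar
2017-05-12T13:01:09Z host=WS-0142 product=epp action=quarantine threat=Ransom.WannaCry
2017-05-12T13:01:40Z host=WS-0143 product=epp action=quarantine threat=Ransom.WannaCry
2017-05-12T13:02:12Z host=SRV-FS01 product=epp action=blocked threat=Ransom.WannaCry
2017-05-12T13:02:30Z host=WS-0142 product=epp action=quarantine threat=Ransom.WannaCry
2017-05-12T13:03:05Z host=WS-0151 product=epp action=quarantine threat=Ransom.WannaCry
2017-05-12T13:03:44Z host=WS-0098 product=epp action=blocked threat=Ransom.WannaCry
2017-05-12T13:04:10Z host=WS-0160 product=epp action=quarantine threat=Ransom.WannaCry
2017-05-12T16:20:00Z host=WS-0012 product=epp action=quarantine threat=Adware.Generic
"""


def parse_line(line):
    """Split 'timestamp k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect_surges(lines, window=timedelta(minutes=5), min_hosts=4):
    """Sliding-window check: emit one alert per burst when at least `min_hosts`
    distinct hosts raise endpoint alerts within `window`. Repeated alerts from
    one host count once, so a single noisy machine does not trip the rule."""
    events = sorted((parse_line(line) for line in lines if line.strip()), key=lambda r: r["ts"])
    alerts, in_burst, start = [], False, 0
    for i, ev in enumerate(events):
        while events[start]["ts"] < ev["ts"] - window:  # drop events older than the window
            start += 1
        recent = events[start:i + 1]
        hosts = {r["host"] for r in recent}
        if len(hosts) >= min_hosts and not in_burst:
            in_burst = True
            top_threat = Counter(r["threat"] for r in recent).most_common(1)[0][0]
            alerts.append({"at": ev["ts"], "hosts": sorted(hosts), "top_threat": top_threat})
        elif len(hosts) < min_hosts:
            in_burst = False  # burst is over; re-arm so the next one is reported
    return alerts


if __name__ == "__main__":
    for a in detect_surges(SAMPLE_LOG.splitlines()):
        print(f"{a['at'].isoformat()} {len(a['hosts'])} hosts hit by {a['top_threat']}: "
              + ", ".join(a["hosts"]))
```

Counting distinct hosts rather than raw alerts is the point: the one-host, many-alerts case is a noisy machine, while four hosts in three minutes is something spreading. In a real SIEM the same logic is a correlation rule; tune the window and host count to the size of your fleet.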
Work On Your Organization’s Security Culture – Teach your users how to spot phishing attacks and avoid falling for scams. Changing the security culture of your users is one of the best ways to avoid attacks. People need to know that they are targets so they can protect themselves. They need to know what to look for in order to spot attacks and have a way to report them quickly. Understand that you may not be the best person to put training together. We tend to be technical people, and that does not always resonate with the users. Employ other departments, such as marketing, if you are going to do it on your own, or better yet use a 3rd party like my company KnowBe4 to do it for you. It’s not expensive and it works well. Reminding users that attacks like ransomware impact them at home as well can really help them pay attention in the training. Fostering an attitude of helpfulness from the security/IT team will go a long way to getting the users to want to engage. Don’t shame folks when they screw up, and they will. Instead, reward them for doing the right thing. Kudos at a company meeting or in a company-wide email, or even a pizza party for the department that does the best, can really impact the culture. Have fun with it and remember that it’s a scary topic for some folks, so they may need a little reassurance before they start to play well with others. Be patient and the reward can be great.
If you put some effort into the things I have listed above, you can significantly improve your security posture with very little cost. When looking for ways to solve problems, try to separate yourself from the marketing hype and focus on the task at hand. See if there is another way to accomplish your goal and keep your mind open to all options, not just the shiny ones.
If you bought stuff at Buckle between October 28, 2016 and April 14, 2017 with a credit card, you may want to check your statements. It seems they found some point-of-sale (POS) malware infecting the system. Not a lot of data is out, but it looks like magnetic-stripe swipe transactions were the target.
A public radio station in San Fran had streaming and email taken offline by ransomware last Thursday, June 15th. They had to set up a temporary email account to deal with live questions during the “Forum” radio show. Only the streaming and email were taken down, but in this day and age, that can be a significant percentage of listeners.
Yesterday I travelled to Washington DC to attend the Gartner Security Summit. This is not my first time in DC but I had never been to the Smithsonian Museum of Natural History and since I had some time to myself on this Sunday I decided to head over. I was going to Uber over, but the hotel receptionist mentioned that it was a quick trip on the Yellow Line Metro to L’Enfant Plaza and a short walk to the National Mall. I decided to take the Metro. I like new experiences.
First, I found a wallet on a bench at the Metro stop. It had $83 in cash and a bunch of credit cards and such. I turned it in to the lady in the booth. It took a while, but we inventoried the contents and she logged the find, etc. I missed a couple of trains during this, but that was OK, I did the right thing.
I caught the next train there at the Eisenhower station and headed along the path of the beam to downtown DC (Blaine is a pain*). About 15 minutes later I arrived at L’Enfant station where I happily disembarked, looking forward to my trip to the museum. At this point, it was about 1:00pm and since I had not had lunch after arriving, I decided to find something to eat on my way. Now, L’Enfant station is huge. It’s a transfer point for several other lines and is not easy to navigate. It’s also underground at this point. I managed to find the exit after a few minutes and headed out the gates. There was not much in the way of foot traffic actually leaving the station, so I was alone.
Just about the time I exited the little podium gates, I was approached by a guy. He was about 6’1″, tall and skinny, had short dreadlocks, and was black. I wouldn’t normally mention his race, but it plays into things a little later. His approach was aggressive and unexpected, however I do keep an eye on my surroundings (*cough* *cough* *paranoid* *cough*).
He said something to me, but I had my earbuds in, so I pulled one out while continuing to walk. I said, “huh?” and he repeated himself. He said he wanted me to give him a dollar for the bus. Mind you, he told me he wanted me to give him a dollar, he did not ask. I told him I didn’t have any cash (true) and he got even closer asking me for the dollar. I told him again that I had no cash. At this point he called me some pretty rude things and walked ahead of me quickly. There are some long escalators heading to the plaza, 2 of the 3 were going up, one going down. He got on the right escalator going up about 10 yards ahead of me, and I got on the left. He glared at me the entire way up the escalator, then at the top, he proceeded to block the escalator he was on pestering the next 2 people trying to get off the escalator.
The folks just walked by and ignored him and he repeated his action of talking smack to them as they walked away. I kept going and found a place for lunch where I got in the line. There were only a couple of people ahead of me at this time, and the same guy walks up to the older people who were at the register, gets in their face and demands a dollar from them. One of the 2 people told him no, and the guy reached over and pointed at his wallet and said, “You have it there!”. The 2nd guy at the register gave him a dollar, probably hoping he would go away, but the guy turned around and started cussing at them all the same. As he was leaving, I told the older folks that he had been demanding money and cussing people out from the exit booth.
He heard me, turned around and got about 2 inches from my face and started talking a lot of smack, cussing me out and asking me if I had a problem. At this point something sort of odd happened, I found myself very detached and calm. That surprised me. I just looked him straight in the eyes and said, “You have some issues man.” and continued to stare back. He broke eye contact and turned around like he was going to walk away, then turned around quickly and got in my face again. He started calling me names again, pretty much everything was about being white. I’ve never really experienced a racial tirade like that before, but I just stared him down and started to smile. I couldn’t help it, it reminded me of Full Metal Jacket and I could just feel that he was just blustering a bunch of hot air. I can’t say how I knew he was all show, maybe it was because his eyes showed some confusion and actually looked a bit scared. I don’t think he expected me to stand my ground and start smiling, because he backed away quickly, then walked away quickly while continuing to hurl racial insults. He really didn’t like the fact that I was white.
It was easily one of the more interesting experiences I have had. Fact is, he would have been easy to put down as he was trying to make himself look big by holding his arms out at shoulder height, looking like a chicken while exposing his whole midsection. He was open for a knee to the groin, the gut or a headbutt before he could have done anything to prevent it.
I don’t know if he was on drugs, but I don’t feel like he was. His eyes were focused and appeared to be aware. I could actually see the change in them when I wouldn’t back down. Honestly, I think he is just a punk that uses extreme aggression to try to bully things out of people. I wonder if this works better in places like DC where the general population is almost guaranteed to be unarmed.
One thing is for sure, I won’t be doing much more walking around without some sort of defense available. I usually take my camera monopod, a large aluminum tube that could double as a seal club, along when I walk strange cities alone. This time I did not. I can tell you that I won’t be caught off guard like that again.
Stay safe out there.
*Obligatory Dark Tower reference when I ride a train.
If you have anything of value, the bad guys are targeting it. We saw this with the latest Pirates of the Caribbean movie and here it is again targeting the company behind “The Witcher” games as they develop a new game called “Cyberpunk 2077” which was first announced in 2013. Imagine the cost associated with that much development time and the value of it to the company.
While this isn’t ransomware, it poses the same basic issue. You are going to lose something of value if you don’t pay up. In this case, the IP (Intellectual Property) of the developer could quickly find itself in the wild and any competitive advantages they may have had could be lost. It could be even worse if something like the source code were dumped.
Because nobody really seems to know that tossing medical forms with things like names, dates of birth, provider numbers, Medicaid ID numbers, dates of service, diagnosis codes, and other sensitive information is bad, the North Dakota Department of Human Services (NDDHS) is in a bit of a pickle. Fortunately, somebody spotted the papers in a dumpster and said something about it.
All told, 2,452 folks had their PHI potentially exposed, but hey, they get a free year of credit monitoring out of the deal. Isn’t that nice?
592 child support client cards issued by the Delaware Division of Child Support Services (DCSS) appear to be caught up in the Kmart breach. Some clients may find that cards don’t work, but they should be replaced by this weekend.
These cards are related to child support payments and are being replaced due to the risk of compromise, although none of the DCSS cards have shown unauthorized activity.
Over the last month or so I have been on a whirlwind tour of events and webinars. It’s been a bit crazy, but never so much as the day I was in Detroit for the Converge conference. I was there to speak about ransomware. My talk started at 3pm, the date was May 12th. May 12th was the day the world caught on fire (OK, maybe just a tiny bit dramatic there…). This was the day WannaCry (a.k.a. WCry) shook the security world.
I first heard about this while in the speaker room checking emails and such. It started with trickles and quickly turned into a torrent of stories, warnings and opinions on what was happening. Whenever something like this happens in the world, the first few hours are always full of a mix of facts, opinions, facts presented as opinions, misreported facts and complete fabrications. I try very hard not to repeat misinformation even if it means not being the first to make a post or tweet about it. In this case, knowing that I had a ransomware presentation happening a few hours after the most widespread/well-known ransomware attack in recent history, I had to have the facts right.
A very cool thing happened then. A few of us were in the speaker room and started sharing information we each had with each other. Some folks were on the phone and some were online, but we just organically started sharing info with each other. It’s hard to describe how good this feels to folks that aren’t a part of a culture like this. In this case, perfect strangers just started helping each other as everyone was trying to make heads or tails of the facts and information being presented. This is why I love infosec professionals so much. We essentially fell into our incident response roles without prodding, without reservation and without ego.
We quickly sorted the wheat from the chaff and determined the most reliable or likely facts and were able to present those to others that were dealing with the issue. It was nothing short of fantastic.
I put as much relevant information into my presentation, knowing that incident responders would be in the audience and be closely monitoring the situation. Something I noticed as I was doing this was that most of the things I have been preaching for the last year or so were more relevant than ever. Defense against this latest threat was essentially nothing new, so I didn’t have to change a thing on this slide. These are my key bullets on preparing for a ransomware attack from any number of presentations over the last year:
Train Your Users – This is our number one suggestion because it works. An untrained staff is an incident waiting to happen. Most technical solutions are reactive and respond after an attack. It is important to have them to minimize the damage, but we prefer to prevent the attack.
Have Weapons-Grade Backups – Backups do no good if they are encrypted by the ransomware, so they have to be isolated from the network (offline, or at least not writable from the hosts they protect).
Segment the Network – Marketing computers rarely need to have network access to the SQL servers or accounting systems.
Principle of Least Privilege – Not everyone should be an administrator. The less access users have, the less malware running under their accounts can spread.
Monitor the Network – Use a system like a SIEM or IDS to alert on malicious network behavior.
Keep Up With Patches – OS and applications need to be kept patched.
In this case, we have discovered that the attacks were not necessarily spread via phishing, but let’s be perfectly clear, this was a significant exception to the rule, so the first bullet still stands strong. We know that the patch was available for months prior to the attack. I can forgive a few weeks or maybe a month after a patch for an OS vulnerability labeled “Critical” is released. I have a much harder time with 2+ months. Yes, I know some folks run an older OS that did not have a patch (e.g. XP), but in all honesty, those machines should not be on the network any more, and if they are, they should have a ton of security controls in place to essentially isolate them from the rest of the network. This is 2017, folks; having a vulnerable OS available on the production network is just inexcusable.
Did we learn nothing about the importance of network segmentation from the Target breach? No, it’s not the same type of attack, but we should have learned that if a group of devices don’t NEED to talk to each other, they shouldn’t! Same theory here. Had more folks had their networks better segmented, the damage would have been much more contained. In the Army, when a new system went online, we had to define the ports that needed to be open in order to operate that system. The rules were pretty simple: list the ports and protocols, and don’t even try to sneak in an any-to-any rule. We could have one-to-many or many-to-one, but each line had to have some specific ports on it. This was non-negotiable. This was a pain in the butt. This was a great thing.
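As an added example (not from the post or any real firewall product), here is the "specific ports, no any-to-any" rule above turned into a lint over a simplified permit-only rule list, plus a first-match reachability check that shows what a flat ruleset lets a workstation reach on TCP 445 and what is left once the catch-all rules are removed. The rule format, addresses and segment layout are assumptions for the illustration; the evaluation is first-match with an implicit deny at the end.

```python
"""Lint a simplified firewall ruleset for any-to-any rules and SMB exposure (added example)."""
from ipaddress import ip_address, ip_network

# Assumed segment layout (constructed): 10.10/16 user workstations, 10.20/16 servers, 10.30/16 dev.
USER_NETS = [ip_network("10.10.0.0/16")]

# Constructed permit-only rule list, evaluated first-match, implicit deny at the end.
# "any" for src/dst means every address; "any" for proto or dports means unrestricted.
RULES = [
    {"name": "users-to-web", "src": "10.10.0.0/16", "dst": "10.20.5.0/24", "proto": "tcp", "dports": [80, 443]},
    {"name": "users-to-fileserver", "src": "10.10.0.0/16", "dst": "10.20.1.10/32", "proto": "tcp", "dports": [445]},
    {"name": "users-any", "src": "10.10.0.0/16", "dst": "any", "proto": "any", "dports": ["any"]},
    {"name": "dev-to-prod-db", "src": "10.30.0.0/16", "dst": "10.20.2.0/24", "proto": "tcp", "dports": [1433]},
    {"name": "mgmt-catchall", "src": "any", "dst": "any", "proto": "any", "dports": ["any"]},
]


def _matches_net(spec, addr):
    """True if the address falls inside the rule's src/dst spec ('any' matches all)."""
    return spec == "any" or ip_address(addr) in ip_network(spec)


def _overlaps_net(spec, net):
    return spec == "any" or ip_network(spec).overlaps(net)


def allows_port(rule, proto, port):
    """True if the rule permits this protocol/port, explicitly or via 'any'."""
    return rule["proto"] in ("any", proto) and ("any" in rule["dports"] or port in rule["dports"])


def can_reach(rules, src_ip, dst_ip, proto, port):
    """First-match evaluation: does some rule permit src -> dst on proto/port?"""
    for r in rules:
        if _matches_net(r["src"], src_ip) and _matches_net(r["dst"], dst_ip) and allows_port(r, proto, port):
            return True
    return False  # implicit deny


def lint_rules(rules, user_nets=USER_NETS):
    """Return (rule name, problem) pairs for rules that break the 'specific ports, no any-to-any' policy."""
    findings = []
    for r in rules:
        if r["src"] == "any" and r["dst"] == "any":
            findings.append((r["name"], "any-to-any rule"))
        if r["proto"] == "any" or "any" in r["dports"]:
            findings.append((r["name"], "no port/protocol restriction"))
        # SMB from a user segment to anything broader than a single host is how a worm travels.
        if allows_port(r, "tcp", 445) and any(_overlaps_net(r["src"], n) for n in user_nets):
            if r["dst"] == "any" or ip_network(r["dst"]).num_addresses > 1:
                findings.append((r["name"], f"tcp/445 from user segment to {r['dst']}"))
    return findings


if __name__ == "__main__":
    for name, problem in lint_rules(RULES):
        print(f"{name}: {problem}")
    ws, prod_db, fileserver = "10.10.4.7", "10.20.2.15", "10.20.1.10"
    print("flat: workstation -> prod DB on 445:", can_reach(RULES, ws, prod_db, "tcp", 445))
    tight = [r for r in RULES if r["name"] not in ("users-any", "mgmt-catchall")]
    print("segmented: workstation -> prod DB on 445:", can_reach(tight, ws, prod_db, "tcp", 445))
    print("segmented: workstation -> file server on 445:", can_reach(tight, ws, fileserver, "tcp", 445))
```

The lint flags only the two catch-all rules; the explicit 445 rule to a single file server passes, because that is the one SMB path the workstations actually need. Dropping the catch-alls leaves that path intact while closing the workstation-to-everything SMB reach the worm relied on.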
I hope this was a wake up call for organizations and security professionals across the globe. We need to do a better job remediating or mitigating the risks. Yes, it’s more work than just accepting it, but how many risk acceptances for outdated operating systems or patch deferrals do you think were in place in the NHS as they buckled under the load of WCry? Remember, accepting the risk is not the same as correcting it. With that, I leave you with this fantastic video by Host Unknown.
If you disagree or have something to add, post in the comments below.