All posts by Michael Buckbee

Is a ransomware attack a data breach?


Ransomware is a loss of control

Most IT people equate the exfiltration of data from their network with the point at which control is lost and a data breach has occurred. They think of it as “where are the bits”: if your user database is being passed around the internet via BitTorrent and sold off for 0.0001 BTC an account, you have clearly lost control.

What’s not so obvious is that ransomware (or any form of malware infection) represents a loss of control of the data within your network and that constitutes a data breach.

The proper way to think about it is as if a malicious person wandered into your office, walked past the receptionist and security guard, took the elevator down to the basement, unlocked the door to the server room, logged into your main file server with stolen admin credentials, encrypted 10,000 random files that your users rely upon for their work, and then walked out.

If someone were to perpetrate the above physical attack on your facility it would clearly represent a loss of data control. However, too many sysadmins wrongly consider a ransomware attack as purely internal and not a data breach.

A good conceptual way to think about it is as a breach of your control systems, not a breach of the network itself.

Most of the per-state data breach response guidelines are clearly modeled after the HIPAA regulations, which explicitly classify ransomware as a data breach:

The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule. A security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

Source: https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf

A ransomware attack is a data breach and organizations should treat it as such.

[Podcast] Pick Up Music, Pick Up Technology


Last week, when the world experienced the largest ransomware outbreak in history, it also reminded me of our cybersecurity workforce shortage. When events like WannaCry happen, we can never have too many security heroes!

There was an idea floating around that suggested individuals with a music background might have a promising future in security. The thinking is: if you can pick up music, you can also pick up technology.

The Inside Out Security panelists – Mike Thompson, Forrest Temple and Mike Buckbee – are in agreement. They extended the sentiment to all artists and added that creative thinking along with attention to detail can go a long way.

Other articles discussed:

  • Intel Warns of Active Management Technology Vulnerability
  • Besides the Netflix Orange is the New Black threat, hackers also helped themselves to copies of titles from other companies
  • IoT companies keep building devices with security flaws
  • What nuclear security officers (and infosec pros) can learn from casino managers
  • IBM sends USBs with malware to customers

Tool of the week: Pi hole


Subscribe Now

- Leave a review for our podcast & we'll put you in the running for a pack of cards

- Follow the Inside Out Security Show panel on Twitter @infosec_podcast

- Add us to your favorite podcasting app:

How to use PowerShell for WannaCry / WannaCrypt cleanup and prevention


Explosive infection rates of the WannaCrypt/WannaCry ransomware have IT groups trying to mass diagnose, update and protect their machines. Thing is, that’s just not practical to do manually – for pretty much any but the smallest of organizations.

While a number of PowerShell scripts have been open sourced in the last three days to automate this (we link to the best one below), it’s quite likely that they won’t cover exactly what you need them to do on your network.

Further, it’s guaranteed that multiple variants, mutations and other forms of WannaCrypt will continue to appear in the coming months. Being able to build your own script, or to tweak one to your needs, may be essential in keeping your network secure.

To help, we’ve collected all of the different PowerShell utilities needed to help with WannaCrypt / WannaCry:

  • Use PowerShell to check if a particular hotfix is installed
  • How to import TCP/IP functionality into your script to check which ports are open or closed (such as SMBv1’s port 445)
  • How to check if a domain resolves properly with PowerShell (like the WannaCrypt killswitch domain)
  • How to disable SMBv1 functionality with PowerShell

First: use the following script from GitHub user kieranwalsh to check for missing patches. The script is a collective effort, as multiple members of the community are submitting missing KBs and offering suggestions.


https://github.com/kieranwalsh/PowerShell/blob/master/Get-WannaCryPatchState/Get-WannaCryPatchState.ps1

How to use PowerShell to check if a hotfix is installed

Get-HotFix tests the local machine (by default) or a remote workstation or server for the presence of a specified hotfix (referenced by its KB designation).

For reference, the KBs per operating system that patch MS17-010 are:

Windows Server 2008: KB4012212

Windows Server 2012: KB4012217, KB4015551, KB4019216

Windows Server 2012 R2: KB4012216, KB4015550, KB4019215

Windows Server 2016: KB4013429, KB4019472, KB4015217, KB4015438, KB4016635

Example

The examples below check for KB4012212, which is the Windows Server 2008 patch for MS17-010.

Local

Get-HotFix -Id KB4012212

Remote

Get-HotFix -Id KB4012212 -ComputerName <remote-computer-name>

PowerShell Port Checking

Use the Test-NetConnection cmdlet to test whether a port is open on a remote computer. In the example below, we’re testing whether 445 (the command and control port for WannaCrypt) is open on the local interface.

Test-NetConnection -ComputerName 127.0.0.1 -Port 445

Several important things to note:

  • The port being closed doesn’t prevent the infection of that machine; it just prevents it from infecting other hosts.
  • Test-NetConnection doesn’t default to the local machine but to a designated test server run by Microsoft. You MUST specify the `-ComputerName` parameter.

Testing if a domain resolves with PowerShell

The first version of WannaCrypt/WannaCry contained a killswitch which shut it down if the malware was able to successfully connect to a previously unregistered domain:

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

A security researcher registered the domain and was able to stop a large number of the infected machines from spreading further.

Even after the domain was registered, however, many networks were unable to connect due to outbound filtering, DNS caching issues, or other network restrictions.

To test whether a machine is properly resolving a domain, use the Resolve-DnsName cmdlet:

Resolve-DnsName www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

How to disable SMBv1 with PowerShell

As of right now, having SMBv1 enabled is the key exploitable aspect of pre-Windows 10 machines. While you should still endeavor to install the appropriate patch for MS17-010, disabling SMBv1 immediately can help prevent infection.

On Windows 8 and Windows Server 2012

Set-SmbServerConfiguration -EnableSMB1Protocol $false

This takes effect immediately; no restart is required.

On Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 0 -Force

This will require a restart to take effect.
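The four checks above can be combined into one audit function that reports, per machine, whether an MS17-010 KB is installed, whether SMBv1 is still on, whether port 445 is reachable and whether the killswitch domain resolves. This is an added example, not code from the original post or the linked Get-WannaCryPatchState script; it assumes PowerShell remoting (WinRM) to each target, PowerShell 4 or later on the auditing host, and the hypothetical hostnames `srv01` and `srv02`.

```powershell
# Added example (not from the original post). KB table is the one the post gives;
# the '2008' entry is also matched for "2008 R2" captions (assumption).
$Ms17010Kbs = @{
    '2016'    = @('KB4013429', 'KB4019472', 'KB4015217', 'KB4015438', 'KB4016635')
    '2012 R2' = @('KB4012216', 'KB4015550', 'KB4019215')
    '2012'    = @('KB4012217', 'KB4015551', 'KB4019216')
    '2008'    = @('KB4012212')
}
$KillSwitchDomain = 'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'

function Get-WannaCryExposure {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    # Resolve the killswitch domain once from the auditing host; if this fails,
    # infected machines on this network would not have stopped themselves.
    $killSwitchResolves = [bool](Resolve-DnsName $KillSwitchDomain -ErrorAction SilentlyContinue)
    foreach ($c in $ComputerName) {
        $caption = (Get-CimInstance Win32_OperatingSystem -ComputerName $c).Caption
        # Longest match first so "2012 R2" is not mistaken for plain "2012".
        $osKey = @('2016', '2012 R2', '2012', '2008') |
            Where-Object { $caption -match [regex]::Escape($_) } | Select-Object -First 1
        $installed = Get-HotFix -ComputerName $c | Select-Object -ExpandProperty HotFixID
        # $null when the OS is not in the post's table (unknown, not "patched")
        $patched = if ($osKey) { @($Ms17010Kbs[$osKey] | Where-Object { $installed -contains $_ }).Count -gt 0 } else { $null }
        # SMBv1 state: cmdlet on Windows 8/2012+, registry value on older releases
        # (a missing SMB1 value means the protocol is enabled by default).
        $smb1Enabled = Invoke-Command -ComputerName $c -ScriptBlock {
            if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
                (Get-SmbServerConfiguration).EnableSMB1Protocol
            } else {
                $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
                $v = Get-ItemProperty -Path $p -Name SMB1 -ErrorAction SilentlyContinue
                if ($null -eq $v) { $true } else { [bool]$v.SMB1 }
            }
        }
        $port445Open = (Test-NetConnection -ComputerName $c -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded
        [pscustomobject]@{
            ComputerName       = $c
            OperatingSystem    = $caption
            MS17010Patched     = $patched
            SMB1Enabled        = $smb1Enabled
            Port445Open        = $port445Open
            KillSwitchResolves = $killSwitchResolves
            # Unpatched, SMBv1 on and port 445 reachable is the combination to fix first.
            FixFirst           = ($patched -eq $false -and $smb1Enabled -and $port445Open)
        }
    }
}

# Usage: audit two servers and list the ones to patch or disable SMBv1 on first.
Get-WannaCryExposure -ComputerName 'srv01', 'srv02' | Where-Object FixFirst | Format-Table -AutoSize
```

Machines whose OS is not in the post's table report `$null` for MS17010Patched rather than a false sense of safety; add their KBs to the table as they become known.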

Conclusion

WannaCrypt is a mess for everyone involved. But! The cleanup is a great place to polish your PowerShell skills and make process and infrastructure investments to prevent issues in the future.

[Podcast] Security Learn-It-Alls



Rather than referring to our weekly podcast panelists as security experts, we’re now introducing them as security practitioners. Why? A popular business article on mindset brought to our attention the perils of self-proclaimed titles such as expert and guru. It signals that our “thirst for knowledge in a particular subject has been quenched.” That is far from reality! Security is a constantly evolving field, with new threats and vulnerabilities. To have a fighting chance, it would behoove us to start by cultivating a curious learner mindset by asking, “Why?” and “How does this work?”

As reformed security know-it-alls, here are some of the stories we covered:

Tool of the week: Account Lockout Status



[Podcast] Presenting Cybersecurity Ideas to the Board


There’s been a long-held stigma amongst our infosec cohort, and it’s getting in the way of doing business. What’s the stigma, you ask? “Know-it-all” techies who are unable to communicate. Unfortunately, this shortcoming also puts our jobs at stake.

According to a recent cybersecurity survey, the board of directors polled said that IT and security executives will lose their jobs because of their failure to provide the board with useful, actionable information. It gets worse. More than half of board members say that the data presented is too technical.

In an effort to redeem ourselves and to understand the problem, I suggested role playing with the Inside Out Security panel – Kilian Englert, Mike Buckbee, and Kris Keyser – and to also practice speaking with executives about cybersecurity.

I presented two practical scenarios. The first prompt: explain why you might need UBA, even if you already have a SIEM tool. The other: explain the importance of keeping the health data generated by a wearable safe and secure.

Articles discussed in our podcast:

  • How to derive a profit from the data deluge
  • Headphones that spy on listeners
  • New phone sign-in feature that skips the password
  • Microchip implanted in between one’s thumb and index finger
  • Microsoft fixed critical vulnerabilities in uncredited update released in March

Tool of the week: Powersploit



[Podcast] When Security is a Status Symbol


As sleep and busyness gain prominence as status symbols, I wondered when or if good security would ever achieve the same notoriety. Investing in promising security technology is a good start. We’ve also seen an upsurge in biometrics as a form of authentication. And let’s not forget our high school cybersecurity champs!

However, as we celebrate new technologies, sometimes we remain at a loss for vulnerabilities in existing technologies, such as one’s ability to guess a user’s PIN with the phone’s sensors. I’m also alarmed with how easily you can order an attack!

Tool of the week: CaptureBox



[Podcast] Evolving Bank Security Threats



It was only last week that we applauded banks for introducing cardless ATMs in an effort to curb financial fraud. But with the latest bank heists, it may help to turn up both the offense and the defense. Why? Hackers were able to drill a hole, connect a wire, cover it up with a sticker, and the ATM would automatically and obediently dispense thousands. Another group of enterprising hackers changed a bank’s DNS, taking over its website and mobile sites and redirecting customers to phishing sites.

But let’s be honest and realistic: bank security is no easy feat. Banks are complicated systems with a large attack surface to defend, whereas attackers only need to find one vulnerability, sprinkle it with technical expertise, and get to decide when and how the attack happens. Moreover, they don’t have to worry about bureaucracy, meeting compliance or following laws. The bottom line is that attackers have more flexibility and are more agile.

In addition to evolving bank security threats, we also covered the following:

Tool of the week: ngrok, secure introspected tunnels to localhost



[Podcast] Americans’ Cyber Hygiene



Recently, the Pew Research Center released a report highlighting what Americans know about cybersecurity. The intent of the survey and quiz was to understand how closely Americans are following best practices recommended by cybersecurity experts.

One question on the quiz reminded us that we’re entitled to one free copy of our credit report every 12 months from each of the three nationwide credit reporting companies. The reason behind this offering is that there is so much financial fraud.

And in an effort to curb banking scams, Wells Fargo introduced cardless ATMs, where customers can log into their app to request an eight-digit code to enter along with their PIN to retrieve cash.

Outside the US, the £1 coin gets a new look and line of defense. It uses an Integrated Secure Identification System, which is authenticated at high speed. Plus, it’s harder to counterfeit, and that’s exactly what we want!

Other themes and ideas we covered that weren’t part of the quiz:

Did the Inside Out Security panel – Mike Thompson, Kilian Englert, and Mike Buckbee – pass Pew’s cybersecurity quiz? Listen to find out!



[Podcast] What CISOs are Making, Reading and Sharing



Besides talking to my fav security experts on the podcast, I’ve also been curious about what CISOs have been up to lately. After all, they have the difficult job of keeping an organization’s network and data safe and secure. Plus, they tend to always be a few steps ahead in their thinking and planning.

After a few clicks on Twitter, I found a CISO at a predictive analytics SaaS platform who published a security manifesto. His goal was to build security awareness into every job, every role, and to give people a reason to choose the more secure path.

Another CSO, at a team communication and collaboration tool company, stressed the importance of transparency. This means communicating with their customers as much as possible – what he’s working on and how their bug bounty and features work.

As for what CISOs are reading and sharing, here are a few links to keep you on your toes and us talkin’:



[Podcast] No Data Left Behind



Over the past few weeks, we’ve been debating a user’s threshold for seeing their personal data in the public domain. For instance, did you know that housing information has always been public information? It is gathered from county records, and the internet has just made the process of gathering it less cumbersome. However, if our personal information leaks into the public domain due to a security lapse, it’s still not as serious as, say, a breach of 2 million records. The point is that many security experts will remind us that there is no perfect security, as lapses and breaches will happen.

Meanwhile, I bemoan that no data should be left behind (all data should be protected!) and discuss my concerns with this week’s Inside Out Security Show panel – Mike Buckbee, Kilian Englert and Forrest Temple.

Additional articles we discussed:



[Podcast] When Our Reality Becomes What the Data Says


In our “always-on” society, it’s important that our conversation on IoT security continues with the question of data ownership.

It made its way back into the limelight when Amazon, with the defendant’s permission, handed over user data in a trial.

Or what about that new software that captures all the angles of your face to build your security profile? Your face is such an intimate aspect of who you are; should we reduce that intimacy down to a data point?

I discussed these questions with this week’s Inside Out Security Show panel – Forrest Temple, Kilian Englert and Mike Buckbee.

Additional articles we discussed:

  • Leaked data tranche of 8,700 documents purportedly includes tools that turn smart TVs into covert surveillance devices.
  • Spammers expose their entire operation through bad backups
  • Inside the TalkTalk ‘Indian scam call centre’
  • A sysadmin told the courts he was authorized to trash his employer’s network
  • Google accidentally spreads fake news
