The most important cybercrime law available to law enforcement right now is the Electronic Communications Privacy Act (ECPA) of 1986. This statute, along with amendments to it from the USA PATRIOT Act, provides law enforcement with its modern wiretap powers. (OJP, 2013) Law enforcement would have lost such access as communications moved off of the Plain Old Telephone Service (POTS) wires to digital Internet networks. (Frontier, n.d.) Due to changes in how data storage is used on the modern Internet compared to the expectations of the late 80s, the Department of Justice uses the ECPA to carry out warrantless retrieval of "abandoned" emails left on a server. (Reitman, 2012) Modern web-based email, starting with Google's Gmail, provides storage capacity measured in gigabytes, which means a user can archive a lifetime of text email right in their mailbox on the server without it ever being abandoned. (McCracken, 2014) Argued by some to violate the protections of the 4th Amendment, accessing data more than 180 days old without a warrant gives law enforcement a powerful tool for collecting stored data during investigations. (Reitman, 2012)
Frontier. (n.d.). What is POTS? The Connection. http://internet.frontier.com/resources/home-phone-information/what-is-pots/
McCracken, H. (2014, April 1). How Gmail Happened: The Inside Story of Its Launch 10 Years Ago. Time. http://time.com/43263/gmail-10th-anniversary/
OJP. (2013). Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. § 2510-22. Office of Justice Programs. https://it.ojp.gov/privacyliberty/authorities/statutes/1285
Reitman, R. (2012, December 6). Deep Dive: Updating the Electronic Communications Privacy Act. EFF. https://www.eff.org/deeplinks/2012/12/deep-dive-updating-electronic-communications-privacy-act
Saturday, October 22, 2016
Dangerous and getting worse: Ransomware Corporate Crime
Of all the ways that corporate computer crime can occur, ransomware is the most damaging. This style of malicious attack can be delivered directly upon infection or after a system has been harvested for valuable data or utilized as a botnet node, allowing a final chance for an infected machine to be monetized. (Spring, 2016) Because it doesn't try to persist across reboots or maintain stealth over long periods of time, ransomware can carry out its destructive activity as soon as it lands on a system, even without Admin or root access. (Krebs, 2013) As such, typical separation-of-privilege defenses provide limited benefit, because the files most at risk during a ransomware attack are those that the logged-in user needs or creates. The user has write access to their data, so malware they accidentally run does too.
Since the impact of ransomware is denial of service, it can target victims with high availability requirements rather than the confidentiality requirements typical of companies protecting their intellectual property. This was demonstrated earlier this year when the hospital industry was the target of an attack that ended up raking in a $17,000 decryption payout. (Gillum & Dishneau, 2016) Operations were interrupted for 10 days, days that put real human lives in danger. (Gillum & Dishneau, 2016)
Typical infections don't try to encrypt all of the files on a target system, something that could interfere with the behavior of the malware itself. Instead they often limit the targeted files based upon the file type hint in the file name: the file extension. (Abrams, 2016 September) Just this month it was reported that one sample, Stampado, also targets the file extensions that other ransomware families append to the files they encrypt. (Abrams, 2016 September) This means that a victim could pay to decrypt their files only to learn that the decrypted version is still the locked-up artifact of another attack. Some families, such as TorrentLocker, claim to be higher-profile families like CryptoLocker, to which they have no relation. (Léveillé, 2014) Underhanded in dealing with victims, and underhanded in abusing others' brands.
Underhanded dealings like Stampado's especially demonstrate the absolute need for regular, off-system backups. (Lennon, 2001) Off-system is important because the operating system's automatic backups, such as Windows Shadow Copies, can be and are deleted by most ransomware attacks. (Abrams, 2016 May) This style of attack, despite its increasing popularity and ease of payment, is not new, as demonstrated by the writings of Oswald (2006) and Giri, Jyoti, & AVERT (2006). All indications are that it will continue to get worse before it gets better, too. (Talos, 2016)
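Since deleting the local shadow copies is the step that turns an infection into an unrecoverable one, it is also a good place to alert. The following is an added example, not code from the original post: a small detection pass over constructed process-creation records (fields modelled on what an EDR or Sysmon feed provides; the command lines are assumed to be the common built-in ways shadow copies get removed, so extend the patterns for your environment).

```python
import re

# Constructed process-creation events (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4412, "parent_image": r"C:\Users\alice\AppData\Local\Temp\invoice_scan.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 4420, "parent_image": r"C:\Users\alice\AppData\Local\Temp\invoice_scan.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 5100, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},              # read-only, no alert
    {"pid": 5200, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe quarterly_report.txt"},
    {"pid": 5300, "parent_image": r"C:\Program Files\BackupAgent\agent.exe",  # hypothetical agent
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /for=C: /oldest"},
]

# Command lines that remove Volume Shadow Copies (assumption: the usual built-in tools).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.IGNORECASE),
]

# A parent living in a user profile directory (where a freshly opened attachment
# runs from) is far more suspicious than a backup agent pruning old snapshots.
USER_PROFILE = re.compile(r"^[A-Z]:\\Users\\", re.IGNORECASE)


def is_shadow_copy_deletion(cmdline):
    """True when the command line matches a known shadow-copy deletion."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def severity(event):
    """High when the parent is a user-profile binary, medium otherwise."""
    return "high" if USER_PROFILE.match(event["parent_image"]) else "medium"


def detect(events):
    """Return one alert dict per event that deletes shadow copies, in input order."""
    alerts = []
    for ev in events:
        if is_shadow_copy_deletion(ev["cmdline"]):
            alerts.append({"pid": ev["pid"], "severity": severity(ev),
                           "parent_image": ev["parent_image"], "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity'].upper()}] pid={a['pid']} parent={a['parent_image']} :: {a['cmdline']}")
```

The medium-severity alert for the backup agent is deliberate: legitimate snapshot pruning exists, so the parent image is what separates housekeeping from the attack the post describes.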
Abrams, L. (2016, September 15). Stampado: Taking Ransomware Scumbaggery to the Next Level. Bleeping Computer. http://www.bleepingcomputer.com/news/security/stampado-taking-ransomware-scumbaggery-to-the-next-level/
Abrams, L. (2016, May 9). Locky Ransomware Information, Help Guide, and FAQ. http://www.bleepingcomputer.com/virus-removal/locky-ransomware-information-help
Gillum, J. & Dishneau, D. (2016, Mar 29). FBI probing virus behind outage at MedStar Health facilities. AP. http://bigstory.ap.org/article/cf41601903fd4cc492718c12b01d9d1c/fbi-probing-virus-behind-outage-medstar-health-facilities
Giri, B. N., Jyoti, N., & AVERT, M. (2006). The Emergence of Ransomware. AVAR 2006.
Léveillé, M. (2014, December). TorrentLocker: Ransomware in a country near you. ESET. http://www.welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf
Lennon, S. (2001, August). Backup Rotations - A Final Defense. SANS Institute.
Krebs, B. (2013, November 13). How To Avoid CryptoLocker Ransomware. Krebs on Security. http://krebsonsecurity.com/2013/11/how-to-avoid-cryptolocker-ransomware
Talos. (2016). Ransomware: Past, Present, and Future. http://blog.talosintel.com/2016/04/ransomware.html
Spring, T. (2016, May 13). Cerber Ransomware on the Rise, Fueled by Dridex Botnets. ThreatPost. https://threatpost.com/cerber-ransomware-on-the-rise-fueled-by-dridex-botnets/118090/
Oswald, E. (2006, July 24). Ransomware becoming a serious problem. BetaNews.
Monday, September 12, 2016
Lower cost education, not cheaper
This is really cool!
At UMUC, we are committed to saving students time and money by reducing or eliminating the need to purchase textbooks and other course materials. Starting in fall 2016, most graduate textbooks will be replaced with no-cost electronic resources, also referred to as Open Educational Resources (OERs). With the exception of some courses that require the use of specific software or content that cannot be accessed for free, students will not need to purchase any course materials. The Cybersecurity Programs NO longer use textbooks. None of the courses require them.
Sunday, September 11, 2016
Join me for another Semester
COURSE OUTCOMES
At the end of this course, students should be able to:
- Identify the basic principles and tools used in computer forensics.
- Understand the main techniques used in data acquisition and analysis and in recovering image files.
- Critically evaluate the procedures in processing crime and incident scenes, especially on digital evidence controls, and in presenting digital evidence in court.
- Analyze the specific forensic techniques for Windows, Mac, Unix, and cell phone operating systems.
- Discuss the main issues and techniques associated with network forensics and malware investigation.
- Explain the issues, procedures and techniques used in contingency planning, cyber attack recovery, and business continuity planning and execution.
Interesting:
There are no textbooks in this course. Only Open Educational Resources (OERs) are being used. Class starts tomorrow, so my posts here should start around the following Wednesday.
Time to learn Cyber Crime Investigation and Digital Forensics
Monday, August 29, 2016
One of these is not like the other one
A few weeks ago I was scrolling through Twitter and tossing out the occasional pointless comment, as is my wont, when I saw a comment that struck me as familiar with coding problems I've run into before...
Well, this seemed like a big deal at the time.
Wow. I wish I'd had that kind of visibility when I was doing less time-wastey things like running for United States Congress.
I have had to try and work with Authenticode in the past. It is a bear! Things like security catalogs instead of just embedding the signature make an already difficult thing to implement even harder. The APIs don't even work right on Windows XP... Microsoft invented the damn thing; if they can't implement it, how can I be expected to? Anyway, since I was familiar with the problem, it was a good time to toss out a comment.
Our antivirus apparently can't understand security catalogs and just flagged a Windows system file as suspicious because no authenticode.
— SwiftOnSecurity (@SwiftOnSecurity) August 12, 2016
After tossing out that line I just continued reading Twitter until...
@SwiftOnSecurity As a past developer: security catalogs make validating authenticode signing a pain. But such a problem shouldn't go AV live
— Cyber Pathologist (@SecsAndCyber) August 12, 2016
It wasn't until the next day that I noticed what the SwiftOnSecurity bump had done to my post views.
Something changed. Guess which day had the retweet.
Sunday, May 1, 2016
Badware is short for Blocked Adware
Last week an article that I collaborated on was published. So far this has been the crowning achievement of my short time with Cisco, a short but amazing time. Malware analysis is my absolute passion and being able to turn software analysis into globally deployed protection in days is the best.
When I was presented with a strange piece of software I knew it would be another excellent chance to tear into the inner workings of a tool. I didn't know yet it would be the basis of an article to a professional Threat Intelligence blog. I really didn't know the splash it would make across digital media.
In no particular order I will list all of the references that I can find to that article (these links are not endorsement, nor disparagement, of the linked article!):
- Cisco accuses Tuto4PC of deliberately spreading malware to 12 million PCs
- Tuto4PC Slams Cisco’s Claim The Company Infected 12 Million Computers
- Cisco: 12 Million Computers Infected By Tuto4PC Malware
- French outift installs back-doors in 12 million PCs
- TUTO4PC UTILITIES SILENTLY INSTALL 12M BACKDOORS, CISCO
- Cisco Accuses French Software Maker of Installing Backdoors on 12M Computers
- 'Wizz' kids: Talos researchers pinpoint French firm as source of spyware-adware threat
- Adware from French runs away and hides on 12M machines
- Top Story: 12 million duped into downloading malware that steals your information
- Cisco researchers find backdoor installed on 12 million PCs
- Malware menace with 'scary' backdoor strikes 12 million machines
- Cisco Finds Backdoor Installed on 12 Million PCs
Non-English:
- Cisco accuse le français Tuto4PC de diffuser un malware
- Sécurité : Cisco tacle les méthodes agressives du Français Tuto4PC (MAJ)
- Tuto4PC, Cisco accuse la firme française d’installer des backdoors sur des millions d’ordinateurs
- Компания из Франции спрятала бэкдор в 12 миллионах компьютеров
- Un desarrollador de software francés acusado de instalar backdoors en 12 millones de ordenadores
- Cisco: Frans bedrijf plaatst backdoor op 12 miljoen computers
- Ερευνητές της Cisco βρήκαν κερκόπορτες σε 12 εκατομμύρια υπολογιστές
The discussion of it has not only been limited to news sites:
- A slashdot discussion:
- A malware analyst's personal blog:
I was most touched by the brief shout out on the blog of Mary Ellen, @icanhaspii. Media is great, but recognition from a practitioner means far more to me than a big pile of media comment.
This being a personal blog nothing contained in this article should be construed as anything except my personal opinions. I do not speak for, nor represent, Cisco.
Updated Links:
A Post that sat as a draft for a very long time
A vulnerability that I have interacted with in the wild and have had to intentionally avoid myself is the venerable SQL injection. In a sentence, SQL injections are vulnerabilities where input is improperly combined with commands in a way that lets the input be interpreted as SQL statements (Vacca, 2009). The obvious use of passing arbitrary commands to a database is to read additional data, which is exactly what an attacker targeting a SQL injection gets. Additionally, if the running account has write access, the injection can also be used to corrupt the integrity of the database, even going so far as to erase data, as was captured in the classic XKCD comic about Little Bobby Tables (Munroe, 2007).
The danger from exposing a SQL injection goes far beyond letting users read extra data or destroy some, though. Halfond, Viegas, and Orso enumerate a whole set of possible attacker intentions that can be realized through SQL injections: database fingerprinting, learning the database schema, extracting data, changing or inserting data, causing denial of service, avoiding detection, skipping traditional authentication, elevating privileges, and command execution (2006). Some of these can be really easy, such as fingerprinting the database in use: when first stumbling on the injection, an error may be dumped to the output containing the database version, the query that ran, the software name, the operating system, and more. (Halfond et al., 2006)
In a Black Hat Briefing, Guimarães describes some of the really nasty and unexpected things that attackers can accomplish through SQL queries. MySQL can use the LOAD_FILE function to read an arbitrary file on disk, allowing the extraction of sensitive data that isn't even in the targeted database (Guimarães, 2009). MS SQL Server and PostgreSQL also have commands that can be used to extract arbitrary files. MySQL allows the INTO DUMPFILE clause to write to arbitrary files, as does the PostgreSQL lo_export() function (Guimarães, 2009).
Even though arbitrary read/write access to the remote system is nearly enough to fully own the target, SQL injections can provide even more access. MS SQL Server allows the importing of user-defined functions from DLLs with CREATE ASSEMBLY (Patel, 2010). Being able to load an executable into the remote database process, combined with the previously mentioned ability to write the desired executable to the system, is total access at the level of the database account. It literally allows you to run anything you can write. Finally taking the cake, MS SQL Server even provides an xp_cmdshell() stored procedure to provide raw shell command execution (Guimarães, 2009). Game over.
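Everything above starts from input being spliced into the statement text. As an added example that is not part of the original post, here is the improperly combined query beside its parameterised form, using Python's sqlite3 and a constructed in-memory users table; the "x' OR '1'='1' --" input is a constructed instance of the authentication-skipping intention from the Halfond et al. list, and the error-leak helper shows the fingerprinting point (an echoed driver error).

```python
import sqlite3


def make_db():
    """Build a constructed in-memory users table (sample data, not a real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn, username, password):
    """Input is spliced into the SQL text, so quotes and comment markers in the
    input change the grammar of the statement: the injection described above."""
    query = (f"SELECT username, role FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Parameterised query: the driver passes input as data, never as SQL syntax."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def error_leak(conn, username):
    """Fingerprinting: a malformed input makes the vulnerable query fail, and an
    application that echoes the driver error hands the attacker parser details.
    Returns the error text (what a careless page would print), or None."""
    try:
        login_vulnerable(conn, username, "x")
    except sqlite3.Error as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    conn = make_db()
    bypass = "x' OR '1'='1' --"   # constructed authentication-bypass input
    print("vulnerable:", login_vulnerable(conn, bypass, "wrong"))  # every user row
    print("safe:      ", login_safe(conn, bypass, "wrong"))        # []
    print("leak:      ", error_leak(conn, "o'brien"))              # parser error text
    print("safe name: ", login_safe(conn, "o'brien", "pw"))       # [] and no error
```

The last two calls make the secondary point: a name containing an apostrophe breaks the string-built query outright, while the parameterised version handles it as plain data, so the fix is a correctness fix as well as a security one.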
Guimarães, B. D. A. (2009). Advanced SQL injection to operating system full control. Black Hat Europe, white paper.
Halfond, W. G., Viegas, J., & Orso, A. (2006, March). A classification of SQL-injection attacks and countermeasures. In Proceedings of the IEEE International Symposium on Secure Software Engineering (Vol. 1, pp. 13-15). IEEE.
Munroe, R. (2007, October 10). Exploits of a Mom. XKCD. Retrieved from https://xkcd.com/327/
Patel, V. (2010, September 27). Creating User-Defined Functions in Microsoft SQL Server. Database Journal. Retrieved from http://www.databasejournal.com/features/mssql/article.php/3904491/Creating-User-Defined-Functions-in-Microsoft-SQL-Server.htm
Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann.