Monthly Archives: February 2015

Marco viruses on the rise – The Sleeping Beauty slumber is over

28 February 2015

For some month reports about macro viruses are constantly appearing in the IT press. Although the latest report, ‘Macro viruses reemerge in Word, Excel files’, published by Michael Heller on the TechTarget platform SearchSecurity at 24 February 2015, could make us feel somewhat insecure, there is in my opinion no reason to panic.

From the statistics created by security firm Kaspersky, we see that attackers used Microsoft Office in 1% of all cases for the distribution of exploits in 2014. In total Kaspersky products detected and neutralized 6.167,233,068 cyber-attacks in 2014. This means that Word or Excel were used in 61,763,330 cyber-attacks, 2.3 times more than in 2013.

Sounds anything but dangerous. Moreover, we are better prepared than 15 years ago, when macro viruses were most popular. Many protection measures are common sense, but sometimes it’s good to recap.

With that, I suggest:

  1. Please make sure that your anti-malware program is always up-to-date.
  2. Configure Macro Settings in Microsoft Office Trust Center. Choose ‘Disable all macros with notification’ as default:

    Disable Macros With Warnings Settings in Trust Center

    ‘Disable all Macros With Notifications’ in Trust Center

  3. Use Windows Update to keep Microsoft Office and Windows up-to-date with the latest patches.
  4. On 64 bit Windows please activate ‘enhanced Protection Mode’ in Internet Explorer. This will force Windows to run Internet Explorer in Container Mode at low integrity level. In addition, please download all files to the default download location.
  5. Enable SmartScreen Technology in Internet Explorer. Malicious files are downloaded from malicious sites. SmartScreen Technology supports you by blocking downloads from known malicious sites.
  6. Try working with standard user rights. This limits the impact of an attack to the operating system
  7. The last and perhaps the most important rule: Think twice before you click on a word or excel file stored in an untrusted site. As a rule of thumb the entire Internet is an untrusted site, and of course all email attachments.

There’s really no need to panic. Macro viruses are no rocket science. The available protection measures are enough to deal with this old stuff.

Have a good weekend!

Anthem hacked – company says five employee’s credentials phished and used

26 February 2015

In his report ‘Anthem: company says five employee’s credentials phished and used’ posted on IT Security Guru at 12 February 2015, Dan Raywood gives us some background details about how the hack occurred.

The attackers used a phishing attack to steal the credentials of employees. To be honest, I’m relieved to hear that. No rocket science! Phishing is and remains the #1 attack vector.

Awareness training and Two Factor Authentication are the preferred preventive protection measures. Anthem did the right thing. In report ‘Anthem’s IT system had cracks before hack’ we read: ‘Then on Feb. 7 and 8, Anthem reworked all its IT accounts that have privileged access to sensitive information to now require three layers of authentication—a permanent login, a physical token, and a temporary password that changes every few hours.’

If Two Factor Authentication could not be implemented, SmartScreen Filtering in Internet Explorer or the Reported Attack Site Blocker in Firefox could be helpful. The error messages can hardly be ignored:

SmartScreen Warning Phishing Attack

SmartScreen Warning Phishing Attack

Some anti-malware packages, e.g. Trend Micro Maximum security, will also block access to malicious sites. But the above options are of limited use in the case of zero day exploits, although it’s amazing to see how fast the filters are updated.

Have a good day! … And,  don’t forget to activate SmartScreen Filtering as soon as possible.

Free email providers are preferred distribution channels for malware

21 February 2015

Thursday morning I got a very puzzling e-mail. A collection agency informed me of an allegedly not paid invoice and threatened me with defaulted interest and overdue fines.

But, I conduct no business with Pay Bank AG. In addition the mail was sent from a GMX, a Germany based free mail service, address and not from the Pay Bank AG domain.

This was just another spam mail, but, compared to others, well and convincing written. The message was crystal clear: Open the attachment!

In the evening I checked the attachment and found nested zip files. The inner zip file contained a program that appeared to be the data-gathering malware Win32/Zbot.gen!plock (TROJ_DLOADR.JCQ). Fortunately the anti-malware program on my computer removed the malware during download to my hard disk.

Sending malware in nested zip files ensures that the anti-malware systems on the e-mail provider’s mail-in servers become not aware of the malicious attachments. Scanning of archives is very time-consuming because the anti-malware system has to open the archive and to scan all files inside. Therefore nearly all anti-malware systems are configured to ignore nested zip files..

But what amazed me was that apparently no e-mail provider runs an in-depth scan of attachments. From the e-mail header I found that the mail was sent from the attacker’s computer PC14-050 to mail.gmx.com (GMX) and via mailin55.aul.t-online.de (T-Online) to SNT004-MC3F11.hotmail.com (Microsoft).

Since the malicious attachment wasn’t removed on his way to the inbox on my computer, GMX, T-Online and Microsoft use a similar, inadequate anti-malware configuration on their mail-in servers. As always, the last line of defense is the anti-malware system on the end-user’s computer.

In my opinion, this is an enormous waste of resources. Every day millions of malicious attachments clog the internet because of inadequate anti-malware configurations. We could save a lot of bandwidth for really important business, and much hassle, if mail-in servers would just reject any e-mail that has known malicious attachments.

That’s it for today. Please configure the anti-malware program, which is installed on your computer, to perform in-depth scans of attachments. Safety has priority over speed!

Have a good weekend.

Anthem Hacked – The call for ‘More of Everything’ grows louder

19 February 2015

Just some thoughts about the call for more technology, encryption, pen testing, etc.

The big question is: Would database encryption have slowed down or stopped the attackers? From my experience with Transparent Data Encryption (TDE) in the Oracle universe I can only answer: Definitely Not!

If it’s properly set up TDE works very well to prevent unauthorized access to data in rest. Administrators and users are not able to read or copy database files when e.g. the database is shut down.

But as long as the database is started TDE works transparent for all users and the administrators: They can access the data with applications or SQL tools without any restriction.

If you like to keep the administrators away from the data you must set up Oracle Database Vault on top of TDE. Database Vault acts as a firewall between the users and the administrators. Administrators can run their administrative tasks, but they could no longer access the data. In addition, the Separation of Duties principle is enforced for security critical operations like definition of users.

But what’s about malicious insiders? Malicious insiders are responsible for about two-third of all attacks, but neither TDE nor Vault would stop them from accessing all data. With Label Security a fine-grain access control system is available that gives data admins the opportunity to restrict a user to individual data sets in a table.

Sounds like rocket science, doesn’t it? Far from it. Most of this products are for several years in the market, but they are widely unknown, and, the effort for implementation is high.

That’s it for today.

For further reading please see

Anthem Cyber Hack: 5 Fast Facts You Need to Know

Anthem Breach Should Convince Healthcare To Double Down On Security

Anthem Breach Prompts New York To Conduct Cybersecurity Reviews Of All Insurers

I like STRIDE

14 February 2015

I just finished a week of hard work. Some application owners asked me to run a (short!) security assessment for a single sign-on module they use in their internal database applications.

With the help of an application manager and a copy of the PLSQL code I started developing a threat model. Thanks to the STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) frame developed by Microsoft, I was able to get a good understanding of the system and its weaknesses.

Generally threat modeling does not include a review of the program code. But in this case a closer look at the code was very helpful for understanding of the information flows and for answering the questions posed by STRIDE.

I can only recommend to every system development project: Start threat modeling as early as possible to get the most of it. Software quality and system security will increase dramatically, at no more costs.

Happy Valentine’s Day!

Anthem hacked – 80 Million data sets lost

11 February 2015

This was a really long winter break. The Sony hack is all water under the bridge now. The hackers have gone back to work, with a bang. 80 Million data sets lost. Anthem was hit particularly hard, and Anthem’s customers are hit by a wave of phishing emails.

The main question is always: How could it happen? And, what can be done to prevent such thefts in the future?

I found an interesting statement in a report published 2/4/2015 by Steve Ragan at CSO-Online:

“On January 27, 2015, an Anthem associate, a database administrator, discovered suspicious activity – a database query running using the associate’s logon information. He had not initiated the query and immediately stopped the query and alerted Anthem’s Information Security department. It was also discovered the logon information for additional database administrators had been compromised.”

This makes it clear: The attackers got access to at least the database login information of some database administrators. In addition, they had to steal some at least standard user credentials for access to company computers. This is required to start the database queries. The rest is easy!

Remind: Attackers can read in company networks like in an open book.

Once they got access to some computers, social engineering could be used to find information about the business critical databases. With an e.g. Oracle client and Microsoft Access as front end, they are able to read all data, even if the database is fully encrypted. In the case of an SQL-Server backend you do not even need a database client software installed because the ODBC driver is part of the Office installation.

The big problem is that any company workstation could be used to launch a query. Even if e.g. an Oracle client is not installed, an instant client, which could be installed by the user, is absolutely enough for access to the business critical data.

The attack surface is enormous. But it’s easy to shrink it. Most database providers offer whitelisting technologies to restrict access from computers to the database server. In the best case, only some application servers, backup systems and admin workstations must have access to the database. Include only this systems in the white list, and exclude all other computers in the black list. That’s it.

For Oracle, parameter TCP.INVITED_NODES specifies the white list, TCP.EXCLUDED_NODES the black list in the SQLNET.ora configuration file.

The only question remaining is: How could the attackers get access to the login credentials of the database admins and the standard users? Unfortunately I haven’t found any hints so far…

That’s it for today.

The technology dimension of social engineering

7 February 2015

In his post ‘Weird Security Term of the Week: “Social Engineering”’ Kurt Ellzey talks of ‘Social Engineering’ as the ‘Art of Getting Information’ about a person.

A short query on Google reveals a multitude of information that could be used to create a rough profile of a person. A malicious insider could easily enhance this profile by personal information gathered from e.g. a company intranet or SharePoint MySites.

Besides this ‘personal information’ a rich set of easy to extract ‘technical information’ about an employee is available from a company network.

A Windows workstation is a universal machine. It can be used to run an application as well as to administer a server or network. For example, the built-in ‘net’ command could be used to retrieve detailed employee account data from the Active Directory.

Some colors to fight the winter depression.

Some colors to fight the winter depression.
50°53’28.3″N 4°21’31.9″E

IAM (Identity and Access Management) systems, very often deployed as self-services to improve user satisfaction, could be used to get detailed information about the applications used by employees to get their job done.

But the worst is that this information sources are available for all employees, irrespective of whether they are needed in the job. This is a massive violation of the Principle of Least Privilege.

Attackers can read in company networks like in an open book.

And, when enriched with technical information, a personal profile becomes an invaluable information source for targeted attacks.

Just some suggestions on how to tackle these problems.

As general design principle I would strongly recommend to enforce the principle of least privilege for all information systems. Software restriction policies could be used to reject standard user access to administrative commands. IAM systems should offer only user related information on a user’s request.

I dream of an operating system which provides only those commands and applications which are essential for a user’s job. This could reduce the attack surface of a company dramatically.

Have a nice weekend!