Monthly Archives: March 2015

Some thoughts on ‘Dridex Reminds Us: You Can’t Prevent What You Can’t Detect’

28 March 2015

The latest Bromium post is really worth reading. Dridex is a further development of the Cridex Trojan. Dridex’s only goal is to steal your online banking credentials, to allow cyber-criminals to empty your bank accounts.

Dridex is a real beast. The developers hide the payload in Microsoft Office AutoClose macros to get around the protection offered by the built-in sandboxing technology. Properly configured, protected mode is a real obstacle for an attacker, but the bad guys had taken even this into account.

Michael Mimoso writes on Threatpost: ‘While macros are disabled by default since the release of Office 2007, the malware includes somewhat convincing social engineering that urges the user to enable macros—with directions included—in order to view an important invoice, bill or other sensitive document.’

The first line of defense, user awareness, has failed spectacularly! If someone tries to persuade you to disable protected mode for viewing an email attachment, it is very likely that this is a cyber-attack.

Task virtualization would have protected the user in this case. But even task virtualization has its limitations. From my point of view, well-trained users, who are aware of the dangers of the internet, are the first line of defense today. Technology supports them in staying secure

… unless the users deactivate it or the attackers bypass it.
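The macro prompt Dridex relies on only works because the user is still allowed to click ‘Enable Content’. As an added example (not code from the original post), the following PowerShell sets the documented VBAWarnings policy value for Office 2013 (version key 15.0) so that there is nothing left for the user to enable; the application list and the version number are assumptions to adjust for your environment, and in production the same values would be delivered by Group Policy rather than written locally.

```powershell
# Added example, not code from the original post: per-application macro policy
# for Office 2013 (version key 15.0). Value meanings are the documented
# VBAWarnings levels; the application list and version are assumptions.

function Set-OfficeMacroPolicy {
    param(
        [ValidateSet('EnableAll', 'DisableWithNotification', 'DisableExceptSigned', 'DisableAll')]
        [string]$Level = 'DisableAll',
        [string]$OfficeVersion = '15.0',
        [string[]]$Applications = @('Word', 'Excel', 'PowerPoint')
    )
    $levels = @{ EnableAll = 1; DisableWithNotification = 2; DisableExceptSigned = 3; DisableAll = 4 }
    foreach ($app in $Applications) {
        # The Policies hive overrides whatever the user selects in the Trust Center.
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name VBAWarnings -Value $levels[$Level] -Type DWord
    }
}

function Get-OfficeMacroPolicy {
    param(
        [string]$OfficeVersion = '15.0',
        [string[]]$Applications = @('Word', 'Excel', 'PowerPoint')
    )
    $names = @{ 1 = 'EnableAll'; 2 = 'DisableWithNotification'; 3 = 'DisableExceptSigned'; 4 = 'DisableAll' }
    foreach ($app in $Applications) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $value = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        [pscustomobject]@{
            Application = $app
            VBAWarnings = $value
            # No policy value: the user decides; the Office default since 2007 is
            # "disable with notification", which is exactly the prompt Dridex abuses.
            Policy      = if ($null -eq $value) { 'not set (user-controlled)' } else { $names[[int]$value] }
        }
    }
}

# Sample usage:
# Set-OfficeMacroPolicy -Level DisableExceptSigned   # if signed internal macros are needed
# Get-OfficeMacroPolicy | Format-Table -AutoSize
```

DisableAll removes the prompt entirely; organizations that depend on internal macros can use DisableExceptSigned and sign those macros with an internal certificate, which still leaves an unsigned invoice attachment with nothing to enable.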

Have a good weekend.

Windows 2008 R2 Server is a bad choice as successor for Windows 2003 Server

26 March 2015

Windows 8.1 / Server 2012 R2 represent a quantum leap for users and companies in terms of security. Important new security features like

  • Restricted Admin mode for remote desktop connections,
  • LSA Protection,
  • Protected users group and
  • the removal of clear text credentials from the lsass process

make an attacker’s life harder. Compared to Windows 8.1 / Server 2012 R2, the earlier Windows versions are inherently insecure.

Therefore it’s truly confusing when IT groups advise users to migrate from Windows 2003 Server to Windows 2008 Server for operational reasons. In the past weeks I often heard terrifying statements like ‘If you prefer to be the guinea pig, go for version 2012’. From a security point of view this is a catastrophe.

With update KB2871997 Microsoft backported some of the new security features to Windows 7/8/Server 2008 R2. For a very good overview please see Sean Metcalf’s report published on Active Directory Security.

Unfortunately the most important features, Restricted Admin Server mode and LSA protection, were not backported. Protection for Windows 7 is better with the update, but Windows 2008 Server is still relatively simple to attack.

With that, the recommendation is to migrate to Windows 2012 R2 Server, provided that the application vendor gives support for this version.

I strongly recommend enforcing Restricted Admin Server mode to protect the administrator credentials.
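To make the recommendation concrete, here is an added PowerShell example (not code from the original post) that reports whether LSA Protection and Restricted Admin RDP are switched on at a Windows 8.1 / Server 2012 R2 host, enables them, and puts an administrative account into the Protected Users group. The registry values are the documented ones; the Protected Users step assumes the ActiveDirectory module (RSAT) and a domain at the 2012 R2 functional level, and the account name is a constructed sample.

```powershell
# Added example, not code from the original post. Run from an elevated session.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-CredentialProtectionState {
    $lsa = Get-ItemProperty -Path $LsaKey
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OSVersion    = [Environment]::OSVersion.Version.ToString()
        # RunAsPPL = 1: LSA runs as a protected process (LSA Protection), so
        # unsigned code can no longer read lsass memory or inject into it.
        LsaProtection = ($lsa.RunAsPPL -eq 1)
        # DisableRestrictedAdmin = 0: the host accepts Restricted Admin RDP
        # sessions (mstsc /restrictedAdmin) in which the admin's credentials are
        # never sent to the remote host. A missing value means "not enabled".
        RestrictedAdminRdp = ($null -ne $lsa.DisableRestrictedAdmin -and $lsa.DisableRestrictedAdmin -eq 0)
    }
}

function Enable-CredentialProtection {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$RebootWhenDone)
    if ($PSCmdlet.ShouldProcess($LsaKey, 'Set RunAsPPL = 1 (LSA Protection)')) {
        Set-ItemProperty -Path $LsaKey -Name RunAsPPL -Value 1 -Type DWord
    }
    if ($PSCmdlet.ShouldProcess($LsaKey, 'Set DisableRestrictedAdmin = 0 (accept Restricted Admin RDP)')) {
        Set-ItemProperty -Path $LsaKey -Name DisableRestrictedAdmin -Value 0 -Type DWord
    }
    # RunAsPPL only takes effect after a restart.
    if ($RebootWhenDone) { Restart-Computer -Force }
}

function Add-ProtectedUser {
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    # Members of Protected Users cannot authenticate with NTLM, cannot use DES
    # or RC4 Kerberos keys, cannot be delegated and get a 4-hour TGT lifetime.
    # Intended for administrative accounts, never for service accounts.
    Add-ADGroupMember -Identity 'Protected Users' -Members $SamAccountName
}

# Sample usage (constructed account name):
# Get-CredentialProtectionState
# Enable-CredentialProtection -WhatIf
# Add-ProtectedUser -SamAccountName 'adm-jdoe'
```

Two caveats a practitioner will want: the host-side Restricted Admin setting changes nothing for ordinary RDP logons, the protection only applies when the client actually connects with mstsc /restrictedAdmin; and LSA Protection refuses to load unsigned LSA plug-ins, so third-party authentication packages must be checked before RunAsPPL is rolled out broadly.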

Have a good day.

How to Mitigate the Risk of Cyber Attacks? The Principle of Least Privilege shows the Direction!

21 March 2015

Lysa Myers writes in ‘Premera Breach: Healthcare businesses in the crosshairs’, published on 18 March 2015 on welivesecurity.com, about ‘five things businesses should be doing to help decrease risk and mitigate damage in case of a breach.’

I find it most remarkable that one of her recommendations is to enforce the Principle of Least Privilege in daily business. In my opinion this is a step in exactly the right direction.

Enforce the principle of least privilege across the entire IT infrastructure and application stack and you will gain back control.

For example, access to the company network should be granted only to those people who need this to do their job. In addition, access should only be possible during standard working hours, and, in the best case, from a single computer at a time.

This will prevent attackers from accessing the company network outside the working hours and from using an account during working hours from another computer.
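As an added example (not code from the original post), the two restrictions from the paragraph above can be applied to an Active Directory account with PowerShell: a logon-hours mask covering standard working hours, and a single permitted workstation. It assumes the ActiveDirectory module in a domain-joined, elevated session; the account name, workstation name and the 07:00-18:00 UTC window are constructed sample values.

```powershell
# Added example, not code from the original post.

function New-LogonHoursMask {
    param(
        [int[]]$Days = 1..5,   # 0 = Sunday ... 6 = Saturday
        [int]$StartHour = 7,   # first allowed hour, UTC (inclusive)
        [int]$EndHour = 18     # first blocked hour, UTC (exclusive)
    )
    # logonHours is a 21-byte bitmask: 7 days x 24 hours, one bit per hour,
    # starting Sunday 00:00 UTC. Assumption used here: within each byte the
    # least significant bit is the earliest hour. Check the result once in
    # Active Directory Users and Computers, which displays it in local time.
    $mask = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($hour = $StartHour; $hour -lt $EndHour; $hour++) {
            $bit = $day * 24 + $hour
            $index = $bit -shr 3
            $mask[$index] = $mask[$index] -bor (1 -shl ($bit -band 7))
        }
    }
    return ,$mask
}

function Get-AllowedHourCount {
    param([Parameter(Mandatory)][byte[]]$Mask)
    $count = 0
    foreach ($byte in $Mask) {
        $value = [int]$byte
        while ($value -ne 0) { $count += $value -band 1; $value = $value -shr 1 }
    }
    return $count
}

function Set-LeastPrivilegeLogon {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Workstation,   # NetBIOS name; comma-separate several
        [byte[]]$LogonHours = (New-LogonHoursMask)
    )
    # LogonWorkstations restricts where the account may log on; logonHours is
    # checked by the domain controller for every new logon.
    Set-ADUser -Identity $SamAccountName -LogonWorkstations $Workstation -Replace @{ logonHours = $LogonHours }
    $user = Get-ADUser -Identity $SamAccountName -Properties LogonWorkstations, logonHours
    [pscustomobject]@{
        SamAccountName      = $user.SamAccountName
        LogonWorkstations   = $user.LogonWorkstations
        AllowedHoursPerWeek = Get-AllowedHourCount -Mask $user.logonHours
    }
}

# Sample usage (constructed names): 5 days x 11 hours = 55 allowed hours per week
# Set-LeastPrivilegeLogon -SamAccountName 'jdoe' -Workstation 'WS-JDOE01'
```

Logon hours are enforced for new logons only; to terminate a session that is still running when the window closes, the security option ‘Network security: Force logoff when logon hours expire’ has to be set as well, and a session-limit policy on the workstation is what actually gets the user off the desk.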

From this example it becomes clear that, to enforce the Principle of Least Privilege, changes have to be applied to all sides (People, Processes and Technology) of the Golden Triangle of IT security.

In addition, the principle of Separation of Duties should be enforced for access to business critical information. In any case, access to critical information should be approved by the information owner. In the best case, access should only be possible if the information owner and the employee are logged in at the same time in the application system.

Enjoy Lysa’s post, and have a good weekend.

Premera hacked – 11 million financial and medical records stolen

19 March 2014

When the news about the Premera hack showed up in my mailbox this afternoon I was really amazed. For the second time this year a health insurance company was hit.

While skimming the news about the Premera attack I wondered when the magic word ‘encryption’ would appear for the first time. Finally I found this statement in Warwick Ashford’s post ‘Premera hack exposes 11 million financial and medical records’. Richard Blech, chief executive of security firm Secure Channels, said:

“With advanced and unhackable encryption, the hacker is left with a bunch of useless bits and bytes.”

Richard Blech talks about encryption at the application level. Application level encryption is not as useless as database level transparent encryption in the defense against attackers.

But even application level encryption is almost useless against malicious insiders because, apart from the fact that they use stolen login data, they sign in to the company just like a normal employee. Therefore they are able to access even data which are encrypted at the application level, because they are authorized to do so.

In my opinion, using advanced encryption as the core process of a protection strategy is as irresponsible as using no encryption at all. Strict Identity and Access Management, combined with Two-Factor Authentication for all employees, and regular security trainings form the first and second lines of defense. Encryption is the last line of defense.

Take care!

Some thoughts on Email Filtering and Anti-Spam

14 March 2015

I fully agree with Paul Kubler’s post ‘Here’s Why Email Filtering Needs to be More than Just Anti-Spam’ published last Friday on LIFARS.

In my opinion we have to tackle this problem from at least 3 sides.

First of all, it is time for the email providers to take action. In my post about free email providers I showed that none of the major German providers use properly configured anti-malware systems. I estimate that the number of phishing attacks could decrease by 90% if the email providers would just reject all mails with malicious content or attachments at the moment they are submitted.

Second, it is important to capture the users’ attention. Awareness campaigns, with well-made but harmless phishing attacks and direct feedback, will raise attention and save a lot of hassle. Train the users to identify the main features of phishing attacks and the proper countermeasures to take.

Finally, we can implement some technical measures to support users in acting correctly when they receive a malicious email:

  • Configure your email client program to display all mails in plain text.

In this case all links are displayed in plain text. Even an inexperienced user can see that the link is not part of the sender’s domain and is most likely part of a cyber-attack.

Sample Phishing Mail displayed in plain text format

  • Turn off attachment preview.

A previewer must parse an attachment in order to display it. In the worst case, malicious code included in the attachment is executed and compromises your system.

  • Turn on SmartScreen filtering.

SmartScreen Filtering blocks access to known malicious sites.
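The first measure, plain-text display, is the one that makes the link-versus-sender mismatch visible. As an added example (not code from the original post), the PowerShell below sets Outlook’s documented ReadAsPlain value for Office 2013 (version key 15.0, an assumption to adjust) and then performs, in code, the same comparison a user is expected to make by eye: every http(s) link in a message is checked against the domain in the From header. The sample mail is constructed.

```powershell
# Added example, not code from the original post.

function Enable-OutlookPlainText {
    param([string]$OfficeVersion = '15.0')   # 15.0 = Office 2013 (assumption)
    $key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # ReadAsPlain = 1: Outlook renders every received message as plain text.
    Set-ItemProperty -Path $key -Name ReadAsPlain -Value 1 -Type DWord
}

function Find-ForeignLinks {
    param([Parameter(Mandatory)][string]$RawMail)
    # Sender domain taken from the first From: header line.
    $sender = [regex]::Match($RawMail, '(?im)^From:.*?@([a-z0-9.-]+)').Groups[1].Value.ToLower()
    # Every http(s) URL that would be visible in the plain-text body.
    $urls = [regex]::Matches($RawMail, 'https?://[^\s<>"'']+') | ForEach-Object { $_.Value }
    foreach ($url in $urls) {
        $uri = $null
        if (-not [Uri]::TryCreate($url, [UriKind]::Absolute, [ref]$uri)) { continue }
        $linkHost = $uri.Host.ToLower()
        # Same domain only if the host equals the sender domain or is a subdomain of it;
        # "examplebank.example.login-verify.invalid" is NOT a subdomain of examplebank.example.
        $sameDomain = ($linkHost -eq $sender) -or $linkHost.EndsWith(".$sender")
        [pscustomobject]@{
            Url          = $url
            Host         = $linkHost
            SenderDomain = $sender
            Suspicious   = -not $sameDomain
        }
    }
}

# Constructed sample phishing mail, as it would appear in plain-text view.
$sample = @'
From: "Example Bank" <service@examplebank.example>
Subject: Your account has been locked

Please confirm your identity at
http://examplebank.example.login-verify.invalid/confirm?id=12345
Help center: https://www.examplebank.example/help
'@

# First link is flagged Suspicious, the second is not.
Find-ForeignLinks -RawMail $sample | Format-Table -AutoSize
```

This is a display aid, not a filter: the From header is trivially forged, and legitimate newsletters routinely route links through third-party tracking domains, so a ‘Suspicious’ result means ‘look closer’, not ‘block’.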

That’s it for today. Have a good weekend.

The Good and the Evil of Auto-Updaters

7 March 2015

This week I had a lot of delightful discussions with software developers during some security assessments.

Software development in very dynamic sectors thrives on the rapid deployment of new functions and bug fixes. In large IT organizations in particular, the classic software rollout concept based on software packaging and distribution is often too slow to meet the needs of these users.

Often, developers try to solve this deployment challenge with auto-updaters. For the initial rollout, classic software packaging and distribution is used. Once a bug fix or new function has been regression tested, a new version is built and pushed to the update server.

At every program startup the auto-updater checks the update server. If a newer program version is available, the auto-updater installs it on the user’s computer and starts the new version.

This is a very charming concept. Users and developers love it because it is fast and reliable. And help desk staff love it because it ensures that all users work with the same version.

Unfortunately auto-updaters are popular targets for attackers. For example, in the Home Depot data breach, which became public in November 2014, cyber criminals attacked the company’s software deployment system and deployed custom-built malware to point-of-sale devices.

It is very important that developers become aware of these attack vectors. Update servers, build servers and source control systems are very valuable targets for attackers. The mass rollout of malicious software is easy if an attacker gains access to a build or update server. And anti-malware or task virtualization software is largely useless because the installation is initiated by the end-user.

Spring is near

In my opinion it is very important that organizations secure their software development infrastructure and development processes, accompanied by regular security awareness trainings for developers. If possible, enforce the Separation-of-Duties principle for all critical processes.

This is also true for the very popular PowerShell scripts which simplify the job of administrators. If an attacker injects some code into scripts which are used for the administration of a company’s servers … Don’t panic!
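One technical control that limits the damage from a compromised update server, and that applies equally to the administration scripts just mentioned, is to make the updater refuse anything that is not signed by the publisher’s own code-signing certificate. The following is an added PowerShell example (not the code of any project described in the post): Get-AuthenticodeSignature is a standard cmdlet; the update URL, install path and certificate thumbprint are placeholders.

```powershell
# Added example, not code from the original post. The signature check, not
# TLS, is what establishes who built the file that is about to be installed.

function Test-TrustedUpdate {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedThumbprint   # SHA-1 thumbprint of your signing cert
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the signature verifies and chains to a trusted root.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "${Path}: signature status is $($sig.Status)"
        return $false
    }
    # Any trusted publisher is not good enough: pin your own certificate.
    $actual = $sig.SignerCertificate.Thumbprint
    if ($actual -ne $ExpectedThumbprint) {
        Write-Warning "${Path}: signed by $($sig.SignerCertificate.Subject) ($actual), not the pinned publisher"
        return $false
    }
    return $true
}

function Install-VerifiedUpdate {
    param(
        [Parameter(Mandatory)][string]$UpdateUrl,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    $tmp = Join-Path $env:TEMP ('update-' + [guid]::NewGuid() + '.msi')
    # TLS protects the download in transit; it does not prove who produced the file.
    Invoke-WebRequest -Uri $UpdateUrl -OutFile $tmp -UseBasicParsing
    try {
        if (-not (Test-TrustedUpdate -Path $tmp -ExpectedThumbprint $ExpectedThumbprint)) {
            throw "Update rejected: $UpdateUrl"
        }
        Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$tmp`" /qn" -Wait
    }
    finally {
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
}

# Usage (placeholder values):
# Install-VerifiedUpdate -UpdateUrl 'https://updates.example/app-1.2.3.msi' `
#     -ExpectedThumbprint 'PLACEHOLDER_SHA1_THUMBPRINT'
# The same check works for administration scripts before they are run:
# Test-TrustedUpdate -Path 'C:\Admin\Scripts\Rotate-ServiceAccounts.ps1' `
#     -ExpectedThumbprint 'PLACEHOLDER_SHA1_THUMBPRINT'
```

Pinning a thumbprint ties the updater to one certificate, so a certificate rotation has to ship inside a release that is still signed with the old one. For scripts, Set-ExecutionPolicy AllSigned gives the same ‘unsigned does not run’ guarantee machine-wide; it is the signing key, kept off the build and update servers, that turns Separation of Duties into something an attacker on those servers cannot bypass.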

That’s it for this week. Have a good weekend.