Monthly Archives: May 2017

SambaCry – Keep Calm and Carry on

28 May 2017

Actually, it was only a matter of time until Samba, the popular implementation of the Windows SMB services on Linux and Unix, was hit by WannaCry-like malware. All versions of Samba from 3.5.0 onwards are vulnerable to CVE-2017-7494, also known as SambaCry.

The good news is that this vulnerability is complex to exploit: An attacker must upload a shared library with the malicious code to a writable samba share and then cause the server to load and execute it. Patches are available for the major Linux distributions.

How large is the problem? Shodan finds 471,578 systems which are exposed to the Internet.

SambaCry Shodan Map

90% of the systems are operated in 3 countries, the United Arab Emirates, Argentina, and Italy, by the major telecommunication providers in these countries. Since an older version of Samba is used on these internet routers, they are not vulnerable to SambaCry.

Most of the work has to be done in the United States and Germany. Although only 2% of the affected systems are operated there, many organizations are affected.

Don’t panic! Even though many systems are affected by SambaCry, this does not mean that they are vulnerable to the exploit. Remember, the malicious code has to be uploaded to a writable Samba share on the server first. Under normal conditions, Linux admins don’t open Samba shares writable to everyone on servers exposed to the internet.

Thus, the best approach to reduce the risk is to check the Linux systems at the network perimeter for publicly available Samba shares and to close the writable ones, if any. As always, it is good to have an up-to-date system inventory in place; this reduces the amount of work dramatically.
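The check recommended above, as an added example that is not part of the original post: a small smb.conf review that lists shares which are both writable and open to guests, i.e. the precondition the exploit needs. The sample configuration is constructed; the `nt pipe support = no` check refers to the workaround named in the Samba security advisory for this CVE, which the post itself does not mention.

```python
# Constructed sample smb.conf (not from any real system): [public] is the kind of
# share the post warns about, world-writable and reachable without credentials.
SAMPLE_SMB_CONF = """[global]
   workgroup = WORKGROUP

[public]
   path = /srv/samba/public
   guest ok = yes
   writable = yes

[orders]
   path = /srv/samba/orders
   read only = yes
"""
TRUE_VALUES = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}}, keys and values lowercased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()] = value.strip().lower()
    return conf

def is_writable(share):
    # Samba: writable/writeable/write ok = yes, or read only = no (default: read only = yes)
    for key in ("writable", "writeable", "write ok"):
        if key in share:
            return share[key] in TRUE_VALUES
    return share.get("read only", "yes") not in TRUE_VALUES

def is_guest_accessible(share):
    return share.get("guest ok", share.get("public", "no")) in TRUE_VALUES

def find_risky_shares(conf):
    """Shares that are both writable and open to guests: close or restrict these first."""
    return sorted(name for name, share in conf.items()
                  if name != "global" and is_writable(share) and is_guest_accessible(share))

def pipe_support_disabled(conf):
    """True if the 'nt pipe support = no' workaround from the Samba advisory is set."""
    return conf.get("global", {}).get("nt pipe support", "yes") not in TRUE_VALUES
```

Run it against the exported smb.conf of each perimeter host from the inventory; an empty list from `find_risky_shares` means the server lacks the writable share the exploit needs.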

Take care! And don’t forget to check the network perimeter to your production networks.

WannaCry, Rumsfeld and Production Firewalls

21 May 2017

Today, firewalls are the preferred means to separate a production network from a company’s intranet. Firewall configuration follows the Rumsfeld Conundrum: block everything you don’t know!

Rumsfeld Conundrum for firewall configuration

For production management and IT and OT operations, we need some communication between systems in the company intranet and the production network. These required (known) connections are defined in the firewall rule base. The firewall allows communication between these known systems, and blocks any other connection attempts.

As long as the SMB V1.0 protocol is not used for communication across the firewall, the Rumsfeld Conundrum works pretty well.

Unfortunately, the SMB protocol is frequently used to implement required connections between Windows-based computers in the company intranet and the production network, e.g. for the exchange of manufacturing orders. With this, production systems become vulnerable to WannaCry although a firewall is in place, because the firewall does not block communication across required connections. In the worst case, if WannaCry spreads across required connections to systems in the production network, this may result in loss of production.

Immediate action is required. The firewall rule base is a good starting point to determine how big the problem is, and to identify the systems that must be immediately patched or otherwise secured, if patching is not possible due to technical or regulatory restrictions.
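The rule-base review suggested above, as an added example that is not part of the original post: it reads a constructed CSV export of a firewall rule base, picks out the allow rules that carry SMB (TCP 139/445) into the production network, and lists the production-side destinations that must be patched or isolated first. The address plan and CSV column layout are assumptions.

```python
import csv
import io
import ipaddress

# Constructed rule base export (not from any real firewall). Assumed address plan:
# production network 10.20.0.0/16, company intranet 10.0.0.0/16.
RULE_BASE_CSV = """\
rule_id,action,src,dst,proto,dport,comment
1,allow,10.0.5.10,10.20.1.15,tcp,445,manufacturing orders share
2,allow,10.0.5.0/24,10.20.1.20,tcp,443,MES web interface
3,allow,10.0.9.3,10.20.2.0/24,tcp,139,legacy NetBIOS session service
4,allow,10.0.5.10,10.20.1.15,tcp,3389,remote maintenance
5,deny,any,any,any,any,cleanup rule
"""
PRODUCTION_NET = ipaddress.ip_network("10.20.0.0/16")
SMB_PORTS = {"139", "445"}  # NetBIOS session service and direct SMB

def parse_rules(text):
    return list(csv.DictReader(io.StringIO(text)))

def reaches_production(dst):
    if dst == "any":
        return True
    return ipaddress.ip_network(dst, strict=False).overlaps(PRODUCTION_NET)

def smb_exposures(rules):
    """Allow rules that carry SMB (TCP 139/445) into the production network: the
    required connections across which WannaCry can propagate despite the firewall."""
    hits = []
    for r in rules:
        if r["action"].lower() != "allow":
            continue
        proto_ok = r["proto"].lower() in ("tcp", "any")
        port_ok = r["dport"] == "any" or r["dport"] in SMB_PORTS
        if proto_ok and port_ok and reaches_production(r["dst"]):
            hits.append((r["rule_id"], r["src"], r["dst"], r["dport"]))
    return hits

def production_hosts_to_patch(rules):
    """Distinct production-side destinations reachable over SMB: patch or isolate first."""
    return sorted({dst for _, _, dst, _ in smb_exposures(rules)})

if __name__ == "__main__":
    rules = parse_rules(RULE_BASE_CSV)
    for rule_id, src, dst, port in smb_exposures(rules):
        print(f"rule {rule_id}: {src} -> {dst} tcp/{port}")
    print("patch or isolate:", production_hosts_to_patch(rules))
```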

Firewalls are an indispensable part of a defense in depth concept, but plain packet filtering is no effective means against attacks like WannaCry.

Have a good week, and take care of your production networks.

You may Wanna Cry on Monday morning if your Anti-Phishing Training was no success

14 May 2017

In the past days WannaCry has been making the headlines. I found a really well written post on Binary Defense which explains the basics of the initial infection as well as the propagation method.

WannaCry does not use any heavy sophistication methods for delivery. It first uses a password protected zip file, which has a document inside.

Packaged this way, anti-malware solutions cannot scan the attachment because they can’t enter the password needed to open it, although it is stated in the email body. Even APT (Advanced Persistent Threat) solutions may fail if they are not properly configured.

If your Anti-Phishing Awareness Training was successful, the chance of an infection is small.

In addition, it makes sense to block incoming mails with zip files which cannot be inspected by the anti-malware solution. Don’t deliver them to the users’ junk mail folder; block them on the mail gateway.
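A gateway-side check for the kind of attachment described above, added here as an example and not taken from the Binary Defense post or this blog: it flags ZIP attachments whose entries carry the encryption flag (password-protected) or that cannot be parsed at all, so the mail is blocked before delivery. The sample archive is constructed in the code; the header offsets are those of the ZIP format.

```python
import io
import zipfile

ENCRYPTED_FLAG = 0x0001  # bit 0 of the general purpose flag in each ZIP entry header

def build_sample_zip(encrypted):
    """Constructed one-entry archive. With encrypted=True the encryption bit is patched
    into the local and central directory headers, as a password-protected archive
    carries it (zipfile itself cannot write encrypted archives)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.doc", b"constructed placeholder document body")
    data = bytearray(buf.getvalue())
    if encrypted:
        # flag field offsets: 6 in the local header, 8 in the central directory header
        for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            data[data.find(signature) + offset] |= ENCRYPTED_FLAG
    return bytes(data)

def attachment_is_inspectable(zip_bytes):
    """False if the archive is malformed or any entry is encrypted, i.e. the
    anti-malware scanner cannot look inside it."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return not any(info.flag_bits & ENCRYPTED_FLAG for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def gateway_verdict(attachments):
    """attachments: {filename: bytes}. 'block' if any ZIP cannot be inspected,
    otherwise 'deliver'. The decision is made at the gateway, not in the junk folder."""
    for name, blob in attachments.items():
        if name.lower().endswith(".zip") and not attachment_is_inspectable(blob):
            return "block"
    return "deliver"
```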

This gives you the time to implement patch MS17-010, if you have not yet done so, or to isolate the affected systems from the network if patching is not possible, e.g. in GxP controlled environments.

Take care!

A key finding from the Verizon 2017 DBIR: There is no one-size-fits-all strategy for IT Security.

7 May 2017

As always, the Verizon 2017 Data Breach Investigations Report conveys a wealth of details about the security incidents and data breaches of the past year. A more detailed analysis of the attack patterns shows that different industries must implement different defense-in-depth strategies for effective protection against cyber-attacks.

Verizon 2017 Data Breach Investigations Report Attack Pattern Analysis

There is no one-size-fits-all strategy for IT security!

Have a good week!

Prevention before Detection in Industrial IT

1 May 2017

Currently, I’m working on a paper for safety engineers about cyber security requirements for Safety Instrumented Systems (SIS). In preparation I examined some of the existing publications from other European countries, e.g. the paper ‘Cyber Security for Industrial Automation and Control Systems (IACS)’ from the British Health and Safety Executive (HSE).

In the chapter ‘Note 5 – Define and Implement Countermeasures’ one reads:

A hierarchical approach should be adopted, for example prioritising implementation of measures such as inherent resilience, and prevention (e.g. physical security controls, authorisation and authentication) over other measures for detection.

That is diametrically opposed to Gartner’s advice ‘Shift Cybersecurity Investment to Detection and Response’. Gartner’s Sid Deshpande said in an interview:

Gartner is now recommending to companies that they shift their security spending to have at least 60 percent of their security budget to be spent on detection and response, up from 10 to 15 percent today.

I think Gartner’s advice needs to be seen in the context of the industry in which one works. IT security deals with Confidentiality, Integrity, and Availability (CIA) issues. Every industry has specific requirements regarding CIA issues. For example, integrity of product and production plays a larger role in pharmaceutical production than in the process industry. This is shown very well with a spider diagram:

CIA-Diamond

In general, Gartner’s advice is useful where there is a high demand for addressing confidentiality issues. In industries where integrity plays a major role, the Gartner advice is less useful because you cannot wait until a customer or the FDA detects that a drug has the wrong composition.

CIAS-Diamond

Safety is a game changer. As soon as we face medium or high safety requirements, Gartner’s advice is counterproductive.

Have a great week.