Category Archives: Survival tips

A lesson in Phishing and Two Factor Authentication

13 August 2017

The post ‘Hackers Hijack Popular Chrome Extension to Inject Code into Web Developers’ Browsers’, published on August 3, 2017 by Graham CLULEY at the Tripwire blog ‘The State Of Security’, gives another good reason to use Two Factor Authentication.

Since phishing emails are getting better and better, it is not surprising that even professionals can be tricked.

Thus I can fully accept the developer’s answer ‘I stupidly fell for a phishing attack on my Google account.’ to the question ‘Any idea how this could have happened?’.

But I cannot understand why the Google account was not secured with Two Factor Authentication (TFA), in particular because Google’s Push Notification makes life with TFA really easy.

With TFA enabled, the phished password alone would not have been sufficient to take over the account, and this attack could very likely have been prevented. (A real-time phishing proxy can still relay a one-time code or trick the user into approving a push prompt, so a hardware security key is the more robust second factor.)

Have a great week, and activate TFA for your Google account.


Adobe Systems Inc’s Flash will be retired at the end of 2020

30 July 2017

From an IT security point of view, Adobe’s announcement that it will retire Flash Player at the end of 2020 is excellent news. For details see the report ‘Adobe to pull plug on Flash, ending an era’ published in Reuters Technology News on 25 July 2017.

Every year, Flash Player accounted for a large number of vulnerabilities rated High (CVSS v2 base score 7.0 to 10.0).

[Chart: Flash Player CVSS V2 Severity High rated vulnerabilities per year]

NIST NVD search parameters: Results Type: Statistics / Keyword (text search): Adobe flash player / Publication Start Date: January 2010 / Publication End Date: July 2017 / CVSS Version: 2 / CVSS V2 Severity: High (7-10)

The result was an endless stream of patches which kept IT operations groups busy all year.

Thank you, Adobe, for the good news.

Have a great week.

German firms lost millions of euros in ‘CEO Fraud’ scam: BSI

23 July 2017

The report ‘German firms lost millions of euros in ‘CEO Fraud’ scam: BSI’, published in the Reuters Technology News on 10 July 2017, really worries me. Whaling, a special form of spear phishing aimed at corporate executives, is not new at all. For some samples see this slide show on

It appears to me that in Germany the first line of defense, the employees, are not adequately trained to detect and correctly handle phishing attacks, even though anti-phishing training is the most effective and cost-efficient defensive measure in the fight against all kinds of phishing.

In addition, some rules are helpful and should be communicated to all employees:

  1. Users should never act on a business request from a company executive if the email is not signed with a valid, company-owned email certificate.
  2. Users should never trust an email from a business partner if it is not signed with the partner’s valid email certificate.

The technical implementation (S/MIME signing with personal email certificates) is easy, so even small and medium-sized businesses can use email signing in daily communication. Two caveats: the mail client must actually verify the signature and flag a missing or invalid one, and users must look at the signer, not at the display name, which an attacker can set freely.

Have a great week.

Why is the industry so vulnerable to WannaCry and NotPetya style attacks? Part II.

16 July 2017

In part one of this post I discussed the impact of the aging IT infrastructure on the industry’s vulnerability to WannaCry and NotPetya style attacks. Part II deals with the OS basics.

Built-in features of the Windows operating system

Windows is the hacker’s paradise. Not because of the endless stream of vulnerabilities; in my opinion, Microsoft does a good job of managing those.

But because Windows is designed to support the efficient administration of networks with thousands of windows workstations, servers, users and applications.

The authorization subsystem (Active Directory together with the local security authority on each host) allows fine-grained permissions to be assigned to users and groups on any resource, and checks them in near real time before access is granted. It is highly scalable and supports a single office LAN as well as a segmented global network.

Built-in utilities like administrative shares, WMI (Windows Management Instrumentation), netsh, ipconfig and the net command enable administrators to query and change workstation, server and user settings across the network and support efficient software distribution and troubleshooting. Windows Server Update Services (WSUS) supports administrators in keeping known vulnerabilities patched.

Everything is of course scriptable with the Windows command shell, PowerShell and VBScript. All utilities can be used to a certain extent by every user, and fully by administrators.

And of course also by malware or cyber-criminals. Once a cyber-criminal has a foothold on your network, e.g. through a RAT (Remote Access Trojan), he can move across your network and do his malicious work with the built-in tools alone (‘living off the land’). Downloading utilities from a C&C (Command and Control) server is not necessary. With this, the cyber-criminal is nearly invisible, and he will stay nearly invisible for a long time if he makes no errors.

The principle of least privilege is implemented in Windows at all levels of the OS stack. This is ensured by the Security Development Lifecycle (SDL), which has been Microsoft’s mandatory development policy since 2004. Thus, under normal conditions, the built-in security features of Windows would limit the impact of malware.

Unfortunately, the SDL cannot avoid software failures entirely, because they are systemic errors: we build them into the software during development. Once a process state triggers such an error and someone finds a method to reproduce the error condition, the error becomes a vulnerability, e.g. the SMB 1.0 flaws fixed by MS17-010. This is no problem unless an exploit is published which allows a cyber-criminal to leverage the vulnerability for e.g. privilege escalation. With this, he gets full access to all the built-in tools and to all processes, including the authorization subsystem.

Even if exploiting a vulnerability does not lead to privilege escalation, only some patience is needed. Just probe the network until a user is found who works with permanent administrative privileges. If such a session is hijacked, the cyber-criminal gets full access to all tools and to the authorization subsystem on that computer.

With administrative privileges the attacker or malware can dump the memory of the Local Security Authority Subsystem (lsass.exe) and extract either the password hashes or the clear text passwords of all logged-on users. The example below shows an extract created with mimikatz (sekurlsa module) on a Windows 7 Enterprise Edition workstation.

C:\Program Files (x86)\mimikatz\x64>mimikatz
.#####.   mimikatz 2.1.1 (x64) built on Jun 18 2017 18:46:28
.## ^ ##.  "A La Vie, A L'Amour"
## / \ ##  /* * *
## \ / ##   Benjamin DELPY `gentilkiwi` ( )
'## v ##'             (oe.eo)
'#####'                                     with 21 modules * * */

Authentication Id : 0 ; 315690 (00000000:0004d12a)
Session           : Interactive from 1
User Name         : kjochem
Domain            : WIN-2OLSA000OLM
Logon Server      : WIN-2OLSA000OLM
Logon Time        : 16.07.2017 21:31:24
SID               : S-1-5-21-3248755352-2707638487-1840279341-1000
msv :
[00000003] Primary
* Username : kjochem
* Domain   : WIN-2OLSA000OLM
* NTLM     : dd94b116548a739e24ad775193c2d13b <--- Password hash
wdigest :
* Username : kjochem
* Domain   : WIN-2OLSA000OLM
* Password : #Not very12strange! <--- Clear text password
kerberos :
* Username : kjochem
* Domain   : WIN-2OLSA000OLM
* Password : (null)
ssp :
credman :

The extracted clear text passwords can be used to log in directly to further systems; the NTLM hashes can be used in Pass-the-Hash attacks on further nodes. In either case the chance of detection is low, since the attacker behaves like a normal user.

This is exactly how NotPetya spread within a network: besides the SMB exploit, it used a credential stealer built on mimikatz together with PsExec and WMI to reach machines that were already patched. Other malware worked this way in the past and will work this way in future.

Windows is highly optimized to allow cost-effective operation of networks of thousands of computers. This easily leads to misconfigurations, e.g. domain-based technical (service) accounts with high privileges on all workstations and servers. Combined with users working with permanent administrative privileges, the cyber-criminal’s life is simple.

What are mitigating measures?

The selection below makes no claim to be complete.

Migration to Windows 10.

Drop all old-style transport and authentication protocols (e.g. SMB 1.0 and WDigest) during this process. Migration to Windows 10 is the first choice because the security baseline of Windows 10 is higher than that of Windows 7. For example, the issue with the clear text passwords in LSASS memory is gone: WDigest no longer caches them by default. (On Windows 7 and Server 2008 R2 the same protection is available after installing KB2871997 and setting UseLogonCredential to 0.) But this is not much help in industry, because we must deal with Windows 7, Windows Server 2008 and old-style protocols for at least another 5 to 10 years.

Short and mid-term mitigation measures.

  • Reduce the number of users working with permanent administrative rights to zero. This is a leadership task!
  • Implement priority patching of critical systems, especially those on the perimeter to the production networks.
  • Review all firewall rules. Focus on required connections and limit the use of the SMB protocol as far as possible.
  • Review all technical (service) accounts. Limit their scope to the local systems and the lowest possible privileges, where possible.
  • Roll out endpoint monitoring feeding a SIEM to all clients and servers. For example, a process reading the memory of lsass.exe on a workstation or server (this is what mimikatz does) is a clear indicator of a hacking attempt. Immediate action upon such events is required.
  • Implement privileged account and session management, in the best case with one-time passwords which are changed after the session ends.
  • Apply the measures to mitigate Pass-the-Hash attacks to all Windows networks. For details please see
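The following PowerShell script is an added example and not part of the original post. It covers three of the short-term measures above on a single host: it disables WDigest clear text caching (the reason the mimikatz dump above contains a clear text password), lists accounts with permanent local administrator rights, and searches for processes that opened LSASS memory. Assumptions: Windows 7 / Server 2008 R2 hosts have KB2871997 installed (it introduces the UseLogonCredential value; Windows 8.1, 10, Server 2012 R2 and later have it built in), Sysinternals Sysmon is installed with a ProcessAccess rule for lsass.exe for the last check, and the allow lists ($expectedAdmins, $knownLsassReaders) are placeholders to be adjusted to your site.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# (works on PowerShell 2.0, i.e. Windows 7 / Server 2008 R2, and later).
# Assumptions: KB2871997 installed on Windows 7 / 2008 R2; Sysmon installed
# with a ProcessAccess rule for lsass.exe; allow lists adjusted to your site.

# 1. Stop WDigest from keeping clear text passwords in LSASS memory.
#    UseLogonCredential: 1 = cache clear text (Windows 7 default), 0 = do not.
$wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$value = Get-ItemProperty -Path $wdigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue
if ($null -eq $value -or $value.UseLogonCredential -ne 0) {
    Write-Warning 'WDigest clear text caching is active; disabling it.'
    New-ItemProperty -Path $wdigestKey -Name UseLogonCredential -PropertyType DWord -Value 0 -Force | Out-Null
    # Credentials of sessions that are already logged on stay in memory until log-off.
}

# 2. Who has permanent administrative rights on this host?
#    Anything beyond the allow list is a candidate for removal (measure 1 above).
$expectedAdmins = @('Administrator', 'Domain Admins')   # assumption: site-specific allow list
$group = [ADSI]'WinNT://./Administrators,group'
$members = $group.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)   # e.g. WinNT://DOMAIN/user
}
foreach ($m in $members) {
    $name = ($m -split '/')[-1]
    if ($expectedAdmins -notcontains $name) { Write-Warning "Permanent admin: $m" }
}

# 3. Detection: which processes opened lsass.exe with read access (Sysmon event 10)?
#    mimikatz needs PROCESS_VM_READ (0x10); typical masks seen are 0x1010 and 0x1410.
$knownLsassReaders = @('C:\Windows\System32\csrss.exe', 'C:\Windows\System32\wininit.exe')  # assumption
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 } `
                       -MaxEvents 5000 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $data = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    if ($data['TargetImage'] -notlike '*\lsass.exe') { continue }
    if (([int]$data['GrantedAccess'] -band 0x10) -eq 0) { continue }   # no VM_READ, not a dump
    if ($knownLsassReaders -contains $data['SourceImage']) { continue }
    Write-Warning ("{0} {1} read LSASS memory (access {2})" -f $e.TimeCreated, $data['SourceImage'], $data['GrantedAccess'])
}
```

The third part is the kind of rule that belongs in the SIEM rather than in a script on each host; the script form only shows which event and which fields to key on. Expect a few legitimate readers (antivirus, some backup agents) and add them to the allow list by full path after verifying them.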

Long-term measures.

  • Microsoft should build a production-friendly Windows with limited functionality. This Windows should have a much smaller attack surface than the standard multi-purpose Windows systems of today.
  • The dependency on the SMB protocol for data exchange between the office and the production networks should be reduced, in the best case to zero.

Have a great week!

Chernobyl hit by Petya/NotPetya

2 July 2017

The short post ‘New Ransomware Crippling Chernobyl Sensors’, published on 28 June 2017 by Jack Laidlaw at HACKADAY, deeply frightened me. I was relieved to read that no Industrial Control Systems (ICS) were affected.

[Picture: ICS at the Chernobyl Power Plant. Picture Credits: Chernobyl NPP Press Center]

The following press statement was published on the power plant’s homepage:

As of 27.06.2017 due to the cyber attack: the SSE ChNPP’s official website was not accessible, servers for controlling the local area network and auxiliary systems of SSE ChNPP information resources (mail server, file-sharing servers, Internet resources’ access server, electronic document flow system server) were switched off. There was partial failure in operation of personal computers of workplaces of operators of individual radiation monitoring systems without loss of the control function as a whole.

From the recent cyber-attacks on industrial systems we know that the attacks start in the office network of a production site. Once an office computer is hijacked, the cyber-criminals use it as a base for further probing of the network until they find a weakness in the network configuration which allows them to attack the production network.

Thus, we should not take this matter lightly. In my opinion, the production network of nuclear power plants must be fully isolated from the office network, and the internet. Period.

Have a good week.

Dvmap: the first Android malware with code injection capabilities

25 June 2017

On the train back from Berlin last week I had the opportunity to go through my reading list. The news about Dvmap, an Android malware with code injection capabilities, caught my attention.

Kaspersky’s Roman Unuchek published a great post in the Kaspersky Lab Securelist blog on 8 June 2017 about Dvmap. Dvmap is hidden in the app colourblock, which was downloaded more than 50,000 times from the Google Play Store. Google has since removed the app from the Play Store.

Dvmap injects malicious code into the Android system libraries at runtime and deactivates security features of the OS. It is capable of downloading additional modules from a C&C server. In addition, the attackers used a clever method to bypass the security checks of the Play Store.

To inject code into system libraries at runtime on a Linux-based operating system, root privileges are required. And this is what Dvmap tries first. Since the standard user does not work as root, the trojan must use existing, unpatched vulnerabilities to gain root rights.

Supported by Google   Codename             Android version   Linux kernel   Distribution
No                    Gingerbread          2.3.x             2.6.35         0.8%
No                    Ice Cream Sandwich   4.0.x             3.0.1          0.8%
No                    Jelly Bean           4.1.x             3.0.31         3.1%
No                    Jelly Bean           4.2.x             3.4.0          4.4%
No                    Jelly Bean           4.3               3.4.39         1.3%
Yes                   KitKat               4.4               3.10           18.1%
Yes                   Lollipop             5.0               3.16.1         8.2%
Yes                   Lollipop             5.1               3.16.1         22.6%
Yes                   Marshmallow          6.0               3.10           31.2%
Yes                   Nougat               7.0               4.4.1          8.9%
Yes                   Nougat               7.1               4.4.1          0.6%

(Data collected during a 7-day period ending on June 5, 2017. Any versions with less than 0.1% distribution are not shown. Source: Android Dashboards at Android

The above table shows that 89.6 percent of the Android devices which downloaded software from the Google Play Store run Android versions which are supported by Google. Sounds good.

Unfortunately, Google delivers patches to their partners for further distribution to the consumers. And this is where the trouble begins.

In the post ‘Diverse protections for a diverse ecosystem: Android Security 2016 Year in Review’, published on 22 March 2017 in the Google Security Blog, one reads:

We provided monthly security updates for all supported Pixel and Nexus devices throughout 2016, and we’re thrilled to see our partners invest significantly in regular updates as well. There’s still a lot of room for improvement, however. About half of devices in use at the end of 2016 had not received a platform security update in the previous year.

With this, about 55% of the devices which downloaded software from the Google Play Store in June 2017 were vulnerable, e.g. to Dirty COW (CVE-2016-5195), a nine-year-old bug in the Linux kernel that was discovered in October 2016. Since all Linux kernels from 2.x through 4.x before 4.8.3 were affected, nearly all Android versions are affected as well.

From the Android Security Review 2016 we learn that “More than 735 million devices from 200+ manufacturers received a platform security update in 2016”. With this, about 360 million devices are vulnerable to Dirty COW, and thus to Dvmap, today.

Google’s partners “invested significantly in regular security updates in the past years”, but sadly not enough. Enterprise customers with an MDM solution like Airwatch in place can manage this risk, e.g. by enforcing a minimum patch level. The consumers foot the bill. Who cares?

Have a great week!

Some thoughts on “Ransomware a real risk for SCADA networks”

5 June 2017

“By now the ‘Air gapping’ myth should be expunged from every ICS/SCADA manager on earth.” I really like this statement from Daniel Cohen-Sason, published on 23 May 2017 in the CYBERBIT blog.

From my point of view, the ‘Air Gap’ era ended with the introduction of portable engineering stations about 30 years ago.

Modern OT networks are often designed on the basis of the ISA-95 levels, with network zones and security devices, e.g. firewalls, to control the communication flow between the process control and SCADA systems across the zones (the zones and conduits concept of ISA-99/IEC 62443). Modern production requires a lot of Machine-to-Machine (M2M) communication between the production network zones and between the production network and the business network. Besides this M2M communication, Human-to-Machine (H2M) communication is required, e.g. for operator access from the business network and for remote maintenance.

For M2M and H2M interaction, communication channels must be opened on the firewalls. With this, there is always a chance that malware can spread across such required connections. Furthermore, cyber attackers can gain access, e.g. through remotely exploitable vulnerabilities, after they have hijacked an M2M communication endpoint in the business network. We dealt with this very effectively in the past 20 years.

Many of the required connections use the SMB protocol for data exchange. That is no problem per se. The problem is that we still use Windows 7 and Windows Server 2008 in the manufacturing industry, which support at most SMB 2.1 (Windows 7) or SMB 2.0 (Server 2008) and keep SMB 1.0 enabled by default.

Since WannaCry exploited a vulnerability in SMB version 1.0, it was only a matter of time before WannaCry would find its way across a required connection from the business network to the production network.

How to deal with the problem?

  • Priority patching.

The systems at the border between the business network and the production network must be patched with the highest priority. Although this is somewhat tricky to achieve in WSUS, it is worth learning how to use WSUS computer groups with per-group approvals for this. In addition to the operating system components, all application components must be patched as well. The same applies to Linux-based systems.
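As an added example (not from the original post and not Microsoft’s own documentation), the following PowerShell snippet performs the priority approval on a WSUS server running Windows Server 2012 or later with the UpdateServices module: it approves all still unapproved Security and Critical updates that some client reports as needed or failed, but only for a dedicated computer group holding the perimeter systems. The group name is an assumption; the group has to be populated with the border systems, either manually in the WSUS console or through client-side targeting via Group Policy.

```powershell
# Added example, not from the original post. Run on the WSUS server as a WSUS
# administrator; requires the UpdateServices module (Windows Server 2012 and later).
Import-Module UpdateServices

$wsus      = Get-WsusServer                # the local WSUS server
$groupName = 'Production perimeter'        # assumption: group holding the border systems

# Create the computer group once; members are added manually or by client-side targeting.
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $groupName }
if (-not $group) { $group = $wsus.CreateComputerTargetGroup($groupName) }

# Approve for this group only: everything in the Security and Critical classifications
# that is still unapproved and that at least one client reports as needed or failed.
# Other groups keep their normal, slower approval schedule.
foreach ($class in 'Security', 'Critical') {
    Get-WsusUpdate -UpdateServer $wsus -Classification $class -Approval Unapproved -Status FailedOrNeeded |
        Approve-WsusUpdate -Action Install -TargetGroupName $groupName
}

# Verify after the next detection cycle: which perimeter systems reported in, and when.
$group.GetComputerTargets() | Select-Object FullDomainName, LastReportedStatusTime
```

Running this daily for the perimeter group, while the rest of the plant stays on the regular maintenance window, is the practical way to get the ‘priority’ into WSUS.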

  • Deactivating SMB.

This is a good emergency measure, and it should be part of a long-term data exchange strategy. Disabling SMB 1.0 alone already removes the attack surface WannaCry used.

  • Set up asset and vulnerability management.

At least all systems at the endpoints of required M2M and H2M connections must be included. This enables you to evaluate the scale of the problem in the case of a new vulnerability.

  • Faster innovation cycles.

At least for the systems at the perimeter of the production network we must allow for shorter innovation cycles. With Windows 8, Windows 10 and Windows Server 2012, SMB 2.x/3.x is used for data exchange; these protocol versions are not affected by the vulnerability WannaCry exploited. But SMB 1.0 is still installed and enabled by default on these versions (and was patched by MS17-010 there as well), so don’t forget to deactivate SMB 1.0 on them.

This includes the technology used for data exchange. For example, the widely used Robocopy works over SMB file shares, so every Robocopy job across the perimeter is a required SMB connection that WannaCry can travel along.
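The following PowerShell script is an added example, not from the original post: it switches SMB 1.0 off on both the server side and the client side of a perimeter host and verifies the result. On Windows 8 / Server 2012 and later it uses the SmbShare module; on Windows 7 / Server 2008 R2 it uses the registry and service settings Microsoft documents in KB2696547. The SMB 1.0 access audit assumes a Windows 10 / Server 2016 or later host and is wrapped so that older systems just skip it. A reboot is needed before the change is fully effective.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell; reboot afterwards.
# Assumptions: SmbShare module on Windows 8 / Server 2012 and later; KB2696547 method on
# Windows 7 / 2008 R2; -AuditSmb1Access exists on Windows 10 / Server 2016 and later.

$build = [int](Get-WmiObject -Class Win32_OperatingSystem).BuildNumber   # 7601 = Win7 SP1, 9200 = Win8/2012

if ($build -ge 9200) {
    # Optional trial period: log every SMB 1.0 client (event 3000 in
    # Microsoft-Windows-SMBServer/Audit) for a few days before flipping the switch below.
    try { Set-SmbServerConfiguration -AuditSmb1Access $true -Force }
    catch { Write-Warning 'SMB1 access auditing is not supported on this OS version' }

    # Server side: refuse SMB 1.0 connections from clients.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $serverOff = -not (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    # Windows 7 / Server 2008 R2: no SmbShare module; the server side is a registry value.
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    New-ItemProperty -Path $lanman -Name SMB1 -PropertyType DWord -Value 0 -Force | Out-Null
    $serverOff = (Get-ItemProperty -Path $lanman -Name SMB1).SMB1 -eq 0
}

# Client side (all versions): drop the SMB 1.0 redirector (mrxsmb10) from the workstation
# service dependencies and disable its driver, so this host never initiates SMB 1.0 either.
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null

# Verify the client side from the driver's start type (4 = disabled).
$clientOff = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' -Name Start).Start -eq 4

"SMB1 server disabled: $serverOff; SMB1 client disabled: $clientOff (effective after reboot)"
```

Run the audit part first on a file server at the perimeter: every device that still shows up in event 3000 (old NAS boxes, printers, engineering stations) is a data exchange path that has to be migrated before SMB 1.0 can be switched off without breaking production.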

  • Increase the level of isolation.

Start with challenging the required M2M and H2M connections. Eliminate every connection without a business purpose. For the remaining, check whether the best available security technology is used.

Take care!