Category Archives: Survival tips

What can we learn from the latest hack on an U.S. Navy contractor?

17 June 2018

Report “China hacked a Navy contractor and secured a trove of highly sensitive data on submarine warfare” (1) published on 8 June 2018 in the Washington Post is really worth reading.

Attacks on the supply chain have become more common in recent years. Contractors are e.g. used as gateways to the customer network or customer information is exfiltrated from the contractors network.

The latter is the case here. The product development is outsourced. The information required for product development is available only in the contractors network and, in the worst case, remains there after handover to the customer.

Under normal conditions this is not critical. But when it comes to national security matters, e.g. in product development for defense agencies or for critical infrastructures, this may end in a catastrophe.

Picture credits: Wikimedia

In such cases proper classification of the information handed over to and created by the contractor is of crucial need. Since many contractors run an information security management system, the selection of protective measures is based upon the proper classification.

At least 614 GB of data were obviously not properly classified since “highly sensitive data related to undersea warfare” was stolen from the contractor’s unclassified network.

It is always good to remember Aristotle’s proverb “The whole is greater than the sum of its parts” when it comes to classification of information.

Have a great week.


1. Nakashima E, Sonne P. China hacked a Navy contractor and secured a trove of highly sensitive data on submarine warfare. Washington Post [Internet]. 2018 Jun 8 [cited 2018 Jun 16]; Available from: https://www.washingtonpost.com/world/national-security/china-hacked-a-navy-contractor-and-secured-a-trove-of-highly-sensitive-data-on-submarine-warfare/2018/06/08/6cc396fa-68e6-11e8-bea7-c8eb28bc52b1_story.html

Advertisements

Some thoughts on “Protecting against ransomware using PCI DSS and other hardening standards”

20 May 2018

Post “Protecting against ransomware using PCI DSS and other hardening standards” (1) published this week by Paul Norris in SC Media UK is really worth reading. Hardening is a proven method to reduce the attack surface of a computer network. If well done, the spreading of ransomware and thus the impact on an organization can be limited.

Hardening, patching, etc. serve a common goal in cyber war: Describing the limits of conflict. Everett Dolman writes in chapter 5 of “Pure Strategy: Power and Principle in the Space and Information Age” (2):

“Tactical thinkers seek to define and describe situations. Decision-making in real-time tactical mode requires it. The more knowledge of the limits to conflict, the more creatively the tactical genius can deploy, maneuver, and engage forces. Knowing completely what cannot be done allows for an investigation what can be done.”

Hardening, patching, etc. decrease the number of options / attack vectors an attacker can use for getting on and exploring a network. IT security groups can then focus on the remaining attack vectors, and prepare for the unknown.

Let me give two examples to illustrate this.

  1. If all external storage devices are technically blocked in your organization an attacker cannot use them for delivery of weaponized documents. Furthermore, if users have no chance to change this your IT security group can focus on investigating other attack vectors.

  2. If you implemented the measures for mitigation of high and medium risk findings described in the DoD “Windows 7 Security Technical Implementation Guide” (3) you can be sure that attacks based on bypassing UAC to get elevated privileges are no longer possible.

But be aware that the attacker also knows what cannot be done after a standard is implemented…

Have a great week.


  1. Norris P. Protecting against ransomware using PCI DSS and other hardening standards [Internet]. SC Media UK. 2018 [cited 2018 May 20]. Available from: https://www.scmagazineuk.com/opinion/protecting-against-ransomware-using-pci-dss-and-other-hardening-standards/article/761956/

  2. Dolman EC. Pure Strategy: Power and Principle in the Space and Information Age [Internet]. Taylor & Francis; 2004. (Strategy and History)

  3. Department of Defense. Windows 7 Security Technical Implementation Guide [Internet]. STIG Viewer | Unified Compliance Framework®. 2017 [cited 2018 May 20]. Available from: https://www.stigviewer.com/stig/windows_7/

Two-factor authentication hackable?

13 May 2018

Report “Two-factor authentication hackable” (1) published by Doug Olenick’ on May 10, 2018 at SC Media US is really frightening.

Two-factor authentication (TFA) is a great means to secure users of web services against phishing attacks. I’m aware that TFA with SMS or authenticator apps is not 100% secure because the login is not bound to the service, which means that TFA is prone to Man-in-the-Middle attacks. But the title of the report suggests that TFA is no longer secure at all.

A closer look at the report shows that Doug Olenick describes a Man-in-the-Middle attack initiated by a fake URL in an e-mail. The URL points to a web services which acts as a proxy for LinkedIn in this case. The proxy collects the users account details and the session cookie. Since the session cookie contains all details required to login to LinkedIn the attacker can hijack the users account without being requested of the password and the second factor.

For details about the attack see Kuba Gretzky’s post “Evilginx – Advanced Phishing with Two-factor Authentication Bypass” (2).

What can we learn from these reports?

TFA is vulnerable against phishing and Man-in-the-Middle attacks. User awareness and anti-phishing training become not obsolete once TFA with authenticator app or SMS is rolled out in an organization.

Although TFA is vulnerable this should not stop you from implementing TFA.

FIDO U2F Key (6)

FIDO U2F Key (6)

If you want to get it right the first time implement TFA with hardware keys, e.g. FIDO U2F keys. With hardware keys the user login is bound to the original service, which means that only the real site can authenticate with the service. For details see the FIDO alliance (3) homepage or the Yubico (4) homepage. For a great user story see report “Google Eliminates Account Takeover with the YubiKey” (5).

Have a great week.


  1. Olenick D. Two-factor authentication hackable [Internet]. SC Media US. 2018 [cited 2018 May 13]. Available from: https://www.scmagazine.com/network-security/two-factor-authentication-hackable/article/765135/

  2. Gretzky K. Evilginx – Advanced Phishing with Two-factor Authentication Bypass [Internet]. BREAKDEV. 2017 [cited 2018 May 13]. Available from: http://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass

  3. FIDO Alliance. https://fidoalliance.org/ [Internet]. FIDO Alliance. [cited 2018 May 13]. Available from: https://fidoalliance.org/

  4. U2F – FIDO Universal 2nd Factor Authentication [Internet]. Yubico. [cited 2018 May 13]. Available from: https://www.yubico.com/solutions/fido-u2f/

  5. Yubico.com. Google Eliminates Account Takeover with the YubiKey [Internet]. Yubico. [cited 2018 May 13]. Available from: https://www.yubico.com/about/reference-customers/google/

  6. Picture Credits: Amazon.de. [cited 2018 May 13]. Available from: https://www.amazon.de/Yubico-Y-123-FIDO-U2F-Security/dp/B00NLKA0D8

 

US Gas Pipelines Hit by Cyber-Attack

15 April 2018

The report “US Gas Pipelines Hit by Cyber-Attack” (1), published on April 13, 2018 in Infosecurity Magazine, sounds more dramatic than it actually is. The attackers compromised a system for “electronic data interchange” (EDI) to some of the largest US energy providers. No impact on critical infrastructures, at least until now.

Bloomberg Technology (2) reports that at least four US pipeline companies were affected by the attack.

What surprised me was that Jim Guinn, managing director and global cyber security leader for energy, utilities, chemicals and mining at Accenture Plc, said (2):

 

“There is absolutely nothing of intrinsic value for someone to infiltrate the EDI other than to navigate a network to do something more malicious. All bad actors are looking for a way to get into the museum to go steal the Van Gogh painting.”

I cannot support this. The EDI system contains the access details to the systems used in the customer networks for data exchange. These details are the free admission ticket to the customer networks for the cyber-criminals.

Thus, it is very important that at least the access data to customer systems are changed directly after an attack is detected. In addition, the customers should check their networks for suspicious data transfers and indicators for lateral movement.

Have a good weekend.


1. Muncaster P. US Gas Pipelines Targeted in Cyber-Attack [Internet]. Infosecurity Magazine. 2018 [cited 2018 Apr 13]. Available from: https://www.infosecurity-magazine.com:443/news/us-gas-pipelines-hit-by-cyberattack/

2. Malik NS, Collins R, Vamburkar M. Cyberattack Pings Data Systems of At Least Four Gas Networks. Bloomberg.com [Internet]. 2018 Apr 3 [cited 2018 Apr 15]; Available from: https://www.bloomberg.com/news/articles/2018-04-03/day-after-cyber-attack-a-third-gas-pipeline-data-system-shuts

RYZENFALL, MASTERKEY, FALLOUT, CHIMERA – Don’t Panic!

3 April 2018

CTS-Labs publication (1) of new branded security flaws in AMD’s latest Ryzen and EPYC processors attracted much media attention.

Much Ado About Nothing

Much Ado About Nothing. Made with WortArt.com.

Two facts on RYZENFALL, MASTERKEY, FALLOUT and CHIMERA:

  • In all cases the attacker requires administrative access to exploit the processor flaws.
  • For exploitation of MASTERKEY the attacker needs to re-flash the bios.

For a good overview see post ‘AMD Flaws’ (2) in the Trail of Bits blog.

To put it succinctly:: An attacker managed to fully compromise a system based on an AMD Ryzen or EPYC processor and to stay undetected. Then he starts exploiting Masterkey, flashes the BIOS and reboots the system. As a result he gets directly detected.

That makes no sense. Once I fully compromised a system I have plenty opportunities to run a deep dive into the victim’s network and, to stay undetected. The risk of getting detected when exploiting e.g. MASTERKEY is just too high.

The world of threat actors can be divided in two classes: Non-Nation State Actors and Nation State Actors. In particular MASTERKEY fits perfectly in the cyber weapon arsenal of the latter because only they have the resources to compromise the processors where it is most convenient, in the supply chain.

I don’t like branded vulnerabilities because they keep us from dealing with really important security issues.

Have a great week!


  1. CTS-Labs. Severe Security Advisory on AMD Processors [Internet]. AMDFLAWS. 2018 [cited 2018 Apr 3]. Available from: https://safefirmware.com/amdflaws_whitepaper.pdf

  2. Guido D. “AMD Flaws” Technical Summary [Internet]. Trail of Bits Blog. 2018 [cited 2018 Apr 3]. Available from: https://blog.trailofbits.com/2018/03/15/amd-flaws-technical-summary/

Triton: Dangerous and Puzzling – Part III

18 March 2018

The reports published on Triton so far give no hint on how the attack was started. With Occam’s razor in mind I concluded in part II of this post series that it is very likely, that the attacker compromised the Engineering Service Providers (ESP) network and the systems used for developing the SIS software. Since the next software update is sure to come, it is only a matter of time until the SIS installation in the production network gets compromised.

In this part I will talk about how to prevent and protect against such attacks.

Part III: Prevention and Protection

To protect against such kind of attacks data integrity must be ensured across the entire supply chain.

Ensure Integrity Across the Supply Chain

Ensure Integrity Across the Supply Chain

Engineering Service Provider’s responsibilities

Build: The ESP must make sure that the project data and software cannot be compromised in his facilities during software design and build.

Transfer: The ESP must secure the data against manipulation during transport.

Plant Operator’s responsibilities

Validate: After handover, the operator must check that the software and project data fulfil only the intended functions, before the SIS or DCS is updated. This must be governed by a Standard Operating Procedures (SOP) with formal approvals.

Install: The operator must follow a SOP for secure update of SIS and DCS software.

In the following section I will give some best practice to achieve data integrity across the supply chain. Anti-malware solutions are not listed because they are industry standard. Nevertheless, it is important to note that in Triton like cases pattern based anti-malware solutions will not prevent or protect against the attack. Pattern based anti-malware solutions protect only against malware “in the wild”. That’s not the case here, thus we have to apply other means to ensure integrity.


Development network

  • Perform all project work in an isolated Development Network (D-NET) with a Development DMZ (D-DMZ).
  • Control remote access to the D-DMZ through a user proxy to allow access for authorized staff only. Two Factor Authentication is mandatory for access to the D-DMZ.
  • For remote user access to the D-NET use a jump station in the D-DMZ.
  • Terminate all connections from the Office Network to the D-NET in the D-DMZ.
  • Terminate all connections from the D-NET in the D-DMZ.
  • If an SIS or DCS is operated in the D-NET, it should be placed in an isolated in a network  zone (D-SIS) in the D-NET. Allow only incoming connections from the engineering station to the SIS or DCS. Terminate all outgoing connections from the D-SIS in the D-NET.

Data exchange

  • For data exchange with the Office network allow only outgoing connections from the D-DMZ to dedicated systems/ports in the Office network.
  • Don’t use the SMB protocol for exchange of data between the office network and the D-DMZ and D-NET.
  • Implement Network Access Control (NAC) in the D-DMZ and D-NET to block connections of untrusted devices.
  • Never connect mobile workstations used in the D-NET or D-DMZ to other networks and vice versa. Once such a workstation was connected to a network outside the D-NET or D-DMZ it is potentially compromised.

System hardening

  • Block all USB disk devices in the D-NET.
  • Block all internet access and e-mail in the D-DMZ and D-NET.
  • Lock down all workstations and servers in the D-NET and D-DMZ.
  • Perform regular integrity checks on all systems in the D-NET and D-DMZ.

Software development best practice

  • Set up software version control for all development work.
  • If contractually possible, handover only sources, makefiles and checksums to the operator.

  • Secure network transfer is the method of choice. Bundle all sources in an encrypted archive. Send the encryption key in a secure e-mail to the operator.
  • If transfer by USB devices is required use only USB devices with AES hardware encryption and key pad. Run a secure before the new software is copied.

  • Extract the software to a trusted development system in an isolated network zone of the operators network.
  • Validate the checksums of the sources and makefiles against the supplied checksum details.
  • Build the software.
  • Install the software on a test system and verify that only the intended functions are implemented.

  • Use a secure transfer method to move the new software and project data to the SIS or DCS  network.
  • Install the software with regards to the corresponding SOP.

Have a great week.

How to defeat antivirus evasion and privilege escalation techniques

4 February 2018

Last weekend I read two very informative posts on Antivirus Evasion by Mattia Campagnano. But part 2 [1] puzzled me somewhat.

“Following up to my previous post Tips for an Information Security Analyst/Pentester career – Ep. 43: AV Evasion (pt. 1), we’re going now to perform the same attack on a genuine Windows 10 machine, where all latest updates have been installed.”

For a moment I thought ‘a security professional mistakes compliance for security’ because ‘fully patched’ means not that the system is resilient against cyber-attacks. But both posts show that even the most secure Windows ever is vulnerable against privilege escalation and AV evasion if the basic configuration is not changed and fundamental elements of cyber hygiene are missing.

Why are such attacks successful?

First, the user was logged in with permanent administrative privileges. This makes life easy for attackers and fosters lateral movement.

Revoking permanent administrative privileges on workstations and servers must be a basic element of any cyber security program. Under normal conditions, standard users should not have any administrative privileges for their devices at all. If needed, they can be temporarily granted through User Account Control (UAC).

Second, UAC was not set to the highest level “Always notify me”. Unfortunately this is the standard setting after a fresh installation of Windows. With this, privilege escalation is possible without user notification. If configured properly, UAC will notify the user even if he works with administrative privileges.

The BypassUAC method in the meterpreter attack framework will fail, if UAC is set to the highest level. The following excerpt of the code [2] makes this clear

case get_uac_level
 when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
      UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
      UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
 fail_with(Failure::NotVulnerable,
  "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting..."
 )
 when UAC_DEFAULT
    print_good('UAC is set to Default')
    print_good('BypassUAC can bypass this setting, continuing...')
 when UAC_NO_PROMPT
    print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
    shell_execute_exe
  return
end

Standards like the DISA STIG for Windows 10 [3] activate all UAC features to make life for the attackers as difficult as possible. From my point of view, the STIGs should be considered also in industry to create workplaces resilient against cyber-attacks. And Microsoft should raise the Windows default for UAC to “Always notify me” for all versions. If a user wants to reduce the security level, he should do this on his own responsibility.

Besides the secure configuration of IT systems and cyber hygiene is user awareness training the third essential pillar of a security program. Users and help desk staff must take proper actions if their system unexpectedly enters the secure desktop and asks for permissions of an action they never asked.

Have a good weekend.


  1. Campagnano, M. Tips for an Information Security Analyst/Pentester career – Ep. 44: AV Evasion (pt 2). The S@vvy_Geek Tips Tech Blog
  2. Rapid7 bypassuac_vbs.rb  Metasploit Framework. (Accessed: 3rd February 2018)
  3. Windows 10 Security Technical Implementation Guide. STIG Viewer | Unified Compliance Framework® Available at: https://www.stigviewer.com/stig/windows_10/. (Accessed: 3rd February 2018)
  4. Campagnano, M. Tips for an Information Security Analyst/Pentester career – Ep. 43: AV Evasion (pt.1). The S@vvy_Geek Tips Tech Blog