
Author Archives: akhilbehl10

I don’t ‘Wanna Cry’ – And that’s for a fact!

There has been a lot of ranting about the Windows vulnerability and the unpatched systems being exploited by Wanna Decryptor (WannaCry). Some of that is the user's fault (why click on something when you are not sure what it is?), and some of it is the fault of the way the ransomware has been described in the wild. Why the latter, you may ask? Simply because there has been a lot of hype and noise about what looks like yet another ransomware attack, when what sets this one apart is that it spreads through a vulnerability Microsoft had already fixed in March 2017, a fix that only protected users who had actually installed the update.

Apart from the noise, here are some facts and findings pertinent to this specific ransomware.

The malware itself: Wanna Decryptor (WannaCry, wncry) is a ransomware worm. Its spreading component uses EternalBlue, an exploit for the SMBv1 flaws fixed in MS17-010 that was developed by the NSA and leaked in April 2017 by the group calling itself the Shadow Brokers. That exploit is public knowledge; a public implementation is at https://github.com/RiskSense-Ops/MS17-010 (note that this is exploit code for MS17-010, not the ransomware's own source).

Delivery: Early reports described the initial infection as a trojanised link or attachment that a victim opens from an email, an advert on a web page or a Dropbox link. What is not in doubt is how it moves once inside: the worm scans for hosts with TCP port 445 (SMB) reachable, on the local network and on random Internet addresses, and uses EternalBlue to run itself on any unpatched Windows host. That step needs no user to click anything, which is why it spread across whole networks in hours.

Activation and exploit: Once wncry runs, it encrypts the user's files (the encrypted copies carry a .WNCRY extension), deletes the originals and attempts to delete Volume Shadow Copies so that the files cannot simply be restored from a local snapshot. It then drops a ransom note as a readme file and changes the victim's wallpaper to a message demanding payment for the decryption key.

The specifics: The dropper installs itself as a Windows service and writes its components under the Windows directory. From there it enumerates other hosts (not users) on the local subnet and beyond, probing port 445 and exploiting any that are still vulnerable to MS17-010.

Mitigation: Install the MS17-010 update (Microsoft also issued an out-of-band patch for the otherwise unsupported Windows XP, Windows 8 and Windows Server 2003 on 12 May 2017), disable SMBv1 wherever nothing still depends on it, block TCP 445 and 139 at the perimeter and between workstation segments, keep AV definitions current and keep tested offline backups. Current AV signatures and not clicking on anything that does not look right still matter, but they are not a control against a worm that exploits a listening service: only the patch or a blocked port stops that.

Repercussion: A ransom of $300 in bitcoin per machine for the decryption key, rising to $600 after three days, with no guarantee that paying actually returns the files.

Story from Microsoft: Microsoft has not disclosed how it came to know about the vulnerabilities fixed in MS17-010, nor has it disclosed any information about "in the wild" exploitation of them before the patch. Either way, the security bulletin and the update are at https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Summarizing: this is a big outbreak, and getting to know the malware before running into it serves well. Patch your Windows machines against MS17-010, disable SMBv1 where you can, and make sure the AV signatures are updated. And above all, don't click on anything unintended or unaccounted for.
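As an added example (this is not code from the original post, nor anything from WannaCry itself), here is a small Python detector for the lateral spread described above: a host that reaches many distinct neighbours on TCP 445 inside a short window, which is what a worm-infected machine looks like from a firewall or flow log. It assumes a simple key=value log format that is constructed inline for the demonstration; adapt parse_line() to whatever your own firewall or NetFlow collector emits. The addresses and timestamps in build_sample_log() are made up for the example.

```python
"""Spot hosts sweeping SMB (TCP/445, 139) the way the WannaCry worm does.

Added example, not code from the original post. It assumes a simple
key=value firewall/flow log format that is constructed below for the demo;
adapt parse_line() to whatever your firewall or NetFlow collector emits.
The idea: a workstation normally talks SMB to a handful of file servers,
while a worm-infected host tries many distinct hosts on 445 within seconds.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

SMB_PORTS = {445, 139}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Assumed (constructed) log format: one connection attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT).replace(tzinfo=timezone.utc)
    return ts, m["src"], m["dst"], int(m["dport"])


def detect_smb_sweeps(lines, window_seconds=60, threshold=10):
    """Return {src: peak_distinct_targets} for sources that hit >= threshold
    distinct SMB destinations inside any window_seconds-long sliding window.

    Denied connections count as much as allowed ones: a blocked probe is still
    evidence that the source is scanning. Counting distinct destinations per
    source (not packets) keeps a busy but legitimate file-server user quiet.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines rather than crash mid-incident
        ts, src, dst, dport = parsed
        if dport in SMB_PORTS:
            events[src].append((ts, dst))

    alerts = {}
    for src, evs in events.items():
        evs.sort()                       # order by time within this source
        window = deque()                 # (ts, dst) pairs inside the window
        in_window = defaultdict(int)     # dst -> how many hits are in window
        peak = 0
        for ts, dst in evs:
            window.append((ts, dst))
            in_window[dst] += 1
            # Evict events older than the window relative to the newest event.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                old_ts, old_dst = window.popleft()
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def build_sample_log():
    """Constructed sample data (not a real capture): one normal user who
    talks to two file servers over 20 minutes, one infected host that probes
    40 neighbours on 445 in 20 seconds, and one junk line."""
    base = datetime(2017, 5, 12, 11, 42, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(20):
        ts = (base + timedelta(minutes=i)).strftime(TS_FMT)
        lines.append(f"{ts} src=10.0.5.23 dst=10.0.1.{10 + i % 2} "
                     f"dport=445 proto=tcp action=allow")
    for i in range(40):
        ts = (base + timedelta(seconds=i // 2)).strftime(TS_FMT)
        action = "allow" if i % 3 else "deny"
        lines.append(f"{ts} src=10.0.5.99 dst=10.0.5.{100 + i} "
                     f"dport=445 proto=tcp action={action}")
    lines.append("this line is not a connection record")
    return lines


if __name__ == "__main__":
    for src, n in sorted(detect_smb_sweeps(build_sample_log()).items()):
        print(f"ALERT {src}: {n} distinct SMB targets within 60s "
              f"(possible MS17-010 worm, isolate and check patch level)")
```

Run it as a script and the constructed scanner is flagged while the normal file-server user stays quiet. A denied connection counts as a hit, since a blocked probe is still evidence of scanning, and because the threshold is on distinct destinations rather than packet counts a chatty but legitimate SMB client does not trip it. Fed the same firewall logs that show 445 traffic between workstation segments, this gives a quick way to find the host to isolate while patching catches up.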

Posted on May 15, 2017 in Security Posts

CHFI All The Way! My Cyber Security Journey’s Milestone.


It has been many fact-filled, learning-filled and fun-filled weeks of trying to get a handle on the art of cyber forensics. And as the idiom goes, all is well that ends well. I have reached a milestone in my learning and jousting with computer/network forensics by attaining the Computer Hacking Forensic Investigator (CHFI) certification. After CEH, this is my second ECC certification (almost 4 years after I achieved CEH).

So, why forensics, or digital/cyber investigation related study and certification? I decided to change gears the forensics way because it is one of the least understood and least discussed cyber security streams. Certifications or on-the-job experience would not normally involve doing forensics, or understanding and deploying your inner Sherlock Holmes. This side of cyber security is often unseen, unheard and blindsided in the wake of daily operations and business as usual. And that is what caught my attention: the things which allure the most are often not very well understood or discussed amongst security professionals.

It’s been a lot of learning and head scratching (well, sometimes almost banging my head against the wall over some rather intricate topics), playing around with some tools (like EnCase, Mobiledit) and, most importantly, understanding how the end-to-end cyber forensics process pans out. I learned a lot and came to know things above and beyond the nature of the job that a security professional such as myself is usually engaged with.

As usual, I’ll share my experience with this certification and my journey to achieve it. I hope that my experiences are useful and help you achieve this certification too.


The exam itself – This exam has been around for 7+ years and has evolved a lot from its predecessors. I took v8.0, as I had been preparing for it for a while, although v9.0 has been available since last year. CHFI is a pretty draining exam in that it addresses many areas of cyber forensics, from PC forensics to mobile forensics to application forensics and finally network forensics. It covers all the basics and the know-how required from forensics to investigation to conclusion, which is great as this is something not taught in security 101. What we traditionally learn and practice is network, application and information security; not their underbellies in terms of conducting a forensic investigation, tracing the evidence back to the perpetrator and going through the chain of evidence/custody. And this goes on and on; you’ll have to use your imagination to guess where. A lot of uncommon topics are more than enough to throw you off, and it’s not unusual to be lost in the depths of legal obligations or standards, and even the way evidence must be handled from discovery to its presentation to convict cyber criminals. See the topics covered and other requirements here – https://www.eccouncil.org/programs/computer-hacking-forensic-investigator-chfi/

The insights to the exam – The exam is a killer in that it is a 180-degree twist and covers subjects far apart from what we as security professionals are used to doing vs. what this certification demands. This is certainly for folks who have been in the ICT industry for a while and have a good grasp of security, from both a network and an information security backdrop. The exam is 4 hours long (not that you have to sit for all 4 hours unless it takes that much time to answer all the questions) and consists of 150 questions – multiple choice (single and multiple options) as well as true/false type. This is a closed-book, proctored certification exam. Now, it is important to note that this exam is only delivered online via https://eccexam.com and you get an online proctor from http://go.proctoru.com. Oh yes, before I forget to mention – you need to undergo an eligibility and verification process (and pay a fee for this and other ECC certifications) with EC-Council. You have to go through an application where they verify your security experience, and only upon a successful application can you sit for the exam. A minimum of 2 years of security experience is required. I was exempted from the eligibility process and application as I already hold CEH and have more than 10 years of security experience.

My experience during the exam – The questions were very varied and not quite what I expected. I saw a lot of basics being tested, such as HDD geometry and the OSI stack as they pertain to forensics and traffic analysis. As expected, there were questions on PC, mobile and network forensics and on best practices for leading an investigation. I did enjoy the time during the test and, instead of being stressed, I maintained my calm to ensure that I didn’t get fatigued (both click-wise and mentally) as well as to ensure that the right choice was indeed the right choice the first time. 4 hours is more than enough from a time perspective, and it takes grit to hold up the security persona during the exam coming from a non-forensic background.

I marked quite a few questions on my way to completing the first pass, as I would call it. Managed to complete the first pass in about 2 hours. I completed the second pass in another 15 min or so, looking over the marked questions. The worst thing would have been to second-guess myself, and hence I changed just a couple of answers where it made absolute and concrete sense. And then submitted for grading. I passed with 93% (70% is the minimum score to pass). And that calls for a happier weekend, knowing that I have achieved another milestone in my quest for knowledge!

The preparation – For the prep I used a number of resources:

1. CHFI official slides. These are very helpful and that’s where most of my preparation came from
2. CHFI all-in-one guide. This was also helpful, especially for the exam practice questions
3. I read through a few other forensics books and articles. To name a few – Computer Forensics a Pocket Guide, Computer Forensics for Dummies, Computer Incident Response, Digital Forensics for Network, Internet, and Cloud Computing, and so on. I skimmed the content where I knew it and read where I knew I had holes from an information and understanding-of-subject point of view
4. Practiced a few more questions from Skillset.com

Summarizing – This is hands down one of the most alluring and comprehensive certifications pertinent to computer and network forensics. Security practitioners and professionals who intend to further their understanding of this subject matter (which is quite interesting and uncommon) should go for it. For me, it was the journey that was more rewarding than the certification.

Posted on April 29, 2017 in Cyber Security

IoT Hack = Security Lapse. And it’s just the beginning

Dallas, Texas – On Apr 8, 2017, around 11:42 PM, for no apparent reason, all 156 tornado sirens went off together and woke up what can best be described as scared and baffled residents. When the sirens kept repeating in 90-second cycles, locals thought they were being (or were about to be) bombed.

Dallas Mayor Mike Rawlings posted an update for citizens on his Facebook page (https://www.facebook.com/MayorMikeRawlings/posts/1030736253694199), where he described the incident as a hack, i.e. an attack on the emergency notification system. He also wrote, “This is yet another serious example of the need for us to upgrade and better safeguard our city’s technology infrastructure.”

The news was carried by many major news channels and websites, including CNN: http://edition.cnn.com/2017/04/08/us/dallas-alarm-hack/

The most comprehensive coverage is from washingtonpost.com: https://www.washingtonpost.com/news/the-intersect/wp/2017/04/09/someone-hacked-every-tornado-siren-in-dallas-it-was-loud/?utm_term=.0b1ec2649790

Now, while news channels, websites and reporters talk about the situation and have provided updates on how the issue was handled and finally resolved, let’s consider some facts and try to draw some inferences from the incident from a cyber security perspective.

First, it is all but certain that this was a deliberate hack and not a ‘mistake’ by someone in the emergency service grid. That in turn tells us that the security controls deployed were either not enough or not tested properly during the planning and deployment cycles. There was early speculation that the sirens were not controlled by any back-end software at all; city officials later indicated that the sirens were triggered over their radio control link rather than through the city’s computer network. That detail does not weaken the point, it sharpens it: whatever medium a control path uses, it has to authenticate the commands it accepts, and a system that acts on any correctly formatted signal has no security control at all. Integrating security controls into every system (offline or online), from planning through deployment and testing, should be an absolute zero-tolerance exercise.

Second, the attacker(s) were motivated and determined to make it happen, at the most awkward hour. They made it look easy enough, and left little evidence from which a trail could be picked up and the perpetrator of the cyber crime apprehended.

Third, connected systems widen the attack surface. That is a known fact, but who would imagine that an emergency siren grid could be hacked, and the whole of it at that? It is supposed to be a closed and monitored system, isn’t it? This brings us either to a discussion about security standards not being in place for IoT and grid deployments, or simply to saying it is about time someone did something about cyber security for public and government systems. While this was clearly a failure in how security was implemented for the siren controllers, the damage could go well beyond alarms: more often than not, one emergency system is connected to another, e.g. 911 has taps into fire, police and so on.

Last but most importantly, while security analysts analyze and wonder how this could have been pulled off, for the people who experienced it ‘it was very real and scary’. This serves well to remind us all how helpless we feel when technology is abused.

Note: The intent of this article was not to repeat the information that is widely available about this incident, but to dig deeper and look at the causes of ill-fated security systems/controls, and to extrapolate the kind of damage that could be done at large, anywhere in the world, by someone nasty who knows how to get past the security (if there was any at all).

Posted on April 20, 2017 in Cyber Security

Good Friday Just Became Better – With My CCSK Certification!

Holy Moly – The sweet taste of achieving the much-coveted certification in the wake of furthering my Cyber Security journey. Aced the certification with a strong 90%. I now hold the Certificate of Cloud Security Knowledge (CCSK). My Good Friday just became a whole lot better!!!


It’s been some time that I’ve been dragging my feet, and I finally decided to write the CCSK certification. Been busy with authoring and mentoring (cannot really complain as it’s my passion), hence the delay. Like they say – better late than never!!


In the following sections I’ve shared my experiences, my preparation, the insights and the details of the certification exam. Hope these get you to your own CCSK summit.

The exam itself – This exam has been around for some time now and I took v3.0 (v2.1 is also available but hey, latest is greatest, right!). CCSK is a pretty comprehensive exam. It covers all the bases (and more) of cyber security / security from a Cloud Service Provider (CSP) and a cloud consumer perspective, and then some. It also addresses domains which are usually blind spots, for example cloud risk management, vendor management, supply chain management and such.

The insights to the exam – The exam can be daunting if you have little to no security experience, and especially if you come in with minimal (all-encompassing security) virtualization, security controls, risk management, physical security and traditional DC experience. The exam consists of 60 questions – multiple choice and true/false type, to be completed in 90 min. It is an open-book, take-anywhere exam; however, that doesn’t diminish its importance at all. In fact, it takes a lot of time to understand the subjects and topics and then be prepared for the exam itself. It’s the journey in this matter that’s much more valuable than the result itself.

My experience during the exam – I completed the first pass in about 30-35 min (of the allocated 90 min) and marked all questions for a second pass (yes, you can mark questions for review and come back to them). Finally submitted the questions for grading at the 45-50 min mark and passed with 90% (80% is the minimum score to pass), and that calls for a jolly moment!

The preparation – For the prep I used the two documents (both available here https://ccsk.cloudsecurityalliance.org/index.html) i.e.

  1. Cloud Security Guidance https://cloudsecurityalliance.org/research/security-guidance/
  2. ENISA Cloud Risk Assessment Report: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment/at_download/fullReport

These two documents cover all the bases in terms of questions. Just a thorough read and you should be fine. One of my dear and old-time friends (who happens to be a security geek as well), Sumanta Bhattacharya, helped me by brainstorming on the topics and coming up with logical and conclusive derivations.

Summarizing – This is a must-do certification for security practitioners and professionals who intend to or currently engage with the cloud. An excellent certification that pushes a person beyond their scope of thinking in the context of cloud, and so much more.

Posted on April 15, 2017 in Cyber Security, Security Posts

Cyber Ops – Up Up and Away!!!

I’ll be spending a good amount of time doing something that I’m passionate about and which, I think, brings me the satisfaction of knowing that it will be a career catalyst for many professionals (especially security professionals).

To be precise, I’ll be spending most of my time from late March till May writing on Cyber Security. Now, what matters is how I spend this time and whether the material I author helps the larger community gain from it – and that’s been my motto since I stepped up as an author and an evangelist.

Demystifying: I’ll be authoring for Cisco’s latest Cyber Security / Cyber Ops certifications on two fronts – writing the practice tests / question banks (to go with the premium content) for:

  • Cyber Ops – SecFnd
  • Cyber Ops – SecOps

I’ll be writing practice question banks which will help CCNA Cyber Ops aspirants attain these world-class cyber security certifications. These practice tests will be available as part of the premium package with the following books, written by Omar Santos and Joseph Muniz.

CCNA SECFND: http://www.ciscopress.com/store/ccna-cyber-ops-secfnd-210-250-official-cert-guide-premium-9780134609010

CCNA SECOPS: http://www.ciscopress.com/store/ccna-cyber-ops-secops-210-255-official-cert-guide-premium-9780134609027

I have to admit that Cisco has come a long way, and with these certifications the gaps between InfoSec and CyberSec would be more than addressed. These certifications set a benchmark in that they help bridge the gap between the old and new security paradigms – network and cyber.

All in all – I’m enjoying my time writing these questions and hope that they will help aspirants succeed in their attempts to grab these two really cool certifications.

Happy learning and reading!

Posted on April 11, 2017 in Cyber Security

Terminator and SkyNet might be here before you think!

Terminator movies have taught us a couple of important lessons – whatever you do, you cannot control destiny. And, don’t hand all the control to the machines.

That said – with IoT beginning to connect ‘Things’, and with no security standards (well, not many of them anyway) established during the IoT wars, don’t you wonder if that ‘smart’ machine in your home or office is secure enough and will absolutely do what it’s supposed to do?

Time to think again! A recent paper, Hacking Robots Before Skynet (by IOActive, published via SC Magazine), clearly articulates that it’s about time security was made paramount before going live with anything that is ‘smart’ enough to take decisions.

An excerpt follows:

As many of these “smart” machines are self-propelled, it is important that they’re secure, well protected, and not easy to hack. If not, instead of helpful resources they could quickly become dangerous tools capable of wreaking havoc and causing substantive harm to their surroundings and the humans they’re designed to serve. We’re already experiencing some of the consequences of substantial cybersecurity problems with Internet of Things (IoT) devices that are impacting the Internet, companies and commerce, and individual consumers alike. Cybersecurity problems in robots could have a much greater impact. When you think of robots as computers with arms, legs, or wheels, they become kinetic IoT devices that, if hacked, can pose new serious threats we have never encountered before. As human-robot interactions improve and evolve, new attack vectors emerge and threat scenarios expand. Mechanical extremities, peripheral devices, and human trust expand the area where cybersecurity issues could be exploited to cause harm, destroy property, or even kill.

Reference: https://media.scmagazine.com/documents/287/hacking-robots-before-skynet_71714.pdf

The paper also cites incidents where robots caused real-world, life-threatening harm, for example:

  • A robot security guard at the Stanford Shopping Center in Silicon Valley knocked down a toddler; fortunately, the child was not seriously hurt
  • A Chinese-made robot had an accident at a Shenzhen tech trade fair, smashing a glass window and injuring someone standing nearby
  • In 2007 a robot cannon killed 9 soldiers and seriously injured 14 others during a shooting exercise due to a malfunction
  • Robotic surgery has been linked to 144 deaths in the US by a recent study

None of these incidents is a confirmed hack; they are malfunctions and design failures. The point the paper makes is that a compromised robot fails in exactly the same kinetic way, except on purpose and at a moment of the attacker’s choosing. Time to wake up to the reality that (cyber) security controls are more than desirable for robotics, let alone for IoT, the mother ship of connectivity (which increases the attack and exploit surface manifold).

Bottom line: letting go of control to leverage automation may not be a good idea unless there are strict security norms and cyber security controls in place.

Watch out – that smart machine may be just too smart for your liking!!!

Posted on March 15, 2017 in IoT Security

Ransomware as a Service – It’s as real as it gets!

The world of information technology is changing rapidly. So much so that now you can get your hands on a service that builds ransomware for you and pays commission-based returns on hijacked machines. Yes, that’s true.

Here’s an excerpt from an ‘underground’ forum:


Satan is a free to use ransomware kit; you only need to register on the site to start making your viruses. Satan only requires a user name and password to create an account, although, if you wish, you can set a public key for two-factor authentication.
Satan has an initial fee of 30% of the victim’s payment; however, this fee will get lower as you get more infections and payments. All of the user transactions are covered by the server; you’ll always get what the victim paid, minus the fee of course.

When creating your malware you can specify the ransom value (in bitcoins), a multiplier for the ransom after X days have passed, the number of days after which the multiplier takes place, and a private note so you can keep track of your victims.
Satan is free. You just have to register on the site.
Satan is very easy to deploy; you can create your ransomware in less than a minute.
Satan uses TOR and Bitcoin for anonymity.
Satan’s executable is only 170kb.

If English is not your first language or you speak a second language, you can translate the ransom notes to help your victims understand better what is happening.
In case you’re looking for a way to spread the ransomware, there is a droppers page, where you can generate crude code for a Microsoft Word macro and a CHM file.

If you have any problem with the ransomware, you can report it using the leftmost button on the malware table. The middle blue button is used to update the malware to a newer version, if available, and the green one is used to edit your malware configuration.



All in all – this is a big step forward in luring in and incubating talent for the ‘anti-security’ profession, aka hackers, attackers, and the list goes on.

The humorous part is that the way this has been publicized is much, much better than many security vendors’ product or service offerings in terms of marketing a packaged product. And it’s an excellent business model for the provider, as it not only funds their current investment but also takes it a notch up, feeding revenue from the exploits into the next iteration of R&D. Note the droppers page as well: the distribution vectors on offer are a Word macro and a CHM file, which is exactly what blocking macros in documents received from the Internet and treating .chm attachments as executables at the mail gateway are meant to stop.

Posted on February 7, 2017 in Security Posts