
Category Archives: Security Posts

I don’t ‘Wanna Cry’ – And that’s for a fact!

So, there’s been a lot of ranting about the Windows vulnerability and the unpatched systems being exploited by Wanna Decryptor. Some of that is arguably the user’s fault (why click on something when you’re not sure what it is?), and some of it is the fault of the way the ransomware has been described out in the wild. Why the latter, you may ask? Simply because there has been a lot of hoax and noise about what seems to be yet another ransomware attack, only this time it is tied to a vulnerability that had already been fixed for users who updated Windows.

Apart from the noise, here are some facts and findings pertinent to this specific ransomware.

The malware itself: Wanna Decryptor (wncry) ransomware is reported to be based on a tool developed by the NSA to hack into computers. The NSA tool was used by a hacker group called the Shadow Brokers. The code is publicly available at https://github.com/RiskSense-Ops/MS17-010

Delivery: The malware is delivered as a Trojan through a loaded hyperlink that can be accidentally opened by a victim through an email, advert on a web page or a Dropbox link.

Activation and exploit: Once wncry is activated, the ransomware spreads through the computer and locks all the files. Once the files have been encrypted wncry deletes the originals and delivers a ransom note in the form of a read me file. Moreover, it changes the victim’s computer’s wallpaper to a message demanding payment to return the files.

The specifics: wncry malware modifies files in the /Windows and /windows/system32 directories and enumerates other users on the network to infect.

Mitigation: Use the latest AV definitions and personal / corporate firewalls, and don’t click on anything that doesn’t look right.

Repercussion: $300 ransom to be paid to un-encrypt your data.

Story from Microsoft: Microsoft has not disclosed how it came to know about the vulnerabilities included in the MS17-010 patch. Microsoft also has not disclosed any information about “in the wild” exploitation of these vulnerabilities. Either way, here’s the location of the security update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Summarizing – this is a big outbreak, and getting to know the malware well before running into it serves you well. Patch your Windows machines and make sure the AV signatures are updated. And above all, don’t click on anything unintended or unaccounted for.
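A host-side check to go with the mitigation advice above, added here as an example and not code from the original post: it looks for an installed MS17-010 update, reports the host firewall state, and reports the age of the Defender signatures. The KB numbers are the MS17-010 update identifiers Microsoft published per OS family and are not on this page; Get-NetFirewallProfile and Get-MpComputerStatus assume Windows 8 / Server 2012 or later with Windows Defender, and the script assumes an elevated PowerShell session.

```powershell
# Added host check (not from the original post): MS17-010 presence, firewall
# state and Defender signature age on the local Windows machine.

# MS17-010 update identifiers by platform (security-only and monthly rollup),
# taken from Microsoft's bulletin; they are assumptions, not values from the post.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429',  # Windows 10 1507 / 1511 / 1607
    'KB4012598'                             # XP / Server 2003 / Windows 8 out-of-band
)

# Get-HotFix lists installed updates by HotFixID (e.g. KB4012212).
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$present   = $Ms17010Kbs | Where-Object { $installed -contains $_ }

if ($present) {
    Write-Host ("MS17-010: installed ({0})" -f ($present -join ', '))
} else {
    # Caveat: later monthly rollups and cumulative updates supersede these KBs
    # and carry the same fix, so absence here is a prompt to check the update
    # level, not proof that the host is exposed.
    Write-Host "MS17-010: none of the listed KBs found; verify the rollup / build level"
}

# Host firewall state per profile (Domain / Private / Public).
try {
    Get-NetFirewallProfile -ErrorAction Stop | ForEach-Object {
        $state = if ($_.Enabled) { 'ON' } else { 'OFF' }
        Write-Host ("Firewall profile {0}: {1}" -f $_.Name, $state)
    }
} catch {
    Write-Host "Firewall: Get-NetFirewallProfile is unavailable on this OS"
}

# Defender signature age; a stale date means the AV-definitions advice is not met.
try {
    $mp  = Get-MpComputerStatus -ErrorAction Stop
    $age = (Get-Date) - $mp.AntivirusSignatureLastUpdated
    Write-Host ("Defender signatures last updated {0:N1} days ago" -f $age.TotalDays)
} catch {
    Write-Host "Defender status unavailable (third-party AV or module missing)"
}
```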


Posted by on May 15, 2017 in Security Posts


Good Friday Just Became Better – With My CCSK Certification!

Holy Moly – the sweet taste of achieving the much coveted certification as the next step in my Cyber Security journey. I aced the certification with a strong 90%. I’m now Certified Cloud Security Knowledge (CCSK) certified. My Good Friday just became a whole lot better!!!


I’d been dragging my feet for some time and finally decided to sit the CCSK certification. I’ve been busy with authoring and mentoring (can’t really complain, as it’s my passion), hence the delay. Like they say, better late than never!!


In the following sections I’ve shared my experiences, my preparation, and the insights and details of the certification exam. I hope these get you to your own CCSK summit.

The exam itself – This exam has been around for some time now, and I took v3.0 (v2.1 is also available, but hey, latest is greatest, right!). CCSK is a pretty comprehensive exam. It covers all the bases (and more) of cyber security / security from both a Cloud Service Provider (CSP) and a Cloud Consumer perspective, and then some. It also addresses domains that are usually blind spots, for example cloud risk management, vendor management, supply chain management and such.

The insights into the exam – The exam can be daunting if you have little to no security experience, and especially if you come in with minimal (all-encompassing security) virtualization, security controls, risk management, physical security and traditional DC experience. The exam consists of 60 questions, multiple choice and true/false, to be completed in 90 min. It is an open-book, take-anywhere exam; however, that doesn’t diminish its importance at all. In fact, it takes a lot of time to understand the subjects and topics and then be prepared for the exam itself. In this matter it’s the journey that’s much more valuable than the result itself.

My experience during the exam – I completed the first pass in about 30-35 min (of the allocated 90 min) and marked all questions for a second pass (yes, you can mark questions for review and come back to them). I finally submitted the questions for grading at the 45-50 min mark and passed with 90% (80% is the minimum score to pass), and that calls for a jolly moment!

The preparation – For the prep I used two documents (both available here: https://ccsk.cloudsecurityalliance.org/index.html), i.e.

  1. Cloud Security Guidance https://cloudsecurityalliance.org/research/security-guidance/
  2. ENISA Cloud Risk Assessment Report: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment/at_download/fullReport

These two documents cover all the bases in terms of questions. Just a thorough read and you should be fine. One of my dear old friends (who happens to be a security geek as well), Sumanta Bhattacharya, helped me by brainstorming on the topics and coming up with logical and conclusive derivations.

Summarizing – This is a must-do certification for security practitioners and professionals who intend to engage, or currently engage, with cloud. An excellent certification that pushes a person beyond their scope of thinking in the context of Cloud and so much more.


Posted by on April 15, 2017 in Cyber Security, Security Posts


Ransomware as a Service – It’s as real as it gets!

The world of information technology is changing rapidly. So much so that you can now get your hands on a service that creates ransomware for you in exchange for a commission on the returns from hijacked machines. Yes, that’s true.

Here’s an excerpt from an ‘underground’ forum:

Satan is a free to use ransomware kit, you only need to register on the site to start making your viruses. Satan only requires a user name and password to create an account, although, if you wish, you can set a public key for two-factor authentication.
Satan has an initial fee of 30% over the victim’s payment, however, this fee will get lower as you get more infections and payments. All of the user transactions are covered by the server, you’ll always get what the victim paid, minus the fee of course.

When creating your malware you can specify the ransom value (in bitcoins), a multiplier for the ransom after X days have passed, the number of days after the multiplier takes place, a private note so you can keep track of your victims.
Satan is free. You just have to register on the site.
Satan is very easy to deploy, you can create your ransomware in less than a minute.
Satan uses TOR and Bitcoin for anonymity.
Satan’s executable is only 170kb.

If English is not your first language or you speak a second language you can translate the ransom notes to help your victims understand better what is happening.
In case you’re looking for a way to spread the ransomware, there is a droppers page, where you can generate a crude code for a Microsoft Word macro and CHM file.

If you have any problem with the ransomware, you can report it using the leftmost button on the malware table. The middle blue button is used to update the malware to a newer version, if available, and the green one is used to edit your malware configuration.


All in all, this is a big step forward in luring in and incubating talent for ‘anti-security’ professionals, a.k.a. hackers, attackers, and the list goes on.

The humorous part is that the way this has been publicized is much, much better than the marketing of any security vendor’s product or service offering. And it’s an excellent business model for the provider: it not only recoups their current investment but also takes it a notch up, feeding the revenue from the exploits into the next iteration of R&D.


Posted by on February 7, 2017 in Security Posts