Why We Need a Data-Driven Cybersecurity Market

As soon as I read the title of this article, I knew I would agree and I do.  Consistent, comparable metrics are a tremendous motivator.  They can help raise baseline expectations and start productive conversations about creative solutions to difficult problems.  I hope our industry, the world of IT security / compliance / risk management, can move in this direction sooner rather than later.

http://www.darkreading.com/threat-intelligence/why-we-need-a-data-driven-cybersecurity-market/a/d-id/1328879

Zomato Hacked! Database of 17 Million Users Stolen

As this article states, the biggest challenge in a breach like this is the fact that so many users reuse the same usernames and passwords across a large portion of their online accounts.  If you are a user of this service, you have already been forced to change your password.  Take this breach as a warning to not replicate the same credentials all over the internet.  Use a password manager.  Use unique passwords.

https://www.tripwire.com/state-of-security/featured/zomato-hacked-database-of-17-million-users-stolen/

WannaCrypt / WannaCry: What you need to know

By now, most of the world is aware of the major cyberattack in the form of ransomware that hit and rapidly spread Friday known as “WannaCrypt” or “WannaCry”.  Though initially concentrated in Russia and Eastern Europe, the ransomware infection quickly spread around the world, including significant infections in Great Britain’s medical and hospital communities.  This attack was and is particularly nasty and potent because it has incorporated a worm that lands on the initially infected host and then spreads to all other servers and PC’s on the network by leveraging a known Microsoft vulnerability.  The initial infection mechanism appears to be in the form of email phishing, but after that point, the spread of the worm is automated and ruthlessly effective.  Infected systems experience the encryption of critical data and receive a ransom notice demanding $300 in bitcoin for access to decryption keys.  Encrypted files on infected systems use the extension “.wncry”.

Microsoft addressed the exploit leveraged by the worm (EternalBlue) on all supported platforms in a patch released in March 2017 – https://technet.microsoft.com/en-us/library/security/ms17-010.aspx – though unsupported legacy platforms (Windows XP, Windows Server 2003, Windows 8, etc.) remained susceptible to infection.  Due to the rapid spread of the WannaCrypt worm around the world on Friday, Microsoft developed and released a special legacy patch for unsupported platforms as well – https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ .

Major security firms have worked diligently to develop and deploy signature updates to anti-malware and IPS solutions to limit the spread of this strain of ransomware.  The ransomware appears to attempt to communicate via an SMB flaw over specific UDP and TCP ports – UDP ports 137 / 138 and TCP ports 139 / 445.  Fortinet released an IPS signature in March to address these types of SMB vulnerabilities and has since updated the IPS signature to enhance detection.  Over the weekend, Fortinet also released a specific AV signature capable of detecting and stopping the attack.  See the following link for more details – https://blog.fortinet.com/2017/05/12/protecting-your-organization-from-the-wcry-ransomware .

What should you do to protect your organization from “WannaCrypt”?  Make sure you have done the following:

  • Verify that all Microsoft platforms have been patched with the March 2017 release – https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
  • Identify and manually patch any unsupported, legacy Microsoft systems (Windows Server 2003, Windows XP, etc.) with the Friday release – https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
  • Verify all IPS and Anti-Malware/Anti-Virus signatures are up to date on all systems including servers, desktops, firewalls and other security appliances.
  • Isolate any vulnerable systems and specifically isolate communication to UDP ports 137 / 138 and TCP ports 139 / 445.
  • Educate your end users. Explain the nature of the threat.  Make them aware that they should be cautious when dealing with unexpected or unknown email messages.

The following are additional links to good information and guidance concerning this ransomware outbreak:

https://isc.sans.edu/forums/diary/WannaCryWannaCrypt+Ransomware+Summary/22420/

https://www.infosecurity-magazine.com/news/wannacry-ransomware-orgs-patch/

Keylogger Found in Audio Drivers on Some HP Machines

Take a moment and review any HP laptops at your house or running in your organization.  Those devices may have a functional keylogger running on them and you never knew it.

I am linking two articles.  The second indicates that HP has provided a patch / driver update that addresses this problem.

https://threatpost.com/keylogger-found-in-audio-drivers-on-some-hp-machines/125600/

http://www.zdnet.com/article/keylogger-found-on-several-hp-laptops/

Microsoft Makes it Official, Cuts off SHA-1 Support in IE, Edge

Publicly signed SHA-1 certificates are now officially dead to Microsoft Internet Explorer 11 and Edge as of yesterday’s released security updates.  Internally self signed legacy certificates should continue to work, but Microsoft strongly urges a migration to SHA-2 or greater as soon as possible.  Take due notice.

https://threatpost.com/microsoft-makes-it-official-cuts-off-sha-1-support-in-ie-edge/125579/

Officials fear Russia could try to target US through popular software firm under FBI scrutiny

This is a curious development, though one is forced to wonder if this is a credible threat or simply a general concern that finds itself elevated in the public eye because it became part of a classified memo.  Kaspersky Labs is not a government owned entity, but its back channel ties to Russian Government officials is unclear.  Lenovo has faced similar criticism in the past, but unlike Kaspersky, and to the best of my knowledge, it is funded and partially owned and managed by the government of the People’s Republic of China.

This is certainly an interesting twist on the “Buy American” craze of my early childhood.

http://abcnews.go.com/US/officials-fear-russia-target-us-popular-software-firm/story?id=47295729