WannaCrypt / WannaCry: What you need to know

By now, most of the world is aware of the major ransomware cyberattack known as “WannaCrypt” or “WannaCry” that hit and rapidly spread on Friday.  Though initially concentrated in Russia and Eastern Europe, the ransomware infection quickly spread around the world, including significant infections in Great Britain’s medical and hospital communities.  This attack was and is particularly nasty and potent because it incorporates a worm that lands on the initially infected host and then spreads to all other servers and PCs on the network by leveraging a known Microsoft vulnerability.  The initial infection mechanism appears to be email phishing, but after that point, the spread of the worm is automated and ruthlessly effective.  Infected systems experience the encryption of critical data and receive a ransom notice demanding $300 in bitcoin for access to decryption keys.  Encrypted files on infected systems use the extension “.wncry”.

Microsoft addressed the exploit leveraged by the worm (EternalBlue) on all supported platforms in a patch released in March 2017 – https://technet.microsoft.com/en-us/library/security/ms17-010.aspx – though unsupported legacy platforms (Windows XP, Windows Server 2003, Windows 8, etc.) remained susceptible to infection.  Due to the rapid spread of the WannaCrypt worm around the world on Friday, Microsoft developed and released a special legacy patch for unsupported platforms as well – https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ .

Major security firms have worked diligently to develop and deploy signature updates to anti-malware and IPS solutions to limit the spread of this strain of ransomware.  The ransomware appears to attempt to communicate via an SMB flaw over specific UDP and TCP ports – UDP ports 137 / 138 and TCP ports 139 / 445.  Fortinet released an IPS signature in March to address these types of SMB vulnerabilities and has since updated the IPS signature to enhance detection.  Over the weekend, Fortinet also released a specific AV signature capable of detecting and stopping the attack.  See the following link for more details – https://blog.fortinet.com/2017/05/12/protecting-your-organization-from-the-wcry-ransomware .

What should you do to protect your organization from “WannaCrypt”?  Make sure you have done the following:

  • Verify that all Microsoft platforms have been patched with the March 2017 release – https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
  • Identify and manually patch any unsupported, legacy Microsoft systems (Windows Server 2003, Windows XP, etc.) with the Friday release – https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
  • Verify all IPS and Anti-Malware/Anti-Virus signatures are up to date on all systems including servers, desktops, firewalls and other security appliances.
  • Isolate any vulnerable systems and specifically isolate communication to UDP ports 137 / 138 and TCP ports 139 / 445.
  • Educate your end users. Explain the nature of the threat.  Make them aware that they should be cautious when dealing with unexpected or unknown email messages.
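
To check that the isolation step is holding, the ports named above can be watched in network flow logs. The following Python is an added example, not part of the original post or any vendor's tooling: it flags internal hosts that contact many distinct machines on UDP 137 / 138 or TCP 139 / 445 within a short window (the worm-like spread described above) and lists any SMB traffic touching hosts that are supposed to be isolated. The log format, addresses, threshold and window are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The NetBIOS/SMB ports named in the checklist above.
SMB_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}

# Constructed sample flow records: "ISO-time src dst proto dport".
# 10.0.2.9 stands in for an unpatched legacy host that should be isolated.
SAMPLE_FLOWS = """\
2017-05-12T09:00:00 10.0.1.30 10.0.1.5 tcp 445
2017-05-12T09:00:01 10.0.1.15 10.0.1.20 tcp 445
2017-05-12T09:00:02 10.0.1.15 10.0.1.21 tcp 445
2017-05-12T09:00:03 10.0.1.15 10.0.1.22 tcp 445
2017-05-12T09:00:04 10.0.1.15 10.0.1.23 tcp 445
2017-05-12T09:00:05 10.0.1.15 10.0.1.24 tcp 445
2017-05-12T09:00:06 10.0.1.15 10.0.2.9 tcp 445
2017-05-12T09:00:07 10.0.1.40 203.0.113.10 tcp 443
2017-05-12T09:00:30 10.0.1.30 10.0.1.5 tcp 445
2017-05-12T09:05:00 10.0.1.30 10.0.2.9 udp 137
truncated line
"""


def parse_flows(text):
    """Parse flow lines into (time, src, dst, proto, dport); skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, proto, dport = parts
        try:
            flows.append((datetime.fromisoformat(ts), src, dst,
                          proto.lower(), int(dport)))
        except ValueError:
            continue
    return flows


def smb_fanout(flows, threshold=5, window=timedelta(seconds=60)):
    """Return {src: peak distinct SMB destinations in any window} for
    sources whose peak reaches the threshold."""
    per_src = defaultdict(list)
    for ts, src, dst, proto, dport in flows:
        if (proto, dport) in SMB_PORTS:
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window.
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({d for _, d in events[start:end + 1]}))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def isolation_violations(flows, isolated_hosts):
    """Return SMB-port flows whose source or destination should be isolated."""
    return [f for f in flows
            if (f[3], f[4]) in SMB_PORTS
            and (f[1] in isolated_hosts or f[2] in isolated_hosts)]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, peak in smb_fanout(flows).items():
        print(f"fan-out: {host} reached {peak} hosts on SMB ports within 60s")
    for ts, src, dst, proto, dport in isolation_violations(flows, {"10.0.2.9"}):
        print(f"isolation breach: {ts.isoformat()} {src} -> {dst} {proto}/{dport}")
```

A normal file-server client such as 10.0.1.30 in the sample talks to one or two SMB peers and stays below the threshold; tune the threshold and window to your own baseline before alerting on it.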

The following are additional links to good information and guidance concerning this ransomware outbreak:

https://isc.sans.edu/forums/diary/WannaCryWannaCrypt+Ransomware+Summary/22420/

https://www.infosecurity-magazine.com/news/wannacry-ransomware-orgs-patch/

The Shadow Brokers, Microsoft, and the NSA – What you need to know

Over the Easter Holiday weekend, the Shadow Brokers, a hacking group that came to light over the summer of 2016, released a list of exploits and zero-day attacks targeting Microsoft Windows operating systems and applications among other technologies.  These exploits and zero-day vulnerabilities are purported to be part of a leaked list of NSA tools used for covert surveillance.  This is the fifth release of information by the Shadow Brokers since August 2016.  Speculation as to the motives behind this group of hackers ranges from the possibility of an internal NSA whistleblower to potential Russian hacking and propaganda.  Regardless of the motivation, these exploits and vulnerabilities pose a significant threat to many organizations and should be addressed immediately.

On Friday, April 14, 2017, Microsoft’s Security Response Center (MSRC) published a response to the list of exploits detailed in the Shadow Brokers release (MSRC Response can be found here).  Fortunately, most of the exploits listed have been addressed and patched by Microsoft prior to April 2017.  Three remaining exploits are not actionable on currently supported Microsoft platforms (Windows 7 / Exchange 2010 and forward), but are threats to unsupported, legacy Microsoft operating systems and applications.  Microsoft is actively encouraging all users to upgrade to a supported platform or offering as soon as possible.

As a Microsoft user or admin, what should you do to address these threats in your environment?  The following are several important steps to consider:

  • Make sure that all your systems are properly patched with the most current Microsoft critical and security related updates. Use Microsoft’s WSUS (Windows Server Update Services) or other third party tools in your patching process to ensure you have a reporting mechanism in place so that no systems are missed.
  • Have a process in place to monitor the existence of legacy, unsupported operating systems and applications and have a plan to upgrade these systems to supported platforms before they become a risk. If you have Windows XP, Windows Vista, Windows 2003 Server, or Exchange 2003 in your environment, you are at risk.
  • Strengthen your perimeter defenses by using mature firewalls and content filtering solutions to limit the amount of malicious traffic entering your network. Consider DNS-based content filtering and advanced malware protection as layers to protect against intrusions, viruses and malware that can leverage these released exploits and harm your network/computer environments.
  • Do not ignore third party applications in your patching process. Patching Windows updates alone is not enough.  There are many other exploits and zero-day vulnerabilities in the wild for third party applications that can threaten your network.  There are strong 3rd party tools that can address other applications like Adobe Flash, Adobe Acrobat Reader, Java and web browsers along with your Microsoft operating systems and applications to ensure all your systems are fully patched and monitored.
  • Train your users and share threat information as it becomes available. Do not shy away from making users aware of the threats they face.  Decent, focused training and timely awareness emails can make a difference.  An aware user will hesitate before clicking on a suspicious link or opening an email from an unknown source, and that hesitation can and will keep malicious content off your network.

MFA in the USA

What prevents a democratic republic like the United States of America from devolving into a dictatorship?  What stops the President from seizing control of the country?  What limits the power of Congress and stems the possibility of corrupt and unjust laws?  The answer to these questions is a simple one and known by every child in every social studies class across America – a system of checks and balances.  All the power and all the responsibility is not invested in any single branch of government.  Responsibility is divided and power is shared.  This simple, yet ingenious approach to government has preserved the sanctity and security of our nation for more than 240 years.  This concept of checks and balances has also proven its value in other segments of life and business including the principles of IT security.

Checks and balances permeate almost every aspect of a sound IT security program.  The practice of this concept is known by many different names – separation of duties, layered perimeter defenses, 3rd party auditing, and most recently multi-factor authentication.  The latter (multi-factor authentication or MFA) has become particularly relevant in the last several months and has spurred many debates over the how’s and why’s of identity and access management.  As such, there is tremendous value in exploring its significance as a check in the computer authentication process and understanding what it does and does not do to protect a user’s identity and system access.

At its core, MFA is built on the principle of “something you know” and “something you have”.  The “something you know” is fairly straight-forward.  You know your username and your password.  The “something you have” can be a little trickier.  Sometimes it is a physical token you use, such as a key card or a USB drive you insert into your computer.  Other times it is a piece of software generating a code on your smartphone or a text message you receive from an authenticating system.  The end goal of this authentication process is to separate the two items.  The “something you have” is separate from the “something you know”.  It is out-of-band and not easily intercepted by someone or something attempting to compromise the authentication process.  In a modern world filled with cyber criminals lurking around every corner armed with phishing attacks and social engineering tricks and treats, protecting user identities has become a full time job and the most trusted tool in the trade has become multi-factor authentication.

The title of “most trusted tool” for MFA is frankly quite accurate and far from a literary exaggeration.  What was once an optional security feature left to IT security aficionados and the truly paranoid, MFA has, over the last year, become a standard authentication mechanism for numerous businesses, online retailers and service providers.  This tremendous growth in use has been fueled by the fear of identity theft and financial loss associated with email phishing schemes and online hacking.  Multi-factor authentication has provided some much needed peace of mind as a second layer of protection for users fearing compromise because it prevents access to systems and websites even if a user’s password has been successfully stolen or intercepted by a cybercriminal.  Just because “something you know” has been stolen, the “something you have” still protects your account.

As users have become more comfortable with and accustomed to MFA, a new question has arisen that deserves our attention.  Users are now asking, “If my password is now protected by multi-factor authentication, then why do I need to worry about following all of these strong password requirements?”  Those requirements typically include longer, randomized passphrases comprised of case-sensitive letters, numbers and symbols.  The answer to this question is also quite simple.  Multi-factor authentication is not perfect.  As a process, it can be broken, sidestepped, or even experience outages.  In just the last week, PayPal announced that it had corrected a flaw in its two-factor authentication mechanism that allowed for the bypassing of the secondary security layer altogether.  Apple in the last 72 hours announced an emergency security update that addressed among other issues a flaw in its authentication process that would allow for remote access to and jailbreaking of iOS devices.  These are only 2 examples among many others because, at the end of the day, we are dealing with technology written and maintained by humans, and humans make mistakes.

Remember that at its core, MFA is an extra layer of protection for the authentication process.  It is not a replacement for strong passwords, but instead should be viewed as an addition to strong passwords.  It is part of a checks and balances system that has evolved in the world of strong authentication, and in this system, just as we discussed in the introduction of this article, power and responsibility are both divided and shared, but never exclusive.  IT security defenses, like the defenses used throughout the history of humanity, are most effective when they are layered.

This article began with the example of a historically validated and somewhat aloof core principle of democratic society.  Allow me to end it with some of the sage advice I received from my grandmother over and over throughout my formative years.  Don’t put all of your eggs in one basket.  Do not assume that just because one of your layers of defense is strong, the others are suddenly less important.   You need both checks and balances.  The responsibility for secure authentication is both divided among and shared by the multiple factors in use.  Every factor needs to be strong and reliable to ensure the safety of the user involved and the system being accessed.  Given the prolific growth of cybercrime in the world, now is not the time to cut corners and to sacrifice security for expediency.  Now is the time to strengthen your walls, to deepen your moats, and to raise your drawbridges.  The cyber criminals are coming, but you don’t have to let them in.

Lions and Tigers and Passwords and Hoaxes, oh my!

Many of you may have seen a great deal of bluster in the mainstream media and general interest IT circles over the last few days concerning the possible breach and release of tens of millions of Google, Yahoo, and Microsoft credentials.  This breach was attributed to a Russian hacker after a huge, low cost dump of credentials flooded the black market.  I have personally seen multiple emails and alerts floating around the Internet from “experts” spreading large quantities of FUD (Fear, Uncertainty and Doubt), claiming that passwords should be rotated immediately, not only for Google, Yahoo, and Microsoft, but also any other systems that might have the same or similar credentials.  Fortunately, professionals in the IT Security community saw through this hoax fairly quickly and never raised the red flag.  The data dump in question proved quickly to be more than 98% dummy data.  Even on the black market, too good to be true usually means it is not what it appears to be.

So what should be the takeaways and lessons learned from this type of event?  We can certainly learn a great deal from these types of false alarms.  Here are a few of my thoughts and suggestions:

  • Don’t overreact – Wait for the IT Security professionals and the vendors in question to weigh in before assuming that all is lost. Google, Yahoo and Microsoft were quick to verify the data was false and confirm that a breach had not occurred.  Though I am never against periodically rotating passwords, sometimes these hoaxes are designed to fuel a mass password change panic which is then exploited by phishing attacks and other credential harvesting techniques by the bad guys.
  • Don’t focus only on passwords – Consider utilizing multi-factor authentication for web mail and social media accounts. Twitter, LinkedIn, Google, Yahoo, Microsoft and others all support free, multi-factor authentication mechanisms as a protection against the theft of usernames and passwords.  Multi-factor authentication basically means that in order to sign into a service, either via your PC or your mobile device, you must have something you know (your username and password) and something you have (your smartphone text message or token).  This type of protection can buy you the time you need to investigate alerts while knowing your credentials are safe from misuse.
  • Lessen the impact of lost credentials – Always use separate passwords for different services and accounts. In the event a credential is lost or compromised, you are only exposed for that one service or resource.  I fully realize this strategy creates some overhead in managing lots of usernames and passwords, but fortunately there are many great password management tools on the market today to help remedy this problem.  I am personally a fan of tools like 1Password and LastPass.
  • Have good resources on stand-by to help – IT Security is an ever-evolving, specialized field. Make sure your IT services team has expertise on staff and is ready to help.  Consider finding trusted sources you can follow via an RSS feed or Twitter to know what is really going on in the world of IT security so that you can better differentiate between the hoaxes and the real threats.

SkyNet is born? – Microsoft Windows 10 and Data Privacy

The time has come to have the Microsoft / Windows 10 discussion.  For those of you that follow one or several of the myriad of tech news sources available online, I don’t need to say anything else.  You know exactly where this article is going.  For anyone else who hasn’t stumbled across any of the headlines of the last several months, the discussion in question is about data collection, forced upgrades, and control.  Microsoft has chosen a path with their implementation of Windows 10 that crosses a line, or frankly several lines, in terms of user privacy and user choice, and I believe it is time for me to weigh in and help move this conversation forward.

I readily admit that nothing I am about to share or discuss is particularly new or innovative.  These Windows 10 concerns have existed since the beta releases and have been thoroughly covered in the tech and IT security media.  My motivation is simply the fact that I have finally reached my personal boiling point.  I was asked this week by colleagues in my office why I have not written about these issues or raised an electronic red flag.  Sadly, the most honest answer I could give then and share now is that I was avoiding the conversation because: A) it hasn’t really affected me personally as an OS X user, and B) I don’t honestly know what the solution would or could be to this problem.  That said, I do not think this conversation can be avoided any longer and it is time to speak up.

Before we get into examining why I felt the need to avoid this conversation, let’s take a moment to frame the issues with Microsoft and Windows 10, and the best starting point is Microsoft’s new approach to user data collection.  With the release of Windows 10, Microsoft has defined certain data collection points that they believe are important, if not necessary, to providing the best user experience possible.  In a blog post from September 2015, Terry Myerson, Microsoft’s Windows Chief, attempted to justify the data being collected by Microsoft by defining the 3 core areas where data collection was beneficial if not necessary: data used for safety and reliability, user personalization data, and advertising data.  According to Myerson, this data greatly enhances the user experience and is transmitted, collected and stored in a safe and responsible manner by the team at Microsoft.  Many in the world of tech and IT security are openly questioning these claims and are quick to point out the difficulties experienced when attempting to stop or block these data collection processes.

To provide a little perspective, a colleague of mine has the following statement taped to his office door:

Microsoft’s service agreement for Windows 10 is 12,000 words in length.  Here’s one excerpt from Microsoft’s Terms of Use that you may not have read:

“We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary.”

To better understand the pervasiveness of Microsoft’s data collection strategy, you only need to look at the Windows 10 achievement milestones Microsoft is bragging about and sharing with the world.  The Hacker News, an IT security news and blogging site, deftly outlined the following stats shared by Microsoft to start the new year:

  • People spent over 11 Billion hours on Windows 10 in December 2015.
  • More than 44.5 Billion minutes were spent in Microsoft Edge across Windows 10 devices in December alone.
  • Windows 10 users asked Cortana over 2.5 Billion questions since launch.
  • About 30 percent more Bing search queries per Windows 10 device compared to prior versions of Windows.
  • Over 82 Billion photographs were viewed in the Windows 10 Photo application.
  • Gamers spent more than 4 Billion hours playing PC games on Windows 10 OS.
  • Gamers streamed more than 6.6 Million hours of Xbox One games to Windows 10 PCs.

Microsoft is clearly sharing these statistics to tout how successful the Windows 10 rollout has been and how well received the product is with end users, but these statistics are also a brazen admission of how deeply Microsoft is monitoring its user base and exactly how much data they are collecting about the Windows 10 population.  Just break these statistics down.  Microsoft is cataloging overall usage hours by end users, specific application usage hours, Cortana requests, Bing queries, photo and video content usage, and cross platform communications.  As a potential end user, you should be both afraid and appalled by these statistics.

Another frightening data collection area that should be considered is Microsoft’s new approach to whole disk or device encryption.  Device encryption is a new, free service available for all Microsoft devices with the necessary supporting chipsets and hardware.  For those of you in the corporate world familiar with Microsoft’s professional Bitlocker offering, the underlying technology is the same across all platforms.  However, unlike Pro and Enterprise users, the Home/free device encryption solution Microsoft is now providing across the board lacks the options available to Bitlocker deployments when it comes to how the encryption key is handled.  To make a long story short, if you are using the free or Home solution, Microsoft is collecting and storing your encryption key on their servers and associating it with your Microsoft account.  They did not ask.  They simply did this because they determined it was best for the end user and his/her overall experience.  If you have Bitlocker in an enterprise environment, you do have other options for storing and managing encryption keys, but even with that process, if the wrong boxes are checked, the result can be keys being submitted to a Microsoft repository.  Ponder that fact for just a moment.  If/when Microsoft’s server resources get compromised, then a huge portion of the world’s end users will have their private encryption keys published and available for public consumption.

So how did Microsoft, and as an extension, we as the end user public get to this point?  The answer is system updates.  Microsoft writes them.  End users need them to fix OS and application problems.  IT security professionals, myself included, harp that critical and security-related patching is vital to stay ahead of the cyber crime curve.  So Microsoft leveraged this delivery mechanism to start sending out “critical” updates to users to prompt, then highly encourage, then all but force an upgrade to Windows 10.  Microsoft used similar updates to open communications paths and allow for new data collection points.  Filtering these updates is very difficult for the average, non-technical Windows user, and the more technical user has started seeing features break and options unavailable if patches were not applied.  Microsoft basically took advantage of a captive audience and began to build their “OS utopia” one update at a time.

As we speak about a captive audience and the Microsoft update process, let’s take a moment to look at the announcement this week surrounding support for Internet Explorer.  Microsoft has announced that as of January 12, 2016, all versions of Internet Explorer prior to IE 11 or Microsoft Edge will cease to be supported and will no longer receive security updates.  Though there are some exceptions for embedded versions of Windows, this basically means that IE 7, 8, 9, and 10 will no longer be patched.  Along with these versions of IE, Microsoft also quietly indicated that Windows 8 as an operating system will also no longer be supported.  On its face, this announcement is not an evil act.  It is important for organizations and individuals to update and upgrade software to the latest version, especially an application as vulnerable to attack as a web browser.  But let us be clear.  This was not an altruistic act by Microsoft to move users to a safer and more secure platform.  It was a targeted act that moves users to the most current and most pervasively monitored version of an application, and it also encourages an upgrade path to Windows 10.  There are very practical implications to this move by Microsoft.  Many organizations and individuals rely upon legacy web applications that simply do not support new versions of IE.  Others simply do not have the time and resources to update and retrain.  There is the real potential for a security vacuum with the lack of patches for legacy versions of Internet Explorer.

I began this article with an admission that I have honestly been avoiding this conversation for a couple of reasons.  First of all, I am primarily an OS X user and these problems don’t directly affect me.  OK.  I admit that is a bit of a cop out.  I still own several Windows devices, as do my children, and of course, many of my customers.  But in truth, as I sit and type here on my Macbook Air, I do not personally fear many of the intrusions I have outlined to this point, and at some level, that fact kept my boiling point in check.  That said, I have experienced some of the pains I have detailed in this article, especially in the support and configuration of devices for my teenage boys.  These issues do exist in the real world and need to be addressed, but that fact also leads to the second reason why I have avoided this conversation.  How do we solve or begin to solve this problem?

At the heart of this problem is the most commonly used operating system on the planet – Windows.  Though far, far from perfect, Apple OS X and the many flavors of Linux available throughout the world do not generally have the same number of privacy concerns that Windows 10 enjoys.  In all honesty, there are many ways you can share your private information with the good people of Apple, but those options can be fairly easily controlled and disabled by the end user.  So, is the solution to press the world to go out and buy Macs?  I don’t think so.  For many, this is a cost-prohibitive scenario.  There is a sunk cost to hardware already purchased.  There is a learning curve.  So is the solution a custom distribution of Linux that can run on already purchased hardware?  Maybe, but even that option is difficult and unlikely to gain any traction.  Once again, there is a learning curve and a populace that simply lacks the skills and resources to transition away from Windows.  Sadly, at the end of the day, we are discussing a market that Microsoft has dominated for more than 20 years.  We are navigating on a boat that simply turns too slowly.

So what is the answer and is there a solution?  I freely admit that I do not know for sure.  But I do have hope.  I have hope for the simple reason that we still have a voice.  We can still complain about the level of intrusion Microsoft is making into the lives and actions of its end users.  We can share these concerns with the masses, with the press, and with the legislators that have such a keen desire to tout the need for both security and privacy.  We can choose to save our money and invest in better software and hardware whenever possible.  We can collaborate as a community on tweaks and fixes and filters for Windows 10 that can curb the loss of data.  Frankly, we can become the community of IT users and professionals that we have always pined for – a group of people concerned for the common good and willing to work together and share information to make the cyber ecosystem a safer and more reliable place to work and play.  It is not easy and it will not be quick, but the effort is well worth it.