  • Patch Lady – 31 days of Paranoia – Day 18

    Posted on October 18th, 2018 at 23:19 Susan Bradley Comment on the AskWoody Lounge

    Today we’re taking a break from our normal paranoia to discuss a recent vulnerability.  The headlines imply that a guest user can gain admin rights via this attack.  But that’s not how I’m reading this.  Windows RID hijacking, as the blog describes it, lets an attacker “Assign the privileges of the hijacked account to the hijacker account, even if the hijacked account is disabled.”  That is, the rights of the account you attacked can then be assigned to another account.  IF the account you hijacked is the administrator account, you can then assign those admin rights to a lower level account.  So it does hide the fact that one has a back door in the system.  But… here’s the thing… you already had to have been hacked by something or someone before the RID hijacking could occur in the first place.

    Castro, with help from CSL CEO Pedro García, discovered that by tinkering with registry keys that store information about each Windows account, he could modify the RID associated with a specific account and grant it a different RID, for another account group.
    The technique does not allow a hacker to remotely infect a computer unless that computer has been foolishly left exposed on the Internet without a password.
    But in cases where a hacker has a foothold on a system –via either malware or by brute-forcing an account with a weak password– the hacker can give admin permissions to a compromised low-level account, and gain a permanent backdoor with full SYSTEM access on a Windows PC.

    So the real issue is that you were hacked by something else first… and then this obfuscation can occur.
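    As an added illustration (not code from this post or from the researchers it cites), here is a defender-side check for the registry tampering described above: each account under the SAM Users key is named by its original RID, while the account’s binary F value holds the RID Windows actually applies, so a mismatch between the two is the fingerprint of a hijacked account. The registry path and the F offsets (0x30 for the RID, 0x38 for the account control flags) are assumptions taken from Castro’s published research rather than from this page, and the SAM data below is constructed.

```python
import struct

# Registry path of the SAM user records (one subkey per account, named by hex RID).
# Not readable by ordinary admins: a defender reads it as SYSTEM or from an offline hive.
SAM_USERS_KEY = r"HKLM\SAM\SAM\Domains\Account\Users"

# Offsets inside an account's binary "F" value (assumption from Castro's research;
# verify against your Windows build before relying on them).
F_RID_OFFSET = 0x30      # DWORD little-endian: the RID the OS will use for this account
F_ACB_OFFSET = 0x38      # WORD: account control bits
ACB_DISABLED = 0x0001
ACB_NORMAL = 0x0010


def parse_f(f_value: bytes):
    """Return (effective_rid, disabled) read from an account's F value."""
    if len(f_value) < F_ACB_OFFSET + 2:
        raise ValueError("F value too short")
    (rid,) = struct.unpack_from("<I", f_value, F_RID_OFFSET)
    (acb,) = struct.unpack_from("<H", f_value, F_ACB_OFFSET)
    return rid, bool(acb & ACB_DISABLED)


def audit_sam(accounts):
    """accounts: {subkey name (hex RID as in the registry): F bytes}.
    A hijacked account shows a key-name RID that differs from the RID stored
    inside its own F value; return one (key, key_rid, f_rid, disabled) per hit."""
    findings = []
    for key_name, f_value in accounts.items():
        key_rid = int(key_name, 16)
        eff_rid, disabled = parse_f(f_value)
        if eff_rid != key_rid:
            findings.append((key_name, key_rid, eff_rid, disabled))
    return findings


def make_f(rid: int, disabled: bool) -> bytes:
    """Constructed sample F blob: only the two fields the audit inspects are set."""
    buf = bytearray(0x50)
    struct.pack_into("<I", buf, F_RID_OFFSET, rid)
    struct.pack_into("<H", buf, F_ACB_OFFSET, ACB_DISABLED if disabled else ACB_NORMAL)
    return bytes(buf)


# Constructed sample: built-in Administrator (disabled), a normal user, and a
# low-privilege account whose F value has been rewritten to carry RID 500.
SAMPLE = {
    "000001F4": make_f(500, True),
    "000003E9": make_f(1001, False),
    "000003EA": make_f(500, False),   # key says 1002, F says 500: hijacked
}

if __name__ == "__main__":
    for key, key_rid, eff_rid, disabled in audit_sam(SAMPLE):
        print(f"{SAM_USERS_KEY}\\{key}: key RID {key_rid} but F RID {eff_rid} (disabled={disabled})")
```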

    Sometimes in security it’s hard to get a real sense of the true risk.  We spend hours in TSA lines but aren’t really any more secure than we think.

    Bottom line: don’t be quite so paranoid about this vulnerability.  Be more concerned about something you probably have absolutely no control over.  The bigger vulnerability we all should be freaking out over is the libssh authentication vulnerability.  This vulnerability “allows anyone to authenticate to a server without any credentials, simply by telling the system that they’re a legitimate user.”  As the Threatpost post puts it, it’s the equivalent of the Jedi mind trick… the attacker can just say “these aren’t the droids you are looking for” and gain access.  Do you know which of the applications you currently use rely on libssh?  No, we don’t.

    That, my friend, is true paranoia: when we know we probably are at risk, but don’t know what software might be at risk.

  • Patch Lady – 31 days of Paranoia – Day 17

    Posted on October 18th, 2018 at 00:12 Susan Bradley Comment on the AskWoody Lounge

    So you know you’ve been hacked.  Now what?  You can tell your passwords have been reset and you can’t get into your accounts.  You have evidence that a bank account has had funds transferred without your permission.  What can you do?

    Well it honestly depends on exactly the level and damage of the attack.  Financial crimes have a higher impact and thus will often get action.  Low impact crimes, for example where someone is spoofing you online and pretending to be you in Facebook and asking for “friend” requests won’t get police action.

    But what can you do to at least make authorities aware of the problem?  Obviously with any hacking or cyber activity that has a financial impact, immediately call your financial institution.  They can change bank account numbers and put in place positive pay processes to ensure that no transactions get made without your explicit permission.  For high impact intrusions you can contact the FBI, the Secret Service or the Internet Crime Complaint Center.  For less impactful attacks you have far fewer options.

    Think the cyber attack is originating from Azure or Amazon Web Services?  You can contact them.  And that’s often the best place to start.  See if you can determine where the attack originated from and contact the hoster or ISP that the attack came from.  Often you can narrow this down by reviewing email headers.
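    To show the header review just mentioned, here is an added example (not from the post) that walks the Received chain of a constructed message from the last hop back to the first and reports the connecting IP of the originating hop, which is the address to look up to find the hoster or ISP to contact. It assumes a plain RFC 822 message; only the Received headers added by servers you trust are reliable, since earlier ones can be forged by the sender.

```python
import re
from email import message_from_string

# Constructed sample message. Each mail server prepends its own Received header,
# so the LAST Received header is the hop nearest the sender.
SAMPLE_EMAIL = """\
Received: from mx1.example.net (mx1.example.net [203.0.113.10])
\tby inbox.example.org with ESMTPS; Thu, 18 Oct 2018 10:00:02 -0700
Received: from relay.example.com (relay.example.com [198.51.100.7])
\tby mx1.example.net with ESMTP; Thu, 18 Oct 2018 09:59:58 -0700
Received: from [192.0.2.44] (unknown [192.0.2.44])
\tby relay.example.com with ESMTPA; Thu, 18 Oct 2018 09:59:50 -0700
From: "Someone" <someone@example.com>
Subject: constructed sample

body
"""

# "from <claimed host> ... [<observed IPv4>]": the bracketed IP is what the
# receiving server saw on the socket, the host name is what the sender announced.
HOP = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)


def received_hops(raw_message):
    """Return [(claimed_host, connecting_ip), ...] ordered sender-first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def origin_ip(raw_message):
    """Connecting IP of the first hop (the one to whois for the hoster/ISP),
    or None when no Received header could be parsed."""
    hops = received_hops(raw_message)
    return hops[0][1] if hops else None


if __name__ == "__main__":
    for host, ip in received_hops(SAMPLE_EMAIL):
        print(f"{host:28} {ip}")
    print("origin:", origin_ip(SAMPLE_EMAIL))
```

Treat the result as a lead, not proof: the hop you can vouch for is the one recorded by your own provider’s server.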

    Tomorrow I’ll talk about the ways you can recover from an attack and some of the investigation tools you can use on machines.

  • Patch Lady – 31 days of Paranoia – Day 16

    Posted on October 16th, 2018 at 23:23 Susan Bradley Comment on the AskWoody Lounge

    Today we live in a world where recording devices are ubiquitous.  There are recording devices on public streets, recording devices in the doorbells of houses, and in general there is often a video recording that authorities can obtain to gain more information.  California has a law that states….

    California’s wiretapping law is a “two-party consent” law. California makes it a crime to record or eavesdrop on any confidential communication, including a private conversation or telephone call, without the consent of all parties to the conversation. See Cal. Penal Code § 632. The statute applies to “confidential communications” — i.e., conversations in which one of the parties has an objectively reasonable expectation that no one is listening in or overhearing the conversation. See Flanagan v. Flanagan, 41 P.3d 575, 576-77, 578-82 (Cal. 2002).  A California appellate court has ruled that this statute applies to the use of hidden video cameras to record conversations as well. See California v. Gibbons, 215 Cal. App. 3d 1204 (Cal Ct. App. 1989).

    If you are recording someone without their knowledge in a public or semi-public place like a street or restaurant, the person whom you’re recording may or may not have “an objectively reasonable expectation that no one is listening in or overhearing the conversation,” and the reasonableness of the expectation would depend on the particular factual circumstances.  Therefore, you cannot necessarily assume that you are in the clear simply because you are in a public place.

    If you are operating in California, you should always get the consent of all parties before recording any conversation that common sense tells you might be “private” or “confidential.” In addition to subjecting you to criminal prosecution, violating the California wiretapping law can expose you to a civil lawsuit for damages by an injured party.

    If you have security cameras in a location where there is no expectation of privacy – out in the street in front of your house – you would not be under a wiretapping law.  However, if your security cameras are inside your house, there is an expectation of privacy and thus wiretapping laws would come into play.  Now layer on how some of these video cameras have less than stellar security, and layer on the ability to search for such internet of things devices through a specially crafted search engine, and it’s no wonder that we’re all a bit paranoid these days.  Make no mistake, video cameras often help law enforcement put evidence together.  Case in point: in a local homicide in my city, investigators were able to spot an assailant’s truck in several videos captured by surrounding homes and businesses, and used the video as additional evidence that the assailant was in the area where the homicide occurred.  So video capturing helps a great deal.  BUT… as with all technology – it can be abused, both in terms of privacy and by being used by attackers.

    If you set up a home video camera, consider the vendor’s security features: make sure it doesn’t have embedded passwords, that it demands complex passwords, and that it can be updated relatively easily, among other things.

    Cameras can help make you safer, but they can also introduce security risks as well.

  • Phone scam: Win7 license is “about to expire”

    Posted on October 16th, 2018 at 04:58 woody Comment on the AskWoody Lounge

    Fascinating story/question from JW:

    I’m writing in reference to what my wife & I believe to be a phone scam related to the upcoming termination of Microsoft support for Windows 7. We have now received two phone calls (several weeks apart), from someone claiming to represent Microsoft, informing us that our Win7 license is about to expire, and that we must pay a fee by phone (credit card) in order to continue to use the software beyond a certain date (which has changed with each call). This strikes us as being illegitimate and a scam to get money and our credit card info. Have you heard of this previously and do you agree this is likely an illegitimate request? Is there some useful action we might take other than sharing this with you?

    No question it’s illegitimate.

    It’s also the first time I’ve heard this one.

    As Win7 approaches end of life (14 months to go!) I expect we’ll hear more variations on this theme.

  • Patch Lady – 31 days of Paranoia – Day 15

    Posted on October 15th, 2018 at 23:15 Susan Bradley Comment on the AskWoody Lounge

    We’re on the 15th day of our travels through paranoia and on the day that Paul Allen, one of the founders of Microsoft passed away, I’m touching on the next big disruptor that the Microsoft company is increasingly implementing:  That of cloud services.

    Paul Allen and Bill Gates took mainframe computers from being locked away in a freezing room, accessible only to the few, to where nearly everyone has more power in their desktop and laptop than the old mainframes used to have.  The next disruptor is cloud services.  My biggest fear, especially for small firms that rely on cloud computing, is that we won’t get solid guidance on how best to secure and deploy cloud services.

    Too often people see cloud services as easy to set up (and they are), but they don’t take the time to think about security.  I have personally seen users of cloud services share credentials with another person without thinking of the risk of sharing credentials.  I’ve seen consultants misconfigure settings or – as often seen in big cloud breaches – leave files in cloud locations without setting the file security properly.

    There are a lot of good things about cloud services.  And there are a lot of risks to cloud services.  Always ask and check how easy it is to move FROM a cloud provider, check on the encryption status, and check on the backup status.  And these days I’m seeing more and more vendors providing cloud backup solutions to give users more granular options for restoring files saved in the cloud.

    So read those end user license agreements, and ask questions of your vendors before you sign up.

  • Patch Lady – 31 days of Paranoia – Day 14

    Posted on October 15th, 2018 at 00:34 Susan Bradley Comment on the AskWoody Lounge

    If you have a bit of time on your hands, take a stroll through the FBI’s most wanted for Cyber security attacks.  You’ll find Russian hackers targeting our elections as well as one gentleman who

    is allegedly a North Korean computer programmer who is part of a state-sponsored hacking organization responsible for some of the costliest computer intrusions in history, including the cyber attack on Sony Pictures Entertainment, a series of attacks targeting banks across the world that collectively attempted to steal more than one billion dollars, and the WannaCry ransomware attack that affected tens of thousands of computer systems across the globe.


    Park was alleged to be a participant in a wide-ranging criminal conspiracy undertaken by a group of hackers employed by a company that was operated by the North Korean government.  The front company – Chosun Expo Joint Venture, also known as Korea Expo Joint Venture – was affiliated with Lab 110, one of the North Korean government’s hacking organizations.  That hacking group is what some private cybersecurity researchers have labeled the “Lazarus Group.”  On June 8, 2018, a federal arrest warrant was issued for Park Jin Hyok in the United States District Court, Central District of California, after he was charged with one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer-related fraud (computer intrusion).

    The NHS was impacted to the tune of an estimated 92 million pounds (assuming I have my monetary naming correct).  The disturbing thing about WannaCry was that most were impacted by the ransomware attack because they had not installed the updates that protect against the EternalBlue exploit.  The patch was available but many had not yet installed it for various reasons.

    Yet today we are in a position where many are worried about patching as well.  Vendor drivers were inadvertently pushed out this week causing some to lose audio (1), and patching got blamed as the root cause.  This is now the second such driver related issue with this month’s patching (Woody already posted about the first).  This still gets back to a root cause of loss of trust.  If we cannot trust our vendors, we place ourselves in a position where cyber villains can get to us.

    Earlier this week, Intel unintentionally released version of the Intel Smart Sound Technology (ISST) Driver through Windows Update, and inadvertently offered it to a range of devices running Windows 10 version 1803 or 1809. If your device contained a compatible audio driver, the new driver overrode it and caused audio to stop working.

  • Patch Lady – 31 days of Paranoia – Day 13

    Posted on October 14th, 2018 at 02:16 Susan Bradley Comment on the AskWoody Lounge

    Today I want to review browsers and application safety.  On the heels of Woody’s post about the Microsoft Store offering it’s wise to add a healthy dose of paranoia when surfing and picking software to install on your system.

    The FBI put together a video to warn those running for office not to be tricked into running or installing malicious code on their systems.  As noted in the video, when you install your browser you want to check its settings:

    Disable autofill, remembering passwords, and browsing histories.

    Do not accept cookies from third parties.

    Clear all forms of browser history when closing the browser.

    Block ad tracking.

    Enable ‘do not track’ requests to be sent to websites.

    Disable browser data collection.

    When certificates are requested, ensure the browser requests your permission to provide them.

    Disable cache (or storing) of web pages or other content, or set the cache size to zero.

    Enable browser capabilities to block malicious, deceptive or dangerous content.

    And while you are checking out your browser, there are a couple of new kids on the block that you might want to check out.  Both have a musical name…. Opera is one…. Vivaldi is the other.

    Check them out!

  • Patch Lady – 31 days of paranoia – day 12

    Posted on October 12th, 2018 at 23:10 Susan Bradley Comment on the AskWoody Lounge

    We are at day 12 of our month-long trip through paranoia.  Today our topic is routers and specifically router hardening.  No matter whether your router is provided by your Internet Service Provider or you purchased it, there are a few steps to take to ensure that you are as secure as you can be.  Many of these steps are covered in this FBI video.

    First, if the router is provided by your ISP, they often enable guest access.  I make it a rule to find the section of the router settings where Comcast enables its guest access and disable it.  Next I reset all default passwords on the router and ensure that the router cannot be accessed externally.

    Then I ask myself… how long have I had this router?  If you can’t remember when your ISP provided it to you, or when you purchased it, it’s time to contact your ISP and inquire about a hardware upgrade.  Often you need a hardware upgrade, but they forgot to tell you that you need a replacement.

    Review your Wi-Fi security settings and ensure that they are as secure as they can be.  Ensure they are set to at least WPA2.

    Routers can be used by attackers in all sorts of ways.  As noted in the video:

    Bad actors could watch your Internet traffic and see or steal your sensitive data.

    Bad actors could send a simple command to your router and permanently disable it.

    Bad actors could use your router to launch a network attack on another device.

    Time to review how your router is set up and how secure it is.

    How well is yours set up?