Tuesday, May 16, 2017

WannaCry ransomware

I was going to do a writeup on WannaCry but then I found these excellent links.

"This blog post is split up in two parts: 1 for users, 1 for companies/businesses. Most tips however are interchangeable and can be applied on most environments"
https://bartblaze.blogspot.be/p/ransomware-prevention.html

Some official Microsoft guidance
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

"Stop blaming the customers who drown in the endless torrent of repairs needed to plug the holes in your shoddy products"
http://www.zdnet.com/article/hey-cyber-techbros-smugly-yelling-patch-and-back-up-wont-fix-ransomware/

"Simply put, specialized devices, and a critical need to maintain stability in healthcare environments can sometimes mean that patches are forgone or postponed for lengthy testing."
http://www.actualtech.io/ransomware-liability-future-security/

In-depth analysis of WannaCry
http://baesystemsai.blogspot.be/2017/05/wanacrypt0r-ransomworm.html

Keep it safe and remember... never pay the ransom!

Saturday, November 12, 2016

US Elections 2016

I refrained from reacting too soon after the results of the elections.  The US people have spoken and given all power to the Republican party.  This is an internal issue so why am I writing this stuff as an EU citizen?

As father of two daughters, I am deeply concerned about the environment and absolutely convinced we have to act now to preserve what we still have for the sake of our children.

Donald Trump doesn't believe in human-caused climate change and one of his incentives is to stimulate fossil fuel and withdraw from the Paris agreement. Yet 2011–2015 was the hottest five-year period ever recorded.

I hope US citizens realize this is a global problem. We need the second largest emitter of greenhouse gasses to stay on board.

Donald Trump has said that he is "totally flexible on very, very many issues", so it's on you, US citizen, to convince your president this problem should be addressed immediately.

Sincerely
Guy 

Sunday, July 24, 2016

Veeam upgrade to 9

I have been putting this forward for a very long time. Unnecessary: the upgrade went flawlessly. Kudos to Veeam for making something as complex as this very easy for the end user. Too bad I couldn't celebrate this at Tomorrowland, hopelessly sold out.

I'm really curious how the new transport mode via direct NFS will affect backup times.
Update:  still uses the virtual appliance ...

Next big thingie probably will be the new Linux backup.

Wednesday, January 13, 2016

Spear phishing and whaling

Spear phishing is an attempt to target a specific organisation with phishing.

Ordinary phishing is bulk-spread and usually quite easily recognized as a phishing attempt; it's obviously aimed at the "more naïve" internet user ...

Spear phishers, on the other hand, will for example trick employees into installing trojans by pretending they are from the ICT department.

Whaling is a more specific type of spear phishing, where members of the upper management are targeted. The attacker spends some time on social media to find out more about his victim (colleagues, business partners, ...) to make the phishing attempt more convincing.

It's probably a good idea (as Linkedin already suggests) to only add known persons to your contacts/friends/...

Spear phishing success rates are quite high but often aren't publicly disclosed for obvious reasons.

SSH backdoor in older versions of FortiOS

This backdoor (or rather a "management authentication issue", as Fortinet calls it) was discovered.
As the issue was patched in July 2014, a decently maintained Fortinet firewall should be OK.

Tuesday, December 22, 2015

Juniper backdoor discovered

When you buy a firewall you're expecting it to provide some kind of protection, not to give people the keys to your network.

But this is exactly what Juniper pulled off. 'Somebody' put a backdoor in their ScreenOS software in 2012. ScreenOS was acquired by Juniper when it took over competitor Netscreen in 2004.

At this moment there are no indications JunOS is affected. JunOS is another operating system Juniper uses in its devices.

Read the official statement here. 

The backdoor is built into two distinct functionalities: the VPN implementation and the SSH and Telnet daemons.

Juniper has new updates for ScreenOS. If you are a customer, I would really check this out.

Wednesday, December 9, 2015

Current APT threat

This is the harvest of a month of APT detection on our firewall.
Guess it was worth our money, but not entirely...

As you can see in the far right column, most threats are directed at me (Guy Schellens), which actually makes sense. An administrator is more likely to have elevated privileges, so the damage an infection (e.g. CryptoLocker) causes is much bigger. Keep using locked-down accounts and avoid working as an administrator on your computer.
For network admins: limit the rights of your users to what they really need, so a user who opens one of the files in this list will cause minimal damage.

All the documents contain malicious macro code which contains an executable. Don't want to find out what Joe or Valerie had in store for me...

Even scarier is the next table.

It contains zero-day APTs, again targeted at me. Zero-day means this threat was unknown at the moment it was sent to me. The APT detection sends these files to a service in the cloud, which runs some tests on the suspicious file in a virtual machine. Note there are APTs which can detect they run in a virtual environment and will not perform their evil actions because they suspect they are in a lab environment...

You see the file was allowed further into our network: the files weren't blocked because the examination can take a while... This means I and another colleague got these files in our mailbox! The file invoice_latest_reminder.doc was allowed on 2015-11-10 15:11:34 but was blocked 2 hours later when it was mailed to me again. By then the firewall manufacturer had put the file signature in their database, so all customers are warned about this file.
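The gap described above, where a file reaches mailboxes hours before the gateway learns to block it, is something you can check for after the fact. As an added example (not from the original post or any firewall vendor), the Python below walks a constructed, pipe-separated gateway log and lists every file that was allowed to one or more recipients before a later "blocked" verdict on the same filename, so you know which mailboxes still hold it; the log format and addresses are assumptions for illustration.

```python
"""Retroactive check for files a gateway delivered before it had a verdict.

Added example, not from the original post or the firewall vendor. The log
format below is constructed for illustration; adapt parse_line() to the
columns of your own gateway export.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one record per line:
# timestamp | action | filename | recipient
SAMPLE_LOG = """\
2015-11-10 15:11:34|allowed|invoice_latest_reminder.doc|guy@example.invalid
2015-11-10 15:12:02|allowed|invoice_latest_reminder.doc|colleague@example.invalid
2015-11-10 17:11:34|blocked|invoice_latest_reminder.doc|guy@example.invalid
2015-11-10 16:40:10|allowed|order_confirmation.xls|guy@example.invalid
2015-11-11 09:02:55|blocked|payment_overview.doc|guy@example.invalid
"""

def parse_line(line):
    ts, action, filename, recipient = line.split("|")
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), action, filename, recipient

def slipped_through(log_text):
    """Map filename -> {first_blocked, deliveries, exposure_hours} for every
    file that was allowed at least once before its first 'blocked' verdict.
    Files only ever allowed have no verdict yet; files only ever blocked
    never reached a mailbox, so neither kind is reported."""
    allowed = defaultdict(list)   # filename -> [(timestamp, recipient), ...]
    first_blocked = {}            # filename -> earliest 'blocked' timestamp
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, action, filename, recipient = parse_line(line)
        if action == "allowed":
            allowed[filename].append((ts, recipient))
        elif action == "blocked" and ts < first_blocked.get(filename, ts.max):
            first_blocked[filename] = ts
    result = {}
    for filename, verdict_ts in first_blocked.items():
        deliveries = sorted(d for d in allowed.get(filename, []) if d[0] < verdict_ts)
        if deliveries:
            exposure = (verdict_ts - deliveries[0][0]).total_seconds() / 3600
            result[filename] = {"first_blocked": verdict_ts,
                                "deliveries": deliveries,
                                "exposure_hours": exposure}
    return result

if __name__ == "__main__":
    for name, info in slipped_through(SAMPLE_LOG).items():
        print(f"{name}: blocked {info['first_blocked']}, exposed {info['exposure_hours']:.1f} h")
        for ts, who in info["deliveries"]:
            print(f"  delivered {ts} to {who}")
```

Feed it the real export from the gateway and every listed recipient is a mailbox to clean and a user to warn, regardless of whether the gateway ever re-saw the file for them.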

It is still very, very important to educate end users on how to identify these threats, because, as you saw, those files are only blocked once the firewall is sure the content is malicious.

Take care guys!