The WannaCry ransomware worm that plagued many people last week is notable for two reasons: first, it is a worm, meaning it self-propagates. It also uses a special exploit that was first developed by the NSA and then stolen by hackers. It first began on Friday and quickly spread to parts of Europe and Asia, eventually infecting more than 200k computers across more than 100 different countries. It moved quickly, and the weekend saw many IT managers busy to try to protect their networks. One researcher called it a “Frankenstein’s monster of vulnerabilities.”
Most of the victims were using outdated Windows versions such as XP. This map shows real-time tracking of the infected systems, where the bulk of infections hit Russian sites, although Telefonia in Spain was also attacked.
The hardest-hit were numerous hospitals and clinics run by the British National Health Service. Apparently, they had an opportunity to update their systems two years ago but didn’t due to budgets. So far, the best analysis is on The Register.
WannaCry attack summary and timeline
American sites weren’t infected due to an interesting series of events. A young British security researcher who goes by the Twitter handle MalwareTechBlog discovered by accident a kill switch that stopped its operation. His account of that fortunate happenstance can be foundhere. Basically, by reverse engineering its code, he found that the malware checks for the existence of a specific domain name (which didn’t exist at the time and which he quickly registered). Once that domain had an operating “sinkhole” website, the malware attacks ended, at least until new variations are created without the kill switch or that check for a different site location. Sadly, the researcher was outed by the British tabloids. No good deed goes unpunished.
The story on payouts
One curious story about WannaCry is the small ransom payouts to date. About 100 people have been recorded paying any ransom, according to the three Bitcoin accounts that were used by criminals. (Yes, Virginia, Bitcoin may be anonymous but you can still track the deposits.) Other Bitcoim addresses could be used, of course, but it is curious that for something so virulent, so little has been paid to date.
Microsoft reaction and mitigation
The malware leverages an exploit that had been previously patched in mid-March by Microsoft and assigned the designation MS17-010. The company and took the unusual step to provide patches for all currently supported Windows along with Windows XP, Windows 8 and Windows Server 2003 versions.
Microsoft also recommends disabling SMBv1 and firewalling SMB ports 139 and 445 from the outside Internet. If you haven’t been doing these things, you have a lot of other problems besides WannaCry.
Microsoft’s president posted an op/ed blog piece saying “this attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers. The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect. Users are fighting the problems of the present with tools from the past.” Speaking of the past, they didn’t mention how many people are still running ancient versions of Windows such as XP, but at least should be commended for having patches for these older systems.
Numerous security vendors have posted updates to their endpoint and network protection tools that will catch WannaCry, or at least the last known variant of it. And that is the issue: the hackers are good at morphing malware into something new that can pass by the defensive blocks. One interesting tool is this Python script that will detect and remove DoublePulsarexploits. That was the original NSA hack that can creates a backdoor to your system. In the meantime, as I said last week, hope is not a strategy.
I take a look at the Linksys Velop Wi-Fi access points. This is the third in my series of reviews for Network World on smart home devices. If you are going to invest in smart home tech, you want a solidly performing wireless network throughout your house. While I had some minor issues, the Velop delivered solid performance and I recommend its use, particularly if you have existing radio dead spots in your home or have to use multiple networks to cover your entire property. You can read the review here.
In my day job as editor of the Inside Security email newsletter, I read a lot of infosec stories from various sources: some technical, some legal, some for beginners. But I was struck by reading this piece in Dark Reading this week by this sense of failing purpose, and how IT is at best at parity with our attackers.
The piece is by a security consultant, Mark Hardy. Entitled, 7 Steps to Fighting Ransomware, it does what it says, providing some practical advice for corporate IT managers on how to prepare for the coming attack. Make no mistake: it is coming. All it takes is one person and one careless click and your network is compromised.
Some of Hardy’s suggestions are pretty predictable: make sure your systems are kept up to date on patches. Segment your network to limit the exposed systems that an attacker can easily access. Backup frequently and move them offline for further protection. Yeah, yeah, we’ve heard it before. Some corporations actually do these things too.
But one suggestion stopped me in my tracks: Buy some Bitcoin to prepare in advance, in case you have to fork over the ransom on short notice. That was a chilling point to make because it says no matter how carefully you prepare, there is still the off chance that you may have missed something and will need to pay out the ransom.
This is what I mean when I say we are at parity with the bad guys. We are fighting an asymmetric war against them: they have the ability to penetrate our networks and steal our data with a vast array of tools that are only getting better and more finely crafted. There is malware that can operate in memory and hide by using bits and pieces of software already part of your operating system that is very difficult to detect. There is malware that changes its attack signature every second. There is malware that uses flaws in the operating system (such as one that was patched this week by Microsoft, ironically in its malware protection engine program). And there are malware kits that run completely in the cloud, so all it takes is money and a few commands to launch an attack. So it is inevitable that someday your company will be hit, it is just a matter of when.
Security strategies are forged in the heat of battle when you realize that no matter how many spare copies or protective procedures, something went wrong: your copies are bad, you have mission-critical data lurking on some executive’s laptop that wasn’t part of the backup, or some phisher dangled some bait and succeeded. Game over.
I speak from sad experience. Not over ransomware, but a simple backup error. Many years ago I lost my mailing list server due to a flooded basement. All the content on my server was duplicated elsewhere, offsite, save for one thing: the actual names on my list. A pretty critical piece of information, don’t you think? If that server didn’t come back online (it did), I would be out of business. I didn’t have a spare copy of my list. All it took was a simple command to have that list of names. But somehow I forgot to include that in my workflow. Oops.
Hardy says, “Ransomware is a clear and present danger. Companies can no longer afford to take a wait-and-see attitude. If you’re vulnerable to ransomware and take no precautions to mitigate those vulnerabilities, then the only thing you’re relying upon to prevent an infection is hope — and hope is not a strategy.” So stop hoping, and start preparing.
I spoke to Krishnan Chellakarai about his thoughts. He is currently the Director, IT Security & Privacy at Gilead Sciences and has been a security manager at several biotech firms in the past. One thing he is concerned about is the increasing threats from IoT. He gave me a theoretical example. “What happens if you are reading your emails on your Apple Watch and you click on a phished link. This could lead to a hacker gaining access to credentials and use this information to stealing information from your network.” As users bring in more Fitbits and other devices with Internet access to corporations, “every company needs to worry about this threat vector because it is a foot in the door.” This is part of a bigger trend, where “we have less data stored on individual devices, but there is more access” across the corporation. What this means is that there is “less visibility for IT security pros in case of an exploit.”
Certainly, some of the responsibility with keeping a firm’s infrastructure secure has to lie with each individual user. Chellakarai asks if “people ever look at their Gmail last account activity in the right bottom corner?” Or do we ever click on the security link that pops up when you are signed in to your account from multiple places? This is food for thought. “IT managers need to put some common sense controls in place so they can have better network visibility,” he says. Another example: when was the last time anyone checked their printer firmware or other legacy devices to ensure that they have brought up to their latest versions. “It is time to stop thinking of security after an app is built, and start thinking about security from the beginning, when you are planning your architecture and building your apps.”
Chellakarai says, “One of my first things when I start working for a new company is to do a data analysis and network baseline, so that I can understand what is going on across my infrastructure. It is so critical to do this, and especially when you join a company. I look at policies that aren’t being enforced and other loopholes too. Then I can prioritize and focus on the risks that I find.”
If you haven’t been paying attention, today’s typical home-town newspaper has gone high tech. A few recent articles in the NY Times and elsewhere should make that clear.
For example, how about the tech that Michael Shear uses. He is one of the Times’ White House correspondents. He uses Sling TV so he can watch cable TV news no matter where he is in the world. He uses 2FA for all his accounts and tries mightily to detect phishing campaigns, as much as we all can. His sources “now routinely ask to discuss issues with secure texting apps such as Signal or Confide.” He watches various Twitter feeds, too. “I had to adjust my Do Not Disturb settings on my iPhone so that notifications resume earlier — at 5:30 a.m. now.” He also has his Apple Watch set to alert him every time the President tweets, but thankfully set to silent mode.
But that is just one reporter. How about if you had to support the entire Times newsroom? That is the job for Runa Sandvik, who has the unique title of Director of Information Security for the Newsroom. Her job is a combination of IT support and researcher. She has already created a number of secure tip lines for sources to leak info to the paper. This includes a public-facing Signal and WhatsApp number, as well as a SecureDrop instance. She has set up 2FA on all the paper’s Twitter accounts and routinely gives security lectures to help reporters improve their security hygiene.
These tips are a big deal: the Times gets hundreds of them a day, and in the past they weren’t very secure. A hackathon in Australia last month developed another secure messaging app that could be simply deployed even by smaller papers that don’t have their own Sandvik-in-residence, and posted the code on Github. The effort was part what is being called “Editor’s Lab” sponsored by Walkleys, a journalist/tech collaboration.
Alecia Swasy did her doctoral research by studying the habits of 50 top reporters at four metro papers for the past couple of years. With all of them, reluctance to use Twitter gave way to acceptance and now expertise. One early advantage was that Twitter can monitor a reporter’s beat 24×7. “Twitter gives print journalists a chance to beat TV news cameras to breaking news,” she posted. It is also the new phone directory for a reporter to track down a source or confirm an identity. “You still need to wear out your shoes and knock on doors,” she posted. Twitter can also expand your readership to a global reach, far beyond your metro circulation boundaries. As an example, an environmental reporter in Tampa had a commanding Twitter presence which landed him a gig on Slate and eventually a book deal. The new rule for reporters is: If you don’t have it on Twitter first, it’s not a scoop.
Finally, there is this news nugget. When someone working at the NY Times (or at least having an IP address in the Times’ network address range) shows up in your web server logs, it could tip off someone that they might be a target of an investigation. This is what happened in a 2015 federal corruption case. Sandvik uses this as an example of why more reporters should be using VPNs and Tor and similar services. The same thing routinely happens at non-governmental organizations that may be targeted by groups that don’t agree with their mission. Some groups are at the receiving end of malware that targets their IP addresses too.
No doubt about, tech is here to stay. Who knows – it might help the newsrooms become more productive as staff sizes shrink?
As more banking customers make use of mobile devices and apps, the opportunities for fraud increases. Mobile apps are also harder to secure than desktop apps because they are often written without any built-in security measures. Plus, most users are used to just downloading an app from the major app stores without checking to see if they are downloading legitimate versions.
Besides security, mobile apps have a second challenge: to be as usable as possible. Part of the issue is that the usability bar is continuously being raised, as consumers expect more from their banking apps.
In this white paper for VASCO, I show a different path. Mobile banking apps can be successful at satisfying the twin goals of usability and security. Usability doesn’t have to come at the expense of a more secure app, and security doesn’t have to come at making an app more complex to use. Criminals and other attackers can be neutralized with the right choices that are both usable and secure.
As part of a class at Syracuse University in their Information Systems department, I will give a lecture on this topic next week. Here are my slides.
With the announcement last week of the Enterprise Ethereum Alliance, it is timely to look at what is going on with blockchain technologies. The Alliance was formed to try to encourage a hybrid kind of blockchains with both public and private aspects. Its members include both cutting-edge startups along with established computer vendors such as Microsoft and major banks such as ING and Credit Suisse. As mentioned in this post by Tom Ding, a developer at String Labs, the Alliance could bring these disparate organizations together and find best-of-breed blockchain solutions that could benefit a variety of corporate development efforts.
When Bitcoin was invented, it was based on a very public blockchain database, one in which every transaction was open to anyone’s inspection. A public chain also allows anyone to create a new block, as long as they follow the protocol specs. But as blockchains matured, enterprises want something a bit more private, to have better control over the transactions for their own purposes and to control who is trusted to make new blocks.
This isn’t a mutually exclusive decision, and what is happening now is that many blockchain solutions use aspects from both public and private perspectives, as you can see from this infographic from Let’s Talk Payments.
You want the benefits of having multiple programmers hammering against an open source code base, with incentives for the blockchain community to improve the code and the overall network effects as more people enter this ecosystem. You also gain efficiencies as the number of developers scales up, and perhaps have future benefits where there is interoperability among the various different blockchain implementations. At least, that is theory espoused in a recent post on Medium here, where R Tyler Smith writes: “One thing that blockchains do extremely well is allow entities who do not trust one another to collaborate in a meaningful way.”
The Ethereum Alliance is just the latest milepost that blockchains are becoming more potentially useful for enterprise developers. Over the past year, several blockchain-as-a-service (BaaS) offerings have been introduced that make it easy to create your own blockchain with just a few clicks. Back in November 2015, Microsoft and ConsenSys built the first BaaS on top of Azure and now have several blockchain services available there. IBM followed in February 2016 with their own BaaS offering on BlueMix. IBM has a free starter plan that you can experiment with before you start spending serious money on their cloud implementations. Microsoft’s implementation is through its Azure Marketplace. There is no additional charge for blockchain services other than the cloud-based compute, network and storage resources used.
IBM’s BlueMix isn’t the only place the vendor has been active in this area: the company has been instrumental in supporting open source code regarding blockchain with large commitments to the Apache Hyperledger project. Not to be left out of things, the Amazon Web Services marketplace offers two blockchain-related service offerings. Finally, Deloitte has its own BaaS service offering as part of its Toronto-based blockchain consulting practice.
If you want to get started with BaaS, here is just one of numerous training videos that are available on the Microsoft virtual academy that covers the basics. There is also this informative white paper that goes into more details about how to deploy the Microsoft version of BaaS. IBM also has an informative video on some of the security issues you should consider here. (reg. req.)
Many website operators have wrestled with the decision to move all their web infrastructure to support HTTPS protocols. The upside is obvious: better protection and a more secure pathway between browser and server. However, it isn’t all that easy to make the switch. In this piece that I wrote for IBM’s Security Intelligence blog, I bring up the case study of The Guardian’s website and what they did to make the transition. It took them more than a year and a lot of careful planning before they could fully support HTTPS.
It used to be so simple to understand how a web browser and a web server communicated. The server held a bunch of pages of HTML and sent them to the browser when a user would type in a URL and navigate to that location. The HTML that was sent back to the browser was pretty much human-readable, which meant anyone with little programming knowledge and a basic knowledge of command syntax could figure out what is going on in the page.
I can say this because I remember learning HTML code in those early days in a few days’ time. While I am not a programmer, I have written code in the distant past.
Those days (both me doing any code or parsing web pages) are so over now. Today’s web servers do a lot more than just transmit a bunch of HTML. They consolidate a great deal of information from a variety of sources: banners from ad networks, images from image headers that are used in visitor analytics, tracking cookies for eCommerce sites (so they can figure out if you have been there before), content distribution network codes and many more situations.
Quite frankly, if you look at all the work that a modern web server has to do, it is a wonder that any web page ends up looking as good as it does. But this note isn’t just about carping on this complexity. Instead, it is because of this complexity that the bad guys have been exploiting it for their own evil ways for many years, using what are called script injection techniques.
Basically what is happening is because of poorly written code on third-party websites or because of clever hacking techniques, you can inject malware into a web page that can do just about anything, including gathering usernames and passwords without the browser’s knowledge.
One type of injection, SQL injection, is usually near the top of the list of most frequent attacks year after year. This is because it is easy to do, it is easy to find targets, and it gets big results fast. It is also easy to fix if you can convince your database and web developers to work together.
But there is another type of injection that is more insidious. Imagine what might happen if an ad network server would be compromised so that it could target a small collection of users and insert a keylogger to capture their IDs and passwords. This could easily become a major data breach.
A variety of security tools have been invented to try to stop these injections from happening, including secure browsers (such as Authentic8.com), using various sandboxing techniques (such as Checkpoint’s Sandblast), running automated code reviews (such as with runtime application self-protection techniques from Vasco and Veracode), or by installing a browser extension that can block specific page content. None of these is really satisfactory or a complete solution.
If you are concerned about these kinds of injections, you might want to experiment with a couple of browser extensions. These are not new. Many of these tools were created years ago to stop pop-up ads from appearing on your screen. They have gotten new attention recently because many ad networks want to get around the ad blockers (so they can continue to make money selling ads). But you can use these tools to augment your browser security too. If you are interested in trying one of them out, here is a good test of a variety of ad blocker performance done several years ago. There is another comparative review by LifeHacker which is also several years old that focuses on privacy features.
I was interested so I have been running two of these extensions lately: Privacy Badger (shown here) and Ghostery. I wanted to see what kind of information they pick up and exactly how many third-parties are part of my web transactions when I do my banking, buy stuff online, and connect to the various websites that I use to run my life. The number will surprise you. Some sites have dozens of third-party sites contributing to their pages.
Privacy Badger is from the Electronic Frontier Foundation, and is focused on the consumer who is concerned about his or her online privacy. When you call it up onscreen, it will show you a list of the third-party sites and has a simple three-position slider bar next to each one: you can block the originating domain entirely, just block its cookies, or allow it access. Ghostery works a bit differently, and ironically (or unfortunately) wants you to register before it provides more detailed information about third party sites. It provides a short description of the ad network or tracking site that it has discovered from reading the page you are currently browsing. The two tools cite different sites in their reports.
There are some small signs of hope on the horizon. An Israeli startup called Source Defense is in beta; they will secure your website from malicious third-party script injections such as keylogger insertions. I saw a short demo of it and it seems promising. Browsers are getting better, with more control over pop-ups and third-party cookies and blocking more obvious malware attacks. Although as browser security controls become more thorough, they also become more difficult to use. It is the nature of the Internet that security will always chase complexity.