Wednesday, 12 April 2017

Detecting & Preventing APT10 Operation Cloud Hopper

There has been much concern over a state-sponsor threat known as APT10 Operation Cloud Hopper, also known as Stone Panda, after the UK National Cyber Security Centre (NCSC) recently spooked UK businesses and their suppliers about a Chinese threat actor posing a serious threat to IT Managed Service Providers (MPS) and their UK clients.   

Overview of the Threat
APT10, a Chinese-based hacking group also known as Stone Panda, MenuPass, CVNX, and Potassium is operating a hacking campaign known as Operation Cloud Hopper, which is believed to have been underway since 2014. There are intelligence reports which indicate the APT10 threat actor has significantly upscaled their capabilities and attack sophistication in early 2016. The APT10 Cloud Hopper campaign focuses on sending malware infected emails to staff working at IT Managed Service Providers (MPS), once executed the malware creates a backdoor which allows the attacker remote access to the MSP's backend systems. From there the attackers are able to navigate the MSP network and identify external connections with the MSP clients, which are their actual targets. These network channels are then used to steal data from those clients, data which is packaged and exhilarated through the MSP remote connection. These backdoors are known to remain undetected for months, due to the use of tailored malware which is undetectable by anti-virus and security monitoring systems.

So how do you know if your business has been infiltrated or is being attacked by APT10, aside from the NCSC informing you are a victim?
PwC and BAE Systems have been assisting NCSC with APT10, have produced a list of known source IP addresses of the attackers, which can be imported into security monitoring solutions such as firewalls, IDS/IPS, proxy servers, content filtering and SIEM \ log management solutions. Any hits against these IP addresses would be highly concerning, in such scenarios I would recommend unplugging the network cable (and not powering off) all suspect systems, and then seeking help from external qualified and experienced digital forensic investigator if you don’t have one to hand in your business. There are other known APT10 IP addresses to be found within the NCSC CiSP forum, but you will have to sign up to get those here.

PwC and BAE Systems have also provided an extract list of known APT10 malicious MD5 file hashes (unique identifier for the known malicious APT10 related files).These MD5 hash lists can be used to scan for the presence of known malicious APT10 files on servers and workstations. I recommend importing those file MD5 hash lists into a scanner, such as the Nessus Vulnerability Scanner, and scanning the entire IT estate on a regular basis if your business is an IT MSP.

APT10 is Active and Here to Stay
Keep an eye on the NCSC, PwC and BAE Systems for updates about the APT10 threat, as they are likely to provide updated lists of known associated IP addresses and further MD5 file hashes as more incidents are investigated and intelligence comes to their attention. Given this threat actor is said to be still active and is known to be operational for several years, don't expect APT10 to be going away anytime soon, after all APT actually stands for Advanced 'Persistent' Threat. So if you are an IT MSP, it will be prudent to routinely check and update your lists of APT10 suspected IP addresses and MD5 file hashes to be monitored and regularly scanned.

Most anti-virus and web filtering vendors worth their salt should now be aware of this threat and should be keeping up-to-date with the latest APT10 related malware and associated IP addresses and file hashes as well, but it is well worth asking them about their position. It goes without saying that it is paramount to keep all security prevention and monitoring systems bang up-to-date, as is performing regular external and internal network vulnerability scans, and monitoring and acting upon any signs of compromise.

Tuesday, 11 April 2017

WinZip Encryption Password Security (2017)

9 years ago I wrote a post on WinZip Encryption Security, that post has received tens of thousands of visits over the years and continues to be pretty popular, but it is high time for that advice to be refreshed. The advice below also applies to 7-Zip, which also supports the same type of encryption as WinZip.

Do not use WinZip ‘Standard Zip 2.0 Encryption’
WinZip pre-version 9 only offered WinZip's own proprietary encryption algorithm called Zip 2.0 encryption, which is broken, so never use WinZip pre-version 9 or the “WinZip's Zip 2.0 Encryption” as an option, as passwords of any strength can very easily be recovered with third party cracking tools. WinZip versions 9 to 21 defaults to use the National Institute of Standards and Technology (NIST) scrutinised and US government agency approved encryption algorithm called the Advanced Encryption Standard (AES) - . This is great, however, WinZip still includes the option to change the encryption to use the flawed Zip 2.0 encryption.

Use AES-256, but there’s nothing wrong with AES-128
The latest version of WinZip (Version 21) defaults to use the AES-256 encryption and also supports AES-128. There is hardly any noticeable speed advantage in encrypting and decrypting with AES-256 over AES-128 given the brilliant efficiency in the way AES cryptographic algorithm works, so given the lack of overhead, it makes sense to stick with the default and much stronger flavour of AES-256. 
However, both AES-128 and AES 256 are considered strong enough for commercial industry best practice and both are NIST approved to use until at least the year 2031. To put the strength of AES-128 into perspective, the '128' bit number equates to 3,400,000,000,000,000,000,000,000,000,000,000,000,000 possible keys, so guessing or cracking a key of that length is far from feasible at the moment. We also know the AES algorithm doesn’t have any sufficiently serious flaws to get around the encryption process, the Achilles Heel is the password you choose to generate that encryption key.

Use a Complex Password (Super Important)
I recommend the following password rules if you are serious about protecting your data with WinZip AES encryption, or any other AES encryption which uses a password for that matter, use a password that is:
  • at least 12 characters in length
  • is random i.e. does not contain any dictionary, common words or names
  • is not commonly known or guessable password i.e. P@$$w0rD1
  • has at least one Upper Case Character e.g. A to Z
  • has at least one Lower Case Character e.g. a to z
  • has at least one number e.g. 0 to 9
  • has at least one Special Character e.g. !,",£,$,%,@,#
Recommended Vs WinZip Default Password Policy

Why you need a Complex Password
WinZip’s AES encryption uses “Symmetric” encryption, as such the password is used to generate an AES private encryption key, if you know or can guess the password, you beat the encryption. So the complexity and strength of the password is by far the weakness point. An attacker in possession of a WinZip encrypted file has unlimited attempts at guessing that password to decrypt the WinZip archive, the defence is time, by using a password complex and long enough the thwart the unlimited amount of attempts at being successful. Hackers mainly use two attack types to crack WinZip encrypted file passwords, Dictionary Attacks and Brute Force Attacks. We'll save Rainbow table encryption cracking for another post.

A Dictionary Attack is as it sounds, the attacker tries commonly known to be used passwords and words found in a dictionary. Hackers build their own password dictionary databases by harvesting password uncovered in past data breaches which are freely available online and on the dark web, such as the recent account passwords dump following the Yahoo Data Breach. The attacker then uses a tool to script attempts, allowing thousands of password attempts from their dictionary databases to be tried in minutes.

Dictionary Attack Tool

Top Ten Account Password in Breached Yahoo Accounts
  1. 123456
  2. password
  3. welcome
  4. ninja
  5. abc123
  6. 123456789
  7. 12345678
  8. sunshine
  9. princess
  10. qwerty
The other common password cracking technique is a Brute Force Attack, in which every single combination of characters possible e.g. aaaa to zzzz is attempted, which is why I recommend using different character cases and specialist characters within lengthy passwords, as it serious extends the timeline for this type of attack to be successful.

Brute Force Attack 

Document names can be read within Encrypted Archives
There is one final issue to be aware of with WinZip encryption, an issue you don't have with other file encryption applications. Without knowing the password it is still possible for anybody to browse and read the filenames within encrypted archive, which obviously can give an attacker vital clues about the content and whether the encrypted zip file password is worth the effort to crack. One way around this is to double zip the archive, giving initial zip archive a random name, or use an alternative encryption tool following the creation of the zip file.

Anyone can read the Encrypted Zip Archived file names without the password

File Encryption Applications to Consider
There are plenty of other encryption tools you can use for file encryption as an alternative to using WinZip. 
  • TrueCrypt is free, multi-platform and has been my personal recommendation for many years. However after its development was discontinued in May 2014 following an audit, it caused controversy in the cyber security industry. Despite that, I think the latest version of TrueCrypt is still safe to use.
  • Ver spawned out of TrueCrypt, an excellent and supported encryption tool which also works with Windows, Mac and Linux
  • AxCrypt is another free Windows-based encryption tool I recommend.
  • GNU Privacy Guard is an open-source version of the legendary Pretty Good Privacy (PGP)

Monday, 3 April 2017

Cyber Security Roundup for March 2017

Security researchers found there were able to find numerous sensitive documents by searching Microsoft’s Office 365 documents made publically accessible through the website. Documents found included business confidential information, passwords and personal data. The issue was not caused by any security vulnerability in O365, but by its users misconfiguring or not understand the access permissions on their Microsoft O365 file storage, inadvertently permitting public access to their confidential data.  Businesses and users need to meet cloud services halfway when it comes to security, that starts obtaining a clear understanding of what security the cloud service does and does not do, so ensure your security homework is done before adopting the cloud.

A patch for a critical vulnerability in Apache (Server) Struts was released this month, the vulnerability, which is being actively exploited by cyber criminals in ransomware attacks, allows the remote execution of commands on the server. Non-Microsoft patches are more likely to be missed, given the patch process of Apache servers is often a manual one. It is essential to check any Apache server software facing the internet is constantly kept up to date, in this case, make sure the Struts framework element as used with Java EE web apps, is running a non-vulnerable version, either Struts 2.3.32 or Struts

It is the official 'goodbye Vista' next month as of 11 April 2017, Microsoft will no longer support Windows Vista, which means no further security updates to fix new vulnerabilities, either free or via paid assisted support options. So if you have Windows Vista, either upgrade or apply additional security measures such as application whitelisting to be safe. It is less overhead and cheaper long-term to upgrade to a supported Operating System in my view.

Finally, the UK Government Digital and Culture Minister, Matt Hanock, is pushing for further adoption of the Cyber Essentials scheme, insisting all governance contractors hold a Cyber Essentials certificate. A number of businesses have also agreed to require their suppliers to achieve Cyber Essentials, including Barclays, BT, Vodafone, Astra Zeneca, Airbus Defence & Space and Intel Security.  Hancock said   “We know the scale of the threat is significant: one in three small firms and 65% of large businesses are known to have experienced a cyber-breach or attack in the past year. Of those large firms breached, a quarter was known to have been attacked at least once per month.” Cyber-security is one of the seven pillars of the government's digital strategy, he said. “It's absolutely crucial UK industry is protected against this threat – because our economy is a digital economy.” 

Awareness, Education and Threat Intelligence

Thursday, 16 March 2017

10 Biggest Cyber Crimes and Data far

The good folk at The Best VPN have put together an Infographic summarising ten of the worst "known" cyber attacks and data breaches to date, its a good recap of the high stakes when cyber security goes wrong.

Infographic: 10 cyber crimes

Thursday, 9 March 2017

PCI DSS Fines? Cyber Insurance? How to Estimate the Cost of a Payment Card Breach

How much does a payment card breach cost? How large are the potential fines? What happens if we aren't PCI DSS complaint and suffer a cardholder breach?

Those are common unanswered questions which businesses accepting and processing debit and credit card payments raise, businesses which are required to be compliant with the Payment Card Industry Data Security Standard (PCI DSS). In recent years a growing number of UK businesses are taking out cybersecurity insurance, and are more pressingly wanting to know whether their insurance coverage is sufficient enough to cover the cost of a payment card data breach.

It is not possible to produce a formula or calculator to provide precise payment card breach costs on a per card lost basis, as no two business payment operations are ever the same, and there are just too many factors that can impact the overall cost of a breach.  So instead I have put together the following six pointers to aid the estimation of a payment card breach.

Calculating the Approximate cost of a Payment Card Breach 
1. All Payment Card Data breaches must be investigated by PCI Qualified Forensic Investigator (QFI).  Depending on the technical complexity and scale of the breach, the cost equates to the number of investigator hours and days required, depending that expect to fork out around £20,000 to £100,000 for a QFI. It is worth noting should a business not play ball with the acquiring bank, card brands and card issuers in appointing a QFI, they can remove entire business' capability to take card payments altogether, so there is no choice but to dig deep from the outset upon a data breach discovery.

2. Following the forensic investigation, completion of remediation work and a successful PCI DSS level 1 QSA assessment is required. Remediation work and Qualified Security Assessor (QSA) assessment as a PCI DSS level 1 merchant or processor typically costs up to £100,000, depending on the environment that is in-scope of compliance. This will be a considerable new overhead for environments deemed as PCI DSS level 2, 3 or 4, as these would have previously been self-assessed by the business.

3. The cost per payment card breach is very subjective, however, Verizon's 2015 Data Breach Investigations Report page 30 figure 23, gives a good indication on the "cost per card lost", which I have converted from US dollars.

Optimists should read the left side of the table, pessimists should read the right side of the table.

4. Often there will be a penalty surcharge levied per transaction following a breach, adding an increase to every payment transaction.

5. Reputational damages, loss of customer and client trust in the business and brand, this is a hard figure to quantify, but it is worth noting most cyber insurance policies does not cover any business losses due to reputational damages following data breaches.

6. The Information Commissioners Office (ICO) regards payment card data as Personal Information, which means they can add an up to £500,000 per payment card data breaches. And from May 2018 when the new GDPR data privacy regulation kicks in, potential data protection fines will ramp significantly, especially for large enterprises, with fines of up to 4% of the global turnover of the entire business.

So take the worse case breach scenario, namely a compromise of all payment cards ever stored and processed, apply the above costs, and you should have a worse case scenario ballpark figure. If that number doesn't focus minds and incentivise a robust PCI DSS compliance programme and investment in cyber security, nothing will.

Why Passing a PCI DSS Assesment isn't a 'Get out of Jail Free Card'
No business operating in a PCI DSS compliant state is known to have been breached. Passing a PCI DSS assessment does not mean the business is actually PCI DSS compliant, and it certainly is not a 'get out of jail free' card or carries any weight if a breach occurs. A PCI DSS compliance business means the in-scope of compliance environment and operations meets every single PCI DSS requirement in a continual state of operation, 365 days a year, 24 hours a day, and for every single second.

Wednesday, 1 March 2017

Cyber Security Roundup for February 2017

Earlier in the month of February, a grey hat hacker named "Stackoverflowin" ran a simple script which resulted in over 150,000 printers, mainly in businesses, printing out pages with some nice ASCII art and a message saying the printer was owned. Many in the media pointed the blame as a printer security issue, but the main reason was horrendously poor firewall configuration. These printers were made vulnerable due to the presence of a highly insecure rule in their network's firewall, which allowed internally networked printers accessible across the entire internet. It didn't matter if the printers were large sophisticated multi-functional devices or simple till receipt printers, they all received rogue print jobs directly from the internet thanks to terrible firewall management. Makes you wonder what else is vulnerable on these business' networks as a result of poor firewall configuration and without the security management safety net of regular network vulnerability scanning and firewall rules review.
Image result for Stackoverflowin
Printing outs sent Printers open on the Internet

Third party cloud security comes into question after CloudFlare, a popular content delivery network used by more than 5.5 million sites, accidentally leaked customers' sensitive information for months. If you are a CloudFlare customer I strongly advise to change your passwords. The Yahoo’s sale to Verizon has dropped by $350m following Yahoo’s recently reported data breaches. And Sports Direct came in for criticism for not advising its 30,000 staff that their personal details had been hacked.

Back on the technical security front, Google researchers illustrated security weakness in SHA-1. The cryptographic hashing algorithm has not been considered secure since 2010, so the research is a poignant reminder to never use SHA-1 on new configurations, and to review and phase all SHA-1 usage in any existing solutions, such as site-to-site VPNs and within application development, go for SHA-256 or SHA-3 hashing instead.

Awareness, Education and Threat Intelligence

Friday, 24 February 2017

Blueprint for Secure Driverless Cars

Robust Cyber Security is an intrinsic requirement with all connected technology in our daily lives, and it is especially challenging with new cutting edge technological advances. Connected and driverless cars promises to be one greatest technological advances of the century, as such fascinates and excites yet at the time there are concerns. Getting cyber security right from the outset will be critical to the success of this industry, as vulnerable connected computer controlled cars is a matter of life and death. Securing the ever increasing sophistication and complexity of computers that control cars is certainly not for the faint hearted.

The car industry recognises trust and security go hand in hand, so in league with the likes of Aeris, Intel and Uber, the industry formed an industry wide organisation called FASTR - Future of Automotive Security Technology Research.  FASTR seeks to enable automotive security by driving cybersecurity across the entire vehicle manufacturing supply chain, to ensure smart cars will be secure from cyber attack.

FASTR recently produced an interesting infographic covering their approach to cyber security, it also has great stats about the car's of today and the cars of tomorrow. If you are interested in learning more about FASTR's approach, check out their Manufesto

Tuesday, 21 February 2017

Google & Bing UK Piracy Website Blocking is a Bad Idea for Security

Search engine giants Google and Bing have announced an agreement to make it harder for UK internet users to find pirated films, music and illegally stream football by blocking websites. It appears they have bowed to pressure by the entertainments industry and the UK government's Department for Culture, Media and Sport, to sign up to a voluntary code of practice.

I certainly don’t condone piracy or digital theft of any kind, but blocking websites is really a terrible idea for the security, privacy and even piracy prevention and enforcement, as it will just drive more people onto the dark web looking for the material they desire. I fear this will only serve to pour petrol on the illicit activities of the dark web by the swelling dark web ‘punters’. What's worst is new and inexperienced UK dark web users are vastly more likely to end up as victims of cyber crime in their desperate attempts to find banned content. 

This is a 'sweeping under the carpet' approach, driving piracy underground onto the dark web where it will be almost impossible to police and prevent. A much more sensible approach to better educate the masses about morality and impact of digital theft. If the UK government are serious about protecting our digital economy from digital piracy, then this morality education needs to start within UK schools.

I am sure privacy advocates will be looking for their Guy Fawkes masks alarmed that the UK government are seemingly involved in pushing the UK's two major search engines into blocking Internet content to UK citizens.

Lee Munson, a security researcher at, said.

“The new voluntary code of practice pledged by major search engines is bad news for anyone looking to download or consume content without paying for it but good news for everyone who wants to stay safe online.

While not every pirate site hosts or links to misnamed files, Trojan-laden porn or malware-infected movie files, many do and, even though security software should be in place, we all know that a great many people do run into trouble on these sorts of sites.

That’s not to say that this new initiative will make malicious files a thing of the past though – the determined will still find the websites they need, however far down the search engine results pages they may fall, and the sharing of such files between family and friends will no doubt carry on unabated.”

Tuesday, 31 January 2017

Cyber Security Roundup for January 2017

Lloyds Banking Services were hit by a massive 3-day long DDoS attack in mid-January, impacting millions of Lloyds, Halifax and Bank of Scotland customer’s ability to conduct online and mobile banking. Lloyds weren't the only UK business hit with a major DDoS attack in January, web hosting firm 123-Reg was taken down by another large DDoS attack. It seems major DDoS attacks are set to continue in 2017, their scale and capability fuelled by the rise of insecure IoT devices popping online. I think large scale DDoS attacks will be a major menace to the UK national and financial infrastructure for the years to come. 

For the first time 'Cyber Crime' statistics were included in the England and Wales crime survey, with over 3.6 million fraud cases and over 2 million computer misused offences recorded in 2016, which is more than the typical 'physical world' recorded crime. It is worth considering that not all cybercrime is reported in England and Wales, in my view the majority of UK cybercrime isn't reported.

The latest Beazley Breach Insights Report predicts the number of Ransomware attacks will double again in 2017, and UK schools are the latest sector to become victims of Ransomware. With the growing ransomware threat in mind, the Malware Hunters Team produce an interesting breakdown of a new ransomware strain called FireCrypt this month, well worth a look if you are interested in how the bad guys create, evolve and use ransomware tools.

There are lessons for the UK call centre industry to learn from a US telemarketing firm, which had a database of 400,000 call recordings reportedly breached. These voice recordings were said to hold personal information and more concerningly debit/credit card information. This breach is a reminder of the importance of adequately securing call recording data with call centres, and of the Payment Card Industry Data Security Standard (PCI DSS) industry regulation requirement 3.2, which states debit/credit card “3 or 4 digit security codes”, known in the industry as Sensitive Authentication Data, is never permitted to be recorded or stored beyond the authorisation of the card payment transaction. This is a PCI DSS requirement that far too many UK call centre businesses turn a blind eye to. This strict requirement is there for a reason, as if fraudsters get hold of credit/debit card data with the 3/4 digit security code, they can instantly commit fraud without having possession of the customer's payment card.

Awareness, Education and Threat Intelligence


Thursday, 5 January 2017

Cyber Security Roundup 2016: The Year of the Big Data Hack

A decade ago I was walking into Boardrooms clutching newspaper clippings of half dozen data breaches which had occurred during the previous years, in a bid to warn of future threats and to persuade executives to increase their information security budgets. Those days are long gone, as most executives I encounter tend to be already worried about the cyber threat to their business, all reinforced by the mainstream media which today reports hacks most days.

"Big Data" is a recent marketing buzzword used to usher in the age of businesses utilising the vasts amount of data which they process and store for increasing efficiently and profit. The problem is much of this "Big Data" is our personal data, and there are cyber criminals also seeking to profit from it. So here we are in the era of "Big Data Hacks", which sums up 2016 quite well.

I have compiled a list of media headlines of data breaches in 2016 below, the volumes involved with these data theft hacks are truly mind–boggling. Yahoo on their own had 1.5 billion personal records stolen in two cyber attacks. It isn't necessary that stealing digital text data in such volumes is difficult, but have to wonder about what level of IT security was in place to protect such large volumes of personal data in the first place.

DDoS attacks continued to grow in strength in 2016, thanks to the explosion of the Internet of Things, with hackers creating huge DDoS botnets from insecure and rushed IoT devices, which frankly have no business of being sold and placed online with default passwords and basic software vulnerabilities.

2016 was also the year Ransomware made a huge comeback. The UK public sector seems particularly vulnerable to ransomware infections, with cyber criminals making millions by evolving various strains of ransomware and catching victims out with the age old infection techniques of phishing emails, malware infected websites and trojan software.

In 2017 we can expect to see more Big Data hacks and huge IoT fuelled DDoS attacks. Ransomware isn't going to go away either, however I am most concerned we'll see our first IoT attack which results in physical world damage and human harm in 2017.

Personal Data Theft and Data Breaches in 2016

Tuesday, 3 January 2017

Cyber Security Roundup for December 2016

Yahoo announced the largest ever data breach in history, with over 1 billion Yahoo user accounts compromised by a past cyber attack, which I covered in Yahoo's Mind-blowing One Billion Data Theft Hack. This truly humongous data hack is distinct from the 2014 breach of 500 million accounts reported by Yahoo in September. Elsewhere KFC, Topps, The Daily Motion and LinkedIn’s also reported large customer data breaches of millions of records during December. 

We need to be mindful of never to "get use to" and accepting these massive numbers of hacked online accounts, by businesses we entrust with our personal information, especially where these businesses have been found 'wanting' on the cyber security defences by under investing. The old spin doctor excuses of indefensible super hacks orchestrated by sophisticated nation-state backed dark forces tends not to stand up once the facts are uncovered. There is nothing sophisticated about teenage kids using freely downloadable software to take advantage of decade old and basic security vulnerabilities.

The media and security experts continues to pour scorn on TalkTalk’s cyber security, following the firm’s poor handling and customer advice after a cyber attack of unpatched TalkTalk customer broadband routers.

ThyssenKrupp, a large German steel maker firm, disclosed it was a victim of cyber intellectual property (IP) theft. Businesses rarely admit to IP data theft given such admissions can serious harm the business's reputation and share price. Given the high media and public attention in protecting personal data from cyber attacks, following a year of high profile large customer record losses due to cyber attacks, it can be easy for businesses to take their eye off protecting their IP, and to become complacent with IP protection and security.

I was quoted in the Focus Training's Blog. An 'Ask the Experts' piece on 'How to Protect your business from Cyber Crime', my advice was as follows.

There was a Christmas bumper of patch releases in December, with Microsoft, VMWare, Joomla, PHP and Android all releasing patches for critical vulnerabilities.

Awareness, Education and Intelligence