Friday 19 May 2017

How to Stay Safe in the Cloud

No business or individual should ever assume 'Cloud Services' are sufficiently secure to protect their data and their cloud service provision. There are always elements of cloud service security responsibility which sit squarely with the service buyer (the business) and its users. Sage have put together a simple-to-understand infographic on Staying Safe in the Cloud, which neatly highlights the threats and the security pitfalls to be aware of when adopting cloud services.

Tuesday 16 May 2017

WannaCry Ransomware Bite Sized Business Prevention Advice

The top three actions to reduce the risk and impact of a WannaCry type cyber attack at a business:
  1. Perform regular staff awareness training, specifically on spotting phishing emails
  2. Have a robust patch management process. Ensure all Microsoft Windows systems have Microsoft Critical Updates applied quickly - they are marked as critical for a reason!
  3. Have anti-virus running on all Microsoft Windows systems, with AV definitions kept up-to-date
Security in Depth
There are further security risk-reducing steps like filtering web traffic, ensuring data is regularly backed up, security monitoring, and network segmentation, but the above three are the simplest and most effective in terms of prevention against this type of attack, especially within the SMB space where security budgets are limited. Expect further versions of the WannaCry ransomware.

The Reasons Behind this Advice
(1) The WannaCry ransomware infects an initial system via a phishing email: the user executes the malware within an attachment or through a web link. The Microsoft security update will not stop this initial ransomware execution, but (3) an updated anti-virus system now blocks the current strain of the malware from executing. (2) The Microsoft MS17-010 security update stops WannaCry from rapidly propagating (i.e. worm malware) from the initially infected system to other vulnerable Windows systems (those without the MS17-010 update) attached to the local network.

For full details about WannaCry see my other blog posting - 

Monday 15 May 2017

The IT Security Expert Blog is 10 Years Old

Ten years ago today I published my first ever blog post, about a BBC news story titled "Home Network Security Scrutinised". A decade ago it was rare to see an IT security or hacking story make the news media, and back then the term 'Cyber Security' would conjure images of Dr Who's metallically clad arch-villains in most people's minds in the UK.
The Face of Cyber Security in 2007

Fast forward ten years, IT security has long been rebadged as 'Cyber Security' and on Friday the top ten news stories on Sky News were all Cyber Security related, albeit about the same global attack, but how times have changed.

'I found the following article on the BBC news website, which happens to be exactly what I had been talking about in my presentations this week. None of the findings is surprising to me, but I find many people I talk with are in the dark about digital security. Anyway, I thought I'd write this post about it and start my own blog' - 15th May 2007
How times have changed since I started writing this blog. The use of computing devices has vastly increased, with IT systems and devices becoming ever more sophisticated; most of us carry powerful 'smartphone' computers in our hands and we have countless connected devices within our homes. It is clear our society has grown ever more dependent on information technology, as evidenced by the NHS cyber attack on Friday: the loss of NHS workstations due to a fairly simple ransomware attack led to cancelled operations and A&E closures.

Some of the highlights from the last Ten Years
  • 2007 Web 2.0
  • 2007 The iPhone is launched
  • 2007 HMRC loses unencrypted CD holding millions of UK citizen's personal details
  • 2007 WikiLeaks is founded (later to be used by Snowden and Manning)
  • 2007 ISPs using WEP (broken) Wifi encryption
  • 2007 Estonia DDoS of government websites and businesses
  • 2007 PCI DSS compliance is pushed
  • 2007 TJX Max 45 million credit card breach is disclosed
  • 2007 Nationwide fined £1m by FSA due to data breach
  • 2008 The Rise of Hacktivism: Scientology attacked by Anonymous
  • 2009 Heartland 130 million credit card data breach
  • 2009 The Gary McKinnon Extradition
  • 2009 The Conficker Worm infiltrates millions of PCs worldwide
  • 2009 Zeus trojan/bot becomes more widespread
  • 2011 EU Cookie Law
  • 2011 PlayStation Network Hack and 102 million Record Data Breach 
  • 2011 Duqu industrial controls virus
  • 2011 Third Party Breach
  • 2011 Lush credit card data breach
  • 2011 Bank of America had 85 million credit cards taken by a Turkish hacker
  • 2012 Flame cyber espionage malware
  • 2012 LinkedIn data breach, 165 million accounts compromised
  • 2013 65.5 Million emails and password leaked from Tumblr
  • 2013 Evernote had 50 million records compromised
  • 2013 Target breached by HVAC third party, 40 million credit cards stolen
  • 2014 Sony Pictures DDoS over "The Interview" North Korea satire movie
  • 2014 General Data Protection Regulation (GDPR) agreed by the EU
  • 2014 The Heartbleed bug
  • 2014 Rambler 98 million accounts compromised
  • 2014 Yahoo 500 million accounts compromised
  • 2014 Home Depot 56 million credit cards stolen
  • 2015 TalkTalk Hacked
  • 2015 Rise of IoT insecurity
  • 2015 Jeep car hack
  • 2015 21.5 million personal records stolen from US Government
  • 2015 Superfish privacy invasion by Lenovo
  • 2016 Yahoo 1 Billion Personal Record Data Breach
  • 2016 $101m hack of the Bangladesh Bank
  • 2016 US election hacking
  • 2016 Friendfinder 412 million accounts compromised
  • 2016 360 Million Stolen MySpace accounts posted online
  • 2016 67 million Dropbox accounts compromised
  • 2016 Massive DDoS attack against DNS provider reg-123
  • 2017 APT10 Cloud Hopper Campaign Threatens
  • 2017 Global Ransomware outbreak which severely impacted the NHS
Of course, cyber security is not ten years old! In 1903 Nevil Maskelyne disrupted John Ambrose Fleming's public demonstration of Marconi's wireless telegraph technology by sending insulting Morse code messages through the auditorium's projector. In essence that was a successful hack of an information technology device.

The Cyber Security Game is afoot
The more devices there are and the more complicated they are, the more likely there are to be vulnerabilities which are exploited by criminals and nation-state actors hellbent on making money and causing mayhem. There is no winning scenario with cyber security; it is a continuous process and a challenge of staying ahead of the bad guys. If you stand still for just a minute, like the NHS not upgrading Windows XP systems and not applying Microsoft Critical Security Patches on time, you are going to lose the cyber game big time. So here's to another ten years...

Friday 12 May 2017

WannaCry Global Cyber Attack Killing the NHS Explained & Help

A large-scale cyber-attack has impacted organisations around the world today, including badly affecting NHS services, with at least 25 NHS organisations hit by a mass ransomware outbreak. The ransomware responsible is known as WanaCrypt0r 2.0, WannaCry or WCry2; once it infects a system, not only does it encrypt data on the host system, but it attempts to infect other computers over the local network.

This aggressive malware uses an exploit method named EternalBlue, details of which were posted online in the Shadow Brokers dump of NSA hacking tools on April 14th, 2017. WannaCry exploits this Windows vulnerability (CVE-2017-0145) to spread quickly over the network (i.e. worm malware); the vulnerability was security patched by Microsoft on 14th March 2017. More specifically, the vulnerability lies within the SMB protocol, which is used for network file sharing, and which the WannaCry malware exploits to replicate itself to other vulnerable Windows devices attached to the same network.

WCry2 Ransomware Demand

To avoid the WannaCry ransomware infection within a network environment, make sure Microsoft Critical Security Update MS17-010 is applied to all Microsoft Windows systems. The update was released by Microsoft on 14th March 2017, so if you have operated a good patch management process (or allow Microsoft to automatically update your systems), run anti-virus and have kept AV definitions up-to-date, then you should be well protected from the WannaCry mass outbreak. If you are unable to patch a system, you can look into disabling the SMB service to prevent the malware from spreading to it.

The MS17-010 update stops the WannaCry ransomware from spreading (within a network); it does not stop the WannaCry ransomware from running when clicked upon within a phishing email attachment or link.

To prevent execution, update your anti-virus and be vigilant with scam (phishing) emails that entice you to click on links or open attachments.
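As an added example (not code from the original post), the following PowerShell puts the two network-side pieces of the advice above into a check you can run on a host: is MS17-010 installed, and if it is not, disable SMBv1 and block inbound TCP 445 as the interim measure until the update can be applied. The KB numbers are the MS17-010 package IDs for common Windows builds as I know them; treat the list as an assumption to verify against Microsoft's MS17-010 bulletin for your OS, and note that on Windows 10 a later cumulative update supersedes them, so a miss there means "check the cumulative update level", not "unpatched".

```powershell
# Added example, not code from the original post. Checks this host for the
# MS17-010 update and, if it is missing, applies the interim mitigations the
# post describes: disable SMBv1 and block inbound TCP 445 until it is patched.
# Run in an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or
# later (the Smb* and NetSecurity cmdlets are not available on Windows 7/XP).

# MS17-010 package IDs per Windows build (assumption: verify against the
# Microsoft bulletin for your OS). On Windows 10 a later cumulative update
# supersedes these, so a miss there means "check the cumulative update level".
$Ms17010Kbs = @(
    'KB4012598',                            # XP / Vista / Server 2003 / 2008 / 8 RTM
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Installed {
    param([string[]]$KnownKbs = $Ms17010Kbs)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $matched   = @($KnownKbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{ Patched = ($matched.Count -gt 0); Matched = $matched }
}

function Get-Smb1Enabled {
    # Server-side SMBv1 switch; SMBv1 is the dialect the EternalBlue exploit targets.
    (Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Invoke-InterimSmbMitigation {
    # Stop serving SMBv1 to the network ...
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # ... and refuse all inbound SMB on this host until MS17-010 is applied.
    # Remove the rule (Remove-NetFirewallRule -DisplayName ...) after patching
    # if the host legitimately shares files.
    New-NetFirewallRule -DisplayName 'Block inbound TCP 445 pending MS17-010' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
}

$patch = Test-Ms17010Installed
Write-Host ("MS17-010 installed : {0} {1}" -f $patch.Patched, ($patch.Matched -join ', '))
Write-Host ("SMBv1 enabled      : {0}" -f (Get-Smb1Enabled))

if (-not $patch.Patched) {
    Write-Warning 'MS17-010 not found; disabling SMBv1 and blocking inbound 445'
    Invoke-InterimSmbMitigation
}
```

The block-445 rule is deliberately blunt: it stops the host accepting SMB connections at all, which is the point while it is unpatched, but it will also break file and printer sharing from that host, so remove the rule once MS17-010 (or the superseding cumulative update) is confirmed installed.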

Microsoft has released patches for their non-supported Windows platforms, including Windows XP and Windows Vista. The Microsoft overview can be found on their Technet blog - 

Controlling an ongoing WannaCry Mass Infection
Where multiple malware infections are detected, the priority is to contain the spread of the ransomware and its subsequent impact. This means powering off any potentially vulnerable systems and disconnecting them from the network immediately. Before re-connecting any potentially vulnerable system, apply all the security updates and then run a full anti-virus (AV) scan to check for the presence of the malware, making sure your AV product is able to detect WannaCry, which most common AV products now can.
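Containment depends on knowing which hosts are actually spreading. The post explains that WannaCry propagates by probing other Windows systems on the local network over SMB, and that behaviour has a simple network signature: one source opening TCP 445 connections to many distinct peers in a short space of time, where a normal file-share client talks to one or two servers. The PowerShell below, an added example rather than code from the original post, applies that test to log lines in the Windows Firewall log (pfirewall.log) field order; the lines here are constructed sample data, and the threshold of 10 peers is an assumption to tune for your own estate.

```powershell
# Added example, not code from the original post. Flags hosts that fan out to
# many distinct peers on TCP 445: a file-share client talks to a handful of
# servers, while a network-propagating worm like WannaCry probes SMB on host
# after host. Input lines are constructed here in the Windows Firewall log
# (pfirewall.log) field order; pass a real log's lines to run it for real.

$SampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-05-12 13:02:00 ALLOW TCP 10.0.5.77 10.0.5.10 50012 445 0 - 0 0 0 - - - SEND
2017-05-12 13:02:03 ALLOW TCP 10.0.5.77 10.0.5.10 50013 445 0 - 0 0 0 - - - SEND
2017-05-12 13:02:05 ALLOW TCP 10.0.5.23 10.0.5.40 49211 445 0 - 0 0 0 - - - SEND
2017-05-12 13:02:05 ALLOW TCP 10.0.5.23 10.0.5.41 49212 445 0 - 0 0 0 - - - SEND
2017-05-12 13:02:05 DROP TCP 10.0.5.23 10.0.5.42 49213 445 0 - 0 0 0 - - - SEND
2017-05-12 13:02:05 ALLOW TCP 10.0.5.23 10.0.5.43 49214 445 0 - 0 0 0 - - - SEND
2017-05-12 13:02:06 DROP TCP 10.0.5.23 10.0.5.44 49215 445 0 - 0 0 0 - - - SEND
2017-05-12 13:02:06 ALLOW TCP 10.0.5.23 10.0.5.45 49216 445 0 - 0 0 0 - - - SEND
2017-05-12 13:02:06 ALLOW TCP 10.0.5.23 10.0.5.46 49217 445 0 - 0 0 0 - - - SEND
2017-05-12 13:02:06 DROP TCP 10.0.5.23 10.0.5.47 49218 445 0 - 0 0 0 - - - SEND
2017-05-12 13:02:07 ALLOW TCP 10.0.5.23 10.0.5.48 49219 445 0 - 0 0 0 - - - SEND
2017-05-12 13:02:07 ALLOW TCP 10.0.5.23 10.0.5.49 49220 445 0 - 0 0 0 - - - SEND
2017-05-12 13:02:07 ALLOW TCP 10.0.5.23 10.0.5.10 49221 445 0 - 0 0 0 - - - SEND
2017-05-12 13:02:08 ALLOW TCP 10.0.5.23 10.0.5.40 49222 445 0 - 0 0 0 - - - SEND
'@

function Get-SmbFanOut {
    param(
        [string[]]$Lines,
        [int]$Threshold = 10   # distinct 445 peers per source; assumption, tune per estate
    )
    $peers = @{}   # src-ip -> set of dst-ips it tried to reach on 445
    foreach ($line in $Lines) {
        if ($line -match '^\s*(#|$)') { continue }      # header / comment / blank
        $f = $line -split '\s+'
        if ($f.Count -lt 17) { continue }               # malformed line
        $proto, $src, $dst, $dstPort, $path = $f[3], $f[4], $f[5], $f[7], $f[16]
        # Count both ALLOW and DROP: a scanner produces drops against hosts
        # that do not answer on 445, and those attempts are evidence too.
        if ($proto -ne 'TCP' -or $dstPort -ne '445' -or $path -ne 'SEND') { continue }
        if (-not $peers.ContainsKey($src)) {
            $peers[$src] = [System.Collections.Generic.HashSet[string]]::new()
        }
        [void]$peers[$src].Add($dst)
    }
    foreach ($src in $peers.Keys) {
        if ($peers[$src].Count -ge $Threshold) {
            [pscustomobject]@{ Source = $src; DistinctSmbPeers = $peers[$src].Count }
        }
    }
}

$lines = $SampleLog -split "`r?`n"
Get-SmbFanOut -Lines $lines | Format-Table -AutoSize
```

On the constructed sample only 10.0.5.23 is reported (it reaches eleven distinct peers, repeat connections to the same peer counting once), while 10.0.5.77, which only talks to the file server, is not. A host that appears in this list is the one to pull off the network first under the containment steps above.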

A comprehensive guide to the WannaCry/WannaCrypt outbreak can be found here

Worried about a Mass Infection at your Business
If your organisation is yet to be infected by this malware and you are concerned, ensure the MS17-010 update is applied on all Windows devices, check Anti-Virus definitions are up-to-date and consider disconnecting from all third party networks until you are certain all systems are fully protected.

Infected: Should I Pay the Ransom to get my Data Back?
I do not recommend paying a ransomware ransom. At this point in time, there is no workaround to decrypt WCry (.wcry) encrypted files. Bitcoin intelligence shows people are paying the WannaCry ransom, and according to reports those that are paying are slowly receiving working keys to decrypt their WannaCry data.

If you don't plan to pay and there is data encrypted (not backed up) you want to keep, I suggest keeping a backup or drive image of the infected systems/encrypted files, as it might be possible to decrypt the data in the future. 

Beware of bogus ransomware removal tools: there are plenty of dodgy websites offering fake ransomware recovery software, or instructions that install further malware. Such illicit tools often come with a price and can destroy any hope of file recovery, so avoid any tools from untrusted online vendors.

WannaCry Removal 
I recommend completely wiping any infected system's hard drive, and recovering data from a recent non-infected clean backup, and obviously ensuring all those Microsoft security updates are applied and anti-virus is running and up-to-date. If you do want to remove the WannaCry ransomware infection without wiping, see - WCry Removal Instructions.

Why is NHS so badly Hit?
Going off tweeted screenshots of the NHS WCry infections, there still appear to be many instances of Windows XP used within the NHS. Windows XP is a long-outdated operating system and has been unsupported for security updates by Microsoft for a number of years. This means Windows XP is completely open to infection by WCry and other forms of malware; although Windows XP's security can be beefed up using application whitelisting, I personally wouldn't recommend using it as an operating system due to its insecurity.

To compound problems, staff working within the NHS have been describing a flat network via social media. Instead of a network of firewalled, ring-fenced small network segments, this suggests the NHS has a large open network, which allows network self-propagating malware like WCry to spread far and wide rapidly throughout the organisation.

The initial advice is to upgrade away from Windows XP to a supported operating system ASAP; that's a bit tricky for a cash-strapped organisation like the NHS, I know. However, IT systems are critical components of the overall health service provision, and as such they should not be neglected when it comes to prioritising budgets. Given it is the NHS, I believe the political ramifications of this cyber attack are going to go on for some time. Make no mistake, what happened with the NHS today is a world-class landmark cyber attack; we'll be talking about it for years within the cybersecurity industry.

Could it be Cyber Terrorism or a Nation-State Cyber Attack?
As reports of this global cyber attack initially flooded in, the first thought was that it could be cyber terrorism or nation-state orchestrated, given the same ransomware type had been reported attacking organisations en masse. The fact that 'national infrastructure' type organisations like Telefonica and utility gas firms like Iberdrola were hit could be seen as a smoking gun for a more sinister intent behind the attack than criminal money-making. It certainly fits the objective of a cyber-terror attack: spreading fear by causing public mayhem, and placing lives at risk by closing down country-wide critical services, especially health services. However, I believe these attacks are unlikely to be terror or nation-state related; we'll have to wait for more details about how the ransomware initially infiltrated these organisations to be certain. Ransomware is predominantly a cyber-criminal tool, so perhaps this is a case of the malware's 'network worm' propagating element being over-successful, as all cybercriminals want is to get paid the ransom, not to kill services, and in the case of WannaCry, we know the bad guys are getting paid ransoms.

Update 2021: A North Korean state-associated threat actor group named 'The Lazarus Group' was widely blamed for this attack by security researchers, and specifically by both the UK and United States governments and security services. The excellent "The Lazarus Heist" podcast by the BBC tells you everything you need to know about The Lazarus Group, with episode 10 specifically covering the WannaCry attack - see
BBC Sounds - The Lazarus Heist - Available Episodes

Above all, today's cyber attack impact serves as a harsh lesson in what can go wrong when organisations ignore years of warnings to upgrade unsupported operating systems, and in the necessity of applying critical security patches soon after release.

Wednesday 3 May 2017

Cyber Security Roundup for April 2017

In April the National Cyber Security Centre (NCSC) briefed major UK businesses about a significant Chinese Cyber-Espionage Threat called APT10, also known as Stone Panda, which I have featured in a separate blog post - Detecting & Preventing APT10 Operation Cloud Hopper.

The InterContinental Hotel Group, a hotel giant best known for the Crowne Park Plaza and Holiday Inn in the UK, reported data breaches within 12 of its hotels; however, Brian Krebs, the investigative journalist who first broke the story, reckons that there could be more than 1000 locations affected. A statement released on the hotel group's website says that the malware, which infected the hotels' card payment systems, was active between 29 September and 29 December 2016.

Payday loan firm Wonga reported a data breach which may affect up to 245,000 of its UK customers. The information stolen includes names, addresses, phone numbers, bank account numbers and sort codes.

A BBC Click investigation has thrown doubt on claims that the small, personal email server Nomx can provide "absolute security". The BBC investigation started by taking the device apart, finding that it was built around a £30 Raspberry Pi computer. As the operating system for the Pi sits on a removable memory card, Mr Helme was able to download the device's core code so he could examine it closely, and found he was able to crack the device's simple passwords.

There was the usual raft of security updates which fixed security vulnerabilities in April, with Microsoft patches causing the most stir with security researchers, some of whom suggested the firm had held back patching some of its products.

Awareness, Education and Threat Intelligence
  • The 2017 Verizon Breach Investigations Report (DBIR) Released
    • 75% of data breaches are down to outsiders and 25% to insiders
    • 73% are conducted for financial reasons, with half involving organised crime.
    • 62% of breaches feature hacking; it still disappoints to see that 81% of hacking-related breaches leveraged either stolen and/or weak passwords. Half of breaches included malware, but physical loss of devices is now down to just 8%, and errors were a factor in 14% of breaches.
    • Ransomware rose 50% compared to last year and accounted for 72% of all malware incidents in the healthcare sector. 
    • Financial services are the most targeted sector at 24%, while healthcare accounts for 15%, the public sector is close behind on 12%, and retail and accommodation combined account for 15% of breaches.