Pauldotcom’s Security Weekly talks about the FBI and the Encrypt Act

Another great security update at pauldotcom’s securityweekly show.

Here Aaron talks about Norse Corp, DHS and FBI Employee info leak, ENCRYPT Act, and Hackers aren’t smart. It is an 8min video that goes over the latest and greatest.

Hack Naked TV – February 18, 2016

You can see the notes from the show here: http://wiki.securityweekly.com/wiki/index.php/Hack_Naked_TV_February_18_2016#Aaron.27s_Stories

 

More Ransomware called Locky

There has been a new type of Ransomeware currently taking the internet by storm right now. It is being spread by office365 or by an email in the form of an invoice. This has an attachment with a word doc that has embedded macros. It encrypts everything, and you either have to wipe your PC or pay between $200-$800 dollars to decrypt it.

*The Locky Ransomeware also has the ability to encrypt also your network backups so beware !*

Kevin Beaumont along with Larry Abrahms of BleepingComputer initially discovered the existence of Locky encrypted virus

Here is an excerpt taken from the Hacker News (hackernews.com) “Once a user opens a malicious Word document, the doc file gets downloaded to its system. However, danger comes in when the user opens the file and found the content scrambled and a popup that states “enable macros”.

Here comes the bad part:
  • Once the victim enables the macro (malicious), he/she would download an executable from a remote server and run it.
  • This executable is nothing but the Locky Ransomware that, when started, will begin to encrypt all the files on your computer as well as network.
Locky Ransomware affects nearly all file formats and encrypts all the files and replace the filename with .locky extension.”

You can read more about Locky at Kevin’s blog post here:

https://medium.com/@networksecurity/you-your-endpoints-and-the-locky-virus-b49ef8241bea#.6lomlhy32

Time to move those backups from network accessibility!!

Using tcpdump for basic network troubleshooting through a security device.

Want to see if traffic is going through a gateway device? Here are some basic network troubleshooting tips on how you can validate that traffic is flowing through a security gateway and actually getting onto the wire.

Scenario one:

Sometimes the log says accept but maybe the traffic isn’t actually leaving the box.

Scenario two:

How about when you need to ‘prove’ to a network admin that traffic is in fact flowing, because they all believe it is the security gateway.

Answer: tcpdump

Most network people accept tcpdump as being an authority. By using tcpdump on both the incoming and outgoing interfaces you can answer either of those scenarios. Login to the box with ssh in two separate windows and run a tcpdump for the same traffic on both the incoming and outgoing interface.
As an example run a tcpdump on the interface where the connection comes from (internal) with the host IP of the device attempting to make the connection. Do this same tcpdump on the interface that the connection is to leave out of (external)

For instance you would see:

SYN (from Client) – Enters Internal Interface — SYN (from Client) Exits External Interface to Server or destination.

Or

ICMP Echo Request (From Client) – Enters Internal Interface — ICMP Echo Request (from Client) Exits External interface to Server or destination.
Whether or not you see the SYN-ACK or the ICMP Echo Reply come back the other way will be solely dependent on the server or network at that point. I used to use this quite a bit when needing to “prove” it is not the security gateway.

You will have to adjust for NAT if you are using it in this scenario however it all still applies.

How to setup the tcpdump (assuming you are ssh’d to the security gateway and in expert mode):

Session 1: Traffic entering internal interface:

tcpdump –n -i [interface name] host <IP of host>  (ex… tcpdump –n –i eth0 host 10.1.1.1 ) or preferably be more specific with your source/destination  (tcpdump –n –i eth0 host 10.1.1.1 and host 192.168.1.1)

Session 2: Traffic exiting external interface:

tcpdump –n -i [interface name] host <IP of host>  (ex… tcpdump –n –i eth1 host 10.1.1.1 ) or preferably be more specific with your source/destination  (tcpdump –n –i eth1 host 10.1.1.1 and host 192.168.1.1)
You can obviously get more and more granular with tcpdump however this is a good starting point.
Here are some examples if you want to run some generic tcpdumps or you want to filter certain things, and then put it in a pcap format.

Session 1:

tcpdump -nnei [interface] not port 22 and not port 18192 and not port 67 and not port 18190 and not port 137 -w /var/log/tmp/external.cap

Session 2:

tcpdump -nnei [interface] not port 22 and not port 18192 and not port 67 and not port 18190 and not port 137 -w /var/log/tmp/internal.cap
Have fun. 

Backup Scenarios

I have had people ask me about my other backup post about the types of backups you can do. Everyone wants to know “when” should they do a specific type of backup. Well I took this right from sk105385

BACKUP

Backup files are taken on a regular basis, and it is recommended to always perform a backup before performing an upgrade. A backup creates a compressed file that contains the Check Point configuration including the networking and operating system parameters, such as routing and interface configuration etc., but unlike a snapshot, it does not include the drivers.

A backup, unlike a snapshot, can be restored on the same or a different appliance running the same Check Point version and hotfixes, but the backup file contains the MAC addresses of the original appliance, on which it was taken, and these MAC addresses will be restored as well.

Before restoring a backup to replacement hardware, the original MAC addresses on the replacement hardware should be recorded. After restoring the backup on the new machine, the MAC addresses should be changed back to the original (recorded) MAC addresses. In Gaia this can be done via the WebUI, For SecurePlatform please contact Check Point Support for assistance with this.

To migrate the configuration between a replacement SecurePlatform appliance or a replacement Gaia appliance, instead of restoring a backup on a replacement appliance, it is recommended to use the migrate export and migrate import tools or the upgrade_export and upgrade_import tools found in $FWDIR/bin/upgrade_tools/.

SNAPSHOT

Snapshots are typically performed when the appliance was first installed and in a maintenance window before performing a major upgrade. A snapshot creates a file that contains a binary image of the entire root (lv_current) disk partition. This includes all of the operating system and various Check Point software files, such as specific drivers.
The log partition is not included in the snapshot, so any locally stored Firewall logs will not be saved.
Snapshots are appliance-specific and can only be restored on the same hardware.

migrate export / upgrade_export

The migrate export (Pre-R75) or upgrade_export (R75 and later) utility backs up all Check Point configurations independent of hardware, OS, or version, but does not include OS information. This utility may be used to backup management server configurations and is intended for upgrades or migration of database information to new systems with hardware changes, BUT will not work when downgrading to an earlier version.

It is recommended to perform an export at least every month or more often, depending on how frequently changes are made in the policy or network. It is also highly recommended before upgrading or migrating to a new version. Does not cause interruption of the services so it can be performed anytime outside a maintenance window.

References:

sk105385

Firestorm Vulnerability p0wning Next Gen Gateways.

I wanted you to be aware of a vulnerability called Firestorm. Some say it does not exist, or that it can’t be used. However it does in fact exist and totally works ! The folks at BugSec, actually demonstrate it here. Check it out:

http://www.bugsec.com/news/firestorm-movie/

It is very important that the vendor you pick for a security gateway, does in fact provide security, and not just an easy button for deployment.

Moreover, as I mentioned in an earlier post about vendors patching their stuff. They need to do it quickly when they find such a vulnerability. If not, well than I recommend another vendor. I have been an Incident Responder for a long time and have a few stories.

By the way the specific vendor being p0wned is Not Check Point.