WannaCry Ransomware

WannaCry implements several advanced malware techniques, it may penetrate via web or mail, or even directly through a computer with an
SMB connection open to the internet. Once the initial penetration was successful it spreads laterally using vulnerabilities in unpatched Windows SMB.

Check Out the video from Check Point Software here:

NSA got owned

By now many of you have hear about the NSA hack. Because of this some vendors have  disclosed their vulnerability to the community.  This is a Hugh potential for issues in many environments worldwide. Today’s security administrators have a daunting task. Security devices log thousands of network events every day. New, complex targeted attacks designed to be evasive are difficult to identify and many be hidden within a multitude of other events.

Here is what happened according to an article at techcrunch:

“A group calling itself the Shadow Brokers dumped data online this weekend that it claimed to have stolen from the Equation Group, a hacking team widely believed to be associated with the NSA.

Cisco said in a security advisory that two vulnerabilities in the Shadow Brokers’ data could be used to breach its Adaptive Security Appliance (ASA) software used in its firewalls. “An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system,” Cisco’s disclosure says.

The data being offered for sale by the Shadow Brokers is dated between 2010 and 2013, so Cisco firewalls may have been vulnerable for years.

This exploit is referred to in the Shadow Brokers’ dump as EPICBANANA.

The second exploit, EXTRABACON, affects all releases of Cisco’s ASA software — but getting it to work is is tricky. The exploit would allow an attacker to take full control of the firewall system, but its complexity — and the fact that Cisco hadn’t discovered and patched it — suggests it was developed by a talented adversary.

Fortinet also said that some of its products released prior to August 2012 contained a vulnerability that would allow an attacker to take execution control over a firewall. More recent versions should not be affected, Fortinet said, although the company noted that its investigation into the code released by the Shadow Brokers is continuing.

Meanwhile, the Shadow Brokers also claim that their exploits will work on firewalls from Juniper Networks and TopSec, but neither company has publicly acknowledged the leak.”

As the IT environment evolves, mobile, cloud the Internet of Things. It is important for security to be one step ahead of the attackers and not a step behind. Did you know that Check Point Software just received it’s 12th NSS_Blog_260x260Recommended rating from NSS labs? Check Point’s Next Generation Threat Prevention (NGTX) with SandBlast™ was tested in the recent 2016 NSS Labs Breach Detection System (BDS) group test. Check Point earned the NSS ‘Recommended’ recognition for security effectiveness and value.

An essential ingredient to successfully block unknown malware and zero-day threats is an integrated, advanced sandbox, like Check Point SandBlast Zero-Day Protection. Sandblast inspects files in a safe, virtual environment to discover malicious behavior before it enters the network; and its advanced CPU-level detection identifies and stops attacks at the exploit phase, before malware even has the chance to deploy.

Need for CPU Level Sandboxing

sandpit-762541_960_720

When cyber criminal (or just some black hat hacker) has written a malware he/she must spread it somehow and make available for victims. One very common way is to hide the malware in a file that is then send as an e-mail attachment or web-link to their targets.

We who work with IT security keep repeating the message “do not open unknown attachments or visit suspicious web sites”. However, if the mail message tells that you have won in a lottery or somebody is just giving out money or sending you a CV, many people are keen to open the file… and BOOM, you are infected.

Why the virus radars didn’t catch this malware then? Because it was completely new, never seen before, so called zero-day attack, probably addressing some vulnerabilities the very first time.

Is there anything we can do to prevent users from even getting these malicious files with previously unknown malware? Yes there is. This technology is called sandboxing where files are opened in a safe environment, a.k.a. sandbox before delivering them to the recipient. Sandbox monitors the behavior that takes place when the file is opened. If any malicious activity (changing registry settings, adding unknown library files, changing browser settings etc.) is found, the file is dropped and the intended recipient only gets a message that the e-mail attachment or the downloaded file was stripped because it seemed to be malicious. So, set up a sandbox and you are safe, right? Well, unfortunately not right, because cyber criminals have also noticed that their stuff doesn’t go through anymore have learnt to alter their malware so that the traditional sandboxes don’t see it.

How can malware be altered then to avoid sandboxes catching it? This is very easy… Just do nothing. Sleep and activate only on specific hour or when user does certain movements. In order to catch also this kind of malware that doesn’t activate in a traditional sandbox, a CPU level sandboxing was developed.

A program can contain a lot of different functions. When function A calls function B and function B calls function C, they always should return values to the functions that called them (C should return to B and B to A etc.). Malware can take advantage of vulnerabilities in the program and return values to different locations. This behavior is called Return-Oriented-Programming (ROP). CPU level sandbox is capable of catching ROP.

Not all vendors have this technology. Make sure that your sandbox can prevent (not only detect) unknown malware and that it can pick up the ROP behavior as well. Currently Check Point has this feature available in the product called Sandblast.

What does it feel of being hacked?

Protecting us from hackers is getting more and more important. Clever social engineering attacks don’t even need any technical skills…

The following video demonstrates how one guy’s life could be practically destroyed with hacking attacks.

Here is link to the original story.

Why should I have firewalls from more than one vendor in my network?

You shouldn’t!

Every now and then I meet customers whose company policy is to use firewalls or other security devices from two or even more vendors. Always they justify this decision with security. However according to Gartner over 99 % of all firewall breaches are caused by misconfiguration, not by firewall flaws. Gartner gave this statement already in 2008. Since then firewalls have got a lot more features that actually increase the risk for misconfiguration if you don’t know what you are doing.

In this light using firewalls/security gateways from more than one vendor seems to be more risky than consolidating all in one.

Following is my top list of reasons why one vendor is better than several.

  1. Personnel needs to be trained for only one vendor solution, instead of several.  Lack of knowledge increases the risk for misconfiguration.
  2. It’s easier to keep your software up-to-date with one vendor solution.
  3. Centralized management is easier to deploy with one vendor solution.
  4. Different policies are easily comparable and can be consolidated or migrated when they are all from the same vendor.

What should be taken into account when selecting a security vendor.

  1. Real security. Make sure vendor’s products are regularly tested by an independent test lab.
  2. If you have more than one gateway, make sure your vendor supports good and secure centralized management.
  3. In case you need help the vendor should provide credible technical support that is also easily reachable.

Disclaimer: I work for a security vendor, Check Point Software Technologies myself, but this text is entirely my own and does not represent opinions of my employer.

This is me and R80

This is me, Lari. I have over 15 years experience in information security industry. I work as a security consultant in the Professional Services organization of Check Point Software Technologies.
I said yes when my colleague and good friend Mark Bennet asked me to become a co-author of this blog. So, here we go. This is my first blog post, but there will be more…

Yesterday Check Point announced R80, the next generation security management platform. Check Point’s centralized security management system has always been the best in market, but now the best got even better.

What is so cool about this new platform?

1. Unified policy. Everything can be done from the same view in SmartDashboard.
2. Policy segmentation. Different layers in policy increase efficiency.
3. Automation. Security operations can be automated to make them more efficient.
4. Orchestration. Integration with existing 3rd party tools over trusted APIs
5. Concurrent administration. Several admins can edit the policy simultaneously.
6. Consolidated logging and monitoring
7. Segregation of duties allow e.g. separate teams to manage IPS and firewall
… And much more…

For more details, see the Exchange Point Forum.

Pauldotcom’s Security Weekly talks about the FBI and the Encrypt Act

Another great security update at pauldotcom’s securityweekly show.

Here Aaron talks about Norse Corp, DHS and FBI Employee info leak, ENCRYPT Act, and Hackers aren’t smart. It is an 8min video that goes over the latest and greatest.

Hack Naked TV – February 18, 2016

You can see the notes from the show here: http://wiki.securityweekly.com/wiki/index.php/Hack_Naked_TV_February_18_2016#Aaron.27s_Stories

 

Oracle removing it’s Java plugin from the browser

It seems that Oracle is deprecating the plugin after it’s next release of Java 9. Much to the hails to many on the internet. However many organizations that use the plugin may have to endure the pain of redoing their stuff.

A good read on the announcement can be read here :

Oracle-removing-java