MIS 5170-18 Topic: Operating Systems Security

MIS 5170 - Section 001 - Andrew Szajlai

Fox School of Business

Week 7 Update

March 5, 2017 by Andrew Szajlai 23 Comments

Good Evening,

Wanted to take a couple of minutes to talk about the main topics from this week's class. Firewalls – a way to control what and who (in terms of computers) can connect to our operating systems. What we did:

  • Installed the Telnet server and client on our DC
  • Installed the Telnet client on our Windows 7 computer
  • Built a firewall rule to allow Telnet from our Windows 7 computer to our Windows 2008 DC
  • Built an IPSec rule to protect a protocol that cannot protect itself
  • WireShark capture of Telnet with IPSec and without
    • Can you use WireShark to extract what command I ran after connecting to the server via Telnet?
      • E-mail me for a 5-point extra credit bonus towards your final grade; you have two weeks from tonight, March 14th, 11:59.
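The lab steps above, written out as an added example that is not part of the original post or the course material: the netsh advfirewall commands a defender would run from an elevated PowerShell prompt on the DC to allow Telnet from one client only and then require IPsec for it. The addresses (192.0.2.x, from the documentation range), the rule names TelnetFromWin7 and ProtectTelnet, and the Server Manager feature id Telnet-Server are assumptions; substitute your own lab values. One caveat the capture step depends on: Windows' default IPsec data protection is integrity only, so a connection security rule that does not name an encryption proposal authenticates the Telnet session but leaves its payload readable in a sniffer.

```powershell
# Added example, not the course's own script. Run in an elevated PowerShell
# prompt on the Windows Server 2008 DC. Addresses are constructed placeholders.
$dc   = '192.0.2.5'    # assumed: Windows Server 2008 DC (Telnet server)
$win7 = '192.0.2.10'   # assumed: Windows 7 client

# 1. Telnet Server feature on the DC (assumed feature id). On the Windows 7
#    client the matching step is:
#    dism /online /Enable-Feature /FeatureName:TelnetClient
servermanagercmd -install Telnet-Server

# 2. Inbound firewall rule scoped to the single client. Without remoteip=
#    the rule would expose TCP/23 to every host that can reach the DC.
#    security=authenc also refuses Telnet traffic that is not carried inside
#    an authenticated AND encrypted IPsec association, so a cleartext session
#    is dropped instead of silently accepted.
netsh advfirewall firewall add rule name=TelnetFromWin7 dir=in action=allow `
    protocol=TCP localport=23 "remoteip=$win7" profile=domain `
    security=authenc enable=yes

# 3. Connection security (IPsec) rule: both directions must negotiate IPsec
#    with Kerberos computer authentication (both hosts are domain members).
#    The ESP/AES proposal is what actually hides the Telnet payload; the
#    default data protection is integrity only. Add the same rule on the
#    Windows 7 client with endpoint1/endpoint2 and port1/port2 swapped.
netsh advfirewall consec add rule name=ProtectTelnet `
    "endpoint1=$dc" "endpoint2=$win7" protocol=TCP port1=23 port2=any `
    action=requireinrequireout auth1=computerkerb `
    qmsecmethods=esp:sha1-aes128 profile=domain enable=yes

# 4. Verification after opening a session from the client (telnet 192.0.2.5):
#    a quick-mode SA between the two hosts should be listed, and a capture on
#    either side shows ESP packets rather than readable TCP/23 payload.
netsh advfirewall firewall show rule name=TelnetFromWin7
netsh advfirewall consec show rule name=ProtectTelnet
netsh advfirewall monitor show qmsa
```

Scoping the allow rule with remoteip= and tying it to IPsec with security=authenc are independent controls: the first limits who may reach the port, the second guarantees that whatever reaches it is authenticated and encrypted, which is the combination the class used to protect a protocol that cannot protect itself.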

* Links to the videos are on: Week_07_Firewalls

This week's slides: Week 7


Filed Under: Week 07: Windows Firewalls

Comments

  1. Satwika Balakrishnan says

    March 14, 2018 at 5:00 pm

    As per Professor’s suggestion, I am sharing a video on taking snapshots using vmrun, a utility tool to control virtual machines. You may access the video using the below link.

    https://drive.google.com/file/d/1KmT9SUnYsF9-ugt_sMAhsqMcrnyE-M12/view?usp=sharing

    Please let me know in case you have trouble playing the video.

    • Fraser G says

      March 14, 2018 at 10:04 pm

      Satwika-

      Thanks for putting this up however I am not able to open it – some WRF file format that isn’t recognized.

      What do you use to open these?

      • Fraser G says

        March 14, 2018 at 10:05 pm

        I just tried with Webex player and didn’t have any luck with that either.

        • Satwika Balakrishnan says

          March 14, 2018 at 11:41 pm

          Oh... Sorry about that. Let me try converting it into an mp4 and then I shall upload it back.
    • Satwika Balakrishnan says

      March 15, 2018 at 2:33 am

      There was some version conflict with my WebEx recorder and that is why the previous video had some issue. Anyways, I have uploaded a new mp4 video. Please find the link below.

      https://drive.google.com/open?id=1MVCg2-OvrQQGzuOl8HW5Zccwb-xKrDNz

      Hope this one won’t have any issues.

  2. Zirui You says

    March 15, 2018 at 12:09 am

    “Security Think Tank: Human, procedural and technical response to fileless malware”
    http://www.computerweekly.com/opinion/Security-Think-Tank-Human-procedural-and-technical-response-to-fileless-malware

    The question of “what should organizations do at the very least to ensure business computers are protected from fileless malware?” grabs people's attention because a growing number of organizations have experienced fileless malware attacks. This article indicates that the reason fileless malware attacks are becoming popular is that the malware operates by hijacking legitimate Windows tools. Therefore, the attack is difficult to detect. The author provides some human-based and technical-based approaches to responding to this kind of attack.
    • Vince Kelly says

      March 15, 2018 at 9:53 am

      Interesting Zirui. The Slingshot article that I posted also uses its own memory resident virtual file system – although it doesn’t attack or use Windows based operating systems (so it doesn’t exploit WMI or PowerShell tools described in your article as a means of attack).

      I guess that one implication here may be that pure signature based software protection won’t be enough to truly protect a machine – it will need to be a combination of both behavior based and signature based security strategies for the entire system (again just my opinion here)

      If that’s the case then it's going to substantially increase computing costs and hardware performance requirements, which in turn ultimately accelerates the need for the continuation of Moore’s law.

      Just thinking out loud here, but one potential way around that scenario (again in my opinion) might be for hardware manufacturers to start including ‘security co-processors’ in their architectures going forward – or – to start moving the security function down into GPU hardware. That’s a strategy that would let the consumer decide which systems needed that level of added security.
    • Patrick DeStefano (tuc50677) says

      March 21, 2018 at 7:34 pm

      This seems to be referring to script-based malware which is becoming more and more popular these days. As it mentions in the article, a lot of these can be communicated through phishing emails. A combination of continuing employee training, firewall rules, and baselining can all be used to lower the risk of an attack as well as the severity of an attack.

  3. Vince Kelly says

    March 15, 2018 at 9:27 am

    Evil new malware steals everything on your computer — without being installed

    https://nypost.com/2018/03/14/evil-new-malware-steals-everything-on-your-computer-without-being-installed/

    Newly discovered malware code called Slingshot was recently discovered by Kaspersky Labs.
    The malware infects router operating systems and has the ability to log the activity of a machine's desktop as its traffic passes through the router. The sophistication of the code has led Kaspersky Labs to conclude that the malware was probably developed by a nation state.

    Although Kaspersky Labs could not determine the exact mechanisms of how the malware initially infects the router operating system, they were able to determine that the code has two modules that work together to exploit both the kernel space and the user space of the infected system. The code also creates its own encrypted virtual file system that is embedded in an unused portion of the router's secondary storage. The code also encrypts its own internal text strings in order to bypass security products and can even shut down certain components when forensic tools were employed against the router.

    Kaspersky Labs claims that Slingshot has the ability to collect network and keyboard data which include screenshots, passwords, clipboard data and even data from USB drives. The scope of the infection seems to be limited. To date, Kaspersky has only identified the malware running on MikroTik routers in the Middle East and Africa.
    • Jason A Lindsley says

      March 15, 2018 at 7:55 pm

      Wow, definitely seems like Nation State espionage due to the sophistication of the attack and the limited targets. According to the Ars Technica article – https://arstechnica.com/information-technology/2018/03/potent-malware-that-hid-for-six-years-spread-through-routers/ – it hid in routers for six years and infected about 100 machines.

    • Patrick DeStefano (tuc50677) says

      March 21, 2018 at 7:52 pm

      It’s really fascinating/scary that these things can get so advanced to the point where they start camouflaging themselves whenever forensics are run on the infected PC, as the article states. We need to continue developing and advancing our detection methodologies and applications to be able to keep up with these new types of malware. Unfortunately for us, we will always be playing catch-up.
  4. Jason A Lindsley says

    March 15, 2018 at 7:49 pm

    Malware attack on 400k PCs caused by backdoored BitTorrent app

    https://arstechnica.com/information-technology/2018/03/malware-attack-on-400k-pcs-caused-by-backdoored-bittorrent-app/

    This article is about a supply chain attack on a BitTorrent product called Mediaget. The malware used a backdoor in the software to install malware that was intended to mine cryptocurrency. It infected 400,000 machines in 12 hours; however, the campaign was not successful.

    Supply chain attacks are when an actor infects widely used hardware or software by using software backdoors. Recent examples include an attack on CCleaner and M.E. Doc (NotPetya).

    The feasibility of these techniques has now extended from Nation State actors to common criminals, and it reinforces the need to only install software from trusted sources and not to give local admin access to users in your organization!
    • Patrick DeStefano (tuc50677) says

      March 21, 2018 at 8:09 pm

      A common trend with all of these attacks that seem to be surfacing is that they are due to malware being downloaded unknowingly via email phishing or by inappropriately downloading from non-company sites. The connection here is that training employees not to go to these types of sites and on what to look for in emails is key.

      This article explains how easily it can affect hundreds of thousands of users.
  5. Sev Shirozian says

    March 19, 2018 at 9:33 pm

    Intel has finally redesigned its processor architecture by using partitioning. The partitioning will create an extra barrier between applications and user privileges to prevent hackers from gaining access to sensitive data processed by the processor.

    These updated processors will come out in their next-generation Xeon processors (Cascade Lake) and 8th generation Intel Core processors in the second half of the year.

    https://www.pcauthority.com.au/news/intel-fixes-spectre-and-meltdown-vulnerabilities-with-updates-and-new-chips-487255

    – Sev Shirozian

    • Donald Hoxhaj says

      March 29, 2018 at 3:01 pm

      I think this is great news Sev. The vulnerability broke many security boundaries in the hardware systems and gave access to systems. While Intel has focused largely on the Hardware, Oracle too has released its new DB against Spectre and Meltdown attacks. It’s important to see if OEMs can be enforced to patch their hardware before shipping it to customers. Moreover, the question that will still daunt the customers is the release of Xeon processors, until when they would need to use advanced security patch to defend their network systems.

  6. Fraser G says

    March 21, 2018 at 6:23 pm

    https://blog.cloudflare.com/the-root-cause-of-large-ddos-ip-spoofing/

    This is a nice overview of the recent large-scale DDoS attacks (GitHub) that we discussed in class. This is from Cloudflare's perspective and gives extra insight into how the attack was launched and mitigated. Worth a read.
    • Patrick DeStefano (tuc50677) says

      March 21, 2018 at 8:21 pm

      The article discusses spoofing, which occurs when the source IP address is faked to make a destination PC think the packet is coming from somewhere else, possibly a source IP which can get through a firewall if not protected for. This problem is not specific to IP addresses. There has also been a recent surge in Phone number spoofing. This is where fraudsters replicate a phone number similar to one in the target’s local region. They will usually spoof the first six digits of the phone number (including area code).

  7. Frederic D Rohrer says

    March 21, 2018 at 10:58 pm

    Breaking the Ledger Security Model by Saleem Rashid | Mar 20, 2018

    https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/

    Saleem was able to break the Ledger Hardware Wallet by using a supply chain attack to modify the recovery seed. The recovery seed can be used to change or just extract the PIN. If the Ledger is used after the attack, any funds can be stolen when plugged into a compromised device. However this would require the attacker to physically access the Ledger, or to sufficiently compromise the target’s computer, twice.
    I found it interesting that Saleem chose to publish this vulnerability instead of cashing in on the security bounty.
    He says that he did so “… mainly because Eric Larchevêque, Ledger’s CEO, made some comments on Reddit which were fraught with technical inaccuracy. As a result of this I became concerned that this vulnerability would not be properly explained to customers.”

  8. Mustafa Aydin says

    March 22, 2018 at 10:42 am

    AMD Acknowledges Newly Disclosed Flaws In Its Processors — Patches Coming Soon

    AMD has finally acknowledged 13 critical vulnerabilities, and exploitable backdoors in its Ryzen and EPYC processors disclosed earlier this month by Israel-based CTS Labs and promised to roll out firmware patches for millions of affected devices ‘in the coming weeks.’

    According to CTS-Labs researchers, critical vulnerabilities (RyzenFall, MasterKey, Fallout, and Chimera) that affect AMD’s Platform Security Processor (PSP) could allow attackers to access sensitive data, install persistent malware inside the chip, and gain full access to the compromised systems.

    Although exploiting the AMD vulnerabilities requires admin access, it could help attackers defeat important security features like Windows Credential Guard, TPMs, and virtualization that are responsible for preventing access to sensitive data from even an admin or root account.

    In a press release published by AMD on Tuesday, the company downplays the threat by saying that, “any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research.”

    https://thehackernews.com/2018/03/amd-processor-hacking.html

    • Donald Hoxhaj says

      March 29, 2018 at 3:01 pm

      This is truly alarming to me as AMD captures almost 20% to 30% market share in the processor industry. Intel has been quite fast in picking up the new threats and releasing the patches before any serious business lapse occurs. If hijackers are able to gain access to Windows Credential Guard, TPMs, and virtualization, it would technically bring the entire network to a standstill and cause a breakdown. In fact, any nodes hacked in VMs could potentially lead to loss of critical data too. It is important for AMD to release the patches as soon as possible.

  9. Satwika Balakrishnan says

    March 22, 2018 at 2:42 pm

    Article: Cell Phone Porting Scams

    https://www.bbb.org/en/us/article/news-releases/17019-bbb-issues-alert-about-cell-phone-porting-scams

    Recently, T-Mobile has warned their customers about phone number ‘port-out scams’. This is a type of scam where hackers gather all the personally identifiable information (PII) about you, contact your mobile provider with the information gathered and get your number transferred to another provider. Once your number is ported to a new device, these hackers start accessing your bank accounts and other personal accounts which require an authorization code texted to your phone for verification.

    The article provides the following three tips to protect yourself from such an attack:
    i) Inquire with your wireless provider about port-out authorization. Most of the service providers have additional security for port-out authorization that customers can set up, like a PIN which will make it difficult for someone to port out your phone.
    ii) Watch out for unexpected “Emergency Calls Only” status. Your phone switches to ‘Emergency calls only’ when your phone number has been transferred, so be on the lookout for this or something similar.
    iii) Be vigilant about communications you receive. Beware of any phishing attempts, alert messages from financial institutions, and texts in response to two-factor authorization requests.
  10. Donald Hoxhaj says

    March 29, 2018 at 3:02 pm

    Windows RDP flaw: ‘Install Microsoft’s patch, turn on your firewall’

    http://www.zdnet.com/article/windows-rdp-flaw-install-microsofts-patch-turn-on-your-firewall/

    Microsoft released security patches for 75 security bugs, including patches for 15 critical flaws and a serious vulnerability that could potentially lead attackers to steal sensitive passwords and user credentials. While these updates have been primarily used for the Spectre and Meltdown malware, many security firms have recently encountered a new bug named CVE-2018-0886, a remote code execution flaw that could impact CredSSP (the Credential Security Support Provider protocol). CredSSP is widely used in Microsoft’s RDP (Remote Desktop Protocol) and WinRM (Windows Remote Management) to secure the connection of 3rd party systems to the server.

    One of the security firms, named Preempt, says that this bug isn’t an attacker’s entry point, but rather a technique for lateral movement and privilege escalation after they’ve either gained physical access to the target’s Wi-Fi network. A man-in-the-middle attack deployed on the system could lead the attackers to take control of the CredSSP session state to steal session authentication and perform a Remote Procedure Call (DCE/RPC) attack on the server. The one solution that essentially works for this type of bug is to turn on the Windows firewall, as RPC is not enabled by default. This would at least prevent the bug from capturing the session state.
  11. Donald Hoxhaj says

    March 29, 2018 at 3:02 pm

    Still running Windows 7 instead of Windows 10? You’re at greater risk from malware says report

    https://www.techrepublic.com/article/still-running-windows-7-instead-of-windows-10-youre-at-greater-risk-from-malware-says-report/

    According to Webroot, users who are still running Windows 7 operating systems might be at a larger risk of malware attack. Statistics say that only 15% of the total files determined to be malware in 2017 were seen on Windows 10 systems, while a full 63% were found on Windows 7, the next-most-common OS for businesses. It is seen that on average 0.04 malware files per Windows 10 system are seen, in relation to Windows 7, which has about 0.08 malware files per system. While the company has not briefed on how to resolve the issue with the existing patches completely, it strongly recommends switching to Windows 10 because of the advanced endpoint protection that uses behavioral analysis and machine learning.

    This could be a strategic move too, as many would like to believe. It is however uncertain whether this is a real problem or a made-up problem by Microsoft in order to push consumers to its higher version of operating system.
