US Cities, Are They Under Attack ?

Are our US Cities under attack right now?  Sure seems like it given the number of cities in the news that have been taken down with Ransomware attacks.

Ransomware attacks against organizations are never going away, and attacks against government institutions seem to be an easy target, and an easy way to make money for some.

In a quick 5 minute search on google, I located 13 Government run networks that were taken down/breached recently with Ransomware.

I have a read a few articles that actually put that number higher, more than 50 government run (City, County, State, Federal) networks that were ill prepared, not up to date, and clearly not being monitored by anyone. All of them breached with Ransomware.

Some have elected to pay the ransom, others (like Baltimore) decided not to do so, and now are spending millions of dollars to recover. There was even talk about asking FEMA to assist them.

In the recent case of Riviera Beach, they knew their systems were antiquated, had gone to the city council on Feb 20 2019 asking to spend $798,419.00 to purchase a new backup system. The council approved it that night, but it was never installed.

All of them have something in common, besides being a tax payer funded government, and that is basic precautions were not taken, including monitoring.

With the recent announcement from the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) regarding the large increase of attacks from Iran specifically, all organizations should look to better monitor what is occurring 24/7 on their networks and systems. Something as basic as reviewing logs 24 hours a day can go a long way in mitigating threats.  This of course is something we do as part of our MDR & Threat Hunting services we offer for hundreds of customer right now, including governmental organizations.

Cyber War 2019 – Has It Started – Some Thoughts

 

Last week, on Thursday morning, I started to see what I call the first real shots being fired in the Cyber War of 2019 with Iran.  I thought I would write down a few thoughts I have regarding the situation in general.

 

For the past 18 months we at Milton Security had been tracking certain types of activity that we knew for certain or believed to be from Iran, across our customers. The types of activity ranged from simple to elaborate phishing attempts, password spray attempts (and successes in the cases of a few firms we know of including Citrix, which was made public). We also know of and tracked some counter developments.

 

In addition there is a possible double agent within Iran, who is dissatisfied with what was occurring, and has a grudge against the Iranian government. This individual has been releasing information, including doxing individuals in the Iranian government, and its defense contractors. They have listed out targets, tools and techniques used by the Iranian Cyber teams on Telegram.

 

When the drone was shot down by the Iranians, we knew this was going to escalate cyber activity against US targets. I am still trying to make sense of all the information around the downing of the drone. A few possibilities I have seen over the past 48 hours :

 

  1. Our drone was in international waters and Iran struck it down
  2. Our drone was in Iranian waters and Iran struck it down
  3. Our drone was in international waters, Iran jammed the GPS on the drone which made the drone go off course into Iranian territory
  4. Our drone was in international waters and a third party jammed the GPS on the drone which made the drone go off course in Iranian territory

 

Iran also stated that it had our Navy P-8 plane, which was monitoring the drone, in its sights and decided not to fire at it, since it had US Navy personnel onboard.

 

Now, I am not an expert in strategy or military operations, but knowing a little bit on how the US Navy and the US Coast Guard do operations, I do see the US Navy flying right along the demarcation line, much like we send US Navy and US Coast Guard vessels along the same line, to show there is an international presence, and do what’s called Freedom Of Navigation.  This ensures that commerce can go unimpeded.  This is also done frequently in the South China Sea contested areas as well.

 

This is also how the US Navy Riverine Boats were captured by the Iranians in 2016.  Running along the boundary and one of the vessels becoming dead in the water.  Was this also a case of GPS issues?

 

When President Trump decided at the last moment not to retaliate with weapons, this confused the Iranian side and it confused the American press.  It gave the Iranians time to regroup, and re-assess their defense against possible missile strikes. Wether this was a true case of having second thoughts of potentially killing 150 Iranian military and civilian personnel, or was it part of the plan, I guess depends on how you view this administration.

 

After the drone was struck down the US was able to accomplish retaliatory cyber strikes against Iranian computers systems that control their missiles and radar sites.

 

Since Thursday, our team at has seen the intensity of attempts increasing from potential Iranian backed actors. And this is not the end, just the beginning, of the Cyber War with Iran. The Whitehouse is looking to expand its cyber toolset, with greater flexibility in using cyber attacks.

 

This week is lining up to be very interesting. Tomorrow, President Trump said he will apply new sanctions against Iran, and Iran has stated they will bypass the nuclear 300 kilogram limit within 4 days.

Applications, should Parents trust them?

Sunday afternoon thoughts :

As a parent to two daughters, I am always concerned about interactions with apps.  What data do these applications actually collect, are they safe for general use, etc.

Today I thought I would look at TikTok, a popular application.

(link https://en.wikipedia.org/wiki/TikTok)

I set about this task :

  1. I setup my MacBook to share its WiFi connection to the LAN.
  2. I reset an iPad
  3. Connected to WiFi on MacBook from iPad
  4. Downloaded the TikTok application
  5. Ran packet capture during the setup of the account for TikTok

For a comparison I had one of my daughters use her iPhone/TikTok and captured that data as well.

While most of the transactions that occur with TikTok are in fact TLS, there are a couple of things when the application starts up that is not.

Do you see an issue with these?

What do you see that should be of concern?

In addition to these non-TLS packets of data, Whenever there is a a new video played, some or all of it is actually sent without TLS/SSL.

This is from 15 minutes of reviewing.  From first glance they use OpenUDID which I thought was closed down in 2015.

 

 

 

 

Tech Tip Tuesday

DNS and Firewall logs can be your friend.

Just because the domain name has the name INTEL or AMD or HP in it, doesn’t mean it truly is that firm, at least now it isn’t.

One thing I like to do is track domain names and url’s that product vendors hard coded in their products. Over the years I have purchased dozens of domain names that large companies had used to check on firmware status, update checkers, etc. When newer products come out, eventually the old domain names are not renewed.

I like the ones that were hard coded into firmware on NIC’s for example. There are a number of domains (most I don’t own, a few I do) that are still active, listening for beacons/pings from thousands of NIC’s still in use around the globe. I know, because they are beaconing to one of the domains I own.

It’s interesting to note, that most companies have ok to decent inbound security and filtering, but quite a lot of organizations actually hard code some of these domain names into their rules to explicitly allow outbound initiated comms.

I know of a few Storage Area Network (SAN) appliances from major firms that have hard coded “call home” functionality for example, going to domain names they don’t own any more.

 

So it is time to look through those logs, find out what your systems are connecting too.  Verify that it is still required, is the domain still controlled by the vendor.  What information is it sending.

 

RSA 2018 struggles

This year Lee Neely and I are bringing a very short Web Application Security class to RSA.  This should be a 2 to 3 day class, that we have condensed down to 2 hours (plus break time, so content down to 1.5 hours I think)

Our slide deck was over 100 for two days, we shrunk that to 15.

I decided that the best way people learn is hands on.

Crazy idea popped into my head (which happens a lot), and I purchased 35 used Chromebook’s. With the help of my trusty Intern Gary, we got Linux sideloaded along with 20 tools we are going to cover during class, installed and running.

We also are bringing 2 ESXi systems with some vulnerable web apps to hack against.

So this is sort of like a crash course/intro/ctf/cheat/overview class.

A few “struggles”

  1. Will the airline (United) over charge me for the Pelican 1730 with 35 Chromebook’s
  2. Will the Chromebook’s survive the air travel
  3. Will it all work when we set up at RSA
  4. Will I have room for some Bourbon in the case
  5. Are we trying to condense too much into less than 2 hours
  6. Will the attendees like the coursesize of Pelican case :

    pelican-1730-rolling-transport-hard-cases

Furniture > Security & Risk Mitigation

One of the things I really enjoy is taking part in the introductory meetings with our sales team. During these meetings I get a lot of firsthand knowledge about what firms are doing currently in securing, monitoring and remediating their infrastructure.

However, one of the most discouraging things to occur happened recently. I got to talk to a firm with over 2,500 employees/contractors spread across 10 offices in the US. This particular organization tells me they don’t have a security team per se, more like an ad-hoc group of IT personnel that also do security.

They outline that besides the ransomware that has occurred a few times in the past year, they believe they are totally secure because nothing else has happened to them, despite the fact that they have no standard policies and procedures, and their 8-year old SonicWalls have never been updated. They believe they’re secure especially since they passed their last visit by a QSA and their PCI Audit/Certification.

They see a need for a service like what Milton offers (Managed Detection and Response), but since they don’t look at their logs now anyway, and they haven’t needed to in the past, they do not think they will look at this until CY 2019 as they have a new office opening and have to do PC Upgrades and new office furniture.

Of course, if the reason they gave me was, “Oh we went with your competitor,” I would have walked away knowing that, phew, at least they understand this is needed, and they went to someone who will give them a level of MDR above what they have currently.

It certainly feels upside down when organizations prioritize Security and Risk Mitigation below  new computers and new desks.