Cyber Security Blog

SMB Security Best Practices —

Original release date: January 16, 2017 | Last revised: January 17, 2017

In response to public reporting of a potential Server Message Block (SMB) vulnerability, US-CERT is providing known best practices related to SMB. This service is universally available for Windows systems, and legacy versions of SMB protocols could allow a remote attacker to obtain sensitive information from affected systems.

US-CERT recommends that users and administrators consider:

  • disabling SMB v1 and
  • blocking all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.

US-CERT cautions users and administrators of potential issues that could be created by disabling SMB v1. For more information on SMB, review Microsoft Security Advisories 2696547 and 204279.


a web api for SEIM phishing hunts, (Tue, Jan 17th) —

Last year, over the Thanksgiving break, Justin Henderson and I worked on a tool to provide a web API interface for another tool I released last year that is used to identify randomized DNS names used by malware. Providing a web API would allow a Security Information and Event Management (SEIM) system to automatically score character frequency data from a variety of log sources. And so the web API was born. Since then it has been great to see different organizations using it and finding malware in their domain. This Thanksgiving Justin contacted me again with a new project and I was immediately intrigued.

This time Justin wanted to automatically score phishing domains based upon the "born on" date of the domain registration. Justin told me about some really great techniques that organizations can use to identify potential threats if you could query the data at the speed of SEIM. The difficulty is in processing the huge number of records that a SEIM collects without rudely overwhelming the whois servers. The system has to be quick and we need to cache the data for frequent domains. Python makes building these types of interfaces quick and easy. Justin told me what he wanted and a few hours later I sent him a working prototype. The tool is available for download and integration into your SEIM now. Download a copy here. Check out SANS SEC573 to learn how to quickly develop programs like this on your own. There are two opportunities to take the Python course from me in the near future. Come see me in London or come see me in Orlando, Florida at SANS 2017.

So what can you do with this new tool? Well, it was Justin's idea, so I'll let him tell you. Take it away Justin!

Thanks Mark. We live in a day where data is everywhere. The security community is constantly stepping up in new ways to defend and protect this data. They are constantly inventing new techniques, tools, and processes. Yet some good techniques have been lost due to lack of publication or an inability to easily apply the technique at scale.

One such technique is using WHOIS information and specifically creation dates. Many who came before me have made mention that companies typically do not perform business with new domains. I dub these "baby domains".

Running a simple whois kicks back lots of information, including a creation date. The problem: performance. Each run of whois varies greatly. In fact, in my testing it would vary between about 0.50 seconds and 10 seconds, which if run against millions or billions of domains would not be able to keep up. Then there is Mark Baggett

The number returned if using an older version of the Alexa top 1 million is the site's rank. Just remember that instead of using an old Alexa file you can also generate a custom list of most frequently accessed sites, known good sites, or even known bad sites. This can then be used to tag domains in order to skip certain checks that are more time consuming, such as WHOIS lookups, or to perform other tasks/logic.

So how would you put this all together? Where I regularly use it is by invoking it from SIEM products. For example, I take incoming DNS logs and use Logstash, a log aggregator and parser, to query it. If a DNS log matches certain query types such as an A record or MX record, then Logstash applies the following logic:

Step 1 – Does the query match an internal domain name? If yes, no additional processing is required. If no, move to step 2.

Step 2 – Pass the domain to the API using /alexa. If a result is returned, the domain matches a whitelist and no additional processing is required. If 0 is returned, it is not a well-known domain. Move to step 3.

Step 3 – Pass the domain to the API using /domain/creation_date. Store the creation date for manual analysis. (I then use a dashboard/report to display baby domains that are less than 90 days old.)
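To make the three steps concrete, here is an added example of my own (not the diary's tool or its web API) that runs the same logic locally over a few constructed BIND-style query log lines. The /alexa and /domain/creation_date calls are stood in for by two small in-memory tables (TOP_SITES and WHOIS_CREATED, both constructed), the internal zone corp.example is made up, and the registrable-domain reduction is a deliberate simplification; the WHOIS cache and the 90-day cut-off are the ideas from the text.

```python
"""Added example, not the diary's tool or its web API: the three-step
Logstash logic run locally over constructed BIND-style query log lines.
The /alexa and /domain/creation_date calls are stood in for by two small
in-memory tables so that it runs offline; the cache and the 90-day
"baby domain" cut-off follow the diary.
"""
import re
from datetime import date

INTERNAL_ZONES = ("corp.example",)                   # constructed internal zone
TOP_SITES = {"google.com": 1, "microsoft.com": 38}   # stand-in for /alexa: rank, 0 = not listed
WHOIS_CREATED = {                                    # stand-in for /domain/creation_date
    "paypa1-secure-login.com": date(2017, 1, 2),     # constructed look-alike, 15 days old
    "oldvendor.net": date(2004, 6, 15),
}
BABY_DAYS = 90
TODAY = date(2017, 1, 17)   # pinned so the ages computed below are reproducible

# BIND query-log line, e.g. "... client 10.0.0.5#51234: query: www.example.com IN A + (10.0.0.1)"
LOG_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+)")


class DomainTriage:
    def __init__(self, today=TODAY):
        self.today = today
        self._whois_cache = {}
        self.whois_lookups = 0   # backend calls actually made; shows the cache working

    @staticmethod
    def registrable(qname):
        """Collapse a query name to its registered domain. Simplified to the
        last two labels; a real deployment should use the Public Suffix List."""
        labels = qname.rstrip(".").lower().split(".")
        return ".".join(labels[-2:])

    def alexa(self, domain):
        """Step 2 lookup: whitelist rank, or 0 when the domain is not listed."""
        return TOP_SITES.get(domain, 0)

    def creation_date(self, domain):
        """Step 3 lookup, cached: creation dates never change, so one WHOIS
        call per domain is enough no matter how often the SIEM asks."""
        if domain not in self._whois_cache:
            self.whois_lookups += 1
            self._whois_cache[domain] = WHOIS_CREATED.get(domain)
        return self._whois_cache[domain]

    def triage(self, qname):
        domain = self.registrable(qname)
        if domain in INTERNAL_ZONES:                               # step 1
            return {"domain": domain, "step": 1, "verdict": "internal"}
        rank = self.alexa(domain)                                  # step 2
        if rank:
            return {"domain": domain, "step": 2, "verdict": "whitelisted", "rank": rank}
        created = self.creation_date(domain)                       # step 3
        if created is None:
            return {"domain": domain, "step": 3, "verdict": "unknown"}
        age = (self.today - created).days
        return {"domain": domain, "step": 3, "age_days": age,
                "verdict": "baby" if age < BABY_DAYS else "established"}


# Constructed sample log: one internal name, one whitelisted, one look-alike
# queried twice (MX then A), one old vendor, one SRV record that is skipped.
SAMPLE_LOG = """\
17-Jan-2017 10:02:11.123 client 10.0.0.5#51234: query: intranet.corp.example IN A + (10.0.0.1)
17-Jan-2017 10:02:12.456 client 10.0.0.5#51235: query: www.google.com IN A + (10.0.0.1)
17-Jan-2017 10:02:13.789 client 10.0.0.9#51236: query: paypa1-secure-login.com IN MX + (10.0.0.1)
17-Jan-2017 10:02:14.000 client 10.0.0.9#51237: query: mail.paypa1-secure-login.com IN A + (10.0.0.1)
17-Jan-2017 10:02:15.000 client 10.0.0.7#51238: query: oldvendor.net IN A + (10.0.0.1)
17-Jan-2017 10:02:16.000 client 10.0.0.7#51239: query: _ldap._tcp.corp.example IN SRV + (10.0.0.1)
"""


def hunt(log_text, triage=None):
    """Run the three steps over A/MX queries. Returns (sorted list of
    (client, domain, age_days) for baby domains, number of WHOIS calls made)."""
    triage = triage or DomainTriage()
    babies = set()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("qtype") not in ("A", "MX"):
            continue
        result = triage.triage(m.group("qname"))
        if result["verdict"] == "baby":
            babies.add((m.group("client"), result["domain"], result["age_days"]))
    return sorted(babies), triage.whois_lookups


if __name__ == "__main__":
    found, calls = hunt(SAMPLE_LOG)
    for client, domain, age in found:
        print(f"{client} talked to baby domain {domain} ({age} days old)")
    print(f"WHOIS backend called {calls} time(s)")
```

The ordering matters for the same reason Justin gives: the cheap checks (internal zone, whitelist) run first, and only the leftovers reach the slow, cached WHOIS step, which is what keeps the per-record cost bounded at SIEM volumes.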

The ultimate deliverable is a list of baby domains being accessed and knowing which systems are possibly engaging them. This could provide early detection of emails coming in from phishing domains or end users accessing phishing websites. When combined with other techniques such as fuzzy phishing, catching phishing domains becomes much more likely and quite frankly a lot more fun.

A big shout out to Mark Baggett for his awesome Python scripting skills that enabled this. While written in Python, it has proven through repetitive testing to outperform other solutions. I encourage everyone to consider using it for WHOIS queries (such as for creation dates) or for its whitelisting capabilities.

Follow Justin Henderson @securitymapper

Follow Mark Baggett @MarkBaggett

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.


Italian siblings arrested for cyberattack —

Italian police have arrested a nuclear engineer, Giulio Occhionero, 45, and his sister, Francesca Maria Occhionero, 49, for hacking into 18,000 high-profile email accounts, including that of the former Prime Minister.

Authorities suspect that the siblings may have ties to the Freemasons, because the malware used in the hack was called "Eye Pyramid," believed to be a reference to the all-seeing eye of God, or Eye of Providence, a symbol typically associated with Freemasonry. The name of the software may also have been a play on his own surname: Occhionero means "black eye" in Italian.

The widespread cyber-attack compromised communications of prominent Italian institutions and individuals, including two former Prime Ministers, Vatican cardinals, bank executives and other high-profile targets, which prosecutors claim was used to conduct insider trading. Mario Draghi, the president of the European Central Bank, was also among the targeted individuals, as was former Prime Minister Matteo Renzi, who resigned in December last year after losing a constitutional reform referendum.

The attackers, who have dual residencies in London and Rome, are accused of spearphishing attacks using malware to gain access to victims' email accounts, of illegally accessing classified information, and of breaching and intercepting information technology systems and data communications since 2012. The siblings were most recently living in Italy.

Vatican officials have not yet commented on the attack, and it is as yet unknown to what extent sensitive Vatican information may have been compromised.

There are indications the malware campaign may have been running from as early as 2008. In total, just under 1800 passwords were allegedly captured by the Occhionero siblings, who exfiltrated around 87 gigabytes of data to servers in the United States.

Mr Occhionero, who had strong links to the Masonic movement, allegedly developed software that infected email accounts, enabling him to access the information. Several of the compromised accounts belonged to Mason members.

Whether or not there are ties to the Masons, cyber security experts believe it is highly unlikely that the sibling pair acted alone.

The illegally accessed information was stored on servers in the United States, leading to an ongoing investigation with the assistance of the FBI's cyber division. The stolen data has been seized by Italian police and the FBI.

Italian police believe the siblings used the stolen confidential information to make investments through a firm operated by Mr Occhionero, a nuclear engineer by profession.

Supreme Court issues notice to WhatsApp and Facebook over privacy policy —

The Supreme Court of India has issued notices to the central government, the Telecom Regulatory Authority of India (TRAI), WhatsApp, and Facebook over a plea seeking privacy of user data.

The petition was filed by two law students against WhatsApp's proposal to start sharing some of its user data with its parent company, Facebook.

The Delhi High Court had earlier denied the petition and refused to interfere with the matter. However, the Apex court has directed the companies to reply to the notices within two weeks.

“What is disturbing here is you want to continue using this private service and at the same time want to protect your privacy… You can choose not avail of it [WhatsApp], you walk out of it,” Chief Justice of India J.S. Khehar said.

According to the petitioner, there are 157 million users on WhatsApp and Facebook.

It is not only in India that Facebook and WhatsApp are facing privacy questions; the European Union has also raised questions about Facebook's privacy policy.

Last month the European Union Commissioner, Margrethe Vestager, had said that "Facebook was misleading it about WhatsApp. Companies are obliged to give the Commission accurate information during merger investigations… In this specific case, the Commission's preliminary view is that Facebook gave us incorrect or misleading information during the investigation into its acquisition of WhatsApp. Facebook now has the opportunity to respond."


Who’s winning the cyber war? The squirrels, of course —

Beware its furry cyber-wrath. (credit: Washington State)

WASHINGTON, DC—For years, the government and security experts have warned of the looming threat of “cyberwar” against critical infrastructure in the US and elsewhere. Predictions of cyber attacks wreaking havoc on power grids, financial systems, and other fundamental parts of nations’ fabric have been foretold repeatedly over the past two decades, and each round has become more dire. The US Department of Energy declared in its Quadrennial Energy Review, just released this month, that the electrical grid in the US “faces imminent danger from a cyber attack.”

So far, however, the damage done by cyber attacks, both real (Stuxnet’s destruction of Iranian uranium enrichment centrifuges and a few brief power outages alleged to have been caused by Russian hackers using BlackEnergy malware) and imagined or exaggerated (the Iranian “attack” on a broken flood control dam in Rye, New York), cannot begin to measure up to an even more significant cyber-threat—squirrels.

That was the message delivered at the Shmoocon security conference on Friday by Cris “SpaceRogue” Thomas, former member of the L0pht Heavy Industries hacking collective and now a security researcher at Tenable. In his presentation—entitled, “35 Years of Cyberwar: The Squirrels Are Winning”—SpaceRogue revealed the scale of the squirrelly threat to worldwide critical infrastructure by presenting data gathered by CyberSquirrel 1, a project that gathers information on animal-induced infrastructure outages collected from sources on the Internet.


ISC Stormcast For Tuesday, January 17th 2017, (Mon, Jan 16th) —


Whitelisting File Extensions in Apache, (Sun, Jan 15th) —

Last week, Xavier published a great diary about the dangers of leaving behind backup files on your web server. There are a few different ways to avoid these issues, and as usual, defense in depth applies: one should consider multiple controls to prevent these files from hurting you. Many approaches blacklist specific extensions, but as always with blacklists, it is dangerous as it may miss some files. For example, different editors use different extensions to mark backup files, and Emacs (yes… I am an Emacs fan) may not only leave a backup file by appending a ~ at the end, but may also leave a second file with a # prefix and postfix if you abort the editor.

For all these reasons, it is nice if you can actually whitelist the extensions that are required for your application.

As a first step, enumerate what file extensions are in use on your site (I am assuming that /srv/www/html is the document root):

find /srv/www/html -type f | sort | sed 's/.*\.//' | sort | uniq -c | sort -n
     19 html~
     20 css
     20 pdf
     23 js
     50 gif
     93 html
    737 png
   3012 jpg

As you see in the abbreviated output above, most of the extensions are what you would expect from a normal web server. We also got a few Emacs backup HTML files (html~).

We will set up a simple text file, goodext.txt, with a list of all allowed extensions. This file will then help us create the Apache configuration, and we can use it for other configuration files as well (does anybody know how to do this well in mod_security?). The output of the command above can be used to get us started, but of course, we have to remove extensions we don't want to see.

find . -type f | sort | sed 's/.*\.//' | sort -u > ~/goodext.txt

Next, lets run a script to delete all the files that do not match these extensions. I posted a script that I have used in the past on GitHub.

The script does use the goodext.txt file we created above. The first couple of lines can be used to configure it. Of course, run it in debug mode first, to see what files will be deleted, and make a backup of your site first!

Next, we create an Apache configuration file. Currently, the script only works for Apache 2.2. Apache 2.4 changed the syntax somewhat, and I need to test if the order of the directives needs to change. Include it as part of the Directory section of the configuration file:

Order allow,deny
Allow from all
Include www.goodext

(I don't name the extension file .conf so it will not be included automatically but only in this one specific spot).
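As an added example of my own (not the diary's GitHub scripts), the same two steps in Python: read goodext.txt, emit an Apache 2.2 include file that denies every filename not ending in a listed extension, and list the files under the document root that would be deleted, without deleting anything. It assumes goodext.txt holds one extension per line, as the sort -u pipeline above produces, and that FilesMatch accepts a PCRE negative lookahead; the sample site tree and extension list inside demo() are constructed.

```python
"""Added example, not the diary's GitHub scripts: build the Apache 2.2
FilesMatch whitelist from goodext.txt and list the files under the document
root that fall outside it (the "debug mode" view: nothing is deleted).

Assumptions: goodext.txt holds one extension per line, as the sort -u
pipeline above produces, and FilesMatch accepts PCRE, so a negative
lookahead can express "deny every filename not ending in a listed extension".
"""
import os
import re
import shutil
import tempfile

# Only plain extensions are accepted, so no regex metacharacter can leak
# into the generated config (the whitelist idea applied to the list itself).
SAFE_EXT = re.compile(r"^[A-Za-z0-9_~-]+$")


def load_extensions(path):
    """Return (sorted allowed extensions, rejected lines) from goodext.txt."""
    allowed, rejected = set(), []
    with open(path) as fh:
        for raw in fh:
            ext = raw.strip()
            if not ext:
                continue
            if SAFE_EXT.match(ext):
                allowed.add(ext)
            else:
                rejected.append(ext)
    return sorted(allowed), rejected


def apache22_conf(exts, source="goodext.txt"):
    """Text of the include file: deny any request for a filename that does
    not end in an allowed extension (Apache 2.2 Order/Deny syntax)."""
    if not exts:
        raise ValueError("empty whitelist would deny every file; refusing")
    alternation = "|".join(exts)
    return (
        f"# generated from {source}; Include this from the <Directory> block\n"
        f'<FilesMatch "^(?!.*\\.({alternation})$)">\n'
        "    Order allow,deny\n"
        "    Deny from all\n"
        "</FilesMatch>\n"
    )


def unlisted_files(docroot, exts):
    """Paths under docroot (relative) whose extension is not whitelisted:
    editor backups such as index.html~, .bak copies, extension-less files."""
    pattern = re.compile(r"\.(" + "|".join(exts) + r")$")
    hits = []
    for dirpath, _dirs, filenames in os.walk(docroot):
        for name in filenames:
            if not pattern.search(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), docroot))
    return sorted(hits)


# Constructed site tree and extension list used by demo(); html~ is left
# out of the list on purpose, and ".*" shows a stray regex being rejected.
SAMPLE_FILES = ["index.html", "index.html~", "css/site.css",
                "img/logo.png", ".htpasswd.bak", "README"]
SAMPLE_GOODEXT = "html\ncss\npng\n\n.*\n"


def demo():
    """Build the sample tree in a temp dir, run both steps, clean up."""
    root = tempfile.mkdtemp()
    try:
        docroot = os.path.join(root, "html")
        for rel in SAMPLE_FILES:
            path = os.path.join(docroot, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        goodext = os.path.join(root, "goodext.txt")
        with open(goodext, "w") as fh:
            fh.write(SAMPLE_GOODEXT)
        exts, rejected = load_extensions(goodext)
        return {"exts": exts, "rejected": rejected,
                "conf": apache22_conf(exts),
                "unlisted": unlisted_files(docroot, exts)}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    out = demo()
    print(out["conf"])
    print("would delete:", *out["unlisted"])
```

Note that extension-less files (README in the sample) and dotfiles such as .htpasswd.bak are reported too: a whitelist by extension has no opinion about them, which is exactly why the deletion step must be reviewed in debug mode before it runs for real.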

The two, rather simple, bash scripts to delete the bad files and then create the Apache configuration files, can be found here:

Why use a script for this vs. just editing the files manually?

  1. typos
  2. faster if you have multiple servers
  3. there are two kinds of sysadmins: those that script, and those that will be replaced by a script.

Note that the scripts are strictly in the "works for me" state. Any bug reports and comments are welcome (use GitHub for bugs).

Johannes B. Ullrich, Ph.D.


Trump appoints a cybersecurity adviser whose own website is a mess —

President-elect Donald Trump has nominated former New York mayor Rudolph W. Giuliani as an informal adviser on cybersecurity.

According to the Presidential transition office,  Trump’s transition team will include Giuliani as a cyber security adviser.

“This is a rapidly evolving field both as to intrusions and solutions and it is critically important to get timely information from all sources,” the transition team said in a statement.

“Mr. Giuliani was asked to initiate this process because of his long and very successful government career in law enforcement and his now sixteen years of work providing security solutions in the private sector,” the statement continued.

Giuliani, the CEO of his own cybersecurity consulting firm Giuliani Partners, will assist in finding solutions to cyber security issues and will help the government tackle them.

As soon as he was selected as a cyber security adviser, people started visiting his website "" and found that the site has no cyber security itself and is very vulnerable to attacks.

The website runs on an old version of Joomla, which is a free, open-source content management system (CMS). It also uses an outdated version of the scripting language PHP, uses an expired SSL certificate, runs on a 10-year-old version of the FreeBSD server OS, and even fails to follow other basic security practices.

A security researcher at Errata Security, Robert Graham said that Giuliani did not build the site himself; instead he “contracted with some generic web designer to put up a simple page with just some basic content.”

“There’s nothing on Giuliani’s server worth hacking. The drama over his security, while an amazing joke, is actually meaningless,” Graham said in a blog post. “All this tells us is that Verio/ is a crappy hosting provider, not that Giuliani has done anything wrong.”


WhatsApp’s encrypted messages can be vulnerable to MITM attacks —

This week, an article by The Guardian reported that WhatsApp's encrypted messages are vulnerable to hacks. The encryption keys in the social messenger leave users wide open to man-in-the-middle attacks, enabling third parties to tap their communications.

Last spring, Whatsapp announced that every message on its service is delivered with end-to-end encryption which means not even Whatsapp can tell what’s inside.

In the MITM attack, if an attacker gains access to a WhatsApp server, he could forcibly reset the keys used to encrypt messages and install himself as a relay point, intercepting any future messages sent between the parties. The recipient of the message would not be alerted to the change in keys, and the sender will only be alerted if they’ve opted into the app’s “Show security notifications” setting.

The underlying weakness has to do with alerts rather than cryptography. Although they share the same underlying encryption, the Signal app by Open Whisper Systems isn’t vulnerable to the same attack. If the Signal client detects a new key, it will block the message rather than risk sending it insecurely.

WhatsApp will send that message anyway. Since the key alert isn’t on by default, most users would have no idea.

WhatsApp's encryption is based on the Signal Protocol (also used for encrypted messaging in Google's Allo): each client is identified by a public key that is shared with other people, and a private key kept on the device. Because people change phones or uninstall and reinstall apps, the pair of keys can change. Users can ensure their communication is secure by checking the security code displayed on each end; if it matches, they can be sure their messages are not subject to a MITM attack by a third party.

The attack cannot be exploited by many criminals because it requires server access, but an unusually skilled attacker, or a court order compelling WhatsApp to break its own security, still could.

The messenger was quick to push back against the allegation, saying that "WhatsApp does not give governments a 'backdoor' into its systems and would fight any government request to create a backdoor." The WhatsApp team and people who helped design the implementation defended the design decision, saying that it isn't putting users at risk.

The bug reported in the article had long been known to security professionals, and there’s no evidence WhatsApp ever tried to conceal it. The persistence of the weakness shows how hard it is to balance security with the demands of everyday users.

The flaw has been described as a “security back door” by The Guardian and privacy campaigners but more sober voices have described it as a minor bug and criticised the media outlet for going over the top. A number of security professionals have chimed in to agree, including Frederic Jacobs, who helped design the protocol being used.

The vulnerabilities in key handling were first discovered by German computer scientist Tobias Boelter in April 2016. In his blog, Boelter blamed the bug on the use of closed-source software, rather than a deliberately inserted back door.

The Guardian raised the urgency of this flaw by pointing to the UK's recently passed Investigatory Powers Bill, which gives the government significant new legal powers for aggressive data collection. But it would be very hard to use this vulnerability for mass surveillance. A successful attack would allow WhatsApp servers to break a given conversation's encryption, but to provide data en masse to the government, the servers would have to perform that attack continuously on every conversation in the UK, sending out a cascade of pings to anyone with security notifications enabled.

If WhatsApp were to leverage this bug to fulfil lawful access demands, the company would have to implement the attack continually on every user in the country, which would be extremely noisy and extremely visible. The end result wouldn’t be much different from shipping an update and announcing that the service is no longer encrypted.

For users, the most responsible thing to do seems to be to turn on notifications and check your security codes regularly.


Shmoocon 2017: A Simple Tool For Reverse Engineering RF —

Anyone can hack a radio, but that doesn’t mean it’s easy: there’s a lot of mechanics that go into formatting a signal before you can decode the ones and zeros.

At his Shmoocon talk, [Paul Clark] introduced a great new tool for RF Reverse Engineering. It’s called WaveConverter, and it is possibly the single most interesting tool we’ve seen in radio in a long time.
