Wednesday, March 30, 2016

Malware-Genome

            In a world of constant change, one thing is constant: more malware will be coded every day. As attackers find new vulnerabilities and new surfaces to attack, new malware will be written to exploit them, and the number of new samples seen daily will keep rising. This is a function of the growth in computers and other connected devices, combined with the criminal mind looking to exploit a situation.
            One such piece is Genome. It was first detected on January 18, 2011 and is engineered to attack Windows systems. Granted, it is over five years old; however, it has recently been noted in the wild again. Even careful users may still click on the cute kitten picture or the link in an email from a third cousin they never knew existed.
Description
            Once the user clicks the malicious link or opens the file, the Trojan begins its download. It generally reaches out over port 80 (HTTP) to get.whitesmoke.com. Once loaded, it notifies the command-and-control (C&C) server that there is a newly infected host. From then on the infected system can receive further malicious payloads and downloads, receive updates, and upload data from the infected user to the C&C. These programs and files are downloaded without the user’s consent or knowledge. As more malware is downloaded onto the system, it may process much more slowly, freeze, and eventually present the user with the infamous BSOD.
Mitigation
            Hopefully users will have enough appreciation of info sec to listen to the IT department. If the infection is on a personal system, the user should at a minimum update the AV, download the latest definitions, and then run a full system scan. This may pick up the malware.
            This sounds easy enough; however, it may be difficult to remove. What makes it a bit curious is that unless it is completely removed, it will quasi-regenerate via another download. It may also reside in the root. Another easy check is a search for two files, utdqhz5i9inix.exe and zlsrbvjm.exe; these generally indicate the user is infected with Genome. Note the limits of that check, though: the user may still be infected even if these files are not present, so their absence is not proof of a clean system. A second, independent check is on the network side, looking for outbound HTTP connections to get.whitesmoke.com in proxy or firewall logs.
            Info sec engineers can also remind users to watch for spam. Users really should not open just anything. They should also be reminded not to click on links or open attachments, especially files with the “.exe” extension.
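As an added example, and not code from the original post, the following Python sweep ties the two checks together: it walks a directory tree looking for the two file names above and scans proxy log lines for connections to get.whitesmoke.com, the C&C host named in the description. The file names and host are the post’s own indicators; the proxy log format, the sample log lines and the temporary directory layout are constructed for the example.

```python
"""Indicator sweep for the Genome Trojan described above.

Added example, not code from the original post. The two file names and the
C&C host are the indicators the post names; the proxy log format, the sample
log lines and the temporary directory layout are constructed for this example.
"""
import os
import re
import tempfile
from collections import namedtuple

# Indicators quoted in the post (lower-cased for case-insensitive matching).
GENOME_FILE_IOCS = frozenset({"utdqhz5i9inix.exe", "zlsrbvjm.exe"})
GENOME_C2_HOST = "get.whitesmoke.com"   # beacons over port 80 per the post

Hit = namedtuple("Hit", "kind detail")


def scan_files(root):
    """Walk a directory tree; return a Hit for every file whose name is an IOC.

    Matching is case-insensitive because Windows file systems are."""
    hits = []
    for dirpath, _subdirs, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in GENOME_FILE_IOCS:
                hits.append(Hit("file", os.path.join(dirpath, name)))
    return hits


# Assumed proxy log line layout (constructed for the example):
#   <timestamp> <client_ip> <dest_host>:<dest_port> <method> <url>
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>[^:\s]+):(?P<port>\d+)"
    r"\s+(?P<method>\S+)\s+(?P<url>\S+)$"
)


def scan_proxy_log(lines):
    """Return a Hit for each line whose destination is the C&C host.

    The port is reported but not required to be 80, so a beacon moved to
    another port is still caught. Malformed lines are skipped, not fatal."""
    hits = []
    for line in lines:
        match = PROXY_LINE.match(line.strip())
        if not match:
            continue
        host = match.group("host").lower()
        if host == GENOME_C2_HOST or host.endswith("." + GENOME_C2_HOST):
            hits.append(Hit("c2", "%s -> %s:%s %s" % (
                match.group("client"), host, match.group("port"),
                match.group("url"))))
    return hits


# Constructed sample log: one client beacons, one line is unrelated traffic,
# one line is junk that the parser must tolerate.
SAMPLE_PROXY_LOG = [
    "2016-03-30T09:12:01Z 10.0.0.15 get.whitesmoke.com:80 GET http://get.whitesmoke.com/update.php",
    "2016-03-30T09:12:03Z 10.0.0.15 www.example.com:443 CONNECT www.example.com:443",
    "2016-03-30T09:13:44Z 10.0.0.22 GET.WhiteSmoke.com:80 POST http://get.whitesmoke.com/report",
    "this line is not a proxy record and must be skipped",
]


def demo():
    """Create a throw-away tree containing one planted IOC file, run both
    sweeps, and return (file_hits, c2_hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        clean_dir = os.path.join(tmp, "Program Files", "Good App")
        bad_dir = os.path.join(tmp, "Users", "victim", "AppData", "Local", "Temp")
        os.makedirs(clean_dir)
        os.makedirs(bad_dir)
        open(os.path.join(clean_dir, "app.exe"), "wb").close()
        open(os.path.join(bad_dir, "UTDQHZ5I9INIX.EXE"), "wb").close()  # planted IOC
        file_hits = scan_files(tmp)
    c2_hits = scan_proxy_log(SAMPLE_PROXY_LOG)
    return file_hits, c2_hits


if __name__ == "__main__":
    # Real use: scan_files(r"C:\") from an elevated prompt, plus your proxy export.
    file_hits, c2_hits = demo()
    for hit in file_hits + c2_hits:
        print("[%s] %s" % (hit.kind, hit.detail))
    if not file_hits and not c2_hits:
        print("no Genome indicators found (absence is not proof of a clean host)")
```

On a real host, run the file sweep from an elevated prompt over the whole system drive, and feed the log function an export from the proxy or firewall after adjusting the regular expression to that product’s format. A clean result from either check is only a lack of evidence, not a clean bill of health; the AV scan the post recommends is still the primary tool.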

            This malware infection can be avoided with only a few steps and some care with certain emails. 

Human Factor

               A person or group focused on a social engineering attack generally has the benefit of experience and a keen awareness of human character.
               Social engineering attacks use many tools to mislead the target into believing the attacker’s script. The common thread in these attacks is the human factor. One attribute most of the population internalizes is to be helpful, or to provide assistance when asked. We tend to be social creatures, and if a member of the group needs assistance, another member will offer to be there.
               Recently this has been applied to rather high-profile services. A widely respected info sec author/blogger’s PayPal account was compromised. The social engineer used the general attack methodology: as the target was well known, the attacker could search general and social media for his background data. With this in hand, the attacker could call the service and assume his identity. This is clearly not optimal.
               In yet another highly publicized example, an Amazon customer was also victimized. The user had an Amazon account, like so many others. Here, however, the attacker depended on the customer service representative’s good nature and willingness to help a “customer” who seemingly needed it. The “customer” did not have the product that was purchased, did not have the last four digits of the credit card number (as it was his work credit card), really needed to get the report back to his manager, did not have access to the account, did not know the expiration date of the card, and so on. The only thing the person knew was that the card was a VISA. Statistically, a guess at the remaining detail had at least a 33% chance of being right, and given the prior conversation, the customer service representative would probably have let the “customer” keep guessing until correct.
Lessons to Apply
               This contact is yet another example of why there needs to be a better training program. It needs to consist of more than the usual presentation on the negative consequences of a successful social engineering attack. People need not be fearful of asking simple, direct questions, and if wrong or inconclusive answers are given, the conversation should go no further.
Red Flags
               There were several red flags in this exercise in mental gymnastics. First, chronologically, the “customer” wanted a refund before the product had even arrived. On its face this is exceptionally odd. As a rule of thumb, and as industry practice, the person orders the product, receives it, decides it just will not work, and asks to return it. This alone should have been a red flag.
               Regarding the credit card: the “customer” did not have it, did not have the last four digits, could not even give the last two digits, and asked the representative for the expiration date. If the “customer” could not verify the card by its last four or last two digits, how would the “customer” be able to verify it from the expiration date? He would not; this was a farce.
               At one point the “customer” said he did not have access to the account. It only takes two pieces of data, the login and the password, to access an account from a computer. A legitimate customer should clearly have known both.
Best Course
               There is a distinctly different course of action that should have been followed. The customer service representative should have used a bit of common sense rather than bending over backward to give the “customer” every opportunity to commit fraud and then helping the “customer” log in. When something starts to smell, as it did here, the representative should stop, review the situation, and ask questions.
Lessons

               Sys admins, please provide the training the staff needs. At times people get too caught up in their jobs and forget what else they are responsible for: info sec and keeping others’ data safe. If not, you may be breached and getting a call from the government agencies. 

New Year!

Each new year brings with it the opportunity to start fresh and learn from the prior year’s errors and victories. The break between the years allows for this reflection. With the upcoming year, there are a number of initiatives the corporate CTO/CISO can implement to better the business and further mitigate the risks associated with its operations.
One action item, if it has not been done already, is to hire a qualified Information Security Engineer/Architect. This should be a top priority. This person will be able to assess the enterprise, advise on what needs to be done, and begin to implement the changes.
Communicate with your staff and ensure they follow the resulting processes. Two of the more profitable attacks that gained traction over the last year were ransomware against everyday consumers, manufacturers, and hospitals, and the executive pay scam (CEO fraud). The former only requires someone at work or at home to click on an image or open a malicious file. The latter involves a multi-step social engineering process in which a staff member wires funds from the business at the false behest of a C-level executive. To mitigate the first, people need to know they don’t have to click on everything, including kitten pictures. For the second, the business can document its wire-transfer process and require that the request be verified out of band (a call back to a known number, not a reply to the email) before any funds move.
During the next year, a focus should be on training staff to better recognize social engineering attempts. The training cannot be the same mindless, boring PowerPoint presentations with graphs on slides; it needs to be engaging and interesting. The role of the training staff is not to entertain, but engagement helps with knowledge retention over time. No training will be perfect; however, every little bit helps mitigate the risk. The alternative is to become a victim of social engineering and have to manage the issues arising from it.

Here’s to a new year with a focus on securing the enterprise! 

Healthcare

The problem with healthcare and info sec is healthcare’s primary objective. Fortunately for all of us, the directive of the healthcare industry is patient care; prima facie, this is common sense. But a hospital or other facility, in fulfilling its mission, has to share data (patient records, prescriptions presently being taken, treatment plans, etc.) among multiple parties. This provides an opportunity for breaches, as the number of endpoints exposed to attack grows sharply. Instead of one person or group having access, many others require it.
The increase in the number of persons with access provides many more targets for social engineers. This increase in vulnerable endpoints lets attackers focus their work on exploiting and breaching the healthcare provider. Not-so-gentle reminders of this issue are the hospital breaches and encrypted files/servers, especially the recent example in Hollywood with the $17k ransomware payment, and the infamous OPM breach.
To mitigate this there is a simple formula, though it has been and will continue to be difficult for users to implement. The most direct strategy involves training. The standard training regimen is fully applicable, and given the data flows and number of endpoints, coupled with the entity’s liability in the event of a breach, additional training is reasonable. Staff members (nurses, nursing assistants, physicians, physician assistants, and others) need to know what to be aware of. The training should focus on spear phishing and the methods social engineers use to build rapport, so staff are aware of the modes of attack that may be used against them.

With this done, the opportunity for a successful breach would be lowered. 

Hacktivists

Social engineering attempts are not going to diminish in number any time soon. This will be a persistent threat indefinitely. In the early days (I am able to use this term as my first experience was coding in BASIC and C in the 1980’s), “hackers” would work to breach a system as a badge earned and to build credibility among peers. Attackers now view this more as a business and use social engineering for financial gain. Recently over $50M was stolen from the aircraft parts manufacturer FACC. On January 19th it was reported that Crelan Bank, a Belgian bank, has a $75.8M loss from the same type of CEO fraud scam reported on earlier. In mid-February a hospital in Hollywood paid $17K for the key to the encryption on its servers. The hospital had to stop using its electronic medical records/electronic health records (EMR/EHR) system and fall back to pen and paper because of the incident. These are not the only high-dollar incidents, only the recent ones. As long as money can be made, social engineering will continue to be operationalized as a business, which will also draw others to this nefarious line of work.
               Hacktivists may also be involved, as a method to embarrass people or agencies, or to bring facts to the forefront. Hacktivists may be of any age and skill level. In October 2015, teenage attacker(s) breached the CIA Director’s personal email. More recently, the Director of National Intelligence’s email was breached. Both breaches were a product of social engineering third parties, e.g. Verizon, rather than the directly affected person.

               One lesson to learn from this involves being vigilant, watching your accounts, and authenticating people who call you claiming to be from a business. If users continue to be lackadaisical, there will continue to be issues. Some of these lessons are expensive, and others yet more expensive.