Wednesday, July 27, 2016

Operationalized Breaches

Attackers have become more business-oriented: the focus has moved from street credibility to financial gain. This is very evident in breaches where the attackers sell patient data, encrypt the enterprise with ransomware, or otherwise extort money from the victim. One area hit especially hard has been the medical field. Holding both medical patient information and personally identifiable information (PII), it was a likely target.

To avoid these issues in your enterprise, medical or otherwise, there are several actions to take. One is to review the network for where confidential data is located. This is not only employee information, but also proprietary data on business assets and patients, along with their credit card numbers. These locations should be examined periodically, along with the logs of who accessed them. Access should be limited to the appropriate parties, applying the principle of least privilege.
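Reviewing the network for where confidential data sits is easier with a scanner that can tell a real card number from any other 16-digit string. The following is an added example, not code from the original post: a hypothetical scanner that takes file contents (here a constructed dict standing in for a scanned share) and reports which paths hold Luhn-valid payment card numbers or US SSNs. The sample paths and numbers are made up; the card numbers are the usual vendor test numbers.

```python
"""Find where confidential data sits: card numbers and SSNs in file contents."""
from __future__ import annotations
import re

# Candidate payment card numbers: 13 to 19 digits, optionally split by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in ddd-dd-dddd form, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(number: str) -> bool:
    """Luhn mod-10 check on a digits-only string; weeds out order IDs and the like."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list[str]:
    """Return Luhn-valid card numbers (digits only) found in the text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list[str]:
    return SSN_RE.findall(text)


def scan_files(files: dict[str, str]) -> dict[str, dict[str, int]]:
    """files maps a path to its content; returns counts only for paths that hold PII."""
    report = {}
    for path, content in files.items():
        cards, ssns = find_cards(content), find_ssns(content)
        if cards or ssns:
            report[path] = {"cards": len(cards), "ssns": len(ssns)}
    return report


# Constructed sample share (hypothetical paths); the card numbers are vendor test numbers.
SAMPLE_FILES = {
    "billing/2016-q2.csv": "patient,card\nDoe,4111 1111 1111 1111\nRoe,5500-0000-0000-0004\n",
    "hr/onboarding.txt": "New hire SSN 123-45-6789, start date 2016-07-01.\n",
    "eng/orders.log": "order 1234567890123456 shipped\n",   # 16 digits but fails Luhn
}

if __name__ == "__main__":
    for path, counts in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {counts}")
```

Run it against real shares by replacing SAMPLE_FILES with the output of a directory walk; the report tells you which locations to pull into the periodic access review. The Luhn check matters: without it, the orders log above would be reported as holding a card number.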

Any business has vendor contracts. When the renewal periods come along, if it is not already included, the contracts should require that the vendor comply with your data security and incident response policy, or provide their own policy for your review and acceptance. Your enterprise is only as strong and robust as its weakest link. If that link is an external partner and you have no idea of their security posture or their stance on reporting breaches, there may be an issue for you in the future.

             


Miel, LLC Infosec Managed Services & Consulting


810-701-5511

charlesparkerii@gmail.com

It is not about winning or losing, but reorienting yourself to the real problem-managing the risk across the enterprise.

MedStar Health: Ransomware

Ransomware is well known in our environment. It has been used in its various forms to encrypt critical data and hold it hostage. As noted several times, a particular target has been the medical field. The outcomes have been mixed, with some businesses paying the ransom and others not.

One such firm that did not pay was MedStar Health. On a Sunday evening in March 2016, the infection was found at one of three offsite locations. As time was of the essence, a mid-level director was the point of contact and made the difficult decision, which was also per protocol, to shut down the electronic medical records system, affecting more than 370 systems. At that point operations slowed to a snail's pace: patient care, monitoring of biomedical equipment, and many other pertinent services were affected.

There are a number of lessons to be learned that apply not only to the medical field, but to most others. Given the users, equipment, and operations affected, the decision had to be made quickly; time was very much of the essence. Waiting, or paralysis by analysis, would only have made the circumstances worse and cost the business more, both financially and operationally.

Every business should expect to be attacked at some point. Accepting this allows the planning and preparation to take place well before any issue. It reduces ambiguity and allows defense in depth to be applied.

The staff and the organization should be able to operate without the current level of technology. In the case of a verified attack, the system may have to be shut down and operations done low-tech, and the staff needs to be able to work effectively in that environment. For instance, when the electronic medical records/electronic health records (EMR/EHR) system is not operable, the staff would need to work from printed "face sheets" or patient files showing the treatments, pharmaceuticals, the patient's photo, etc.

Lastly, the subject matter experts in your organization need to understand the problem, but they also need to be able to explain the situation to others. Knowing the information is fantastic; however, the person needs to be able to express it to the people who have to act on it.





Passwords: Robust or Not

The single area that continues to contribute to breaches and other incidents (e.g. ransomware) is the users. The easiest attack via this avenue has been phishing. The general format is an email from the employee's "friend" or someone in "management" on various topics, including asking the person to click on a cat picture or a link.
Another form of attack involves passwords. These are intended to protect and secure access to the application. To make a potential breach more difficult to achieve, one method is to have the users make their passwords more robust. Although this is a grand plan, the policy is not always followed. Lists are published annually showing the most commonly used passwords, and they show the feeble passwords presently in use. Recently there have been many high-profile instances of this, and most have resulted in significant losses to the entity, both financial and in confidence. A less detrimental case was Facebook CEO Mark Zuckerberg's social media accounts being breached due to a weak, reused password (dadada); of all people, this was substantially surprising. Breaches with vast liability attached to users' password malfeasance are far more common. For instance, two large recent breaches were the Anthem breach, arising from several employees' credentials being stolen, and the infamous Office of Personnel Management (OPM) breach, from a contractor's credentials. Earlier notable breaches were the Evernote incident, with 50M credentials, and Adobe's, with over 38M credentials compromised.
Passwords need to be robust and deliberately crafted. This includes a length of at least 12 characters, a varied composition (upper and lower case, digits, and symbols), and the avoidance of patterns that could be picked up after a brief look (e.g. a person walking by and glancing at the screen should not be able to take the password away with them).
Users need training, or at least a meeting, to internalize a better appreciation of the process and of what could happen with a poorly chosen password.
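The rules above (12 or more characters, varied composition, no glanceable patterns, not on the published "most used" lists) are easy to state and easy to enforce at the point where a password is set. The following is an added example, not code from the original post: a hypothetical checker that returns every rule a candidate password breaks. The common-password set is a small constructed stand-in for the real annual lists; the pattern checks cover repeated characters, ascending or descending runs (abcd, 4321) and keyboard walks (qwerty, asdf).

```python
"""Password robustness check: length, variety, no known-weak passwords, no glanceable patterns."""
from __future__ import annotations
import re
import string

MIN_LENGTH = 12
# Constructed stand-in for the annually published "most used passwords" lists.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "123456789", "football",
    "letmein", "welcome", "admin", "dadada", "password1", "iloveyou",
}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` adjacent characters step by exactly +1 or -1 (abcd, 9876)."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def has_keyboard_walk(pw: str, run: int = 4) -> bool:
    """True if `run` characters in a row follow a keyboard row forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            frag = row[i:i + run]
            if frag in low or frag[::-1] in low:
                return True
    return False


def check_password(pw: str) -> list[str]:
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])
    if classes < 3:
        problems.append("fewer than three character classes")
    low = pw.lower()
    # A weak password padded with a year or a symbol is still a weak password.
    if any(weak in low for weak in COMMON_PASSWORDS if len(weak) >= 6):
        problems.append("contains a commonly used password")
    if re.search(r"(.)\1\1", pw):
        problems.append("a character repeated three or more times in a row")
    if has_sequence(pw):
        problems.append("sequential run (abcd / 1234 style)")
    if has_keyboard_walk(pw):
        problems.append("keyboard walk (qwerty style)")
    return problems


if __name__ == "__main__":
    for candidate in ("dadada", "Password2016", "Qwerty123456!", "Correct-Horse7Battery!"):
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

Note that "Password2016" satisfies the length and character-class rules and is still rejected, which is the point of checking against the published lists rather than composition alone. In production, replace COMMON_PASSWORDS with the full list (or a breached-password set) and keep the pattern checks; they catch what the list cannot enumerate.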



Phishing for All


Phishing continues to be a common attack against nearly all industries. From the attacker's view, it is a very economical way to attack: in a very short amount of time, a vast number of these emails can be sent. For the campaign to turn a net profit, only a few people or businesses need to click or follow the ill-fated email's instructions. This is especially the case with ransomware. One recent and rather expensive example was the FACC attack, in which an email appeared to come from the CEO; the cost to the company was $54M.
Although users have received training, have read the news about phishing attacks, and have a general sense of what a phishing email looks like, the attacks still succeed. Continued employee training helps with this, and it should take the form of a series. In that mode, the staff member sees the training (e.g. by email, conference call, or other means) several times, and each session jogs the memory of the earlier ones. Normally the staff member sees it once a year and forgets its applicability within a few hours.
There are several points to cover. The training should address reviewing the email or other communication more than once prior to clicking; the second or third look allows the additional time for an error in the email to be noticed, or for just enough suspicion to arise. The target can also contact the sender out of band (not by replying) to verify the person actually sent the email, think before sending confidential information over unencrypted email, minimize the amount of private information shared on social media, and disable macros in attached documents.

With these points passed on to the users, the opportunity for an oversight is lowered.
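The same checks the training asks a user to make (does the sender really belong to the company, where will a reply actually go, is there pressure to act now, is there a macro-enabled document attached) can be made by a script before the mail reaches the inbox. The following is an added example, not code from the original post: a hypothetical first-pass triage over raw messages using Python's standard email parser. The organisation domain, the two constructed messages and the flag wording are assumptions for the demonstration.

```python
"""First-pass triage of an email for the phishing signs discussed above."""
from __future__ import annotations
import email
import re
from email import policy

ORG_DOMAIN = "example-corp.com"   # assumed: the organisation's own mail domain
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm")
EXEC_TITLE = re.compile(r"\b(ceo|cfo|coo|president|director)\b", re.I)
PRESSURE = re.compile(r"\b(urgent|immediately|today|wire|confidential|do not discuss)\b", re.I)


def first_address(msg, header: str) -> tuple[str, str]:
    """(display name, lower-cased domain) of the first address in a header, or empty strings."""
    value = msg[header]
    if value is None or not value.addresses:
        return "", ""
    addr = value.addresses[0]
    return addr.display_name, addr.domain.lower()


def phishing_indicators(raw_message: str) -> list[str]:
    """Return human-readable reasons the message looks like phishing (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    # 1. Someone claiming an executive title from a domain that is not ours.
    name, from_domain = first_address(msg, "From")
    if from_domain != ORG_DOMAIN and EXEC_TITLE.search(name):
        flags.append(f"executive title in display name but sender domain is {from_domain}")

    # 2. Reply-To silently redirects the conversation somewhere else.
    _, reply_domain = first_address(msg, "Reply-To")
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Urgency and secrecy language in subject or body.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    words = sorted({w.lower() for w in PRESSURE.findall(msg.get("Subject", "") + " " + body)})
    if len(words) >= 2:
        flags.append("pressure language: " + ", ".join(words))

    # 4. Macro-enabled Office attachments.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(MACRO_EXTENSIONS):
            flags.append(f"macro-enabled attachment {filename}")
    return flags


# Constructed messages; addresses and domains are made up.
SUSPICIOUS = """\
From: CEO Jane Doe <jane.doe@example-corp.co>
To: payables@example-corp.com
Reply-To: jane.doe@mail-forward.example.net
Subject: URGENT wire needed today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please process the attached invoice immediately and do not discuss it with anyone. This is confidential.
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

LEGITIMATE = """\
From: Jane Doe <jane.doe@example-corp.com>
To: payables@example-corp.com
Subject: Q3 budget review
Content-Type: text/plain; charset="us-ascii"

Agenda for Thursday's budget meeting is attached to the calendar invite.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, phishing_indicators(raw) or ["no indicators"])
```

None of these signals is proof on its own; the value is in the combination, and in showing the user the reasons so the second look the training asks for is an informed one.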



Data Analytics + Security = Better Solution

The internet is widely used by consumers and businesses across the planet. Although it allows near-instant access to a plethora of knowledge, both good and bad, there are still issues.
To lessen and mitigate these issues, data analytics has become more involved. The implementation started approximately 10 years ago. At that time, with the technology new and many people not yet using it, most email was spam. Over time, the application of analytics has brought down the number of spam emails that appear in your inbox; now these are mostly routed to the Spam folder, as they should be. This has been accomplished with the email filter, which was designed to analyze the emails and move the spam away from the inbox.
Big data has also been used with antivirus (AV) to identify malware through heuristics. Other uses have been to review insider actions and access for insider threats, to monitor the transactions on your bank account and decide whether each is legitimate or a potential theft, to monitor email accounts at the enterprise level for phishing activity, and to identify advanced persistent threats (APTs).
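The analytics inside a spam filter are a good place to see what "applying analytics" actually means. The following is an added example, not code from the original post or from any vendor's filter: a multinomial naive Bayes classifier, the textbook spam-filter technique, trained on a constructed eight-message corpus. It shows the mechanics (token counting, Laplace smoothing so unseen words do not zero out a score, log-probability scoring) rather than real-world accuracy, which needs a corpus thousands of times larger.

```python
"""Multinomial naive Bayes, the classic analytics behind an email spam filter."""
from __future__ import annotations
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9]+")


def tokenize(text: str) -> list[str]:
    return TOKEN.findall(text.lower())


class NaiveBayes:
    def __init__(self, alpha: float = 1.0):
        self.alpha = alpha             # Laplace smoothing so unseen words do not zero the score
        self.doc_counts = Counter()    # label -> number of training messages
        self.word_counts = {}          # label -> Counter of tokens
        self.token_totals = Counter()  # label -> total tokens seen
        self.vocab = set()

    def train(self, samples) -> None:
        for text, label in samples:
            self.doc_counts[label] += 1
            counts = self.word_counts.setdefault(label, Counter())
            for tok in tokenize(text):
                counts[tok] += 1
                self.token_totals[label] += 1
                self.vocab.add(tok)

    def log_posteriors(self, text: str) -> dict[str, float]:
        """Unnormalised log P(label | text) for each label."""
        n_docs = sum(self.doc_counts.values())
        v = len(self.vocab)
        tokens = tokenize(text)
        scores = {}
        for label, n in self.doc_counts.items():
            lp = math.log(n / n_docs)                       # class prior
            denom = self.token_totals[label] + self.alpha * v
            for tok in tokens:                              # smoothed likelihood per token
                lp += math.log((self.word_counts[label][tok] + self.alpha) / denom)
            scores[label] = lp
        return scores

    def classify(self, text: str) -> str:
        scores = self.log_posteriors(text)
        return max(scores, key=scores.get)

    def spam_probability(self, text: str) -> float:
        s = self.log_posteriors(text)
        return 1.0 / (1.0 + math.exp(s["ham"] - s["spam"]))


# Constructed training corpus, far smaller than anything a real filter learns from.
TRAINING_SET = [
    ("Congratulations! You won a free prize, click here now to claim", "spam"),
    ("Cheap meds online, buy now, limited time offer, click here", "spam"),
    ("Your account has been suspended, verify your password now at this link", "spam"),
    ("Make money fast from home, free signup, act now", "spam"),
    ("Please review the attached budget spreadsheet before Thursday's meeting", "ham"),
    ("Lunch tomorrow? Let me know what time works for you", "ham"),
    ("The quarterly security report is attached for your review", "ham"),
    ("Reminder: the team meeting has moved to conference room B", "ham"),
]

FILTER = NaiveBayes()
FILTER.train(TRAINING_SET)

if __name__ == "__main__":
    for text in ("Free money! Click now to claim your prize",
                 "Can we move the meeting to Thursday? Report attached"):
        print(f"{FILTER.spam_probability(text):.3f}  {FILTER.classify(text):4}  {text}")
```

The same scoring structure, with different features (sender reputation, URL age, attachment type) instead of words, is what the phishing and fraud-detection uses mentioned above build on.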
            The coupling of these two has proved to be a benefit for all involved.



Monday, July 25, 2016

In-Flight Wi Fi: Still Not a Good Idea

The travel season is in full swing as the U.S. is in the middle of the summer months. People are travelling to use their vacation time, visit family and friends, and decompress. The destinations are near and far, and for those travelling an extended distance, flying is the likely choice. While on the plane, to pass the time or get a bit of work done, the passenger may connect to the in-flight Wi-Fi with their phone, laptop, or tablet.

This is usually free, which would incline someone to believe it is a good thing. Unfortunately, it is not. The in-flight Wi-Fi is not secure: it is an open network, so another person on the flight can capture what a passenger sends to or receives from the internet, at least any traffic not already protected by TLS. This is a public Wi-Fi service, much like the open Wi-Fi at the local coffee shop. The airline's focus is to safely move their passengers from point A to point B; the free Wi-Fi is only an ancillary service provided as a courtesy. The terms and conditions state that the Wi-Fi is an open hotspot, and by accepting the terms and conditions the passenger is also accepting the risk. Although agreed to with a quick click, most passengers don't read this.

An easy mitigation is to use a virtual private network (VPN), started before anything else is done on the connection. It encrypts all of the device's traffic between it and the VPN endpoint, so the other passengers on the open network see only ciphertext.


Saturday, July 23, 2016

Mitsubishi - BOHICA


Mitsubishi Oversight: Continued Security Flaws
As time passes, vehicles continue to become more connected. This provides an increasing number of endpoints and communication channels, and with them vulnerabilities, for attackers to analyze and probe.
As consumers continue to enjoy connected vehicles, the demand for functions continues to grow, and the automakers have responded by continuing to add them, but at a cost. Features are added at such a pace that security is only half-considered or pushed aside so the project is not held back. This has become enough of an issue that federal authorities have told the automakers to implement security faster and to a greater extent.
Timing
With the years of experience with connected vehicles, the increased pressure from the various federal authorities, and the engineering hours spent, one would expect the number of issues to decrease. Unfortunately this has not been the case. With the model year 2017 Outlander PHEV (plug-in hybrid electric vehicle), Mitsubishi elected to alter the usual hardware configuration. The resulting oversight was noted by a researcher, who inferred that Mitsubishi was initially not interested in the security flaw that had shipped in their production vehicles. After it was reported to the BBC, Mitsubishi became interested in the topic.
Vehicle
The only vehicle tested was the Mitsubishi 2017 Outlander PHEV. This model is sold in Australia and the UK. Generally a manufacturer uses the accepted methods for communication to and from the vehicle, over the cellular network (which may include SMS) to a server that the owner's app talks to. Mitsubishi, however, decided it would be better to give the vehicle its own Wi-Fi access point that the owner's phone connects to directly. This was a new communication channel.
Attack
There were several issues with the access point being placed in the vehicle. The access point itself is easy to spot (its SSID follows a recognizable fixed format), and although the preshared key is different per vehicle, it is printed in the owner's manual and is short enough to be cracked offline. Once on the car's Wi-Fi, the attacker can speak the app's protocol to the vehicle, and from there the on-board diagnostics port (OBD-II), the attack surface that has received so much focus, becomes reachable. At a minimum, the attack allows the heating and A/C to be turned on (draining the battery), the alarm system to be turned off, the car to be tracked, and the car to be unlocked (and subsequently stolen or vandalized).
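Why a preshared key printed in a manual is "easily crackable" comes down to arithmetic. WPA2 derives the pairwise master key from the passphrase and SSID with PBKDF2-HMAC-SHA1 at 4096 rounds, and once an attacker has captured a single four-way handshake, every guess can be checked offline against it. The following is an added example, not code from the original post or from the researchers: a hypothetical script that derives the PMK exactly as 802.11i specifies, estimates how long an exhaustive search takes for several passphrase policies at an assumed guessing rate (a stand-in for a GPU rig of the time), and runs a tiny brute force end to end. The SSID, the demo passphrase and the rate are assumptions; real WPA2 passphrases are 8 to 63 characters, and the 3-digit demo only keeps the run short.

```python
"""WPA2-PSK key derivation and the size of the key space an attacker must search."""
from __future__ import annotations
import hashlib
import itertools
import string


def wpa2_pmk(passphrase: str, ssid: str) -> str:
    """802.11i pairwise master key: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


def keyspace(length: int, alphabet_size: int) -> int:
    return alphabet_size ** length


def worst_case_days(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Time to exhaust the key space at the given rate, in days."""
    return keyspace(length, alphabet_size) / guesses_per_second / 86400


def crack_psk(target_pmk: str, ssid: str, alphabet: str, length: int) -> str | None:
    """Offline brute force: recompute the PMK per candidate until it matches; None if not found."""
    for candidate in itertools.product(alphabet, repeat=length):
        passphrase = "".join(candidate)
        if wpa2_pmk(passphrase, ssid) == target_pmk:
            return passphrase
    return None


if __name__ == "__main__":
    rate = 400_000   # assumed guesses per second for a multi-GPU rig; adjust to taste
    print(f"{'PSK policy':20}  {'key space':>14}  worst case at {rate}/s")
    for label, length, alphabet in (("8 digits", 8, 10), ("8 lower-case", 8, 26),
                                    ("10 lower-case", 10, 26), ("12 mixed+digits", 12, 62),
                                    ("16 printable", 16, 95)):
        print(f"{label:20}  {keyspace(length, alphabet):14.3g}  "
              f"{worst_case_days(length, alphabet, rate):12.3g} days")
    ssid = "REMOTE-demo"   # made-up SSID
    pmk = wpa2_pmk("042", ssid)   # demo key far below the 8-character minimum, for a quick run
    print("demo 3-digit PSK recovered:", crack_psk(pmk, ssid, string.digits, 3))
```

The table is the practical lesson: an 8-digit key falls in minutes at that rate, an 8-letter one in days, while 12 mixed characters are out of reach. The fix for a vehicle is not a longer number in the manual but not exposing the car on an open radio channel in the first place.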

These are the attacks presently documented. The next step is to explore the OBD-II port itself, where a number of further vulnerabilities may be found.

Friday, July 8, 2016

Another Lenovo Security Issue...


Within the last year there have been approximately five problematic issues with a certain laptop manufacturer's units. Lenovo has had its security lapses over time, some more well-known than others. One of the latest, in November 2015, was a problem in Lenovo System Update (formerly ThinkVantage System Update), the tool that updates drivers and the BIOS when needed. That issue was found by IOActive. It has not been the last issue Lenovo has encountered.
Newest Security Issue
Along comes June 2016 and a new opportunity for errors. A new security issue was discovered by Dmytro Oleksiuk, aka Cr4sh. This time the oversight is in the BIOS (the UEFI firmware). It is not a short-term issue: it appears from the ThinkPad X220 through the T450. Lenovo has not been exceptionally happy that this occurred and that it was reported on social media; it shows yet another massive hole in security. The issue is titled Lenovo Security Advisory LEN-8324 and is commonly known as ThinkPwn. The vulnerability was confirmed in early July 2016 by Alex James.
Issue
The vulnerability allows an attacker who already has local administrator (kernel-level) access to execute arbitrary code in System Management Mode (SMM), the most privileged execution mode on the processor. Code running there can in effect act as a rootkit and disable security features: it can turn off the flash write protection (so the firmware itself can be overwritten) and Secure Boot. It would also allow the attacker to bypass the Virtual Secure Mode (VSM) found in Windows 10.
The intent is also in question. The vulnerability could have been a simple coding error, though that seems unlikely, as it would have had to go unnoticed through code review (static and dynamic analysis) and any other QA processes. The alternative is that it was intentionally coded as a backdoor to be used later in a malicious manner. That would, unfortunately, make more sense.
How did this happen?
Lenovo accepts no responsibility for this intentional or unintentional coding error on its equipment. Operationally, Lenovo outsources BIOS development. One of its third-party independent BIOS vendors (IBVs), Insyde Software, built the BIOS by copying Intel reference code into its own code base. Using Intel's reference code as a starting point is common practice.
To distance itself from the issue and the potential liability and costs, Lenovo is attempting to deflect responsibility to the IBV and Intel, and noted the chain of events in its security advisory. Granted, the bug originated with the IBV; however, Lenovo sold the equipment and earned a gross and net profit on each unit. Given its track record, Lenovo should perhaps have monitored its vendors more closely.
Info Sec Researcher
Lenovo also notes in the security advisory that it is not pleased with the security researcher who found the oversight. The researcher, Cr4sh, allegedly did not work with Lenovo on a timeline to resolve the issue. This may or may not be the case; it is only one side of the story, and at times manufacturer security teams have their own extended timelines that do not fit the criticality of the issue.

Resources
Constantin, L. (2015, November 15). Lenovo patches serious vulnerabilities in PC system update tool. Retrieved from http://www.pcworld.com/article/3008865/security/lenovo-patches-serious-vulnerabitliies-in-pc-system-update-tool.htm
Constantin, L. (2016, July 5). Lenovo ThinkPwn UEFI exploit also affects products from other vendors. Retrieved from http://www.computerworld.com/article/3091750
Hill, B. (2016, July 4). Lenovo rocked by critical BIOS vulnerability, fingers point to shoddy Intel reference code. Retrieved from http://hothardware.com/news/lenovo-rocked-by-critical-bios-vulnerability
Kopitiambot. (2016, July 5). Critical BIOS vulnerability found in Lenovo PCs; may affect other manufacturers too. Retrieved from https://kopitiambot.com/2016/07.05/critical-bios-vulnerability-found-in-lenovo-pcs-may-affect-other-manufacturers-too/
Lenovo. (2016, June 30). System Management Mode (SMM) BIOS vulnerability. Retrieved from https://support.lenovo.com/us/en/solutions/len-8324
Veal, N. (2016, July 4). Yet another security flaw found in Lenovo PCs. Retrieved from http://mspoweruser.com/yet-another-security-flaw-found-in-lenovo-pcs/