Archive for the ‘Security and Compliance’ category

TSB upgrade – what lessons are there to learn?.

May 5th, 2018

By now most of us have heard about the catastrophic attempt by the Spanish-owned TSB to introduce a new IT platform for their UK customers.
As my first mortgage was with the TSB many years ago, and I was also in the U.K. when the story broke I took a little more interest.

TSB, (Trustee Savings Bank), merged with and was spun out of Lloyds Bank after the EU ruled that it was a monopoly, because of the state aid it had received at the time of the banking crisis. TSB used Lloyds IT at a cost of about £220 million a year, but later moved to the Proteo platform, also used by its new owners, Sabadell. The Proteo system design goes back to 2000 and was specifically for mergers, and was used for successful integration of the four Spanish banks.

Proteo is based on Accenture’s Cobol-based Alnova system, and is customized, installed and managed by TSBs staff and runs on Amazon Cloud.

At the launch of Proteo4UK, Paul Pester, CEO of TSB, boasted that they had “created a more digital, agile and flexible TSB”. Carlos Abarca, the CIO, agreed, “It’s the technology journey that we are on together with our customers!” Similar ‘digital transformation’ good news messages from cloud providers are all too familiar.

This was to be “customer-centric by design” platform to “enable the open banking revolution”.

Well there was a revolution alright – from the locking nearly two million banking customers out of their accounts for up to ten days.

This was over a month-end, when businesses rely more heavily on access to their accounts.

TSB turned to IBM, to help get the system under control and “to help identify and resolve performance issues in the platform”. This included customers : experiencing zero balances, incorrect currencies, massively inflated mortgage amounts, and e-mails saying that there are no records of recent direct debits. IBank customers puzzled over on-screen messages, such as: ‘BeanCreationNotAllowedException exception: Error creating bean with name ‘contextManagerPostController’: Singleton bean creation not allowed while the singletons of this factory are in destruction (Do not request a bean from a BeanFactory in a destroy method implementation!)’

Customers who tried to make transfers got errors like: ‘ArrayIndexOutofBounds’ and java.lang.NullPointer and some Branches reported the systems spewing out error messages in Spanish. When I travelled back form U.K. early May, problems with internet banking wee still being reported by customers.

Instead of saving TSB over £100 million a year, this has greatly reduced public confidence in the bank but also in other banks and other financial services on the cloud generally. TSB are likely to be fined by the Financial Conduct Authority (FCA) and the Information Commissioner’s Office (ICO), which is the last thing they need to get things sorted – the loss in reputation alone is huge.

Supporters of Peter Pester believe he is being scapegoated for tech disaster:
• Allies said he has been ‘betrayed’ by a ‘bunch of Spanish numpties’
• Software that caused the problems was installed by Sabadell’s technology offshoot, Sabis
• Regulators could put TSB under a Section 166 probe – a formal investigation by an independent expert

What are the lessons?
Well, the first is not to claim success until the job is done. ( A damning report on the Guardian website suggests there were plenty of warning signs, up to a year before this all happened. Quoting an anonymous insider, the report explains how a mixture of poor technical and business decisions led to the eventual crises TSB finds itself in today.)

Which leads to the second lesson- bearers of bad news may have appoint to consider and is a hint at least the challenge needs more attention.

It seems Sabadell, the company that bought TSB, was warned about the high risk of its migration plans, which were seen by some as having too short a deadline and not big enough a budget. But Sabadell was not to be discouraged, and it pressed ahead with its plans, confident that it could successfully transfer TSB customers to its own Proteo software, as it had done with other customers in the past.

If you are doing some thing big and complicated consider the worst case and what that means for: insurance, contingency plans, contractual and legal protection, (so far none of the original contractors on the TSB redesign and upgrade have acknowledged any culpability) and PR mitigation:

PR week called it the flop of the month …….. and recipe for reputational disaster. Pester is well respected in the industry, but took too long to accept responsibility, was too quick to assume the problem was over, and too slow to appease customers. Easy to say from an armchair in Dubai but why do corporate leaders fail to heed the lessons of the past and to recognise the potential for disaster and that that when disaster arrives the only way to avoid reputational damage is to offer maximum compensation and care and to call in reinforcements asap.
Sabis is understood to have given TSB a written assurance that the parts of the system for which they were responsible had been comprehensively tested- maybe TSB needed to be more involved in those tests.

How good is your password? Can it withstand an attack every 39 seconds?

April 27th, 2018

A Clark School study at the University of Maryland found a near-constant rate of hacker attacks of computers with Internet access—every 39 seconds on average—and non-secure usernames and passwords give attackers more chance of success.

“Brute force” hackers, use simple software-aided techniques to randomly attack large numbers of computers.The vast majority of attacks came from relatively unsophisticated hackers using “dictionary scripts,” a type of software that runs through lists of common usernames and passwords attempting to break into a computer.

Top usernames in the hackers’ scripts were “test,” “guest,” “info,” “adm,” “mysql,” “user,” “administrator” and “oracle’ so avoid use of these. The most common password-guessing ploy is to re-enter or to try variations of the username. Some 43 percent of all password-guessing attempts simply reentered the username. The username followed by “123″ was the second most-tried choice.

A password should never be identical or even related to its associated username.

The hackers’ most common sequence of actions is to check the accessed computer’s software configuration, change the password, check the hardware and/or software configuration again, download a file, install the downloaded program, and then run it.

http://www.eng.umd.edu/html/news/news_story.php?id=1881

Total meltdown – patch now and revisit patches mnay are bugged

April 27th, 2018

A person known as XPN, whose blog lists identifies as a hacker and infosec researcher, posted details of a working exploit that takes advantage of Total Meltdown on Monday. The source code for Total Meltdown, a vulnerability created when Microsoft tried to patch the initial Meltdown flaw, is available on GitHub.

XPN describes Total Meltdown as a “pretty awesome” vulnerability in that it allows “any process to access and modify page table entries.”

XPN also noted that the goal was to create an exploit that could “elevate privileges during an assessment,” but it was only to help other people understand the exploitation technique, not to create a read-to-use attack.

Total Meltdown was originally created from a botched patch Microsoft issued for the original Meltdown flaw–of the Spectre/Meltdown vulnerabilities reported earlier.

Whereas the original Meltdown flaw was read-only, Total Meltdown also provides write access. This only affects 64-bit versions of Win7 and Server 2008 R2.

See the Woody on Windows column in Computerworld, https://www.computerworld.com/article/3269003/microsoft-windows/heads-up-total-meltdown-exploit-code-now-available-on-github.
There have been a series of flawed patches and its not pretty reading so take tiem to check out the article in full.

To tell if you’re protected from Total Meltdown, you’ll have to check your patch history. If you have no patches from 2018, you should be good, according to Woody on Windows. If you do have patches, KB 4100480, 4093108, or 4093118 installed, you should also be protected. Without those, Woody on Windows noted, you’ll need to rollback your machine, manually install KB 4093108, or use “Windows Update to install all of the checked April Windows patches.”

However there is lot more cautionary advice to read.

Drupal CMS critical bug

April 2nd, 2018

The team behind the popular open-source CMS Drupal is urging admins to update their sites to ward off a nasty bug that could leave their sites “highly compromised” to attackers, according to the organization.

The effected versions (Drupal i 6, 7 and 8) of the CMS power over one million websites on the internet.

Drupal has marked the security risk as “highly critical” and warns that any visitor to the site could theoretically hack it through remote code execution due to a missing input validation.

“This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,”

“Meltdown” and “Spectre and azure.”

February 10th, 2018

Last month as reported on this blog, Intel revealed two critical vulnerabilities they found in Intel chips. These vulnerabilities allow cyber-attackers to steal data from the memory of running apps. This data can include passwords, emails, photos, or documents. Intel dubbed these as: “Meltdown” and “Spectre.”

Microsoft released a patch for Azure the very next day. Just as well because Microsoft Azure is a shared-computing environment by default. One server hosts applications and development of applications, and various Virtual Machines tap into the server to allow employees to and others to access these applications. As such, the Meltdown vulnerability allows an attacker to compromise the host and read all the data from every operating system tapping into it. Around 3-10 million physical servers host Azure, and these servers in turn host tens of millions of Virtual Machines. So impressively Microsoft developed deployed a patch for these vulnerabilities in less than a week’s time. Azure is a cloud-based application and so Microsoft could focus their security team to work on the cloud servers and only the cloud servers. This way, these millions of servers and users had a patch and all applications hosted on the Azure cloud-platform were immediately protected.

A good business case example for business to move to Azure cloud services.

Malware developers are still out there. German antivirus testing firm AV-Test reported 139 samples of malware trying to attack the Meltdown vulnerability in January to exploit those who have not patched.

Microsoft patched their cloud servers, but non-Azure users (as well as all Windows users, period) still need to apply their operating system patches to ensure complete protection. This is one vulnerability you definitely don’t want cyber-attackers to exploit, whether it’s your personal computer or your business’s server.

Cyber attacks doubled in 2017 – expect 2018 to be worse.

January 27th, 2018

Cyber attacks on businesses nearly doubled in the past year. A new report, the Cyber Incident & Breach Trends Report, released by the Online Trust Alliance (OTA) found 156,700 cyber incidents last year, compared to 82,000 in 2016. The OTA is a Internet Society initiative designed to improve online trust.

The organization believes that since a majority of cybersecurity attacks are never reported, the number of cyber incidents last year could actually be closer to 350,000. “Surprising no one, 2017 marked another ‘worst year ever’ in data breaches and cyber incidents around the world,” said Jeff Wilbur, director of the OTA initiative at the Internet Society. “This year’s big increase in cyberattacks can be attributed to the skyrocketing instances of ransomware and the bold new methods of criminals using this attack.”

The OTA claimed that most of the incidents could have been prevented easily – 93 percent of breaches could have been avoided by regularly updating software, blocking fake emails, and training people to recognize phishing attacks.

52 % of security incidents were the result of an actual attack.
15 % resulted from a lack of security software,
11 % were caused by credit card skimming,
11% resulted from companies not having controls to prevent employees’ negligent or malicious actions,
8 % were the result of phishing scams.

Electron is a node.js, V8, and Chromium framework created for the development of cross-platform desktop apps with JavaScript, HTML, and CSS, The Electron framework is popular and widely used by a range of desktop app services. Skype, Signal, Slack, Shopify, and Surf are among the users, A critical vulnerability affecting Electron desktop apps has recently been disclosed.

Regular patching has always been a best practice and neglecting it is a known cause of many breaches.

In 2017 the Equifax breach brought home that message

In 2018 a patching strategy needs to be integral to your processes because of the Spectre and Meltdown vulnerabilities reported (see our earlier posts) when it was highlighted that nearly every computer chip manufactured in the last 20 years was found to contain fundamental security flaws.

Meltdown and Spectre – why do these matter?

January 6th, 2018

One of the most basic premises of computer security is isolation: When you run somebody else’s code as an untrusted process on your machine, then you restrict it to its own tightly sealed test environment. Otherwise, it might peer into other processes, or snoop around the computer as a whole. A security flaw in computers’ most deep-seated hardware puts a crack in those walls, as one newly discovered vulnerability in millions of processors has done, it breaks some of the most fundamental protections computers promise—and sends practically the entire industry scrambling.

A bug in Intel chips allows low-privilege processes to access memory in the computer’s kernel, the machine’s most privileged inner sanctum. Theoretical attacks that exploit that bug, based on quirks in features Intel has implemented for faster processing, could allow malicious software to spy deeply into other processes and data on the target computer or smartphone. On multi-

Meltdown affects Intel processors, and works by breaking through the barrier that prevents applications from accessing arbitrary locations in kernel memory. Segregating and protecting memory spaces prevents applications from accidentally interfering with one another’s data, or malicious software from being able to see and modify it at will. Meltdown makes this fundamental process fundamentally unreliable.

Spectre affects Intel, AMD, and ARM processors, broadening its reach to include mobile phones, embedded devices, and pretty much anything with a chip in it. Which, of course, is everything from thermostats to baby monitors now.

It works differently from Meltdown; Spectre essentially tricks applications into accidentally disclosing information that would normally be inaccessible, safe inside their protected memory area. This is a trickier one to pull off, but because it’s based on an established practice in multiple chip architectures, it’s going to be even trickier to fix.
user machines, like the servers run by Google Cloud Services or Amazon Web Services, they could allow hackers to break out of one user’s process, and instead snoop on other processes running on the same shared server.

It’s not a physical problem with the CPUs themselves, or a plain software bug you might find in an application like Word or Chrome. It’s in between, at the level of the processors’ “architectures,” the way all the millions of transistors and logic units work together to carry out instructions.

In modern architectures, there are inviolable spaces where data passes through in raw, unencrypted form, such as inside the kernel, the most central software unit in the architecture, or in system memory carefully set aside from other applications. This data has powerful protections to prevent it from being interfered with or even observed by other processes and applications.

Because Meltdown and Spectre are flaws at the architecture level, it doesn’t matter whether a computer or device is running Windows, OS X, Android, or something else — all software platforms are equally vulnerable. A huge variety of devices, from laptops to smartphones to servers, are therefore theoretically affected. The assumption going forward should be that any untested device should be considered vulnerable.

Not only that, but Meltdown in particular could conceivably be applied to and across cloud platforms, where huge numbers of networked computers routinely share and transfer data among thousands or millions of users and instances.

The one crumb of comfort is that the attack is easiest to perform by code being run by the machine itself — it’s not easy to pull this off remotely. So there’s that, at least.

On Wednesday evening, a large team of researchers at Google’s Project Zero, universities including the Graz University of Technology, the University of Pennsylvania, the University of Adelaide in Australia, and security companies including Cyberus and Rambus together released the full details of two attacks based on that flaw, which they call Meltdown and Spectre.

“These hardware bugs allow programs to steal data which [is] currently processed on the computer,” reads a description of the attacks on a website the researchers created. “While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs.”

Both attacks are based on the same general principle, Meltdown allows malicious programs to gain access to higher-privileged parts of a computer’s memory, while Spectre steals data from the memory of other applications running on a machine. And while the researchers say that Meltdown is limited to Intel chips, they say that they’ve verified Spectre attacks on AMD and ARM processors, as well. With these glitches, if there’s any way an attacker can execute code on a machine, then it can’t be contained.

Meltdown and Spectre

https://twitter.com/brainsmoke/status/948561799875502080

When processors perform speculative execution, they don’t fully segregate processes that are meant to be low-privilege and untrusted from the highest-privilege memory in the computer’s kernel. That means a hacker can trick the processor into allowing unprivileged code to peek into the kernel’s memory with speculative execution.

he processor basically runs too far ahead, executing instructions that it should not execute. .

Retrieving any data from that privileged peeking isn’t simple, since once the processor stops its speculative execution and jumps back to the fork in its instructions, it throws out the results. But before it does, it stores those in its cache, a collection of temporary memory allotted to the processor to give it quick access to recent data. By carefully crafting requests to the processor and seeing how fast it responds, a hacker’s code could figure out whether the requested data is in the cache or not. And with a series of speculative execution and cache probes, he or she can start to assemble parts of the computer’s high privilege memory, including even sensitive personal information or passwords.

Many security researchers who spotted signs of developers working to fix that bug had speculated that the Intel flaw merely allowed hackers to defeat a security protection known as Kernel Address Space Layout Randomization, which makes it far more difficult for hackers to find the location of the kernel in memory before they use other tricks to attack it, but the bug is more serious: It allows malicious code to not only locate the kernel in memory, but steal that memory’s contents, too.

Tough Fix

In a statement responding to the Meltdown and Spectre research, Intel noted that “these exploits do not have the potential to corrupt, modify, or delete data,” though they do have the ability to spy on privileged data. The statement also argued that “many types of computing devices—with many different vendors’ processors and operating systems—are susceptible to these exploits,” mentioning ARM and AMD processors as well.

Microsoft, which relies heavily on Intel processors in its computers, says that it has updates forthcoming to address the problem. “We’re aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers,” the company said in a statement. “We are in the process of deploying mitigations to cloud services and are releasing security updates today to protect Windows customers against vulnerabilities affecting supported hardware chips from AMD, ARM, and Intel. We have not received any information to indicate that these vulnerabilities had been used to attack our customers.”

Linux developers have already released a fix, apparently based on a paper recommending deep changes to operating systems known as KAISER, released earlier this year by researchers at the Graz University of Technology.

Apple released a statement Thursday confirming that “all Mac systems and iOS devices are affected,” though the Apple Watch is not. “Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown,” the company said. “In the coming days we plan to release mitigations in Safari to help defend against Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.”

Amazon, which offers cloud services on shared server setups, says that it will take steps to resolve the issue soon as well. “This is a vulnerability that has existed for more than 20 years in modern processor architectures like Intel, AMD, and ARM across servers, desktops, and mobile devices,” the company said in a statement. “All but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected. The remaining ones will be completed in the next several hours.”

Google, which offers similar cloud services, pointed WIRED to a chart of Meltdown and Spectre’s effects on its services, which states that the security issue has been resolved in all of the company’s infrastructure.

Those operating system patches that fix the Intel flaw may come at a performance cost: Better isolating the kernel memory from unprivileged memory could create a significant slowdowns for certain processes.

According to an analysis by the Register, which was also the first to report on the Intel flaw, those delays could be as much as 30 percent in some cases, although some processes and newer processors are likely to experience less significant slowdowns. Intel, for its part, wrote in its statement that “performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”

Until the patches for Meltdown and Spectre roll out more widely, it’s not clear just what the speed cost of neutering those attacks may turn out to be. But even if the updates result in a performance hit, it is a worthwhile safeguard: Better to put the brakes on your processor, perhaps, than allow it to spill your computer’s most sensitive secrets.

Spectre, is not likely to be fully fixed any time soon. The fact is that the practice that leads to this attack being possible is so hard-wired into processors that the researchers couldn’t find any way to totally avoid it. They list a few suggestions, but conclude:

While the stop-gap countermeasures may help limit practical exploits in the short term, there is currently no way to know whether a particular code construction is, or is not, safe across today’s processors – much less future designs.

Critical Server Patches for Meltdown and Spectre – processor bugs

January 5th, 2018

There is a set of critical bugs in our processors. There are two issues, known as Meltdown and Spectre.

If you haven’t been paying attention, a serious security flaw in nearly every processor made in the last ten years was recently discovered. Initially it was thought to be just Intel, but it appears it’s everyone. The severe design flaw in microprocessors allows sensitive data, such as passwords and crypto-keys, to be stolen from memory is real – and its details have been revealed.
On a shared system, such as a public cloud server, it is possible, depending on the configuration, for software in a guest virtual machine to drill down into the host machine’s physical memory and steal data from other customers’ virtual machines.

This is so serious CERT recommends throwing away your CPU and buying a non-vulnerable one to truly fix the issue.

https://www.kb.cert.org/vuls/id/584653

There are two bugs which are known as Meltdown and Spectre. The Register has a great summarized writeup here – no need for me to regurgitate. This is a hardware issue – nothing short of new chips will eradicate it. That said, pretty much everyone who has written an OS, hypervisor, or software has (or will have) patches to hopefully eliminate this flaw. This blog post covers physical, virtualized, and cloud-based deployments of Windows, Linux, and SQL Server.

The fact every vendor is dealing with this swiftly is a good thing. The problem? Performance will most likely be impacted. No one knows the extent, especially with SQL Server workloads. You’re going to have to test and reset any expectations/performance SLAs. You’ll need new baselines and benchmarks. There is some irony here that it seems virtualized workloads will most likely take the biggest hit versus ones on physical deployments. Time will tell – no one knows yet.

What do you need to do? Don’t dawdle or bury your head in the sand thinking you don’t need to do anything and you are safe. If you have deployed anything in the past 10 – 15 years, it probably needs to be patched. Period. PATCH ALL THE THINGS! However, keep in mind that besides this massive scope, there’s pretty much a guarantee – even on Linux – you will have downtime associated with patching.
Information that you might want to review and decide how to patch your systems.

SQL Server Versions Affected

This is a hardware issue, so every system is affected SQL Server running on x86 and x64 .for these versions:

SQL Server 2008
SQL Server 2008R2
SQL Server 2012
SQL Server 2014
SQL Server 2016
SQL Server 2017
Azure SQL Database

It is likely that SQL Server 2005, SQL Server 2000, SQL Server 7, SQL Server 6.5 are all affected. No SQL Server patches are coming.

Note: according to Microsoft, IA64 systems are not believed to be affected.

SQL Server Patches

There is a KB that discusses the attacks. Here are the patches as of this time:

SQL Server 2017 CU3
SQL Server 2017 GDR
SQL Server 2016 SP1 CU7
SQL Server 2016 SP1 GDR
.
OS Patches

The Window KB for guidance is 4072698. Here are the OS patches that I’ve been able to find.

Windows Server (Server Core) v 1709 – KB4056892
Windows Server 2016 – KB4056890
Windwos Server 2012 R2 – KB4056898
Windows Server 2012 – N/A
Windows Server 2008 R2 – KB4056897
Windows Server 2008 – N/A
Red Hat v.7.3 – Kernel Side-Channel Attacks CVE-2017-5754, 5753, 5715
SUSE Linux – 7022512
Ubuntu – N/A

VMWare has a security advisory (VMSA-2018-0002) and patches. They have released:

ESXi 6.5
ESXi 6.0
ESXi 5.5 (partial patch)
Workstation 12.x – Upgrade to 12.5.8
Fusion 8.x – Updated to 8.5.9

When to PATCH – Immediately

If you have SQL Server 2017 or SQL Server 2016 running, then patches are available.

SQL Server (Windows) VM in your data center – Patch host OS or isolate SQL Server back on physical hardware. Check Windows OS for microcode changes.

SQL Server (Windows) on bare metal or VM, not isolated from application code on the same machine, or using untrusted code – Apply OS patches, SQL Server patches, enable microcode changes.

SQL Server Linux – Apply Linux OS patches, Linux SQL Server patches, check with Linux vendor

Note that when untrusted SQL Server extensibility mechanisms are mentioned, they mean:

SQL CLR
R and Python packages running through sp_external_script, or standalone R/ML Learning Studio on a machine
SQL Agent running ActiveX scripts
Non-MS OLEDB providers in linked servers
Non-MS XPs

There are mitigations in the SQL Server KB.

When You Can Patch Later

If you have SQL Server 2008, 2008 R2, 2012, 2014 you’ll have to wait on SQL Server patches. They aren’t out yet. However, there are other situations that remove an immediate need for patching.

When You Don’t Need to Patch
If you are on AWS, they’ve patched their systems, except for EC2 VMS. Those need patches from you. AWS Statement

Azure is patched according to KB4073235. Guidance in ADV180002 says .This does not include VMs that don’t get automatic updates. You need to patch those manually.

Apple – If you’re running High Sierra, Sierra, or El Capitan, it looks like Apple took care of this back in December of 2017.

Browsers

Chrome – It looks like Google is going to release a patch for Chrome later in January. See this link for more information.
Firefox – Version 57 or later has the proper fixes. See this blog for more information, so patch away!
Edge and Internet Explorer – Microsoft has a blog post . It looks like the January security update (KB4056890) takes care of that. So if you’re using either of these browsers, please update your OSes as soon as possible.

Details On the Exploits

Descriptions of the exploit, if you want to dig down and understand.

https://meltdownattack.com/

The Register
Ars Technia
cyber.wtf researcher blog

U.A.E. VAT registration time is running out……..

December 17th, 2017

Companies in the UAE that have not got their tax registration number (TRN) yet will have to procure it within the next 14 days.

Companies who have not completed their VAT registration within the dates prescribed by the Federal Tax Authority (FTA) will have to pay a fine worth Dh20,000 and also stop sales until they get the TRN or tax registration certificate (TRC).

Data security – how secure should we be?

December 9th, 2017

The back story to this is that a British politician (Damian Green) is presently in hot water for allegedly accessing porn on his gov PC. U.K> politician https://twitter.com/NadineDorries recently tweeted :

Nadine Dorries
✔ @NadineDorries

My staff log onto my computer on my desk with my login everyday. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Greens desk was accessed and therefore it was Green is utterly preposterous !!

10:03 PM – Dec 2, 2017 “

So Nadine is implying it could have been someone else on his PC using his identity.

So should politicians share passwords? What are the problems with doing so? So what about your own staff?
Well it seems the practice is widespread -read here for example: https://www.troyhunt.com/the-trouble-with-politicians-sharing-passwords/?utm_source=DBW&utm_medium=pubemail

It’s an interesting read, and certainly points out that the expediency for users to share a workload but it has plenty of downsides in accountability and auditing of actions.

I see little excuse for sharing security credentials in UK government – there are other solutions to handle this issue.

I am more sympathetic in real time environments, like hospitals, where the login process might literally cause a death in the event of a delay.

Authentication aside we often share data among individuals inside of an organization. Outside of sysadmins, not be many people really understand or consider who should have access, let alone who does have access, to some data.

Over time organizations tend to lean towards allowing an ever-growing number of people having access to data in file shares. Knowledge gives power to take decisions- functional silos are out ….but segmentation of duty, compliance, are the other side of the argument. In these days of self serve internet access and social connectedness people expect access to information.

While we might prevent database access and grant/revoke this at times, the output from our systems also often ends up in Excel sheets or other files, fg hard copy print out, and people that do not have direct access still see the data.

People may leave data lying around on desks or tacked to a wall or on printer, or just on screen in an open plan office to be viewed by passers by. Many do not log off or shutdown their pcs at night. Why? They have never been trained or told to do so, and there is no management oversight to enforce it.
The trend to BYOD means data leaves your premises and then you have no control over it. Removable usb devices, 0r just uploads to one drive or emails to a hotmail account are all possible holes in your security defences.

Credentials on a post-it stuck only your monitor? Server rooms that are not locked?

It’s not just your co-workers, but also janitorial staff, tradespeople, and others likely wander regularly through your office spaces.

Security is a tough battle, and most of the time we don’t need much more than good passwords. Most people don’t have the time or inclination to deal with their own data, much less yours. However, when an attack is targeted on your organization, from outside or within, it’s extremely difficult to ensure your data won’t get lost or corrupted.

There is no magic bullet. There are good reasons to limit access to data on our systems, not the least of which is auditing and accountability. Beyond that, inculcate users to exercise judgment about with whom they may share or to whom they expose reports and other data.

Data breaches and what it means for a Middle East Board of Directors

December 6th, 2017

The new wave of cyber-attacks does appear to be unstoppable. With the increase in data breaches across the world, the UAE holds the world’s highest increase in breaches. Data breaches in the region have risen by 20% from $4.12m in 2016 to $4.94m in 2017, according to a report by Ponemon Institute.

The Middle East also has the highest spend on data breach response, roughly costing $1.43m per organisation.
Early this year, approximately 15 government agencies and private institutions in the Kingdom of Saudi Arabia were attacked by the Shamoon virus. This was followed by a tidal wave of Wannacry and Petya ransomware attacks.

An IDC research states that organisations are expected to spend $101.6 billion by 2020 on security-related hardware, software, and services. Additionally, Gartner states that by 2018, 10% of all enterprise organisations will have adopted deception technologies into their security solutions. A board of directors must engage in a continuing balancing act between the cost of information security and potential risks.

Although information security is essential to corporate compliance with existing laws and regulations, directors are often required to focus less on ensuring “best security” in favour of “good enough” security. The lack of a clear definition of “best security” is largely responsible for this thinking.

What was previously viewed as good enough, will not keep up with the advanced or insider threats of today.

• Important messages that CISOs should communicate to their boards about the importance of focusing on information security:

Information security is now required, and disclosure is no longer solely at a company’s discretion. Between existing laws, insurance mandates, industry regulations, and shareholder demands, robust information security is now a corporate requirement.

• Information security is a significant corporate risk. It is nearly impossible to conduct any facet of a business today without a computer. As a result, the information that resides in an enterprise’s networks is the lifeblood of the business and if not protected, could result in financial damages and negative impact on the company’s brand. This makes information security a critical business issue. Any security strategy that does not include an adaptive security plan with in-network detection to detect attacks that have bypassed prevention solutions will result in a network breach sooner or later, if it hasn’t occurred already.

Some obvious things to consider:
- Policies, procedures, and awareness – Protection via data classification, password strengths, code reviews and usage policies
- Perimeter – Protection via firewalls, denial of service prevention, and message parsing and validation
- Internal network – Protection via transport layer security, such as encryption, and user identification and authentication
- Host/OS – Protection through OS patches and desktop malware
- Application – Protection through protocols such as single sign on (SSO) and identity propagation
- Data – Protection through database security (online storage and back up), content security, information rights management, message level security.

Do your systems still cater for the digital world of a mobile workforce with smart phones, BYOD social media, low cost, high capacity flash drives, and any time, anywhere connections?.

Data breach

December 5th, 2017

We have been asked to assist several companies targeted by ransomware ad phishing attacks in the last year.

The moments after you have experienced a breach are of the utmost importance and can significantly impact your organization and the effectiveness of an investigation.

How prepared is your information technology (IT) department or administrator to handle security incidents?
According to the Computer Security Institute, over 20% of organizations have reported
experiencing a computer intrusion, and common sense says that many more intrusions have
gone unreported. No matter how much detail you know about the network environment, the risk of being attacked remains.

Any sensible security strategy must include details on how to respond to different types of attacks. Many organizations learn how to respond to security incidents only after suffering attacks. By this time, incidents often become much more costly than needed. Proper incident response should be an integral part of your overall security policy and risk mitigation strategy.

There are clearly direct benefits in responding to security incidents. However, there might also be indirect financial benefits. For example, your insurance company might offer discounts if you can demonstrate that your organization is able to quickly and cost-effectively handle attacks. Or, if you are a service provider, a formal incident response plan might help win business, because it shows that you take seriously the process of good information security.

If you suspect a computer systems intrusion or breach, then Immediately Contain and Limit the Exposure – Stop the breach from spreading.
• Do NOT access or alter compromised systems (e.g., do not log on or change passwords).
• Do NOT turn off the compromised machine. Instead, isolate compromised systems from the network (e.g., unplug the network cable). If for some reason it is necessary to power off the machine, unplug the power source.
• Do NOT shutdown the system or push the power button (because it can sometimes create a “soft” shutdown), which modifies system files.
• Preserve logs and electronic evidence. A forensic hard drive image will preserve the state on any suspect machines. Any other network devices (such as firewalls, IDS/IPSes, routers, etc.) that have logs in the active memory should be preserved. Keep all past backup tapes, and use new backup tapes for subsequent backups on other systems.
• Log all the actions you have taken, including composing a timeline of any knowledge related to the incident.
• If using a wireless network, change SSID on the wireless access point (WAP) and other machines that may be using this connection (with the exception of any systems believed to be compromised).
• Be on high alert and monitor all systems.

Alert All Necessary Parties Within 24 Hours
All external disclosures should be coordinated with your Legal Representative. Potential agencies include local and national law enforcement, external security agencies, and virus experts. External agencies can provide technical assistance, offer faster resolution and provide information learned from similar incidents to help you fully recover from the incident and prevent it from occurring in the future.

For particular industries and types of breaches, you might have to notify customers and the general public, particularly if customers might be affected directly by the incident.

If the event caused substantial financial impact, you might want to report the incident to law enforcement agencies.

For higher profile companies and incidents, the media might be involved. Media attention to a security incident is rarely desirable, but it is often unavoidable. Media attention can enable your organization to take a proactive stance in communicating the incident. At a minimum, the incident response procedures should clearly define the individuals authorized to speak to media representatives.

Normally the public relations department within your organization will speak to the media. You should not attempt to deny to the media that an incident has occurred, because doing so is likely to damage your reputation more than proactive admission and visible responses ever will. This does not mean that you need to notify the media for each and every incident regardless of its nature or severity. You should assess the appropriate media response on a case-by-case basis.

Be sure to notify:
• Your internal information security group and incident response team, if applicable.
• The card associations and your merchant bank if the breach is part of a cardholder data segment.
• Your legal advisor

Maybe your auditors.
Maybe your insurers.
Maybe the authorities/police.

Synergy Software Systems support desk.

Consider what message you need to give to staff, and to your trading partners.
Update your policies and procedures, and tools.

Thank those who helped you – you may need them again.

Security, security

November 5th, 2017

The IRS fends off 4 million hacking attempts a day, Commissioner John Koskinen said last Tuesday

System accounts – security

October 29th, 2017

An Office 365-focused Botnet puts the spotlight on the security of System Accounts which are commonly overlooked

A botnet it dubbed “KnockKnock” aActive since at least May, and especially active from June through August, is relatively small botnet whose attack highly targeted for both: the types of accounts it attacks and the types of organizations. GThis is interesting is because it is trying to get into system accounts, that are commonly used to connect the Exchange Online e-mail system with marketing and sales automation software. In cases where the system accounts are compromised, KnockKnock exports data from the inbox, creates a new inbox rule and starts a phishing attack from the account against the rest of the organization.

The attacks analysed averaged only five e-mail addresses per customer. Additionally, the organizational targeting was extremely specific — aimed at infrastructure and Internet of Things (IoT) departments within the manufacturing, financial services, health care and consumer products industries, as well as U.S. public sector agencies.

Non-human system accounts are less likely to be protected by multi-factor authentication or security policies, such as recurring password reset requirements. Once such accounts are provisioned, they’re easy to overlook and can prove to be the weakest link in Office 365 and in general the security infrastructure.

Bad Rabbit – a virulent wave of data-encrypting malware is sweeping through Eastern Europe

October 28th, 2017

A new, potentially virulent wave of data-encrypting malware is sweeping through Eastern Europe and has left a wake of outages at news agencies, train stations, and airports, according to multiple security companies

A new ransomware outbreak similar to WCry is shutting down computers worldwide, Ransom:Win32/Tibbar.A or Bad Rabbit, as the outbreak is dubbed, is primarily attacking targets in Russia, but it’s also infecting computers in Ukraine, Turkey and Germany, researchers from Moscow-based Kaspersky Lab said. In a blog post, the antivirus provider reported that the malware is using hacked Russian media websites to display fake Adobe Flash installers, which when clicked infect the computer visiting the hacked site. Researchers elsewhere said the malware may use other means to infect targets.

Bad Rabbit appears to specifically target corporate networks by using methods similar to those used in a June data-wiping attack dubbed “NotPetya” that shut down computers around the world.
Bad Rabbit infects Windows computers and relies solely on targets manually clicking on the installer, Kaspersky Lab said. So far, there’s no evidence the attack uses any exploits.

The Ukrainian computer emergency agency CERT-UA posted an advisory on Tuesday morning reporting a series of cyberattacks.

Kevin Beaumont said on Twitter that Bad Rabbit uses a legitimate, digitally signed program called DiskCryptor to lock targets’ hard drives. Kaspersky Labs’ blog post said the executable file dispci.exe appears to be derived from DiskCryptor and is being used by Bad Rabbit as the disk encryption module.

Bad Rabbit relies on hard-coded credentials that are commonly used in enterprise networks for file sharing and takes aim at a particularly vulnerable portion of infected computers’ hard drives known as the master boot record. A malicious file called infpub.dat appears to be able to use the credentials to allow the Bad Rabbit to spread to other Windows computers on the same local network, The malware also uses the Mimikatz network administrative tool to harvest credentials from the affected systems.

Once Bad Rabbit infects a computer, it displays a message in orange letters on a black background. It directs users to a Dark Web site that demands about $283 in Bitcoin to decrypt data stored on the encrypted hard drive. The dark Web site also displays a ticking clock that gives victims 40 hours to pay before the price increases. It’s not yet known what happens when targets pay the ransom in an attempt to restore their data. The NotPetya malware was written in a way that made recovery just about impossible, a trait that has stoked theories that the true objectives of the attackers was to wipe data in an act of sabotage, as opposed to generate revenue from ransomware. It also remains unclear who is behind the attack.

The outbreak is the latest reminder that you should back up all their data on drives that are secured with a password or other measure to protect them from ransomware.

Windows Defender Antivirus detects and removes this threat with protection update 1.255.29.0 and higher.

This threat appears as a fake Adobe Flash Player update.

Microsoft advice:
Microsoft doesn’t recommend you pay the ransom. There is no guarantee that paying the ransom will give you access to your files. If you’ve already paid, then see our https://www.microsoft.com/en-us/mmpc/shared/ransomware.aspx for help on what to do.

Review logs and shutdown or run Windows Defender Offline.

This ransomware attempts to reboot your PC so it can encrypt your files. You might be able to stop your PC from rebooting and instead shut it down or run a Windows Defender Offline scan:
Check event logs for the following IDs: 1102 and 106
• Event 1102 indicates that the audit log has been cleared, so previous activities can’t be seen.
• Event 106 indicates that scheduled tasks “drogon” and “Rhaegel” have been registered (these are ransomware wipers)
• If events 1102 and 106 are present, then issue a shutdown with the parameter -a to prevent a reboot

You can also immediately inititate a Windows Defender Offline scan by using PowerShell or the Windows Defender Security Center app.

Run antivirus or antimalware software

Use the following free Microsoft software to detect and remove this threat:
• Windows Defender Antivirus for Windows 8.1 and Windows 10, or Microsoft Security Essentials for Windows 7 and Windows Vista
• Microsoft Safety Scanner – Run a full scan to look for anyhidden malware.

Advanced troubleshooting – To restore your PC, download and run Windows Defender Offline.

Ask us about how to use cloud protection to guard against the latest malware threats. It’s turned on by default for Microsoft Security Essentials and Windows Defender for Windows 10. Go to All settings > Update & security > Windows Defender and make sure that your Cloud-based Protection settings is turned On.

Indicators of compromise
Presence of the following files in %SystemRoot%:
• infpub.dat
• cscc.dat
• dispci.exe
• You can’t access your files or your PC
• A ransom message in red on a black background