Update to Security Model

So there is a new model making the rounds on the interwebs recently as an update to the well-known Cyber “Kill Chain”. I think it's a reasonable model and makes sense. Setting aside the underlying corporate message from Carbon Black here, the general notion that this is more of an iterative loop than a chain is a decent evolution in how to look at something like this.

https://www.securityweek.com/cyber-kill-chain-reimagined-industry-veteran-proposes-cognitive-attack-loop

Link to the PDF that most of these articles are based on (warning: Carbon Black landing page). I have used their products, but am not endorsing anything 🙂

https://www.carbonblack.com/wp-content/uploads/2019/06/CB-WP-Cognitions-of-a-Cybercriminal.pdf

What is old is new again

So I have had this blog for 4+ years and, as you can see, use it rarely. Going to give it another crack and put some random musings here so I can find them again in a future existence 🙂 – feel free to enjoy or not.

For Reference – IoT goodness – Mirai source code

Going to start posting some stuff here again at times. Makes it easier to share with folks.

It will likely be improved upon quickly, but I cannot help but laugh about how insecure IoT is, and consumers go and buy these things, install them and leave them out there. It's going to get worse before it gets better... Millions of non-technical consumers connecting stuff because they can...

https://github.com/jgamblin/Mirai-Source-Code/tree/6a5941be681b839eeff8ece1de8b245bcd5ffb02

 

Equation Group Details – Professionals Infecting Whoever They Want


If you are here, you have likely heard about the news making the rounds in the last couple days about the “Equation Group”. Several sites have been giving high level reviews of the exploits and information.

Kaspersky Labs has published some details on what all this means. Rather than bore you with a recount of what was already reported, I am attaching the info direct from the source. Attached below is the 44-page Q&A whitepaper that outlines the details, dates and info.

High-level information that was interesting from an exploit standpoint:

– The ability to infect hard drive firmware so the implant survives reboots, reformatting and OS reinstallation, and carves out its own hidden storage area on the disk.

– Zero-day exploits against Firefox, including the version used by the Tor browser.

– An interesting write-up about PHP code injected into web forums that only infects you once you are logged in as a registered forum user.

– The amount of time this has been going on (years).

Based upon the target list and rates, it sure seems pretty clear (in my opinion) that this is US sponsored activity…but who knows for sure.

Also a link to the Kaspersky Labs article that summarizes it.

Equation Group – Death Star of the Malware Galaxy

Equation_group_questions_and_answers – PDF with details

 

Cryptowall 3.0 information and analysis


So be sure to tell your end users, again, to practice safe computing: don't click email links or blindly open attachments, and be careful what you browse to in the shady corners of the Internet.

It appears there is still some CryptoWall floating around, in a “3.0” variant of the ransomware trojan that has been detected.

The folks over at the SANS Internet Storm Center have a nice analysis of the traffic.

Analysis and write-up here

They also mention malwr.com, a nice free analysis service where you can submit samples, or get your hands on the code in question to test or analyze yourself (be careful).

Lastly, one of the screenshots mentions a nice tool called Security Onion, a Linux distro that gives you advanced tools (network security monitoring, intrusion detection, etc.). If your enterprise is not doing this sort of proactive monitoring of your systems, then it's something you need to consider.

 

NTP needs a security update


NTP users and server admins: there are multiple vulnerabilities in the wild that are being actively exploited. If you have not been paying attention to security updates, attached is a consolidated report that gives you the resources you need to protect your infrastructure.

Take a few minutes to read it and see if the version you are running needs to be updated.

NTP-details

Poodle Bites Back


Another POODLE-related vulnerability has been reported in the wild through various channels, this time impacting TLS to a degree. Admins should take a moment to read up on it and keep current, as it is likely to continue developing over the next couple of days/weeks as more vendors are determined to be affected; I am sure F5 was just the start.

As reported in the links below, about 10% of web sites are likely vulnerable, including those behind F5 devices and some others. The links below offer handling details and testing, and it appears a CVE has been reserved but is not fully populated just yet.

Mitre Page

Blog entry with further details.

Poodle Bites blog entry

Web server testing tool (same as the original POODLE article, with enhancements)

SSL Labs testing page

Adam Langley – Google Security Engineer – Blog (Imperial Violet)

Imperial Violet Blog – Poodle Again

F5 security page about the vulnerability (lists models and details)

F5 models and vulnerabilities
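To make concrete what "impacting TLS" means here, the following is an added Python example, not code from this page, from F5, or from Adam Langley's post. It models the decrypted form of a TLS CBC record (data || MAC || padding) and contrasts a lenient padding check that reads only the length byte, which is the behaviour that made the SSL3-style POODLE attack work against some TLS stacks, with the strict check TLS requires (every padding byte must equal the length byte). The MAC key, the cookie text and the "garbage" block standing in for a swapped-in ciphertext block are all constructed sample data.

```python
"""Lenient vs strict TLS CBC padding checks (POODLE against TLS).

Added illustration only. After CBC decryption a TLS record looks like
    data || MAC(data) || padding
where the final byte is the padding length and, in TLS, every padding
byte must equal that length. Implementations that trusted the length
byte and skipped checking the padding bytes gave an attacker a
padding oracle: swap the last ciphertext block for a block of interest
and watch whether the record is accepted.
"""
import hashlib
import hmac

BLOCK = 16
MAC_LEN = 20                  # HMAC-SHA1, as in TLS_RSA_WITH_AES_128_CBC_SHA
KEY = b"constructed-mac-key"  # constructed sample key, not a real session key


def mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha1).digest()


def build_record(plaintext: bytes) -> bytes:
    """Decrypted form of a well-formed TLS CBC record: data || MAC || padding."""
    body = plaintext + mac(plaintext)
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    return body + bytes([pad_len]) * (pad_len + 1)


def strip_padding_lenient(record: bytes):
    """Vulnerable: trusts the length byte and never looks at the padding bytes."""
    pad_len = record[-1]
    if pad_len + 1 + MAC_LEN > len(record):
        return None
    body = record[: len(record) - pad_len - 1]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return data if hmac.compare_digest(mac(data), tag) else None


def strip_padding_strict(record: bytes):
    """Fixed: every padding byte must equal the length byte (TLS 1.0+ rule).

    Only the padding-content check is shown; constant-time handling of the
    MAC/padding error paths (Lucky 13) is a separate concern not modelled here.
    """
    pad_len = record[-1]
    if pad_len + 1 + MAC_LEN > len(record):
        return None
    padding = record[len(record) - pad_len - 1:]
    if any(b != pad_len for b in padding):
        return None
    body = record[: len(record) - pad_len - 1]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return data if hmac.compare_digest(mac(data), tag) else None


def tamper_last_block(record: bytes) -> bytes:
    """Model the attacker replacing the all-padding final block.

    In the real attack the substituted ciphertext block CBC-decrypts to
    pseudo-random bytes, and in about 1 in 256 tries its last byte happens
    to equal the expected padding length. We model that successful try with
    a constructed garbage block whose last byte is the padding length; the
    other 15 bytes are deliberately not valid padding.
    """
    garbage = bytes(range(BLOCK - 1)) + bytes([BLOCK - 1])
    return record[:-BLOCK] + garbage


def poodle_tls_demo():
    """Return (lenient_accepts, strict_accepts) for a tampered record."""
    # 12-byte plaintext + 20-byte MAC = 32 bytes, so the final block is
    # pure padding (16 bytes of 0x0F), which is the condition POODLE needs.
    record = build_record(b"Cookie: abcd")   # constructed sample data
    assert record[-BLOCK:] == bytes([BLOCK - 1]) * BLOCK
    forged = tamper_last_block(record)
    lenient_accepts = strip_padding_lenient(forged) is not None
    strict_accepts = strip_padding_strict(forged) is not None
    return lenient_accepts, strict_accepts


if __name__ == "__main__":
    lenient, strict = poodle_tls_demo()
    print(f"lenient decoder accepts tampered record: {lenient}")
    print(f"strict decoder accepts tampered record:  {strict}")
```

The lenient decoder accepts the tampered record because the MAC covers only the data, which is untouched, so accept/reject depends purely on the last byte of the swapped block; that is the oracle. The strict decoder rejects it because the other fifteen padding bytes are wrong, which is why correctly implemented TLS stacks were not affected and the fix for the affected devices was simply to validate the padding bytes.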