Blog

WikiLeaks Dumps CIA Patient Zero Windows Implant

WikiLeaks Dumps CIA Patient Zero Windows Implant

WikiLeaks on Thursday made public a CIA implant that is used to turn a Windows file server into a malware distribution point on the local network.

The documents describing the tool, Pandemic, explain how remote machines on the local network trying to download and-or execute documents from the file server over SMB are infected with “replacement” documents on the fly. The implant swaps out the document with a Trojanized version while it’s in transit, never touching the original document on the file server.

The documentation that was leaked yesterday spans from January 2014 to April 2014 and is for versions 1.0 and 1.1.

The leaks are just the latest CIA tools to be dumped on the internet by the polarizing whistleblower outfit, which has for every Friday since March—save last week—put CIA documents and attacks online for public consumption.

In between are the ShadowBrokers pouring more gasoline on this information-based firestorm promising monthly leaks of not only NSA-built exploits targeting browsers, handsets and Windows 10 computers, but also stolen data allegedly from China, Iran, Russia and North Korea’s nuclear and missile programs.

The ShadowBrokers have already leaked their share of Windows-based exploits and vulnerabilities, the most worrisome being an April disclosure of SMB flaws and attacks that had been patched by Microsoft in March after it was allegedly tipped off by the NSA. One of those SMB exploits, EternalBlue, was of course used to launch and spread the WannaCry ransomware attacks three weeks ago today.

The ShadowBrokers also had their turn in the spotlight this week announcing a pricing structure and delivery schedule for its so-called Monthly Dump Service.

The Pandemic leak does not explain what the CIA’s initial infection vector is, but does describe it as a persistent implant.

“As the name suggests, a single computer on a local network with shared drives that is infected with the ‘Pandemic’ implant will act like a ‘Patient Zero’ in the spread of a disease,” WikiLeaks said in its summary description. “‘Pandemic’ targets remote users by replacing application code on-the-fly with a Trojaned version if the program is retrieved from the infected machine.”

The key to evading detection is its ability to modify or replace requested files in transit, hiding its activity by never touching the original file. The new attack then executes only on the machine requesting the file.

Version 1.1 of Pandemic, according to the CIA’s documentation, can target and replace up to 20 different files with a maximum size of 800MB for a single replacement file.

“It will infect remote computers if the user executes programs stored on the pandemic file server,” WikiLeaks said. “Although not explicitly stated in the documents, it seems technically feasible that remote computers that provide file shares themselves become new pandemic file servers on the local network to reach new targets.”

The CIA describes Pandemic as a tool that runs as kernel shellcode that installs a file system filter driver. The driver is used to replace a file with a payload when a user on the local network accesses the file over SMB.

“The goal of Pandemic is to be installed on a machine where the remote users use SMB to download/execute PE (portable executable) files,” the documentation says. “Users that are targeted by Pandemic, and use SMB to download the targeted file, will receive the ‘replacement’ file.”

Source: WikiLeaks Dumps CIA Patient Zero Windows Implant | Threatpost | The first stop for security news

Happy that our paper with Ariel Fernandez & Ryszard Janicki will appear in IJCA

Very happy that our paper Computing covers from matchings with permutations, with Ariel Fernández and Ryszard Janicki, is going to appear in the International Journal of Computer Applications.

We present a matrix permutation algorithm for computing a minimal vertex cover from a maximal matching in a bipartite graph. Our algorithm is linear time and linear space, and provides an interesting perspective on a well known problem. Unlike most algorithms, it does not use the concept of alternating paths, and it is formulated entirely in terms of combinatorial operations on a binary matrix. The algorithm relies on permutations of rows and columns of a 0-1 matrix which encodes a bipartite graph together with its maximal matching. This problem has many important applications such as network switches which essentially compute maximal matchings between their incoming and outgoing ports.

Vintage Programming Languages

 

For the last 30 years, C has been my programming language of choice. As you probably know, C was invented in the early 1970s by Dennis M. Ritchie for the first UNIX kernel and ran on a DEC PDP-11 computer. I am probably a bit old-fashioned. Yes, C is outdated, but I’m simply addicted to it, like plenty of other embedded system programmers. For me, C is a low level but portable language that’s adequate for all my professional and personal projects ranging from optimized code on microcontrollers to signal processing or even PC software. I know that there are many powerful alternatives like Java and C++, but, well, I’m used to C.

C is not the only vintage programming language, and playing with some others is definitively fun. This month, I’ll present several vintage languages and show you that each language has its pros and cons. Maybe you’ll find one of them helpful for a future project? I’m sure you won’t use COBOL in your next device, but what about FORTH or LISP? As you’ll see, thanks to web-based compilers and simulators, playing with programming languages is simple. And after you’re finished with this review of 1970s-era computing technology, give one or two a try!

BASIC

Like many teenagers in the 1970s, I learned to program with Beginner’s All-purpose Symbolic Instruction Code (BASIC). In 1980, after some early tests with programming calculators, a friend let me try a Rockwell AIM-65 computer. An expanded version of the KIM-1, it had an impressive 1 KB of RAM and a BASIC interpreter in ROM. It was my first contact with a high-level programming language. I was really astonished. This computer seemed to understand me! “Print 1+1.” “Ok, that’s 2.” One year later, I bought my first computer, an Apple II. It came with a much more powerful BASIC interpreter in ROM, AppleSoft Basic. (This interpreter was developed for Apple by a small company named Microsoft, but that’s another story.)

PHOTO 1: An online emulator for my old Apple IIPHOTO 1: An online emulator for my old Apple II

Now let’s launch an Apple II emulator and write some software for it. Look at Photo 1. Nice, isn’t it? This pretty emulator, developed in JavaScript by Will Scullin, is available online. Just launch it, enter this 10-line program, and then type “RUN”. It will calculate for you the factorial of eight: 8! = 1 × 2 × 3 × 4 × 5 × 6 × 7 × 8, which is 40,320.

Since its invention in 1964 at Dartmouth College, BASIC is more of a concept than a well-specified language. Plenty of variants exist up to Microsoft’s Visual Basic. But it has plenty of disadvantages, especially its early versions: a lack of structured data and controls, mandatory line numbering, a lack of type checking, low speed, and so on. Nevertheless, it is ultra-simple to learn and to understand. Even if you have never used BASIC, you’ll understand the code shown in Photo 1 without any problem. The main program starts by initializing a variable N with the value 8. I then calls a subprogram that starts at line 100, displays the result F, and stops. The subprogram initializes F to 1 and multiplies the result by each integer up to N. Straightforward.

C LANGUAGE

Let compare this BASIC with a C version of the same algorithm. For this article, I looked for online compilers and simulators. I found a great option at www.ideone.com, which, developed by Sphere Research Labs, supports more than 60 programming languages. You can edit a program using any of them, compile it, and test it without having to install anything on your PC. This is great for experimenting.

PHOTO 2: At Ideone.com, you can enter, compile, and simulate numerous programming languages. Here you see C language.PHOTO 2: At Ideone.com, you can enter, compile, and simulate numerous programming languages. Here you see C language.

The C variant of the factorial algorithm is depicted in Photo 2. I could have used plenty of different approaches, but I tried to stay as close as possible to the “spirit” of C. So, how does it compare with BASIC? The code is significantly more structured, but a little harder to read. C aficionados loves short forms like f*=i++ (which multiplies f by i and then increments i) even when they can be avoided. While this makes the code shorter and helps the compiler with optimization, it is probably cryptic to someone new to the language.

Of course, C also has great strengths. In particular, it offers you precise control of the data types and memory representation, which helps for low level programming. That’s probably why it has been so widely for nearly 50 years.

FORTRAN & COBOL

Let’s stay in the 1970s. BASIC or assembly language was for hobbyists and experimenters. C was used by early UNIX programmers. The rest of the programming world was divided into two camps. Scientifics used FORTRAN. Business leaders used COBOL.

FORTRAN (from FORmula TRANslation) was actually the first high-level programming language. Developed by an IBM team led by John Backus, the first version of FORTRAN was released in 1957 for the IBM 704 computer. It was followed by several incremental improvements: Fortran 66 (1966), Fortran 77, and Fortran 90, all the way up to Fortran 2008. Refer to Listing 1 for the factorial program using FORTRAN 77.

LISTING 1: This is the factorial program using FORTRAN 77.LISTING 1: This is the factorial program using FORTRAN 77.

It seems close to BASIC, right? That’s not a surprise as BASIC was in fact based on concepts from FORTRAN and from another disapeared language, ALGOL. I’m sure that you are able to read and understand the FORTRAN in Listing 1, but its equivalent in COBOL is a bit stranger (see Listing 2). I must admit that it took me some time to make it working, even after reading some COBOL tutorials on the web. COBOL is an acronym for Common Business-Oriented Language, so it is not exactly targeting an application like a factorial calculation. It was developed in 1959 by a consortium named CODASYL, based on works from Grace Hopper. Even though its popularity fading, COBOL is still alive. I even read that an object-oriented version was released in 2002 (COBOL 2002) and even upgraded in 2014.

LISTING 2: The COBOL version looks a little stranger, right?LISTING 2: The COBOL version looks a little stranger, right?

PASCAL & FRIENDS

I never actually used FORTRAN or COBOL, but I developed software on my Apple II using PASCAL. Released in 1970 by Niklaus Wirth (ETH Zurich, Swizerland), PASCAL was probably one of the earliest efforts to encourage structured and typed programming. Based on ALGOL-W (also invented by Wirth), it was followed by MODULA-2 and OBERON, which were less known but still influential.

Do you want to calculate a factorial in PASCAL? Here it is Listing 3. It may look familiar to FORTRAN or BASIC, but its advantages are in the details. PASCAL is a so-called strongly typed language. (You can’t add a tomato and a donut, contrarily to C.) It also forbids unstructured programming and it is very easy to read. PASCAL was a limited, but true, success. It was used in particular by Apple for the development of the Lisa computer as well as the first versions of the Macintosh. It is still in use today through one of its object-oriented versions, DELPHI.

LISTING 3: This is the PASCAL version. Easy to read.LISTING 3: This is the PASCAL version. Easy to read.

THE ADA STORY

In the 1970s, the United States Department of Defense (DoD) conducted a survey and found that they were using no less than 450 different programming languages. So, it decided to define and develop yet another one—that is, a new language to replace all of them. After long specification and selection phases, a proposal from Jean Ichbiah (CII Honeywell Bull, France) was selected. The result was ADA. The name ADA, and its military standard reference (MIL-STD-1815), are in memory of Augusta Ada, Countess of Lovelace (1815–1852), who created of the first actual algorithms intended for a machine.

While ADA is, well, strongly typed and very powerful, it’s complex and quite boring to use (see Listing 4). The key advantage of ADA is that it is well standardized and supports constructs like concurrency. Thanks to its very formal syntax and type checking, it is nearly bug-proof. Based on my minimal experience, it is so strict that the first version of the code usually works, at least after you correct hundreds of compilation errors. That’s probably why it is still largely used for critical applications ranging from airplanes to military systems, even if it failed as a generic language.

LISTING 4: ADA is more verbose.LISTING 4: ADA is more verbose.

LISP & FORTH

ADA is a difficult language. In my opinion, LISP (List Processing) is far more interesting. It is an old story too. Designed in 1960 by John McCarthy (Stanford University), its concepts are still interesting to learn. McCarthy’s goal was to develop a simple language with full capabilities. That’s quite the opposite of ADA. The result was LISP. The syntax can be frightening, but you must try it. Listing 5 is a version of the factorial calculation in LISP.

LISTING 5: LISP is definitively fun!LISTING 5: LISP is definitively fun!

In LISP, everything is a list, and a list is enclosed between parentheses. To execute a function, you have to create a list with a pointer to the function as a first element and then the parameters. For example, (- n 1) is a list that calculates n – 1. (if A B C) is a structure which evaluates A, and then evaluates either B or C based on the value of A. If you read this program, you will see that it is not based on a loop like all other versions I’ve presented, but on a concept called recursion. A factorial of a number is calculated as 1 if the number is 0, and as N times the factorial of (N – 1) otherwise. LISP was in fact the first language to support recursion—meaning, the possibility for a function to call itself again and again. It is also the first language to manage storage automatically, using garbage collection. Even more interesting, in LISP everything is a list, even a program. So in LISP, it is possible to develop a program that generates a program and executes it!

Another of my favorites is FORTH. Designed by Charles Moore in 1968, FORTH also supports self-modifying programs like LISP, and it is probably even more minimalist. FORTH is based on the concept of a stack, and operators push and pop data from this stack. It uses a postfix syntax, also named Reversed Polish Notation, like vintage Hewlett-Packard calculators. For example, 1 2 + . means “push 1 on the stack,” “push 2 on the stack,” “get two figures from the stack, add them and put the result back on the stack,” and “get a figure from the stack and display it.”

Here is our factorial program in FORTH:

: fact dup 1 do I * loop ; 8 fact .

The first line defines a new function named fact, and the second line executes it after pushing the value 8 on the stack. The syntax is of course a bit strange due to the postfixing but it is clear after a while. Let’s start with 8 on the stack. The command dup duplicates the top of the stack. The do…loop structure gets count and first index from the stack so it executes I * with I varying from 1 to 7, and each iteration multiplies the top of the stack by the index I. That’s it. You can try it using another web-based programming and simulation host: https://repl.it. Look at the result in Photo 3.

PHOTO 3: This is an example of FORTH in the Repl.it online compiler and simulator.PHOTO 3: This is an example of FORTH in the Repl.it online compiler and simulator.

FUN WITH PROLOG & APL

LISP and FORTH are fun, but PROLOG is stranger. Developed by Alain Colmerauer and his team in 1972, PROLOG is the first of the so-called declarative languages. Rather than specifying an algorithm, such a declarative language defines facts and rules. It then lets the system determine if another fact can be deduced from them. An example is welcome.

LISTING 6: The PROLOG version based on a completely different paradigm.LISTING 6: The PROLOG version based on a completely different paradigm.

Listing 6 is our factorial in PROLOG. The first fact states that the factorial of any number lower than 2 is 1. The second fact states that the factorial of any number X is F only if F is the product of X and another number, named here FM1, and if FM1 is the factorial of X – 1. This looks like a recursion, and this is recursion, but expressed differently. Then the last line states that X is the factorial of 8 and ask PROLOG to display X, and you will have the result. This is a confusing approach, but it is close to the needs of artificial intelligence algorithms.

Lastly, I can’t resist to the pleasure to show you another exotic vintage programming language, A Programming Language (APL). Refer to the factorial example in APL in Photo 4. I can’t even write it in the text of this article because APL uses nonstandard characters.

PHOTO 4: APL looks great, right? It’s unique keyboard alone is fun!PHOTO 4: APL looks great, right? It’s unique keyboard alone is fun!

In fact, APL-enabled computers had APL-specific keyboards! Published in 1962 by Kenneth Iverson (Harvard University and then IBM), it was firstly a mathematical notation and then a programming language. Based largely on data arrays, APL targets numerical calculations so it isn’t a surprise to see that our factorial example is so compact in this language. Let’s understand it by reading the first line from right to left. The omega Greek symbol is the parameter of the function (that is, 8 in this case). The small symbol just before the omega called “iota” is generating a vector from 0 to N – 1, so here it is generating 0 1 2 3 4 5 6 7. The 1+ is adding one to each element of the array. This gives 1 2 3 4 5 6 7 8. Lastly, the x/ asks to multiply each value of the vector, which is the factorial!

GET STARTED

After finishing this article, I searched the web for other interesting languages and found, well, a more than impressive website. Launch your browser right now and enter http://rosettacode.org. These crazy guys simply listed 837 programming tasks, and let the community program each of them with all programming languages. Yes, all of them, and no less than 648 different languages are referenced! Of course, I searched for a factorial calculation algorithm and found it. Versions of the factorial code for 220 different languages are provided! So, you can find similar versions to the ones I provided in this article as versions for more recent languages (Java, Python, Perl, etc.). You will also find obscure languages.

My goal with this article was to show you that languages other than C and JAVA can be fun and even helpful for specific projects. Vintage languages are not dead. For example, it seems that FORTH was used for NASA’s Rosetta mission. Moreover, innovation in computing languages goes on, and new and exciting alternatives are proposed every month!

Don’t hesitate to play with and test programming languages. The web is an invaluable tool for discovering new tools, so have fun!

This article appears in Circuit Cellar 323.

Robert Lacoste lives in France, between Paris and Versailles. He has 30 years of experience in RF systems, analog designs, and high speed electronics. Robert has won prizes in more than 15 international design contests. In 2003 he started a consulting company, ALCIOM, to share his passion for innovative mixed-signal designs. Robert’s bimonthly Darker Side column has been published in Circuit cellar since 2007.

Source: Vintage Programming Languages | Circuit Cellar

Adylkuzz Cryptocurrency Mining Malware Spreading for Weeks Via EternalBlue/DoublePulsar

On Friday, May 12, attackers spread a massive ransomware attack worldwide using the EternalBlue exploit to rapidly propagate the malware over corporate LANs and wireless networks. EternalBlue, originally exposed on April 14 as part of the Shadow Brokers dump of NSA hacking tools, leverages a vulnerability (MS17-010) in Microsoft Server Message Block (SMB) on TCP port 445 to discover vulnerable computers on a network and laterally spread malicious payloads of the attacker’s choice. This particular attack also appeared to use an NSA backdoor called DoublePulsar to actually install the ransomware known as WannaCry.

Over the subsequent weekend, however, we discovered another very large-scale attack using both EternalBlue and DoublePulsar to install the cryptocurrency miner Adylkuzz. Initial statistics suggest that this attack may be larger in scale than WannaCry: because this attack shuts down SMB networking to prevent further infections with other malware (including the WannaCry worm) via that same vulnerability, it may have in fact limited the spread of last week’s WannaCry infection.

Symptoms of this attack include loss of access to shared Windows resources and degradation of PC and server performance. Several large organizations reported network issues this morning that were originally attributed to the WannaCry campaign. However, because of the lack of ransom notices, we now believe that these problems might be associated with Adylkuzz activity. However, it should be noted that the Adylkuzz campaign significantly predates the WannaCry attack, beginning at least on May 2 and possibly as early as April 24. This attack is ongoing and, while less flashy than WannaCry, is nonetheless quite large and potentially quite disruptive.

Source: Adylkuzz Cryptocurrency Mining Malware Spreading for Weeks Via EternalBlue/DoublePulsar | Proofpoint

WannaCry

Researchers urge Windows admins to apply MS17-010 before the next attack using the EternalBlue NSA exploit deploys a worse payload than WannaCry ransomware.

No one should be letting their guard down now that the WannaCry ransomware attacks have been relatively contained. Experts intimately involved with analyzing the malware and worldwide attacks urge quite the opposite, warning today that there’s nothing stopping attackers from using the available NSA exploits to drop more destructive malware.

The key is to patch vulnerable Windows machines while there is a downtime, ensure offline backups are secure and available, and that antimalware protection is running and current.

Kaspersky Lab researcher Juan Andres Guerrero-Saade and Comae Technologies’ Matt Suiche said today during a webinar, below, that the EternalBlue exploit targeting a SMBv1 flaw could be fitted with payloads ranging from banking Trojans to wiper malware that destroys a computer’s hard disk.

“Absolutely,” Guerrero-Saade said when asked if this could have been a wiper attack rather than ransomware. “We’re talking ring0 access (via the DoublePulsar rootkitinstalled by the EternalBlue exploit). It would have just come down to a matter of implementation at that point.”

Accelerating the researchers’ anxiety about what could be next was yesterday’s ShadowBrokers announcement that it would begin in June a monthly dump of new exploits—including Windows 10 attacks—and stolen data. The ShadowBrokers’ leak in April of EternalBlue and other Windows attacks handed attackers not only the exploits but also documentation that lowered any barrier to entry for using these attacks.

“This is really worrying because we’ve seen the impact of what those files out in the wild can do,” Suiche said.

The attacks also exposed the shortcomings associated with patching, despite experts for more than a decade stressing the importance of keeping operating systems, browsers and third-party software up to date. MS17-010, the patch that addressed the SMB vulnerabilities leaked by the ShadowBrokers in April, has been available since March. Microsoft rated the security bulletin as critical and experts cautioned that this patch was to be prioritized, and that SMB port 445 on Windows machines should not be exposed to the internet. Yet, Rapid7 today said its scans have found more than 1 million internet-connected devices exposing SMB over 445 with more than 800,000 of those devices running Windows. Rapid7 said it’s likely that a large percentage of that number includes vulnerable versions of Windows with SMBv1 enabled.

“Beyond the prevalence of what these exploits might be, but it really has been a test on the industry and defenders as well,” Guerrero-Saade said. “What we saw here was not the super secret zero-day situation you can’t save yourself from. It was a test of how well we’re implementing the solutions and recommendations that have been out there a very long time that everybody touts every single day. We were asked to put our money where our mouth is with this WannaCry infection.”

The biggest mitigating factor in slowing down the WannaCry outbreak was the discovery of a so-called killswitch that was likely an evasion technique by the malware to check whether it was running in a sandbox. The malware called out to a hard-coded URL, and if it responded, the malware would not execute. The speculation is that getting a response back from the killswitch domain indicated the malware might be executing instead in a sandbox.

Researcher Marcus Hutchins of the MalwareTech blog registered the domain coded into last Friday’s version of WannaCry while Suiche registered a second and third killswitch domain found in subsequent variants, shutting down most infections in the wild.

Guerrero-Saade said his concern is that the next version likely won’t have a killswitch, and could contain a more dangerous and costly payload.

“We have essentially bought time with the killswitches. That’s something where we got incredibly lucky that was even involved in the development of the malware,” Guerrero-Saade said.

They also touched on the shared code between an early WannaCry version found in February and a sample from the Lazarus APT from February 2015. Lazarus is the North Korean group alleged to be behind the Sony hack, which featured wiper malware and damaging data leaks, as well as the SWIFT attacks against banks in Bangladesh, Poland and Mexico. The attacks against financial organizations, experts said during the Kaspersky Lab Security Analyst Summit, were performed by an internal Lazarus splinter group called Bluenoroff in an attempt to help fund the APT’s other activities.

Google’s Neel Mehta found the same code in both samples, which was confirmed by Kaspersky Lab and Suiche later. Guerrero-Saade, who worked on the Lazarus research and on separate research on APTs and their use of false flags, said today that this was not an attribution claim that Lazarus was behind WannaCry, but instead a clustering claim.

“What we’re talking about is what cluster of activity this fits into, what threat actor fits the bill for this,” he said. The linkage between the SWIFT attacks and Lazarus, made by BAE Systems researchers, was based off similar code re-use of a wiper function in a Lazarus attack and the Bangladeshi attack. “The amount of proof grew over times and we laid to rest the concerns about whether the SWIFT attackers are actually part of the Lazarus group.

“Having only had WannaCry for five days, I think it’s important to understand that this is only a lead, and not a simple lead,” Guerrero-Saade said. “It’s not necessarily easy to just replicate a very specific function of code from a very obscure piece of malware from two years ago that you only put into version 1.0 and then removed. That’s not a false flag, that’s too subtle. No one would have noticed it if not for Neel Mehta doing fantastic work.

“I understand that while it’s important to have some healthy skepticism, in this particular case, I think we’re just catching a bit of code re-use. The claims aren’t necessarily bigger than they are, but they aren’t quite as hard to stomach when you look at the code itself.”

via Next NSA Exploit Payload Could be Much Worse Than WannaCry — Threatpost | The first stop for security news

Top Cybersecurity Boss Talks Priorities

The country’s top cybersecurity boss said the country is headed the wrong way when it comes to cybersecurity.

BOSTON–Citing Mirai and WannaCry as recent examples, Rob Joyce, special assistant to the president and cyber security coordinator for the White House, said the global landscape of cyber threats can’t be ignored and the U.S. needs to sharpen its defenses when it comes to fending off attacks.

“If you step back and look at the trend lines for cybersecurity, they are going the wrong way. You only have to look at last week at WannaCry to understand,” Joyce said during a talk sponsored by Massachusetts Technology Leadership Council.

Last week, President Donald Trump signed an executive order that prioritizes the protection of federal networks, critical industries and works to implement the NIST Framework. It’s Joyce’s job to carry it out. Joyce, former chief of the NSA’s office of Tailored Access Operations, was tapped by Trump in March for the role.

“The Trump administration signed an executive order that allows us to get our legs underneath us in terms of cybersecurity,” he said. “With this executive order we are going to step back and we are going to manage the federal government’s IT activity as a single enterprise. Even though we are talking millions-upon-millions of assets and thousands-upon-thousands of networks, we are going to step back and try to view it as a sum total of risks.”

Joyce said Trump’s cybersecurity executive order consisted of three main pillars, or priorities. One included securing the federal networks. Joyce said that pillar shared many of the same challenges of private enterprise faces, from difficulties in finding qualified cybersecurity professionals, handling risk between agencies and being able to defend against hacks and contain breaches should they happen.

“We know we aren’t going to be able to defend against all breaches. So we need to have methods for detecting early and defend against them and compartmentalize them so that breaches don’t cascade into massive data losses… We need to able to take hits and contain damage and restore capability quickly,”  he said.

The second pillar is working with private industry to make sure portions of the United States’ privately owned critical infrastructure, made of 16 sectors, can defend against attacks and rebound if it should take a hit.

“So, with those interrelated and interdependent systems, we understand our critical infrastructure is probably not in the state we need to be to survive a deliberate or natural hazard,” he said.

Part of working with private industry will include an initial focus on defending against Mirai-like DDoS attacks and mitigating against IoT botnets. “Recent events, Mirai botnet and others, showed how just how vulnerability we are to technologies that have been pushed into the ecosystem–often without really strong plans for security.”

Joyce added that much of the Trump’s cybersecurity focus would also include working with private companies to better identify APTs  and improve the amount of sharing between government and private companies.

Lastly, strengthening cyber defenses and boosting deterrence was another priority along with reaching out to other countries to fight global threats.

“It’s going to take a coalition of like-minded countries to advance the global common space we have here,” he said. “We will be looking to foster an open interoperable, reliable and secure global internet that benefits the U.S. and the rest of the world. We built the internet and gave it to the world, we think it’s very important that it continues to reflect our values.”

In his hour-long address, Joyce also touched on hot button topics such as net neutrality and recent proposed changes to the Vulnerabilities Equities Process.

“When you look at net neutrality, that is one of the sticky decisions that has to be made in the regulator space… But, we have to find a balance point between what we have today and allow some changes… If you are just are going to have a pipe that lets everything straight through, you are inviting people through your unlocked door,” Joyce said.

He said that government and private service providers can’t be hamstrung in cases where internet traffic used for malicious purposes must be left alone.

When asked about the Vulnerabilities Equities Process, Joyce said he was noncommittal about pending changes, however leaned toward the status quo.

“There is a process to legislate the VEP. We are working with Congress about that right now. I do have some concerns because legislators are talking about giving authority to a non-neutral entity. I think the processes right now gives us the balance where we don’t have the offense or the defense with too much thumb on the scale.”

via Trump’s Cybersecurity Boss Talks Priorities — Threatpost | The first stop for security news

Digital Forensics and Security Toolkit to be made available online

My student Mattias Huber presenting a tool for detecting Malware at the CSU Channel Islands Computer Science Capstone Showcase on May 11, 2017.

This tool can be used to upload a target file, directory, or URL to Virus Total, a website that scans the target with around 60 virus scanners from the industry. If the target is not already in the Virus Total database, the scan will be queued and completed shortly. As this is an asynchronous process, this tool is useful in uploading jobs, checking if jobs have completed, and displaying reports on completed jobs. The system also keeps track of all files uploaded, performs checks on already uploaded files to save bandwidth, saves all completed reports in a list, and all positive reports in a separate list.

Utilizing Amazon Web Services (AWS), Elastic Compute Cloud (EC2), and Simple Storage Service (S3), this system can be set up allow users to place files into a S3 bucket which will then be scanned automatically and user can be notified of any possible positives found.

  1. The User places a file they wish to scan into the S3 bucket, such as http://mybucket.s3.amazonaws.com
  2. A dedicated EC2 instance watches the bucket, detects the new file, and uploads the file to Virus Total.
  3. The EC2 instance waits until Virus Total returns a completed report.
  4. If any positives are found the instance notifies the user, otherwise the report is added to the completed list.

Virus total has a public API that is limited to 6 uploads per minute, but CSU Channel Islands was granted research API access which is limited to 600 uploads per minute.

Mattias is going to make this tool available for everyone through GitHub.

Capstone Showcase Spring 2017; see here for more details and here for more pictures. And click here for the presentation poster.

@CSUCI Comp Sci students: position at QAD

We have a single immediate opening for our year long training program. This is a great opportunity for for a CSUCI student. This is the same program I’ve mentioned in the past. The person we hire gets 6 months hands on training in RnD here in Summerland. Them we fly them out to the east coast for 3 months of hands on training within out Support organization, and they finish the program with 3 more months working at customers sites at any number of random global customer sites. During the 12 month program, they are paid full salaries and get 6 months housing with with RnD or on the east coast. This position will have the option to relocate to Michigan at the conclusion of the program.

Daniel Villanueva
Project Manager
dzv@qad.com
805.566.5292

QAD Inc
1100 Innovation Place
Santa Barbara, CA 93108 USA
http://www.qad.com
QAD – Our Passion. Your Advantage.

The day after: world-wide cyberattack has companies and institutions scrambling

What is it?
Attackers, using a tool allegedly stolen from the U.S. National SecurityAgency, took advantage of flaws in Microsoft Windows systems to spread malware around the world on Friday. The “ransomware” encrypts files, effectively hijacking computer systems, and demands money, in the form of bitcoin, in exchange for decrypting them. Microsoft Corp. had issued a fix, or patch, for the flaw on March 14.

How big is it?
Kaspersky Lab, an antivirus vendor, said it has tracked 45,000 instances of the attack, dubbed WannaCry, in 74 countries around the world, mostly in Russia. Other hot spots include Ukraine, India and Taiwan. Computer security experts say, however, the virus’s spread has been contained by the actions of a private security researcher who found a “kill switch” inside the virus.

Who has been hit?
Victims include Britain’s National Health Service, FedEx Corp., car makers Nissan Motor Co. and Renault SA, Germany’s biggest train operator as well as Russian banks. China state media reported early Saturday that some gas stations and universities have been affected.

Has anyone paid the ransom?
It is impossible to say. Screenshots of affected computers indicate hackers are asking for as little as $300 in bitcoin from affected users. The chief data officer at Telefónica, a Spanish telecom provider hit by the virus, said in a personal blog post that a bitcoin account associated with the attackers shows they haven’t “achieved much real impact.” That account had received only 25 payments by midafternoon Saturday in Europe. It is very likely though that the attackers used many accounts. U.K. Home Secretary Amber Rudd told the British Broadcasting Corp. that the government has advised the NHS not to pay.

https://apple.news/AKF-mEQ9GTWGfgHb8_ke9bA

WannaCry

A cyber-attack that hit organisations worldwide including the UK’s National Health Service was “unprecedented”, Europe’s police agency says.
Europol also warned a “complex international investigation” was required “to identify the culprits”.
Ransomware encrypted data on at least 75,000 computers in 99 countries on Friday. Payments were demanded for access to be restored.
European countries, including Russia, were among the worst hit.
Although the spread of the malware – known as WannaCry and variants of that name – appears to have slowed, the threat is not yet over.
Europol said its cyber-crime team, EC3, was working closely with affected countries to “mitigate the threat and assist victims”.
In the UK, a total of 48 National Health trusts were hit by Friday’s cyber-attack, of which all but six are now back to normal, according to the Home Secretary Amber Rudd.
The attack left hospitals and doctors unable to access patient data, and led to the cancellation of operations and medical appointments.
Who else has been affected by the attack?
Some reports say Russia has seen more infections than any other country. Banks, the state-owned railways and a mobile phone network were hit.
Russia’s interior ministry said 1,000 of its computers had been infected but the virus was swiftly dealt with and no sensitive data was compromised.
In Germany, the federal railway operator said electronic boards had been disrupted; people tweeted photos of a ticket machine.
France’s carmaker Renault was forced to stop production at a number of sites.
Other targets have included:
■ Large Spanish firms – such as telecoms giant Telefonica, and utilities Iberdrola and Gas Natural
■ Portugal Telecom, a university computer lab in Italy, a local authority in Sweden
■ The US delivery company FedEx
■ Schools in China, and hospitals in Indonesia and South Korea
Coincidentally, finance ministers from the G7 group of leading industrial countries had been meeting on Friday to discuss the threat of cyber-attacks.
They pledged to work more closely on spotting vulnerabilities and assessing security measures.
Read more:
‘I was the victim of a ransom attack’
Who has been hit by the NHS cyber attack?
Explaining the global ransomware outbreak
A hack born in the USA?
How did it happen and who is behind it?
The malware spread quickly on Friday, with medical staff in the UK reportedly seeing computers go down “one by one”.
NHS staff shared screenshots of the WannaCry programme, which demanded a payment of $300 (£230) in virtual currency Bitcoin to unlock the files for each computer.
The infections seem to be deployed via a worm – a program that spreads by itself between computers.
Most other malicious programs rely on humans to spread by tricking them into clicking on an attachment harbouring the attack code.
By contrast, once WannaCry is inside an organisation it will hunt down vulnerable machines and infect them too.
It is not clear who is behind the attack, but the tools used to carry it out are believed to have been developed by the US National Security Agency (NSA) to exploit a weakness found in Microsoft’s Windows system.
This exploit – known as EternalBlue – was stolen by a group of hackers known as The Shadow Brokers, who made it freely available in April, saying it was a “protest” about US President Donald Trump.
A patch for the vulnerability was released by Microsoft in March, which would have automatically protected those computers with Windows Update enabled.
Microsoft said on Friday it would roll out the update to users of older operating systems “that no longer receive mainstream support”, such Windows XP (which the NHS still largely uses), Windows 8 and Windows Server 2003.
The number of infections seems to be slowing after a “kill switch” appears to have been accidentally triggered by a UK-based cyber-security researcher tweeting as @MalwareTechBlog.
But in a BBC interview, he warned that it was only a temporary fix. “It is very important that people patch their systems now because there will be another one coming and it will not be stoppable by us,” he said.
‘Accidental hero’ – by Chris Foxx, technology reporter
The security researcher known online as MalwareTech was analysing the code behind the malware on Friday night when he made his discovery.
He first noticed that the malware was trying to contact an unusual web address but this address was not connected to a website, because nobody had registered it.
So, every time the malware tried to contact the mysterious website, it failed – and then set about doing its damage.
MalwareTech decided to spend £8.50 ($11) and claim the web address. By owning the web address, he could also access analytical data. But he later realised that registering the web address had also stopped the malware trying to spread itself.
“It was actually partly accidental,” he told the BBC.
Blogger halts ransomware ‘by accident’