Category: Articles

The Hay CFP Management Method – Part 2

I’ve had a lot of positive feedback from my first post which explained how to create the Trello board to track your Call For Paper (CFP) due dates, submissions, and results. In this post, I’ll explain how to create the cards and populate them with the required data to better manage your CFP pipeline.

To start your first card click the ‘Add a card…’ link in the CFP Open swim lane.

Type in the name of the conference and select the ‘Add’ button.

Once the card is added, click the pencil icon to add more context.

Within the card, place the location of the conference in the ‘Add a more detailed subscription…’ section and select the Save button. Note: I strongly advise that you follow a consistent location naming (e.g. Houston, TX or Houston, TX, USA) to make visualizing the data easier later on.

Now we have to add the CFP due date. Select the ‘Due Date’ button.

When I input the CFP due date, I often use the date prior to the published due date ( I also set the time to 11:59pm) as a way to ensure I don’t leave the submission to the absolute last minute.

After the date is selected I fill the card with more CFP-specific information that I find from the event website, Twitter, or a third-party CFP site. I also pate the URL for the CFP submission form into the card so that I don’t have to hunt for it later (it automatically saves it as an attachment). If other information, such as important dates, conference details, or comments about the event are available I often add those in the ‘Add Comment’ section. Just make sure to his the ‘Save’ button or the data won’t be added to the card.

Optionally, you can leverage the ‘Labels’ button to assign color coded tags to denote different things. For example, I’ve used these to denote the audience type, the continent, country, state/province where the event is located, and whether or not travel and expenses (T&E) are covered. These are really just informational to help you prioritize events.

Click the ‘X’ at the top right hand side of the card or click somewhere else on the board to close the card.

You now have your first conference CFP card that can be moved through the board calendar pipeline – something that I’ll discuss in my next blog post.

RSAC 2017 Ransomware Summit

RansomwareNobody likes to think about their company’s critical data being compromised and held for ransom. Unfortunately, this type of threat, dubbed ransomware, cannot be ignored. In the first quarter of 2016 alone, CNN projected that cybercriminals collected more than $200 million through ransomware attacks.

 

This would make ransomware a nearly $1 billion business annually, and it is growing quickly. This scale can be difficult to grasp, so how about an example that’s easier to identify with? In February of 2016, Los Angeles’s Hollywood Presbyterian Medical Center was hit with a ransomware attack. The attack lasted for four days before the hospital finally paid the ransom of $17,000 to get its network back. You may think, “$17,000? That doesn’t sound so bad.” Of course, the actual cost – downtime, delays, lost customers, etc. – was much worse: an estimated $11 million. Do I have your attention now?

 

When I approached the RSA Conference program team with the idea of holding a one day summit on ransomware at this year’s event, they jumped at the opportunity. As the result of long hours, careful planning, and a highly selective abstract review process, we have locked in our inaugural RSAC 2017 Ransomware Summit. With yours truly Andrew Hay as the host, attendees can expect a full day all about ransomware and its multifaceted implications across technical, policy, compliance and financial response. Sessions will discuss innovative research, present case studies on response and recovery to ransomware, explore combatting ransomware, and debate if — and when — you should pay the ransom. Speakers at the summit include:

 

  • Andrei Barysevich, Director of Advanced Collection, Recorded Future
  • Christiaan Beek, Head of Strategic Threat research, Intel Security
  • Michael Duff, CISO, Stanford University
  • David Formby, Ph.D. Candidate, Georgia Institute of Technology
  • Robert Gibbons, Chief Technology Officer, Datto
  • Jeremiah Grossman, Chief of Security Strategy, SentinelOne
  • Levi Gundert, Vice President of Intelligence and Strategy, Recorded Future
  • Anton Ivanov, Senior Malware Analyst in Kaspersky Lab, Kaspersky Lab
  • Neil Jenkins, Director of the Enterprise Performance Management Office (EPMO), Department of Homeland Security
  • Paula Long, CEO and Co-Founder, DataGravity
  • Raj Samani, CTO, EMEA, Intel Security
  • Joachim Suico, Threat Research Engineer, Trend Micro, Inc.
  • Candid Wüest, Threat Researcher, Symantec

 

Though I can’t detail every session, I do want to highlight a few of the sessions I feel attendees simply can’t miss. The first session of the day will be a panel entitled “Preparing for Ransomware” with Michael Duff of Stanford University, Adam Ely of Walmart, and Neil Jenkins from the Department of Homeland Security. This session will set the stage for the challenges of preparing for, and responding to, ransomware across various organizations and industry verticals.

 

A live hack will be demonstrated in “Out of Control: Ransomware for Industrial Control Systems” by Georgia Institute of Technology Ph.D. candidate David Formby. To illustrate the effects of ransomware on an industrial control system, this session will show the operational and physical harm implications resulting from the compromise of a popular programable logic controller (PLC). This may be the session that causes a restless sleep for some of our attendees.

 

Two important sessions will cover the underground economy that is actively being fueled by ransomware. In “Legitimate Business as Unwitting Accomplice of Underground Economy”, Andrei Barysevich and Levi Gundert of Recorded Future will explore the threat of encrypted data extortion from ransomware attacks and will quantify the extorted payment volume occurring on the Dark Web. In “A deep look into the Russian-speaking ransomware ecosystem”, Anton Ivanov from Kaspersky Lab will provide detailed analysis of the Russian-speaking criminal underground that empowers ransomware attacks all over the world.

 

The summit takes place on Monday, February 13, 2017 from 9:00 AM – 5:00 PM at Moscone West. Space will be limited so please reserve your seat as quickly as possible before it’s too late. In addition to learning from some of the best and brightest minds in the industry, I hope all attendees will share their own ransomware experiences, tips, and mitigation techniques with their peers throughout the day and the week of the RSA Conference.

 

I hope to see you at the summit!

Was it Korea? Probably Not…

So, was it North Korea that breached Sony Pictures Entertainment (SPE)? The FBI, Whitehouse, and a pile of other people are telling you it is. But if you were to ask me my position on the matter…simple answer, unlikely

4615968575_hiddenTruth1_xlarge

  • This was a coordinated attack targeting Sony Pictures Entertainment (SPE) and utilized a Server Message Block (SMB) Worm Tool to conduct cyber exploitation.
  • This SMB Worm Tool is equipped with a listening implant, lightweight backdoor, proxy tool, destructive hard drive tool, and destructive target cleaning tool.
  • The SMB worm propagates throughout an infected network via brute-force authentication attacks, and connects to a command and control (C2) infrastructure.
  • The malware has the ability to propagate throughout the target network via built-in Windows shares – this is what makes it a worm. 
  • Based on the username/password provided in the configuration file and the hostname/IP address of target systems, the malware will access remote network shares in order to upload a copy of the wiper and begin the wiping process on these remote systems.
  • There are no callback domains associated with this malware since connections are inbound only on a specified port number.
    • 203.131.222.102 / Thailand
    • 217.96.33.164 / Poland
    • 88.53.215.64 / Italy
    • 200.87.126.116 / Bolivia
    • 58.185.154.99 / Singapore
    • 212.31.102.100 / Cypress
    • 208.105.226.235 / United States
According to an FBI press release:
As a result of our investigation, and in close collaboration with other U.S. government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions. While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following:
  • Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.
  • The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
  • Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.
Some items of note (provided without any tinfoil hat, partisanship, or prejudice):
  1. The wording is carefully and purposefully used:
    • “the FBI now has enough information to conclude that the North Korean government is responsible for these actions.” – note, this does not clarify whether the Republic of North Korea launched, ordered, encouraged, or simply commented on the action. The use of the word “responsible” is purposefully vague.
  2. Correlation forcing causation:
    • “there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.” – bad guys share code and are notoriously lazy. They will use whatever it takes to get the job done. As such, code is borrowed from other attackers, purchased in underground markets, etc.
    • “significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea.” – If you’ve ever seen a movie or television show where ‘hacking’ is depicted, you already know that attackers “hop” from server to server to conduct their nefarious activities. This is as much to hide their tracks as it is to leverage distributed resources.
    • “the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.” – again, similarities in tools and code are not enough to assign attribution.
The FBI, and other agencies, argue that the totality of the data is what makes them positive of the North Korean involvement.
In my opinion, the above components of the “total data” could be a false flag (http://en.wikipedia.org/wiki/False_flag) meant to push the investigation towards an uninvolved third-party. This would not be the first instance of false flag hacking attribution.
It is my recommendation that organizations make a conscious decision to refer to the breach simply as “The Sony Breach” and make no association to the Republic of North Korea, “cyberwar”, or “state sponsored attacks” when discussing this, and future breaches that may draw similarities.

The evidence provided thus far, or lack thereof, makes parroting and perpetuating this information irresponsible, at best, and potentially dangerous in extreme circumstances.

References:
Attack components:

SMB Worm Tool: 

This worm uses a brute force authentication attack to propagate via Windows SMB shares. It connects home every five minutes to send log data back to command and control (C2) infrastructure if it has successfully spread to other Windows hosts via SMB port 445. The tool also accepts new scan tasking when it connects to C2. There are two main threads: the first thread calls home and sends back logs (a list of successful SMB exploitations), and the second thread attempts to guess passwords for SMB connections. If the password is correctly guessed, a file share is established and file is copied and run on the newly-infected host.

Listening Implant: 

During installation of this tool, a portion of the binaries is decrypted using AES, with a key derived from the phrase “National Football League.” Additionally, this implant listens for connections on TCP port 195 (for “sensvc.exe” and “msensvc.exe”) and TCP port 444 (for “netcfg.dll”). Each message sent to and from this implant is preceded with its length, then XOR encoded with the byte 0x1F. Upon initial connection, the victim sends the string, “HTTP/1.1 GET /dns?\x00.” The controller then responds with the string “200 www.yahoo.com!\x00″ (for “sensvc.exe” and “msensvc.exe”) or with the string “RESPONSE 200 OK!!” (for “netcfg.dll”). The controller sends the byte “!” (0x21) to end the network connection. This special message is not preceded with a length or XOR encoded.

Lightweight Backdoor: 

This is a backdoor listener that is designed as a service DLL. It includes functionality such as file transfer, system survey, process manipulation, file time matching and proxy capability. The listener can also perform arbitrary code execution and execute commands on the command line. This tool includes functionality to open ports in a victim host’s firewall and take advantage of universal Plug and Play (UPNP) mechanisms to discover routers and gateway devices, and add port mappings, allowing inbound connections to victim hosts on Network Address Translated (NAT) private networks. There are no callback domains associated with this malware since connections are inbound only on a specified port number.
Proxy Tool: Implants in this malware family are typically loaded via a dropper installed as a service, then configured to listen on TCP port 443. The implant may have an associated configuration file which can contain a configurable port. This proxy tool has basic backdoor functionality, including the ability to fingerprint the victim machine, run remote commands, perform directory listings, perform process listings, and transfer files.

Destructive Hard Drive Tool: 

This tool is a tailored hard-drive wiping tool that is intended to destroy data past the point of recovery and to complicate the victim machine’s recovery. If the CNE operator has administrator-level privileges on the host, the program will over-write portions of up-to the first four physical drives attached, and over-write the master boot record (MBR) with a program designed to cause further damage if the hard drive is re-booted. This further results in the victim machine being non-operational with irrecoverable data (There is a caveat for machines installed with the windows 7 operating system: windows 7 machines will continue to operate in a degraded state with the targeted files destroyed until after reboot, in which the infected MBR then wipes the drive.) If the actor has user-level access, the result includes specific files being deleted and practically irrecoverable, but the victim machine would remain usable.

Destructive Target Cleaning Tool: 

This tool renders victim machines inoperable by overwriting the Master Boot Record. The tool is dropped and installed by another executable and consists of three parts: an executable and a dll which contain the destructive components, and an encoded command file that contains the actual destruction commands to be executed.

Network Propagation Wiper: 

The malware has the ability to propagate throughout the target network via built-in Windows shares. Based on the username/password provided in the configuration file and the hostname/IP address of target systems, the malware will access remote network shares in order to upload a copy of the wiper and begin the wiping process on these remote systems. The malware uses several methods to access shares on the remote systems to begin wiping files. Checking for existing shares via “\\hostname\admin$\system32” and “\\hostname\shared$\system32” or create a new share “cmd.exe /q /c net share shared$=%SystemRoot% /GRANT:everyone, FULL”. Once successful, the malware uploads a copy of the wiper file “taskhostXX.exe”, changes the file-time to match that of the built-in file “calc.exe”, and starts the remote process. The remote process is started via the command “cmd.exe /c wmic.exe /node:hostname /user:username /password:pass PROCESS CALL CREATE”. Hostname, username, and password are then obtained from the configuration file. Afterwards, the remote network share is removed via “cmd.exe /q /c net share shared$ /delete”. Once the wiper has been uploaded, the malware reports its status back to one of the four C2 IP addresses.

Let’s Talk…

Social

Scroll to top