Next Chapter in My Career…

Hello all. I have been super excited to post this – just waiting for it to be official. I will be starting with KPMG in their Advisory practice on August 14, 2017. I am looking forward to re-joining such a fabulous company. I am super thankful to Raytheon and Forcepoint for a great 2+ years running Product Security. I have had the opportunity to lead a fabulous team – @GSMcNamara and @peta_bread_, two fabulous human beings and super-smart guys. I will also miss all the great people in engineering at Forcepoint that I have had the opportunity to work with and call friends (way too numerous to list). I am hoping everyone will keep in touch. Forcepoint is a great company focusing on the human side of security and will continue to be successful as they put out new products to protect organizations. For those who want to keep in touch, my personal e-mail is still the same. I am also still on Twitter and LinkedIn using the same handles.

Petya…let us take a breath…

Hello All. So most of you know what is going on in the cyber security world…Petya. If you have no idea what I am talking about, then you may want to read a website or turn on the TV. Petya is a form of malware, more specifically ransomware. Although it has bubbled to the surface a few days ago, it has actually been around since 2016. The malware targets Microsoft Windows-based systems, infecting the master boot record to execute a payload that encrypts the NTFS file table and demands a payment in Bitcoin in order to regain access to the system.

As per Wikipedia, “Variants of Petya were first seen in March 2016, which propagated via infected e-mail attachments. In June 2017, a new variant of Petya was used for a global cyberattack, primarily targeting Ukraine. The new variant propagates via the EternalBlue exploit, which is generally believed to have been developed by the U.S. National Security Agency (NSA), and was used earlier in the year by the WannaCry ransomware. Kaspersky Lab referred to this new version as NotPetya to disambiguate it from the 2016 variants due to these differences in operation. In addition, although it purports to be ransomware, it is unable to actually revert its changes.”

Some further valuable analysis findings:

Distribution methods

The malware is distributed via phishing e-mails.
For further distribution within the network the malware uses:

  • The MS17-010 vulnerability (like WannaCry).
  • Remote access to WMI (Windows Management Instrumentation), with the command line:
    “process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"”.
  • The malware also uses the “PSEXEC” toolkit or some similar tool (we are currently investigating this, as well as the source of the credentials used to infect remote systems via WMI).


  • The malware clears system logs using the following command, to make further analysis more difficult:
    “wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:”
  • It also writes its code to the hard drive’s MBR, initiates a system reboot and adds the reboot commands to the Windows Task Scheduler (“schtasks” and “at” commands).
  • After the system reboots, the malware loads its code from the MBR and encrypts data on the hard drive (the file allocation table is encrypted; we are currently investigating what else is being encrypted).
  • If the computer is shut down before the reboot, the MBR can be restored with the “bootrec /FixMbr” command (on Vista and later; on Windows XP “fixmbr” can be used).
  • If the privileges are not high enough to rewrite the MBR, the files are encrypted without a system reboot. The list of file types that are encrypted: 3ds, 7z, accdb, ai, asp, aspx, avhd, back, bak, c, cfg, conf, cpp, cs, ctl, dbf, disk, djvu, doc, docx, dwg, eml, fdb, gz, h, hdd, kdbx, mail, mdb, msg, nrg, ora, ost, ova, ovf, pdf, php, pmf, ppt, pptx, pst, pvi, py, pyc, rar, rtf, sln, sql, tar, vbox, vbs, vcb, vdi, vfd, vmc, vmdk, vmsd, vmx, vsdx, vsv, work, xls, xlsx, xvd, zip.
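The commands quoted in the two lists above (the WMI/rundll32 launch of perfc.dat, PSEXEC, the four-log wevtutil chain plus USN journal wipe, and the scheduled reboot) are exactly the kind of process-creation activity a SOC can alert on. Below is a small Python detector I am adding as an illustration; it is not code from the original post or from the quoted analysis. The sample events, hostnames, user names and timestamps are constructed for this example, and the regular expressions are my own approximation of the quoted command lines, not a vendor signature set.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (invented for this example, not real
# captures). Each line is: timestamp <TAB> parent image <TAB> command line.
SAMPLE_EVENTS = """\
2017-06-27T10:01:02\tC:\\Windows\\explorer.exe\t"C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE" /n "C:\\Users\\alice\\Downloads\\invoice.docx"
2017-06-27T10:03:44\tC:\\Windows\\System32\\wbem\\WmiPrvSE.exe\tC:\\Windows\\System32\\rundll32.exe "C:\\Windows\\perfc.dat" #1
2017-06-27T10:03:45\tC:\\Windows\\System32\\rundll32.exe\tcmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
2017-06-27T10:03:46\tC:\\Windows\\System32\\rundll32.exe\tschtasks /Create /SC once /TN "" /TR "C:\\Windows\\system32\\shutdown.exe /r /f" /ST 11:03
2017-06-27T10:04:10\tC:\\Windows\\System32\\rundll32.exe\twmic /node:10.0.0.7 /user:corp\\admin process call create "C:\\Windows\\System32\\rundll32.exe \\"C:\\Windows\\perfc.dat\\" #1"
2017-06-27T10:04:12\tC:\\Windows\\System32\\rundll32.exe\tpsexec.exe \\\\10.0.0.8 -accepteula -s -d C:\\Windows\\System32\\rundll32.exe C:\\Windows\\perfc.dat,#1
2017-06-27T10:10:00\tC:\\Windows\\explorer.exe\twevtutil qe Application /c:5
2017-06-27T10:12:00\tC:\\Windows\\System32\\cmd.exe\twevtutil cl Application
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    parent: str
    rule: str
    command_line: str


# Patterns derived from the commands quoted in the analysis above. They are my own
# approximations for illustration, not a vendor signature set.
WEVTUTIL_CLEAR = re.compile(r"\bwevtutil(?:\.exe)?\s+cl\b", re.IGNORECASE)
USN_DELETE = re.compile(r"\bfsutil(?:\.exe)?\s+usn\s+deletejournal\b", re.IGNORECASE)
PERFC_RUNDLL = re.compile(r"\brundll32(?:\.exe)?\b.*perfc\.dat", re.IGNORECASE)
WMI_CREATE = re.compile(r"\bwmic(?:\.exe)?\b.*\bprocess\s+call\s+create\b", re.IGNORECASE)
PSEXEC = re.compile(r"\bpsexec(?:\.exe)?\b", re.IGNORECASE)
SCHED_REBOOT = re.compile(r"\b(?:schtasks|at)(?:\.exe)?\b.*\bshutdown(?:\.exe)?\s+/r\b", re.IGNORECASE)


def classify(command_line: str) -> list[str]:
    """Return the names of every rule a single command line trips."""
    hits = []
    # A lone 'wevtutil cl X' is routine admin work; the malware clears four logs
    # in one go and wipes the USN journal, so alert on the chain, not on one clear.
    if len(WEVTUTIL_CLEAR.findall(command_line)) >= 2 or USN_DELETE.search(command_line):
        hits.append("log-clearing")
    if PERFC_RUNDLL.search(command_line):
        hits.append("perfc-dll-load")
    if WMI_CREATE.search(command_line):
        hits.append("wmi-remote-exec")
    if PSEXEC.search(command_line):
        hits.append("psexec-lateral")
    if SCHED_REBOOT.search(command_line):
        hits.append("scheduled-reboot")
    return hits


def scan_events(text: str) -> list[Finding]:
    """Parse tab-separated events and return one Finding per (event, rule) pair."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, parent, command_line = line.split("\t", 2)
        for rule in classify(command_line):
            findings.append(Finding(timestamp, parent, rule, command_line))
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.timestamp}  {f.rule:16}  parent={f.parent}\n    {f.command_line}")
```

Run against the constructed events it reports seven findings: the local perfc.dat load, the log-clearing chain, the scheduled reboot, and two findings each for the WMI and PSEXEC launches (remote execution plus the perfc.dat payload). The single admin `wevtutil cl Application` and the `wevtutil qe` query trip nothing, which is the point of thresholding on the chain rather than on any log clear. In a real deployment the parent image column is worth a second rule of its own: rundll32.exe spawning wmic, psexec or schtasks is unusual regardless of arguments.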


Recommendations that we have pulled together still indicate the same remediation as WannaCry, with the following:

  • Install the required Windows updates (MS17-010).
  • Turn off SMB1.
  • It is also advised to block the execution of the “PSEXEC.EXE” software on potentially compromised machines and to block remote access to WMI.

29th Annual FIRST Conference

Hello All. I would like to thank the organizers at @firstdotorg for inviting me to the 29th Annual FIRST Conference held between June 11-16, 2017 in San Juan, Puerto Rico. I had the opportunity to present twice, once on the best practices related to starting a product security team and the other on using honeypots to detect lateral movement.

Overall, it was a wonderful event. I got to catch up with colleagues from other PSIRTs, learn about the latest research into information security and listen to various industry panels and Q & As, all while in beautiful San Juan, Puerto Rico.

Be ready: Boards are now asking about cyber risks

Really great posting from my company Raytheon’s CEO, Tom Kennedy. Raytheon has made huge investments over the past few years into R&D on the cyber side. His posting really puts things into perspective.

“You know what keeps me up at night? Cyber risks. The endless stories of companies losing personal data, customer confidence, intellectual property, business continuity, market capitalization – not to mention facing hefty fines and settlements – read like a bad dream. But it’s not. Cybercrime is projected to cost businesses over $2 trillion by 2019*.”

He puts the focus on the board members who cannot bury their heads in the sand:

“Simply put, cybersecurity is now the responsibility of every board member, and savvy managers will not only have answers to board questions, but have well thought out cyber risk management programs developed in partnership with their boards. There is an opportunity here to strengthen board-management relationships. Cyber risks are a new area for most board members, and management can help the board understand the risks at their organizations, weigh investment options and establish cybersecurity goals, metrics and appropriate funding. Better alignment can also help with merger-and-acquisition cyber diligence, board policies for cyber risk, cyber crisis preparedness, and guide cyber business strategy.”

The full article is worth reading:

Do you need to be a DICK to be a successful leader?

Hello All. I wanted to share a really good documentary-style YouTube video produced by Max Joseph. The video, DICKS: Do you need to be one to be a successful leader?, documents Joseph’s quest to figure out whether being a successful film director requires you to be a tyrant, or as Joseph refers to it, a “Dick” to the people that work for you. Although his video is directed at the film industry, it is quite applicable to any type of leadership position. I personally enjoyed his unrelenting quest to interview director Peter Berg. I highly recommend the video. Great job @maxjoseph