British Airways Data Breach Likely The First GDPR Rollback Test.

On 08/21/18 British Airways (BA) suffered the start of a data breach which ended on or about 09/05/18. A UPS (uninterruptible power supply) failure and subsequent power surge was partly how the breach was exacerbated. It was also indicated that a third party (vendor) was involved in some way which complicates liability and brings supply chain security more into scope.

The breach allowed cyber criminals to steal personal and financial information from about 380,000 customers who booked directly with the airline in the preceding two weeks (Ivana Kottasová, CNN, 09/07/18). When a passenger makes a booking through the BA website, they must submit their name, e-mail address, address, and credit or debit card details including: the number, expiration date, date, and the security code or “Card Verification Value” (CVV) — all of this was compromised.

BA Breach
Photo: Steve Parsons/PA.

Yet most interestingly, this is one of the first major data breaches since GDPR came into effect in May this year, Walters said (Samuel Gibbs, the Guardian, 09/07/18). “It appears that the company notified the Information Commissioner’s Office and customers within the GDPR’s mandatory 72 hours but the breach will now be investigated and the company could be penalized if it did not take all the necessary measures to protect customer data” (Samuel Gibbs, the Guardian, 09/07/18).

The GDPR rules now in force could see a great increase in the penalties slapped on firms for past data breaches, with fines levied at a maximum of 4% of global revenues. For British Airways’ this amounts to about $630 million dollars based on last years revenue (Gwyn Topham, the Guardian, 09/06/18).

Yet many observers see fines this hefty as counterproductive and the catalyst to push business outside of the EU. Moreover, many international law firms and economists have doubts about the applicability of the GDRP outside of the EU, citing state sovereignty, and free enterprise protection in the United States, etc. The courts will likely further define the context of GRPRs applicability and may roll its reach back some. It is way to early to know what GDPR means in practicality but pushback is coming from well funded, well organized, well researched powerful law and business interest groups. GDPR is dangerously overbroad and ambiguous as echoed in this law firm newsletter (Wendy Butler Curtis and Jeffrey McKenn, Orrick, Herrington & Sutcliffe LLP, 09/09/18). We welcome the debate for a better more modern GDPR.

6 Pronged Approach to Data Exfiltration Detection

The best way to detect precursors to data exfiltration is to employ a six-prong detection approach applied to all risk areas as practicable. Figure 1. shows the six-pronged detection approach.

Figure 1. Six-Pronged Data Exfiltration Precursor Detection Approach [1] [2].

1) Signature Based.

Characteristics: 1) Uses known pattern matching to signify attack; 2) Former zero days, known exploits, etc.

Advantages: 1) Widely available; 2) Most antivirus is based heavily on this; 3) Fairly fast; 4) Easy to implement; 5) Easy to update.

Disadvantages: 1) Cannot detect attacks for which it has no signature – Zero days; 2) Insider threat.

2) Host Based.

Characteristics: 1) Runs on a single host; 2) Can analyze audit-trails, logs, the integrity of files and directories, etc.

Advantages: 1) More accurate than NIDS; 2) Less volume of traffic so less overhead.

Disadvantages: 1) Deployment is expensive; 2) No plan for if the host gets compromised – Real risk for organizations with more than 10 thousand employees.

3) Human Based [2].

Characteristics: 1) Has the unique experience set deriving intuition; 2) Has five senses.

Advantages: 1) Has the ability to learn multiple tools and connect the dots; 2) Can set team direction and inspire people; 3) Can think creatively; 4) Can think with the voice of the customer or recipient of a phishing e-mail.

Disadvantages: 1) Bias and ego; 2) Cannot calculate large numbers fast.

4) Anomaly Based.

Characteristics: 1) Uses statistical model or machine learning engine to characterize normal usage behaviors; 2) Requires big data and other software tools; 3) Recognizes departures from normal as potential intrusions.

Advantages: 1) Can detect attempts to exploit new and unforeseen vulnerabilities; 2) Can recognize authorized usage that falls outside the normal pattern.

Disadvantages: 1) Generally slower, more resource intensive compared to signature-based tools; 2) Greater complexity, difficult to configure; 3) Higher percentages of false alerts.

5) Network Based.

Characteristics: 1) NIDS (network intrusion detection system) examine raw packets in the network passively and triggers alerts.

Advantages 1) Easy deployment; 2) Unobtrusive; 3) Difficult to evade if done at the low level of network operation.

Disadvantages: 1) Fail Open; 2) Different hosts process packets differently; 3) NIDS needs to create traffic seen at the end host; 4) Need to have the complete network topology and complete host behavior; 5) Highly unlikely.

6) Externally Based.

Characteristics: 1) Studies show there are 258 externally measurable characteristics about network infrastructure (without any inside info).

Advantages: 1) Beaching marking – identifying mismanagement symptoms such as poorly configured DNS or BGN networks; 2) Beaching marking – identifying malicious activity which mostly includes SPAM, phishing, and port scanning; 3) One study found it to be highly reliable in predicting breaches (90% true positives in a closed limited test) [3].

Disadvantages: 1) Its low hanging fruit – easy weaknesses to spot; 2) Good I.T. audits and red teaming is similar.

[1] Dash, Debabrata. “Introduction to Network Security”. PowerPoint presentation. 2017.
[2] Photo of public figure Bruce Schneier by Per Ervland. https://www.schneier.com/ 2018.
[3] Liu, Yang; Sarabi, Armin; Zhang, Jing; Naghizadeh, Parinaz; Karir, Manish; Bailey, Michael; and Liu, Mingyan. “Cloudy with a Chance of Breach: Forecasting Cyber Security Incidents” 2015. Pg. 1.

Decryption Options For 3 Ransomware Types

ransomware-main.pngRansomware is on the rise and is going after more victims with little to no defenses, small to medium-small sized businesses and even quiet non-profits. Here are a few tools with a valid track record of stopping and removing 3 common types of ransomware.
1) LockCrypt is a ransomware discovered in June 2017 but is still active in various mutations. It spreads by brute forcing Remote Desktop Protocol credentials – a key port (3389) that should be obviously locked. A prominent example of this exploit occurred in December 2017 when an employee opened an email which was maliciously sent from another co-worker’s account. This was merely an attempt to trick the person to click on the malicious attachment which was appended to the letter. Once it was opened, the ransomware download began after which 48 out of 500 servers of North Carolina County were compromised with LockCrypt (Ugnius Kiguolis, Spyware.com, 12/11/17).

As per Bitdefender, this ransomware family has several sub-variants with the following specific extensions, the first (.1btc) is decryptable with this free Bitdefender tool and the others may be decryptable with the free Trend Micro Malwarebytes Ransomware File Decryptor tool (check for updates).

  1. .1btc (decryptable and included in this version of the tool)
  2. .lock (decryptable, not included in our tool)
  3. .2018 (decryptable, not included in our tool)
  4. .bi_d (not decryptable)
  5. .mich (decryptable, not included in our tool)

2) The five-year-old ransomware Trojan-Ransom.Win32.Rakhni has received a facelift recently which now allows it to decide whether or not to install its traditional ransomware or to drop a cryptominer.

The malware is delivered through spam campaigns where the email comes with a PDF attached which the receiver is prompted to save and then enable editing. When the victim attempts to open the document he or she is presented with an executable that portrays itself as an Adobe Reader plugin and it asks the person to allow it to make changes to their computer (Doug Olenick, SC Magazine, 07/06/18).

According the Kaspersky labs, the current injection chain on this newer exploit is largely the same as before. However, the malware moves along a rather complex path before it decides which form it will take. During the process it will check to make sure the device is not a virtual machine, it will check for and disarm an AV software and also Widows Defender and finally erase most of the footprints made during the malware installation.

The executable, which is written in Delphi and has its strings encrypted, then presents a message box that states the PDF could not be opened, basically to keep the victim from thinking anything negative is about to happen (Doug Olenick, SC Magazine, 07/06/18).

It first checks that the device has one of the substrings:

  1. \TEMP
  2. \TMP
  3. \STARTUP
  4. \CONTENT.IE
  5. Registry check

It then checks to see if the registry contains checks that in the registry there is no value HKCU\Software\Adobe\DAVersion and if it finds this is so it creates HKCU\Software\Adobe\DAVersion = True (Doug Olenick, SC Magazine, 07/06/18). As of Feb 2018 Kaspersky Labs has a free decryption tool (since updated) to get rid of most variations of this infection.

3) Thousands of LabCorp’s servers were impacted by the SamSam ransomware attack on 07/13/18, a CSO online report confirmed (Steve Ragan, 07/19/18). Early information indicates that the company contained the spread of the infection and neutralized the attack within 50 minutes – great. However, before the attack was fully contained, 7,000 systems and 1,900 servers were negatively impacted; 350 were production servers (Steve Ragan, CSO Online, 07/19/18. This is a growing trend in the healthcare sector that reached 15% in 2016 (Fig1. Greg Slabodkin, Health Data Management, 04/11/18).

Fig. 1.
Ransomeware Health.pngAs per Jessica Davis of HealthcareITnews, “SamSam is the virus that shut down the Allscripts platform for about a week in January 2017 and is known to use brute force RDP (remote desktop protocol) attacks to breach a system and spread. The variant is also responsible for taking down Hancock Health, Adams Memorial and the government systems of Atlanta — among a host of others” (HealthcareITNews.com, 07/20/18).

The ransom note it displays is quite interesting, giving the option of randomly-selected file encryption (if you don’t pay the full amount). They’ll also unlock one file for free as a token of trust that they will give your files back after payment (Christopher Boyd, Malwarebytes Labs, 05/01/18).

Fig 2.
samsam-ransomware-infected-file-sensorstechforum-com-sorry-for-files-html-virus
The virus has been updated a couple of times. Currently, it appends one of the following file extensions (Julie Splinters, spyware.com, 06/23/18):

  1. .weapologize;
  2. .AreYouLoveMyRansFile;
  3. .breeding123;
  4. .country82000;
  5. .disposed2017;
  6. .fucku;
  7. .happenencedfiles;
  8. .helpmeencedfiles;
  9. .howcanihelpusir;
  10. .iaufkakfhsaraf;
  11. .mention9823;
  12. .myransext2017;
  13. .noproblemwedecfiles;
  14. .notfoundrans;
  15. .prosperous666;
  16. .powerfulldecryp;
  17. .supported2017;
  18. .suppose666;
  19. .VforVendetta
  20. .Whereisyourfiles;
  21. .wowreadfordecryp;
  22. .wowwhereismyfiles;
  23. .loveransisgood.

Different variants of the virus might drop different versions of ransom notes. However, at the moment victims might receive one of these ransom notes in:

  1. 0009-SORRY-FOR-FILES.html,
  2. IF_WANT_FILES_BACK_PLS_READ.html,
  3. 000-PLEASE-READ-WE-HELP.html,
  4. 000-No-PROBLEM-WE-DEC-FILES.html,
  5. READ-FOR-DECCCC-FILESSS.html,
  6. HELP_DECRYPT_YOUR_FILES.HTML,
  7. 001-HELP_FOR_DECRYPT_FILE.html,
  8. 006-READ-FOR-HELLPP.html,
  9. PLEASE_READ_FOR_DECRYPT_FILES_[Number].html,
  10. PLEASE-README -AFFECTED-FILES.html.

SamSam is the newest and most powerful of the three types of ransomeware mentioned above. There is no known decryption tool or fix for data that you don’t already have your data backed up. Yet it is known to uses tools such as Mimikatz to steal valid user credentials and common IT management tools to move malware to new hosts. Attackers and their malware are increasingly reliant on Mimikatz and similar tools, such as PsExec — associated with everything from PoS malware to webshells — to spread through the network and do damage (Dark Reading, 06/20/18, Ajit Sancheti). Stay tuned here for updates regarding a stable decryption tool for SamSam.

Review of the 2018 Verizon Data Breach Report

The 11th edition of the DBIR (Data Breach Investigation Report) was released this month. It analyzed more than 53,000 cybersecurity incidents and over 2,200 data breaches across the globe. Here is a summary of its key findings:
Ransomware continues to be a top cybersecurity threat, according to the report. Ransomware is found in almost 39 % of malware attacks – double the amount in last year’s analysis. “Ransomware remains a significant threat for companies of all sizes,” says Bryan Sartin, executive director security professional services, Verizon. “It is now the most prevalent form of malware, and its use has increased significantly over recent years.” This comes as no surprise to many city and state officials that have battled with ransomware takeovers recently. Systems in the city of Atlanta were offline for several days last month following a ransomware attack. Government offices and municipal systems have also been targeted in Baltimore, North Carolina, San Francisco, and others yet to come forward – the government does not like to admit their errors.

The report also shows that attacks on public sector organizations continue to focus on espionage. 43 % of public sector attacks were motivated by espionage. Of those attacks, 61 % were carried out by state-affiliated actors. Privilege misuse and error by insiders account for a third of breaches. Small businesses represent 58 percent of data breach victims. Over 50% of the attacks on public sector organizations were accomplished using backdoors in software, which arguably makes the case for why putting backdoors in software is a bad idea even if a government plans to use it for its own purposes – the government is far behind the private sector in incubating innovation here. Using phishing techniques to get data from individuals remains the most popular method as individuals continue to be the weakest link when it comes to security.

Fig 1. Data Breach Causes, Verzion 2018
Using stolen credentials topped the list of causes for data breaches (See Fig 1. for the other top causes). A common saying is “it’s easier to ask the employee for their password than try to guess it”, so social engineering continues to be a very useful tactic for hackers. For most employees, the only security protection system is their password. If a cyber-criminal obtains it, they can easily bypass most of the company’s security controls.

Attribution is probably one of the most difficult tasks in cyber-crime which already has more challenges than most people realize, with misdirection and lack of digital footprints to help lead to the cyber-criminal. This is likely due to several virtual machines and botnets used to facilitate the attack across several nations – all of which are likely unfriendly to the United States. Specifically, 73% of cyber-attackwere caused by outsiders. Organized crime rings are very likely using hackers as a service because 50% of cyber-attacks were attributed to organized crime. 12% was attributed to nation-states – APT (advanced persistent threats) who have unlimited funds.

Specific to Healthcare: The healthcare industry is rife with error and misuse. In fact, it is the only industry that has more internal actors behind breaches than external. In addition to these problem areas, ransomware is endemic in the industry—it accounts for 85 % of all malware in healthcare.

In total, there were 750 incidents and 536 with confirmed data disclosed. The top three patterns include: miscellaneous errors, crimeware, privilege misuse – 63 % of all incidents within healthcare. Breach threat actors breakdown: 56 % internal, 43 % external, 4 % partner, 2 % multiple parties. Breach actor motives are: 75 % financial, 13 % fun, 5 % convenience, Data compromised: 79 % medical, 37 % personal, 4 % payment.

The full report is available here.

Abstract Forward Consulting can help you review the issues in this report to build stronger security and process controls. Contact us here to learn more.

Jeremy Swenson, MBA, MSST

AbstractFwdHzTag300

Abstract Forward Consulting Now Open For Business!

AbstractFwdHzTag300

In 2016 Mr. Swenson decided to go back to graduate school to pursue a second masters degree in Security Technologies at the University of MN’s renowned Technological Leadership Institute to position himself to launch a technology leadership consulting firm. This degree was completed in 2017 and positions Swenson as a creative and security savvy Sr. consultant to CIOs, CTOs, CEOs, and other business line leaders. His capstone was on “pre-cursor detection of data exfiltration” and included input from many of the regions CIOs, CISOs, CEOs, and state government leaders. His capstone advisor was technology and security pioneer Brian Isle of Adventium Labs.

Over 14 years, Mr. Swenson had the honor and privilege of consulting at 10 organizations in 7 industries on progressively complex and difficult problems in I.T. including: security, proj. mgmt., business analysis, data archival and governance, audit, web application launch and decommission, strategy, information security, data loss prevention, communication, and even board of directors governance. From governments, banks, insurance companies, minority-owned small businesses, marketing companies, technology companies, and healthcare companies, he has a wealth of abstract experience backed up by the knowledge from his 4 degrees and validated by his 40,000 followers (from LinkedIn, Twitter, and his blog). Impressively, the results are double-digit risk reductions, huge vetted process improvements, and $25+ million on average or more in savings per project!

As the desire for his contract consulting work has increased, he has continued to write and speak on how to achieve such great results. Often, he has been called upon to explain his process and style to organizations and people. While most accept it and get on board fast, some aren’t ready, mostly because they are stuck in the past and are afraid to admit their own errors due to confirmation bias. Two great technology leaders, Steve Jobs (Apple) and Carly Fiorina (HP) often described how doing things differently would have its detractors. Yet that is exactly why there is a need for Abstract Forward Consulting.

With the wind at our backs, we will press on because the world requires better results and we have higher standards (if you want to know more reach out below). With a heart to serve many organizations and people, we have synergized a hybrid blend of this process and experience to form a new consulting firm, one that puts abstract thinking first to reduce risk, improve security, and enhance business technology.

Proudly announcing: Abstract Forward Consulting, LLC.

Company Mission Statement: We use abstract thinking on security, risk, and technology problems to move business forward!

Company Vision: To be the premier provider of technology and security consulting services while making the world a better and safer place.

Main service offerings for I.T. and business leaders:

1) Management Consulting

2) Cyber Security Consulting

3) Risk Management Consulting

4) Data Governance Consulting

5) Enterprise Collaboration Tools Consulting

6) Process Improvement Consulting

If you want to have a free exploratory conversation on how we can help your organization please contact us here or inbox me. As our business grows, we will announce more people and tactics to build a tidal wave to make your organization the best it can be!

Thanks to the community for your support!

Founder and CEO: Abstract Forward Consulting, LLC.

Jeremy Swenson, MBA MSST (Master of Science In Security Technologies)

5 Things Equifax Could Have Improved to Prevent Their Data Breach

Equifax_breach_exposes_143_million_peopl_0_4110363_ver1.0_640_360Minneapolis, MN – 11/22/17. The recent Equifax data breach impacted one-third of the U.S. population with more than 143.5 million records exposed.  This epic hack started on 05/13/2017 and lasted until 07/29/2017, all the while the company was clueless.  As a result, the threat actors trolled around Equifax’s network, staging and exfiltrating data undetected for 2.5 months.  It is one of the biggest data breaches in U.S. history but clearly not the biggest.  Going forward, breaches are likely to be bigger, given the threat actors risk vs. reward tradeoff, and the increasing capabilities of cloud computing and botnets thereby enabling anonymity.

Equifax 1Yet this breach may be one of the most negatively impactful because of the comprehensive sensitive data lost in it including social security numbers, full names, addresses, birth dates, and even drivers licenses and credit card numbers for some.  “This information is the kind that several businesses like financial companies, insurance companies, and other security-sensitive businesses use to identify a customer accessing their accounts from online, by phone, or even in person” (Pelisson, Anaele; & Villas-Boas, Antonio, 09/08/17).

Therefore, this breach lends itself perfectly to future identity theft.  To date, hundreds of fraudulent loan applications, credit card charges, student loans, and insurance claims have been documented and it’s not likely to stop anytime soon.  All of this has inspired negligence lawsuits and regulatory reviews across most states.  If there is one thing you would expect from a credit monitoring company claiming to protect the accuracy of your data, it is that they would at least have above average information security standards.  Yet they clearly did not.  Below are the things that went wrong at Equifax to enable and exacerbate the breach:

1) Equifax’s first problem was that they failed to take a recent critical update notice seriously:
NIST (The National Institute of Standards in Technology) via CERT (critical emergency readiness team) issued an update alert for the Apache Struts platform on 03/08/17, CVE (critical vulnerability exploit) 5638 (Fig 2) which Equifax ignored or gave low priority.  Apache Struts is a free, open-source, MVC (model view controller) framework for creating nice, new Java web applications.  At Equifax, the Apache Struts platform was used for multiple applications and thus the risk associated with failing to patch the vulnerably was exponentially large and complex.

Apache Struts
Negatively, the Apache Struts vulnerability allowed remote code execution via a cmd string upload in the HTTP header.  Both versions of this vulnerability were listed as being highly severe by the CVE alert.  There is no way Equifax did not know this to a considerable degree.  Lesson learned: solidify your security baseline and update and patch based on likely impact and ease of execution.

2) Equifax had a history of poor security culture back to 2014 and failed to make key improvements:
“In April 2017, cyber-risk analysis firm Cyence rated the probability of a security breach at Equifax at 50 percent in the next 12 months.  Credit analytics firm FICO gave Equifax low marks on data protection — an enterprise security score around 550 on a scale of 300 to 850.  In 2014, Equifax “left private encryption keys on its server,” potentially allowing hackers to decrypt sensitive data, according to a recent breach related lawsuit.” (Harney, Kenneth; 11/21/2017).  Thus, Equifax had poor security long before the recent breach and they have been warned.

a) Creating a culture of security where rank and title do not suppress valid evidence and reason, and outside vendors are vetted and listened to in a timely order concerning security risks would improve their security posture.  Yet this requires cross-departmental collaboration, openness, and it requires firing those insulating themselves in fiefdoms of “yes sayers”.

3) Executives had more concern for short-term profit than long-term security:
On 08/01/17 and 08/02/17 three top executives from Equifax sold nearly $2 million worth of company stock at a high price but maintain that they had no knowledge of the breach that was discovered by the company on 07/29/17. Allegedly these trades were placed before August 2017. Although these may be innocent well-earned stock trades, the totality of the circumstances warrants further validation even though Equifax’s attorneys reviewed the trades at the time. Trades like these should not just be reviewed by the legal department but also by the P.R. department when a disaster is near, likely, or present. Most importantly, long-term security should be on the mind of executives, not short-term profits – implicates a huge culture issue.

4) They have business products that create conflicts of interest that incent data breaches and identity theft:
This is because Equifax sells credit monitoring services at about $17 per month per customer.  They also partner to sell identity theft monitoring via LifeLock.  LifeLock has a direct copy of most of Equifax’s data so they can accurately monitor for fraud indicators.  LifeLock cost about $30 per month per customer and a part of that profit is shared with Equifax via a prearranged deal inked in 2015.  Sen. Elizabeth Warren described it in the video below.

5) Equifax used stunningly simple PIN numbers that were composed of date
and time:

This was corroborated by Wes Moehlenbruck, MS, CISSP, CEH, CHFI, a California-based senior cybersecurity engineer with a master of science degree in cybersecurity.  He stated, “The PINs used to lock and unlock credit files were simply based on the time and date – nothing more complicated than that.  Absolutely yes, this is a rookie mistake” (Hembree, Diana, 11/15/17).  Obviously, in using such a simplistic approach in PIN generation, a user’s PIN could easily be guessed or brute-forced by testing every possible combination using a computer program.  PINs should be more complex, completely confidential, and there should be a policy mandating that they change often (every six months for example).

If you want to talk more about these and related concepts applied to my consulting and speaking, please contact me here.