Posts

Avoiding Ransomware Payments: 4 Backup Fundamentals

Having access to backup copies of critical data is the only way to guarantee avoidance of costly ransomware payments, insurance claims, and extended downtime to business operations. All too often this advice is heard only after experiencing an attack, and in hindsight these simple steps seem obvious. During ransomware incidents, technology staff are commonly not aware of the techniques used by these criminals to take advantage of ineffective backup routines. In our experience conducting incident response, recent ransomware events involve the targeting of backup processes. Reconfiguration of backup technologies, deletion of cloud storage environments, and destruction of backup data discovered during the attack are all used to prevent you from making a simple recovery. When you wake up to discover encrypted systems, there are literally no copies of your critical data left to be restored, your business operations are crippled, and the only path forward is negotiation with criminals. This is, as te

Recent posts

The PhishSeine Advantage

Making improvements in our services is one of our top priorities. The feedback we get from clients is invaluable in connecting with the needs of others and making sure our solutions remain effective. This is a great opportunity to share the feedback we've received on our PhishSeine service. The social-engineering platform provides our clients with the ability to test their users' susceptibility to phishing attacks and provide on-the-spot training to those users who need it. The first key difference in our service is that there is no need for whitelisting. Other vendors' solutions require you to whitelist their servers so that the messages bypass traditional spam and email filtering. We feel that this is cheating: if our campaigns aren't good enough to bypass your spam filters, then either you have very effective filtering (whitelisting) or we're not good enough at our jobs. The second key difference is our ability to custom tailor the experience to your users, ea

ShellShock Basics - Updated Oct 1st

Update 2 - October 1st: As expected, there is still lots going on. As the mainstream media attempts to make sense of all the hype surrounding the latest security vulnerability, IT support staff are left to try to make sense of it all and determine what, if anything, needs to be done. Background: Bash (aka Bourne-again Shell) is used as an interactive shell on most Unix-like operating systems. It comes by default on many popular distributions such as Ubuntu, OSX, and other Linux platforms. The bug: One feature of the shell is to allow a user to set environment variables. Unfortunately, the bash shell does a poor job of interpreting these values, and if the right sequence of characters is used, extra commands can be executed. The bug was apparently introduced in the 1980s. Initial NVD CVE - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 Followup NVD CVE (incomplete patch) - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169 Exploitation: By simply injecting extra cod

Testing the CVE2014-0160 HeartBleed Attack - Part I

This is part one of a multi-part series associated with the HeartBleed vulnerability. This part deals with getting your environment set up with a vulnerable SSL webserver (using Kali Linux), and the client software used to test for and exploit it. Set up the vulnerable web server. Kali Linux already has apache installed, so simply enable the SSL mod, create a directory to hold the key material, generate the private key and ssl cert, and restart the server:

sudo a2enmod ssl
sudo mkdir /etc/apache2/ssl
cd /etc/apache2/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/webserver.key -out /etc/apache2/ssl/webserver.crt

Then you'll need to edit the ssl site configuration to enable it for your ip address (not the one below).

vi /etc/apache2/sites-available/default-ssl

Add the information for your server:

ServerName 192.168.4.134:443

and change the following lines to use the newly generated key material: SSLCertificateFile /etc/

Edmonton HeartBleed Information Session - April 16th, Royal Glenora Club

Since the latest major OpenSSL vulnerability was publicly disclosed, many people and organizations are scrambling to understand, respond and prepare themselves for the future. Twitter, vendor support channels and media outlets have been quick to cover different angles of the issue, but there has been an overwhelming amount of information released. With all this information, it can be difficult to understand what's relevant. To help clarify, we are holding a special ISACA-sponsored 2-hour session on Wednesday, April 16th, starting at 12:00pm at the Royal Glenora Club. Benoit and I will be attempting to explain as much of the issue as we can from a technical and non-technical perspective, discussing the vulnerability, its scope in relation to our personal and professional lives, and other related concerns such as our trust in the public PKI system. The second hour will be an interactive discussion about how others are dealing with the problem, questions about related topics,

Touch ID - Distributed Fingerprint Lookup

All the press regarding the new Touch ID fingerprint biometric on Apple's new iPhone has brought some insight into how this service could be misused. Most of the critics have focused on circumventing the device to gain access, or on Apple deciding to share the data with the Government. One interesting perspective that I haven't seen covered yet is whether the system could be used as a distributed matching system for existing fingerprint image systems. In an oversimplified view of the process, a law enforcement agency can take an acquired fingerprint, search for patterns in the database of collected prints, and spit out possible matches. Although Apple states that an API won't be available for apps, it is conceivable that such an interface might exist and provide the ability to take an acquired print (either from the iPhone hardware or from software) and check it for validity against the stored print. There are some limits to this, as there is likely only going to be one prin

Local Classified Penny Auction Scam

While there are a lot of new posts regarding new ways to exploit people using novel techniques and 0day exploits, there continues to be a rash of tried and true methods of coercion. I want to just walk through a simple example and reflect on how effective these methods continue to be. Many people turn toward online classified sites to buy and sell items online. This example starts with kijiji.ca, which even I've used on occasion to find used electronics and other items. Doing a search on the site for a "Samsung Galaxy Note 2" returns a posting from today with someone selling one at an unreasonably low price. $125 for a $500 phone? But what if it's for real? No harm in just asking some simple questions. Email sent with some obvious questions regarding the condition and location. About an hour passes before I get a response from what appears to be a legit seller. Notice no answer to the questions I asked, but a friendly pointer at where th