As I sit here on the nice shady patio enjoying my morning coffee, I figured I should probably post up my slide deck from my first official talk. First of all, BSidesCT was great! The organizers made some classy laser-cut badges this year and the CTF was a good time (actually got 4th in it!). Will I submit another? Who knows? I think I will build on it a bit and learn more about ASP.NET in the process. OK, on to the slide deck, as my yard work is calling (thought I took Friday off for fun?).
Of Course My Cloud App is Secure, It’s in Azure
Some notes to add to the deck when it comes to logging in Azure Websites:
- Azure has added the ability to bring log files down via FTP/FTPS.
- They have added other log tools such as Log Stream which lets you watch your application and web log activity.
- Azure PowerShell can stream the logs with Get-AzureWebsiteLog -Name <appname> -Tail
- Azure PowerShell can also download them with Save-AzureWebsiteLog, which saves a zip file to the directory you run the command from.
Other items to note when moving to any cloud solution:
- Many security features are not enabled by default, though Microsoft does notify you of certain ones to turn on through Security Center
- You can encrypt your Azure SQL Databases!
- You can enable 2FA for your Azure/Live Account as well as implementing it within Azure for Azure AD or Web Apps.
- Review your SLAs!!!
- And of course weigh the risks of any cloud service. Not all data is created equal and some of it is better off staying on-premises.
OK the temp is rising and it isn’t even noon yet, the yard awaits!
So one of your users got an email from a supposed vendor with an attached invoice. The invoice wasn’t a PDF, Word doc, or even an Excel sheet. It was a zip file, and the user opened it as well as opening the “.js” attachment. Now they called you explaining that they can no longer open any files on their computer or their network share. The files have all been renamed and the user has no idea what the heck happened. You already have a good idea that they downloaded some type of crypto ransomware. But how did it get through?? You thought you had adequate protection with antivirus as well as web/email filtering. After chatting with the user, you were able to obtain the original email that she opened; unfortunately, there wasn’t much you could get from it. The email address it came from was most likely compromised, so you added it to your anti-spam black list. You noticed a bunch of files in the zip, but when you tried to look at them in Notepad it was just a big blob of code that didn’t make sense.
Fig. 2 JSDetox Startup
Fig. 3 JSDetox Dashboard
Fig. 4 Reformatted
Fig. 6 Instructions
At this point you can examine other systems for possible infection by looking for the executable file in the temp directory. You can also take the URL and add it to your web filter block list. You should also check your email service to ensure you can block such files from making it to your users. Google Apps does a pretty good job at blocking these types of messages. Microsoft Exchange requires a bit of magic with Transport rules, as its default Exchange Online Protection service doesn’t block .js files, nor does it look inside zip files. If you have some form of anti-spam or email gateway security solution in place, it should prevent these as well. But if you are a small business, you may not be so lucky to have a budget for such things. Good luck and happy hunting!!
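As an added example (not part of the original post), the Python below shows the check a mail filter needs for this case: it looks inside a zip attachment, including nested zips, for script files. The extension list, limits and function names are assumptions made for the example, and the sample archive is constructed.

```python
import io
import zipfile

# Extensions Windows runs as scripts on double-click (assumed list; extend it).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
MAX_DEPTH = 3                          # archive levels to open
MAX_MEMBER_BYTES = 20 * 1024 * 1024    # do not unpack larger nested zips


def risky_members(data, depth=0, prefix=""):
    """List script files in a zip attachment, following nested zips.
    Content that cannot be inspected is reported too, so it can be held."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [prefix + "<unreadable archive>"]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            # Windows ignores trailing dots and spaces in file names.
            name = info.filename.lower().rstrip(". ")
            ext = name[name.rfind("."):] if "." in name else ""
            if ext in SCRIPT_EXTS:
                findings.append(path)
            elif ext == ".zip":
                if info.flag_bits & 0x1:
                    findings.append(path + " <encrypted>")
                elif depth + 1 >= MAX_DEPTH or info.file_size > MAX_MEMBER_BYTES:
                    findings.append(path + " <not inspected>")
                else:
                    findings += risky_members(zf.read(info), depth + 1, path + "!")
    return findings


def build_sample():
    """Constructed, harmless sample: a zip holding a script and a nested zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Invoice_2016.PDF.js", "// constructed placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "see attached")
        z.writestr("docs/scan.wsf.", "<job></job>")
        z.writestr("more.zip", inner.getvalue())
    return outer.getvalue()
```

A non-empty result from risky_members() is the signal to quarantine the message rather than deliver it.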
Apologies for not posting anything in a while. Hopefully that will change over the next couple weeks. We will keep it simple and this will just be a simple events posting…
Source Conference Boston 2016
May 18-19th with training on the 16-17th. Timing is great as this rolls right into…
Training on May 20th, conference on May 21st. Tickets are almost sold out!
Further down the line in July, BSidesCT comes back! CFP is open and it will once again be held at Quinnipiac University’s Rocky Top Student Center.
First of all, read up on the details over at Krebs On Security. He has a pretty good explanation as to what Dell did as well as additional reference sites on the matter. The Reddit discussion in the reference section has some good technical details. But what does all this mean to the regular folks out there who buy their Dell laptops and like to enjoy their drink while using the free wi-fi at the local coffee shop?
So this is the Boston Application Security Conference. More information can be found here.
Watched this video this morning and it reminded me of a time when I went to visit a relative in the hospital. I noticed the hallway had a number of small antennas sticking out of the ceiling every few feet. I figured “Hey that’s some pretty extreme wi-fi coverage!” A few minutes later an automated medicine cabinet came rolling down the hallway. It stopped at every room and dispensed meds to the patients. If you stood in front of it, it would wait for you to move before continuing. And this was probably over 5 years ago! So yes the age of automation is clearly underway.
So this post may not be very security focused, but it will apply to us just as much as it applies to the nurse or pharmacy tech that was replaced by that robot. As the cost of using automated bots (both software and hardware) goes down, so does the need for humans in those positions. The video covers it well, so take the 15 minutes to watch. In IT we are seeing this happen on a regular basis; hell, some of us probably wrote some nifty scheduled tasks to free us up from doing all those repetitive sys admin jobs. We may have even written someone out of a job by automating the management of users. And we certainly should, because that frees us up for concentrating on more long-term goals, upgrade plans, new hardening techniques… etc. Heck, back in the day, it would take us weeks to bring a new server online, fully patched, hardened and tested. Now I can log into AWS or Azure and spin an entire remote AD environment up in a couple hours (depending on specs). That includes a site-to-site VPN with the virtual network I just set up as well. All that could even be automated, as all of it can be done through PowerShell. As for testing the systems, well, that is also being automated more and more. Netflix employs their Chaos Monkey to bring systems down during business hours so that they can make sure their apps continue running if such a thing happens when no one is around to fix it.
So the days of clicking “Next.. Next.. Next… Finish” are over. If you are not picking up a scripting language to help with your job or learning to make LEDs blink on the breadboard, you may become obsolete. If you have kids, it would be wise to push them towards the math and sciences. Get them Lego Mindstorm sets! Show them Codecademy! Bring them to a maker fair and let them see the cool things done with 3D printers, laser-cutters, and robots! We once taught a bunch of kids how to pick locks, don’t worry we told their parents that locks don’t work anyway.
So the bots are coming, you could either be the one creating them or the one being replaced by them. Either way, the years to come will be interesting!
Due to some issues with time, availability and overall meetup participation, I have chosen to close out the meetup site. At the end of September it will be shut down. From this point on any Nutmeg InfoSec activities will be announced here and on the Twitter page.
I still believe there are people out there who enjoy discussing and collaborating on InfoSec and hackery. If you need your fix of hacking and geeking out, head over to NESIT Hackerspace. They typically have public nights on Monday/Wednesday. Activities include hardware hacking, 3D printing, woodworking, and even cooking. I once learned to make LEDs blink using Arduino!
So keep an eye out here for any possible meetups or events. Until then check out Security BSides for upcoming local events. These are great events to meet others in the InfoSec community, not to mention the talks are top notch and you usually don’t have to wade through thousands of people to get in. They also cost very little to attend.
Recently I was going through my vulnerability scan report and noticed one of the top 5 plugins was in regards to MS15-011. Reading through the report, it mentioned that the patch KB3000483 was installed but UNC Hardened Access was not enabled via Group Policy. After further reading of the KB article, I realized what needed to be done. Microsoft was nice enough to give some recommendations and such. So I enabled the UNC Hardened Access on the SYSVOL and NETLOGON shares for the domain. I did not do it for the file shares as we tend to use multiple OS platforms. Though I would recommend doing so if you are running in a single platform environment (All Windows).
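One way to confirm the setting actually landed on a host, as an added example rather than anything from the original post or the KB article: parse `reg query` output for the policy key behind the Hardened UNC Paths setting and report which flags are missing for SYSVOL and NETLOGON. It assumes the `\\*\<share>` value names and the RequireMutualAuthentication / RequireIntegrity flags from Microsoft's guidance; the sample output is constructed, and server-specific entries are not considered.

```python
import re

REQUIRED = ("RequireMutualAuthentication", "RequireIntegrity")
SHARES = ("SYSVOL", "NETLOGON")
ENTRY = re.compile(r"^\s+(\S+)\s+REG_SZ\s+(.*)$")

# Constructed sample of `reg query` output for the policy key behind the
# "Hardened UNC Paths" setting; NETLOGON is deliberately incomplete.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths
    \\*\SYSVOL    REG_SZ    RequireMutualAuthentication=1, RequireIntegrity=1
    \\*\netlogon    REG_SZ    RequireMutualAuthentication=1,RequireIntegrity=0
"""


def parse_entries(text):
    """Map each value name (lower-cased UNC pattern) to its flag dict."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # key header or blank line
        flags = {}
        for part in m.group(2).split(","):
            key, sep, val = part.partition("=")
            if sep:
                flags[key.strip().lower()] = val.strip()
        entries[m.group(1).lower()] = flags
    return entries


def missing_flags(text):
    """Return {share: [flags not set to 1]}; an empty list means hardened."""
    entries = parse_entries(text)
    report = {}
    for share in SHARES:
        # Simplification: only the \\*\<share> wildcard form is checked.
        flags = entries.get("\\\\*\\" + share.lower(), {})
        report[share] = [f for f in REQUIRED if flags.get(f.lower()) != "1"]
    return report
```

An empty key, which is what a patched but unconfigured machine returns, reports both flags missing for both shares.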
March is finally here! The walls of snow are melting down quickly here in New England. I can finally see grass! Well ok… it is more like torn up chunks of sod from completely missing the side walk with the snow blower, but it has remnants of grass.
During my hibernation, I remembered some conversations from the past. Mainly they had to do with “discussions” with users about their needs on their systems. They commonly revolved around the requirement of administrative rights on their local workstations. Which of course led them to believe their current user account was the one that needed those rights. Well most of us in security, as well as many others in the Systems Admin side of things, know that this is bad and should never be granted without a really good reason. But does this mean it isn’t possible to grant these users their wishes?
Head over to the meetup page for full details: http://www.meetup.com/Nutmeg-InfoSec/events/220164972/
Nothing special is scheduled so we may look at doing some planning for the future or have some open discussion.