Friday, February 15, 2019

SamSa Ransomware – Blog Week 12

For the final week, the suggested topic was much the same as the topic for the Final Reflection for the course, so I decided to write about something different.  The topic I would like to write about for week 12 is the SamSa ransomware.

The SamSa ransomware is also known as MSIL/Samas.A (and, more commonly, as SamSam).  It first appeared in early 2016 and kept going through 2018.  It hit organizations in several sectors, such as healthcare, industrial control systems, and government.  The SamSa operators got in through Remote Desktop Protocol (RDP) connections protected by weak or stolen passwords and through vulnerable JBoss application servers.  The majority of the victims were in the United States, with some internationally.
This is how the SamSa ransomware worked.  The attackers compromised Windows servers to gain persistent access to a victim's network and then infected every reachable host.  They used the JexBoss exploit kit to get into vulnerable JBoss applications, and they used RDP to get into victims' networks.  With RDP, the main method was brute-force password guessing or stolen login credentials; in some cases the "cyber actors purchased several of the stolen RDP credentials from known darknet marketplaces" (US-CERT, 2018).  After gaining access to the network, the attackers escalated privileges to obtain administrator rights, dropped the malware onto the server, and ran the executable file.  All of this happened without the victims' knowledge or authorization.  SamSa was very dangerous ransomware because, unlike most ransomware, it did not rely on a victim completing an action, such as opening an email attachment, clicking on a link, or visiting a compromised website.
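The brute-force-then-login pattern described above is something a security team can look for in the Windows Security log.  The following is an added example, not code from the original post or from the US-CERT alert: it scans constructed log lines for a burst of failed RDP logons (event 4625, logon type 10) from one source address followed by a successful RDP logon (event 4624) from the same address.  The one-line key=value layout of the sample lines and the threshold and window values are assumptions made for the example; real events come as EVTX/XML with the same field names.

```python
"""Detect RDP password guessing followed by a successful RDP logon in
Windows Security-log events, the pattern the US-CERT SamSam alert
describes.  Added example, not code from the original post or from any
vendor.  The log lines below are constructed, and the simplified one-line
key=value layout is an assumption; real events are EVTX/XML with the same
field names (EventID, LogonType, TargetUserName, IpAddress)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Constructed sample.  EventID 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive (RDP).  Times are UTC.
SAMPLE_LOG = """\
2018-11-02T03:14:01Z EventID=4625 LogonType=10 User=administrator SrcIP=198.51.100.7
2018-11-02T03:14:03Z EventID=4625 LogonType=10 User=admin SrcIP=198.51.100.7
2018-11-02T03:14:04Z EventID=4625 LogonType=2 User=jdoe SrcIP=10.0.0.9
2018-11-02T03:14:06Z EventID=4625 LogonType=10 User=backup SrcIP=198.51.100.7
2018-11-02T03:14:09Z EventID=4625 LogonType=10 User=administrator SrcIP=198.51.100.7
2018-11-02T03:14:12Z EventID=4625 LogonType=10 User=sqlsvc SrcIP=203.0.113.4
2018-11-02T03:14:15Z EventID=4625 LogonType=10 User=administrator SrcIP=198.51.100.7
2018-11-02T03:14:20Z EventID=4624 LogonType=10 User=jdoe SrcIP=10.0.0.5
2018-11-02T03:14:31Z EventID=4625 LogonType=10 User=administrator SrcIP=198.51.100.7
2018-11-02T03:15:02Z EventID=4624 LogonType=10 User=administrator SrcIP=198.51.100.7
"""


@dataclass
class Event:
    ts: datetime
    event_id: int
    logon_type: int
    user: str
    src_ip: str


def parse_line(line: str) -> Event:
    """Parse one constructed key=value log line into an Event."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(
        ts=datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
        event_id=int(kv["EventID"]),
        logon_type=int(kv["LogonType"]),
        user=kv["User"],
        src_ip=kv["SrcIP"],
    )


def parse_log(text: str) -> List[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return one finding per source IP that produced at least `threshold`
    failed RDP logons inside `window`.  If a successful RDP logon from the
    same IP arrives after the burst, the finding records it: that is the
    guess-then-login pattern, and the account named in the 4624 is the one
    to treat as compromised."""
    recent = defaultdict(list)   # src_ip -> failure timestamps inside the window
    tried = defaultdict(set)     # src_ip -> account names guessed
    total = defaultdict(int)     # src_ip -> all RDP failures seen
    findings = {}                # src_ip -> finding dict
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.logon_type != 10:
            continue             # only RemoteInteractive (RDP) logons
        if e.event_id == 4625:
            q = recent[e.src_ip]
            q.append(e.ts)
            while q and e.ts - q[0] > window:    # slide the window forward
                q.pop(0)
            tried[e.src_ip].add(e.user)
            total[e.src_ip] += 1
            if len(q) >= threshold and e.src_ip not in findings:
                findings[e.src_ip] = {
                    "src_ip": e.src_ip,
                    "burst_at": e.ts,
                    "success_after_burst": None,
                }
            if e.src_ip in findings:
                findings[e.src_ip]["failures"] = total[e.src_ip]
                findings[e.src_ip]["users_tried"] = sorted(tried[e.src_ip])
        elif e.event_id == 4624 and e.src_ip in findings:
            f = findings[e.src_ip]
            if f["success_after_burst"] is None and e.ts >= f["burst_at"]:
                f["success_after_burst"] = {"at": e.ts, "user": e.user}
    return list(findings.values())


if __name__ == "__main__":
    for finding in detect_rdp_bruteforce(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample the single finding names the source address, the three accounts that were guessed, and the account that finally succeeded; that last account is the one to disable and investigate first, since the next SamSa step is privilege escalation and spreading from it.  The threshold and window are tuning knobs: a threshold larger than the burst suppresses the finding, which is the trade-off between noise and missed slow guessing.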

SamSa ransomware targets large organizations.  “Network-wide infections against organizations are far more likely to garner large ransom payments than infections of individual systems. Organizations that provide essential functions have a critical need to resume operations quickly and are more likely to pay larger ransoms” (US-CERT, 2018).  SamSa leaves ransom notes on infected computers.  If a victim wants to regain control of the computers/servers, they have to follow the instructions, which direct them to establish contact through a Tor hidden service site to pay the ransom.  The attackers want the ransom in Bitcoin.  After the victim pays, the attacker sends a link to download the cryptographic keys and tools to decrypt the computers/servers.

To me, ransomware is part of the warfare between White Hat hackers and Black Hat hackers.  Black Hat hackers are criminals who perform illegal activities for personal gain and attack others.  They violate the security of computers, servers, and networks for personal benefit, such as stealing credit card numbers, social security numbers, and bank accounts, or harvesting personal data for sale.  White Hat hackers, on the other hand, are the opposite of Black Hat hackers and are often known as “ethical hackers”.  Their role is to work against the Black Hat hackers: finding security holes using the same hacking methods the Black Hats use, performing penetration tests, testing the security systems already in place, and performing vulnerability assessments for companies, with the companies' permission.

The warfare between Black Hat hackers and White Hat hackers will never end, because both make their living by hacking.  One main difference between them is that one does the hacking for a good purpose and the other for a bad purpose.  I always have questions for the Black Hat hackers.  Black Hat hackers have good computer skills, and I am sure those skills would qualify them for many security positions in any organization.  Why do the Black Hat hackers not choose the legal way and legal jobs, but go the illegal way instead?  Why can't they join a White Hat team, when they are doing pretty much the same tasks as the White Hat team?

I read the article “Black-hat hackers more daring and experienced than white-hat hackers”, written by Steve Morgan.  The article shocked me by stating that “Sixty-five percent of respondents to a poll say black hats are more experienced than white hats” (Morgan, 2017).  If this is true, then there will be more viruses, ransomware, cyber-attacks, and security breaches in the future.  Perhaps the only way to reduce those security issues is to have a strong White Hat team with more experience than the Black Hat group.  The White Hat team must be smart and at least one step ahead of the Black Hat hackers, able to predict and understand their hacking methods so that they can prevent them.  This is just a hypothesis, and I do not think the world could ever stop the Black Hat hackers.  It's a law of nature: there are always two things that go against each other, such as good and bad, negative and positive, hot and cold.

Reference:
Morgan, S.  (2017, Mar 29).  Black-hat hackers more daring and experienced than white-hat hackers.  Retrieved from https://www.csoonline.com/article/3186225/leadership-management/black-hat-hackers-more-daring-and-experienced-than-white-hat-hackers.html

US-CERT.  (2018, Dec 3).  SamSam Ransomware.  Retrieved from https://www.us-cert.gov/ncas/alerts/AA18-337A

Wednesday, February 13, 2019

Action Plan – Week 10

In the week 9 and week 10 assignments, I had a chance to learn about and work on the Action Plan.  It was a step further after the Threat Analysis completed in the week 7 and 8 assignments.  Without the Action Plan, I think the Threat Analysis is an incomplete document for the company to use to mitigate its risks.  The Action Plan is an add-on to the Threat Analysis that makes the whole document complete.

When working on the Action Plan, the most difficult part was figuring out what an Action Plan should look like and what it needs to include.  I had to do some research, and the study gave me a much better understanding of the Action Plan.  An Action Plan is a “sequence of steps that must be taken or activities that must be performed well, for a strategy to succeed. An action plan has three major elements (1) Specific tasks: what will be done and by whom. (2) Time horizon: when will it be done. (3) Resource allocation: what specific funds are available for specific activities” (BusinessDictionary, 2019).

To be more specific, a good Action Plan consists of many steps, and each step should include the following information:
1. Actions
2. Responsible groups
3. Timeline
4. Resources, such as money and staff for making the changes
5. Communication

A good Action Plan should include the three main elements above: specific tasks, timelines, and resource allocation.  The specific tasks for the class case study were to identify all the assets, then recognize the threats, vulnerabilities, and risks associated with each asset.  In addition, one of the most important tasks is to provide recommendations to fix the security issues, with detailed actions.  Without recommendations and detailed actions, the company would not know how to fix its security problems.  Providing a timeline for each task is also an important part of the Action Plan.  The timeline shows when each task should be started and when it should be done, so both management and technical groups know when to start and when to finish.  It especially helps the management group allocate time, budget, and resources.  The last important element of the Action Plan is resource allocation.  This step helps management plan the funds and assign each task to the right group or person.

A good Action Plan helps the organization improve its security greatly, because the Action Plan lists the company's assets, evaluates the threats and vulnerabilities to those assets, analyzes the risks and their potential impact on the company, and then provides recommendations and solutions to fix the security issues.  “An action plan is a way to make sure your organization's vision is made concrete.  It describes the way your group will use its strategies to meet its objectives” (CommunityToolBox, 2019).

So how can we make a good Action Plan?  There are three criteria: it should be complete, clear, and current (CommunityToolBox, 2019).  Completeness means the plan lists all the action steps to be taken in all relevant parts of the organization (the Community Tool Box, written for community groups, says “community”).  Clarity means the plan is easy to understand and clearly states who does what, and when.  Currency means the plan reflects the current work and is updated as the work changes.

The assignments for the last four weeks were very practical and I valued them a lot.  They were all new concepts and ideas to me, so I loved learning them, and I am sure they will benefit me in my future work.  I have learned a lot from the classes in the Cybersecurity program, and I can tell that the Current Trends in CyberSecurity class is one of the most practical classes I have had.  It is good information and very practical.

References:
BusinessDictionary.  (2019).  Action Plan.  Retrieved from http://www.businessdictionary.com/definition/action-plan.html
CommunityToolBox.  (2019).  Developing an Action Plan.  Retrieved from https://ctb.ku.edu/en/table-of-contents/structure/strategic-planning/develop-action-plans/main

Monday, February 4, 2019

Apple FaceTime Vulnerability – Week 9

For the last couple of days, the TV and the newspapers have been talking about the Apple FaceTime vulnerability.  It was a security hole in Apple's products, such as iPhones, iPads, and Mac computers.  The vulnerability was in the FaceTime application.  It allowed a caller to hear audio, and in some cases see video, from another Apple device even when the recipient had not answered the call.  It affected devices with the Group FaceTime capability, i.e. iOS 12.1 or later and the Mac versions that support Group FaceTime.

This is how the vulnerability actually worked:

User #1 starts a FaceTime call with user #2.  While the call is still ringing, user #1 adds a person to the call and enters their own phone number.  User #1 can then hear the audio from user #2, even though user #2 has not answered.  “The problem was the result of a bug and involves Apple’s FaceTime app for placing video and audio calls over an internet connection. The bug could also give caller access to a live feed of the recipient’s camera” (Chen, 2019).

For now, Apple has disabled the Group FaceTime feature on its servers while it fixes the bug.  I hope Apple can fix the bug as soon as possible and bring Group FaceTime back for users.  I am not a big fan of Apple, but I am a big fan of Android.  I have a small business and I use Messenger for group chat.  Messenger has features similar to Group FaceTime, and I love using them to hold a meeting with my employees when I am away from the office.

I come from a software development background, and when I heard about this security bug, I could tell that Apple needs to update its software development life cycle (SDLC) as soon as possible.  Their SDLC has a serious gap.  Either their employees are not performing the tasks correctly within the SDLC, or the SDLC is missing important steps for verifying the quality and security of the software.  A big, well-known company like Apple should not ship this kind of bug, which exposes its customers to a huge vulnerability.  Here is what I think Apple needs to do with its SDLC.
First, they need to create a design (general design and detailed design) with a flow diagram for the Group FaceTime feature.  A flow diagram gives senior developers, security-focused developers, and software architects the ability to review the whole process and catch security issues before any code is written.  In this case the question to ask at design time is what happens when a participant adds a number that already belongs to the call, including the caller's own.

Second, when the developers write the code, they understand the whole process before coding and should be able to catch the security issue while coding, and especially while testing.  Testing by the developer is considered unit testing, but it can catch serious defects.
Last, Apple's Quality Assurance (QA) team did a bad job.  Their test scripts, test cases, and test groups of users were not thorough.  QA plays a very important role.  They need to work with senior developers to come up with different test cases, including abuse cases such as adding yourself to a call you started, and make sure the product is free of both logic errors and security errors.

Depending on the product, each company will have a different acceptable defect rate.  For example, if a system (software and hardware) is written for a hospital to dispense medicine to patients, the acceptable tolerance might be -0.00001% or +0.00001%, because if the system dispenses 1 mg more or less of a medicine, it could cause a serious problem for the patient.  If a system (software and hardware) is written for dispensing food to pets, the acceptable tolerance could be -10% or +10%.  In this case the deviation can be large and still acceptable, because it won't hurt the pets if the system dispenses a bit more or less food.

Back to the Apple FaceTime system.  It is a security issue, and the product serves the whole world, so it is critical for Apple not to have this kind of security problem.  The issue did not only hurt the customers; it also hurt Apple financially (its stock price went down) and damaged Apple's reputation.


Reference:

Chen, B.  (2019, Jan 28).  FaceTime Bug Lets iPhone Users Eavesdrop, in a Stumble for Apple.  Retrieved from https://www.nytimes.com/2019/01/28/technology/personaltech/facetime-bug-iphone-hack.html

Tuesday, January 29, 2019

Dharma Ransomware Attack - Week 8


A ransomware attack is one of the most critical security incidents.  Here is some general information about ransomware.

  •  It infects computers when a user clicks an unsafe link or downloads an unsafe program.  These can arrive through e-mail, torrents, botnets, or other forms of transmission.
  •  Wiping the drive, flashing the BIOS, or returning to a prior restore point may remove the malware itself, but it does not recover the encrypted files: without the decryption key they stay encrypted.
  •  Ransomware typically encrypts the user's files and then makes a ransom demand, while a unique decryption key is created and stored on the attacker's servers.  “If the ransom is not paid in time, or if any attempt to alter the program directly is made, the decryption key is permanently deleted, rendering all encrypted files inaccessible. If the ransom is paid in time, the decryption key is transferred and the files will be decrypted” (Alvarez, 2019).


In December 2018, a ransomware family dubbed Phobos exploited open or poorly secured remote desktop protocol (RDP) ports.  It snuck inside networks, encrypted files, and demanded a ransom paid in bitcoin to return the files.  Researchers believe the group behind Phobos is the same group that created the Dharma ransomware.  “Phobos also contains elements of CrySiS ransomware — also related to Dharma — with anti-virus software detecting Phobos as CrySiS. The ransomware's file markers also differentiate it from Dharma. However, the attack methods and threat remain the same” (Palmer, 2019).  With so many similarities in the attack, researchers believed that Phobos ransomware was just a modification of Dharma ransomware.

The Dharma ransomware attack happened on September 3, 2018, about three months before Phobos appeared.  Dharma hit the Altus Baytown Hospital (ABH).  It got into the ABH network with malicious code and infected the hospital's systems.  The Dharma ransomware encrypted files and then demanded a ransom payment in return for access.  The files “included files containing patient information such as names, home addresses, dates of birth, social security numbers, driver license numbers, credit card information, phone numbers, and medical data” (Osborne, 2018).

The world will continue to deal with more data breaches and cyber attacks.  Therefore, it is each business's responsibility to prepare for and prevent as many security issues as possible.  Building and maintaining a strong, secure network costs a business quite a bit of money and effort.  If a company doesn't have enough funds for security, it can consider the following options:

1.    Cloud solution: These are services that provide computing resources for a business.  They can include everything from applications to the data center itself, and the provider's infrastructure is designed and secured by dedicated security staff.  The customer is still responsible for securing its own data, accounts, and configuration on top of that platform.  The service is delivered mainly over the internet on a pay-per-use basis.

2.    Pay-as-you-go model: “One major benefit of the pay-as-you-go method is that there are no wasted resources, since users only pay for services procured, rather than provisioning for a certain amount of resources that may or may not be used. With traditional enterprise design, users architect data storage to handle the maximum workload. But with the public cloud, the pay-as-you-go method allows you to be charged only for what you store” (Rouse, 2015).


Reference:
Alvarez.  (2019).  Ransomware – What Is It and What Is Its impact.  Retrieved from https://www.alvareztg.com/ransomware-what-is-it-and-what-is-its-impact/
Osborne, C.  (2018, Nov 19).  Texas hospital becomes victim of Dharma ransomware.  Retrieved from https://www.zdnet.com/article/texas-hospital-becomes-victim-of-ransomware-patient-data-potentially-leaked/
Palmer, D.  (2019, Jan 21).  New Phobos ransomware exploits weak security to hit targets around the world.  Retrieved from https://www.zdnet.com/article/new-phobos-ransomware-exploits-weak-security-to-hit-targets-around-the-world/

Rouse, M.  (2015).  Pay-as-you-go cloud computing (PAYG cloud computing).  Retrieved from https://searchstorage.techtarget.com/definition/pay-as-you-go-cloud-computing-PAYG-cloud-computing

Thursday, January 24, 2019

Recap for the first half of the Class - Week 7


For the last six weeks, I have had a chance to learn real, practical lessons in cybersecurity.  In the first two weeks, I learned how to create a Threat Model Process.  In the next two weeks, I learned how to use a threat modeling tool.  In the last two weeks, I learned how to perform a system analysis for a case study.

I had no experience with the Threat Model Process.  While creating one, I had a chance to study, do research, read other classmates' work, and get valuable feedback from the professors and classmates, which gave me a good understanding of the Threat Model Process.  Each enterprise has a different type of business, and each business requires different security controls.  I believe that if a company can come up with its own Threat Model Process, reviewed by experienced security experts, then the company can use that process to identify all the threats, vulnerabilities, and risks within the organization, monitor them, and mitigate them.  With a good Threat Model Process, seriously practiced, a company should have a low number of security issues.

A threat modeling tool is a tool used to perform a systematic analysis of attack vectors.  Through the homework and exercises for the class, I was able to search for, learn about, and compare many different threat modeling tools, such as:

•    securiCAD by foreseeti – It “is a threat modeling and risk management tool that enables you, the user, to get a holistic understanding of your IT infrastructure, incorporating risks from both structural and technical vulnerabilities” (Kumar, 2013)
•    ThreatModeler – A tool that helps to “Identify, predict and define threats across the entire attack surface to make proactive security decisions and minimize overall risk” (Threat Modeler, 2019)
•    IriusRisk – “this tool helps create a threat model and derive security requirements in no time using a straightforward questionnaire based system” (Kumar, 2013)
•    SD Elements by Security Compass – It is “An Advanced Automation Platform that Builds Security, Compliance, and Policy into Applications” (SecurityCompass, 2019)
•    Microsoft Threat Modeling Tool 2016 – A free tool from Microsoft.  You draw a data-flow diagram of the system and it generates STRIDE threats from the diagram; it is one of the best tools to help an organization get started with threat modeling.

I had no experience performing a system analysis before.  I come from a software development background and have done a lot of design documents for various projects, but system analysis was a new concept for me.  Through the assignments for the last two weeks, I had a chance to perform a system analysis for a case study.  It was a good learning lesson.  Reading the assignment, reviewing other classmates' work, and especially the feedback from the professor gave me a good understanding of how to perform a system analysis.  For example, when performing a system analysis for a company, I should identify all the current assets, processes, and policies within the IT environment, explain their function, and explain the effect if something bad happens to them.  A system analysis should be succinct, and all the complicated technical terms must be translated into common business terms so that the readers, mostly executives, can understand it.

So far, I really enjoy this class.  It gives me deeper knowledge and practical exercises in threat and vulnerability analysis.  I am looking forward to the second half of the class, to continue learning more about security and the different aspects of the cybersecurity field.

Reference:
Kumar, A.  (2013, Dec 7).  List of Threat Modeling Tools.  Retrieved from https://vitalflux.com/list-of-threat-modeling-tools/

Threat Modeler.  (2019).  An automated threat modeling solution that secures and scales the enterprise software development life cycle.  Retrieved from https://threatmodeler.com/


SecurityCompass.  (2019).  SD Element.  Retrieved from https://www.securitycompass.com/sdelements/

Wednesday, January 16, 2019

Aadhaar - Biggest Data Breach in 2018 - Week 6


Data breaches are a security threat that will continue to grow.  Hackers try to make money from the data they steal.  This threat does not only hurt businesses; it also hurts customers and citizens.  The following was the biggest data breach of last year, 2018.

The Aadhaar data breach happened in India.  It exposed the Indian national ID database, which holds identifying and biometric information on more than 1.1 billion registered Indian citizens (Whittaker, 2018).  Citizens who register with the Indian government, including their fingerprints and other biometric data, use their Aadhaar number to open bank accounts, buy a phone SIM card, enroll for utilities, use basic government services, and receive state aid or financial assistance.

According to ZDNet, the hole was in a state-owned utility company's website, which had “access to the Aadhaar database through an API, which the company relies on to check a customer's status and verify their identity” (Whittaker, 2018).  The API (Application Programming Interface) was not secured and had no real access control, which left a hole that allowed anyone to retrieve private data on any Aadhaar holder.  “The affected endpoint used a hardcoded access token, which, when decoded, translates to ‘INDAADHAARSECURESTATUS,’ allowing anyone to query Aadhaar numbers against the database without any additional authentication” (Whittaker, 2018).  In other words, the “secret” was the same for every caller and was embedded in the endpoint itself, so it identified nobody and could not be revoked for one abuser without breaking every legitimate user at once.

Another security issue with the API was that “the API didn't have any rate limiting in place, allowing an attacker to cycle through every permutation -- potentially trillions -- of Aadhaar numbers and obtain information each time a successful result is hit” (Whittaker, 2018).  This allowed an attacker to send thousands of requests to the database every minute and collect a record each time a number matched.  Together, the two flaws put the records of all 1.1 billion Aadhaar holders at risk.
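To make the two API flaws concrete, here is an added example that is not the real Aadhaar or utility-company code and not from the original post: a toy status endpoint with a single hard-coded token and no rate limit, next to a hardened version that issues each client its own secret, compares it in constant time, applies a per-client token bucket, and returns only a yes/no instead of the holder's record.  The record store, client registry, limits, and request shape are assumptions made for the example; the token string is the decoded value quoted by ZDNet.

```python
"""A status-lookup endpoint with the two flaws the ZDNet report describes
(one hard-coded token shared by every caller, no rate limiting) beside a
hardened version.  Added example, not the real Aadhaar or utility-company
API and not anyone's production code; the record store, client registry,
limits, and request/response shape are assumptions for illustration."""
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed records keyed by a 12-digit identifier (fake data).
RECORDS = {
    "123456789012": {"name": "A. Example", "phone": "+91-00000-00001", "postcode": "110001"},
    "123456789020": {"name": "B. Example", "phone": "+91-00000-00002", "postcode": "400001"},
}
BASE_ID = 123456789000   # where the constructed enumeration starts


# --- Vulnerable version (the shape ZDNet reported) --------------------------
HARDCODED_TOKEN = "INDAADHAARSECURESTATUS"   # decoded token quoted by ZDNet


def vulnerable_status(token: str, uid: str) -> Optional[dict]:
    """One shared token, no per-client identity, no rate limit, and the
    whole record comes back on a hit."""
    if token != HARDCODED_TOKEN:
        return None
    return RECORDS.get(uid)


def attack_vulnerable(count: int) -> int:
    """Attacker loop: walk `count` consecutive ids and harvest records."""
    harvested = 0
    for i in range(count):
        if vulnerable_status(HARDCODED_TOKEN, str(BASE_ID + i)) is not None:
            harvested += 1
    return harvested


# --- Hardened version ------------------------------------------------------
class RateLimiter:
    """Token bucket per client key: `capacity` requests in a burst, then
    `refill_per_sec` more per second.  Time is passed in so it is testable."""

    def __init__(self, capacity: int, refill_per_sec: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self._state: Dict[str, Tuple[float, float]] = {}   # key -> (tokens, last)

    def allow(self, key: str, now: float) -> bool:
        tokens, last = self._state.get(key, (float(self.capacity), now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill_per_sec)
        if tokens < 1.0:
            self._state[key] = (tokens, now)
            return False
        self._state[key] = (tokens - 1.0, now)
        return True


class HardenedStatusService:
    def __init__(self, capacity: int = 10, refill_per_sec: float = 0.1):
        self._keys: Dict[str, str] = {}       # client_id -> that client's secret
        self._limiter = RateLimiter(capacity, refill_per_sec)
        self.audit = []                         # (now, client_id, outcome)

    def register_client(self, client_id: str) -> str:
        """Issue a per-client secret so access can be attributed and revoked."""
        key = secrets.token_hex(32)
        self._keys[client_id] = key
        return key

    def status(self, client_id: str, key: str, uid: str, now: float) -> dict:
        expected = self._keys.get(client_id, "")
        # constant-time compare; an unknown client gets the same 401 as a bad key
        if not expected or not hmac.compare_digest(expected.encode(), key.encode()):
            self.audit.append((now, client_id, "auth_failed"))
            return {"status": 401}
        if not self._limiter.allow(client_id, now):
            self.audit.append((now, client_id, "rate_limited"))
            return {"status": 429}
        if not (len(uid) == 12 and uid.isdigit()):
            return {"status": 400}
        self.audit.append((now, client_id, "ok"))
        # A status check needs a yes/no, not the holder's name and phone.
        return {"status": 200, "active": uid in RECORDS}


def attack_hardened(service: HardenedStatusService, client_id: str, key: str,
                    count: int, now: float = 0.0) -> Tuple[int, int]:
    """The same enumeration against the hardened service at one instant:
    returns (records confirmed, requests refused by the rate limiter)."""
    hits = limited = 0
    for i in range(count):
        r = service.status(client_id, key, str(BASE_ID + i), now)
        if r["status"] == 429:
            limited += 1
        elif r["status"] == 200 and r["active"]:
            hits += 1
    return hits, limited


if __name__ == "__main__":
    print("vulnerable:", attack_vulnerable(1000), "records harvested")
    svc = HardenedStatusService()
    k = svc.register_client("partner-1")
    print("hardened (hits, rate-limited):", attack_hardened(svc, "partner-1", k, 1000))
```

Against the weak endpoint the enumeration loop harvests every record in the range it walks, names and phone numbers included.  Against the hardened one, the same loop at the same instant gets ten answers and then nothing but 429s, and every refusal is attributed to a named client in `audit`, which is what lets the operator revoke that one client's key rather than take the whole API down.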

Not only hackers, but anyone with some knowledge of the API could access the government's data.  In a separate incident reported earlier in 2018, access was even being sold: “The Tribune newspaper said its reporters were able to access names, email addresses, phone numbers, and postal codes by typing in 12-digit unique identification numbers of people in the government's database, after paying an individual about $8. For another $5, the newspaper said, the individual offered reporters software to print out unique identification cards, called Aadhaar cards, that can be used to access various government services including fuel subsidies and free school meals” (Doshi, 2018).

Regarding a data breach, each country and business may react and solve the problem differently.  I can tell that in the US, the government, businesses, and the private sector respond to a data breach very quickly and effectively.  In India, “the Indian authorities did nothing for weeks to fix the flaw” (Whittaker, 2018).  Why did the Indian government and authorities respond so slowly to the Aadhaar data breach?  Do you think it is because the breach happened to public property, not to the private sector?

When it comes to public versus private property, I often see people treat them differently.  People often use public property improperly and carelessly, and waste a lot.  For example, I have seen people who work for a government office print thousands of pages for a project when the document was not yet final.  Someone later reprinted the document after it was fixed.  Now I am working for a small private company.  My manager, the owner of the company, even suggested that I not print any document that can be shared by email.  Not only printing: the company uses any office equipment or office supplies wisely.

Back to the Aadhaar data breach, I think this security breach happened because the property belongs to the public.  People often don't pay special attention to public property, and the way people handle and maintain it often gets less attention.  The Aadhaar data breach is a clear example.  “ZDNet spent more than a month trying to contact the Indian authorities -- including the Indian government's National Informatics Centre. Nobody responded to our repeated emails” (Whittaker, 2018).

Here are a couple of questions I would like to ask the readers.  Do you have friends or relatives who currently work for a city or state office in the US?  Do you think they have a lot of work to do?  Do you think they spend their time wisely at work?  Do you think they use public property correctly?

Reference:
Doshi, V.  (2018, Jan 4).  A security breach in India has left a billion people at risk of identity theft.  Retrieved from  https://www.washingtonpost.com/news/worldviews/wp/2018/01/04/a-security-breach-in-india-has-left-a-billion-people-at-risk-of-identity-theft/?noredirect=on&utm_term=.8209a3b1185d

Whittaker, Z.  (2018, Mar 23).  A new data leak hits Aadhaar, India's national ID database.  Retrieved from  https://www.zdnet.com/article/another-data-leak-hits-india-aadhaar-biometric-database/  

Tuesday, January 8, 2019

Spoofing Threat - Week 5

From the readings and lessons of the last couple of weeks, I had a chance to learn about the STRIDE model.  This model was developed by Microsoft to help security engineers understand and classify threats.  Each letter of STRIDE represents one type of threat, as follows:

S stands for Spoofing, which is pretending to be something or someone you're not.

T stands for Tampering, which is modifying something you're not supposed to modify.

R stands for Repudiation, which is claiming you didn't do something (or weren't responsible for it).

I stands for Information Disclosure, which is exposing information to people who are not authorized to see it.

D stands for Denial of Service, an attack that prevents valid users from using the system, for example by flooding it until it runs out of a critical resource and can no longer serve anyone, valid or not.

E stands for Elevation of Privilege, which is a program or person doing something they are not authorized to do, such as an ordinary user gaining administrator rights.

In this post I am going to talk about the first threat, Spoofing.  As mentioned above, Spoofing is the threat of someone pretending to be something or someone they are not.  Most security systems rely on identifying and authenticating users.  How can the security system tell whether a user is who they claim to be?  For example, if student A logs into the class website using student B's credentials, the system sees a valid password and accepts the login; it cannot tell that the person behind the keyboard is not student B.  In this case I would say the security system has failed.

We are living in the age of technology, which helps many businesses expand their services and grow their number of customers quickly and successfully.  For example, many companies take advantage of technology to sell online.  Amazon is one of the most successful examples.  Almost every other big brand has also expanded its business and services online, such as Best Buy, Walmart, Target, and Sears, and many universities too.  Twenty years ago, online classes were hardly available, but now they are common and let both students and professors learn and teach at the most convenient time.  Now, here is a different type of Spoofing threat that I would like to bring up and put as a challenge to all universities, including Bellevue University.

How do you know that the student taking an online class is really the one doing all the assignments, quizzes, and exams?  For example, a student can "hire" someone to do all the work for them, including the weekly posts, assignments, and tests.  The student gives their login credentials to the person they hired, who then logs into the class website and performs all the work.  In this case, how can the school, the security system, and the professors tell whether the user is the real, authorized student?

I bring this concern up and ask you, as a reader, a question.  Do you think this is a Spoofing threat?  If you think it is, what do you think are the best ways to defend against it?  When I was thinking about this threat, I had two different thoughts.  First, an online class might not reflect the true quality and value of the student.  Second, the online program has a security hole.  With that in mind, how do you think these security issues could be fixed?

Here is one way to address this threat that I could think of.  Each week, a professor could schedule a 30-minute online face-to-face meeting with each student through a webcam to review the material and test the student.  I personally like the SYNC & Telephone meeting option that the Writing Center has.  This option allows students and the Writing Center staff to talk face to face about papers.  Bellevue University should also make this option available for professors and students to meet online face to face and review the material.  Professors could use the SYNC & Telephone meeting option to test students on the lessons they teach.  When taking exams, students would also log into the SYNC & Telephone meeting and take the test with verification from the professor or other school staff.

The above is one specific Spoofing threat, which may be very different from the Spoofing threats in information technology.  Do you think it is a Spoofing threat?  It could be a threat that the school and professors have not thought about.  I hope it never happens, but if it does, how could the school handle it?

Reference:

Shostack, A.  (2014).  Threat Modeling: Designing for Security (p. 10).  Wiley.  Kindle Edition.