Friday, February 15, 2019

SamSa Ransomware – Blog Week 12

For the final week, the suggested topic was much the same as the topic for the Final Reflection for the course, so I decided to write something different.  The topic for week 12 that I would like to write about is the SamSa Ransomware.

The SamSa Ransomware was also known as MSIL/Samas.A.  SamSa Ransomware appeared in the middle of the year 2016.  It hit different sectors, such as healthcare, industrial control, and government.  SamSa Ransomware exploited weaknesses in Remote Desktop Protocol (RDP) connections and JBoss systems to carry out its infections.  The majority of the victims were in the United States, with some internationally.
This is how the SamSa Ransomware worked.  It exploited Windows servers to gain persistent access to a victim’s network and infect all reachable hosts, using the JexBoss Exploit Kit to access vulnerable JBoss applications and RDP to gain access to victims’ networks.  The main methods the hackers used were brute force attacks or stolen login credentials; “cyber actors purchased several of the stolen RDP credentials from known darknet marketplaces” (US-CERT, 2018).  After gaining access to the network, the hackers escalated privileges to administrator rights, dropped malware onto the server, and ran an executable file.  These actions were performed without the victims’ notice or authorization.  SamSa Ransomware was very dangerous ransomware because it did not rely on a victim completing any action, such as opening an email, clicking on a link, or visiting a compromised website.
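
Because the entry point described above is RDP brute forcing (or a logon with a purchased credential that follows such a burst), the defensive counterpart is a detection over the Windows Security log: many failed RDP logons from one source followed by a successful one. The following is an added example, not code from the original post or from US-CERT; it runs over constructed, simplified log lines (timestamp, event ID, logon type, source, account; 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive/RDP), not real event-log output, and the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified one-line form (NOT real Windows
# Security log output). 203.0.113.7 sprays several accounts and then logs on as
# "backupsvc"; 192.0.2.10 is a normal user who mistyped a password once;
# 198.51.100.5 is a non-RDP (logon type 3) failure that this detector ignores.
SAMPLE_EVENTS = """\
2019-02-10T02:00:01 4625 type=10 src=203.0.113.7 user=administrator
2019-02-10T02:00:03 4625 type=10 src=203.0.113.7 user=admin
2019-02-10T02:00:05 4625 type=10 src=203.0.113.7 user=administrator
2019-02-10T02:00:09 4625 type=10 src=203.0.113.7 user=backup
2019-02-10T02:00:14 4625 type=10 src=203.0.113.7 user=backupsvc
2019-02-10T02:00:40 4625 type=10 src=203.0.113.7 user=backupsvc
2019-02-10T02:01:30 4624 type=10 src=203.0.113.7 user=backupsvc
2019-02-10T08:15:00 4624 type=10 src=192.0.2.10 user=jsmith
2019-02-10T08:20:00 4625 type=10 src=192.0.2.10 user=jsmith
2019-02-10T09:00:00 4625 type=3 src=198.51.100.5 user=svc1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<eid>\d{4}) type=(?P<ltype>\d+) src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def parse_events(text):
    """Parse the constructed line format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "eid": int(m["eid"]),
            "ltype": int(m["ltype"]),
            "src": m["src"],
            "user": m["user"],
        })
    return events


def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=10)):
    """Flag sources with >= threshold failed RDP logons inside `window`, and note
    whether a successful RDP logon from the same source followed the burst."""
    by_src = defaultdict(list)
    for ev in parse_events(text):
        if ev["ltype"] == 10 and ev["eid"] in (4624, 4625):   # RDP logons only
            by_src[ev["src"]].append(ev)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["eid"] == 4625]
        burst = None
        # Sliding window over failures: first window holding >= threshold failures.
        for i in range(len(failures)):
            j = i
            while j < len(failures) and failures[j]["ts"] - failures[i]["ts"] <= window:
                j += 1
            if j - i >= threshold:
                burst = (failures[i]["ts"], failures[j - 1]["ts"],
                         j - i, {f["user"] for f in failures[i:j]})
                break
        if burst is None:
            continue
        start, end, count, users = burst
        # A 4624 from the same source shortly after the burst is the high-severity case.
        success = next((e for e in evs if e["eid"] == 4624
                        and start <= e["ts"] <= end + window), None)
        findings.append({
            "src": src,
            "failed_logons": count,
            "distinct_users": len(users),
            "first_failure": start.isoformat(),
            "success_user": success["user"] if success else None,
        })
    return findings


if __name__ == "__main__":
    for f in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f)
```

In production the same logic would read Event ID 4624/4625 with LogonType 10 from the Security log (or from a SIEM), and the "burst then success" finding is the one to page on, since it is exactly the pattern behind the stolen-or-guessed RDP credentials the post describes.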

SamSa Ransomware targets big organizations.  “Network-wide infections against organizations are far more likely to garner large ransom payments than infections of individual systems. Organizations that provide essential functions have a critical need to resume operations quickly and are more likely to pay larger ransoms” (US-CERT, 2018).  SamSa Ransomware leaves ransom notes on infected computers.  If victims want to regain control of their computers/servers, they have to follow the instructions, which direct them to establish contact through a hidden service site to pay the ransom.  The hackers want the ransom in Bitcoin.  After the victim pays the ransom, the hacker sends a link for the victim to download cryptographic keys and tools to decrypt their computers/servers.

To me, ransomware is the warfare between the White Hat hackers and the Black Hat hackers.  Black Hat hackers are often criminals performing illegal activities for personal gain and attacking others.  They violate computer/server/network security for personal benefit, such as stealing credit card numbers, social security numbers, and bank accounts, or harvesting personal data for sale.   On the other hand, White Hat hackers are the opposite of the Black Hat hackers and are often known as “ethical hackers”.  Their role is to play against the Black Hat hackers: finding security holes via the same hacking methods the Black Hat hackers use, performing penetration testing, testing in-place security systems, and performing vulnerability assessments for companies with permission from those companies.

The warfare between the Black Hat hackers and White Hat hackers will never end.  It’s because both Black Hat hackers and White Hat hackers make their living by hacking.  One main difference between them is that one does the hacking for a good purpose and the other for a bad purpose.  I always have questions for the Black Hat hackers.  Black Hat hackers have good computer skills and I am sure that their skills could qualify them for many security positions in any organization.  Why do the Black Hat hackers not choose the legal ways and jobs, but go with the illegal ways?  Why can’t they become a White Hat team while they are doing pretty much the same tasks as the White Hat team?

I read the article “Black-hat hackers more daring and experienced than white-hat hackers” that was written by Steve Morgan. The article shocked me by indicating “Sixty-five percent of respondents to a poll say black hats are more experienced than white hats” (Morgan, 2017).  If this is truly the case, then there will be more viruses, ransomware, cyber-attacks, and security breaches happening in the future.  Perhaps the only way to help reduce those security issues is to have a strong White Hat team, which has more experience than the Black Hat group.  The White Hat team must be smart and at least one step ahead of the Black Hat hackers, to predict and know the hacking methods of the Black Hats so that they can prevent them.  It’s just a hypothesis and I would never think the world could stop the Black Hat hackers.  It’s the law of nature.  There are always two things that go against each other.  They are good and bad, negative and positive, hot and cold, etc.

References:
Morgan, S.  (2017, Mar 29).  Black-hat hackers more daring and experienced than white-hat hackers.  Retrieved from https://www.csoonline.com/article/3186225/leadership-management/black-hat-hackers-more-daring-and-experienced-than-white-hat-hackers.html
US-CERT.  (2018, Dec 3).  SamSam Ransomware.  Retrieved from https://www.us-cert.gov/ncas/alerts/AA18-337A

Wednesday, February 13, 2019

Action Plan – Week 10

In the week 9 and week 10 assignments, I had a chance to learn about and work on the Action Plan.  It was a step further after the Threat Analysis that was completed in the week 7 and 8 assignments.  Without the Action Plan, I think the Threat Analysis was an incomplete document for the company to mitigate its risks.  The Action Plan is an add-on task to the Threat Analysis that makes the whole document complete.

When working on the Action Plan, the most difficult part was deciding what the format of the Action Plan should look like.  What needed to be included in the Action Plan?  I had to do some research, and that study helped me to have a much better understanding of the Action Plan.   The Action Plan is a “sequence of steps that must be taken or activities that must be performed well, for a strategy to succeed. An action plan has three major elements (1) Specific tasks: what will be done and by whom. (2) Time horizon: when will it be done. (3) Resource allocation: what specific funds are available for specific activities” (BusinessDictionary, 2019).

To be more detailed, a good Action Plan consists of many steps, but each step should include the following information:
1. Actions
2. Responsible groups
3. Timeline
4. Resources, such as money and staff for making the changes
5. Communication

A good Action Plan should include the three main elements quoted above: specific tasks, timelines, and resource allocation.  The specific tasks for the case study in the class were to identify all the assets, then recognize the threats, vulnerabilities, and risks associated with each asset.  In addition, one of the most important tasks is to provide recommendations to fix the security issues, with detailed actions.  Without recommendations and detailed actions, the company would not know how to fix its security problems.  Providing the timeline for each task is also an important factor within the Action Plan.  The timeline shows when a task should be started and when it should be done.  This helps both management and technical groups to know when to start the tasks and when the tasks should be completed.  It especially helps the management group to allocate time, budget, and resources.  The last important element of the Action Plan is resource allocation.  This step helps management groups to plan for the funds and assign each task to the right group or person.

When we have a good Action Plan, it helps the organization improve security greatly.  This is because the Action Plan lists out the assets of the company.  It evaluates the threats and vulnerabilities of the assets.  It then analyzes the risks and their potential impact on the company.  After that, it provides recommendations and solutions to fix the security issues.  “An action plan is a way to make sure your organization's vision is made concrete.  It describes the way your group will use its strategies to meet its objectives” (CommunityToolBox, 2019).

So how can we make a good Action Plan?  There are three criteria that help us to make a good Action Plan.  They are: complete, clear, and current (CommunityToolBox, 2019).  Completeness means that action steps are sought in all relevant parts of the community.  Clarity means that the Action Plan is easy to understand and clearly indicates who will do what, and when.  Currency means that the Action Plan reflects the current work.

The assignments for the last four weeks were very practical and I valued them a lot.  They are all new concepts and ideas to me, so I loved learning them and I am sure they will benefit me in my future work.  I have learned much from the classes in the Cybersecurity program and I can tell that the Current Trends in CyberSecurity class is one of the most practical classes that I have had.  It is good information and very practical.

References:
BusinessDictionary.  (2019).  Action Plan.  Retrieved from http://www.businessdictionary.com/definition/action-plan.html
CommunityToolBox.  (2019).  Developing an Action Plan.  Retrieved from https://ctb.ku.edu/en/table-of-contents/structure/strategic-planning/develop-action-plans/main

Monday, February 4, 2019

Apple FaceTime Vulnerability – Week 9

The last couple of days, the TV and newspapers talked about the Apple FaceTime Vulnerability.  It was one of the security holes that Apple had in its products, such as iPhones, iPads, and Mac computers.  The vulnerability was in the Apple FaceTime application.  It allowed someone to access audio and video on another Apple device even when the recipient had not answered the call. This vulnerability applies to Apple iOS users who have Group FaceTime capability on iOS 12.1 or later.

This is how the vulnerability actually worked:

When user #1 starts a FaceTime call with user #2, while the call is still connecting, user #1 adds a person and enters their own phone number.  User #1 can then hear the audio from user #2, even when user #2 hasn’t answered.  “The problem was the result of a bug and involves Apple’s FaceTime app for placing video and audio calls over an internet connection. The bug could also give caller access to a live feed of the recipient’s camera” (Chen, 2018).

For now, Apple has disabled the Group FaceTime feature and is trying to fix the bug.  I hope that Apple can fix the bug as soon as possible and restore the Group FaceTime feature for the users.  I am not a big fan of Apple, but I am a big fan of Android.  I have a small business and I use Messenger for group chat.  Messenger has similar features to Group FaceTime and I love to use this feature to have a meeting with my employees when I am away from the office.

I come from a software development background, and when I heard about this security bug, I could tell that Apple needs to update its software development life cycle (SDLC) as soon as possible.  Their SDLC has a serious flaw.  Either their employees are not performing the tasks correctly within the SDLC, or the SDLC is missing important steps to verify the quality and security of the software.   A big, well-known company like Apple should not have this kind of bug, which led to a huge vulnerability for the customers.  Here is what I can tell Apple needs to do with its SDLC.
First, they need to create a design (general design and detailed design) with a flow diagram for the Group FaceTime feature.  A flow diagram gives senior developers, security-focused software developers, and software architects the ability to review the whole process and catch any security issue.

Second, when the developers write the code, they should understand the whole process before coding.  They should be able to catch the security issue while coding and especially while testing.  The testing done by the developer is considered unit testing, but it can catch serious defects.
Last, the Apple Quality Assurance (QA) team did a bad job.  Their test scripts, test cases, and coverage of different groups of users were not thorough.  QA plays a very important role.  They need to work with senior developers to come up with different test cases and make sure the product is free from both logical errors and security errors.
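
To make the second and third points concrete, here is what a developer unit test or QA regression test for this scenario could look like. This is an added example and is not Apple's code: it is a hypothetical, simplified model of a group-call session in which the failure class is a session-wide "the call is live" check instead of a per-party "this person has answered" check, with a buggy and a fixed variant side by side. The class names, the phone numbers and the auto-accept rule for a number already in the call are all assumptions for illustration; the actual cause in FaceTime is not known from the post.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Participant:
    number: str
    accepted: bool = False   # has this party answered / consented to join?


class CallSession:
    """Hypothetical, simplified group-call session (illustration, not Apple's code)."""

    def __init__(self, caller: str):
        self.caller = caller
        # The initiator placed the call, so they have implicitly consented.
        self.participants: List[Participant] = [Participant(caller, accepted=True)]

    def add_participant(self, number: str) -> Participant:
        # Assumed behaviour: a number that already belongs to an accepted party is
        # treated as another device of the same user and auto-accepted.
        already_accepted = any(p.number == number and p.accepted for p in self.participants)
        p = Participant(number, accepted=already_accepted)
        self.participants.append(p)
        return p

    def accept(self, number: str) -> None:
        for p in self.participants:
            if p.number == number:
                p.accepted = True

    def media_allowed_from(self, number: str) -> bool:
        raise NotImplementedError


class BuggyCallSession(CallSession):
    def media_allowed_from(self, number: str) -> bool:
        # Session-wide gate: once two accepted entries exist the call is "live"
        # and media flows from every party, whether or not that party answered.
        live = sum(p.accepted for p in self.participants) >= 2
        return live and any(p.number == number for p in self.participants)


class FixedCallSession(CallSession):
    def media_allowed_from(self, number: str) -> bool:
        # Per-party gate: media leaves a device only if THAT party has accepted.
        return any(p.number == number and p.accepted for p in self.participants)


# The regression scenario from the post, written as a test helper: the caller adds
# their own number while the callee is still ringing. Returns True if the callee's
# audio/video would be sent before the callee answered (the bug).
def callee_media_before_answer(session_cls, caller="+15550000001", callee="+15550000002"):
    s = session_cls(caller)
    s.add_participant(callee)   # callee is ringing, has not accepted
    s.add_participant(caller)   # caller adds their own number
    return s.media_allowed_from(callee)


# The normal flow must keep working after the fix: once the callee answers, both
# sides' media is allowed.
def media_after_answer(session_cls, caller="+15550000001", callee="+15550000002"):
    s = session_cls(caller)
    s.add_participant(callee)
    s.accept(callee)
    return s.media_allowed_from(caller), s.media_allowed_from(callee)


if __name__ == "__main__":
    for cls in (BuggyCallSession, FixedCallSession):
        print(cls.__name__, "leaks callee media before answer:",
              callee_media_before_answer(cls), "normal flow:", media_after_answer(cls))
```

The design point is where the check lives: the fixed variant decides per participant, using that participant's own consent, so no sequence of add/remove operations by the caller can switch another party's microphone on. A test like `callee_media_before_answer` belongs in the unit suite for the call-state code so the regression is caught before release rather than by the public.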

Depending on the product, each company will have a different acceptable defect level.  For example, if a system (software and hardware) is written for a hospital to distribute medicine to patients, the required defect acceptance level would be -0.00001% or +0.00001%.  This is because if the system distributes 1mg less or more of medicine, it could cause a serious problem for the patients.  If a system (software and hardware) is written for distributing food for pets, the required defect acceptance level could be -10% or +10%.  In this case, the defect level can be large and still acceptable, because it won’t hurt the pets when the system distributes a bit more or less food.

Back to the Apple FaceTime system.  It’s a security issue and the product serves the whole world.  Therefore, it is critical for Apple not to have this security problem.  The issue did not only hurt the customers; it also hurt Apple itself financially (the stock market went down) and hurt Apple’s reputation.

Reference:
Chen, B.  (2018, Jan 28).  FaceTime Bug Lets iPhone Users Eavesdrop, in a Stumble for Apple.  Retrieved from https://www.nytimes.com/2019/01/28/technology/personaltech/facetime-bug-iphone-hack.html