Announcing CVE-2018-12076

I am announcing a vulnerability that I found in the UPC bar code of the Avanti Markets MarketCard that could allow an unauthenticated, local attacker to access funds within the customer’s MarketCard balance, and also could lead to Customer Information Disclosure.

The data (as submitted to Mitre) is below:

Vulnerability Announcement

Suggested description

A vulnerability in the UPC bar code of the Avanti Markets MarketCard could allow an unauthenticated, local attacker to access funds within the customer’s MarketCard balance, and also could lead to Customer Information Disclosure. The vulnerability is due to lack of proper validation of the UPC bar code present on the MarketCard. An attacker could exploit this vulnerability by generating a copy of a customer’s bar code. An exploit could allow the attacker to access all funds located within the MarketCard or allow unauthenticated disclosure of information.

Additional Information

This can be a serious vulnerability as it allows an attacker to directly steal funds from a MarketCard Customer. The fix for this vulnerability could be a simple dual authentication from the Customer at time of purchase from the Avanti Markets via Google Authenticator.

Vulnerability Type

Incorrect Access Control

Vendor of Product

Avanti Markets

Affected Product Code Base

Avanti MarketCard – All versions are affected

Affected Component

Avanti Markets MarketCard Authentication

Attack Type

Physical

Impact Information Disclosure

True

Attack Vectors

To exploit this vulnerability an attacker must generate a Bar-Code with the “UPC A” format of the Customer’s MarketCard.

Has vendor confirmed or acknowledged the vulnerability?

True

Discoverer

Trae Horton

Remediation

Avanti Markets has implemented a PIN to act with the MarketCard to successfully implement 2FA.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12076

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12076

 

PowerShell Anti-Virus with VirusTotal API

tl;dr We use PowerShell to continuously monitor any executed .exe files, then get the file locations and pass them to the VirusTotal API to get a virus report. We use an “if else” statement to decide whether to alert our “Security Team” and to remove that file from Windows. The advantage of this script is that it lets the user check against the vast amount of data in the VirusTotal database in an automated fashion. Make sure you change the variables in the Readme for PowerAV.ps1.

PowerAV is a PowerShell script designed to monitor your system processes and send hash data to the VirusTotal cloud for analysis. This information can be very valuable for your SOC (Security Operations Center). The idea would be to convert this PowerShell script to a thin client that runs as a background process and monitors processes once they are triggered. This script would trip an email alert once malware was executed; see below for a screenshot of what a typical alert might look like.

Email sent from PowerAV

PowerShell — PowerAV.ps1

The PowerShell script is made of three major sections.

  1. Get-VirusTotalReport — Querying VirusTotal service using PowerShell (Get-VirusTotalReport from Microsoft)
  2. Setting PowerShell Variables
  3. Execute the Alert
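The three sections described above, sketched as an added example (this is not PowerAV.ps1 or the author's code). It assumes the VirusTotal v3 file-report endpoint, a hypothetical API key in $env:VT_API_KEY, a detection threshold of 3 engines and two constructed sample reports so the decision logic runs offline; it alerts only and does not delete anything.

```powershell
# Added example, not PowerAV.ps1. The API key variable, the detection threshold
# and the sample reports below are assumptions/constructed values.
$ErrorActionPreference = 'Stop'
$script:Seen = @{}   # SHA-256 -> verdict, so each binary costs one API call

function Get-VtVerdict {
    # Maps a VirusTotal v3 file report ($null = hash not in VirusTotal) to a verdict.
    param($Report, [int]$Threshold = 3)
    if ($null -eq $Report) { return 'Unknown' }   # "never seen" is not "clean"
    $stats = $Report.data.attributes.last_analysis_stats
    if ($stats.malicious -ge $Threshold) { return 'Malicious' }
    if (($stats.malicious + $stats.suspicious) -gt 0) { return 'Suspicious' }
    return 'Clean'
}

function Get-VtFileReport {
    # Looks the hash up; only the hash leaves the host, never the file itself.
    param([string]$Sha256, [string]$ApiKey)
    try {
        Invoke-RestMethod -Uri "https://www.virustotal.com/api/v3/files/$Sha256" `
            -Headers @{ 'x-apikey' = $ApiKey }
    } catch {
        $resp = $_.Exception.Response
        if ($resp -and [int]$resp.StatusCode -eq 404) { return $null }
        throw   # quota, auth or network errors must not be read as a verdict
    }
}

function Test-StartedExecutable {
    # Hashes one executable and returns its (cached) verdict.
    param([string]$Path, [string]$ApiKey)
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if (-not $script:Seen.ContainsKey($hash)) {
        $report = Get-VtFileReport -Sha256 $hash -ApiKey $ApiKey
        $script:Seen[$hash] = Get-VtVerdict $report
    }
    [pscustomobject]@{ Path = $Path; Sha256 = $hash; Verdict = $script:Seen[$hash] }
}

function Start-ProcessWatch {
    # Polls WMI every 2 seconds for new processes and checks each .exe once.
    param([string]$ApiKey)
    $query = "SELECT * FROM __InstanceCreationEvent WITHIN 2 " +
             "WHERE TargetInstance ISA 'Win32_Process'"
    Register-CimIndicationEvent -Query $query -SourceIdentifier 'VtWatch' | Out-Null
    try {
        while ($true) {
            $evt  = Wait-Event -SourceIdentifier 'VtWatch'
            $path = $evt.SourceEventArgs.NewEvent.TargetInstance.ExecutablePath
            Remove-Event -EventIdentifier $evt.EventIdentifier
            if (-not ($path -and $path -like '*.exe' -and (Test-Path -LiteralPath $path))) {
                continue
            }
            try {
                $result = Test-StartedExecutable -Path $path -ApiKey $ApiKey
            } catch {
                # A failed lookup is reported, not silently treated as clean.
                Write-Warning "Lookup failed for ${path}: $($_.Exception.Message)"
                continue
            }
            if ($result.Verdict -ne 'Clean') { $result }   # hand off to alerting
        }
    } finally {
        Unregister-Event -SourceIdentifier 'VtWatch'
    }
}

# Constructed sample reports, shaped like the v3 response, to exercise the decision offline.
function New-SampleReport([int]$Malicious, [int]$Suspicious) {
    [pscustomobject]@{ data = [pscustomobject]@{ attributes = [pscustomobject]@{
        last_analysis_stats = [pscustomobject]@{
            malicious = $Malicious; suspicious = $Suspicious } } } }
}
Get-VtVerdict (New-SampleReport 41 2)
Get-VtVerdict (New-SampleReport 0 1)
Get-VtVerdict $null

# Live mode (needs a key and network access):
# Start-ProcessWatch -ApiKey $env:VT_API_KEY
```

The cache matters because the public VirusTotal API is rate limited, and the separate 'Unknown' verdict keeps a never-before-seen binary from being reported as clean.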

Limitations

As of right now the PowerShell script only monitors .exe files; in the next version of PowerAV we would like to expand this to .dll, .doc, .ps1, etc. file formats. We would like to add the capability to send information captured by the PowerAV script to a remote web application that would allow the SOC Analyst to log in and have a graphical representation of historical data captured by PowerAV. The last feature we will add to PowerAV is the “file Quarantine” option when the script detects a malicious file. Unfortunately, you cannot use this PowerShell script in a corporate environment or to replace/harm the Anti-Virus industry; this is due to the Terms of Use in the VirusTotal API. This PowerShell script is strictly for educational purposes only, and we cannot tell you how to use this PowerShell script.

Conclusion

Using PowerAV is huge when it comes to detecting malicious files on Windows hosts. This just scratches the surface of using PowerShell as a Blue Team tactic for monitoring users and system processes. More important is the ability to send information in a lightweight format to the VirusTotal Cloud. We would like to see more PowerShell scripts that integrate with vulnerability research teams such as Talos, VirusTotal, FireEye, Unit 42, etc. Let me know your thoughts in the comments below.

Five Things to Know about Cryptomining

Does it feel like your computer is running (or rather, crawling) slowly? You may be a victim of cryptomining—cyber criminals’ latest tool du jour. A couple of weeks ago, Reuters reported that thousands of websites, including ones run by U.S. and UK government agencies, were infected with cryptomining code. As we covered recently, many enterprising hackers also use this attack method to take advantage of the surge in online viewing activity around high-profile events such as the 2018 Winter Olympics.

Cryptomining may be the latest cyber attack rising, but what is it, exactly? According to MIT Technology Review, “Mining is a computationally intensive process that computers comprising a cryptocurrency network complete to verify the transaction record, called the blockchain, and receive digital coins in return.” In other words, “miners” work to solve complex mathematical problems in order to generate income in the form of digital currency, such as Bitcoin, Ethereum, Monero and others. This mining process requires serious hardware and significant CPU resources to “create” cryptocurrency.

To put this in perspective, a representative from Hitaveita Sudurnesja, an energy company in Iceland, said he expected “Iceland’s virtual currency mining to double its energy consumption to about 100 megawatts this year.” This is significantly more than what is used by the country’s entire population of 340,000.

Five Things to Know about Cryptomining:

  1. How Cryptomining Malware is Executed: Malicious cryptomining typically spreads in one of two ways. The first approach is by malware, delivered via a malicious email attachment or link. Researchers found that 23% of organizations globally were affected by Cryptomining malware, specifically the Coinhive variant, during January 2018. The second approach is to infect third-party content providers used by highly trafficked sites. For example, an advertising provider might be targeted because of its access to thousands of websites reaching millions of people. This method can deliver more substantial return for the attacker. When users visit the site, they unknowingly “donate” their computing processing power to the attacker while they remain on the page. These attacks don’t require, or spread, malware on the user’s endpoint, so while users are impacted, they are not infected.
  2. How the Attacker Uses Power from your Device: By using crowd-sourced computing power, the attacker can scale up his/her mining efforts while eliminating the need to purchase expensive equipment as they “pan for digital gold.” The more collective power and speed the attacker can amass, the bigger the cryptocurrency payout.
  3. How to Tell If You’ve Been Hit: In most cases, you won’t find malware on your device, since this type of attack can run without it, so the only indication may be a visible slowdown in performance.
  4. Why It’s a Big Deal: What’s so concerning about this type of attack is that user computing power can now be hijacked by attackers just by visiting an infected site or a site that uses an infected third party.
  5. How to Protect Your Devices: Unfortunately, there is little you and other end users can do but monitor for abnormal utilization by browser processes (not trivial for non-tech-savvy users) and higher than normal CPU usage. Instead, the responsibility should rest with those who own and maintain the website to routinely inspect all of their third-party providers.

Cryptomining operations will continue and likely expand. We already see reports of mining of Monero using malware installed on internet-connected servers. This is another reason to stay on top of vulnerabilities and the performance of your systems.

 

Source: https://www.cyberark.com/blog/five-things-know-cryptomining/

What Does It Really Take To Track A Million Cell Phones?

Let us clarify right away, we are not talking about how to track your own cell phone in case it’s lost or stolen. We are talking about tracking everyone that lives, breathes and wears a cell phone.

This is actually incredibly easy and we think that people should be aware of that.

If a representative of a phone service provider with 10 million customers came into my office and asked, “What would it take to track every move of our 10 million customers?”, my answer would be “An intern and 6 months”. Then we’d insist the intern will need a desk, a computer, basic programming and algebra skills. That’s all it takes.

Imagine for a minute that you are the intern in question. Congratulations and welcome to our company! Your internship begins now, this document will introduce you to everything you need to know.

We’ll go over the basics of cellular networks, geolocation principles, technologies readily available in every cell phone and how to leverage all of that into a truly real-time planet-scale mass surveillance system.

Spoiler Alert: If you are scared of 1984-like scenarios, you may want to stop reading this and bounce to a video with Darth Vader playing the accordion.

A) Foreword

We are in a unique position with cross domain expertise. We combine experience in state-of-the-art tracking systems with past experience in the telecommunication industry.

Whether it’s locating an item in a warehouse, guiding people inside a shopping mall or following stolen trucks, there are many legitimate use cases for tracking, with as many constraints to satisfy: indoors, outdoors, with or without battery, variable precision, etc…

A phone itself comes with numerous technologies built-in: GPS, WiFi, accelerometer, compass, etc…

We’ll focus exclusively on what is needed to achieve easy, effective, reliable, mass-tracking.

B) Requirements

We want to track cell phones. Which one? ALL OF THEM.

Some constraints:

  • Cell phones are out of control
    • No physical access
    • Hardware cannot be modified
    • Software cannot be installed
  • Users are out of control
    • They will not perform any wanted action
    • They will not opt-in to anything
    • They will not consent to anything
  • Must be scalable to millions of cell phones
    • Self-explanatory

Better precision in time and position[1] is better but does not constitute a goal by itself. It has to be balanced against more important parameters like feasibility, scalability, reliability and costs of operation.

For the avoidance of doubt, we’ll call the project an utter success if we find ourselves able to pinpoint any cell phone as being in a specific block inside a specific city, at a specific hour.

[1] A location is always a position AND a time together. It’s important to keep the two dimensions in mind.

C) Multilateration

Most systems work by “triangulation“. It’s possible to triangulate a specific position by comparing some measures to some points of reference. First things first, that’s actually called multilateration.

If you use a service like a GPS, it does all the work and gives out a position with a radius of error.

If you are the guy making the GPS, or you are trying to mix multiple sensors in a creative way, you need to do the hard work yourself.

Ultimately, it always comes down to 4 methods.

1) Power: Signal power

With information about the transmission power, the reception power and the medium, it’s possible to use physics wave propagation formulas to estimate the distance traveled.

In practice however, this method is extremely unreliable for radio waves, so you NEVER want to use that.

For instance, it’s typical for a long distance radio wave to go up and down 10 fold (+-10 dB) within a single second. It changes all the time and that’s when you are not moving. It gets worse when walls, windows and your head go in and out of the path.

2) AoA: Angle of Arrival

Note: It’s called triangulation when using angles.

With the angle of a signal, it’s possible to determine that the source is within a line (or a cone). Obviously, it works better with highly directive signals.

You can surely picture a rotating radar like you’ve seen a thousand times in movies.

3) ToA: Time of Arrival

With the time and the speed of a signal, it’s easy to determine the distance. t = d/s.

Challenge: Radio waves travel at the speed of light 299 792 458 m/s.

Measuring a distance with 30 cm accuracy requires measuring the time to within +- 0.000000001 seconds (1 nanosecond). That is a hard problem.

4) TDoA: Time Difference of Arrival

Also based on time measurement.

It’s possible to use time differences instead of an absolute time.

Time difference of arrival principles (Picture Source: Locating Lightning Strikes)

The item to be tracked emits a pulse that is received by multiple receivers. The receivers are at known locations and synchronized in time.

By measuring the time difference between the reception of the signal at the receivers, it’s possible to determine the relative distance of the source to the receivers.

Challenge: This requires not only measuring time with crazy precision but also synchronizing clocks across systems.

D) Cellular Networks Principles

We’ll go through some basics about cellular networks.

1) Base Station (BTS)

A cell phone communicates with a base station.

There are two channels. One for emission (to the BTS), one for reception (from the BTS). They operate at different frequencies.

The emission channel (to the BTS) is shared by all devices. At any time, there can only be one device emitting.

2) Cellular Network

A BTS covers an area around it. Adjacent BTS form a cellular network.

Two adjacent BTS need to have different frequencies to avoid interference.

Cellular Network

Each operator runs its own network. It may share or resell network service to other operators.

Some operators are virtual (called MVNO). They have no physical infrastructure, they exist on top of another provider. For example, giffgaff [1] runs on top of O2.

[1] Highly recommended provider in the UK.

3) Cell Density

A base station can only cover a limited amount of users. What happens when there are too many users, like in a city center instead of a village?

dense cellular network
Double the density. Quadruple the capacity.

Trivial, cells can be arranged more densely to increase the capacity.

E) Locating A Cell Phone

We saw the basics of cellular networks and the basics of multilateration.

1) Base Station

Your phone has to be in range of a BTS to work. By the simple virtue of having your phone “online“, the operator knows that you are within the range of his station.

As we said before, the density of towers can be adjusted to accommodate the density of users.

A tower has a theoretical range of up to 35 km radius. In a major city, there could be one every km; in the empty country side, there could be one every 10 km.

That’s enough to locate a phone down to one city.

BTS have to be located carefully to manage their coverage and not jam one another. An operator knows the locations of its BTS. They have to be registered officially with some sort of radio tower registry (the execution varies slightly by country).

P.S. We would like to give some free sites where you can see BTS but they tend to not live long. There is value in providing a good database so it’s never given for free (and if it is, someone will realize their mistake soon).

2) Base Stations x 6


Back to when we were in telecom, a long time ago, we had special test phones provided by the manufacturers.

Think of an old school Nokia phone, except it comes with built-in hardware and software for debugging purposes. One of the built-in tools shows detailed connectivity information that is otherwise not available to consumers.

With that at hand, we can see that the cell phone, right in our hands, is able to detect and maintain connectivity with 4 towers simultaneously, at all times.

Why 4? Because there are 4 in our area. The phone could do more!


A $50 cell phone, even one from a decade ago, can be simultaneously “connected” to 6 stations. This may include stations slightly beyond range, having a signal just strong enough to be detected but too weak to be used for actual communications.

As we like to illustrate nowadays in simple terms: Your phone is a wonder of technology, it will go above and beyond to keep the communication going no matter what. When you talk, one word can go to one tower and the next one to another tower, switching as often as necessary.

On a related topic, this is why you cannot find cheap jamming devices against mobiles. Phones are intended to operate in a hostile environment with thousands of phones competing for the air. A jamming device is like a garden hose in a hurricane. It’s physically impossible for any cheap pocket-size device powered by 2 AA batteries to out compete the hurricane.

To conclude this paragraph, your phone is constantly talking to multiple stations, not just one. Instead of being in a disk around a station, you can be located at the intersection of multiple disks. Handy for tracking, not so much for your privacy.

More importantly, we need multiple points of reference to be able to perform multilateration. Here they are!

3) Angles

We said that a tower covers a radius around it. In practice, this is sub optimal so that’s not how it’s done.

Instead, a station is usually split in 3 independent beams of 120 degrees.

section antenna
A typical base station (Source: Wikipedia)

A typical BTS. Notice the triangle shape, each face covering 120 degrees.

base station setup
The arrangement of Tx and Tx. (Source: Kaithrein)

The technical setup, as recommended by a Polish antenna manufacturer.

This allows limiting the positioning to 120 degrees. It’s actually very powerful: it increases the accuracy a lot and allows for multilateration with only 2 BTS.

Geometry Trivia: The intersection of 2 circles gives 2 points (opposites to each other), it takes a third reference to find which point is the right one. Therefore multilateration always requires 3 references (e.g. the distances from 3 BTS). In practice, an angle is enough to make the distinction most of the time (e.g. angles and distances from 2 BTS).

This method requires information about antennas and directivity. We just checked one BTS database and it’s there so it looks like it’s not a problem to get. The precision will need to be tested in the wild (wave propagation and construction work are not perfect to the degree).

4) RSSI: Received Signal Strength Indicator

A phone emitter has a maximum power of 2 Watts (6 dB). A phone receiver has a typical sensitivity of 0.000000001 Watt (1 nW or -90 dB).

The air can attenuate a signal by a factor of 1 billion and your phone still works. Magic!

In a perfect world of undergraduate physics, the propagation loss in the air can be modeled with that equation.

propagation loss

With L the loss in dB, lambda is the wavelength and d is the distance, lambda and d in the same unit.

In the real world, this doesn’t apply at all. The air is not homogeneous and there are obstacles all over the place. The losses can vary by 2 orders of magnitude at any time (and it does). There is no meaningful value to be measured.

A good usage of Kalman filter may help to filter the samples but that’s both complicated and resource intensive for a mediocre result.

We’ve got much better to do than RSSI so let’s not waste our time discussing that.

5) Timing Advance

A channel is shared between many customers, each one gets very short periods of time allocated. You can read an introduction to GSM frames for details.

The time slot might be unusable in the event of an overlap with the previous or the next slot (dedicated to another phone). One thing that could cause unwanted overlap is the propagation delay from the phone to the station.

timing advance
The signal takes time to travel from a phone to the station. The delay depends how far the phone is.

Each bit is 3.69231 µs long in GSM, a radio wave can travel 1107 meters in that time. That means a phone located multiples of 1107 meters away will be multiple bits late… we don’t want that!

The propagation delay is accounted for and corrected by a mechanism called the timing advance.

The base station measures how late messages arrive and sends a correction parameter, the timing advance, back to the phone.

It’s a number between 0 and 63 indicating how much advance it should take, in multiples of 3.69231 µs.

For the purpose of geolocation, the timing advance allows locating a cell phone within a 1107 meter annulus around the base station.

For the purpose of being a grammar nazi, the section of a disk inside a concentric disk is called an annulus.

Let’s see what this looks like if we put some circles on top of London.

london trilateration 1 crop
Timing Advance Annuluses

That’s the accuracy a single tower can give with just timing advance (ignoring angles).

 

Let’s see what the intersection of two stations looks like.

london trilateration 2 crop
Timing Advance with two stations.

That gives two possible areas. It takes a third measure to decide for sure (either an angle or a timing advance).

It’s intuitive enough. The more measures, the better.

Remember: Your cell phone is able to talk to 6 towers at all times, that can cooperate in tracking it.

It’s not always accurate but when it is, it can pinpoint you to the block you are walking in.

6) Geometry Quick Thoughts

Computing two-dimensional intersections of disks[1] is highly complex, both in terms of computational power and in terms of what a cheap intern might be able to understand.

Intersection of circles is a trivial problem though. There are known formulas that can be computed in constant time.

It can be generalized to N circles by simply applying the formula to each pair of circles. Filter out the points which are not within the intended angle and distance from the station (a basic comparison in constant time[2]).

The resulting points show something that is approximate but quick and easy to compute. Remember that we have millions of people to track in real-time and only an intern for that!

Call for comment: Dear mathematician reader, please comment if you have any advice on how to find the intersection of complex shapes. [3]

[1] Strictly speaking, this should be treated in 3D. The world is a sphere. There are variations in terrains that should be accounted for, especially in mountain regions.

[2] Angles are trivial to play with in polar coordinates (or spherical coordinates).

[3] We checked how design software handles 2D and 3D intersections (SolidWorks, Catia, AutoCad). Sadly, it is advanced mathematics AND it takes a lot of computational power.

7) Summary

Locating a cell phone:

  • A base station locates the phone inside its range (up to 35 km radius)
  • The timing advance locates the phone in a 1107 meter annulus
  • The angle split locates the phone in a 120 degree section
  • There can be many stations participating in the process
  • They can be interpolated to improve the precision

8) Time

Remember that a position is always implicitly linked to a time. A phone is at a specific place at a specific time.

The phone wants to be permanently connected. It is adjusting to the environment in real-time all the time, typically in a matter of seconds. This is mandatory for the phone to work (calls and messaging).

Being conservative, a phone should be able to be (re)located every minute.


Do the test.

Turn your phone off, send it a message, turn it on, how long to receive the message?

Put your phone in a tin box (to block signal), send it a message, take it out of the box, how long to receive the message?


F) Dependencies

There are some prerequisites to make that tracking system real and deploy it on a large-scale.

1) Base Station Database

The project requires a database of base stations.

Every provider knows where it set up its stations; that’s part of the job of being a service provider. It’s a given if the project is done as part of an ISP.

It should be easy enough to get a high quality database of base stations for anyone (not to confuse easy with inexpensive).

2) Logging BTS Information

The project requires access to BTS signal information.

First, there is an extensive authentication, roaming and payment system embedded in the network. This is necessary to provide service to the right user at the right time at the right price.

Second, almost every regulation in every country in the world requires providers to save some usage information per user, for many years.

There is massive infrastructure already in place to log and audit accesses, down from the station, up to the high level customer subscription.

The values that are needed may or may not be saved already (Cell ID, TA, …), if they are not, they shouldn’t be very hard to add.

3) Matching Identities With Phones

Assuming that we track cell phones. The final step after a phone is located is to match that phone with the identity of a real person.

There is a whole authentication system built into the network. There are unique identifiers for customer contracts, SIM cards, phones, etc…

Not sure of the details of how this works and how this could be abused. Assume that an ISP can match any connected user with the subscriber.

G) The Known Unknown

We saw how to track every cell phone in service, easily done by the ISP of said customers (and by extension easily achieved by the NSA/GCHQ).

There are some unknowns that may affect the scale and the success of the operation. None that can impair it but some that can bring it up to a whole new level!

1) Near Range Tracking

A phone has to discover stations around it. It’s not possible to know which ones are right without trying.

Technically speaking, there is a possibility that the phone might have to broadcast and try to link to all stations in range [1].

If so, any station in an area would be able to follow any phone in proximity. National providers could track everyone everywhere since they already cover the entire country. Rogue actors could set up dedicated networks for the sole purpose of tracking.

[1] It has to start with timing advance and authentication of the device, thus allowing for multilateration and user identity lookup right away.

2) Cross ISP Traffic

Have you ever been in an area with low reception where the phone displays “emergency services only”?

There is no reception to make regular calls, yet it can make emergency calls, probably by using other networks (read: not the one you subscribe to). This is a legal requirement, cell and service providers have to allow that.

Technically speaking, it means that there is something built-in to allow cell phones to connect to anything through any network and your phone is trying that automatically all the time. (This is similar to the previous point).

If so, it can be abused to track your phone.

3) International Roaming

Ever been to another country? Your phone works just fine, except you’re charged ten times more.

Again, this implies that the phone is connecting to anything. Better though, this implies that other providers are able to reach your current provider somehow, to confirm your access and incur your billing.

Depending on how it’s done in the details, there may or may not be an opportunity to link a cell phone back to its provider and its owner, anywhere in the world.

H) The Known Known

1) Retro and Forward Compatibility

This works on all cell phones and it worked for decades.

The technology has been out and part of every cell phone at least since the first edition of GSM, circa 1991.

There is no change with 3G, 3G+, LTE. Still works like a charm!

2) This Project Can Be Done By An Intern

The technology itself is within reach of a 15-year-old. Any student who attends telecom 103 is taught enough to come up with that (if only they listened instead of playing on their phones!).

20 years ago, this might have gone unnoticed or ignored. There were only a few stations and a few users. Limited accuracy, limited user impact. It’s easy to imagine an early proof of concept that found it impossible at the time: “It’s gonna take an entire floppy disk to save the positions of 12000 customers! Oh my gosh. We’ll never have the budget for that.”

Nowadays, it’s so trivial it’s frightening. Any cell provider could take an intern and make it happen in 6 months. Gotta save some signal information? It’s already done. Gotta do a bit of algebra? Nothing difficult.

3) Verizon Is Doing That Already

Feel free to read “Verizon” as any major phone provider.

Any service provider automatically gets incredible tracking capabilities and has to keep a history of it. It’s not optional. The first half comes with the phone’s infrastructure, the second half is mandated by regulations.

The core business of a provider is to provide phone service though, not to locate all customers in real-time down to the minute. There is no reason to perfect the techniques written in this document.

4) The NSA Is Doing That Already

Feel free to read the “NSA” as any state sponsored actor.

They want to track every person in the world. That’s one of their main goals. They have lots of resources dedicated to doing just that. They have the ability to infiltrate providers and/or to deploy their own rogue infrastructure.

Ironically, the most awesome mass surveillance system ever invented is out there already and quite easy to use.

What are the odds that they figured it out? I’d say pretty high.

Conclusion



What’s the difference between a Nokia 3310 and an iPhone 7?

There isn’t any! As long as they are turned on, they can both locate you in real-time, 24/7, with a precision better than 1 square kilometer.

 

 

 

Mobile Cellular Subscriptions per 100 people (Source: The World Bank)

 

what if i told you it took 25 years to equip every human being with a personal tracking device

Source: https://thehftguy.com/2017/07/19/what-does-it-really-take-to-track-100-million-cell-phones/

Using Windows FSRM to build a Killswitch for Ransomware

Despite the number of $ in this image, this solution costs zero $.

When I sit across the table from CISOs and ask, “has your organization been affected by ransomware recently?” the answer is almost always “of course!” However, when asked how they are handling it, they are typically looking to me for an answer. While I believe that training the human and having in-line security appliances are certainly important, I wanted to share a solution that uses resources already built into Windows. This solution utilizes PowerShell and Windows File Server Resource Manager (FSRM) to automatically lock out a user account when ransomware activities are detected.

Installing FSRM
First and foremost, you will need to set up FSRM on your file servers. This feature is part of the File Services Role and can be installed with the following PowerShell command (all one line).

Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

Take note, FSRM is only available on Windows Server. If you’re interested in workstation mitigation, comment below and I’ll get to writing!

Get Email Alerts
To be emailed about the action our killswitch takes, we will need to set up the SMTP Server settings within FSRM. We don’t necessarily have to do this right now, but it saves us from seeing annoying prompts in the future steps.

Open up Server Manager > File and Storage Services > Right click on your server > File Server Resource Manager (this can also be accessed through Administrative Tools). Once opened, right click “File Server Resource Manager (Local)” in the left pane and select “Configure Options…” Go ahead and set up all your email settings, similar to below.

Set up Killswitch Directory
In your corporate file share(s), set up a directory that begins with an underscore. If the ransomware is encrypting alphabetically, this will ensure that it is tripped as soon as possible. Within that directory, we will place a text file called killswitch.txt.

Set Up the Killswitch
Many variants of ransomware look to find mapped drives and will begin encrypting data in an alphabetical order. Because of this, our killswitch is going to be a directory placed in the file shares that begins with an underscore.

Create a new File Group under File Screening Management that will look at all files except our killswitch.txt.

Next, we will create a File Screen Template utilizing the File Group we created, called “All File Types”.

We will want to configure email alerts, so on the E-Mail Message tab, fill out the pertinent information.

We also want to automate the removal of the offending user in order to stop the ransomware from encrypting our entire file server. We will do this with some PowerShell. Copy the following and save it to your preferred location. In this example, I’m just saving it to C:\kickuser.ps1.

param(
    [string]$username = ""
)

# Deny the offending account on every non-special SMB share on this server
Get-SmbShare -Special $false | ForEach-Object {
    Block-SmbShareAccess -Name $_.Name -AccountName $username -Force
}

On the Command tab, check “Run this command or script:” and enter the following:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

For the command arguments, insert the following:

-Command "& {C:\kickuser.ps1 -username '[Source Io Owner]'}"

Set it to run as Local System.

Apply the File Screen
From within FSRM, Select File Screening Management > File Screens and create a new File Screen. Set the path to your underscore directory and use the “Detect Ransomware” File Screen template that we created earlier.
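The GUI steps above can also be scripted with the FileServerResourceManager PowerShell module. This is an added example, not part of the original post: the share root, SMTP host and e-mail addresses are placeholders, and it assumes the lockout script is saved as C:\kickuser.ps1.

```powershell
# Added example: the FSRM setup from this post, scripted. Run elevated on the file server.
# Placeholders/assumptions (not from the post): $shareRoot, SMTP host, e-mail addresses.
Import-Module FileServerResourceManager

$shareRoot  = 'D:\Shares'                          # assumed root of the corporate share
$trapDir    = Join-Path $shareRoot '_Killswitch'   # leading underscore sorts first
$kickScript = 'C:\kickuser.ps1'                    # lockout script location used in the post
$psExe      = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'

# E-mail settings (the "Configure Options..." dialog)
Set-FsrmSetting -SmtpServer 'smtp.example.com' `
    -FromEmailAddress 'fsrm@example.com' -AdminEmailAddress 'secops@example.com'

# Killswitch directory and bait file
New-Item -ItemType Directory -Path $trapDir -Force | Out-Null
Set-Content -Path (Join-Path $trapDir 'killswitch.txt') -Value 'Do not modify.'

# File group: match every file name except the bait file itself
if (-not (Get-FsrmFileGroup -Name 'All File Types' -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name 'All File Types' -IncludePattern '*' `
        -ExcludePattern 'killswitch.txt' | Out-Null
}

# Notification 1: e-mail to the FSRM admin address
$mail = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
    -Subject 'Ransomware killswitch tripped on [Server]' `
    -Body '[Source Io Owner] wrote [Source File Path]. SMB share access for this account has been blocked.'

# Notification 2: run the lockout script as Local System.
# RunLimitInterval 0 disables FSRM's per-action throttle so every trigger runs the command.
$kick = New-FsrmAction -Type Command -Command $psExe `
    -CommandParameters "-Command `"& {$kickScript -username '[Source Io Owner]'}`"" `
    -SecurityLevel LocalSystem -RunLimitInterval 0

# Template and screen. Passive screening (the default) still fires notifications;
# add -Active to also reject the write that tripped the screen.
if (-not (Get-FsrmFileScreenTemplate -Name 'Detect Ransomware' -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreenTemplate -Name 'Detect Ransomware' -IncludeGroup 'All File Types' `
        -Notification $mail, $kick | Out-Null
}
New-FsrmFileScreen -Path $trapDir -Template 'Detect Ransomware'
```

To undo a lockout after triage, run Unblock-SmbShareAccess with the same share name and account name.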

Testing
To test, I created a test account (test guy) and modified the file. I was instantly locked out of the share. The output of our PowerShell script, as well as the share permissions, show this:

Wrapping Up
This methodology should help mitigate some risk around ransomware attacks. In the future, it may also be beneficial to make the following changes:

  1. Create a secondary killswitch in a ZZZ_Killswitch directory in case a ransomware-variant starts in reverse-alphabetical order.
  2. Extend the PowerShell script to also lock out their AD account.
  3. Create more killswitch files and file screens due to newer ransomware variants focusing on document and image files (.doc, .docx, .pdf, .jpg, .png, etc.)

I believe in using the resources we already have available to us in helping secure our organizations, and hopefully this helps. Feel free to comment with any questions or suggestions.

Source = https://blog.savagesec.com/minimizing-ransomware-risk-with-fsrm-847d70f6212b

Written by – Kyle Bubp

L2L VPN ASA

!---------- Core side/Static side
!
!--Crypto ACL referencing networks to be part of the VPN
!
access-list storenets extended permit ip object-group local_nets object-group remote_nets
!
!--Zero NAT or twice NAT for translating local VPN networks to remote VPN networks
!
nat (inside,outside) source static local_nat_nets local_nat_nets destination static remote_nets remote_nets no-proxy-arp route-lookup
!
!--NAT to the internet
!
nat (inside,outside) source dynamic any interface
!
!--Building IKEv1 proposal/transform set
!
crypto ipsec ikev1 transform-set site2site esp-3des esp-sha-hmac
!
!--Building IKEv1 policy
!
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
!
!--The crypto map
!
crypto dynamic-map lab_dyn_vpn 10 match address storenets
crypto dynamic-map lab_dyn_vpn 10 set pfs group5
crypto dynamic-map lab_dyn_vpn 10 set ikev1 transform-set site2site
crypto dynamic-map lab_dyn_vpn 10 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic lab_dyn_vpn
crypto map outside_map interface outside
!
!--Enabling IKEv1 on outside interface
!
crypto ikev1 enable outside
!
!--Group policy
!
group-policy ELcorL2Lpolicy internal
group-policy ELcorL2Lpolicy attributes
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol ikev1
!
!--Tunnel group referencing group policy and IPsec pre-shared key
!
tunnel-group EngLab-L2L general-attributes
default-group-policy ELcorL2Lpolicy
tunnel-group EngLab-L2L ipsec-attributes
ikev1 pre-shared-key *****
!
end
!
!---------- Spoke side/Dynamic side
!
!--Crypto ACL
!
access-list ipsec_to_epb extended permit ip 10.204.20.0 255.255.254.0 object-group vpn_nets
!
!--Static crypto map
!
crypto map vpn_map 1 match address ipsec_to_epb
crypto map vpn_map 1 set pfs group5
crypto map vpn_map 1 set peer 74.221.180.62
crypto map vpn_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map vpn_map 1 set reverse-route
!
!
!
tunnel-group 74.221.180.62 type ipsec-l2l
tunnel-group 74.221.180.62 general-attributes
default-group-policy DefaultL2L-policy
tunnel-group 74.221.180.62 ipsec-attributes
ikev1 pre-shared-key *****
!
end

Ticking time-bomb fault will brick Cisco gear after 18 months

Cisco has issued a warning that an electronic component used in versions of its routing, optical networking, security and switch products prior to November 16, 2016 is unreliable – and may fail in the next year and a half, rendering affected hardware permanently inoperable.

“Although the Cisco products with this component are currently performing normally, we expect product failures to increase over the years, beginning after the unit has been in operation for approximately 18 months,” Cisco said in its advisory.

“Once the component has failed, the system will stop functioning, will not boot, and is not recoverable.”

And without naming names, Cisco said that the clock-signal-generating component is also used by other companies. Expect further notices of this sort from other vendors shortly.

Cisco said it learned about the issue in late November and has worked with the component supplier to fix the faulty part. As a result, currently shipping products are not affected.

For customers with affected products under warranty or covered by service contracts through November 16, 2016, Cisco intends to provide replacement products. It is prioritizing replacements for those who have been operating the affected products the longest, because of the correlation between operation time and component failure.

Cisco insists this isn’t a recall; rather it’s a proactive replacement. The company also said that while the component maker indicated failures will become more likely after 18 months, it expects it will take three years of runtime before its products show a spike in failures.

In its advisory, Cisco specifically declines to identify the supplier that made the faulty part, or other affected vendors. And the company declined to do so in response to a request from The Register for further information.

“Cisco strives to deliver technologies and services that exceed customers’ expectations, and meet rigorous quality and customer experience standards,” a company spokesperson told The Register in an email. “We became aware of an issue related to a clock signal component manufactured by one supplier. We have worked with the supplier to resolve the issue, and we’re providing information and support for our customers.”

Cisco’s advisory affects the following products:

Category | Notice | Products
Networking | FN-64230 | NCS1K-CNTLR
Routing | FN-64231 | NCS 5500 Line Cards
Routing | FN-64252 | IR809/IR829 Industrial Integrated Services Routers
Routing | FN-64253 | ISR4331, ISR4321, ISR4351 and UCS-E120
Security | FN-64228 | ASA 5506X, ASA 5506W, ASA 5506H, ASA 5508, and ASA 5516
Security | FN-64250 | Cisco ISA 3000 Industrial Security Appliance
Security | Meraki Notification | MX 84
Switches | FN-64251 | Nexus 9000 Series N9K-C9504-FM-E/N9K-C9508-FM-E/N9K-X9732C-EX
Switches | Meraki Notification | MS350 Series

Network engineer Tony Mattke in a blog post said rumors about ISR 4331 router problems and a possible recall have been circulating for several months.

“Many of us have received phone calls at this time from our account managers … while some of us, myself included, have been left in the dark,” he wrote. “This is troubling considering how many products are out in the field.”

Updated to add

It looks like the dodgy electronic component at the heart of the matter is an Intel Atom C2000 system-on-chip Cisco uses in its gear. The processor can fail to produce a clock signal required to drive the whole device – see this rather worrying errata, specifically AVR54, on this Intel data sheet, dated January 2017:

Who Watches the Watchmen?

In the healthcare industry, those practicing in the field must take the Hippocratic oath and swear to uphold specific ethical standards. This standard helps promote the idea of “do no harm” and healthcare practitioners take this oath very seriously. But what about the Information Technology industry? How do we ensure that those we give ultimate power to in our organizations are not abusing their power and are acting in the best interest of the company?

There is nothing similar to the Hippocratic oath for systems administrators, network engineers, or security analysts. Although we would like to hope that throughout our interview processes and background checks, we are hiring morally upstanding folks, there really is no overall ethical oath that professionals in Information Technology subscribe to. The majority of us will respect ourselves enough to hold high ethical standards, but there is also a minority of those who won’t. So, how can we ensure that our employees are not abusing their access?

You may argue that you have logs, you have a SIEM, and if anything were to happen, you could pore through your logs and build a forensic timeline to answer the who, what, when, where, and how. However, this is after the fact, after the damage has already been done. Wouldn’t it make more sense to put safeguards in place to prevent the damages from occurring in the first place?

Think of it in terms of your primary bank. You have both your checking and savings accounts in there. Maybe you have some CDs, a HELOC, and a mortgage with them as well. Would you be comfortable if any of the tellers could simply walk into the vault by themselves with no surveillance and no safeguards and do whatever they like under the presumption of trust? Would it be acceptable for the same teller to be able to modify your account information on your mortgage, HELOC, etc. without a second set of eyes and an approval process? I would hope your answer is a resounding “No.”

Thus, we need to start putting surveillance, approval processes, and alerting around our privileged access in our environments. Think about how many individuals in your environment have some type of elevated access. This is not only in the scope of your Domain Administrators, but also the DBAs in your environment that have access to the databases that hold your company’s most sensitive records. How do you know that none of the folks you’ve hired, and trust with your data, are abusing their power? Especially when the same individual that could access that “Finance” directory on your file share can, at the same time, disable logging and remove all evidence of any nefarious activity?

Here’s an example of how abuse of privileged access could play out: ACME, Inc. just hired a brand new Systems Administrator and, as part of the onboarding process for that team, the new hire has been given a secondary account with domain admin privileges. ACME has a SIEM, and all of their servers have agents on them to forward logs to the SIEM. One night, after a long troubleshooting session, the new hire feels underappreciated and wants to know the salaries of other employees at ACME. Knowing full well about the SIEM, they first stop the services of the log forwarding agents on the file servers and domain controllers. They then grant themselves access to the directory in which the salary data is stored and make a local copy to a USB. They then delete all logs on the fileserver(s) and domain controllers for the timeframe in which they were snooping. Finally, they enable the agents again and walk out the door with a USB full of ACME’s salary data. Honestly, are your SIEM administrators going to notice that the next day? More than likely not.

Imagine the same scenario, but with a Privileged Access Management (PAM) solution in place. The new Systems Administrator has no idea what their password is to their domain admin account, and they must check it out prior to escalating privileges. Once checked out, anything the Systems Administrator does with their RDP/SSH session is recorded and stored in an encrypted format. That alone would deter most from continuing with the efforts of scraping salary data; however, if one were feeling foolhardy and decided to continue, the session recording would have full evidence of everything they did. To take it a step further, one could even configure the PAM solution to require an approval for checkout. Thus, management would get a request for escalation of privilege and must approve before the new Systems Administrator can move forward. These policies would go a long way to deter privilege abuse, and the session recording features are just another tool in your forensics arsenal.

Think about how many admins you have in your organization who at any time could carry out the first scenario I described without any types of checks and balances. Is your corporate data and reputation something you are willing to risk on hopes that everyone will always be happy and always do right by the company? To take that a step further, do you trust the contractors and vendors that come in for one-time installs enough to not control and monitor their activity? It comes down to due diligence, and in the realm of privileged accounts, we need to control, verify, and monitor access to those accounts. Otherwise, at any moment, one of your employees could be wreaking havoc, planting logic bombs, or stealing sensitive company information, and you wouldn’t know until the damage has already been done.

Source – https://kylebubp[dot]com/2016/07/who-watches-the-watchmen/
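The ACME scenario above leaves two traces a SIEM can still see: a silent period from a normally busy server, and a log-cleared event (1102 for the Security log, 104 for other logs) as the first record after the silence. The following added example, which is not part of the original article and runs on constructed sample events, flags that pattern; the function name and the 15-minute threshold are assumptions.

```powershell
# Added example (not from the original article). Sample events are constructed.
# SIEM-side view: one row per event received from a host's log forwarder.
$sample = @(
    [pscustomobject]@{ Time = [datetime]'2016-07-12T21:40:00'; Computer = 'FS01'; EventId = 4624 }
    [pscustomobject]@{ Time = [datetime]'2016-07-12T21:44:00'; Computer = 'FS01'; EventId = 4663 }
    [pscustomobject]@{ Time = [datetime]'2016-07-12T22:31:00'; Computer = 'FS01'; EventId = 1102 }
    [pscustomobject]@{ Time = [datetime]'2016-07-12T22:32:00'; Computer = 'FS01'; EventId = 4634 }
    [pscustomobject]@{ Time = [datetime]'2016-07-12T21:41:00'; Computer = 'DC01'; EventId = 4624 }
    [pscustomobject]@{ Time = [datetime]'2016-07-12T21:50:00'; Computer = 'DC01'; EventId = 4624 }
    [pscustomobject]@{ Time = [datetime]'2016-07-12T22:02:00'; Computer = 'DC01'; EventId = 4634 }
)

function Find-ForwarderGap {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        # Longest silence tolerated from a server that normally logs constantly (assumed value)
        [timespan] $MaxSilence = ([timespan]::FromMinutes(15))
    )
    $clearedIds = @(1102, 104)   # Security log cleared / other event log cleared

    foreach ($group in ($Events | Group-Object -Property Computer)) {
        $sorted = @($group.Group | Sort-Object -Property Time)
        for ($i = 1; $i -lt $sorted.Count; $i++) {
            $gap = $sorted[$i].Time - $sorted[$i - 1].Time
            if ($gap -gt $MaxSilence) {
                # A gap alone may be an outage; a gap that ends with a cleared
                # log is the tamper pattern from the scenario and ranks highest.
                $cleared = $sorted[$i].EventId -in $clearedIds
                [pscustomobject]@{
                    Computer    = $group.Name
                    SilentFrom  = $sorted[$i - 1].Time
                    SilentUntil = $sorted[$i].Time
                    Minutes     = [int]$gap.TotalMinutes
                    LogCleared  = $cleared
                    Severity    = if ($cleared) { 'High' } else { 'Review' }
                }
            }
        }
    }
}

Find-ForwarderGap -Events $sample | Format-Table -AutoSize
```

On the constructed data only FS01 is reported: 47 minutes of silence ending in event 1102. In production the same check would run as a scheduled search against the SIEM's own index rather than an in-memory array.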

 

Remote console access and Remote reboot any modem

I have been in the IT Security field for about 5 years now, and starting with desktop support and administration, we always needed a way to have console access to our Cisco equipment just in case the internet went down or there was a configuration issue with our equipment. This solution does just that: it grants physical access to remote users.

Required equipment to set up console access and remote reboot:

 

Raspberry Pi – https://www.amazon.com/Raspberry-Pi-RASP-PI-3-Model-Motherboard/dp/B01CD5VC92/ref=sr_1_sc_1?ie=UTF8&qid=1467990411&sr=8-1-spell&keywords=rapbery+pi

IoT Relay – https://www.amazon.com/Iot-Relay-Enclosed-High-power-Raspberry/dp/B00WV7GMA2/ref=sr_1_1?ie=UTF8&qid=1467990377&sr=8-1&keywords=IoT+relay

USB to 2-pin power cable – had to make this cable

USB to Console cable – https://www.amazon.com/CISCO-Console-Cable-Replaces-72-3383-01/dp/B00I8CT8YG/ref=sr_1_5?ie=UTF8&qid=1467991193&sr=8-5&keywords=USB+to+Console+cable

CradlePoint with 2 nic cards – https://www.amazon.com/Cradlepoint-Cellular-Broadband-multi-band-integrated/dp/B00X8D879C/ref=sr_1_10?ie=UTF8&qid=1467991271&sr=8-10&keywords=CradlePoint

Ethernet cable – https://www.amazon.com/Monoprice-2-Feet-Ethernet-Network-103419/dp/B002RBECAE/ref=sr_1_1?ie=UTF8&qid=1467991380&sr=8-1&keywords=2ft+ethernet+cable

 

To set up console access you must have a CradlePoint activated with a valid SIM card. Plug your Raspberry Pi into port 2 on the CradlePoint (port 1 is set to NAT by default); this will give you a public IP address. You should be able to SSH into your Raspberry Pi at this time. Log into the Pi and install picocom:

 

pi@raspberry:~ $ sudo apt-get install picocom

 

Now plug your serial cable into the Raspberry Pi. Change to the /dev directory and run the following command.

 

pi@raspberry:/dev $ sudo picocom ttyUSB0

 

Now you should have console access to your Cisco equipment.