
Buckhacker – Search Amazon Server Data

A search tool that can look for specific files on Amazon Web Service servers has been released by a group whose identity is unknown.

https://www.buckhacker.com/

The tool, Buckhacker, gets its name from the fact that storage containers in AWS Simple Storage Service (S3) are known as buckets.

It will make searches for data leaks much easier than in the past.

Buckhacker released an alpha version of the search engine on Wednesday which was noticed by UK security researcher Kevin Beaumont.

He tweeted: “In case you missed it, for the very first time there’s now a Google for Amazon S3 buckets – a full search engine called Buckhacker. This is page 400 of results for *.sql in S3. This is a game changer.”

The search engine has now been taken offline, with the people behind Buckhacker saying on Twitter: “Sorry guys, we are going offline for maintenance. We went online with the alpha version too early.”

Apparently, there were some cache issues in the alpha release, according to the Buckhacker Twitter feed.

Plenty of sensitive data has been found lying unsecured in S3 buckets, with the security firm UpGuard finding such stashes quite often.

UpGuard releases details of its finds on the Web regularly. It has found misconfigured S3 buckets leaking data from Paris-based brand marketing company Octoly, California data analytics firm Alteryx, credit repair service National Credit Federation, the NSA, the Pentagon, global corporate consulting and management firm Accenture, publisher Dow Jones, a Chicago voter database, a North Carolina security firm, and a contractor for the US National Republican Committee.

Reference

https://www.itwire.com/security/81762-group-releases-search-tool-for-amazon-s3-buckets.html


Court Rules Facebook Violates Users’ Rights With Illegal Default Privacy Settings and Data Sharing

A German court has ruled that Facebook is breaching data protection rules with privacy settings that “over-share” by default and by requiring its users to give their real names, a consumer rights organization said, AFP reported.

According to German law, a person’s personal information can only be stored and used by a company that has that individual’s agreement.

However, Berlin judges ruled Facebook leaves many of its settings that may be seen as “privacy invasive” switched on by default, failing to offer users an essential choice about how their data is used by the company, plaintiffs for the Federation of German Consumer Organisations (VZBV) said.

“Facebook hides default settings that are not privacy-friendly in its privacy centre and does not provide sufficient information about this when users register,” VZBV legal expert Heiko Duenkel said.

The judges found that at least five different default privacy settings for Facebook were illegal, including sharing location data with its chat partners WhatsApp and Instagram or making user profiles available to external search engines, allowing anyone to search and find information on a person.

Facebook’s partners and subsidiaries collect data to enable hyper-targeted advertising on its users.

Additionally, the court ruled that eight paragraphs of Facebook’s terms of service were invalid. One of the most significant requires people to use their real names on the social network, which the court deemed illegal.

The VZBV further stated that users were already paying to use Facebook—but with access to their data, instead of with cash.

Facebook could face fines of up to 250,000 euros ($306,000) per infraction if it does not fix its terms and conditions in Germany; however, Facebook said it would file an appeal against the ruling.

“Our products and terms of service have changed a lot since the beginning of the case, and we are making further changes this year to our terms of use and data protection guidelines, with a view to upcoming legal changes,” a spokeswoman told AFP.

Then there is the fact that Facebook plans to unveil a new facial recognition technology across the site which will use artificial intelligence to scan uploaded photos to analyze and recognize faces based on images previously uploaded to the site. This wasn’t even ruled on by the court; I can just imagine what the court decision would be if they ruled against requiring users to use their real names and Facebook selling user data to third party websites.

Besides the huge privacy concerns around Facebook, the company has admitted to deliberately manipulating its users’ emotions.

Reference:

https://www.activistpost.com/2018/02/court-facebook-violates-users-illegal-default-privacy-settings-data-sharing.html

SANS Top 20 Critical Security Controls – 2017

Every year, SANS details the Top 20 critical security controls to be implemented.  GCHQ has listed the controls here:

GCHQ Top 20 Controls

GCHQ details a list of quick wins to automate many of the top control measures, available as a PDF to download.

https://www.ncsc.gov.uk/content/files/protected_files/guidance_files/2014-04-11-critical-security-controls.pdf

GCHQ’s 10 Steps to Cyber Security

https://www.ncsc.gov.uk/guidance/10-steps-cyber-security


NIST 800-53 version 4 – Security Controls for NIST Cyber Security Framework.

NIST offers a list of technical security controls to implement on a system. These are “generic” controls that can be implemented on multiple systems. NIST classifies them as low, medium or high.


https://nvd.nist.gov/800-53/Rev4/impact/low

Just to be contrary to the importance of each control, we could start with a checklist of those controls considered “low”, which is shown below. NIST gives a code to each control: Access Control, for example, is AC followed by a number. AC-19 details access control on mobile devices.

 


Access control 7 or AC-7 relates to unsuccessful logon attempts.

The priority is P2. What does P2 mean?

NIST priorities are from P0 to P5, with P1 being the highest priority. Generally, the numbers 1 to 5 dictate the order in which the controls should be implemented.

There is a P0 – which is the lowest priority.

We can see that NIST considers Access control policies and Account management as top priority or a P1, and therefore should be the first technical controls to be implemented.  Account lockouts are a P2 control, which means they are important, and next to be implemented – after all the P1 controls are in place.

High Level controls

Under high level controls we see policies for AC-5 Separation of Duties and AC-6 Least Privilege. It’s important to separate out duties, so that the person who raises a purchase order is not the person who pays the invoice. This is to prevent internal fraud. Likewise, you always give the least amount of access rights needed to do the job; this is the concept behind “Least Privilege”.


These controls are well worth reading.

CRISC Maturity Models

There are 3 main Maturity Models.

CMMI – Capabilities Maturity Model – Levels 1 to 5

IDEAL – Initiating, Diagnosing, Establishing, Acting and Learning

PAM – Process Assessment Model

 

 

Why Use a Maturity model?

  1. They are proven, industry best practice.
  2. Set targets of improvement
  3. Compare the organisation against the Maturity Model, to see where it is, based on evidence
  4. Audit tested organisation for contractual reasons

 

CMMI – 5 Levels

CMMI – Most organisations will be around Level 2 to 3.

http://cmmiinstitute.com/capability-maturity-model-integration


https://en.wikipedia.org/wiki/Capability_Maturity_Model


Level 1 = Ad hoc, chaotic.

Level 2 = The process is documented and repeatable.

Level 3 = Standard business process

Level 4 = Capable – managed to agreed metrics

Level 5 = Deliberate process optimisation / improvement


https://en.wikipedia.org/wiki/Capability_Maturity_Model_Integration

CRISC Questions.

  1. Why would an organisation use a model?


Ransomware as a service

Hunting on the dark web is interesting to find new malicious activities running in the background. Besides the classic sites where you can order drugs and all kinds of counterfeit material, I discovered an interesting website which offers a service to create your own ransomware! The process is straightforward, you just have to:

  • specify your Bitcoin address to get the ransom,
  • select the amount (minimum amount is 0.01 BTC, max 1BTC)

and you get a nice malicious PE file delivered a few seconds later:

The business model behind the service is simple: the bad guys keep 10% of the ransom.

Based on the strange XMPP address provided on the webpage, I think that the service is not yet available or is just a proof of concept. However, it was really tempting so I generated my own ransomware sample. Note that a valid Bitcoin address must be provided. Thanks to Google, I found some “public” ones that I used for my test. The generated file is a 64-bit PE file. I don’t know the reason for this restriction… 64 bits only is a real limitation to hit many victims.

+----------+----------------------------------------------------------------------------------------------------------------------------------+
| Key      | Value                                                                                                                            |
+----------+----------------------------------------------------------------------------------------------------------------------------------+
| Name     | YzBvIyROuOZGbcf6sFl8CKGQzqDgbb7Rzua.exe                                                                                          |
| Tags     | ransomware, isc                                                                                                                  |
| Path     | /home/nonroot/workdir/binaries/7/0/0/5/7005535e034576fdb66b5b32eb198b48d7755758e77bd66909f8dd7288c1e069                          |
| Size     | 5580288                                                                                                                          |
| Type     | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows                                                         |
| Mime     | application/x-dosexec                                                                                                            |
| MD5      | 493640f022a7ac07ad4e8d6f2cd3740e                                                                                                 |
| SHA1     | 4c4a1df308e415ab356d93ff4c5884f551e40cf5                                                                                         |
| SHA256   | 7005535e034576fdb66b5b32eb198b48d7755758e77bd66909f8dd7288c1e069                                                                 |
| SHA512   | d29b40298f00ba619a59f4aa7cec1bb1ec753df948b9fa50e7e158150ca21801783d701c8ed32a8e3811f138ad948b4077c8cf2b7da5b25917ec8eebe7435c26 |
| SSdeep   | 49152:U6q9fOpwcf1pHot9E4IaCf1kin7N0Iu1YES/N4ggvewaFSenC00qTQeVptYt1dmT:ofk3oC9n7N0Iu19SV4ISeLQevtYVmS                            |
| CRC32    | 29B4ED1C                                                                                                                         |
| Parent   |                                                                                                                                  |
| Children |                                                                                                                                  |
+----------+----------------------------------------------------------------------------------------------------------------------------------+

The file hash was of course unknown on VT. When I submitted it, the score was only 7/66[1]. This is quite good (from the attacker perspective). No big player was able to detect it.
I tested the ransomware in a sandbox running a Windows 7 64bits protected by the Microsoft AV and all security features enabled. A few minutes later, my files were encrypted.
The communication with the victim is performed via a file on the desktop:

When you click on the link you are redirected to a website which discloses more details:

The webpage proposes to download a decryption tool:

+----------+----------------------------------------------------------------------------------------------------------------------------------+
| Key      | Value                                                                                                                            |
+----------+----------------------------------------------------------------------------------------------------------------------------------+
| Name     | decrypter.exe                                                                                                                    |
| Tags     | ransomware, isc                                                                                                                  |
| Path     | /home/nonroot/workdir/binaries/c/b/7/3/cb73927aa749f88134ab7874b15df898c014a35d519469f59b1c85d32fa69357                          |
| Size     | 5605888                                                                                                                          |
| Type     | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows                                                         |
| Mime     | application/x-dosexec                                                                                                            |
| MD5      | 3eadfae2ff4c4eb1c8e6ad48efdfff21                                                                                                 |
| SHA1     | 5845d32cfae8f554847fa95d28d5c6849c416b84                                                                                         |
| SHA256   | cb73927aa749f88134ab7874b15df898c014a35d519469f59b1c85d32fa69357                                                                 |
| SHA512   | 62efa2e1c8a8530b076b54e0e431492bf6a1d9d42addca8f95db1a1fce82e4288afe79a585d61831fc3d76f0d705b98324dc35e353cd19692779a3a8916f421f |
| SSdeep   | 49152:ymdRKnjBwhy1Bz/0RvVJr7eUBUr6DXxgqw5PgAXzzX691yW/0qTQN9sUL2z47tQ+:9RZaMoAxgqw5x691JQNmULd5L                                 |
| CRC32    | 9D8D2721                                                                                                                         |
| Parent   |                                                                                                                                  |
| Children |                                                                                                                                  |
+----------+----------------------------------------------------------------------------------------------------------------------------------+

Communications with the C2 server are performed via HTTPS: kdvm5fd6tn6jsbwh[.]onion[.]to (185[.]100[.]85[.]150) located in Romania.
The encryption key is downloaded and stored in %APPDATA%\encryption_key
Here is a dump of the file I received:


The PE file is not obfuscated and interesting strings can be found like the list of file extensions that I scanned to be encrypted:

*.arw*.bay*.cdr*.cr2*.crw*.csv*.dcr*.dng*.doc*.dwg*.dxf*.erf*.jpg*.kdc*.mef*.mrw*.nef*.nrw*.orf*.pdf*.pef*.png*.ppt*.psd*.ptx*.r3d*.raf*.raw*.rtf*.rw2*.rwl*.sr2*.srf*.srw*.svg*.txt*.xls

The following drives are tested to find network shares:

K:, L:, M:, N:, O:, P:, Q:, R:, S:, T:, U:, V:, W:

Encrypted files have a new extension ‘.cypher’. Based on the strings present in the PE file, it has been written in Go. Do you have more information about this kind of ransomware? (“.cypher”), please share!

[1] https://www.virustotal.com/file/7005535e034576fdb66b5b32eb198b48d7755758e77bd66909f8dd7288c1e069/analysis/1516797003/

Xavier Mertens (@xme)
ISC Handler – Freelance Security Consultant
PGP Key

Reference

https://isc.sans.edu/forums/diary/Ransomware+as+a+Service/23277/
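
The indicators named in the diary above (the `.cypher` extension, `%APPDATA%\encryption_key`, the drives K: to W: and the C2 hostname) can be turned into a detection pass over endpoint events. This is an added example, not code from the diary or its author; the pipe-separated event format, the sample log lines, the burst thresholds and the assumption that `%APPDATA%` resolves to `...\AppData\Roaming` are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Indicators taken from the diary text.
ENCRYPTED_EXT = ".cypher"
SHARE_DRIVES = {f"{c}:" for c in "KLMNOPQRSTUVW"}
C2_HOST = "kdvm5fd6tn6jsbwh[.]onion[.]to".replace("[.]", ".")  # kept defanged in source
# Assumption: %APPDATA% resolves to <profile>\AppData\Roaming.
KEY_FILE_TAIL = ("appdata", "roaming", "encryption_key")

# Assumed tuning values (not from the diary): 5 encrypted files within 60 s.
BURST_COUNT = 5
BURST_WINDOW = timedelta(seconds=60)

# Constructed sample events, format: time|pid|image|event|target
SAMPLE_LOG = rf"""
2018-01-24T09:00:00Z|4120|C:\Windows\explorer.exe|FileCreate|C:\Users\alice\Documents\puzzle.cypher
2018-01-24T09:30:00Z|5200|C:\Program Files\Mozilla Firefox\firefox.exe|DnsQuery|example.org
2018-01-24T10:00:00Z|3388|C:\Users\alice\Downloads\sample.exe|DnsQuery|{C2_HOST}
2018-01-24T10:00:02Z|3388|C:\Users\alice\Downloads\sample.exe|FileCreate|C:\Users\alice\AppData\Roaming\encryption_key
2018-01-24T10:00:05Z|3388|C:\Users\alice\Downloads\sample.exe|FileCreate|C:\Users\alice\Documents\budget.xls.cypher
2018-01-24T10:00:06Z|3388|C:\Users\alice\Downloads\sample.exe|FileCreate|C:\Users\alice\Documents\cv.doc.cypher
2018-01-24T10:00:07Z|3388|C:\Users\alice\Downloads\sample.exe|FileCreate|C:\Users\alice\Pictures\cat.jpg.cypher
2018-01-24T10:00:08Z|3388|C:\Users\alice\Downloads\sample.exe|FileCreate|C:\Users\alice\Pictures\logo.png.cypher
2018-01-24T10:00:09Z|3388|C:\Users\alice\Downloads\sample.exe|FileCreate|K:\finance\q4.pdf.cypher
"""


def parse(line):
    """Split one event line into (timestamp, pid, image, event, target)."""
    ts, pid, image, event, target = line.split("|", 4)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(pid), image, event, target


def detect(log_text):
    """Return {pid: sorted reasons} for processes matching the diary's indicators."""
    findings = defaultdict(set)
    cypher_times = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, pid, _image, event, target = parse(line)
        if event == "DnsQuery" and target.lower().rstrip(".") == C2_HOST:
            findings[pid].add("c2-lookup")
        elif event == "FileCreate":
            path = PureWindowsPath(target)
            if tuple(p.lower() for p in path.parts)[-3:] == KEY_FILE_TAIL:
                findings[pid].add("key-file")
            if path.suffix.lower() == ENCRYPTED_EXT:
                cypher_times[pid].append(ts)
                if path.drive.upper() in SHARE_DRIVES:
                    findings[pid].add("share-encryption")
    # A single .cypher file is weak evidence; a burst from one process is not.
    for pid, times in cypher_times.items():
        times.sort()
        for i in range(len(times) - BURST_COUNT + 1):
            if times[i + BURST_COUNT - 1] - times[i] <= BURST_WINDOW:
                findings[pid].add("cypher-burst")
                break
    return {pid: sorted(reasons) for pid, reasons in findings.items()}


if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_LOG).items():
        print(pid, ", ".join(reasons))
```

A lone `.cypher` file from an unrelated process is ignored; only the burst, the key file, a mapped-drive write or the C2 lookup raises a finding.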

Framework for Improving Critical Infrastructure Cybersecurity Version 1

The NIST CSF was designed with the intent that individual businesses and other organisations use an assessment of the business risks they face to guide their use of the framework in a cost-effective way.

The framework is divided into three parts: the Framework Core, Framework Implementation Tiers and Framework Profiles:

  • The Framework Core is a set of activities, outcomes and references that detail approaches to aspects of cyber security. The core comprises five functions, which are subdivided into 22 categories (groups of cyber security outcomes) and 98 subcategories (security controls).
  • Framework Implementation Tiers are used by an organisation to clarify for itself and its partners how it views cyber security risk and the degree of sophistication of its management approach.
  • Framework Profile is a list of outcomes that an organisation has chosen from the categories and subcategories, based on its business needs and individual risk assessments.


Core functions, categories, subcategories and informative references

The five Framework Core functions are:

  • Identify – Develop the organisational understanding to manage cyber security risk to systems, assets, data and capabilities.
  • Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
  • Detect – Develop and implement the appropriate activities to identify the occurrence of a cyber security event.
  • Respond – Develop and implement the appropriate activities to take action regarding a detected cyber security event.
  • Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired because of a cyber security event.

Each function is divided into categories – groups of cyber security outcomes that relate to particular activities. Examples include ‘Asset Management’, ‘Access Control’ and ‘Detection Processes’.


Subcategories further divide a category into specific outcomes of technical and/or management activities (security controls). Examples include ‘External information systems are catalogued’, ‘Data-at-rest is protected’ and ‘Notifications from detection systems are investigated’.

For each subcategory, the CSF provides informative resources that cite specific sections of a variety of information security standards, including ISO 27001, COBIT®, NIST SP 800-53, ISA 62443, and the Center for Internet Security’s 20 Critical Security Controls.

NIST Cybersecurity Framework version 1, 2014

https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf

NIST Cybersecurity Draft Framework version 1.1, 2017

https://www.nist.gov/sites/default/files/documents/2017/12/05/draft_roadmap-version-1-1.pdf

 

Draft NIST Roadmap for Improving Critical Infrastructure Cybersecurity Version 1.1 December 5, 2017

This companion Roadmap to the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework or the Framework) describes plans for advancing the Framework development process, discusses the National Institute of Standards and Technology’s (NIST’s) next steps with the Framework, and identifies key areas of development, alignment, and collaboration. This plan provides a description of anticipated future activities related to the Framework and offers stakeholders another opportunity to participate actively in the continuing Framework development process. While the plan is focused on the Cybersecurity Framework, the results of work described in this roadmap are expected to be useful to a much broader audience to improve cybersecurity risk management in much the same way that the Framework itself is useful to many sectors and organizations that are not strictly defined as part of the critical infrastructure. This Roadmap reflects revisions to the original planning document released in February 2014 when Version 1.0 of the Framework was released, and contains updates corresponding with draft Version 1.1 of the Framework.

Reference

https://www.nist.gov/sites/default/files/documents/2017/12/05/draft_roadmap-version-1-1.pdf

Intel fix reduces server performance by 2% to 25% for large volumes of data

Intel says devices are rebooting more than usual after being patched with fixes it has issued to the Spectre and Meltdown security flaws in its chips.

The company said it had reproduced the problem and was “making progress toward identifying the root cause”.

It also shared information about how the patches might affect computer performance in data centres.

One financial industry expert told the BBC he was concerned about the numbers being quoted.

Intel said its tests showed a reduction in performance ranging from 2% to 25%.

The US company said it was working with partners and customers to find ways to “address” the issue.

In an update on its website, Intel said the reboot problem had been identified in its Ivy Bridge, Sandy Bridge and Skylake processors.

It also affected Kaby Lake chips – its most recent offering.

‘Initial analysis’

Two separate security flaws, known as Meltdown and Spectre, were publicly disclosed in January.

Researchers discovered gaps in security stemming from central processing units – better known as the chip or microchip – that could allow privately stored data in computers and networks to be hacked.

Experts suggested fixing the problem could reduce the performance of Intel chips significantly.

Intel said its “initial analysis” for business cases such as running website servers showed a slowdown of 2%.

But it added that when it simulated a stock brokerage making transactions, the chips saw a 4% reduction in performance.

One industry insider suggested that figure was more significant than it might seem at first glance.

“In a company like ours, 4% would be a massive difference,” said Alasdair Haynes from the stock exchange Aquis.

“We measure the time of trades in microseconds. Firms spend an enormous amount of time and money trying to get the fastest speed out of a server.”

The most significant reduction in performance involved computer servers that store and retrieve large volumes of data. For those, the slowdown could be as severe as 25%.

Reference

http://www.bbc.com/news/technology-42733032

The reluctant cyber hero: How a 22-year-old stumbled across the worst computer chip flaw in history while reading huge Intel processor manuals with thousands of pages – INTEL FLAW

In cybersecurity circles at least, the 22-year-old German shot to fame this month when he was revealed as the man who exposed the worst computer chip flaw ever.

In uncovering the fault, which has existed for more than two decades but went completely unnoticed, he beat teams of analysts working from years of research.

Even more incredibly, he stumbled across the defect by accident while reading through thousand-page processor manuals for a completely different project.

The flaw affects most processors manufactured by Intel since 1995 but went completely undiscovered until Horn happened upon it.

Horn was actually trying to work out whether processors could handle an intense piece of number-crunching code he had devised when he began picking through the doorstop-sized manuals last year, Bloomberg reports.

His research led him to a process known as speculative execution – where a chip tries to guess what it might be asked to do next and starts performing that task ahead of time in order to increase speed.

In doing so it starts fetching data from various parts of the machine and storing that information in its memory.

Horn discovered that, even if the chip guessed wrong, the data it had retrieved would still be stored and could potentially be stolen by a clever hacker.

Working from Google’s Project Zero lab in Zurich, he compared notes with other researchers before making his discovery – chips could be tricked into retrieving data of a hacker’s choosing, which could then be stolen.

 

Reference

http://www.dailymail.co.uk/news/article-5283089/German-22-year-old-worst-computer-chip-flaw-ever.html
