WannaCry - Executive summary

Conclusion

1. Windows – patch management for EOF is vital.
2. Antivirus – as always didn’t detect anything. Not sure they can by design.
3. Hots with open SMB to the internet by the millions  
4. Internal networks are very vulnerable.

Security product failing at money time 

deatils: 

•       Few month ago - Microsoft identifyee MS17-010 – affecting ALL MS versions

•       March 2017 - Patch was publicly released

•       April 2017 – Shadow Broker leak MS17-010

•       12 May 2017 ~ (two month later) a massive ransomware  attack was identified – WannaCry

•       The ransomware apparently utilize few know weakness including  MS17-010

•       Microsoft also update to unsupported versions. Also published work around 

Impact 

•       Telefonica – Spain

•       Sever damage according to ww cert’s

•       Fedex –USA

•       NHS – UK

•       Prime minister called the public to not arrive at the hospitals

•       World wide news publications

•       Very bad publicity to NSA and Microsoft

•       Microsoft had to issue a fix for un supported versions - XP and Windows server 2003

Vulnerability

•       Ransom ware – files are encrypted unless bitcoin payment is done

•       Attack apparently start with spear phishing emails contains attachments

•       The exploit was installed in the windows OS as the results of user opening the attachments (activating it)

•       Then the exploit code start looking for random internet IP’s and try to infect them.

•       It is then looks at the internal IP range and trying to infect the local PC’s

•       Attack vector  was SMB v1 – used for internal file sharing services thus targeting the internal networks

•       The ransom ware is then encrypt files of various types (list in the following pages)   

•       Kill switch was discovered:

•       The ransom ware is trying to access a unique domain name in the internet.

•       if it doesn’t exists it start encrypting the files.

•       If the domain exists the encryption doesn't start. A new versions without kill switch released 

Prevention recommendation

•       Recommendation to not block port 80 access to the following sites:

                www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com                  www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

*Note the this is outbound connection.

•       If proxied browser then allow this traffic out

•       Firewall should block any traffic from the internet on TCP445, TCP139, UDP137, UDP138

•       Patch ASAP 

•       Is not a zero day – was know 3 month ago

•       Any un patched MS box is at risk

•       NSA can hack almost anything but also can cause damage if they leak tools and vulnerabilities

•       Ransomware was 300 600- $ with bit coins

•       TechNet notification by Microsoft

•       Patching old systems / versions is critical

•       Ignoring patching even when challenging cost money

•       Security incident on massive scales happens

•       Internal networks are expose to exploit (not just web sites)

•       Any system should have emergency plan to patch unsupported versions 

Why the web app security problem exists ?

Complexity – did you wrote a code for an app and saw how many items needed to be addressed before even talking about security ?

Non standard – write code is based on the developer knowledge and experience. There are many ways to implement even a simple concept like salt password.  There are no standards or guide lines that every web developer is committed to.

3^rd party – developers must rely on 3^rd part library servers and have no way to verify that they are all secure.

Design - Web app are design to server client with various content and the goal is to sell or market them  self or just share information. It means that security comes as a secondary goal at the best case and that make total sense.

Easy – due to the comply of web apps it is not that difficult to find holes or take advantage of innocent users and trick them to install a male ware.

Heard to deal with - Organizations are struggling to secure all their customer information and try to stay above water. The reason is they have so many security concerns, product, procedure, logs, tasks, and much more which makes it almost un manageable.  

Genesis – web application security is still not a fully solid process and some of the basics are still not decided and adopted as best practices within the industry 

2017 - The return of the WAF. why WAF are back ?

 It’s out there
  • Web application are the highest targeted and they are open 24/7 for attack
  • Web application have complexity hence more security concerns
  • No one sees the big picture in terms of security

 Security:
  • Virtual patching is good remediation
  • There are still SQLi vulnerability
  • The ultimate forensics tools
  • The only way to know if someone try to hack or already hacked you
  • WAF sees the big security picture while apps are not design for security
  • Bots are a change to any web site owner, WAF can deal with bots

New technology
  • New environment: Cloud technology takes us to the old days of unsecured web sites with the same problems but just a little more sophisticated.
  • New protocols: web socket is underlying protocol and enable the implementation for various usage that should take care of the same old security attack vectors: session management, scrubbing user input and more.
  • There are more challenges to the application than ever. Scarping , DoSing Bots and much more business problem with security orientation that should be detected and mitigated.

And there is more…

SEA ? Security Exposure Analysis

a post from 4.5 years.
"
Every time I go to one of the dozens of Security conference I like to go to vendors booth and ask them the following  questions:

1.       Which attack vector your product detects and or mitigate?

2.       What is the amount (ratio/ percentage) of you false positive and false negative? 

3.       How much performance impact your product adds to the existing web application/ environment / system / network in terms of latency?

4.       How much time and human work it takes to deploy your product?

5.       How much human work needed to maintain your product?

6.       How many customer using your product ?

7.       What is your road map ?

    why asking ? 

    

  few  years ago I spoke to a guy who introduce himself as a security expert. and he told me about a concept called Security Exposure Analysis. when I asked him what it means he told me the above questions.  then he told me, if you are talking to a vendor ask him those questions, then you will know if you need to buy their product or not. ever since i'm asking it and it does help. 

   

    which  question you ask before you buy a security product ? "

   

Cyber , yes !

Cyber, I remember very clearly that few years ago the term cyber was mostly related sex. When someone said cyber you immediately understood that he talks about cyber sex which was something very new to the world. Cyber then become a name to people who don't do real sex, they do cyber. That wasn't very long time ago however times are changing and familiar words get new meaning. Today when you say cyber most of the people understand your talking about cyber security unless they still do the other cyber which btw is known for a fact that sex made the internet so big.

It is even more crazy because everyone that I talk to lately is in cyber.  A sales guy whom I know and who know nothing about computers and used to sell mobile just told me he decide to go to cyber, he didn't even say cyber security , just cyber. A girl who used to work in my regular bar told me a week ago that she wants to go to cyber as a product manager, re he he ly ??  yes ! Cyber, scary word that means money ! and security is great cuz we Israeli knows all about security, we live and breathe  security from childhood.

And ! we are also a startup nation which means that If you combine the natural security orientation we have with the startup nation fact, you will get a cyber security startup nation which means lots of Cyber startups. Cyber security not cyber sex startups.

LR