👨🏼‍🎓 Information Blog 👨🏼‍🎓: UofP

Showing posts with label UofP. Show all posts

Saturday, January 11, 2020

Cybersecurity - Informative Web Sites, Podcasts & Blogs

An Annotated Bibliography of useful and informative websites, podcasts and blogs about Cybersecurity.

Web Sites

NIST

The National Institute of Standards and Technology (NIST) provides useful information about cybersecurity, resources and policies.

NIST. (n.d.). Information Technology, Cybersecurity. National Institute of Standards and Technology. U.S. Department of Commerce. https://www.nist.gov/topics/cybersecurity

CISA

The US. Department of Homeland Security Cyber-Infrastructure Department provides information about High-Profile Activity, Vulnerabilities and other useful information.

CISA. (n.d.) Cyber-Infrastructure. High Profile Activity. US-CERT. https://www.us-cert.gov/

FTC

The Federal Trade Commission, Consumer Information Division provides useful information about frauds and scams.

FTC. (n.d.) Consumer Alerts. Federal Trade Commission. Consumer Information. https://www.consumer.ftc.gov/?utm_source=govdelivery

Podcasts

Security Now!

Cybersecurity Researcher Steve Gibson and podcast host Leo Laporte provide an informative weekly podcast with current news about cybersecurity issues.

Gibson, S. and LaPort, L. (2021). Security Now! https://www.grc.com/securitynow.htm

SANS Internet Stormcenter

Host Johannes B. Ullrich of SANS provides a useful recap of important cybersecurity events each day.

Ullrich, Johannes B. (2021). ISC Stormcast. Internet Storm Center Cyber Security Podcasts. https://isc.sans.edu/podcast.html

The Cyberwire

The Cyberwire is a cyber security-focused news service and an independent voice in the marketplace. They produce a daily podcast with very useful cybersecurity new and information.

Bittner, Dave. (2021). Daily Podcast. The Cyberwire. Fulton. MD. https://thecyberwire.com/podcasts/daily-podcast.html

The PRIVACY, SECURITY, & OSINT Show

This weekly podcast presents ideas to help you become digitally invisible, stay secure from cyber threats, and make you a better online investigator. If you are just starting to follow this podcast, consider episodes 174-178.

Bazzell, Michael. (2021). The PRIVACY, SECURITY, & OSINT Show. https://www.inteltechniques.com/podcast.html

Blog

Krebs on Security

Cybersecurity Reporter/Researcher Brian Krebs routinely breaks interesting stories from the dark underground of cybercrime.

Krebs, Brian. (2019). Krebs on Security. Blog. https://krebsonsecurity.com/

=-=-=-=-=-=

https://kardasz.blogspot.com/2020/01/useful-and-informative-websites.html

___________________________________________

Please buy a coffee at the link below for our excellent editor Ava Gozo

Monday, May 28, 2018

Cyberattacks - Reboot home routers - Attacks from foreign adversary - June 7, 2018

Update - June 7, 2018

The earlier recommendation to reboot routers may not entirely solve the problem.

From IC3/FBI:

May 25, 2018

The FBI recommends any owner of small office and home office routers power cycle (reboot) the devices. Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide. The actors used VPNFilter malware to target small office and home office routers. The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic.

Reference:

IC3/FBI. (May 25, 2018). Foreign Cyber Actors Target Home and Office Routers and Networked Devices Worldwide. Public Service Announcement. Retrieved from https://www.ic3.gov/media/2018/180525.aspx

=-=-=-=-=-=

From Cisco via Talos:

The code of this malware overlaps with versions of the BlackEnergy malware — which was responsible for multiple large-scale attacks that targeted devices in Ukraine. While this isn’t definitive by any means, we have also observed VPNFilter, a potentially destructive malware, actively infecting Ukrainian hosts at an alarming rate, utilizing a command and control (C2) infrastructure dedicated to that country.

Reference:

Cisco Blogs. (May 23, 2018). New VPNFilter malware targets at least 500K networking devices worldwide. Threat Research. Talos Group. Retrieved from https://blogs.cisco.com/security/talos/vpnfilter

=-=-=-=-=-=

From US-CERT:

NCCIC is aware of a sophisticated modular malware system known as VPNFilter. Devices known to be affected by VPNFilter include Linksys, MikroTik, NETGEAR, and TP-Link networking equipment, as well as QNAP network-attached storage (NAS) devices. Devices compromised by VPNFilter may be vulnerable to the collection of network traffic (including website credentials), as well as the monitoring of Modbus supervisory control and data acquisition (SCADA) protocols

Reference:

US-CERT. (May 23, 2018). VPNFilter Destructive Malware. Retrieved from https://www.us-cert.gov/ncas/current-activity/2018/05/23/VPNFilter-Destructive-Malware

=-=-=-=-=-=

From CNET:
June 2, 2018

"I'm concerned that the FBI gave people a false sense of security," Talos senior technology leader Craig Williams said in an interview with Ars Technica. "VPNFilter is still operational. It infects even more devices than we initially thought, and its capabilities are far in excess of what we initially thought. People need to get it off their network."

Reference:

Zhou, M. (June 6, 2018). That router botnet the FBI asked us to help kill? Yep, it's still alive. A report details new capabilities and devices targeted by the VPNFilter malware. Retrieved from https://www.cnet.com/news/that-vpnfilter-router-attack-the-fbi-wanted-us-to-kill-yep-its-still-alive/

=-=-=-=-=-=

Wednesday, March 21, 2018

Cyberattacks - Ongoing Threats

Interesting Links - Cyber attacks: Threats, Maps, and Current Events.

=-=-=-=-=-=

Computer Defense Network

Computer Network Defense Ltd. advertises itself as a “consultancy delivering all manner of cybersecurity services…”

They publish an informational website with items of interest to the IT community:

http://www.securitywizardry.com/radar.htm

=-=-=-=-=-=-=

Sonicwall

Sonicwall is a vendor of firewalls, advanced threat protection, remote access, and email security products (https://www.sonicwall.com/en-us/home).

Below are links to some interesting maps and data that SonicWall states display ongoing cyber-attacks.

Capture Labs Threat Metrics

https://securitycenter.sonicwall.com/m/page/attacks-by-type

Worldwide Attacks - Last 24 hours

https://securitycenter.sonicwall.com/m/page/live-attacks

Security News

https://securitycenter.sonicwall.com/m/page/security-news

=-=-=-=-=-=-=

https://kardasz.blogspot.com/2018/03/cyberattacks-ongoing-threats-and-news.html

Wednesday, November 29, 2017

Cybersecurity and DNS

Dr. Frank Kardasz

November 29, 2017

Domain Name System (DNS)

A typical Domain Name System (DNS) works behind the scenes though servers located throughout the world that translate (resolve) common website hostnames into the more complicated Internet protocol (IP) addresses required for cyberspace communications. Each DNS server contains a database of public IP addresses and their associated website hostnames. Most servers are free for public use and operate at various capabilities. The servers routinely perform their translation service and then communicate the information to and from senders and destinations.

DNS servers operate with varying levels of efficiency and security. A nice listing of various DNS servers, including a list of their features, is provided by Lifewire at: https://www.lifewire.com/free-and-public-dns-servers-2626062

Domain Name Spoofing

Domain name spoofing can occur when a malicious actor creates a website with a common name that is closely related to the name of a similar site. The intent of the malicious actor may be to impersonate the legitimate site and to attract unsuspecting users to the fake site. When the victim visits the fake site, the offender might then expose the victim to malware, phishing or other malicious activity.

Many of the public DNS servers contain the common names and IP addresses of both benign and malicious websites without any notifications to the users about whether or not a site is malicious. Many users' computers are configured by default to send web traffic through DNS servers that do provide filtering protections.

Quad9 - A Threat Mitigator

A free service known as Quad9, with the IP address of 9.9.9.9, purports to mitigate some of the threats from malicious websites. The DNS servers controlled by Quad9 contain the names and IP addresses of websites that are known to be malicious. Users of Quad9 are prevented from visiting known malicious websites.

For Quad9 to work, users must re-configure their computers' DNS settings to direct the computer web traffic through the Quad9 servers. The Quad9 servers act as filters and block traffic from known malicious sites. The reconfiguration process is a simple change of each computer's network settings and is nicely described in videos at the Quad9 web site: https://www.quad9.net/#/#setup-quad9

=-=-=-=-=-=

The following information is directly from the Quad9 Web Site at: https://www.quad9.net/#/about:

Quad9 is a free, recursive, anycast DNS platform that provides end users robust security protections, high-performance, and privacy.

Security: Quad9 blocks against known malicious domains, preventing your computers and IoT devices from connecting malware or phishing sites. Whenever a Quad9 user clicks on a website link or types in an address into a web browser, Quad9 will check the site against the IBM X-Force threat intelligence database of over 40 billion analyzed web pages and images. Quad9 also taps feeds from 18 additional threat intelligence partners to block a large portion of the threats that present risk to end users and businesses alike.

Performance: Quad9 systems are distributed worldwide in more than 100 locations at launch, with more than 160 locations in total on schedule for 2018. These servers are located primarily at Internet Exchange points, meaning that the distance and time required to get answers is lower than almost any other solution. These systems are distributed worldwide, not just in high-population areas, meaning users in less well-served areas can see significant improvements in speed on DNS lookups. The systems are “anycast” meaning that queries will automatically be routed to the closest operational system.

Privacy: No personally-identifiable information is collected by the system. IP addresses of end users are not stored to disk or distributed outside of the equipment answering the query in the local data center. Quad9 is a nonprofit organization dedicated only to the operation of DNS services. There are no other secondary revenue streams for personally-identifiable data, and the core charter of the organization is to provide secure, fast, private DNS.

=-=-=-=-=-=

Conclusion

Quad9 appears to be a useful cybersecurity tool, and it is free. Obviously, the administrators at Quad9 must keep their service up-to-date as newly-created malicious web sites can appear at any time. Quad9 will need to quickly add malicious sites to their servers so that their service can remain relevant.

One might also expect that the Qua9 servers could be hit with DDos attacks at some point in the future, because no good cybersecurity deed goes unpunished, and hopefully they are prepared for such an attack.

=-=-=-=-=-=

Questions and reference information for cybersecurity students:

What is a DNS Server?

Fisher, T. (2017). What is a DNS Server? Lifewire. Retrieved from

https://www.lifewire.com/what-is-a-dns-server-2625854

How does DNS works?

Quad9 DNS. (Nov. 15, 2017). How DNS Works. Quad9DNS. Retrieved from https://www.youtube.com/watch?v=kURzoJ0Qj9o

What is a Domain Name System?

Beal, V. (2017). Domain Name System. Webopedia. IT Business Edge. Retrieved from https://www.webopedia.com/TERM/D/DNS.html

What is the list of free public Domain Name Systems?

Fisher, T. (2017). Free and Public DNS Servers. Lifewire. Retrieved from https://www.lifewire.com/free-and-public-dns-servers-2626062

What is an Internet Protocol (IP) address?

Beal, V. (2017). IP address - Internet Protocol (IP) address. Webopedia. IT Business Edge. Retrieved from https://www.webopedia.com/TERM/I/IP_address.html

What is Recursion?

Computer Science Wiki. (2016). Recursion (in Computer Science). Retrieved from https://computersciencewiki.org/index.php/Recursion

What is Anycast?

IT Business Edge. (2017). Anycast. Webopedia. Retrieved from https://www.webopedia.com/TERM/A/anycast.html

What is a DDOS attack?

Beal, V. (2017). DDoS attack - Distributed Denial of Service. Webopedia. IT Business Edge. Retrieved from https://www.webopedia.com/TERM/D/DDoS_attack.html

What is Quad9?

Quad9. (2017). Community-Driven Internet Security. Quad9. Berkley, CA. Retrieved from https://www.quad9.net/#/about

=-=-=-=-=-=

MCMP650, BCC395, CJ1500, AJS524, AJS572, BCC401, BCC403
=-=-=-=-=-=
https://kardasz.blogspot.com/2017/11/dns-and-cybersecurity.html
=-=-=-=-=-=

Monday, July 03, 2017

Cybersecurity - Malware Mitigation Tips for Ransomware

Dr. Frank Kardasz July 10, 2017. Editor: Ava Gozo.

The Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) offers excellent information and advice that explains various cyber threats and methods to mitigate threats.

ICS alert 17-181-01A regarding the Petya Ransomware Malware threat against computers with Microsoft Windows Operating Systems can be found at the ICS-CERT web page:

https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-181-01A

A second alert was posted here:

https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-181-01B

A third update was posted here: https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-181-01C

According to the ICS bulletins, the malware is someHelvetica also known as “NotPetya,” “Petrwrap,” “GoldenEye,” and “Nyetya.” It is described as a self-propogating worm that moves through a network, steals user credentials and exploits server message block (SMB) vulnerabilities. It uses the Windows Management Instrumentation Command-line tool and PSExec Network Management to assist in scanning for additional systems to infect. The attack uses ports 139/TCP and 445/TCP and overwrites the Master Boot Record (MBR) or wipes sectors of the drive.

An interesting analysis of the threat is also provided by the Guardian at:

https://www.theguardian.com/technology/2017/jun/27/petya-ransomware-cyber-attack-who-what-why-how

Although the malware is characterized as ransomware, the Cyberwire reported that persons who pay the Bitcoin ransom are not subsequently able to retrieve their data. Possible motives for the malware attack may be political, involving Russia vs the Ukraine or involving rival business operations.

See: The Cyberwire Daily Podcast:

https://www.thecyberwire.com/podcasts/

Security expert Bruce Schneier believes that the malware is better characterized as a data wiper and not ransomware. Schneier also discounts the attributions to government or big business sources. See: https://www.schneier.com/blog/archives/2017/07/goldeneye_malwa.html

Reports indicate that the source of Petya may be a supply chain attack against the accounting software MeDoc. MeDoc is reported by Fortune to be a Ukranian financial accounting firm that makes software that assists in tax preparation.

See: http://fortune.com/2017/06/27/petya-ransomware-ukraine-medoc/

In July 2017, The Register reported that a Twitter user known as Janus, issued a Master Decryption Key for Petya. Unfortunately, the key does not work for some of the other strains of the malware. See: https://www.theregister.co.uk/2017/06/29/petya_help/

Security Researcher Raul Alvarez from Fortinet provides an excellent technical analysis about the differences between Petya and NotPetya here: http://blog.fortinet.com/2017/07/08/key-differences-between-petya-and-notpetya

Information from ICS-CERT about how to mitigate the Petya Malware threat includes the following advice:(link is externaagainst accounting software MEDoc.

NotPetya is being placed in a new category called "ransomworm" because it increases automatic propagation of the malware across local and extended networks.

Backups are always a recommended part of the recovery process in most ransomware and malware situations. An informative discussion about backups can be found at the Society of Electrical Engineers web page:

https://insights.sei.cmu.edu/sei_blog/2017/05/ransomware-best-practices-for-prevention-and-response.html

Patching Operating Systems is considered essential security hygiene. Microsoft patch MS17-010 is described at the following link:

https://technet.microsoft.com/library/security/MS17-010

How to block traffic at TCP port 139 (session services) is described my Microsoft at the following link: https://technet.microsoft.com/en-us/library/cc940063.aspx

How to block TCP port 445 is described by AOMEI at the following link: http://www.backup-utility.com/anti-ransomware/how-to-block-port-445-in-windows-3889.html

SMB1 – Audit Active Usage using Message Analyzer is described by Microsoft here:

https://blogs.technet.microsoft.com/ralphkyttle/2017/05/13/smb1-audit-active-usage-using-message-analyzer/

Knowbe4, a security awareness company, reports the following email subject lines as being frequently used for ransomware phishing purposes: