
Page 1: You Better know you your Onions or you might Wannacry

You Better know you your Onions or you might Wannacry

Nicholas Lewis, NWSSP IT Security and Development

CISSP,CSSLP,MCSE,MCAD,CHECK QSTM

Page 2: You Better know you your Onions or you might Wannacry

Introduction

• A Brief History Of Hacking

• The Story Of Wannacry

• Where do we go from here

• Live hack demo at lunchtime !

Page 3: You Better know you your Onions or you might Wannacry

A Brief History Of Hacking: How It All Began

1903

Magician and inventor Nevil Maskelyne disrupts John Ambrose Fleming's public demonstration of Guglielmo Marconi's purportedly secure wireless telegraphy technology, sending insulting Morse code messages through the auditorium's projector.

1932

Polish cryptologists Marian Rejewski, Henryk Zygalski and Jerzy Różycki break the Enigma machine code.

1939

Alan Turing, Gordon Welchman and Harold Keen work together to develop the Bombe (building on Rejewski's work on the Bomba). The Enigma machine's relatively small key space makes it vulnerable to brute force.

Page 4: You Better know you your Onions or you might Wannacry

A Brief History Of Hacking: How It All Began

1971

John T. Draper (later nicknamed Captain Crunch), his friend Joe Engressia, and blue box phone phreaking hit the news with an Esquire Magazine feature story.

1972

Before starting Apple, Steve Jobs and Steve Wozniak built and sold digital blue boxes for around $100. One of the first calls they made using a blue box was to the Vatican, with Wozniak pretending to be Henry Kissinger and asking to speak to the pope, without success.

1979

Kevin Mitnick breaks into his first major computer system, the Ark, the computer system Digital Equipment Corporation (DEC) used for developing their RSTS/E operating system software.

Page 5: You Better know you your Onions or you might Wannacry

A Brief History Of Hacking: How It All Began

1980

The FBI investigates a breach of security at National CSS. The New York Times, reporting on the incident in 1981, describes hackers as “Technical experts; skilled, often young, computer programmers, who almost whimsically probe the defences of a computer system, searching out the limits and the possibilities of the machine. Despite their seemingly subversive role, hackers are a recognized asset in the computer industry, often highly prized”.

The newspaper describes white hat activities as part of a "mischievous but perversely positive 'hacker' tradition". When a National CSS employee revealed the existence of his password cracker, which he had used on customer accounts, the company chastised him not for writing the software but for not disclosing it sooner. The letter of reprimand stated that "The Company realizes the benefit to NCSS and in fact encourages the efforts of employees to identify security weaknesses to the VP, the directory, and other sensitive software in files".

1981

Ian Murphy, aka Captain Zap, was the first cracker to be tried and convicted as a felon. Murphy broke into AT&T's computers in 1981 and changed the internal clocks that metered billing rates, so people were getting late-night discount rates when they called at midday. Of course, the bargain-seekers who waited until midnight to call long distance were hit with high bills.

1983

The movie WarGames introduces the wider public to the phenomenon of hacking and creates a degree of mass paranoia about hackers and their supposed ability to bring the world to a screeching halt by launching nuclear ICBMs.

Page 6: You Better know you your Onions or you might Wannacry

A Brief History Of Hacking: How It All Began

1986

After more and more break-ins to government and corporate computers, Congress passes the Computer Fraud and Abuse Act, which makes it a crime to break into computer systems. The law, however, does not cover juveniles.

1986

Robert Schifreen and Stephen Gold are convicted of accessing the Telecom Gold account belonging to the Duke of Edinburgh under the Forgery and Counterfeiting Act 1981 in the United Kingdom, the first conviction for illegally accessing a computer system. On appeal, the conviction is overturned, as hacking is not within the legal definition of forgery.

1986

Arrest of a hacker who calls himself The Mentor. Shortly after his arrest he published, in the e-zine Phrack, a now-famous treatise that came to be known as the Hacker's Manifesto. It still serves as the most famous piece of hacker literature and is frequently used to illustrate the mindset of hackers.

Page 7: You Better know you your Onions or you might Wannacry

A Brief History Of Hacking: The Hacker Manifesto

This is our world now... the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin colour, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals.

Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.

I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... after all, we're all alike.

Page 8: You Better know you your Onions or you might Wannacry

A Brief History Of Hacking: How It All Began

1990

The Computer Misuse Act 1990 is passed in the United Kingdom, criminalising any unauthorised access to computer systems.

1992

One of the first ISPs, MindVox, opens to the public.

1993

The first DEF CON hacking conference takes place in Las Vegas. The conference is meant to be a one-time party to say goodbye to BBSs (now replaced by the Web), but the gathering is so popular that it becomes an annual event.

Page 9: You Better know you your Onions or you might Wannacry

A Brief History Of Hacking: The UK Computer Misuse Act 1990

The act created three categories of offence:

Unauthorised access to computer material: There must be intent to access a program or data stored on a computer, and the person must know that this access is not authorised. This is why login screens often carry a message saying that access is limited to authorised persons: this may not prevent a determined and ingenious hacker getting access to the system, but they will not be able to claim ignorance of committing an offence.

Unauthorised access with intent to commit a further offence: for instance accessing personal files or company records in order to commit fraud or blackmail.

Unauthorised modification of programs or data on a computer: Modification of a computer's contents under section 3 may consist of:

• Altering data: as in the case of a nurse who observed a doctor entering his password and used it to alter patients' drug dosages and treatment records.

• Removing data: for instance to cover up evidence of wrongdoing.

• Adding to the contents of a computer: for instance it has been held that sending an email under a false name results in unauthorised modifications to the content of the mail server.

The intent need not be directed at any particular computer, program or data, so this provision covers damage caused by computer viruses, even though the virus author need not have known or intended that any particular system would be affected.

Page 10: You Better know you your Onions or you might Wannacry

A Brief History Of Hacking: How It All Began

1994

The hacking theft of $10 million from Citibank is revealed.

1996

Cryptovirology is born with the invention of the cryptoviral extortion protocol that would later form the basis of modern ransomware.

1999

Software security goes mainstream. In the wake of Microsoft's Windows 98 release, 1999 becomes a banner year for security (and hacking). Hundreds of advisories and patches are released in response to newfound (and widely publicized) bugs in Windows and other commercial software products. A host of security software vendors release anti-hacking products for use on home computers.

Page 11: You Better know you your Onions or you might Wannacry

A Brief History Of Hacking: Citibank

From a computer terminal in his apartment in St. Petersburg, Russia, a Russian software engineer broke into a Citibank computer system in New York and with several accomplices stole more than $10 million by wiring it to accounts around the world, according to court documents and the U.S. attorney's office.

Citibank said all but $400,000 of the stolen funds have been recovered. Six hacking suspects have been arrested, including the engineer, Vladimir Levin, who is being held in Britain and is fighting extradition to the United States.

The incident underscores the vulnerability of financial institutions as they come to increasingly rely on electronic transactions. But computer security experts say what is even more notable about the case is that it became public.

"Can it happen? Yes. Does it happen? Yes," said Eugene Schultz, a computer security expert at SRI International. "But we don't hear about it because financial institutions are afraid of adverse publicity." The Citibank case became public as a result of the extradition effort.

Page 12: You Better know you your Onions or you might Wannacry

A Brief History Of Hacking: How It All Began

2001

Microsoft becomes the prominent victim of a new type of hack that attacks the domain name server. In these denial-of-service attacks, the DNS paths that take users to Microsoft's websites are corrupted.

A Dutch cracker releases the Anna Kournikova virus, initiating a wave of viruses that tempt users to open the infected attachment by promising a sexy picture of the Russian tennis star.

2002

Bill Gates decrees that Microsoft will secure its products and services, and kicks off a massive internal training and quality control campaign.

2003

The hacktivist group Anonymous was formed.

Page 13: You Better know you your Onions or you might Wannacry

A Brief History Of Hacking: How It All Began

2004

North Korea claims to have trained 500 hackers who successfully crack South Korean, Japanese, and their allies' computer systems.

2006

The largest defacement in Web History as of that time is performed by the Turkish hacker iSKORPiTX who successfully hacked 21,549 websites in one shot.

2007

A spear phishing incident at the Office of the Secretary of Defense steals sensitive U.S. defense information, leading to significant changes in identity and message-source verification at OSD.

2009

The Conficker worm infiltrates millions of PCs worldwide, including many government-level top-security computer networks.

Page 14: You Better know you your Onions or you might Wannacry

A Brief History Of Hacking: How It All Began

2010

The Stuxnet worm is found by VirusBlokAda. Stuxnet was unusual in that, while it spread via Windows computers, its payload targeted just one specific model and type of SCADA system. It slowly became clear that it was a cyber attack on Iran's nuclear facilities, with most experts believing that Israel was behind it, perhaps with US help.

2011

The hacker group Lulz Security is formed.

Bangladeshi hacker TiGER-M@TE sets a world record in defacement history by hacking 700,000 websites in a single shot.

Iranian hackers retaliate against Stuxnet by releasing Shamoon, a virus that damages 35,000 Saudi Aramco computers and stops the company for a week.

2012

The social networking website LinkedIn is hacked and the passwords for nearly 6.5 million user accounts are stolen by cybercriminals. As a result, a United States grand jury indicted Nikulin and three unnamed co-conspirators on charges of aggravated identity theft and computer intrusion.

Computer hacker sl1nk announces that he has hacked a total of 9 countries' SCADA systems. The proof includes 6 countries: France, Norway, Russia, Spain, Sweden and the United States.

Page 15: You Better know you your Onions or you might Wannacry

A Brief History Of Hacking: How It All Began

2013

The social networking website Tumblr is attacked by hackers. Consequently, 65,469,298 unique emails and passwords are leaked from Tumblr. The data breach's legitimacy is confirmed by computer security researcher Troy Hunt.

2014

The bitcoin exchange Mt.Gox files for bankruptcy after $460 million is apparently stolen by hackers due to "weaknesses in [their] system" and another $27.4 million goes missing from its bank accounts.

2015

Records of 21.5 million people, including social security numbers, dates of birth, addresses, fingerprints, and security-clearance-related information, are stolen from the United States Office of Personnel Management. Most of the victims are employees of the United States government and unsuccessful applicants to it. The Wall Street Journal and the Washington Post report that government sources believe the hacker is the government of China.

The servers of the extramarital affairs website Ashley Madison are breached.

Page 16: You Better know you your Onions or you might Wannacry

A Brief History Of Hacking: How It All Began

2016

The 2016 Dyn cyberattack is conducted with a botnet consisting of IoT devices infected with Mirai, by the hacktivist groups SpainSquad, Anonymous, and New World Hackers, reportedly in retaliation for Ecuador's rescinding Internet access to WikiLeaks founder Julian Assange at their embassy in London, where he has been granted asylum.

2017

The WannaCry ransomware attack starts on Friday, 12 May 2017, and is described as unprecedented in scale, infecting more than 230,000 computers in over 150 countries.

Petya cyberattack

The Equifax breach

Deloitte breach

What’s next?

Page 17: You Better know you your Onions or you might Wannacry

A Brief History Of Hacking: It All Goes Around and Around

Page 18: You Better know you your Onions or you might Wannacry

Page 19: You Better know you your Onions or you might Wannacry

A Brief History Of Hacking: Current Attacks And Vulnerabilities

Malware

Malware, short for malicious software, is an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware, and other malicious programs. It can take the form of executable code, scripts, active content, and other software. Malware is defined by its malicious intent, acting against the requirements of the computer user — and so does not include software that causes unintentional harm due to some deficiency.

Programs supplied officially by companies can be considered malware if they secretly act against the interests of the computer user. An example is the Sony rootkit, a Trojan horse embedded into CDs sold by Sony, which silently installed and concealed itself on purchasers' computers with the intention of preventing illicit copying; it also reported on users' listening habits, and unintentionally created vulnerabilities that were exploited by unrelated malware.

Software such as anti-virus and firewalls is used to protect against activity identified as malicious, and to recover from attacks.

Page 20: You Better know you your Onions or you might Wannacry

A Brief History Of Hacking: Current Attacks And Vulnerabilities

Phishing

Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication. According to the 2013 Microsoft Computing Safety Index, released in February 2014, the annual worldwide impact of phishing could be as high as US$5 billion.

Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter personal information at a fake website whose look and feel are identical to the legitimate one, the only difference being the URL of the website in question. Communications purporting to be from social web sites, auction sites, banks, online payment processors or IT administrators are often used to lure victims. Phishing emails may contain links to websites that are infected with malware.

Phishing is an example of social engineering techniques used to deceive users, and exploits weaknesses in current web security. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.
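The "only difference is the URL" point above is something a mail gateway or an analyst can check mechanically. The following is an added example, not code from the original slides: it parses an HTML message body, flags any link whose visible text names one domain while the href goes to another, and flags plain-HTTP links. The sample message, its domains and the two-label domain reduction are constructed assumptions; a production filter would use the Public Suffix List.

```python
"""Flag links in an HTML email body whose visible text names one domain while
the href goes somewhere else, and links that are not HTTPS.  Added example for
the phishing slide; not code from the original presentation.  The sample
message, its domains and the domain reduction are constructed placeholders."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible anchor text that looks like a bare hostname, e.g. "www.example-bank.com".
HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Reduce a hostname to its last two labels (login.example.net -> example.net).
    Simplification: a production check would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def shown_host(text):
    """Return the hostname the anchor text claims to point at, or None when the
    text is ordinary words ("Click here") rather than a URL or hostname."""
    candidate = text.strip().lower()
    if "://" in candidate:
        candidate = urlparse(candidate).hostname or ""
    else:
        candidate = candidate.split("/")[0]
    return candidate if HOSTNAME_RE.match(candidate) else None


def suspicious_links(html):
    """Return [(href, reason), ...] for links a reviewer should look at."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        if target.scheme not in ("http", "https"):
            continue  # mailto:, tel: and friends are out of scope here
        if target.scheme != "https":
            findings.append((href, "link is not HTTPS"))
        claimed = shown_host(text)
        actual = target.hostname or ""
        if claimed and registrable_domain(claimed) != registrable_domain(actual):
            findings.append((href, f"text shows {claimed} but link goes to {actual}"))
    return findings


# Constructed sample message: the first link is the classic mismatch.
SAMPLE_EMAIL = """
<p>Dear customer, please visit
<a href="http://secure-login.example.net/verify">www.example-bank.com</a>
to confirm your details.</p>
<p>Help is at <a href="https://www.example-bank.com/help">https://www.example-bank.com/help</a>.</p>
<p><a href="mailto:help@example-bank.com">Email us</a></p>
"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{href}: {reason}")
```

Run against the constructed message, the first link is reported twice (not HTTPS, and the visible text disagrees with the real destination), while the genuine help link and the mailto link produce nothing. Anchor text that is ordinary wording such as "Click here" is deliberately not compared, since it makes no claim about a domain.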

Page 21: You Better know you your Onions or you might Wannacry

A Brief History Of Hacking: Current Attacks And Vulnerabilities

Credential Stuffing and Reuse

Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.
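The distinguishing feature of credential stuffing, as the slide describes it, is many different usernames from one source with almost every attempt failing, which is what makes it detectable in ordinary authentication logs. The following is an added example, not code from the original slides, that scans log lines for that pattern and also reports the accounts where a reused password actually worked, since those need a forced reset rather than just a blocked address. The log format, sample lines, window and thresholds are constructed assumptions.

```python
"""Detect credential-stuffing patterns in authentication logs: one source
address trying many *different* usernames in a short window, with almost every
attempt failing.  Added example for the credential stuffing slide, not code from
the original presentation.  The log format (timestamp ip user result), the
sample lines and the thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log.  203.0.113.7 replays a breached list: six accounts in
# six seconds, one of which (carol) reused her leaked password and succeeded.
# 198.51.100.4 is a normal user mistyping her own password, then getting in.
SAMPLE_LOG = """\
2017-05-12T09:00:01 203.0.113.7 alice FAIL
2017-05-12T09:00:02 203.0.113.7 bob FAIL
2017-05-12T09:00:03 203.0.113.7 carol OK
2017-05-12T09:00:04 203.0.113.7 dave FAIL
2017-05-12T09:00:05 203.0.113.7 erin FAIL
2017-05-12T09:00:06 203.0.113.7 frank FAIL
2017-05-12T09:01:10 198.51.100.4 alice FAIL
2017-05-12T09:01:20 198.51.100.4 alice FAIL
2017-05-12T09:01:30 198.51.100.4 alice OK
2017-05-12T09:02:00 192.0.2.9 carol OK
"""


def parse_line(line):
    """'<ISO timestamp> <ip> <user> <OK|FAIL>' -> (datetime, ip, user, success)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def detect_stuffing(lines, window=timedelta(seconds=60), min_users=5,
                    max_success_ratio=0.2):
    """Return {ip: summary} for every source that, within any `window`, tried at
    least `min_users` distinct usernames with a success ratio <= `max_success_ratio`.
    Brute force against a single account (many failures, one user) is deliberately
    not matched: that is a different pattern with a different response."""
    by_ip = defaultdict(list)
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[0])
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {user for _, user, _ in span}
            successes = sorted({user for _, user, ok in span if ok})
            ratio = sum(1 for _, _, ok in span if ok) / len(span)
            if len(users) >= min_users and ratio <= max_success_ratio:
                best = flagged.get(ip)
                if best is None or len(users) > best["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users),
                                   "attempts": len(span),
                                   # accounts the attacker actually got into:
                                   # these need a forced reset, not just a block
                                   "compromised": successes}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

On the constructed log only 203.0.113.7 is reported (six usernames in six seconds, one success), and the summary names carol as the account that was actually hijacked. The single-account retries from 198.51.100.4 are not flagged, which is intentional: that is the ordinary "forgot my password" pattern, not stuffing.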

Page 22: You Better know you your Onions or you might Wannacry

A Brief History Of Hacking: Current Attacks And Vulnerabilities

Advanced Persistent Threats and Nation States

An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization. APT attacks target organizations in sectors with high-value information, such as national defense, manufacturing and the financial industry.

Page 23: You Better know you your Onions or you might Wannacry

A Brief History Of Hacking: Current Attacks And Vulnerabilities

Social Engineering

Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.

All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases. These biases, sometimes called "bugs in the human hardware", are exploited in various combinations to create attack techniques. The attacks used in social engineering can be used to steal employees' confidential information. The most common type of social engineering happens over the phone. Other examples of social engineering attacks are criminals posing as exterminators, fire marshals and technicians to go unnoticed as they steal company secrets.

Page 24: You Better know you your Onions or you might Wannacry

A Brief History Of Hacking: Current Attacks And Vulnerabilities

Norse - http://map.norsecorp.com/#/

Page 25: You Better know you your Onions or you might Wannacry

A Brief History Of Hacking: Current Attacks And Vulnerabilities

Shodan - https://www.shodan.io/

Page 26: You Better know you your Onions or you might Wannacry

A Brief History Of Hacking: Current Attacks And Vulnerabilities

Google Hacking Database - http://www.hackersforcharity.org/ghdb/

Page 27: You Better know you your Onions or you might Wannacry

A Brief History Of Hacking: Current Attacks And Vulnerabilities

Leaked Database Search- https://leakbase.pw/dbs.php

Page 28: You Better know you your Onions or you might Wannacry

The Story Of Wannacry: How It All Began

Wikileaks - Vault 7: CIA Hacking Tools

Today, Tuesday 7 March 2017, WikiLeaks begins its new series of leaks on the U.S. Central Intelligence Agency. Code-named "Vault 7" by WikiLeaks, it is the largest ever publication of confidential documents on the agency.

The first full part of the series, "Year Zero", comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virginia. It follows an introductory disclosure last month of CIA targeting of French political parties and candidates in the lead up to the 2012 presidential election.

Recently, the CIA lost control of the majority of its hacking arsenal, including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

"Year Zero" introduces the scope and direction of the CIA's global covert hacking program, its malware arsenal and dozens of "zero day" weaponized exploits against a wide range of U.S. and European company products, including Apple's iPhone, Google's Android and Microsoft's Windows and even Samsung TVs, which are turned into covert microphones.

Page 29: You Better know you your Onions or you might Wannacry

The Story Of Wannacry: How It All Began

Microsoft Patching

Microsoft Security Bulletin MS17-010 - Critical

Security Update for Microsoft Windows SMB Server (4013389)

Published: March 14, 2017

Executive Summary

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.

This security update is rated Critical for all supported releases of Microsoft Windows. For more information, see the Affected Software and Vulnerability Severity Ratings section.

The security update addresses the vulnerabilities by correcting how SMBv1 handles specially crafted requests.

For more information about the vulnerabilities, see the Vulnerability Information section.

For more information about this update, see Microsoft Knowledge Base Article 4013389.

Page 30: You Better know you your Onions or you might Wannacry

The Story Of Wannacry: How It All Began

NSA and the Shadow Brokers – Fuzzbunch and EternalBlue

Important Update 15th April 2017 None of the exploits reported below are, in fact, zero days that work against supported Microsoft products. Readers should read this update for further details. What follows is the post as it was originally reported.

The Shadow Brokers—the mysterious person or group that over the past eight months has leaked a gigabyte worth of the National Security Agency's weaponized software exploits—just published its most significant release yet. Friday's dump contains potent exploits and hacking tools that target most versions of Microsoft Windows and evidence of sophisticated hacks on the SWIFT banking system of several banks across the world.

The leak, which came as much of the computing world was planning a long weekend to observe the Easter holiday, contains close to 300 megabytes of materials the leakers said were stolen from the NSA. The contents (a convenient overview is here) included compiled binaries for exploits that targeted vulnerabilities in a long line of Windows operating systems, including Windows 8 and Windows 2012. It also included a framework dubbed Fuzzbunch, a tool that resembles the Metasploit hacking framework, that loads the binaries into targeted networks. Independent security experts who reviewed the contents said it was without question the most damaging Shadow Brokers release to date.

Page 31: You Better know you your Onions or you might Wannacry

The Story Of Wannacry: Friday, 12 May 2017 – Day 0

The first appearance of the cyberattack was registered in Europe at what would have been 3:24 a.m. Eastern time, according to a report by The Financial Times.

Friday 12th May

• One in five NHS trusts hit by the cyber attack.

• More than 200,000 computers in 150 countries hit by the attack.

Saturday 13th May

• A cybersecurity researcher, tweeting as @MalwareTech, found and accidentally activated a ‘kill switch’ in the malware code.

• He warned users to update their systems, stating that, “This is not over. The attackers will realise how we stopped it, they’ll change the code and then they’ll start again. Enable windows update, update and then reboot.”

Sunday 14th May

• Patients are urged to avoid GPs on Monday as a result of the NHS cyber attack.

• Dr Helen Stokes-Lampard, chairman of the Royal College of GPs, said the attacks have had an “extensive impact” on GP practices, adding that, “The concern is that on Monday morning the appointment system may not be working, some places may not be able to access routine results, even the phone lines in some cases may not be working.”

• In the afternoon, several hospitals, including Barts, were forced to turn patients away from A&E while they battled the attack.

Monday 15th May

• Seven of the 47 NHS trusts affected are still battling the attack – including Barts, which is continuing to turn patients away and is experiencing ‘significant delays’.

• Patients are being warned of slow service at surgeries.

• Health Secretary Jeremy Hunt has refused to answer any questions on whether or not he was warned about NHS IT security.

Tuesday 16th May

• Patients are no longer being diverted from A&E units.

• National incident director Dr Anne Rainsberry said: “Patients are no longer being diverted away from hospital accident and emergency units and, while there is still some disruption in a small number of areas, most patients are being treated as normal.”

How NHS Wales managed the incident

Page 32: You Better know you your Onions or you might Wannacry

The Story Of Wannacry: NHS Wales Response

Page 33: You Better know you your Onions or you might Wannacry

The Story Of Wannacry: Lessons Learnt

Operating Systems Change for a Reason

This is probably the number one lesson from WannaCry. The disappointing thing is that it is a very familiar lesson that every security expert knows well: you have to keep updating your operating system, not just to keep up with the times, but also to protect your business data.

This advice is so common that the real problem is probably something more insidious: business leaders refuse to take responsibility for the platforms and operating systems they are using. WannaCry is the consequence of that leadership failure, and the sooner organizations recognize that, the better they will be able to plan for the future. Windows XP was particularly vulnerable to WannaCry – that’s an operating system that is 1) 12 years old, 2) surpassed by 4 newer versions of the operating system with far more advanced tools and integration, and 3) an OS that hasn’t had any support at all from Microsoft (outside of this emergency patch) for nearly three years.

The very common excuse that businesses make here is, “We can’t update because of this regulation, or that compliance issue, or the need to maintain services to our customers.” First, these are incredibly weak excuses. A full upgrade will always take time, resources, and careful planning to meet the necessary regulations. That’s part of the process, not an excuse to avoid it. Second, many organizations don’t even realize these are poor excuses because they haven’t actually asked experts. The first thing an organization should do if it is worried about upgrading an older operating system is to bring in an IT expert with experience of these types of upgrades and ask for a consultation, advice, and ultimately a game plan for the best possible outcome.

Page 34: You Better know you your Onions or you might Wannacry

The Story Of Wannacry: Lessons Learnt

Patches Don’t Just Get in the Way – They Protect Against Threats

Close behind the lesson about upgrading to new versions of your operating system is the importance of patching. Let’s divide this into two steps. First, your company must be aware of available patches as they come out, and what they do. This is really easy, even if you aren’t in IT. New patches are heralded by blogs, emails, tweets and many other sources of information explaining what they are and what they accomplish.

Second, give top priority to any patches that are designed to fix vulnerabilities and increase security. Require all employees to download that patch on all machines, that day. Period. You don’t even have to turn on automatic updates, just make sure those patches are downloaded. WannaCry was patched back in March, but guess what? A lot of organizations have no patch plan or requirements, so it didn’t matter.

Page 35: You Better know you your Onions or you might Wannacry

The Story Of Wannacry: Lessons Learnt

Lack of Awareness is a Vulnerability

Combine both our first lessons, and you get a reminder worth noting – companies cannot claim ignorance here. We have to be aware of the current security dangers, and how to deal with them. That means paying attention to what IT says, understanding how the business systems work, and knowing when a new malware or virus attack hits. These days, no manager can say, “Well, it’s not my problem.” It is.

Page 36: You Better know you your Onions or you might Wannacry

The Story Of Wannacry: Lessons Learnt

A Single Good Practice Can’t Protect You From All Malware

In the past, most ransomware like WannaCry was spread primarily through phishing emails, and a strong anti-phishing strategy was very effective at dealing with the threat. But guess what? Things change. Cyberattacks regularly evolve and find different, more insidious ways to locate new victims. You cannot count on a single strategy to prevent any particular threat.

Page 37: You Better know you your Onions or you might Wannacry

The Story Of Wannacry: Lessons Learnt

Network Segmentation May Be Growing More Important

Network segmentation here refers to keeping devices off the main business network, or connecting them only briefly in closely monitored situations, so that data is not exposed and malware cannot spread to them. Especially after WannaCry, this is looking like a good strategy for companies that handle a lot of sensitive information.

Page 38: You Better know you your Onions or you might Wannacry

The Story Of Wannacry: Lessons Learnt

The Consequences Will Always Be Worse Than Necessary Preparation

Some of the organizations affected by WannaCry included the UK National Health Service, the South Korean and Chinese governments, and organizations in more than 150 countries.

Emergency health services were cancelled, governments were unable to offer services, factories were suddenly shut down, and much more. This led to tremendous losses, and will probably lead yet again to a whole lot of fines, firings, and the loss of contracts. It doesn’t matter how demanding security changes are, they are always easier than dealing with the aftermath of a bad attack.

Page 39: You Better know you your Onions or you might Wannacry

Where do we go from here?

GDPR

In December 2015 the long process of agreeing a new set of legislation designed to reform the legal framework for ensuring the rights of EU residents to a private life was completed. This was ratified in early 2016 and becomes widely enforceable on the 25th May 2018. Even with the implications of Brexit the UK government will be implementing GDPR in line with the EU.

The reforms consist of two instruments:

The General Data Protection Regulation (GDPR) which is designed to enable individuals to better control their personal data. It is hoped that these modernised and unified rules will allow businesses to make the most of the opportunities of the Digital Single Market by reducing regulation and benefiting from reinforced consumer trust.

The Data Protection Directive: The police and criminal justice sectors will ensure that the data of victims, witnesses, and suspects of crimes, are duly protected in the context of a criminal investigation or a law enforcement action. At the same time more harmonised laws will also facilitate cross-border cooperation of police or prosecutors to combat crime and terrorism more effectively across Europe.

What this means to us

• GDPR applies to all

• The GDPR widens the definition of personal data

• The GDPR tightens the rules for obtaining valid consent to using personal information

• The GDPR makes the appointment of a DPO mandatory for certain organisations

• The GDPR introduces mandatory Privacy Impact Assessments

• The GDPR introduces a common data breach notification requirement

• The GDPR introduces the right to be forgotten

• The GDPR expands liability beyond data controllers

• The GDPR requires privacy by design

Page 40: You Better know you your Onions or you might Wannacry

Where do we go from here?

Social Engineering

Social engineering is one of the most common types of cyber security attack. As social engineering can take any form, including phone calls, emails, text messages, social media, or in person, it is important that you remain vigilant.

Email, Phishing, and Messaging

Phishing is a cyber security attack that can be used to target many people at once or a small group, which is known as spear phishing.

Browsing Safely

Browsers are the primary tool people use to access the Internet. As a result, browsers and their plugins are a common target for attackers. You must learn how to browse safely, including keeping the browser and plugins updated, using HTTPS, and scanning what you download.

Social Networks

Social networking sites are a primary communication tool where people freely share information, but they also increase the risks of sharing information online, leading to identity theft, spreading malware, scams, and targeted attacks.

Mobile Device Security

Mobile devices today have the same functionality, complexity, and risks as a computer, but with the additional risk of being highly mobile and easy to lose. You must learn how to keep your mobile devices safe and secure, including keeping them physically secure, using strong passcodes, and keeping the devices updated.

Page 41: You Better know you your Onions or you might Wannacry

Where do we go from here?

Passwords

Strong passwords and their safe use are some of the most effective ways to keep online accounts and information safe. You must be aware of how to create a strong password using passphrases, and of how two-step verification, combined with a password, increases security. You must be aware of the risk of sharing passwords, of the need for a unique password for each account, and of why using public computers for email, work accounts, and financial information is not safe.

Encryption

Encryption is a security control that protects the confidentiality and integrity of information.

Data Security

Safe data handling practices are critical at each step of accessing, sharing, transmitting, retaining, and destroying data. It is important to only use authorized systems and only allow authorized personnel access to data. Your organisation must also have policy and processes for securely storing or processing sensitive information, restrictions on transferring or sharing information, ways to manage data retention, and ways to destroy data securely.

Data Destruction

People mistakenly believe that when they delete data it is gone for good. They are unaware that it can be easily retrieved from almost any device.

Page 42: You Better know you your Onions or you might Wannacry

Any Questions?