Tagged: Cyber Security

Opening an email using Outlook could let someone steal your Windows Login Password

You receive an email from what seems like a legitimate source. Merely opening (or even previewing) that email in Microsoft Outlook could let an attacker capture your Windows login credentials, in the form of an NTLM password hash that can be cracked offline to recover the password or relayed to other systems.

If the received email contains a UNC link, that is, a path starting with \\ that points at a server the attacker controls, clicking on it makes Windows open an SMB connection to that server. SMB authenticates automatically with NTLM, so the username and an NTLM challenge-response hash of the password are sent without the user being prompted or noticing anything.

This is possible because Outlook renders Rich Text Format (RTF) message bodies, and RTF can carry embedded Object Linking and Embedding (OLE) objects. An OLE object that points at a remote SMB share is loaded as soon as the message is previewed, so Outlook can be made to “automatically” open an SMB connection to a remote SMB server, with no click at all.

Will Dormann, a vulnerability analyst at the Carnegie Mellon Software Engineering Institute’s CERT Coordination Center (CERT/CC), found this vulnerability and reported it to Microsoft in November 2016.

Last Tuesday (Apr 10 2018) Microsoft released a fix for this bug. Click on this link to visit Microsoft’s site with details of the fix: CVE-2018-0950 | Microsoft Office Information Disclosure Vulnerability – Security Vulnerability
Published: 04/10/2018
MITRE CVE-2018-0950

The Microsoft fix does address the “automatic” opening of an SMB connection to a remote SMB server when a message is previewed. But a user viewing the document can still click on a UNC link embedded in it (via OLE or as an ordinary hyperlink), and that click will still initiate an SMB connection and leak the NTLM hash.

To check whether your Windows system has the update installed, go to

For info on keeping your Microsoft Windows updated click on this link to visit the Windows Update: FAQ

The Microsoft April 10 security update does not address the end user clicking on a link. To stop an SMB session from being established after an OLE link has been clicked, block the SMB and NetBIOS ports for both inbound and outbound traffic: TCP ports 445, 137 and 139, and UDP ports 137 and 139. Do this at the network border, so that no SMB connection can be started to or from the Internet; blocking these ports on the host itself would also break file and printer sharing inside your own network. One caveat: when an SMB connection fails, Windows can fall back to WebDAV over HTTP if the WebClient service is running, and that path also sends NTLM credentials, so consider disabling WebClient on workstations that do not need it.

You should also add a 32-bit DWORD registry value named “EnterpriseAccountSSO” and set it to “0”, so that Windows stops sending NTLM credentials automatically to Internet resources. How to do that is detailed below.

Click on the following link to visit the Microsoft Security Advisory page titled: ADV170014 | Optional Windows NTLM SSO authentication changes – Security Advisory – Published: 10/10/2017

The advisory describes a registry entry that restricts NTLM single sign-on (SSO): it does not disable NT LAN Manager authentication altogether, it only stops Windows from silently offering NTLM credentials to public (Internet) resources. It is a small, simple addition, but note that the setting is only honoured on Windows versions that include the ADV170014 change, so check the advisory for the versions it applies to:

Customers can add a DWORD32 key named “EnterpriseAccountSSO” to the Windows Registry location HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 with the following options:

  • 2 – Always allow SSO. (This is the default state.)
  • 1 – Deny SSO if the resource is public. Allow if the resource is private or enterprise. Allow SSO if the resource is unspecified.
  • 0 – Deny SSO if the resource is public. Allow if the resource is private or enterprise. Deny SSO if the resource is unspecified.

You should set it to “0”, which denies SSO for public resources and for resources whose zone cannot be determined; SSO to private and enterprise resources keeps working.
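As an added example, not code from the CERT/CC post or from Microsoft’s advisory, the following PowerShell applies both mitigations described above on a single Windows host and reads them back so you can confirm they took effect. It assumes it is run from an elevated prompt on a Windows build that honours ADV170014, and that the Windows Firewall’s predefined “Internet” address set (everything outside the local subnets) is the right scope for your network; the rule names are my own.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from CERT/CC or Microsoft: apply the two mitigations
# described above on one Windows host and read them back. Assumptions: the host
# runs a Windows build that honours ADV170014, and the firewall's predefined
# "Internet" address set (everything outside the local subnets) is the right
# scope for your network.

$LsaPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$SsoValue   = 'EnterpriseAccountSSO'
$SmbTcp     = @(445, 137, 139)
$SmbUdp     = @(137, 139)
$RulePrefix = 'Block SMB-NetBIOS to Internet (OLE/UNC hash leak)'   # assumed name

function Set-NtlmSsoRestriction {
    # ADV170014: 0 = deny NTLM SSO to public and to unspecified resources,
    # still allow it to private/enterprise ones. The value is a 32-bit DWORD.
    New-ItemProperty -Path $LsaPath -Name $SsoValue -PropertyType DWord `
        -Value 0 -Force | Out-Null
}

function Add-SmbBlockRules {
    # One block rule per direction and protocol. Outbound rules match on the
    # remote port, inbound rules on the local port. Scoped to "Internet" so
    # file and printer sharing on the LAN keeps working.
    foreach ($dir in 'Outbound', 'Inbound') {
        $portParam = if ($dir -eq 'Outbound') { 'RemotePort' } else { 'LocalPort' }
        foreach ($proto in 'TCP', 'UDP') {
            $rule = @{
                DisplayName   = "$RulePrefix $dir $proto"
                Direction     = $dir
                Action        = 'Block'
                Profile       = 'Any'
                RemoteAddress = 'Internet'
                Protocol      = $proto
            }
            $rule[$portParam] = if ($proto -eq 'TCP') { $SmbTcp } else { $SmbUdp }
            # Idempotent: do not create a duplicate rule on a second run.
            if (-not (Get-NetFirewallRule -DisplayName $rule.DisplayName -ErrorAction SilentlyContinue)) {
                New-NetFirewallRule @rule | Out-Null
            }
        }
    }
}

function Test-OutlookSmbMitigations {
    # Read back both settings. Hardened is $true only when the registry value
    # is 0 and all four block rules exist and are enabled.
    $sso   = (Get-ItemProperty -Path $LsaPath -Name $SsoValue -ErrorAction SilentlyContinue).$SsoValue
    $rules = @(Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue |
               Where-Object { $_.Enabled -eq 'True' })
    [pscustomobject]@{
        EnterpriseAccountSSO = $sso
        SsoRestricted        = ($sso -eq 0)
        BlockRulesEnabled    = ($rules.Count -eq 4)
        Hardened             = ($sso -eq 0) -and ($rules.Count -eq 4)
    }
}

Set-NtlmSsoRestriction
Add-SmbBlockRules
Test-OutlookSmbMitigations | Format-List
```

The host firewall rules are a belt-and-braces measure for laptops that leave the office; on a managed network the same ports should also be blocked at the perimeter, and the registry value is better pushed out through Group Policy than set by hand. Neither setting replaces installing the April 10 Office update, which is what removes the no-click case.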

References for more details:

Carnegie Mellon University – Software Engineering Institute – CERT/CC blog post by Will Dormann titled: Automatically Stealing Password Hashes with Microsoft Outlook and OLE

CVE page at Mitre.org: CVE-2018-0950

Microsoft’s page titled: Description of the security update for Word 2016: April 10, 2018


Petya Ransomware Major Global Attack

WannaCry ransomware paved the way by showing how quickly malware can spread across the global Internet. It focused on a vulnerability in Windows SMB which had been there for years and, until the exploit code was leaked, had only been used by nation-state hackers.

Petya ransomware, as it has been named by the security staff at Kaspersky Lab, learned much from the WannaCry outbreak. Petya has spread to thousands of computers at major institutions across the globe, and it is just getting started. This is a major ransomware attack.

It is essentially a worm, which was first spread by malicious Excel spreadsheets. Once on a network it stays in memory and as such is not so easy to detect and protect against. It also targets the Windows SMB protocol and the ports which carry SMB. No wonder the focus is on SMB: Petya uses the EternalBlue exploit code, as did WannaCry.

My big fear is that banks and financial institutions have been targeted by Petya ransomware. If it infects a large number of banks then we could possibly see a major banking crisis. It might be an idea to keep some cash on hand, in a safe place. Because it operates as worm code it is hard to detect and eliminate.

I will prepare a full review later this week. In the meantime the following are links which will shed light on what is happening. Some of the protective measures which stopped WannaCry ransomware in its tracks, like blocking the SMB ports, could also work to stop or slow the spread of Petya ransomware.

Click on this link to visit Krebs On Security to read their initial post about Petya.

Click on this link to visit the Kaspersky Lab post titled “Petya Ransomware eats your hard drives

Click on this link to visit the Securelist site to read their very detailed post about how Petya Ransomware functions.

Click on this link to visit the Check Point site to read their discussion of the Petya Ransomware worldwide outbreak.

Video is courtesy of the F-Secure YouTube channel

 Click on this link to view the prior coverage about WannaCry Ransomware found on Uniquely Toronto.

Posted by Vincent Banial

Analysis of PETYA Ransomware running live on a computer

Petya ransomware could be called WannaCry V3, as it uses the same EternalBlue / DoublePulsar code. It runs as a Windows DLL. In the video below Colin runs Petya on a computer in order to study it.

Video is courtesy of the Colin Hardy YouTube channel

WannaKey along with WanaKiwi may help to decrypt your WannaCry encrypted files without having to pay the Ransom

WannaKey (by Adrien Guinet) was written for Windows XP; WanaKiwi (by Benjamin Delpy) builds on the same idea and has been reported to work on other older Windows Server and Windows workstation operating systems such as Windows Server 2003, Windows Server 2008, Windows XP, Windows 7 and Windows Vista.

When WannaCry infects a machine it generates an RSA key pair. The public key is kept and used to encrypt the per-file encryption keys; the private key, which is needed to decrypt them, is itself encrypted with the attacker’s key and the plaintext copy is deleted. On older Windows versions, however, the CryptoAPI routines WannaCry called did not wipe the prime numbers of the private key from the process’s memory. So if you are lucky and you have “not” rebooted the PC, there is a chance that WannaKey can recover the private key, because the primes are still held in the memory of the WannaCry process.

Once you have the private key, a different program called WanaKiwi (which also automates the memory search) uses it to decrypt the files on the WannaCry-encrypted PC.

The key point to remember is that the above process “MAY” work. The computer which was encrypted by WannaCry ransomware must “NOT” have been rebooted, and the WannaCry process must not have been killed, since the primes live only in that process’s memory. Any files to download should be fetched on a different computer and then run on the encrypted PC from a USB flash drive, so that nothing new is written to the infected machine’s disk or memory. The WannaCry code did delete the private key, but the bug in older Windows operating systems is that the key material was not erased from the computer’s main memory. With a bit of luck, you may be able to decrypt your WannaCry-encrypted PC. Note there is no guarantee that this will work. If you are unsure how to go about this, then get a computer professional to help you.
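To show concretely what the search described above looks like, here is an added example in Python. It is not WannaKey’s or WanaKiwi’s own code; it reproduces their idea on a constructed buffer instead of a real process dump: generate an RSA key pair the way the malware would, throw away the private half, scatter the two primes through a block of random bytes standing in for the process heap, then scan that buffer for a little-endian integer that divides the public modulus and rebuild the private exponent from it. Assumptions: a 1024-bit key for speed (WannaCry used 2048-bit), a 32 KiB fake heap, CryptoAPI’s little-endian integer encoding, and Python 3.8 or later for pow(e, -1, m).

```python
"""Added example (not wannakey's or WanaKiwi's own code) reproducing the search
those tools perform, on a constructed buffer instead of a real WannaCry process.

WannaCry generated an RSA key pair on the victim, kept the public key to wrap
the per-file keys, and deleted the private key. On Windows XP/7 the CryptoAPI
did not wipe the primes p and q from process memory, so as long as the process
was never terminated they could be found by scanning for an integer that
divides the public modulus n. Assumptions: 1024-bit key (WannaCry used 2048),
a 32 KiB random buffer standing in for the heap, little-endian integers.
"""
import random
from math import gcd

SMALL_PRIMES = [2] + [p for p in range(3, 2000, 2)
                      if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n, rng, rounds=32):
    """Trial division by small primes, then Miller-Rabin with `rounds` witnesses."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Random odd prime with the top bit set, so it is exactly `bits` long."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def make_keypair(bits, rng):
    """RSA key pair of the shape the ransomware's CryptGenKey call produced."""
    e = 65537
    p = random_prime(bits // 2, rng)
    q = random_prime(bits // 2, rng)
    while q == p or gcd(e, (p - 1) * (q - 1)) != 1:
        q = random_prime(bits // 2, rng)
    d = pow(e, -1, (p - 1) * (q - 1))        # modular inverse, Python 3.8+
    return (p * q, e), (p, q, d)


def build_fake_process_memory(primes, prime_bytes, rng, size=32 * 1024):
    """Constructed stand-in for a memory dump: random bytes with each prime
    left behind at an arbitrary, non-overlapping offset, little-endian."""
    mem = bytearray(rng.getrandbits(8 * size).to_bytes(size, "little"))
    offsets = []
    for prime in primes:
        off = rng.randrange(0, size - prime_bytes)
        while any(abs(off - o) < prime_bytes for o in offsets):
            off = rng.randrange(0, size - prime_bytes)
        mem[off:off + prime_bytes] = prime.to_bytes(prime_bytes, "little")
        offsets.append(off)
    return bytes(mem), offsets


def scan_for_factor(memory, n, prime_bytes, step=1):
    """The wannakey search: at every offset read prime_bytes as a little-endian
    integer and test whether it is a non-trivial divisor of n. Returns
    (offset, factor), or None if the primes are gone (e.g. after a reboot)."""
    for off in range(0, len(memory) - prime_bytes + 1, step):
        cand = int.from_bytes(memory[off:off + prime_bytes], "little")
        if 1 < cand < n and n % cand == 0:
            return off, cand
    return None


def rebuild_private_exponent(n, e, factor):
    """Given one prime, recover the other and hence d, which is what then
    unwraps the per-file keys."""
    p, q = factor, n // factor
    if p * q != n:
        raise ValueError("factor does not divide n")
    return pow(e, -1, (p - 1) * (q - 1))


def demo(seed=2017, bits=1024):
    """Generate a key, discard the private half, recover it from the fake
    memory image, and check it unwraps an RSA-wrapped file key."""
    rng = random.Random(seed)
    (n, e), (p, q, _) = make_keypair(bits, rng)   # private exponent thrown away
    prime_bytes = bits // 16                      # bytes per prime
    file_key = rng.getrandbits(256)               # stands in for a per-file AES key
    wrapped = pow(file_key, e, n)                 # what the malware keeps on disk
    memory, offsets = build_fake_process_memory((p, q), prime_bytes, rng)
    hit = scan_for_factor(memory, n, prime_bytes)
    if hit is None:
        return {"recovered": False}
    d_rec = rebuild_private_exponent(n, e, hit[1])
    return {
        "recovered": True,
        "offset": hit[0],
        "offset_was_planted": hit[0] in offsets,
        "factor_is_key_prime": hit[1] in (p, q),
        "file_key_decrypts": pow(wrapped, d_rec, n) == file_key,
    }


if __name__ == "__main__":
    print(demo())
```

The scan is cheap because a trial division of the modulus is all it costs per offset; the real difficulty, and the reason the tools only work on a machine that has not been rebooted, is that the primes have to still be sitting in the process’s heap. Against a real dump the step can be raised to the heap allocator’s alignment to speed things up.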

Click on this Link to visit the GitHub page for Wannakey.

Click on this link to visit the

Click on this Link to visit the Comae Blog post by Matt Suiche titled “WannaCry — Decrypting files with WanaKiwi + Demos”. Matt goes thru the whole process along with screen shots.

Video is courtesy of the Vishnu Ava YouTube channel

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

Posted by Vincent Banial

Disclaimer: Everything in the post above is subject to change without notice. There could be unintentional errors. Please confirm all info via the linked-to websites and web pages. Best practice is to also always create daily backups. If you try to decrypt a WannaCry-encrypted personal computer or server, you do so at your own risk. There is no guarantee that the above info will be successful in decrypting the files.

“Hack the Air Force” is a new White Hat Hacking contest. The United States Air Force is inviting vetted computer security specialists from across the U.S. and select partner nations to do their best to hack some of its key public websites.

Posted by Vincent Banial

The recent DOD ‘Hack the Pentagon’ contest was a success. That contest was limited to US-based cyber security enthusiasts. The United States Air Force “Hack the Air Force” contest will expand the opportunity to take part by allowing individuals and groups from the following countries to participate in addition to US citizens: the United Kingdom, Canada, Australia and New Zealand.

The Hack the Air Force contest is being run with the help of the cyber security firm HackerOne. The HackerOne platform allows white hat hackers to submit the security holes they find in a safe and secure manner.

Video is courtesy of the HackerOne YouTube channel

On the HackerOne main website page they state :
“77% of Programs Find Security Vulnerabilities within 24 Hours.”.

This sounds like a great move by the Department of Defense and the US Air Force. The prior “Hack the Pentagon” contest was a great success. This new Hack the Air Force contest will allow non-US-based cyber security talent to participate. The more people joining the contest, the more security vulnerabilities I suspect will be found.

This should be a win-win for both the Air Force and the white hat hackers. The HackerOne Facebook page states that $16 million in bounties have been paid out in prior HackerOne-coordinated white hat hacking events.

Registration for the ‘Hack the Air Force’ event opens May 15 on the HackerOne website. The contest opens May 30 and ends June 23. Military members and government civilians are not eligible for compensation but can participate on duty with supervisor approval.

Mark your calendars and make sure that you register starting on May 15 2017.

Click on this link to visit the official US Air Force site to read their news release about this new “Hack the Air Force” white hat hacking contest.

Click on this link to view other Cyber Security posts on Uniquely Toronto.

 

“SysAdmin’s Essential Guide to Linux Workstation Security” free eBook from The Linux Foundation

Photo courtesy of Gerd Altmann  – CC0 License. Vincent Banial modified the look & feel.

The Linux Foundation is offering a free download eBook titled: “SysAdmin’s Essential Guide to Linux Workstation Security“.

The suggestions offered in the eBook are grouped into three levels of security, depending on how far one wants to go. These are:

  • (ESSENTIAL) items which, if not implemented, could introduce high risks to your workstation security.
  • (NICE) to have items which will increase the overall security, but may require learning new habits or unlearning old ones.
  • (PARANOID) items which could significantly improve your workstation security, but may require time to learn new ways of doing things.

Click on this link to visit The Linux Foundation website and download your own copy of their eBook titled: SysAdmin’s Essential Guide to Linux Workstation Security.

Click on this link to view other Cyber Security posts on Uniquely Toronto.

Malware infected Android Apps discovered by Cybersecurity Researchers

HORNET, the alternative to Tor Network

When we think about surfing the Internet, most people are looking at just the top of the network iceberg. When in fact, the web actually holds a “Deep Web,” hidden from everyday users and ordinary browsers. This is due to the Deep Web continuously encrypting …

Source: HORNET, the alternative to Tor Network

 

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

Next Suits and Spooks event to be held in London England on May 06 and 07 2015


Suits and Spooks events are a bit like TED Talks, but focused on cyber security issues. From the Suits and Spooks webpage: “Each event draws thought leaders and decision makers from the public, private, defense, law enforcement and intelligence sectors who come to learn about and discuss some of the key security challenges which face our digitally connected nation and world.”

One unique aspect of the presentations made at Suits and Spooks is that after the first 10 minutes, the Audience can join in by asking questions or directly challenging the presenter. Audience participation resulting in Debate and Discussion is the cornerstone of these events.


The next Suits and Spooks Event will be held in London England on May 6th and 7th 2015.


Click on this link to view their prior events which were held in 2014 and to check out the agenda of presentations made.


Click on this link to visit the registration page for the upcoming 2015 London Suits and Spooks event.

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

 

Posted by: Vincent Banial for Uniquely Toronto
http://www.uniquelytoronto.com

Disclaimer: Any Trademarks mentioned in this post are owned by the respective Trademark owner. There could be unintentional errors or omissions in this post. Always refer to the official sites to confirm details and any ongoing changes or updates. This post is subject to change without notice. Any offers mentioned in this post are also subject to change without notice.