Saturday, July 29, 2017

Tabula Rosa Security Bulletin National Cyber Awareness System: TA17-181A: Petya Ransomware all You need To Know Or Do




Buy the books at

 www.amazon.com/author/paulbabicki
+++++++++++++++++++++++++++++++++++++++++++++++++++++===================================================

National Cyber Awareness System:

07/01/2017 01:41 AM EDT

Original release date: July 01, 2017 | Last revised: July 28, 2017

Systems Affected

Microsoft Windows operating systems

Overview

This Alert has been updated to reflect the National Cybersecurity and Communications Integration Center's (NCCIC) analysis of the "NotPetya" malware variant.
The scope of this Alert’s analysis is limited to the newest Petya malware variant that surfaced on June 27, 2017. This malware is referred to as “NotPetya” throughout this Alert.
On June 27, 2017, NCCIC [13] was notified of Petya malware events occurring in multiple countries and affecting multiple sectors. This variant of the Petya malware—referred to as NotPetya—encrypts files with extensions from a hard-coded list. Additionally, if the malware gains administrator rights, it encrypts the master boot record (MBR), making the infected Windows computers unusable. NotPetya differs from previous Petya malware primarily in its propagation methods. 
The NCCIC Code Analysis Team produced a Malware Initial Findings Report (MIFR) to provide in-depth technical analysis of the malware. In coordination with public and private sector partners, NCCIC is also providing additional indicators of compromise (IOCs) in comma-separated-value (CSV) form for information sharing purposes.
Available Files:

Description

NotPetya leverages multiple propagation methods to spread within an infected network. According to malware analysis, NotPetya attempts the lateral movement techniques below:
  • PsExec - a legitimate Windows administration tool
  • WMI - Windows Management Instrumentation, a legitimate Windows component
  • EternalBlue - the same Windows SMBv1 exploit used by WannaCry
  • EternalRomance - another Windows SMBv1 exploit
Microsoft released a security update for the MS17-010 SMB vulnerability on March 14, 2017, which addressed the EternalBlue and EternalRomance lateral movement techniques.
Technical Details
NCCIC received a sample of the NotPetya malware variant and performed a detailed analysis. Based on the analysis, NotPetya encrypts the victim’s files with a dynamically generated, 128-bit key and creates a unique ID for the victim. However, there is no evidence of a relationship between the encryption key and the victim’s ID, which means it may not be possible for the attacker to decrypt the victim’s files even if the ransom is paid. It behaves more like destructive malware than ransomware.
NCCIC observed multiple methods used by NotPetya to propagate across a network. The first and, in most cases, most effective method uses a modified version of the Mimikatz tool to steal the user’s Windows credentials. The cyber threat actor can then use the stolen credentials, along with the native Windows Management Instrumentation Command Line (WMIC) tool or the Microsoft Sysinternals utility psexec.exe, to access other systems on the network. Another method of propagation uses the EternalBlue exploit tool to target unpatched systems running a vulnerable version of SMBv1. In this case, the malware attempts to identify other hosts on the network by checking the compromised system’s IP-to-physical-address mapping table. Next, it scans for other systems that are vulnerable to the SMB exploit and installs the malicious payload. Refer to the malware report, MIFR-10130295, for more details on these methods.
The analyzed sample of NotPetya encrypts the compromised system’s files with the 128-bit Advanced Encryption Standard (AES) algorithm during runtime. The malware then writes a text file on the “C:\” drive that includes a static Bitcoin wallet location, a unique personal installation key intended for the victim to use when making the ransom payment, and the user’s Bitcoin wallet ID. NotPetya modifies the master boot record (MBR) to enable encryption of the master file table (MFT) and the original MBR, and then reboots the system. Based on the encryption methods used, it appears unlikely that the files could be restored, even if the attacker received the victim’s unique key and Bitcoin wallet ID.
The delivery mechanism of NotPetya during the June 27, 2017, event was determined to be the Ukrainian tax accounting software, M.E.Doc. The cyber threat actors used a backdoor to compromise M.E.Doc’s development environment as far back as April 14, 2017. This backdoor allowed the threat actor to run arbitrary commands, exfiltrate files, and download and execute arbitrary exploits on the affected system. Organizations should treat systems with M.E.Doc installed as suspicious, and should examine these systems for additional malicious activity. [12]

Impact

According to multiple reports, this NotPetya malware campaign has infected organizations in several sectors, including finance, transportation, energy, commercial facilities, and healthcare. While these victims are business entities, other Windows systems are also at risk, such as:
  • those that do not have patches installed for the vulnerabilities in MS17-010, CVE-2017-0144, and CVE-2017-0145, and
  • those that operate on the shared network of affected organizations.
Negative consequences of malware infection include:
  • temporary or permanent loss of sensitive or proprietary information,
  • disruption to regular operations,
  • financial losses incurred to restore systems and files, and
  • potential harm to an organization’s reputation.

Solution

NCCIC recommends against paying ransoms; doing so enriches malicious actors while offering no guarantee that the encrypted files will be released. In this NotPetya incident, the email address for payment validation was shut down by the email provider, so payment is especially unlikely to lead to data recovery. [1] According to one NCCIC stakeholder, a set of Tor hidden-service (.onion) sites is used for payment in this activity. These sites are not included in the CSV package as IOCs.

Network Signatures
NCCIC recommends that organizations coordinate with their security vendors to ensure appropriate coverage for this threat. Given the overlap of functionality and the similarity of behaviors between WannaCry and NotPetya, many of the available rulesets can protect against both malware types when appropriately implemented. The following rulesets, provided in publicly available sources, may help detect activity associated with these malware types:
  • sid:2001569, “ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection” [2]
  • sid:2012063, “ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (CVE-2009-3103)” [3]
  • sid:2024297, “ET CURRENT_EVENTS ETERNALBLUE Exploit M2 MS17-010” [4]
  • sid:42944, “OS-WINDOWS Microsoft Windows SMB remote code execution attempt” [11]
  • sid:42340, “OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt” [11]
  • sid:41984, “OS-WINDOWS Microsoft Windows SMBv1 identical MID and FID type confusion attempt” [11]
Recommended Steps for Prevention
Review US-CERT’s Alert on The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations [6], and consider implementing the following best practices:
  • Ensure you have fully patched your systems, and confirm that you have applied Microsoft’s patch for the MS17-010 SMB vulnerability dated March 14, 2017.[5]
  • Conduct regular backups of data and test your backups regularly as part of a comprehensive disaster recovery plan.
  • Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
  • Manage the use of privileged accounts. Implement the principle of least privilege. Do not assign administrative access to users unless absolutely needed. Those with a need for administrator accounts should only use them when necessary. 
  • Configure access controls, including file, directory, and network share permissions with the principle of least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares. 
  • Secure use of WMI by authorizing WMI users and setting permissions.
  • Utilize host-based firewalls and block workstation-to-workstation communications to limit unnecessary lateral communications.
  • Disable or limit remote WMI and file sharing.
  • Block remote execution through PSEXEC.
  • Segregate networks and functions.
  • Harden network devices and secure access to infrastructure devices.
  • Perform out-of-band network management.
  • Validate integrity of hardware and software.
  • Disable SMBv1 and block all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139; this applies to all boundary devices.
Note: Disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices. Weigh the benefits of mitigation against potential disruptions to users.
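As an added example (not part of the US-CERT alert or of this blog), the PowerShell function below audits a single Windows host against the SMB-related steps above: SMBv1 enabled, no inbound block on TCP 445, inbound WMI firewall rules enabled, and the MS17-010 update missing; with -Remediate it disables SMBv1 and adds the 445 block rule. The function name, the firewall rule name and the -Ms17010KbIds placeholder are this example's own, and it assumes an elevated PowerShell 5.x session on Windows 8 / Server 2012 or later; the note above about SMB blocking applies, so do not add the 445 block on hosts that serve file shares.

```powershell
# Added example, not code from the alert. Audit (and optionally apply) the
# NotPetya-related SMB mitigations on the local host. Run elevated.
function Test-NotPetyaMitigations {
    [CmdletBinding()]
    param(
        # KB numbers of the MS17-010 update for THIS OS build, taken from
        # Microsoft's MS17-010 bulletin. The default is a placeholder, not a real KB.
        [string[]] $Ms17010KbIds = @('KB<ms17-010-kb-for-this-build>'),
        # Apply fixes for checks 1-3 instead of only reporting.
        [switch] $Remediate
    )
    $findings = @()

    # 1. SMBv1 on the SMB server side.
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        $findings += 'SMBv1 is enabled on the SMB server (EnableSMB1Protocol = True).'
        if ($Remediate) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
    }

    # 2. SMBv1 Windows feature (also covers the client-side driver).
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    if ($feat.State -eq 'Enabled') {
        $findings += 'Windows feature SMB1Protocol is installed.'
        if ($Remediate) {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
    }

    # 3. Host firewall: is any enabled inbound block rule covering TCP 445?
    $block445 = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -contains '445') }
    if (-not $block445) {
        $findings += 'No enabled inbound firewall rule blocks TCP 445 (workstation-to-workstation SMB).'
        if ($Remediate) {
            # Rule name is this example's own choice.
            New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445) - NotPetya mitigation' `
                -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
        }
    }

    # 4. Remote WMI: the built-in inbound rule group. Report only; the alert says
    #    to limit it, and which hosts need it is a local decision.
    $wmiRules = Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' `
        -Direction Inbound -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' }
    if ($wmiRules) {
        $findings += "Inbound WMI firewall rules are enabled ($(@($wmiRules).Count) rule(s)); review who needs remote WMI."
    }

    # 5. MS17-010 installed? Report only; the right KB depends on the OS build.
    $hotfix = Get-HotFix -Id $Ms17010KbIds -ErrorAction SilentlyContinue
    if (-not $hotfix) {
        $findings += "None of the MS17-010 updates ($($Ms17010KbIds -join ', ')) is installed."
    }

    if ($findings.Count -eq 0) { 'All checked mitigations are in place.' } else { $findings }
}

Test-NotPetyaMitigations              # report only
# Test-NotPetyaMitigations -Remediate # also disable SMBv1 and add the 445 block rule
```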
Recommended Steps for Remediation
  • NCCIC strongly encourages organizations to contact a local Federal Bureau of Investigation (FBI) field office upon discovery to report an intrusion and request assistance. Maintain and provide relevant logs.
  • Implement a security incident response and business continuity plan. Ideally, organizations should ensure they have appropriate backups so that their response is simply to restore the data from a known clean backup.
Report Notice
DHS encourages recipients who identify the use of tools or techniques discussed in this document to report information to DHS or law enforcement immediately. To request incident response resources or technical assistance, contact NCCIC at NCCICcustomerservice@hq.dhs.gov or 888-282-0870. You can also report cyber crime incidents to the Internet Crime Complaint Center (IC3) at https://www.ic3.gov/default.aspx.
+++++++++++++++++++++++++++++++++++++++++++       Good Netiquette And A Green Internet To All!  =====================================================================

Tabula Rosa Systems - Tabula Rosa Systems (TRS) is dedicated to providing Best of Breed Technology and Best of Class Professional Services to our Clients. We have a portfolio of products which we have selected for their capabilities, viability and value. TRS provides product, design, implementation and support services on all products that we represent. Additionally, TRS provides expertise in Network Analysis, eBusiness Application Profiling, ePolicy and eBusiness Troubleshooting

We can be contacted at:

sales@tabularosa.net  or 609 818 1802.
 ===============================================================
In addition to this blog, Netiquette IQ has a website with great assets which are being added to on a regular basis. I have authored the premiere book on Netiquette, “Netiquette IQ - A Comprehensive Guide to Improve, Enhance and Add Power to Your Email". My new book, “You’re Hired! Super Charge Your Email Skills in 60 Minutes. . . And Get That Job!” has just been published and will be followed by a trilogy of books on Netiquette for young people. You can view my profile, reviews of the book and content excerpts at:

 www.amazon.com/author/paulbabicki

Anyone who would like to review the book and have it posted on my blog or website, please contact me paul@netiquetteiq.com.

In addition to this blog, I maintain a radio show on BlogTalkRadio and an online newsletter via paper.li. I have established Netiquette discussion groups with LinkedIn and Yahoo. I am also a member of the International Business Etiquette and Protocol Group and Minding Manners, among others. I regularly consult for the Gerson Lehrman Group, a worldwide network of subject matter experts, and I have been contributing to the blogs Everything Email and emailmonday. My work has appeared in numerous publications and I have presented to groups such as The Breakfast Club of NJ and PSG of Mercer County, NJ.


Additionally, I am the president of Tabula Rosa Systems, a “best of breed” reseller of products for communications, email, network management software, security products and professional services.  Also, I am the president of Netiquette IQ. We are currently developing an email IQ rating system, Netiquette IQ, which promotes the fundamentals outlined in my book.

Over the past twenty-five years, I have enjoyed a dynamic and successful career and have attained an extensive background in IT and electronic communications by selling and marketing within the information technology market.

Friday, July 28, 2017

Tabula Rosa Systems Blog Of 7/28/2017 - Visual Analytics


Visual Analytics
Visual analytics is a form of inquiry in which data that provides insight into solving a problem is displayed in an interactive, graphical manner.
The approach uses data visualization technologies to help data scientists and other professionals identify trends, patterns and relationships in the data they are working with. Packaged visual analytics software tools make the approach accessible to non-technical users by including drag-and-drop options for setting and modifying analytical parameters.
Like other types of business intelligence (BI) and business analytics (BA) initiatives, visual analytics applications must incorporate effective data management strategies in order to integrate, unify and standardize data coming from different source systems. Visual analytics is especially helpful in applications involving large, complex data sets and analytical processes that require a high degree of monitoring and interaction -- for example, big data analytics and data mining uses.
Opportunities for deploying visual analytics capabilities continue to evolve and grow with the broader adoption of technologies such as mobile business intelligence and location intelligence software.

Wednesday, July 26, 2017

Tabula Rosa Systems Blog Of 7/26/2017 - Algorithmic Transparency




Algorithmic Transparency from whatis.com
Algorithmic transparency is openness about the purpose, structure and underlying actions of the algorithms used to search for, process and deliver information. An algorithm is a set of steps that a computer program follows in order to make a decision about a particular course of action.
The question of whether or not algorithms that affect the general public should be made transparent is controversial. Take, for example, a program used to determine credit scores. Should someone be given a lower credit rating than they think they deserve, they have the right to appeal the score, but not the right to demand that algorithms used to determine the poor score be made public. This is because the company that determined the person's credit score also has rights -- in this case, the right to protect their intellectual property (IP).

A common method used to provide transparency and ensure algorithmic accountability is the use of third party audits. This approach is known as qualified transparency. After complaints were made to the Federal Trade Commission about the search giant Google, for example, watch-dog algorithms created by FTC staffers found that Google's search algorithms generally caused its own services to appear ahead of others in search results. To provide transparency, the criteria used in the evaluation, as well as the results, were publicly released and explained. Although the FTC decided Google's actions were not anti-competitive in nature, the negative publicity the investigation created inspired Google to make changes.

Decisions made by algorithms can be opaque because of technical and social reasons, in addition to being made purposely opaque to protect intellectual property. For example, the algorithms may be too complex to explain or efforts to explain the algorithms might require the use of data that violates a country's privacy regulations. Regardless of the reasons, governments, corporations and private organizations throughout the world are exploring ways to address the issue of algorithmic best practices and accountability and provide the general public with as much transparency as possible to build trust.