Quantum Crypto Chaos, Cloud Vulnerabilities, Turkish RATs and Julian Assange. – SWN #13

Quantum Crypto Chaos, IBM Cloud Vulnerabilities in CICS, Crowded Flounder and Hacking Back, Turkish RATs and Julian Assange.

Full Episode Show Notes

Security Weekly News – Week of 18 February 2020

  1. Perfect Secrecy Cryptography with Chaos.
  2. IBM Cloud Vulnerabilities.
  3. US Cyber Command publicly blames North Korea for a number of attacks.
  4. Crowded Flounder.
  5. UK threatens to name and shame foreign states who hire hackers.
  6. The UK releases a review of the Computer Misuse Act.
  7. Israeli soldiers catfished by Hamas.
  8. Adwind RAT targets Turkish businesses.
  9. Phishing scam extorts money with threats of flooding Google AdSense with bots.
  10. Julian Assange Trial: Australian PMs trying to prevent extradition to the United States.
  11. Wikileaks video that got Assange hit with 17 counts of Espionage.
  12. Bracelet of Silence will prevent Alexa from Eavesdropping on you.

Expert Commentary: Jason Wood

Malware and HTTPS – a growing love affair

We’ve talked a number of times about browsers encouraging everyone to use HTTPS for all their web sites. This “encouragement” became more aggressive when they started labeling sites using HTTP as “insecure”. As a result, most of the sites that I find myself on are using HTTPS. Malware authors have now decided that maybe using HTTPS is a good thing for them too. The Naked Security blog released a post and report on the growing usage of HTTPS by malware that is worth a read.

The TL;DR is that the usage of HTTPS is increasing for malware. According to Sophos, roughly 23% of all malware now uses encrypted HTTP. This has an obvious impact on security monitoring and the data we capture using our tools. We may find that the tools we mainly depend on no longer provide the data we expect or need. As malware authors change their tactics, we need to evaluate our defenses and respond. It’s just not acceptable to lose capability because we don’t change our practices.

For example, network IDS is one of the first security tools that I deployed, but the data it captures is now less rich because of encryption. Does that mean I should no longer use network security tools? No, I do not believe so, though it does change some of the priority that I place on network IDS. It still has very valuable information for me when I’m performing analysis on traffic, but it’s not unusual to be unable to extract a payload due to encryption. So instead, I tend to use network tools to analyze what IP addresses are talking to each other and what ports they use, and to monitor for patterns of traffic emerging across the network.

Endpoint security tools, DNS monitoring, and other tools become more important as network encryption increases. I find now that my analysis focuses more on execution behavior, such as why did that Word document open a command prompt, which then executed PowerShell, and then started talking to a server I’ve never seen before.

At the moment, we are in a transition state. According to Sophos, 77% of the malware being used is still using HTTP. They correctly point out that web traffic using plain old HTTP is now more unusual and may be an anomaly worth investigating. There is still a ton of bad stuff to be caught using HTTP, but we need to start preparing for when HTTPS eventually becomes the primary mode of network communication.

Some defenses can include the use of proxy servers that perform traffic inspection of decrypted HTTP traffic. That requires implementing a proxy with a certificate authority certificate that is trusted by all your systems. Then you can require all traffic using HTTP and HTTPS to only be allowed out of your network through the proxy. There are some potential legal and privacy ramifications due to the data being decrypted, analyzed, and then re-encrypted to the destination site. You’ll want to avoid performing this activity on banking sites, for example. Work with your legal and HR departments before implementing something like this. Make sure you are authorized to perform this type of monitoring. If allowed, it can really save you some grief.

There are definitely tools out there that can help deal with malware changing its tactics. If someone says we are all doomed due to encryption, they are not correct and probably want to sell you something or have some other agenda. We can continue to perform effective monitoring, but we have to adapt. And it’s always better to start making those changes early on in the process rather than waiting until you are reacting to a malware outbreak that you can’t detect.
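The two detection ideas in the commentary above, the Office-document-to-PowerShell-to-unknown-server execution chain and plain HTTP as an anomaly worth a look, as an added example that is not part of the original show notes. The telemetry, the set of known destinations and the field names are constructed for illustration and do not correspond to any particular EDR product.

```python
"""Flag suspicious execution chains and plaintext HTTP in endpoint telemetry."""

# Constructed sample events (not real data), in the shape an EDR/Sysmon-style
# collector might emit: process creations and the network connections they make.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "WINWORD.EXE"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "cmd.exe"},
    {"type": "process", "pid": 400, "ppid": 300, "image": "powershell.exe"},
    {"type": "network", "pid": 400, "dst": "203.0.113.7", "dport": 443},
    {"type": "process", "pid": 500, "ppid": 100, "image": "chrome.exe"},
    {"type": "network", "pid": 500, "dst": "198.51.100.20", "dport": 443},
    {"type": "network", "pid": 500, "dst": "198.51.100.21", "dport": 80},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Constructed baseline of destinations this network has talked to before.
KNOWN_DESTINATIONS = {"198.51.100.20"}


def ancestry(procs, pid):
    """Return lower-cased image names from pid up to the root of its process tree."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:  # guard against malformed cycles
        seen.add(pid)
        chain.append(procs[pid]["image"].lower())
        pid = procs[pid]["ppid"]
    return chain


def analyze(events, known=KNOWN_DESTINATIONS):
    """Return (rule, pid, destination) findings for every network event."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] != "network":
            continue
        chain = ancestry(procs, e["pid"])
        # A shell spawned under an Office document, talking to a host we have
        # never seen: the behaviour pattern that still shows even when the
        # payload itself is hidden behind TLS.
        if chain and chain[0] in SHELLS and OFFICE_APPS & set(chain) and e["dst"] not in known:
            findings.append(("office-shell-new-host", e["pid"], e["dst"]))
        # Plain HTTP is now the unusual case, so it is itself worth reviewing.
        if e["dport"] == 80:
            findings.append(("plaintext-http", e["pid"], e["dst"]))
    return findings
```

Running `analyze(EVENTS)` flags the PowerShell connection under WINWORD.EXE and the port-80 connection from the browser, while the browser's HTTPS connection to a known destination passes.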

Hosts

  • Doug White – Professor
  • Jason Wood – Founder; Primary Consultant

Announcements

  • Join us at InfoSecWorld 2020 – March 30 – April 1, 2020 at the Disney Contemporary Resort! Security Weekly listeners save 15% off the InfoSec World Main Conference or World Pass! Visit securityweekly.com/ISW2020, click the register button to register with our discount code or the schedule button to sponsor a micro-interview!
  • Attend RSA Conference 2020, February 24-28 in San Francisco, CA! Visit securityweekly.com/rsac2020 to sponsor an interview with us on-site at the conference or register using our code to save $150!
  • OSHEAN and the Pell Center are partnering together to present Cybersecurity Exchange Day on Wednesday, March 18th from 9am-3pm at Salve Regina University in the beautiful Newport, RI! Visit securityweekly.com/OSHEAN2020 to register for free and come join in the fun!