WannaCry Shows an Operational and Human Problem

These last couple of days the headline has been the WannaCry ransomware worm. I have seen many discussions about the technical aspects of it, about the disclosure of the vulnerability, and debates over who is at fault for its widespread effect (Microsoft, NSA, Shadow Brokers, etc.). Yet the big elephant in the room remains that this is history that will repeat itself. The main reason it will repeat itself is the gap in knowledge of those using technology and the speed at which attacks and tools can spread on the internet.

In essence, the vulnerability affects the SMBv1 protocol from Microsoft, which is included with all versions of Windows and is enabled. Microsoft released a patch for the vulnerability as MS17-010 on March 14, 2017. The patch was marked as critical, remote code execution, and it affected all versions of Windows with a CVSS score of 9.3. I work for a security vendor and I manage a team of reverse engineers that write the remote checks; as soon as we saw this we started working on it, were able to reach the vulnerable sections in less than a week and got a check for it out the door. We quickly knew this had the potential to be as big as MS08-067. On April 7 Shadow Brokers released a trove of tools from the NSA, and among them was an exploit for this vulnerability called ETERNALBLUE. The tools were analyzed by researchers who published tutorials on how to use them and expand upon them. Shortly after the release, thousands of exposed boxes on the internet started to be compromised through the vulnerability.


How Much Does Your Org's Reaction to a Tweet Say?

Recently Tavis Ormandy, a well-known vulnerability researcher from Google, tweeted about a vulnerability that he and researcher Natalie Silvanovich from Google Project Zero found in the Windows OS that could be wormable.

The reaction from many organizations has ranged from one extreme to the other: some are panicking, while others simply take it as a nice-to-know heads up. So what is the difference between these organizations? I would say a lot.


Home Lab - VPN

Since our lab is isolated from the home network behind the router, we need a way to access the VMs inside it from our research systems. To reach the systems behind the router we can use a VPN. With VyOS we have 2 options:

  • L2TP/IPSec - Native support on Windows and OS X. Linux client support can be tricky.
  • OpenVPN - Requires third party client installed, works well on Windows, OS X and Linux.

Depending on your client machine, the choice of VPN solution will vary. In the case of Windows and OS X, L2TP/IPSec works very well in my experience. When developing my tools on Linux, OpenVPN tends to be more stable.


Posh-Sysmon Module for Creating Sysmon Configuration Files

Sysmon configuration can be complex and hard to maintain by hand. For this purpose I created a module called Posh-Sysmon some time ago to aid in the creation and maintenance of configuration files. The module was initially written after the release of version 2.0 and has been maintained and expanded as new versions have been released, up to the current one at the time of writing, version 6.0.

The module is written for PowerShell v3.0 and above, and if you are running version 5.0 or 5.1 it can be installed from the PowerShell Gallery using the cmdlet


Home Lab - Networking

In this post I will cover the basic setup of the basic building-block network: a simple flat network behind a router acting as firewall, NAT, DHCP and VPN for the network.

The first action is to create a Virtual Switch that will provide connectivity for all the virtual machines in this flat network. Almost all virtualization solutions support a virtual switch under one name or another. Since I chose ESXi for my home lab, the commands shown will be for this platform, but in general terms the same can be done with Hyper-V or XenServer.

The main reason I'm showing all the steps via the command line is so that they can be automated later in a script if this is a process that will be repeated several times.
