The purpose of this blog is to share useful information about information security. The languages used in this blog are Turkish and English.
It should be noted: if an Incident Response plan is not already in place, do not attempt to create one during an infection. Rather, remove the infected server from the network. Create a plan to systematically return the infected server to its pre-infected production condition before beginning the recovery process. Incident response is not a responsibility that a single person can handle. Recovering a compromised server in a haphazard fashion can create more system issues and do more damage than the initial compromise.
...Incident Response Plans should not be created during a security incident nor should one person be assigned to develop an Incident Response Plan. Incident response should be the responsibility of different members from different groups in an organization...
...During an incident, panic will often set in. Do not let this happen...
Source: SANS Institute InfoSec Reading Room, "Malware Analysis: An Introduction"
Thirty years ago this could have sounded like a science fiction scenario, but today we are slowly moving towards that point. Today the concept of an automotive cyber flaw is a real threat; it is just not that widespread yet.
Anything which has an IP address (IoT) is a candidate target for hackers. Naturally, "connected cars" are no exception to this concept. A car that is connected to the internet or to an intranet is defined as a "connected car".
Imagine that you are the main character of the following scenario: you own a connected car. It's a brand new, smart car. You paid a lot of bucks to buy it.
One morning you got into your car and turned the key as usual. But... Hey! It's not working. You tried a couple of times, but the engine wouldn't start. In the middle of that confusion and anger you suddenly noticed a message on the screen of your car: "Your car is compromised. Don't go to the police. The data in your car is encrypted. If you pay us blah blah..."
"What? What the hell does this mean now?" After a couple of phone calls you solved the puzzle. Gosh! Yeah! It was your turn to become a carsomware (car + ransomware) victim. The hackers demanded 1,000 USD to unlock your car. You called your contracted car service and they told you that they would have to replace the "brain unit" of your car, which would cost you about 2,000 USD.
Now... The question is: which would you choose? The hackers' bid or your car service's offer?
This may seem like a movie scenario today, but we are getting closer to such troubles day after day.
There are far more dangerous car hacking scenarios than not being able to start the engine. Think of what could happen if the brakes of your car suddenly failed while you were driving at 120 km/h (~75 mph) in heavy traffic.
Notable passages about Linux-based malware from the SANS Institute InfoSec Reading Room:
5. Conclusions Despite popular perception, Linux can be vulnerable to a variety of malware. Existing host-based defense such as antivirus software is marginal at detecting or preventing Linux malware threats. Based on organizational risk tolerance additional security controls may be required to prevent or identify Linux malware infections. Utilizing a combination of system hardening techniques and network based controls can provide an additional layer of security. Incident response capabilities may also require adjustment to detect and respond to the growing threat of Linux malware.
Well, yes. They are not only composed of three rotating blades and a very long white body, as seen from the outside. It may sound weird, but they also have operating systems, and they are connected to a central management system via software. Oh! I am talking about wind farms.
Wind farms can be treated as IoT devices, but because they generate electricity they can also be treated as critical infrastructure. These farms can be defined as the less critical part of the critical infrastructure concept.
It seems that wind farms are not so resistant against cyber attacks, which makes them vulnerable to ransomware attacks. Like poorly configured IoT devices, they can be used as part of DDoS attacks, or they can be shut down to stop them generating electricity, which will cause critical financial loss. Their most important advantage against cyber attacks is that most wind farms are not connected to the internet, but there are still ways to breach such systems.
Highlighted passages from the article above:
His team found that these massive devices run a variety of operating systems, some wildly out of date and susceptible to known vulnerabilities. This includes everything from embedded Windows CE, Windows 95, various flavors of Linux, and some real-time OSes.
"If you can own one of them you can own them all," said Staggs.
Staggs outlined not just a method for attack, but a monetization plan as well. Taking inspiration from ransomware attacks, he imagined a scenario whereby attackers shut down a wind farm and demand payment in order to return it to normal operation. At the current price of electricity, a wind farm loses $10,000 to $30,000 for every hour it's not in operation, he said.
Second, simple security measures would completely mitigate the attacks. "If you have something in place where you could VPN traffic between turbine and the substations, it prevents everything I just outlined," said Staggs.
According to the articles, the security of these routers seems to be very, very awful, and the manufacturers of these routers don't seem to be concerned about their vulnerabilities. This unconcerned behaviour and slow response to the vulnerabilities can trigger new DDoS attacks all around the world.
Highlighted passages from the articles:
"The November attack hijacked about 900,000 routers and briefly stopped their owners getting online, affecting about 1.25 million Deutsche Telekom customers."
"The man, who goes under the online pseudonym “Spiderman”, said he had taken on the commission for a fee of $10,000 (£7,700) because he wanted to marry his fiancee and needed money for a “good start into married life”."
"The man claimed he had only found out via the media that routers in Germany had switched themselves off after the attack."
"The 29-year-old, who grew up and went to high school in Israel, said he had merely done “a couple of programming courses” but not completed a degree on the subject."
Note: Market of lemons: In American slang, a lemon is a car that is found to be defective only after it has been bought.
In the 2016 presidential election, the USA conceded its first major goal from Russia since the end of the Cold War. It was widely discussed that Russia had interfered in the electronic elections in the USA. Obama had also given a statement along the lines of "There will be a price for this. Some of it you will see, and some of it you won't." The Obama administration tried to answer that goal on its way out the door, but since the match was already in extra time, Obama and his team didn't really have the time for it.
Trump, for a number of vaguely defined reasons, has no great intention of going after Russia, but the US state reflex appears to have seriously decided to make Russia pay a price in the cyber domain. The US administration, despite Trump, has started to take some steps against Russia. This was not hard to predict. We were expecting such steps anyway. It looks like they will continue.
It turns out the USA has a unit called the General Services Administration. In short, this unit advises the government on its purchases of information systems. This GSA recently removed Kaspersky, a Russian-origin antivirus software company, from its "approved products list".
So, from now on it is very hard for Kaspersky to be used anywhere under the US administration. It is obvious that this will also badly hurt Kaspersky's other sales in the USA. I even guess that Kaspersky will take losses worldwide. It is quite normal for the USA to have such an effect on the world. (USA effect.)
And what about our country? In our country everyone is born immune, so nothing can happen to us. What's a computer virus going to do to us, huh? Water off a duck's back. Would a son of Anatolia fall for viruses and whatnot? Even if you are malware, you can only burn as much ground as your own size, man!!! You're two sneezes' worth of trouble anyway! We'll drown you in our spit! Now beat it!!! (Bombast mode ON for decades.)
The USA's Russian hunt continues. A Russian-born guy named Alexander Tverdokhlebov, who moved to the USA and later became a US citizen, was sentenced to 110 months last week for "wire fraud". In other words, he got caught cheating. (This is what made it to the media. I guess there are many cases that don't.)
Here comes the classic US tactic that inspired Hollywood. They immediately had the Russian guy sign a plea agreement. In other words, they squeezed a bit more information and MONEY out of him. As far as we have seen in the movies, these are deals along the lines of "Buddy, do you want to do 25 years, or do 10 and walk out? If the second, start singing!"
The total damage the Russian guy caused here and there was reportedly around 9 to 25 million dollars. (WOW! Show me the money!) Bitcoin or whatever, our Uncle Sam could only squeeze a bit over 5 million dollars out of the guy.
Back in the day the fellow used to claim he owned a botnet of 500,000 computers and showed off about it left and right.
Then again, the matter is as big as the fellow's "boasting". "500,000 infected computers" is a good number for a single person.
We see that the effects of the allegations that Russia interfered in the US elections continue. Although the Trump administration wants to water down the matter and tries to cover it up, the US state reflex apparently has no intention of dropping this subject any time soon. I think that is the reason behind all of this. We may hear more entertaining news on this subject from now on.
"Federal authorities seized approximately $5 million in Bitcoin and $272,000 in cash from him. According to the plea agreement, victims' estimated losses totaled between $9.5 million to $25 million."
"Tverdokhlebov boasted he possessed 40,000 stolen credit card numbers and controlled as many as 500,000 infected computers for his botnets."
"At various times between 2009 and 2013, Tverdokhlebov claimed on the cybercrime forums that, among other things, he possessed 40,000 stolen credit card numbers and could control up to 500,000 infected computers."
While we were spending time with the holiday and vacations, the "hacker" youth didn't sit idle and lit the fuse of a new ransomware attack.
The "hacker youth" named this new attack Petya:
Petya, an attack originating from Ukraine, naturally had an effect on the world too. Especially international companies with offices in Ukraine got their share of this attack. After Ukraine, the most affected country was Germany.
The damage Petya caused was not as great as WannaCry's. (The heavy damage has happened in Ukraine.)
Petya's origin is also quite interesting. The cyber attack tools that the NSA wrote, or had written, for "infecting" and "fiddling with" things here and there recently leaked onto the internet. The "NSA guys", despite being exposed in this matter and having their dirty laundry aired, still haven't made any statement about it. They prefer to play deaf. Shamelessness at its peak. This vile, wretched piece of software called Petya is a slightly modified version of the software called "Eternal Blue", one of the malicious programs that the NSA "hatched" or "had hatched". (Though, "Are we surprised?" "Nope!")
Lessons learnt: 1) "In NSA we DON'T trust." 2) Russia is most likely testing all sorts of cyber attack attempts on Ukraine, gaining serious experience on real systems and real people in this field and improving itself. Naturally they vehemently deny this, but would a son of Anatolia buy that, huh? 3) Our country is still in "Cafer, fetch a rag." mode when it comes to these cyber matters. We just never stop repeating the motto "Domestic goods are the Turk's goods. Everyone should use them." We keep trying to hold meeting after meeting on the subject of cyber security. We don't shy away from organizing cyber events whose benefit is no better than the carob-to-honey ratio. Grand words are a dime a dozen. 4) Don't neglect to apply your Windows patches. 5) It is worth putting a few bitcoins aside for rainy days. They may be needed. 1 bitcoin = 9,400TL (in words: nine thousand four hundred). If there are any bitcoin millionaires among you, let's talk privately. =)))
Sections of the Reuters report I linked above that caught my attention:
"... and halting production at a chocolate factory in Australia." (Hey, hey!! What did you want from the chocolate factory, you villains?)
"Danish shipping giant A.P. Moller-Maersk said it was struggling to process orders and shift cargoes, congesting some of the 76 ports around the world run by its APM Terminals subsidiary."
"More than 30 victims paid up..."
"My sense is this starts to look like a state operating through a proxy... as a kind of experiment to see what happens," Lord told Reuters on Wednesday.
"While the malware seemed to be a variant of past campaigns, derived from code known as Eternal Blue believed to have been developed by the U.S. National Security Agency (NSA), experts said it was not as virulent as May's WannaCry attack."
"Businesses that installed Microsoft's latest security patches from earlier this year and turned off Windows file-sharing features appeared to be largely unaffected."
We expect Russia to run new tests in Ukraine, and we will see the effect of these tests on Ukraine and on the world.
As a country, we keep following the subject in "tabloid monitoring" mode. Cafer? Cafeeer?? The raaag!!!? Where are you, Cafeeeeerr???!!!
IoT devices are no longer only targets of cyber attacks. They have evolved to a higher level where they can be used as an attack platform in DDoS attacks, as zombies.
As a natural but disturbing consequence of these DDoS threats, the security of IoT devices has become an important issue. There are many ways to secure IoT devices. Below are some important actions to make your IoT devices more secure:
1) Do change the default passwords of your IoT devices.
2) One of the most basic and important security rules: Disable TELNET and HTTP access to your IoT devices. Use SSH and HTTPS instead.
3) If you don't need to connect your IoT devices remotely then DO disable remote access to your IoT devices. (Yes, disable even SSH and HTTPS.)
4) Put your IoT devices into another segment in your LAN and restrict accesses to your IoT devices with firewall rules or ACLs if possible.
5) Use WPA2 encryption for the wireless connection of your IoT devices. Do not choose easily predictable passwords.
6) Expose your IoT devices to penetration tests. Let also your IoT devices be included in your penetration test scope. Do not neglect them.
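An added example, not from the original post, of how items 2 and 3 of the list above can be checked across an IoT network segment. The script reads a scan report in nmap's grepable (-oG) line layout, flags every device that still exposes cleartext management (telnet, HTTP) and every management port on a device that does not need remote access. The hosts, ports and the `remote_access_needed` set are constructed for this example.

```python
"""Audit an IoT segment scan against checklist items 2 and 3 (added example).

Input is text in nmap's grepable (-oG) layout: one "Host:" line per device,
with open ports listed as port/state/proto/owner/service/rpc/version entries.
The sample report below is constructed; the addresses and services are made up.
"""
import re

CLEARTEXT_MGMT = {23: "telnet", 80: "http"}   # item 2: replace with SSH / HTTPS
MGMT_PORTS = {22, 23, 80, 443}                # item 3: disable if remote access is not needed

# Constructed scan report in nmap -oG layout.
SAMPLE_SCAN = """\
Host: 192.168.50.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 192.168.50.11 ()\tPorts: 23/open/tcp//telnet///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.168.50.12 ()\tPorts: 443/open/tcp//https///\tIgnored State: closed (999)
Host: 192.168.50.13 ()\tPorts: 1883/open/tcp//mqtt///\tIgnored State: closed (999)
"""

# port/state/protocol/owner/service/... as written in grepable output
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")


def parse_grepable(text):
    """Return {host: [(port, proto, service), ...]} for the open ports of each host."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        m = re.search(r"Ports: ([^\t]*)", line)
        entries = m.group(1).split(", ") if m else []
        open_ports = []
        for entry in entries:
            pm = PORT_RE.match(entry)
            if pm and pm.group(2) == "open":
                open_ports.append((int(pm.group(1)), pm.group(3), pm.group(4)))
        hosts[host] = open_ports
    return hosts


def audit(text, remote_access_needed=frozenset()):
    """Apply items 2 and 3 to every scanned device; returns {host: [findings]}.

    remote_access_needed is the (assumed) set of devices that must stay
    remotely manageable; every other device should expose no management port.
    """
    findings = {}
    for host, ports in parse_grepable(text).items():
        issues = []
        for port, proto, service in ports:
            if port in CLEARTEXT_MGMT:
                issues.append(f"cleartext {CLEARTEXT_MGMT[port]} on {port}/{proto}: "
                              "replace with SSH/HTTPS (item 2)")
            if port in MGMT_PORTS and host not in remote_access_needed:
                issues.append(f"management port {port}/{proto} ({service}) exposed but "
                              "remote access not required: disable it (item 3)")
        findings[host] = issues
    return findings


if __name__ == "__main__":
    # Only the camera gateway (constructed) is allowed to keep remote management.
    for host, issues in audit(SAMPLE_SCAN, {"192.168.50.12"}).items():
        print(host, "OK" if not issues else "")
        for issue in issues:
            print("   -", issue)
```

Devices that are fully compliant come back with an empty finding list, so the same function can be run after remediation to confirm that the segment is clean; item 4 (segmentation and ACLs) is not visible from a port scan of the segment itself and needs to be checked on the firewall.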
A short introduction to what BroIDS (or, in common usage, simply Bro) is:
Bro Intrusion Detection System
BroIDS is an open-source, Unix-based, network-based IDS. It was developed by Vern Paxson at Lawrence Berkeley National Lab and the International Computer Science Institute. Like all NIDS, BroIDS monitors the network traffic to look for any suspicious activity. It parses the network traffic to dig out its application-level semantics and then executes event-oriented analyzers to compare the activities with patterns (whenever a suspicious activity is found on the network, the IDS logs it, and those activities are used as patterns to check for similar activities). (1)
BroIDS is an open-source network security monitor which inspects network traffic looking for suspicious activity. The BroIDS framework provides an extensible scripting language that allows analysis of traffic from the application level down to the protocol level. All built-in and user-added BroIDS scripts output data to log files which can be further analyzed to detect malicious activities. (2)
Features of BroIDS
custom scripting language,
pre-defined policy scripts,
snort signature compatibility support,
powerful signature matching facility,
a different approach to network analysis,
detection is followed by an immediate action. (1)
BroIDS detects specific and abnormal activities, such as certain hosts connecting to certain services, using signatures and patterns of failed connection attempts. As BroIDS logs all activities in detail, it is most useful in network forensic investigations. BroIDS is popular because it targets high-speed, high-volume intrusion detection, using powerful packet filtering techniques to reach the required performance. (1)
Bro is not:
an alerting system,
an awesome frontend,
a silver bullet. (3)
Analyzing the Traffic
First, BroIDS filters the network traffic and then the remaining information is sent to its event engine, where BroIDS interprets the structure of the network packets and abstracts them into higher-level events describing the activity. Lastly, BroIDS implements policy scripts against the events, looking for possible intrusions. (1)
BroIDS is an open-source network security monitor that has been in development since 1995. The power of BroIDS is in the extensible scripting engine that analyzes the packet data. A wide array of out-of-the-box, pre-written scripts ship with BroIDS to analyze network traffic. These local scripts write to six different categories of logs: network protocols, files, detection, network observations, miscellaneous, and diagnostics. (2)
"Bro uses a specialized policy language that allows a site to tailor Bro's operation, both as site policies evolve and as new attacks are discovered." These scripts are programs written in the Bro language; they contain all the rules describing the types of events that are potential intrusions, analyze the activities, and then initiate actions based on the analysis. Bro records the activities seen on the network as files and also generates alerts. It is worth asking "Why does Bro need a special language?": because it is a language that understands specific notions such as ports, IP addresses, connections, etc., and takes a different approach to analyzing the network, which makes the task easier. Users of BroIDS need not learn the Bro language to run it. (1)
These scripts take action such as follows:
generating output files which have recorded events on the monitored network,
generating alerts if it sees a problem,
terminating the existing connections,
blocking traffic by placing blocks in to router ACL,
sending e-mail messages to the user to report events. (1)
BroIDS can analyze the network at deep levels of abstraction; it stores all past activities and integrates them with new ones. (1)
BroIDS can inspect network traffic in real time or look into a packet capture file that was previously recorded. As part of the analysis, BroIDS looks for known attacks in the same way a typical intrusion detection system would. The benefit of BroIDS is that all connections, sessions, and application-level data are written to an extensive set of log files for later review. (2)
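Since the text stresses that Bro's value lies in the logs it writes for later review, and names "patterns of failed connection attempts" as one thing it detects, here is an added example (not part of the original post and not Bro's own code) that does that detection over a conn.log. The records below are constructed for the example and keep only a subset of conn.log's columns, in the tab-separated layout Bro writes with a `#fields` header; the scan thresholds are assumptions.

```python
"""Find failed-connection patterns (scans) in a Bro conn.log (added example).

Bro writes conn.log as tab-separated records; a '#fields' header names the
columns. conn_state S0 means a connection attempt with no reply, REJ a
rejected attempt. A source whose failed attempts touch many distinct ports
on one host, or many distinct hosts, is reported as a scan.
"""
from collections import defaultdict

FAILED_STATES = {"S0", "REJ"}

# Constructed sample in Bro's conn.log layout (subset of columns).
SAMPLE_CONN_LOG = """\
#separator \\x09
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring
1499000000.1\tCa1\t10.0.0.5\t40001\t10.0.0.20\t22\ttcp\tSF
1499000000.2\tCa2\t10.0.0.5\t40002\t10.0.0.20\t3389\ttcp\tREJ
1499000001.0\tCb1\t10.0.0.9\t51001\t10.0.0.20\t21\ttcp\tREJ
1499000001.1\tCb2\t10.0.0.9\t51002\t10.0.0.20\t23\ttcp\tREJ
1499000001.2\tCb3\t10.0.0.9\t51003\t10.0.0.20\t25\ttcp\tS0
1499000001.3\tCb4\t10.0.0.9\t51004\t10.0.0.20\t110\ttcp\tREJ
1499000001.4\tCb5\t10.0.0.9\t51005\t10.0.0.20\t143\ttcp\tS0
1499000001.5\tCb6\t10.0.0.9\t51006\t10.0.0.20\t445\ttcp\tREJ
1499000002.0\tCc1\t10.0.0.7\t60001\t10.0.1.1\t445\ttcp\tS0
1499000002.1\tCc2\t10.0.0.7\t60002\t10.0.1.2\t445\ttcp\tS0
1499000002.2\tCc3\t10.0.0.7\t60003\t10.0.1.3\t445\ttcp\tS0
1499000002.3\tCc4\t10.0.0.7\t60004\t10.0.1.4\t445\ttcp\tS0
1499000002.4\tCc5\t10.0.0.7\t60005\t10.0.1.5\t445\ttcp\tS0
#close\t2017-07-02-12-00-00
"""


def parse_conn_log(text):
    """Yield one dict per record, naming columns from the '#fields' header."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue  # #separator, #path, #types, #open, #close ...
        if fields is None:
            raise ValueError("record seen before the #fields header")
        yield dict(zip(fields, line.split("\t")))


def failed_connection_summary(records):
    """Map each source host to the distinct (dst host, dst port) pairs it failed to reach."""
    failures = defaultdict(set)
    for rec in records:
        if rec["conn_state"] in FAILED_STATES:
            failures[rec["id.orig_h"]].add((rec["id.resp_h"], int(rec["id.resp_p"])))
    return failures


def detect_scanners(text, port_threshold=5, host_threshold=5):
    """Return {source host: verdict} for sources whose failures look like scanning.

    Thresholds are assumptions for the example; a single refused connection
    (like 10.0.0.5 below) stays below both and is not reported.
    """
    verdicts = {}
    for src, targets in failed_connection_summary(parse_conn_log(text)).items():
        ports = {port for _, port in targets}
        hosts = {host for host, _ in targets}
        if len(ports) >= port_threshold:
            verdicts[src] = f"port scan: {len(ports)} distinct ports failed"
        elif len(hosts) >= host_threshold:
            verdicts[src] = f"host sweep: {len(hosts)} distinct hosts failed"
    return verdicts


if __name__ == "__main__":
    for src, verdict in detect_scanners(SAMPLE_CONN_LOG).items():
        print(f"{src}: {verdict}")
```

The parser reads the column names from the header instead of hard-coding positions, so the same code runs on a full conn.log from a real sensor as long as the four id columns and conn_state are present; only the thresholds need tuning to the site's normal failure rate.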
From the White Paper "McAfee Network Security Platform: The Next-Generation Network IPS":
Requirements for next-generation network intrusion prevention
Gartner Research recently introduced several new criteria for "next-generation network intrusion prevention" that, if adopted, will help organizations deal with the new threat landscape. The Gartner definition for next-generation network intrusion prevention includes the following:
Standard first-generation IPS capabilities to support vulnerability-facing signatures and threat-facing signatures: An IPS engine that can perform detection and blocking at wire speeds and rapidly develop and deploy signatures is a primary characteristic. Integration can include features such as providing suggested blocking at the firewall, based on IPS inspection.
Application awareness and full-stack visibility to identify applications and enforce network security policy: This needs to occur at the application layer, independent of the port and protocol, rather than only ports, protocols, and services. Examples include the ability to block families of attacks, based on identifying hostile applications.
Context awareness to bring information from sources outside the IPS to make improved blocking decisions or to modify the blocking rule base: Examples include using directory integration to tie decisions to user identities and using vulnerability, patching state and geolocation information (such as where the source is from or where it should be from) to make more effective blocking decisions. It could also include integrating reputation feeds, such as blacklists and whitelists of addresses.
Content awareness of various file types and communications: It should be able to inspect and classify inbound executables and other similar file types, such as PDF and Microsoft Office files (which have already passed through antivirus screening), as well as outbound communications. In addition, it should make pass, quarantine, or drop decisions in near real time.
Agile engine: It should support upgrade paths for the integration of new information feeds and new techniques to address future threats, including hitless upgrades, global threat intelligence integration, scalable hardware, signature updates (Snort-capable), packet capture, and complementary solutions. (Source: Gartner, Defining Next-Generation Network Intrusion Prevention, 2011)
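The "content awareness" criterion above asks the IPS to classify inbound executables, PDFs and Office files and make pass, quarantine or drop decisions. As an added example (not from the white paper or from any IPS product), the script below identifies a file by its leading bytes rather than its name and then compares that with the type its extension declares; the decision policy, the extension table and the sample files are assumptions constructed here.

```python
"""Content-aware file classification with pass/quarantine/drop decisions (added example).

The type is taken from signature bytes, never from the file name, so an
executable renamed to .pdf is still seen as an executable.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container


def identify(data: bytes) -> str:
    """Classify content by its signature bytes, independent of the file name."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"MZ"):
        return "pe-executable"
    if data.startswith(OLE_MAGIC):
        return "ole-office"
    if data.startswith(b"PK\x03\x04"):
        # OOXML (.docx/.xlsx/.pptx) is a zip carrying a [Content_Types].xml part.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return "ooxml-office" if "[Content_Types].xml" in zf.namelist() else "zip"
        except zipfile.BadZipFile:
            return "zip-corrupt"
    return "unknown"


# Assumed mapping from declared extension to the content type it should carry.
EXPECTED_KIND = {
    "pdf": "pdf", "doc": "ole-office", "xls": "ole-office", "ppt": "ole-office",
    "docx": "ooxml-office", "xlsx": "ooxml-office", "pptx": "ooxml-office", "zip": "zip",
}


def decide(filename: str, data: bytes) -> str:
    """Return 'pass', 'quarantine' or 'drop' (the policy is this example's assumption)."""
    kind = identify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind == "pe-executable":
        return "quarantine"          # inbound executables are always held for review
    if kind == "zip-corrupt":
        return "drop"                # truncated or malformed archive cannot be inspected
    expected = EXPECTED_KIND.get(ext)
    if expected is not None and kind != expected:
        return "quarantine"          # content does not match the declared type
    return "pass"


def make_ooxml_sample() -> bytes:
    """Build a minimal OOXML-shaped zip in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {                                     # all constructed
        "report.docx": make_ooxml_sample(),
        "notes.pdf": b"%PDF-1.7\n%constructed\n",
        "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,   # executable disguised as a PDF
        "archive.zip": b"PK\x03\x04" + b"truncated archive body",
    }
    for name, content in samples.items():
        print(f"{name:12s} {identify(content):14s} -> {decide(name, content)}")
```

In a real sensor the same classification would run on the reassembled file stream, and the "quarantine" outcome would hand the object to a sandbox or an analyst rather than just return a string; the point of the example is that the decision is driven by what the bytes are, not by what the sender calls them.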