Category Archives: Info Security

KRACK WPA2 Wi-Fi Vulnerability

A serious security vulnerability in wireless (Wi-Fi) protocol has been identified: KRACK, short for Key Reinstallation Attack. Comprehensive details on the vulnerability and proof-of-concept exploitation video can be found on vulnerability’s official website:  https://www.krackattacks.com/

Great vulnerability summary and what to do:

Monitor & Remediate: 

Assigned CVEs:

  • CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the four-way handshake.
  • CVE-2017-13078: Reinstallation of the group key (GTK) in the four-way handshake.
  • CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the four-way handshake.
  • CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
  • CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
  • CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
  • CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
  • CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
  • CVE-2017-13087: reinstallation of the group key (GTK) while processing a Wireless Network Management (WNM) Sleep Mode Response frame.
  • CVE-2017-13088: reinstallation of the integrity group key (IGTK) while processing a Wireless Network Management (WNM) Sleep Mode Response frame.

List of Affected Vendors:

*Nix Distributions:

Additional References:

 

Tagged , ,

Petya Response Summary

Wanted to share a quick response plan for the recent Petya ransomware breakout:

  • Apply Microsoft security updates released in March 2017 bulletin: MS17-010
  • Most Firewall and IDS/IPS vendors have released signatures for the SMB vulnerability exploit, however, if you do not have auto-updates enabled you to want to do a manual update
  • Disable the support of SMBv1 protocol. A detailed write-up here: https://blogs.technet.microsoft.com/josebda/2015/04/21/the-deprecation-of-smb1-you-should-be-planning-to-get-rid-of-this-old-smb-dialect/
  • Some variants of Petya have been reported to use WMIC & Microsoft PSExec to laterally move within the environment.
    • Petya scans the local /24 to discover enumerate ADMIN$ shares on other systems, then copies itself to those hosts and executes the malware using PSEXEC. This is only possible if the infected user has the rights to write files and execute them on the system hosting the share.
    • Petya uses the Windows Management Instrumentation Command-line (WMIC) tool to connect to hosts on the local subnet and attempts to execute itself remotely on those hosts. It can use Mimikatz to extract credentials from the infected system and use them to execute itself on the targeted host.
    • Blocking ADMIN$ share via GPO should address lateral movement concerns
  • If you cannot block, monitor ingress/egress traffic on 455/137/138/139
  • If you use tax accounting software, MEDoc read this: http://www.bbc.co.uk/news/technology-40428967

Most of the recent ransomware campaigns are taking advantage of vulnerabilities disclosed by the Shadow Brokers in April 2017. In addition to MS17-010 (EternalBlue), all of the related vulnerabilities should be patched as soon as possible:

  • Code Name: Solution
    • “EternalBlue” : Addressed by MS17-010
    • “EmeraldThread” : Addressed by MS10-061
    • “EternalChampion” : Addressed by CVE-2017-0146 & CVE-2017-0147
    • “ErraticGopher” : Addressed prior to the release of Windows Vista 
    • “EsikmoRoll” : Addressed by MS14-068 
    • “EternalRomance” : Addressed by MS17-010 
    • “EducatedScholar” : Addressed by MS09-050 
    • “EternalSynergy” : Addressed by MS17-010 
    • “EclipsedWing” : Addressed by MS08-067

Petya campaign is still developing and it is important to monitor the developments. One of the best ways to monitor the situation is via Twitter under the following hashtags: #Petya #NotPetya #Ransomware

References:

Tagged , ,

Cellebrite BlackLight Forensics Review

BlackBag BlackLight

I had no idea just how tightly BlackLight would grab my attention and then keep its hold. Yet, here I am. While I’ve heard positive feedback from people in the information security community regarding BlackBag’s forensic software products, I have not had the opportunity to use one of their products on my own. Thus, I was thrilled to review BlackBag’s BlackLight product.

For those who are not familiar, Cellebrite BlackBag’s BlackLight is a piece of comprehensive forensics analysis software that supports all major platforms, including Windows, Android, iPhone, iPad, and Mac. In addition to analysis, it can logically acquire Android and iPhone/iPad devices. You can also run the software on both Windows and Mac OS X.

In this particular review, I used the latest version of BlackLight (2016 release 3). I decided to use it on Mac. The main reason I chose Mac was that most of the analysis that I have performed thus far has been with the traditional Windows Forensic Recovery of Evidence Device (FRED) and I figured this would be a great opportunity to try something different.

Installing BlackLight on Mac was a breeze. I simply downloaded the installation file from BlackBag’s website and entered the license key upon initial file execution. The single installation file took care of all of the dependencies needed for the software, which I was glad to see.

blackbag blacklight

BlackLight Actionable Intel

Here were the configurations for my Mac: MacBook Pro running Sierra OS version 10.12.2. The hardware included Intel Core i7 with 2.5 GHz with 16GB memory and a standard hard disk drive.

With the review, I wanted to make a use-case in which I would perform basic processing and analysis of a traditional disk image using BlackLight running on Mac. Without any real experience with BlackLight, I focused on usability and intuitiveness.

Processing

For this review, I used a 15GB physical image of Windows XP SP3 E01 Disk. I processed this image through BlackLight with all of the ingestion options available in the software and to my surprise, it took under 10 minutes to complete.

What was even more impressive was that it had a very little performance impact on my system. In fact, as the image was being processed in the background, I continued to perform normal operations such as browsing the web and using Open Office software with no problem. Continue reading at forensicfocus.com by clicking here!

Tagged , ,

FTK Forensics Bootcamp Review

For a few years, I had been using Access Data’s FTK (Forensic Toolkit) software without any formal training. I had managed to work my way through the fundamentals on my own, but I always sensed that there was much on which I was missing out.

emailvisualization

FTK  Email Analysis Visualization

It was only after I recently attended the Advance FTK class offered by AccessData (Syntricate) that I realized the enormity of what had been right under my nose the whole time.

You can read my complete review of this course at Forensic Focus or by clicking here.

Tagged , , ,
Advertisements