Thursday, August 30, 2012

Who is next in the Shamoon queue?

Like a nightmare, I have this thought:
  1. Company "X" in Qatar gets infected.
  2. The remote offices of company "X" in another GCC state "H" get infected.
  3. Service provider "A", which manages the remote office, becomes infected.
  4. The same service provider "A" manages a few of GCC state "H"'s government entities; these become infected and then infect other government entities.
Of course it would be a chain of infections and network shutdowns.

It seems crazy, but think about it as if you were another state that has serious issues with the GCC and already has the technology, the skills and the code. If you can do it twice, you will hardly be stopped.

Have a nice weekend.

Who was next after ARAMCO?

Answer: It is RasGas in Qatar, which has experienced a virus outbreak; its computer network has been taken offline for 3 days so far by an unknown virus. But let me guess: it could be Shamoon or one of its cousins.
ARAMCO in KSA, RasGas in Qatar; will the UAE be next, especially with remote offices around the GCC?

However, stopping or reducing the impact can be done by applying the basics of IT security as listed in the following blog posts:
Stop Shamoon before it is too late
Making Life Difficult for Malware


Wednesday, August 29, 2012

Making Life Difficult for Malware

Making Life Difficult for Malware is a presentation by Jarno Niemelä from F-Secure; it is very practical and I highly recommend it.

Jarno lists recommendations based on research into the behaviour data of ~750,000 known malware samples. Most of the recommendations cost zero dollars and can be implemented easily by any type of organization using minimal resources.

Enjoy the reading:
Making Life Difficult for Malware

Stop Shamoon before it is too late

Shamoon is striking in the Middle East, attacking oil and gas companies. One Saudi company was the first; others are most probably in the queue, and there is potential for other types of organizations to be attacked. It is a matter of time.

In this post I will list actions that can be taken, based on the malware analysis done by AV companies, to stop Shamoon or at least reduce its impact. For more details you may browse the following:
Shamoon the Wiper - Copycats at Work
Shamoon the Wiper in details
Shamoon, Saudi Aramco, And Targeted Destruction
The Shamoon Attacks
I am listing two plans: a short term plan, and a long term plan which requires budget and time.

Short Term (The foundation):
For IT employees
All must be non-administrators.
Use a Remote Access Server between the IT network and the servers in the Data Center.
Always use "run as administrator" and stop logging in as administrator for day to day support, operations or tasks.
Reset all admin passwords for servers, applications, databases, network and security devices.
Never use default passwords or the top worst passwords.
No shared accounts or passwords.

For non-IT employees and desktops/laptops
Reduce user privileges if anyone has administrator access.
Block removable storage if no device control is in place.
If device control is in place, block all executable files.

Proxy or content filtering
Block the download of executable files and of inf, bin, dll, conf and config files.
Block access to networks related to botnets, C&C and suspicious web servers.
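The proxy rule above is easy to bypass if it looks only at the file extension, since an executable can be served as "logo.jpg". The following is an added example (not from the original post) that applies the post's extension list and additionally checks the leading bytes of the response for an executable header; the extension list beyond the post's own entries and the sample requests are constructed assumptions.

```python
from urllib.parse import urlparse

# Extensions the post says to block at the proxy, plus a few other Windows
# executable types (assumed policy, not exhaustive).
BLOCKED_EXTENSIONS = {"exe", "dll", "inf", "bin", "conf", "config", "scr", "sys", "msi"}

# Leading bytes that identify an executable regardless of its file name.
MAGIC_SIGNATURES = {
    b"MZ": "pe-executable",        # Windows EXE/DLL/SCR/SYS
    b"\x7fELF": "elf-executable",  # Linux binaries
}

def extension_of(url):
    """Lower-case extension of the URL path's last segment, '' if none."""
    last = urlparse(url).path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""

def classify(url, first_bytes):
    """Return (allow, reason). Deny on a blocked extension, and also on
    executable magic so a renamed .exe (e.g. 'logo.jpg') is still caught."""
    ext = extension_of(url)
    if ext in BLOCKED_EXTENSIONS:
        return False, f"blocked extension .{ext}"
    for magic, name in MAGIC_SIGNATURES.items():
        if first_bytes.startswith(magic):
            return False, f"{name} content behind '.{ext or '?'}'"
    return True, "allowed"

# Constructed sample requests: (url, first bytes of the response body).
SAMPLE_REQUESTS = [
    ("http://example.com/tools/setup.exe", b"MZ\x90\x00\x03"),
    ("http://example.com/images/logo.jpg", b"MZ\x90\x00\x03"),   # renamed PE
    ("http://example.com/cfg/app.config?v=2", b"<configuration>"),
    ("http://example.com/docs/readme.txt", b"hello world"),
]

def filter_report(requests=SAMPLE_REQUESTS):
    """Decide each request; returns a list of (url, allow, reason)."""
    return [(url, *classify(url, head)) for url, head in requests]

if __name__ == "__main__":
    for url, allow, reason in filter_report():
        print("ALLOW" if allow else "DENY ", url, "-", reason)
```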

Use VLANs to segregate the network based on floor, department or business unit.
Implement a separate, isolated IT management network; the same applies to mission critical infrastructure.

Remote users using VPN
Allow remote users to access only certain resources; stop "IP Any Any" rules.

Remote offices
Only allow remote offices to access the resources they need; stop "IP Any Any" rules.

Security monitoring
Install any open source log collection tool.
Establish daily monitoring and analysis of security logs.
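Two of the short term rules above (stop logging in as administrator; no shared accounts) can be checked during the daily log review. The following is an added example (not from the original post) that runs those two checks over constructed logon records in a simple key=value format; the field names, the admin account list and the threshold are assumptions, and a real collector (syslog, Windows event forwarding) would need its own parser.

```python
import re
from collections import defaultdict

# Constructed sample lines for one day (not real log data).
SAMPLE_LOG = """\
2012-08-29T08:01:02 host=srv-db01 user=administrator logon=interactive result=success
2012-08-29T08:03:10 host=ws-014 user=j.ali logon=interactive result=success
2012-08-29T08:05:44 host=srv-app02 user=administrator logon=interactive result=success
2012-08-29T09:12:00 host=srv-web01 user=administrator logon=network result=success
2012-08-29T09:20:31 host=srv-file01 user=administrator logon=interactive result=success
2012-08-29T10:02:15 host=ws-022 user=s.khan logon=interactive result=success
2012-08-29T10:40:07 host=srv-app02 user=svc_backup logon=service result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"logon=(?P<logon>\S+) result=(?P<result>\S+)$")
ADMIN_ACCOUNTS = {"administrator", "root"}   # assumed list of built-in admins
SHARED_HOST_THRESHOLD = 3                     # assumed: one account on 3+ hosts/day

def parse(log_text):
    """Parse key=value logon lines into dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def review(events):
    """Return findings: interactive admin logons, and accounts used on many hosts."""
    findings = []
    hosts_by_user = defaultdict(set)
    for e in events:
        if e["result"] != "success":
            continue
        if e["user"] in ADMIN_ACCOUNTS and e["logon"] == "interactive":
            findings.append(f"{e['ts']} interactive logon as {e['user']} on {e['host']}")
        hosts_by_user[e["user"]].add(e["host"])
    for user, hosts in sorted(hosts_by_user.items()):
        if len(hosts) >= SHARED_HOST_THRESHOLD:
            findings.append(f"{user} used on {len(hosts)} hosts "
                            f"({', '.join(sorted(hosts))}): possible shared account")
    return findings

if __name__ == "__main__":
    for finding in review(parse(SAMPLE_LOG)):
        print(finding)
```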

Long term (must be business risk based)
Implement a SIEM solution.
Implement a device control solution.
Implement a two factor authentication solution for servers, network devices and critical infrastructure.
Implement a network monitoring and forensics solution.
Implement a malware network analysis solution.
Establish a process to analyze, identify and detect attacks; it shall be integrated into a security incident process (the NIST computer security incident handling guide can be used).
Establish a Cyber Security Intelligence framework.

Time is ticking; they are advanced and use unique techniques, but you can make their attacks fail if proper security controls are in place.

Tuesday, August 21, 2012

Build a practical Cyber Security Intelligence - quick thought

Stuxnet, Gauss, Flamer, other malicious code and unknown malware are attacking organizations of all types; some we know about and some we do not. But which organization is next?

Today, where threats are more advanced and ahead of protection technologies and methodologies, each organization has to build some kind of Cyber Security Intelligence capability to stop, or at least detect (in near real time), advanced threats attacking the organization.
To build effective Cyber Security Intelligence, organizations must first have a working risk management process, and once Cyber Security Intelligence is established it must be integrated into the risk management process.

Risk management will help identify the Cyber Security Intelligence framework that can meet your organization's business requirements and protect valuable assets.

So what can a Cyber Security Intelligence framework consist of? The following lists the components of the framework; it is not a full list but can be used as a starting point:

1. Establish security monitoring, alerting and reporting infrastructure.
2. Establish a security analysis procedure.
3. Establish a non-published cyber security information procedure.
4. Follow up the latest security tools.
5. Follow up the latest security news, alerts and analysis.
6. Follow up LinkedIn groups, either security groups or groups related to your business:
    1. Information Security and Risk management experts
    2. Aurora Cyberconflict Research Group
    3. Information Security Community
    4. Information Security Network
    5. ISF - Information Security Forum
    6. Reverse Engineering and Malware Research
    7. Malware Analysis
7. Build a malware analysis lab.
8. Follow up underground forums.

Of course not the entire list is required; it depends on your business type and requirements.
You may also need basic knowledge of other languages such as Arabic, Chinese, Russian, Farsi and Hebrew.
I will keep the list updated and later detail how to incorporate all the above components, others, and risk management.

Security Tools Updates, Free courses and web security testing platform - July - August 2012


A derivative of BackTrack 5, based on Ubuntu 12.04. Designed for users who wish to use only free software.

NetworkMiner 1.4 released

Samurai Web Testing Framework 2

The Samurai Web Testing Framework is a live Linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, the tool selection was based on the tools used in their security practice, covering all four steps of a web pen-test.

Free Computer Science courses with Khan Academy

Khan Academy is a free online learning resource with more than 3000 educational videos. Everyone is welcome to join any course or lesson on the site.


PowerShell for Penetration Testing, a collection of security scripts, enabling the use of PowerShell post exploitation.

NOWASP (Mutillidae)

Improve your web application pen-test skills using a free, open source web application provided to allow security enthusiasts to pen-test a web application. NOWASP (Mutillidae) can be installed on Linux, Windows XP and Windows 7 using XAMPP, making it easy for users who do not want to administer a web server. It is already installed on Samurai WTF and Rapid7 Metasploitable-2.