Friday, October 30, 2015

Cryptowall 3 defense and mitigation tactics

This seems to be a popular subject lately, especially with the latest report on how CryptoWall is possibly tied to one threat actor group. The first defense against becoming a victim of CryptoWall is to understand the methods of infection that lead to compromise.

Below is one of the most common ways a CryptoWall infection starts: it starts with a zip file.
When working with email, understand that you should never open attachments from people you don't know. More importantly, you should be cautious opening attachments from people you do know.

Common file attachment types you should avoid in email:
.zip
.exe
.scr
.docm
.xlsm
.pdf
.docx
.xlsx
.doc
.xls
.ppt
.pptx

If you receive an email from anyone with an attachment of one of the types listed above, delete it immediately and do not open it.

Angler is probably the number one crimeware kit used to distribute CryptoWall 3. Angler works by injecting its payload directly into memory and does not write malware to disk. In-memory exploits are very tricky to detect, but they can be prevented. A browser that is not patched and is running third-party plugins such as Java, Silverlight or Flash can lead to compromise very quickly. Infected ads that use Flash are a pretty popular distribution method.

So how should you prevent it? If you are running Windows 7, 8 or 10, uninstall Silverlight and Java. What about Flash? On Windows 7 you can uninstall it. Unfortunately, on Windows 8 and 10 it is baked into the OS. However, there is an easy setting change that prevents IE from running Flash content. It's called ActiveX Filtering, and one day it may save you from a serious compromise:

1. Open Internet Explorer by clicking the Start button. In the search box, type Internet Explorer, and then, in the list of results, click Internet Explorer.

2. Click the Tools button, point to Safety, and then click ActiveX Filtering.

What else should you do on top of these simple countermeasures?
Run a Microsoft tool called EMET. You can download it here.

EMET is an enhanced mitigation utility designed to hook into processes and prevent exploitation. Most of the time the defaults will work out fine for everyone. You may have to tweak them manually depending on what add-ins you are running in IE.

Another countermeasure is to limit your browsing activity to an unprivileged account: you should be browsing under an account that does not have administrator privileges.
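As an added example (not from the post), the following PowerShell reports whether a machine follows the countermeasures above: Java and Silverlight removed, ActiveX Filtering on in IE, EMET installed, and the browsing account not a member of Administrators. It is read-only, assumes PowerShell 3 or later, and the registry paths used are the standard IE and Programs and Features locations; the script itself is mine.

```powershell
# Added example, not from the post: report whether this machine follows the countermeasures
# above (Java and Silverlight removed, ActiveX Filtering on in IE, EMET installed, browsing from
# a non-admin account). Read-only; run it in the account you browse with, PowerShell 3 or later.

function Get-InstalledProducts {
    # DisplayName of everything registered under Programs and Features (64- and 32-bit views)
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } | Select-Object -ExpandProperty DisplayName
}

$products = Get-InstalledProducts
$results  = @()

# The two plugins the post says to uninstall
foreach ($plugin in 'Java', 'Silverlight') {
    $found = @($products | Where-Object { $_ -match $plugin })
    $results += [pscustomobject]@{ Check = "$plugin uninstalled"; Pass = ($found.Count -eq 0); Detail = ($found -join '; ') }
}

# ActiveX Filtering (Tools > Safety) is stored per user; the Policies path is where the matching
# Group Policy setting writes it, so either one counts.
$axf = foreach ($p in 'HKCU:\Software\Microsoft\Internet Explorer\Safety\ActiveXFiltering',
                      'HKCU:\Software\Policies\Microsoft\Internet Explorer\Safety\ActiveXFiltering') {
    (Get-ItemProperty -Path $p -Name IsEnabled -ErrorAction SilentlyContinue).IsEnabled
}
$results += [pscustomobject]@{ Check = 'ActiveX Filtering enabled'; Pass = (@($axf) -contains 1); Detail = "IsEnabled = $(@($axf) -join ',')" }

$emet = @($products | Where-Object { $_ -match 'EMET|Enhanced Mitigation Experience Toolkit' })
$results += [pscustomobject]@{ Check = 'EMET installed'; Pass = ($emet.Count -gt 0); Detail = ($emet -join '; ') }

# S-1-5-32-544 is BUILTIN\Administrators. Checking the token's groups (not IsInRole) still catches
# a member when this session is running unelevated under UAC.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = @($identity.Groups | ForEach-Object { $_.Value } | Where-Object { $_ -eq 'S-1-5-32-544' }).Count -gt 0
$results += [pscustomobject]@{ Check = 'Browsing account is not an administrator'; Pass = (-not $isAdmin); Detail = $identity.Name }

$results | Format-Table -AutoSize
```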

Always, always make backups of your data, and keep them offsite. Cloud storage often gets a bad name, but cloud storage is not a bad thing if you know how to protect your data before you send it to a cloud storage location. I use Microsoft's OneDrive; it's baked into Windows 8.1 and Windows 10. I use a PKWARE product called Viivo to encrypt my data before it gets sent to the Microsoft cloud. I also use two-factor authentication on my Microsoft account for added protection. I don't really browse websites or do much with my Windows box. I store data and bounce it to the cloud. That's about it.

I do stuff mostly on Linux virtual machines or Chrome OS. Chrome OS on a Chromebook has been my go-to choice lately for about everything.



Sunday, October 25, 2015

Pass the hash security templates

If you haven't done so already and want some quick wins for a Windows 8.1 or 7 environment, head over here to download the Windows 8.1 security baseline zip file and extract the contents.

http://blogs.technet.com/b/secguide/archive/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final.aspx

After extracting, navigate to the following folder (I extracted the contents to temp):

C:\temp\Desktop\Win81-WS2012R2-IE11-Baselines-FINAL\Win81-WS2012R2-IE11-Baselines\Administrative Template\PolicyDefinitions

Copy pth.admx, and pth.adml from the en-US folder, to their respective locations under PolicyDefinitions on the domain controller. When you open the Group Policy editor on your domain controller you will notice some pass-the-hash mitigations available.


Set 'Apply UAC restrictions to local accounts on network logons' to 'Enabled'

This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Enabling this policy significantly reduces that risk.

Set 'WDigest Authentication' to 'Disabled'

When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server.
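As an added example (not from the post or the Microsoft template), this PowerShell shows the registry values behind the two settings above and, with -Apply, writes the compliant value; it is useful on a lab VM that is not domain-joined, or to confirm a domain member actually picked up the policy. The paths are the ones these Group Policy settings write; the script is mine and assumes an elevated prompt.

```powershell
# Added example, not from the post or the Microsoft template: show the registry values behind the
# two pass-the-hash settings above and, with -Apply, write the compliant value. Run elevated.
param([switch]$Apply)

$settings = @(
    @{ Name  = 'Apply UAC restrictions to local accounts on network logons'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'LocalAccountTokenFilterPolicy'   # 0 = local admin accounts get a filtered token over the network
       Want  = 0 },
    @{ Name  = 'WDigest Authentication'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Value = 'UseLogonCredential'              # 0 = Lsass stops keeping the plaintext password for WDigest
       Want  = 0 }
)

foreach ($s in $settings) {
    $current = (Get-ItemProperty -Path $s.Path -Name $s.Value -ErrorAction SilentlyContinue).($s.Value)
    if ($null -eq $current) {
        # Absent means the OS default applies: the safe value on Windows 8.1 / 2012 R2, but earlier
        # versions keep WDigest enabled until the value is written (see the description above),
        # so -Apply writes it explicitly either way.
        $state = 'not set (OS default)'
    } elseif ($current -eq $s.Want) {
        $state = 'compliant'
    } else {
        $state = "NON-COMPLIANT (value $current)"
    }
    Write-Output ('{0}: {1}' -f $s.Name, $state)

    if ($Apply -and ($current -ne $s.Want)) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Value -Value $s.Want -PropertyType DWord -Force | Out-Null
        Write-Output ('  -> set {0}\{1} = {2}' -f $s.Path, $s.Value, $s.Want)
    }
}
```

On a domain member, a value written locally is overwritten at the next policy refresh, so use -Apply there only to confirm what the template would do.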

Enjoy.

Saturday, October 24, 2015

Windows 10 Security Baselines

For those who use Microsoft Security Compliance Manager as a baseline tool, there is now DRAFT security guidance for Windows 10.

http://blogs.technet.com/b/secguide/archive/2015/10/08/security-baseline-for-windows-10-draft.aspx

Download the zip, extract it, and you are good to go.


There is also a folder called Local_Script if you want to apply the baseline on your own computer without the need for a domain controller. Run the script and reboot. Test it with a non-admin account.

Enjoy.

Sunday, October 11, 2015

Hardening Windows Virtual Machine OS Clients

This is just a running list of how I harden my Microsoft virtual OSes.

1. Stand up a Windows 2012 R2 domain controller on an internal-network-only vNIC.
2. Stand up a Windows 8.1 client on an internal-network-only vNIC. Inside the OS, set up Microsoft Security Compliance Manager. Once you have downloaded all the security baselines, upload the following baselines to the domain controller, or use RSAT and import the baselines in Group Policy Management.

Some important policies to import:

Windows 8.1 computer security compliance
Windows 8.1 user security compliance
Windows 8.1 bitlocker policies
IE 11 Security policies. 

Change the BitLocker policy so that it supports clients without TPM chips. Since your virtual machine doesn't have a TPM chip, the TPM requirement is not necessary. All virtual OSes should be encrypted, even the domain controller you set up.

3. Encrypt all your virtual OSes with pre-boot authentication.
4. Set up another Windows 8.1 client and move it to an OU in Active Directory that has your computer and IE 11 policies.
5. Create a standard user in your domain and apply the Windows 8.1 user security compliance baseline to them.
6. Your standard user should not have admin rights on your Windows 8.1 client.
7. Make sure EMET is set up as well. Enable the defaults and test all your applications to ensure they work properly afterwards.
8. Disconnect your Windows 8.1 client from the internal network and set it to NAT or bridged so it gets an IP with internet access.
9. Fully patch your Windows 8.1 device.
10. Install an AV client on it. I recommend Panda AV Cloud; it has some excellent ratings on the av-test.org website.
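As an added example (not part of the post), the following PowerShell performs the no-TPM policy change from step 2 and the pre-boot authentication from step 3 on a single VM with the built-in BitLocker cmdlets, instead of through SCM and Group Policy. It assumes an elevated prompt inside a Windows 8.1 Pro/Enterprise or Server 2012 R2 VM with the BitLocker feature available; $osDrive and the script are mine.

```powershell
# Added example, not from the post: allow BitLocker without a TPM and turn on pre-boot
# authentication for one VM's OS drive. Run elevated inside the VM.
$osDrive = 'C:'

# "Require additional authentication at startup" = Enabled with "Allow BitLocker without a
# compatible TPM" checked writes these two values; set locally here since no DC is involved.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
New-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -PropertyType DWord -Force | Out-Null

$vol = Get-BitLockerVolume -MountPoint $osDrive
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Write-Output "$osDrive is already $($vol.VolumeStatus); nothing to do."
    return
}

# Pre-boot authentication: with a password protector the VM will not boot without the password.
# BitLocker runs its hardware test on the next restart and then starts encrypting.
$pw = Read-Host -AsSecureString -Prompt "Pre-boot password for $osDrive"
Enable-BitLocker -MountPoint $osDrive -EncryptionMethod Aes256 -PasswordProtector -Password $pw | Out-Null

# Add a recovery password as well and store it off the VM; a forgotten password otherwise means a rebuild.
$vol = Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector
$vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    ForEach-Object { Write-Output "Recovery password (keep it off this VM): $($_.RecoveryPassword)" }

Get-BitLockerVolume -MountPoint $osDrive |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```

Repeat it per VM, the domain controller included, as step 3 says.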

This is pretty much my process when I build a Microsoft-based virtual OS in my lab environments.

Some may ask why Windows 8.1 and not Windows 10. Until an official security compliance guide is out for that OS, I'd avoid hardening one on your own without guidance.

Sunday, October 4, 2015

Adding Two factor Auth to Fedora 22

This works with other distros with a little tweaking. If you are interested in two-factor authentication for your Linux login, here are the steps. I am going to assume you are using full disk encryption with your Fedora installation. If not, then you really should be.

1. Open a terminal with root privileges.
2. yum install google-authenticator

Once installed you will need to configure Google Authenticator. Run the following command in the terminal; this can be run without root privileges.

google-authenticator

You will be prompted to scan the QR code, or you can enter the secret key into the Google Authenticator app on your mobile phone. Once you are finished configuring the Google app, make sure you save and encrypt your emergency scratch codes in case you ever lose your mobile phone.

When presented with the setup questions, just choose Y for them unless you have a reason to deviate from the defaults.

Once you are finished you will need to edit the following file. I edited mine with vi.

/etc/pam.d/gdm-password


Add the following line to gdm-password:

auth required pam_google_authenticator.so


If you are editing the file with vi, hit the ESC key after you are finished, followed by this:

:x

This will save your config. Once done, reboot your Fedora install. With luck you will type in the password for your Linux account and then be asked for a verification code as shown below.




Update 1:
Good point from a fellow Twitter follower: two-factor auth is not present if you press Ctrl+Alt+F3 and log in at the terminal, so if your account password is compromised that path is still open. Will put a fix for that up later. Enjoy!

Update 2:
Let's say you want to add this for Secure Shell (SSH) as well. Easy enough to do. I disable SSH on my Fedora box since I am using it for desktop functions and not server functions.

Edit in vi:
/etc/pam.d/sshd

Add the following line:
auth required pam_google_authenticator.so

Edit in vi:
/etc/ssh/sshd_config

Add the following line:
ChallengeResponseAuthentication yes

Restart the box.


Trusted CA Security Issues

Some of the more interesting CAs on a 2012 R2 server that has yet to touch the internet for an update:

VeriSign Class 3 Public Primary Certificate with MD2 hashing and an RSA 1024-bit key. The cert is good until 8/2028. It's present even on an up-to-date Windows 10 machine. This is a good example of why CA models are just broken.
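As an added example (not from the post), this PowerShell lists every trusted root in the machine store that is signed with a weak hash or carries a key under 2048 bits; the VeriSign root described above appears in it on a stock install. It is read-only, and the store path and thresholds are my choices.

```powershell
# Added example, not from the post: list trusted roots whose signature hash or key size would be
# rejected for a new certificate today. Read-only; works in a non-admin prompt.
$weakHashes = 'md2RSA', 'md4RSA', 'md5RSA', 'sha1RSA'

function Get-WeakRootCerts {
    param([string]$StorePath = 'Cert:\LocalMachine\Root')
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $alg  = $_.SignatureAlgorithm.FriendlyName
        $bits = $null
        try { $bits = $_.PublicKey.Key.KeySize } catch { }   # ECC roots may not expose a key object here
        $why  = @()
        if ($alg -in $weakHashes)      { $why += "signature $alg" }
        if ($bits -and $bits -lt 2048) { $why += "key $bits bits" }
        if ($why.Count -gt 0) {
            [pscustomobject]@{
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                Expires    = $_.NotAfter.ToString('yyyy-MM-dd')
                Reason     = ($why -join ', ')
            }
        }
    }
}

# The hash on a root's own self-signature is never verified (trust comes from the store itself),
# so the 1024-bit keys are the real exposure: anything chained to them is trusted. List those first.
Get-WeakRootCerts | Sort-Object @{ Expression = { $_.Reason -notmatch 'key' } }, Expires |
    Format-Table -AutoSize
```

Run Get-WeakRootCerts -StorePath Cert:\CurrentUser\Root to check the per-user store as well.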