Cloud Security Alliance Releases New Guidance for Identity and Access Management for the Internet of Things

Internet of Things (IOT) Working Group Provides Easily Understandable Recommendations for Securely Implementing and Deploying IoT Solutions

Las Vegas, NV – CSA Congress 2016 — Sept 30, 2015 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today announced that its Internet of Things (IoT) Working Group has released a new summary guidance report titled Identity and Access Management for the Internet of Things. The Internet of Things (IoT) has been experiencing massive growth in both consumer and business environments. In response to this emerging market and the particular security requirements of these connected devices, the CSA established the IoT Working Group to focus on providing relevant guidance to its stakeholders who are implementing IoT solutions. To download a free copy of the guidance report, click here: https://cloudsecurityalliance.org/download/identity-and-access-management-for-the-iot/.

The IoT introduces the need to manage exponentially more identities than existing IAM systems are required to support.  The security industry is seeing a paradigm shift whereby IAM is no longer solely concerned with managing people but also managing the hundreds of thousands of “things” that may be connected to a network.  In many instances these things are connected intermittently and may be required to communicate with other things, mobile devices and the backend infrastructure.

“This document is the first in a series of summary guidance aimed at providing easily understandable recommendations to information technology staff charged with securely implementing and deploying IoT solutions,” said Brian Russell, co-chair of the Internet of Things Working Group for the Cloud Security Alliance. “With this guidance, the CSA’s IoT Working Group is seeking to provide prescriptive guidance to stakeholders detailing an easy-to-follow set of recommendations for establishing an IAM for IoT program within their organization.”

To help security practitioners ensure the integrity of their IoT deployments, the report details 23 recommendations for implementing IAM for IoT which are drawn from real-world best practices culled by CSA’s IoT Working Group along with guidance from a number of other organizations including the Kantara Initiative, FIDO, and the IETF.

Some of these recommendations include:

  • Integrate your IoT implementation into existing IAM and GRC governance frameworks in your organization.
  • Do not deploy IoT resources without changing default passwords for administrative access.
  • Evaluate a move to Identity Relationship Management (IRM) in place of traditional IAM.
  • Design your authentication and authorization schemes based on your system-level threat models.

About the Cloud Security Alliance

The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, follow us on Twitter @cloudsa.

Media Contact

Kari Walker
ZAG Communications for the CSA
kari@zagcommunications.com

[Cloud Security Alliance News]

Cloud Security Alliance Announces Annual Ron Knode Service Award Recipients

Contributions from Six Dedicated Individual CSA Volunteers Recognized in Honor of the Late CSA Member and Volunteer Contributor Ron Knode

LAS VEGAS, NV – CSA CONGRESS 2015 – September 30, 2015 – The Cloud Security Alliance (CSA) today announced the recipients of its fourth annual Ron Knode Service Award, recognizing six members from the Americas, Asia-Pacific and EMEA regions for their excellence in volunteerism. The honorees were selected by the CSA executive team and chosen based on their valuable contributions towards fulfilling CSA’s mission of promoting best practices to help ensure security in cloud computing and next-generation IT. This year’s recipients will be honored this week at the CSA Congress 2015 & IAPP Privacy Academy 2015.

Ron Knode was an information security expert and member of the CSA family who passed away in May 2012.  He is remembered as an innovative thinker with endless energy and humor to guide his volunteer contributions. He also was the creator of the CSA Cloud Trust Protocol, which today remains an important asset for the continuous monitoring and auditing for cloud assurance and transparency certification.

Established in 2012, the Ron Knode Service Award is awarded to CSA members on an annual basis whose contributions reflect Ron’s passion for volunteerism and embody the spirit for which this award was established.

This year’s six recipients are:

Brian Russell, CSA Americas: Brian Russell is a Chief Engineer focused on Cyber Security Solutions for Leidos. He oversees the design and development of security solutions and the implementation of privacy and trust controls for customers. Brian leads efforts that include security engineering for Unmanned Aerial Systems (UAS) and Connected Cars, the design of secure next-generation energy systems (microgrids) and the development of high assurance cryptographic key management systems. He supports the Center for Internet Security as a member of the 20 Critical Security Controls Editorial Panel and serves as Co-Chair of the Cloud Security Alliance (CSA) Internet of Things (IoT) Working Group. Brian also represents CSA in many IoT industry collaborations, including the FCC Technical Advisory Council.

Dr. Said Tabet, CSA Americas: Dr. Said Tabet is a Senior Technologist and Industry Standards Strategist in the Corporate Office of the CTO at EMC. He is a member of the Object Management Group Board of Directors and the principal EMC representative to the Industrial Internet Consortium. Said is the Chair of the INCITS CS1 Secure Cloud Computing Ad-Hoc Group, and a member of the US delegation to ISO SC27. He is also a member of the Cloud Security Alliance International Standardization Council, Co-Chair of the SME Council and the Cloud Security SLA working group. Said spent over two decades driving and contributing to various international standardization activities including ISO, RuleML, OMG standards, W3C Semantic Web and Rules, Risk and Compliance, GRC-XML, Regulatory Reporting and Supervision, Security and Data protection and Privacy. Said continues to work on challenges around Cloud Computing adoption, IoT, Cloud SLA and security SLA automation, Big Data Analytics and security, cyber security and best practices, Industrial Internet of Things, and Semantic Data Collaboration. He is a regular speaker and panelist at industry conferences and international standards meetings, and author and editor of book series and articles.

David Siah, CSA APAC: David Siah is actively involved in cyber security activities in Singapore. He is a member of Infocomm Development Authority of Singapore’s (IDA) Cyber Security Alliance as well as IDA’s working group on Cloud Outage Incidence Response. David is also a committee member on the Singapore Information Technology Federation’s Security and Governance Chapter and is the Country Manager of Trend Micro. In his capacity, he runs Trend Micro’s business operations in Singapore and is in charge of Trend Labs Singapore—responsible for malware analysis and response.

Benildus Nadar, CSA APAC: Benildus Nadar provides senior advisory services in the area of Information Technology with a concentration on Information Security and Risk. Currently with Ericsson, he has worked with IBM, Fidelity Investment, and Comodo in a career spanning 14 years. Benildus is the founder and chairperson of the CSA Bangalore Chapter, one of the biggest CSA chapters worldwide.

Mariano Benito, CSA EMEA: Mariano J. Benito is CISO at GMV, a leading Spanish company in the cybersecurity field, and CSA Spanish Chapter task force (CSA-ES CTO). Over his twenty-year career, he has contributed to the development and implementation of international standards, including ISO 27001 & 22031 at GMV. Mariano J. Benito has also developed a specific focus on Cloud Computing, Compliance & Governance, being the author of the first security analysis in Spain regarding cloud security (2009) and currently contributing to the deployment in Spain of the CSA Guide, CCM, PLA and other local CSA initiatives.

Kai Roer, CSA EMEA: Kai Roer provides Fortune 1000 companies worldwide with expertise on how to build and maintain security culture based on his free and open Security Culture Framework. Roer is a bestselling author, speaker and security culture facilitator who believes in the power of volunteerism.

“We will always remember Ron’s humor, energy and incredible generosity. CSA is grateful for his hard work and dedication, and we continue to benefit from his commitment and passion,” said Jim Reavis, CEO of the CSA. “The six individuals we are recognizing today embody the spirit of Ron’s tireless efforts and commitment to volunteerism. In his honor, we congratulate and thank them for their deep commitment to promoting secure cloud computing globally.”

About the Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem. CSA has developed the definitive best practices for the industry, such as the “Security Guidance for Critical Areas of Focus in Cloud Computing”, the “Cloud Controls Matrix”, “Top Threats to Cloud Computing” and 50 other cloud security research artifacts.

Media Contacts:

Kari Walker for the CSA
703.928.9996
kari@zagcommunications.com

[Cloud Security Alliance News]

AWS re:Invent is Coming – Swing By and See Us!

If you’ve got your AWS re:Invent 2015 pass (Oct. 6–9, Las Vegas) and you’re building your schedule, be sure to set time aside to visit us at booth #331, where you can learn more about using our next-generation firewall and threat prevention features to protect your applications and data.

Common VM-Series for AWS deployment scenarios include using it as a firewall gateway and IPSec VPN termination point, allowing you to effectively extend your on-premises data center into AWS in a secure manner. A more involved scenario is to use it for VPC-to-VPC protection, controlling which applications can communicate with each other and blocking lateral threat movement. For employee remote access, we are seeing customers deploy GlobalProtect on the VM-Series for AWS – taking full advantage of the scalability and ubiquitous access that AWS brings to bear.

Can’t make it to AWS re:Invent? Then check out these VM-Series for AWS resources to learn more:

See you in Vegas!

[Palo Alto Networks Blog]

The Risk of Mobile Pivoting in the Enterprise

While users and enterprises are becoming aware of the risk of mobile-based malware to the sensitive data stored on mobile devices, an often overlooked attack vector is attackers using a compromised mobile device to attack other devices on the network. Mobile devices, as their name implies, are upwardly mobile, often connecting to a plethora of different Wi-Fi networks as they accompany their owner to work, school, home, the coffee shop, the airport, etc. Each new platform is a gateway to a direct network connection to vulnerable systems.

Some penetration testers drop malicious devices that call home on a network as part of a physical access attack, simulating compromised devices on a network. This provides a pivot point to attack internal assets from the Internet. While this is a valid attack vector, what is being overlooked is that any of the mobile devices that are joining the network have this functionality by design, if they are compromised. Attached to the corporate network as well as the carrier mobile network, these devices are a natural pivot point.

Devices can become compromised while not on an enterprise’s watch. Users can download malicious applications or open malicious web pages. Mobile devices can be attacked on hostile networks they encounter as they travel outside the office with the user. Or, they could fall victim to remote code execution attacks, such as the recent Stagefright vulnerability that only required sending a malicious MMS (text message with media attachment) to a vulnerable phone.

When a compromised device attaches to an enterprise network, it can begin hunting for vulnerabilities in the internal network. As any penetration tester or security engineer will tell you, most networks are hard on the outside, but soft on the inside. Many corporations focus on their external, Internet-facing vulnerabilities, as naturally these are easier for attackers to exploit. To attack internal assets, an attacker will need to already be on the internal network by cracking a Wi-Fi password, phishing an employee at their workstation, etc. Penetration testers usually consider it trivial to find exploitable vulnerabilities on internal networks. The compromised mobile device has direct access to exploit those vulnerabilities.

Compromised mobile devices also provide a method of bypassing any data loss prevention mechanisms at the network perimeter. In the figure above, after the compromised mobile device has exploited a vulnerable local system, that system calls back to an attacker system on the Internet, just like in traditional compromise scenarios. Thus, security-conscious enterprises are deploying technologies to notice malicious connections and sensitive data leaving the network and to block these connections. Once again, it is the compromised mobile device to the rescue. That same pivot point that gave attackers access to the network in the first place, through the carrier network connection, can be used to carry malicious connections as shown below. This bypasses any perimeter data loss prevention controls.

With mobile devices entering the enterprise en masse, it is important to recognize the unique threats these devices bring with them. Mobile devices default to being as connected as possible, often to multiple networks at a time (e.g., carrier mobile network and corporate Wi-Fi). This opens up a unique scenario for malicious attackers to use compromised devices as a pivot point to attack the internal network and bypass perimeter controls.

Georgia Weidman
Founder and CEO of Bulb Security, LLC

Georgia will be presenting Going from Practitioner to Entrepreneur at ISACA’s Inaugural CSX North America Conference, 19-21 October in Washington DC.

[ISACA Now Blog]

Updated PClock Ransomware Still Comes Up Short

In recent years, ransomware families have often been glamorized as some of the most dangerous types of malware. They have certainly caused a wealth of damage to end users, with some of the more prominent families, such as CryptoLocker, CryptoWall, TorrentLocker, and TeslaCrypt, infecting millions of users overall.

For readers that might be unfamiliar with ransomware, it’s a type of malware that is responsible for encrypting a user’s files with a key known only to the attackers. Examples of files that might be encrypted include financial documents, home movies, photos, or business-related files. In order to decrypt these files, the victim must provide a ransom, or payment, to the attacker, often in the form of a digital currency.

While ransomware is often thought to be bullet-proof, this is certainly not always the case. In early 2015, Emsisoft identified a new family of malware named PClock. At the time, the malware was riddled with issues, specifically in the way it encrypted files. It used a simple XOR encryption routine with a static key, allowing victims to easily recover their files without paying a ransom.

In August, we started detecting updated copies of PClock, which the malware author has improved upon. We set out to determine whether this updated version of PClock holds up against some of the more prominent families. For the sake of clarity, I will refer to this newer version of PClock as PClock2 going forward.

PClock2 Analysis

The following sample is used for analysis:

MD5 6F2159E72E7AB7B02E18211ECBED7DD3
SHA1 B91608AF753C2FD5A05FF4178CEE4DE492BD9CA0
SHA256 81F686A320DBEC38A90D64C98861F8DDAC8BFDAA7F1AD04A8A33961283E00A22
Compile Time 2015-08-23 20:55:38 UTC

Figure 1. PClock2 analysis sample

PClock2 is written in Visual Basic. For a copy of this file’s IDA Pro database (idb), please refer here.

When initially executed, PClock2 performs a very simple anti-analysis check where it will sleep for a random amount of time and compare the time spent sleeping against a set value. This check is essentially looking for sandbox systems where the sleep function accelerates analysis.

Figure 2. Check by PClock2 for hooking of sleep function

A simple check is performed to determine if the malware is running with administrative privileges. Once completed, the malware sends the result via an HTTP POST request to a remote server. All data sent via HTTP POST requests is sent in the clear.

Figure 3. HTTP POST request containing administrative privileges

The ‘P0’ is statically set by the malware in the above request. The ‘1828’ represents the thread ID (TID) of the malware, while the ‘rnd’ GET variable is randomly generated.

Throughout the runtime of PClock2, it makes multiple HTTP POST requests to a remote server with the same characteristics, including the ‘P0[TID]’ value and the current time. Additionally, the user-agent used by the entire PClock family, including PClock2, is consistent across samples.

PClock2 proceeds to copy itself with the name “winjab.exe” in the following path. While this particular sample is seen installing itself to the %ALLUSERSPROFILE% path, other samples have been witnessed using %APPDATA% instead.

  • %ALLUSERSPROFILE%\WinJab\winjab.exe

PClock2 also enables persistence by setting the following registry key. All instances of the entire PClock family have been found to use this particular registry key.

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\wincl

After installation is complete, the malware makes another HTTP POST containing the various file paths it used.

Figure 4. HTTP POST request containing file paths of malware

After installation, PClock2 will also set the following registry key with a value of ‘INSTALL_OK’.

  • HKCU\Software\VB and VBA Program Settings\CLOCK\SData\S

This particular registry key is used to hold the latest state of the malware. Other messages that might be present in this key include the following.

  • FSO object created
  • WALLET_OK
  • SCANNER_OK
  • EXPORTKEY_OK
  • CRYPTED_OK
  • SHADOWS_OK
  • EXPORTINFO_OK
  • PREPARE_OK

The following registry keys are also used within the CLOCK sub-path by PClock2:

Registry Path   Description
\BData\B        Holds the current Bitcoin price
\CData\C        Holds the key generated by PClock2 and used in encryption
\EData\E        Date when the key will be destroyed
\FData\F        The number of files identified for encryption
\WData\W        Unique Bitcoin address used to forward payments to the attackers' true Bitcoin address
\PData\P        Version

PClock2 proceeds to use the API from blockchain.info to generate a unique Bitcoin (BTC) wallet identifier, which is configured to automatically forward payments to a hardcoded wallet identifier of ‘1MRfkK134ErfbcadUSoSUCBahngCqoBKju’. The following HTTPS request accomplishes this.

PClock2 will also make a request to the following blockchain.info address to determine the current value of BTC. This information is stored in the ‘\BData\B’ registry key as previously stated.

The malware proceeds to generate a unique key that will be used in subsequent file encryption using the following data:

  • Current Time
  • Process ID
  • Process Heap
  • Active Window
  • Clipboard Owner
  • Desktop Window
  • Foreground Window
  • Shell Window

This data is concatenated to form a string similar to the following:

Figure 5. Data collected to be used in formation of unique key

This data is then hashed using the SHA256 algorithm to generate a unique key. This key is stored in the ‘\CData\C’ registry key as previously stated. This key is also sent via an HTTP POST request.

Figure 6. HTTP POST request containing unique SHA256 key

PClock2 scans the file system of the victim in order to identify files that are to be encrypted. The following paths are ignored:

  • \AppData
  • \Application Data
  • \Boot
  • \Local Settings
  • \PerfLogs
  • \ProgramData
  • \Program Files
  • \AMD\
  • \Dell\
  • \HP\
  • \Intel\
  • \Norton\
  • Drivers
  • Microsoft
  • Setup
  • Windows
  • Games
  • iTunes
  • Sample Music
  • Sample Pictures
  • Steam

Additionally, for a list of targeted file types, please see the following link.

Once files are identified, PClock2 begins encrypting them one by one. Unlike the original version of PClock, this variant has forgone the simple XOR encryption routine in favor of RC4. The RC4 key is generated by concatenating the SHA256 value previously generated with the path to the file being encrypted, for example:

250dd811187959220220574a185ccf669e06c0ee3926773a7cb94750c401812cC:\Documents and Settings\Administrator\Desktop\Form1.cs
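To make the per-file key derivation concrete, here is an added Python example (not code from the original post or from Palo Alto Networks) that reproduces the scheme described above for recovery purposes: RC4 keyed with the SHA256 hex string held in ‘\CData\C’ concatenated with the file's full path. It assumes the key bytes are the ASCII form of that string; the analysis does not state which string encoding the Visual Basic code uses when it hands the key to RC4, so an analyst should confirm that against the sample. Because the key is written to the registry and sent in the clear in an HTTP POST (Figure 6), a registry snapshot or packet capture taken before the key is zeroed lets a defender decrypt files without paying.

```python
import hashlib


def sha256_from_seed(seed_parts):
    """Hash the concatenated runtime values (time, PID, window handles, ...)
    into the hex string PClock2 stores in \\CData\\C.  The exact layout of the
    concatenated seed is only shown in Figure 5 of the post, so any list of
    string parts is accepted here for demonstration."""
    return hashlib.sha256("".join(seed_parts).encode("ascii")).hexdigest()


def derive_file_key(sha256_hex, file_path, encoding="ascii"):
    """Per-file RC4 key = SHA256 hex string || full path.
    The byte encoding of that string is an assumption (see lead-in)."""
    return (sha256_hex + file_path).encode(encoding)


def rc4(key, data):
    """Plain RC4 (KSA + PRGA).  RC4 is symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def recover_file(sha256_hex, file_path, ciphertext):
    """Decrypt one file given the captured \\CData\\C value and the file's original path."""
    return rc4(derive_file_key(sha256_hex, file_path), ciphertext)


# Values from the post: the SHA256 key and the path in the concatenated string above
KEY_HEX = "250dd811187959220220574a185ccf669e06c0ee3926773a7cb94750c401812c"
PATH = r"C:\Documents and Settings\Administrator\Desktop\Form1.cs"

if __name__ == "__main__":
    # constructed plaintext standing in for the victim's file contents
    plaintext = b"using System;\nnamespace Demo { class Form1 { } }\n"
    ciphertext = rc4(derive_file_key(KEY_HEX, PATH), plaintext)
    assert recover_file(KEY_HEX, PATH, ciphertext) == plaintext
    # the path is part of the key, so the same key value does not open a file at another path
    assert recover_file(KEY_HEX, r"C:\other.txt", ciphertext) != plaintext
    print("recovered", len(plaintext), "bytes")
```

The important operational consequence is the one the zeroing step later in the post hints at: once ‘\CData\C’ is overwritten, only an earlier copy of that value (registry backup, memory image, or the cleartext POST in a proxy log) makes recovery possible, so those sources are worth preserving during incident response.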

It should be noted that PClock takes a very long time to encrypt these files. On a test sandbox, the malware took upwards of 20 minutes to complete encryption, which is less than ideal for an attacker as it gives the victim time to notice the infection and stop it. By comparison, the latest version of the CryptoWall malware family takes roughly 1-3 minutes to complete its encryption routine.

It’s also interesting to note that each time PClock2 scans a directory or encrypts a file, it makes an HTTP POST request to the C2 server.

Figure 7. HTTP POST request indicating a folder is being scanned

This resulted in over 1,000 requests being made on a sandbox machine, which contained little data of interest.

After it finishes the encryption routine, PClock2 generates a VBScript file in the following directory:

  • %ALLUSERSPROFILE%\WinJab\tmp.vbs

This script file contains the following commands, which will delete shadow copies on the Windows operating system.

Set UAC = CreateObject("Shell.Application")
UAC.ShellExecute "vssadmin", "Delete Shadows /All /Quiet", "", "runas", 1

On Windows XP, the following dialog box appears to the victim when this script runs, making it fairly apparent that something suspicious is occurring:

Figure 8. Dialog box that appears to victim when VBS attempts to run

After running the cleanup script, the malware overwrites the ‘\CData\C’ registry key with a value of zero, which removes the unique SHA256 key. Finally, the malware changes the victim’s wallpaper and generates a GUI instructing the victim how to provide payment and retrieve their files. This dialog mimics the more capable “CryptoLocker” malware family and provides instructions in both English and Spanish.

Figure 9. Ransom demand

Conclusion

I originally wished to determine if the new version of PClock, PClock2, included enough improvements to compete with some of the larger ransomware malware families, such as CryptoWall, TeslaCrypt, or TorrentLocker. In truth, this version has made a number of improvements, such as adding more file types to target, ignoring certain directories, and using a better encryption routine.

However, a number of significant issues still plague this malware family, including the following:

  • 20+ minute runtime for the malware to complete
  • 1000+ HTTP POST requests made
  • Dialog pop-ups to the victim requiring user input
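Each of those noisy behaviors, together with the persistence and installation artifacts described earlier (the ‘wincl’ Run value, the WinJab\winjab.exe path, the CLOCK state keys and the vssadmin shadow-copy deletion), is a detection opportunity. The following Python is an added example, not code from the original post or from Palo Alto Networks, that runs those indicators over a constructed set of endpoint and proxy events. The pipe-separated event format, the hostnames, the C2 placeholder host and the burst threshold of 100 POSTs to one destination within five minutes are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# --- Indicators taken from the analysis above --------------------------------
RUN_KEY_INDICATOR = "\\CurrentVersion\\Run\\wincl"                 # persistence value
STATE_KEY_INDICATOR = "\\VB and VBA Program Settings\\CLOCK\\"     # state/key storage
INSTALL_PATH_INDICATOR = "\\WinJab\\winjab.exe"                    # dropped copy
SHADOW_DELETE_RE = re.compile(r"vssadmin\s+delete\s+shadows", re.IGNORECASE)

# Burst tuning: hypothetical values chosen for the example, not from the post
POST_BURST_THRESHOLD = 100
POST_BURST_WINDOW = timedelta(minutes=5)


def parse_event(line):
    """Events are 'ISO-timestamp|kind|host|detail' (constructed format)."""
    ts, kind, host, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), kind, host, detail


def detect(lines):
    """Return {host: sorted finding names} for every host that matches an indicator."""
    findings = defaultdict(set)
    post_times = defaultdict(deque)          # (host, destination) -> timestamps in window
    for line in lines:
        ts, kind, host, detail = parse_event(line)
        if kind == "registry":
            if RUN_KEY_INDICATOR in detail or STATE_KEY_INDICATOR in detail:
                findings[host].add("persistence")
            if INSTALL_PATH_INDICATOR in detail:
                findings[host].add("install-path")
        elif kind == "process":
            if SHADOW_DELETE_RE.search(detail):
                findings[host].add("shadow-copy-deletion")
        elif kind == "http":
            method, dst = detail.split(" ", 1)
            if method != "POST":
                continue
            window = post_times[(host, dst)]
            window.append(ts)
            while window and ts - window[0] > POST_BURST_WINDOW:
                window.popleft()             # drop beacons older than the window
            if len(window) >= POST_BURST_THRESHOLD:
                findings[host].add("post-burst")
    return {host: sorted(names) for host, names in findings.items()}


def constructed_events():
    """Constructed sample telemetry: one infected host (WS01) and one clean host (WS02)."""
    base = datetime(2015, 9, 30, 10, 0, 0)
    ev = [
        f"{base.isoformat()}|registry|WS01|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\wincl=%ALLUSERSPROFILE%\\WinJab\\winjab.exe",
        f"{(base + timedelta(seconds=1)).isoformat()}|registry|WS01|HKCU\\Software\\VB and VBA Program Settings\\CLOCK\\SData\\S=INSTALL_OK",
    ]
    # one POST per scanned folder / encrypted file, here one per second to the same server
    for i in range(150):
        ev.append(f"{(base + timedelta(seconds=2 + i)).isoformat()}|http|WS01|POST http://c2.example.invalid/")
    ev.append(f"{(base + timedelta(minutes=25)).isoformat()}|process|WS01|vssadmin Delete Shadows /All /Quiet")
    # clean host: a few POSTs to a mail server and an ordinary Run value
    for i in range(5):
        ev.append(f"{(base + timedelta(seconds=i)).isoformat()}|http|WS02|POST https://mail.example.invalid/sync")
    ev.append(f"{base.isoformat()}|registry|WS02|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater=C:\\Program Files\\Example\\updater.exe")
    return ev


if __name__ == "__main__":
    for host, names in detect(constructed_events()).items():
        print(host, ", ".join(names))
```

The string indicators are sample-specific and cheap to change, whereas the POST burst and the shadow-copy deletion are behaviors the malware needs in order to work; in practice the behavioral rules should carry the most weight, and the Run value and CLOCK key checks serve to attribute a hit to this family.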

While this version is an improvement, it still lacks many of the features and stealth that are currently present in the larger ransomware families. While ransomware is a large problem for users, it’s important to realize that not all malware families are created equal. Like most things in life, malware comes in many shapes and forms, from the more elegant and robust solutions, to those that come up lacking.

All PClock malware family samples are properly classified as malicious by WildFire. AutoFocus users can find more information on samples and indicators related to this attack by viewing the PClock tag.

[Palo Alto Networks Blog]
