Secure Windows File Copy – Secure FTP

There are several solutions for copying files between Windows hosts, the protocol that most file transfers in the Windows world will default to is SMB (yes, thats the same protocol as used by Wannacry). What alternatives are available? The pre-requisites are

Audit and logging capabilities, each transfer should be logged; One central server where files get pushed to and pulled from; Authentication, before a file transfer can happen, the user should authenticate; Secure transfer ofRead more.

Mindmap for CRASHOVERRIDE

Both Dragos and ESET released two reports on the analysis of malware attacking power grids.

According to Dragos the adversary group labeled as ELECTRUM is responsible for the cyber attack on the Ukraine electric grid in 2016.

I created a mindmap based on the info in the Dragos document. It’s available on https://github.com/cudeso/tools/tree/master/CRASHOVERRIDE

https://www.us-cert.gov/ncas/alerts/TA17-163A https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf https://dragos.com/blog/crashoverride/

Kerberos made easy

Kerberos is an authentication protocol that works on the basis of tickets that allows clients to connect to services over an insecure network and still allow clients to prove their identity in a secure manner.

The steps described below are a compilation of what I found when reading on Kerberos. Feel free to share your comments!

These are the steps necessary for a client to obtain an authenticated and verified request to a service (forRead more.

WannaCry / Wcry / WannaCrypt help / advice

I compiled a list of -hopefully- useful tips and help for dealing with the WannaCry ransomware. I try to keep the page updated as soon as new information is available.

See https://www.wannacry.be/. Feedback is welcome!

What could have limited the impact of the WannaCry / Wcry / WannaCrypt ransomware?

A major wave of ransomware called WannaCry / Wcry / WannaCrypt has hit many organizations around the world, causing panic among many users, system administrators and security professionals. The details of the ransomware have been covered in detail at other posts

Everything you need to know about the WannaCry / Wcry / WannaCrypt ransomware Player 3 Has Entered the Game: Say Hello to ‘WannaCry’ Massive outbreak of ransomware variant infects large amounts of computers aroundRead more.

ipv6: Neighbour table overflow

One of my virtual machines hosted at Gandi had an excessive amount of error messages

The cause of this error message are the IPv6 router announcements that try to discover and configure the IPv6 neighbourhood. The excessive amount of messages were polluting the logs.

After contacting the Gandi helpdesk they provided insight on the cause of the error message and provided mitigations to prevent these type of errors. I had to update /etc/sysctl.conf withRead more.

The Apache Struts 2 Vulnerability and the Importance of Patch Management

I published an article on IBM Security Intelligence on The Apache Struts 2 Vulnerability and the Importance of Patch Management.

The post describes a vulnerability in Struts 2, a free, open source framework for creating Java web applications that allows attackers to execute arbitrary code.

Simplifying Risk Management

I published an article on IBM Security Intelligence on Simplifying Risk Management.

What is Shodan telling us about ICS in Belgium?

I have been using Shodan, “the world’s first search engine for Internet-connected devices”, since a long time. Recently I switched my free account to a membership account. A membership account allows you to do API queries with additional query filters (for example restricting search results to specific countries).

In this post I describe the results of querying the Shodan API for ICS (or related) devices in Belgium. These results are entirely based on what isRead more.

Hack of Polish Financial Supervision Authority and Polish banks

A couple of days back the financial sector in Poland was shocked by the news that the Polish financial supervision authority was hacked and was used as an attack vector to get access to other (mostly Polish) banks.

This is a very short summary with some IOCs (Indicator of Compromise) that you can use to check your logs and verify if you are affected.

Note that most of this information is composed from information foundRead more.