Salted Hash: RSA Conference 2017 – Live Blog

Salted Hash is on location in San Francisco this week, covering the RSA Conference

RSA Expo North Hall
Credit: Adam Murray

All this week, Salted Hash will be on location at the RSA Conference in San Francisco. We'll be updating the blog multiple times a day with news and other content from the show – so check back often.

Tuesday, Feb. 14:

5:00 p.m. PST:

Ok so today was nuts. Back to back meetings for Salted Hash, which left the blog empty most of the day. For that, we apologize. However, there are some interesting things going on, and if the current investigation goes according to plan, we’ll have a rather large story to report on soon.

For now, let’s just say that if you are a criminal, having backups is sensible, as you don’t want to lose data. However, leaving those backups exposed to the public isn’t wise. Though, some of us think it is hilarious and are really happy you made such a common error when it comes to cloud-based backups.

News-wise, by now everyone knows what happened with CrowdStrike and NSS Labs. However, if you were curious about the test results, some of the highlights are below.

CrowdStrike is listed with incomplete data, rated as below average on security effectiveness.

“The CrowdStrike Falcon Host achieved a Security Effectiveness rating of 74.17%. The Falcon Host’s final rating may have been different had it completed the test. The Falcon Host did not block any false positive samples after the initial tuning. The Falcon Host did not detect or block 50.0% of the tested evasions,” the report shared with Salted Hash states.

However, others listed as below average include ESET and Malwarebytes. Carbon Black took top spot for effectiveness on the NSS Labs report, followed by McAfee, Symantec, Sentinel One, Cylance, and Invincea. In a blog post earlier today, CrowdStrike called the results “incomplete and materially flawed.”

9:00 a.m. PST:

Yesterday, we mentioned a lawsuit filed by CrowdStrike, which attempted to prevent NSS Labs from releasing test results on the Falcon platform. We've obtained the court documents and published a story on the topic, along with the court record.

We'll update the blog again later this morning.

Monday, Feb. 13:

It's Monday, day one of the RSA Conference in San Francisco. If you haven’t noticed yet, construction by the conference center is nuts. There’s no crossing topside; anyone moving between the North and South halls will have to stay underground.

Mondays are slow. People are just starting to come in, and the expo areas are off-limits to the public as crews work to build the floor. Most of the spaces are put together, but the finishing touches still need to be applied.

But just because it's slow doesn't mean there isn't any news to report from out here. Let's start with BEC attacks.

Last week, Salted Hash reported that more than 30,000 taxpayers had been exposed across 31 incidents. Today, those numbers are larger. As of this morning, at least 44 BEC attacks have exposed more than 45,000 people this year, and we're only just getting into February – tax season isn't even over yet. But you can bet this number will change before the end of the day, as new incidents are disclosed daily.

Last week, we wrote about Monarch Beverage, a company in Indiana that was hit by BEC attacks two years in a row. The first attack wasn't discovered until the company started investigating this year's incident.

It looks bad, but they're still the victim, and the employee who was fooled into disclosing the sensitive documents did so because the request didn't feel wrong or suspicious. That's the problem with BEC: the criminals behind the scams are targeting an internal system that can't be fixed with technology – it's a people issue, a policy issue.

A situation similar to the one Monarch faced has recently come to light. Land Title Guarantee Company disclosed a BEC attack last week, and in their notification letter, the company says that the same employee responded to the scam emails twice – once in 2016 and once in 2017.

"In response to reports from employees in June 2016 of tax-related identity theft, Land Title promptly conducted an investigation which included working closely with the Company’s third-party payroll provider to identify any irregularities," the disclosure notice states.

"That investigation did not uncover any connection between Land Title and the employees’ reports. After receiving new reports last month of similar incidents, Land Title promptly renewed its investigation and thoroughly reviewed information stored on the Company’s information systems. Through these diligent efforts, the Company uncovered the phishing e-mails on or about January 27, 2017. Land Title has contacted the FBI concerning these incidents and will cooperate fully in any investigation."

Salted Hash, along with Dissent at Databreaches.net, will be keeping a running list of the BEC attacks this year. It’s being updated as soon as new information emerges.

4:30 p.m. PST:

Something interesting happened last week on Twitter. So here's a quick story time post, since the videos are now live and linked below.

TL;DR: Saying 'prove it' to a hacker often doesn't go so well, as one Microsoft employee recently learned.

A conversation started on Twitter after Jose Pagliery, a security reporter for CNN, had a frightening realization – what if someone started spreading malware via the unsubscribe links within unwanted emails?

Another security expert (Kenn White) commented with a paraphrased quote by Dave Kennedy, the founder of TrustedSec and creator of the Social Engineering Toolkit (SET) – "Sketchy unsubscribe links are sketchy" – meaning (as far as this conversation is concerned) it's a safe bet criminals already do this or have.

Mark King, who says on his blog – UnplugThePBX – that he works at Microsoft, entered the conversation by stating that Microsoft's Office365 Advanced Threat Protection would stop people from messing with unsubscribe links.

Twitter conversation archive SRagan

Kennedy disagreed, and said that ATP was pretty easy to skirt, given some conditions. The two went back and forth, prompting Kennedy to respond with a personal example from an assessment he was working on, but King demanded proof.

When Kennedy explained that he would break an NDA by sharing, King asked about the NDA and stated he wanted to make Office365's ATP better if it misses something. Then, after apparently seeing who Kennedy was, he responded: "ohh are you just trying to promote your crap by disparaging something that actually works. Got it. Good try."

A day later, Kennedy – after having his integrity called out and being told to 'prove it' – responded with an image. In it, Kennedy demonstrates that Office365's ATP is vulnerable (Safe Links enabled with block, safe attachments too) by showing an open shell on a remote system.

The videos below, as well as a blog post on the TrustedSec website, offer additional details and deep background on the core issues. The bottom line is that while ATP will work, it isn’t flawless.

Kennedy will work with Microsoft to help improve things. Also, while he originally planned to release additional details, the specifics of how to replicate attacks on Office365 are being withheld for now.

“As we can see from both videos, it is extremely trivial to get around safe links. Microsoft, if trying to get into this space, should probably get into web analysis dynamically of pages, and inspect for certain components prior to allowing a user into the site,” Kennedy explained in a blog post.

“I'm guessing this option was probably explored (just a guess) and this would require extensive resources in order to process each web request coming from a link in email. I do believe though that if Microsoft is going to be offering a service touting advanced protection capabilities, that it should consider this as a method.”

Microsoft Advanced Threat Prevention (ATP) with Safe Links - Using Metasploit MS16-051

Microsoft Advanced Threat Prevention (ATP) with Safe Links - Using SET
5:00 p.m. PST:

CrowdStrike sues to keep test results hidden

Something new from the floor here at RSA. Last week, CrowdStrike sought a temporary restraining order and preliminary injunction from the courts in order to prevent NSS Labs from releasing the results of tests the lab conducted.

CrowdStrike went to court on February 10, and the court denied them earlier this afternoon. NSS Labs will publish the results of the test on Tuesday at 9 a.m. We’ll have more on this story soon.
