Security BSides Athens 2016

It has been a while since my last blog-post and the main reason for that, was the numerous things I had to keep track for organising:

Security BSides Athens 2016 (www.bsidesath.gr) 

It has been a very busy year trying to organise this Security BSides event for the first time in Athens, Greece, with plenty of “hiccups” to overcome in the meantime. 

Once we had a team of people who were equally excited and passionate about this, we started working towards the event details.  

---

Given the opportunity, I would like to personally thank the team once again, all the volunteers who helped out on the day, the review committee who provided constructive feedback to all submissions, the speakers who travelled from all over the world to be there and present, and last but not least, all of YOU who attended the event. 

Special thanks goes to our sponsors, who trusted us on our promise to deliver this information security community based conference. We couldn't be able to bring this event to Athens, especially for the first time if it wasn’t for them, and for that we really appreciate their contribution and support.

Of course, such an event would not be able to exist without the community support we had from fellow conferences all over Europe, the Universities that promoted the conference, the Hellenic Army General Staff, and all the people how were involved and made this event a success story. 

We had some great feedback already and we are committed to tweak things according to the recommendations and suggestions we received in order to make the event next year even better. There is always room for improvement and for more people to get involved. 

Ransomware - Did you update your incident response plan?

At the beginning of 2016 an article was published about the increasing threat of ransomware and provided advice on having an incident response plan that is ready to face this emerging threat. Our article focused on tips related to prevention, response and evading extortion. If you did not have a chance to read our article from January, we recommend that you read it as soon as possible.

Now, at the end of the first quarter of 2016, it is evident that ransomware has become a headache for those who did not take all the necessary precautions to avoid being the next target. Recently, the FBI released a statement to The Wall Street Journal that ransomware is a prevalent and increasing threat. As this recent article describes, attackers are trying new approaches to infection, such as ransomware ‘malvertising’, and have succeeded in creating the first Mac OS X ransomware.

Have a plan, Be Prepared
Due to the fact that it is not easy to deal with the situation after an organisation is hit by ransomware, the best course of action is to ensure there is a backup plan in place. It might come as a surprise but in order to understand the seriousness of the situation, consider that an official in the FBI’s Boston field office went against normal FBI policy and suggested to a conference audience that often the only solution is to pay the ransom. Sysnet wants to make sure you do not have to face that moral dilemma and for that reason we are trying to inform you about the increasing threat and ensure you have taken all the necessary steps towards prevention.

The Badlock day has arrived!

Badlock is a a crucial security bug in Windows and Samba. Samba 4.4.2, 4.3.8 and 4.2.11 Security Releases are available [here]. 

Microsoft and the Samba Team have been working together in order to get this problem fixed and for a patch to be released. You will have to update your systems as this security flaw is expected to be actively exploited soon enough. 

Badlock is referenced by CVE-2016-2118 (SAMR and LSA man in the middle attacks possible).

There are additional CVEs related to Badlock. Those are:

• CVE-2015-5370 (Multiple errors in DCE-RPC code)
• CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
• CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
• CVE-2016-2112 (LDAP client and server don't enforce integrity)
• CVE-2016-2113 (Missing TLS certificate validation)
• CVE-2016-2114 ("server signing = mandatory" not enforced)
• CVE-2016-2115 (SMB IPC traffic is not integrity protected)

Please, find more information about badlock at the dedicated website created for that reason: badlock.org

Start Google Chrome in Incognito Mode by Default

I tend to use different browsers for different tasks, and that makes my life a lot easier when it comes to managing all the different things I have to do. From my point of view, the Google Chrome web browser is the ideal browser for its incognito mode when accessing known safe websites. 

In order to speed things up, I tend to start it in incognito mode by default. Not many people know this, but it is really easy to start Chrome in incognito mode by default. 

If you already have Chrome already installed, locate the executable on  your system. You can R-Click on your existing shortcut (i.e. on the Start menu) and choose, "Open file location". 

Building a Security Operations Centre (SOC)

Building a Security Operations Centre (SOC) is undoubtedly the best move you can make towards protecting not only your organisation’s data, systems and services, but also any sensitive information about your clients that you handle or store. This article is a brief overview of the task of building a SOC, introducing not only the key elements but also how the challenges of increased security requirements and rapid response are addressed.

The process for building a SOC can be time consuming and it is directly related to the available budget. The best approach is to create a plan that allows for incremental phases of implementation. Starting with a gap analysis, you will be able to define and prioritise the milestones for incremental improvements by setting the appropriate expectations and timelines. To start with, take a look at the Centre for the Protection of National Infrastructure (CPNI) and more specifically the Top 20 Critical Security Controls guidance.

The incremental improvements need to take under consideration the collaboration and communication between people, technology, and processes. These are the three equally important components that define a SOC.