The 5 keys of an Operator’s Security Plan for a health service

(This post has been prepared by Juan Carlos Muria & Samuel Segarra.)

Regarding the protection of critical infrastructures and essential services, as reflected in the European NIS Directive, in Spain there is a National Strategy that includes the health sector as a critical infrastructure.
In this SAW post, we explain the key success factors for approaching the preparation of the Sector Strategic Plan to render it compliant with Spanish regulation, although there are many points in common with protecting critical infrastructure in other countries, according to our experience.

And finally it arrived: The Sector Strategic Plan (PES) for the health sector was published at the end of October, and now comes the time, for elected operators, to draft the Operator’s Security Plan (OSP) in less than six months, not forgetting that then there will only be four months to detail the Specific Protection Plans for each of the critical infrastructures, and finally the Operational Support Plans (PAO).

This is the minimum required by the National Center for the Protection of Critical Infrastructures, in response to meetings held and emails exchanged with different operators.

The structure of these plans is defined by the (CNPIC) itself, so we have preferred to focus on the things that a healthcare operator should take into account, and since we are on a blog and the content should be short and concrete, we have decided to highlight the 5 most important things, which should not be missing in a OSP.
Shall we start?
[Read more…]

(Cyber) GRU (XI): TTP

The information that has come to light in recent months, especially Mueller’s accusation, has identified different tactics and techniques of the GRU, some of them previously known – and in many cases linked to APT28 – and others that, although we could all imagine, no one had previously confirmed. These TTPs are summarized in the following table, based on an adaptation of the tactics and techniques published by MITRE in its ATT&CK framework:... Leer Más

(Cyber) GRU (X): objectives

Apart from some more specific objectives, such as Westinghouse Electric Company’s – with business in nuclear technology – or domestic routers that can be compromised to orchestrate a distributed attack against the real objective, the information published in 2018 has brought to light five major GRU objectives, consistent with the interests of the Service and consequently with those of the Russian Federation; are those exposed at this point.

It is striking that in most of these objectives – with the possible exception of Ukraine and its infrastructures – the GRU has, presumably always, an interest related more to the confrontation of psychological information to which we have referred than with a purely technical attack. In other words, it is unlikely that the GRU will attack targets such as the researchers of the use of Novichok or the demolition of the MH17, which we will see below, with the intention of technologically altering the results of these investigations … it is more likely that the real objective was to obtain information, on the one hand, to know first-hand the state at each moment and on the other, equally important, to obtain data that would allow the Service to initiate disinformation campaigns against these investigating bodies, so that in the face of society they would lose lost credibility in their claims, thus benefiting the interests of the Russian Federation. [Read more…]

CISSP certificate – II. Personal experience

In yesterday’s post we saw some general aspects of CISSP certification, which can be expanded consulting the official website of (ISC)2. In this post I will go into detail on the non-formal aspects, such as materials, advice and personal opinions. Let’s get started.

Is the exam difficult?

If you search on Google, the main user communities related to (ISC)2 are found on reddit and in the (ISC)2 forums. In both there are multiple entries relating opinions, experience with the exam, asking and giving advice, reviewing study materials and other topics. However, my impression is that the tone tends to be negative and somewhat frightening, terrifying even at times. Many people who have taken the exam describe it as very difficult and obscure with tricky wording. In addition, there are no “example” questions on the Internet, and the people who produce the training material (including the official question book) or teach the training courses (bootcamps) are never the same people who write the exam questions. Therefore, a critical element to manage during exam preparation is uncertainty.

[Read more…]

IoT in the Industry 4.0 – Our data – collaboration or use?

On 7 February, a meeting was held in Madrid at the Vodafone Observatory of the Company, where experts in the cloud, artificial intelligence, robotics and digital transformation gave a vision on how to face the challenges of industry 4.0. In previous articles by Joan Balbastre about Industry 4.0, we could see what characterizes this industrial revolution and its basic design principles. In these articles, up to six different principles are named and one of them allows us to focus on this text: service orientation. This orientation turned out to be the fundamental axis of the whole event.

It is true that, in the face of strong competition between companies from different sectors, the optimization of the products or services provided has become a priority. There are many ways to improve a company or product. In recent years, information gathering has become one of the fundamental pillars on which the Industry 4.0 revolution is based. The data collected from consumers allows companies to perform different actions such as preventive maintenance, quality assurance, real-time defect management, operations management, etc. A clear example of the change that companies in the industry are undergoing is the case of Quality Espresso, which has gone from producing only one product, designing, producing and marketing coffee makers, to the provision of an added service thanks to the collection of information. Quality Espresso coffee machines not only allow connectivity with different devices, but are also able to collect statistical information for the company, in order to improve the products or even influence the design of new ones, as indicated in the event.

[Read more…]

Exchange forensics: The mysterious case of ghost mail (II)

(Note: This is a fiction story, the characters and situations are not real, the only real thing is the technical part, which is based on a mixture of work done, experiences of other colleagues and research carried out. with the same technical dose but with less narrative, you can consult the video of the talk that the author gave at the 11th STIC Conference of the CCN-CERT here )

On the previous article we left off with our views on the mail server of the Organization, a Microsoft Exchange 2010. The first thing we can do is ask Systems to do a message tracking of the email, using a graphical tool (although we can also do it by console) to locate the history of a high level email within Exchange.

First attempt, and the email still does not appear. We repeat the addresses and the Systems technician repeats the search without success. The email must necessarily be there, so we ask him to search again the whole day… and we finally find it, 14 minutes later than when it should have been sent.

Apparently the Organization has not implemented its time synchronization strategy well, and we have a 14 minute drift between the Exchange server and the clients (mental note: insist on the need to deploy an NTP server as soon as possible), but at last we have located the email. The screenshot sent by Systems would be something similar to this one (for confidentiality issues we cannot put any of the originals):

[Read more…]

(Cyber) GRU (VII): Structure. Unit 26165

Unit 26165 (85th Special Service Center) is located at number 20 of Komsomolskiy Prospekt. Also, at this same address is the Military Unit 06410 (152nd Training Center) with Koval NIKOLAY NESTEROVICH in command, which was created on 08/27/1943. Apparently, this second Unit is not related to the cyber field from a technical point of view, according to available information in public sources such as articles or theses related to military education, psychology, etc.

In the Soviet era, the GRU Service of Decryption was located at number 20 of the Komsomolskiy Avenue in Moscow, to which we have already referred, intimately related to the Sixth Directorate (SIGINT) but not dependent on it. In fact, that historical Service of Decryption is apparently the very Unit 26165, created on May 23, 1953 according to open sources. Apparently, there is public information that confirms its existence at least in 1958, such as the medal commemorating the 60th anniversary of the Unit shown below:

[Read more…]

Who takes responsibility for errors made by smart robots?

As those of us who are interested in robotics know, ir represents one of the great technological advances of the 21st century. However, for this progress to be properly made, it must be accompanied by a transparent and dynamic regulatory framework that unifies and clarifies the uncertainties it generates. However, today there is no such regulatory framework at national, European or international level.

However, there are two references that are worth considering.

Firstly, the recommendation of the European Parliament (Draft Report with recommendations to the Commission on Civil Law Rules on Robotics (2015/2103(INL)) for the establishment of a set of rules on liability. In the face of a possible “new industrial revolution” in which society enters an age of robots, bots, androids and other more advanced forms of AI, it is imperative that the legislator consider the consequences that may result from the use and implantation of these devices in our daily lives.

[Read more…]

Analysis of Linux.Omni

Following our classification and analysis of the Linux and IoT threats currently active, in this article we are going to investigate a malware detected very recently in our honeypots, the Linux.Omni botnet. This botnet has particularly attracted our attention due to the numerous vulnerabilities included in its repertoire of infection (11 different in total), being able to determine, finally, that it is a new version of IoTReaper.

Analysis of the binary

The first thing that strikes us is the label given to the malware at the time of infection of the device, i.e., OMNI, because these last few weeks we were detecting OWARI, TOKYO, SORA, ECCHI… all of them versions of Gafgyt or Mirai and, which do not innovate much compared to what was reported in previous articles.

So, analyzing the method of infection, we find the following instructions:

As you can see, it is a fairly standard script and, therefore, imported from another botnet. Nothing new.

Although everything indicated that the sample would be a standard variant of Mirai or Gafgyt, we carried out the sample download. [Read more…]

Simple & crazy covert channels (I): Asciinema (en)

In the preparation of our audits, we often waste a lot of time developing tools that require a lot of work and, in many cases, do not go unnoticed by those users with a more technical profile.
However, there are other simpler (and equally effective) methods to carry out the exfiltration of information, such as through tools that were not initially designed for this purpose and which, with relatively simple adjustments, allow us to carry it out.

Thus, in the following article the analysis of the asciinema tool will be carried out, as well as the different possibilities of use and how it can be integrated with an attack vector.

Asciinema is a very nice tool that I usually use for demos whose sole function is to register the user’s session and to provide a URL that allows us to easily share the user’s activity. Very valuable information that can be used in a malicious way.

Below, we will see if we could use it as a Linux keylogger and what modifications would be necessary to apply.
[Read more…]