Recent Posts

Mar 17, 2020 6:00:00 AM

Maze Ransomware Now Available for Attack Simulation

Remote Work and Increased Cyberattacks While the world implements social distancing and turns its eyes toward the internet in search of the latest news on the COVID-19 pandemic, hackers are seizing the opportunity and increasing phishing campaigns and other cyberattacks.

Topics: ransomware

Jan 8, 2020 6:00:00 AM

Denial and Disruption: Potential Iranian Retaliation

Drone Strike Prompts Vow of Retaliation from Iran On January 3rd, a targeted drone strike by the U.S. killed Qasem Soleimani, the commander of the Iranian Quds Force responsible for clandestine operations and support for non-state actors in the middle east. Iran has vowed “revenge” for this action, and the last two decades have shown us that state actors have not restricted cyber operations to military or government targets. In addition to whatever kinetic actions Iran might take, the consequences of the strike will almost certainly include a cyber element.

Jan 7, 2020 6:15:00 AM

Threat Runner Update: Ryuk Ransomware Simulation Now Available

You may have heard that employees of the City of New Orleans were alarmed a few weeks ago by a booming voice on the overhead speaker system of City Hall. The voice was notifying them to unplug and disconnect all devices, including cell phones. The City later discovered it had suffered a ransomware attack, becoming one of many recent victims of Ryuk. 

Topics: ransomware, threat runner

Nov 4, 2019 1:49:36 PM

Is Your Google Chrome Browser Up-to-Date?

Late last week, Google announced an urgent Google Chrome browser update (78.0.3904.87) for Windows, Mac, and Linux platforms. The update includes security fixes for two identified vulnerabilities within the current Chrome browser. Very little information about the two vulnerabilities has been released at this time; however, Google noted that one of the exploits is actively being exploited “in the wild”.

Topics: Vulnerabilities

Jul 1, 2019 2:21:39 PM

DEF CON 27 Workshop Preview: Intro to Reverse Engineering with Ghidra

Software reverse engineering is an intimidatingly technical skill to pick up. The goal is to accomplish something that, by the design of how software is built, isn’t meant to be done. Introductory courses on programming that teach “compiled” languages, such as C, often describe the compilation process that builds a program from source code as being “one way”. To learn how we can answer questions about malicious software and vulnerabilities in widely-used programs requires the study of complex tools, computer architecture, and methodology.

Topics: DEF CON, Reverse Engineering, Ghidra

Apr 4, 2019 10:00:00 AM

A Ghidra Explainer

On March 5th, the National Security Agency officially released Ghidra, a software suite that the NSA hopes will help cybersecurity professionals “make the cybersecurity of our great nation BETTER”. With the attention this drew at the RSA Conference, it caught the attention of technology news outlets and a broad range of individuals and organizations interested in security. While the release of this software is high-profile, the use of it is specialized, so there are far more people asking questions about it right now than those that have answers. The purpose of this post is to provide IT security stakeholders with an “explainer” on Ghidra and the implications of this release.

Topics: Malware, Reverse Engineering, Ghidra

Dec 5, 2018 9:14:54 AM

'Tis the Season for Cybercrime

Cybercriminals take advantage of events and occasions that give their targets a sense of urgency. The end-of-year holiday season combines an unbalanced shortage of staff through the month of December with a rush to complete work before the year’s end, and the personal obligations of individual staff. The heightened level of stress and impending deadlines will cause otherwise-vigilant employees to miss attacks and scams this time of the year. Criminals will take advantage of the chaos.

Topics: Attack Surface

Oct 10, 2018 10:00:00 AM

Fear and Prosecution in Ransomware Operations

When a new ransomware variant reveals itself, there's an intense effort put towards reverse engineering the malicious software ("malware"). As I've discussed previously, reverse engineering is the process of analyzing software to determine its capabilities, how it works, and the design decisions that went into its creation. This process allows for quick identification of "indicators of compromise", unique changes made to the infected system by the malicious software. These indicators can be used to detect the presence of ransomware on systems, ideally before it has a negative impact on your network.

Topics: ransomware, Attack Surface, Reverse Engineering

Feb 12, 2018 4:34:11 PM

The New Theft: Drive-By Cryptocurrency Mining

You may be able to wrap your head around the concept of a cybercriminal stealing money from your bank accounts, or monetizing your customers’ personal financial information, but have you considered that an attacker might be able to steal money from you through your utility bill, and maintenance budget for computer hardware? Cryptocurrency mining through malicious advertising on popular sites like YouTube is the new theft and could put your organization's bottom line at risk.

Topics: Penetration Testing, cybersecurity, advanced penetration testing, incident response, Malware, Attack Surface

Oct 16, 2017 9:45:25 AM

Impact and Mitigation of the KRACK WiFi Vulnerability

A vulnerability has been disclosed in the most popular and recommended security protocol for WiFi networks: WPA2. The weaknesses, discovered and documented by Mathy Vanhoef, may change the way your organization uses wireless until vendor patches are available. The purpose of this post is to discuss the potential impact on your organization and discuss how you can layer security around protocol weaknesses such as this one.

Topics: Attack Surface, KRACK

May 24, 2017 9:03:00 AM

The Fear of a Zero Day

Recently, the security community has been enthralled—simultaneously terrified and fascinated—with a set of new attack tools that have leaked. Within this set, a number of tools were designed to exploit “zero day” vulnerabilities for the Windows operating system. For this week’s blog, I’ll try to shed some light on what this jargon means, why “zero day” bugs are feared by some, and why you won’t need to panic.

Topics: Attack Surface, WannaCry, Zero Day

May 16, 2017 2:10:05 PM

Ransomware Worms Force Your Hand: Patch or Layer Security

Friday, May 12th, the “WannaCry” network worm joined the ranks of Conficker and Code Red. It’s infected tens of thousands of systems worldwide, and climbing. Among those victimized were England’s National Health Service, automobile manufacturers, and government systems. The worm’s ominous red ransom screen, informing the user that all files have been encrypted, was found not only on users’ desktops, but also on ATM screens, parking meters, digital billboards, and industrial control systems interfaces.

Topics: ransomware, Attack Surface, WannaCry

Jan 10, 2017 9:07:34 AM

A Dangerous Shift in Ransomware Targeting

There’s good news for commentators that really “phoned it in” on their 2017 predictions: ransomware is becoming even more of problem. While you’ll be hard pressed to find analysts who thought otherwise, the reason that malware has become more dangerous may be less obvious to those not in the trenches. It’s time to put the forecasts for 2017 aside and start looking at the reality of what’s being perpetrated against the victims of cybercrime this year.

Topics: cybersecurity, ransomware

Dec 29, 2016 3:31:39 PM

Malware Removal Software Company Identified as Acting on the Behalf of Russia: What Does it Mean for You?

President Obama issued an executive order recently in response to address Russia’s cyberattacks against the United States. There are sanctions against Russian individuals and entities, and a number of Russian diplomats have been ordered to leave the US within 72 hours. This order is representative of the huge impact that cyber security has on international relations, but less immediately apparent are the implications this has for businesses and individuals.

Dec 1, 2016 10:01:00 AM

Compliance Alone Won’t Save You: The Next Attack Will Hit Harder Than the Last

This past weekend, the San Francisco Municipal Transportation Authority (SFMTA) was hit with a ransomware attack that left it unable to process payments for rides. The SFMTA was forced to continue providing service, for free, as they repaired the systems that were damaged in the attack. Even in an incident where the ransomware author was not successful in extorting a payment, the financial impact on the victim can be significant.

Topics: cybersecurity, cyber risk

Sep 27, 2016 8:39:21 AM

Four More Years and Four Hundred Pounds of “You’re On Your Own”

Last night at Hofstra University, at the first of three scheduled presidential debates in 2016, Lester Holt introduced a segment of questions on “Securing America”. While as an avid consumer of the news, I was determined to watch the entire debate, this segment engaged my personal and professional interests. Holt went right to the point of cyber security, a “21st century war happening every day”, and I was eager for a glimpse at the candidates’ vision of how the nation can protect its own secrets, as well as the operations of businesses, over the next four years. In my analysis, regardless of what the nation decides on November 8th, the message to American business is the same: “You’re on your own”.

Topics: cybersecurity, politics, information security, debate

Sep 6, 2016 10:00:00 AM

Lessons Learned from Exploiting IoT in the Enterprise

Over the past year, the HORNE Cyber penetration testing team conducted advanced penetration tests of organizations in many different sectors: from healthcare, financial services, and manufacturing to food production and retail. A constant theme across every tested organization was the proliferation of IoT devices that allowed our team members to infiltrate, observe, and move around target networks.

Topics: Penetration Testing, IoT Security, IoT

Aug 15, 2016 11:22:51 AM

Delta Airlines and the Security of Critical Infrastructure

Last week, I had the pleasure of joining Elizabeth Wharton on her radio show, Buzz Off with Lawyer Liz, to talk about the security of critical infrastructure, specifically as it relates to the significant downtime Delta Airlines experienced last week. Liz had asked me to be a guest on the show for a couple of reasons: the research I have been involved with with regards to critical infrastructure security and my personal connection to last week's incident.

Topics: Penetration Testing, cybersecurity, critical infrastructure

Aug 4, 2016 10:00:00 AM

Secure Penetration Testing Operations

Just a few months ago, my team found the back door of a network left open by a previous penetration tester for one of our clients. Unfortunately for this client, they thought they were taking the necessary steps to protect their data, but they learned a valuable lesson: not all penetration testers are created equal.

Topics: Penetration Testing

Jul 19, 2016 10:30:00 PM

Highlights of DEF CON 24

After last week’s blog covering the upcoming presentations at Black Hat USA, I had a number of requests for our take on the DEF CON 24 schedule (immediately following Black Hat, August 4-7). While I encourage you to attend my talk, Secure Penetration Testing Operations: Demonstrated Weaknesses in Learning Material and Tools on August 6 at 11 a.m., here are some of the other presentations our team is excited about attending:

Jul 13, 2016 12:00:00 PM

6 Talks We’re Looking Forward to at Black Hat USA

A number of us at HORNE Cyber are attending Black Hat USA's briefings on August 3rd and 4th. I am looking forward to sharing my work on conducting more secure penetration testing operations on August 3rd at 1:50PM.

Topics: cybersecurity

Jun 21, 2016 1:00:00 PM

Rising to the Challenge of Pen Testing ICS

Many organizations, including portions of our national critical infrastructure, rely on industrial control systems (ICS) and supervisory control and data acquisition systems (SCADA) to automate critical processes. This includes manufacturing, water treatment, power generation and distribution, and transportation. These systems present unique challenges to teams that perform penetration testing on them. While it is clear that these systems should be tested for security flaws, public and personnel safety must take priority, and continuity of service must be considered for critical systems.

Topics: Industrial Control Systems

May 24, 2016 10:00:00 AM

Immediate Crisis in Healthcare Information Security

After reading the Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data, the overwhelming themes of the study were clear to me: Breaches are so common that no healthcare provider is safe, and almost every patient will eventually become a victim as well. I’ve put together some of my thoughts on the data presented by this study in this post.

Topics: healthcare security

May 17, 2016 10:00:00 AM

When Your "Insider Threat" Isn’t an Insider

A classic urban legend and horror movie trope involves the hapless victim being repeatedly terrorized by creepy and threatening phone calls. When the police are called, they begin to trace the calls. Later, after continued harassment the police call back and tell the victim, “We’ve traced the call! It’s coming from inside the house!” On your network, the attacker is likely to be able to get a foothold “inside the house” as well.

Topics: Insider Threats

May 5, 2016 10:00:00 AM

HORNE Cyber at Black Hat USA 2016

Wednesday evening, I was notified that my proposal for a talk at the Black Hat USA 2016 Briefings (August 3rd and 4th) was accepted by the review board, composed of professionals in the information security industry. Black Hat USA is one of the highest-profile events in information security, and a great venue for presenting the latest vendor-neutral research and trends. I feel honored to have a panel of peers select my talk out of the many submissions they receive.