Information Security Archives

Demystifying DMARC: A guide to preventing email spoofing

October 15, 2018June 15, 2018 by Sean Whalen

A screenshot of a premade aggreate/summary DMARC dashboard in ELK using data from pardeemarc

DMARC can stop spoofed spam and phishing from reaching you and your customers, protecting your information security and your brand. However, complexity and misconceptions deter many organizations from ever deploying it. Part mythbusting , part implementation guide, this post explains the shortcomings of SPF and DKIM, what DMARC is, how to deploy DMARC properly, and how to respond to DMARC reports – all without the need for an additional vendor, thanks to open source software!

Lessons Learned from the US Federal Government’s Ongoing Deployment of SPF and DMARC

March 2, 2018January 1, 2018 by Sean Whalen

Two soldiers process mail in a US Army Forward Operating Base Mailroom

SPF and DMARC are standards that describe how the origins of email messages should be verified, to prevent email spoofing. I spent some free time over the past few weeks creating checkdmarc , a Python 3 module and command-line interface that can validate and troubleshoot SPF and DMARC records across multiple domains, with the intent of building it into a web application that will process DMARC reports. The Department of Homeland Security recently launched an initiative to deploy SPF, DMARC, and other best practices on most federal agency domains by issuing BOD 18-01. This created the perfect case study of common challenges and mistakes when deploying SPF and DMARC across very large organizations, and even a few small ones.

2018-01-30 update: I have made many improvements to my script, corrected a few of my own misconceptions about DMARC I had in this post, and switched to updated results from 2018-01-28.

How to install YARA and write basic YARA rules to identify malware

June 29, 2017June 15, 2017 by Sean Whalen

A screenshot of a YARA rule with syntax highlighting

YARA is described as “The pattern matching Swiss knife for malware researchers (and everyone else)”. Think of it as like grep, but instead of matching based on one pattern, YARA matches based on a set of rules, with each rule capable of containing multiple patterns, and complex condition logic for further refining matches. It’s a very useful tool. Let’s go over some practical examples of how to use it.

WannaCry ransomware analysis: Samples date back to at least early February 2017

May 19, 2017May 18, 2017 by Sean Whalen

VirusTotal results showing the earliest observed sample of Wannacry ransomware

The WannaCry ransomware worm has spread panic and destruction as it infects hundreds of thousands of systems around the world; a rate not seen since the Blaster and Sasser worms of 2003. WannaCry — also known as WannaCrypt, WannaCryptor, WanaCrypt0r, WCry, or WCrypt — leverages vulnerabilities that Microsoft patched in the March MS17-010 Security Bulletin, after taking the unprecedented step of canceling the February Patch Tuesday.

While collecting samples of WannaCry, I found a sample that predates the worm version. The sample was compiled on February 9th, and uploaded to VirusTotal on February 10th. While compile timestamps can be faked, the closeness to the upload date suggests that the compilation timestamp is legitimate.

Google Pixel phones can be unlocked with a recording of a trusted voice by default

October 24, 2016October 23, 2016 by Sean Whalen

user manually enables "Ok Google" Trusted Voice

The headline feature of the new Google Pixel phones is deep integration between the operating system and the Google Assistant AI. By default, the Google Assistant can be activated even when the phone is locked and the display is off, if the device hears the trusted voice say the hot word, “Ok Google”. This also has the effect of unlocking the device, meaning that anyone with a recording of the trusted voice saying “Ok Google” — or even someone with a similar voice — can easily unlock the device.

PSA: The latest Google Chrome release trips EMET’s EAF+ mitigation

September 18, 2016September 9, 2016 by Sean Whalen

A screenshot of the EAF+ error generateted W=by the latest Google Chrome release when used with the defualt EMET config

When Google Chrome updated to 53.0.2785.101 on my Windows systems, I encountered an onslaught of alerts from EMET, which was killing chrome.exe processes for EAF+ violations as fast as Chrome kept trying to spawn them (each tab in Chrome is a separate process). Luckily, this problem is easily fixable.

HHS: Ransomware encryption of ePHI is a HIPAA breach

September 4, 2016August 23, 2016 by Sean Whalen

Colorful shelves of paperrecords at a dental clinic Credit: Tom Magliery License: CC BY-NC-SA 2.0

As a growing number of medical facilities are struck by ransomware, the US Department of Health and Human Services (HHS) has published a fact sheet describing how businesses that process electronic Protected Health Information (ePHI) should defend against and respond to ransomware.

Prevent ransomware from succeeding with strategic defense-in-depth

September 4, 2016August 22, 2016 by Sean Whalen

Thoughtfully placed countermeasures can prevent ransomware like Petya, shown in this screenshot

Ransomware has become the weapon of choice for financially motivated cybercriminals. Individuals, hospitals, businesses, schools, police departments, and government agencies have all been victims of highly disruptive ransomware, resulting in ransom payments totaling at least $24 million in 2015, according to the DoJ and DHS. It doesn’t take much to start a ransomware campaign, and the returns can be extremely high. Fortunately, the steps to prevent ransomware from succeeding are equally simple and low cost.

DoJ v. Apple: It’s all about the precedent

August 6, 2016March 21, 2016 by Sean Whalen

a battle for encryption privacy and secrecy has crecent;y meen highlighted in a series of DoJ v. Apple

By now, you’ve probably heard something about the ongoing legal battle between Apple and the Department of Justice. “DoJ v. Apple” coverage has been abundant, on blogs and TV news shows alike, but in case you haven’t here’s a quick recap. The FBI obtained the work iPhone of Syed Rizwan Farook, who, along with his wife Tashfeen Malik, murdered 14 people in a shooting rampage at a holiday party in San Bernardino, California. The government suspects that iPhone may hold critical information about the couple’s contacts in the weeks leading up to the attacks – contacts that may uncover future plots. They have a warrant, but they can’t access the data on the phone because it is using the strong encryption that comes with iOS 9 and up. Not even Apple can bypass the encryption, at least directly.