Wannacry related interim timeline

Let me share a timeline I constructed regarding WannaCry during the last days. The interesting point I shared with some colleagues was that the infection vector of patient zero (or patients zero) has not yet been referenced or described.

15th February 2017 Microsoft cancels its monthly patching for that month

9th March 2017 Wikileaks press release regarding Vault7, "the largest-ever publication of confidential documents on the agency" according to Wikileaks.

14th March 2017 Microsoft publishes security update MS17-010 for SMB Server

14th April 2017 (according to https://www.wired.co.uk/article/nsa-hacking-tools-stolen-hackers) Equation Group (see https://en.wikipedia.org/wiki/Equation_Group) releases some exploits, EternalBlue among them. EternalBlue took advantage of the vulnerability that Microsoft patch MS17-010 fixed.

14th April 2017 Microsoft publishes its triage analysis of the exploits

15th April 2017 Security companies analyse the exploits. One example of the analysis of EternalBlue is the following:

15th April 2017 Some news sites start to wonder how the patch could exist before the release, e.g. https://arstechnica.com/security/2017/04/purported-shadow-brokers-0days-were-in-fact-killed-by-mysterious-patch/

12th May 2017 WannaCry appears in the wild

Some sources mention that the infection vector was a phishing email

However, there is no analysis yet of that phishing email, its attachment or its modus operandi in general.

Update 1: Response and proposals from Microsoft

Rocky days

Book Review: Bitcoin and other virtual currencies for the 21st Century by J. Anthony Malone

A very handy book to approach Bitcoin.

Let me try to share with you the main learning points I collected from this book. As always, here goes my personal disclaimer: the reading of this very personal and non-comprehensive summary by no means replaces the reading of the book it refers to; on the contrary, this post is an invitation to read the entire work.

The book starts first with the concept of money, how money was an innovation itself, the functions of money as a medium of exchange, a unit of account, a store of value, a deferred payment and a value measure. It also provides some insights on the history of money and how credit is older than cash and, finally, a key concept: the monopolistic role of the government in terms of currency issuance.

There are some hints in the book to consider Bitcoin a starting point to end the monopoly of central banks. It claims that the Bitcoin value scheme is inspired by the old gold standard. It is interesting to read the links that the author sees between the Austrian School of Economics and Bitcoin.

The point that Bitcoin does not have a centralised clearing house is certainly a key point in the book. It also mentions that the blockchain public ledger is the heart of the Bitcoin technology. It also mentions that Bitcoin is inflation-free (there is a fixed number of Bitcoins that can eventually be minted). The supply of Bitcoins does not depend on the monetary policy of a central authority. It also recalls the Keynesian line of thought on deflation and how it encourages individuals and businesses to save money.

To use Bitcoins, you just need a Bitcoin wallet and a Bitcoin address. Technically, Bitcoin currently has a transaction limit of 7 per second.

There is a section of the book on legal aspects of Bitcoin. Apparently virtual currencies do not have legal tender status in any jurisdiction. Bitcoin has the properties of a payment system, a currency and a commodity. There is still a bit of regulatory ambiguity in terms of Bitcoin. There are some appendixes in the book containing a very useful glossary of terms, legal guidance issued by FinCEN in the US, as well as by the US GAO (Accountability Office) and the Inland Revenue Service, some input from relevant regulators and legal documentation on different Bitcoin-related cases.

Happy growing!

Book Review: Bitcoin and Mobile Payments: Constructing a European Union Framework (Palgrave Studies in Financial Services Technology) edited by Gabriella Gimigliano

This book sheds some light on how Bitcoin and mobile payments interact with EU rules and regulations. A key point is certainly the PSD and PSD2 directives on payment services in the internal market.

Let me try to share with you the main learning points I collected from this book. As always, here goes my personal disclaimer: the reading of this very personal and non-comprehensive summary by no means replaces the reading of the book it refers to; on the contrary, this post is an invitation to read the entire work.

The book has been built into 4 parts:

- Institutional strategy and economic background
The institutional strategy can be an enabling factor for a sound growth of new instruments and certainly for the security of payments. The definition of an effective “cyber security strategy” at national and European level is one of the pillars of the creation of the “digital single market”. The financial services and the payment industry are an essential component. Certainly the role of SEPA (Single Euro Payment Area) is considered. Interestingly, Bitcoin is an alternative payment scheme without fiat or banking money. There is an interesting statement, “Bitcoin has a tendency to create an oligopoly in terms of miners”.

- The framework – a European outline and a comparison with other frameworks
There is a lack of specific regulations in terms of virtual currencies. Can they be considered payment instruments? What are they really? What is the role of self-regulation in all this? In Europe we see a technological fragmentation of the payment chain. It is still too early to know which path will be followed. Experts suggest an adaptation of the laws for newcomers such as bitcoin.

- Regulatory challenges (e.g. protection of customers’ funds, data integrity, soundness of payment and financial system, competitiveness of European market)
A basic requirement is to have adequate security that encourages the usability of the system. What happens when there is no central service provider? The increasingly stronger general rules for data protection in the EU will eventually require equally strong sector-based rules.
The legal situation of mobile payments regarding anti-money laundering is certain. That of virtual currencies is not.
Interesting detail: Bitcoin does not attract too many VAT complications within the EU.
For the time being, there is a lack of a fully implemented and integrated business model in the mobile payments ecosystem in Europe.

- Evolution of payment services
Only two sentences on this topic. Bitcoin is really a conceptual revolution, mobile payments are really an evolution.

Happy constructing!

Quick Book Review: Value Web by Chris Skinner

I thought I would share with my readers a selection of the points mentioned in the book (modest disclaimer: it is a non-comprehensive, and personal, quick summary that does not replace the reading of the book).

The book is titled "Value Web" by Chris Skinner.

- The author is an independent commentator in the financial industry.
- Summary in a sentence: There is a network transformation of how we exchange value.
- This network transformation is linked to our secure digital identities.
- The author also describes the blockchain technology as an authentication technology.
- He also touches upon the history of money and how farming created money as an instrument to keep value.
- A detail: It was China that invented paper-based money.
- An interesting thought: “Simplification comes from kids and complexity comes from incumbents”
- Clear statement: Banks don’t trust each other anymore.
- Interesting story of an attempt to regulate: https://en.wikipedia.org/wiki/BitLicense
- The author sees banks as value stores more than as money stores. His stance: value stores need regulation.
- Three different roles played by fintech players in the banking industry: wrappers, replacers and reformers (vis-à-vis traditional banking).
- How can free apps make money? By creating additional (not currently existing) value and by being relevant.
- The potential to re-invent banking (rather than to disrupt banking)
- However: Let’s be realistic. In the UK 62% of the population still prefers face to face in a branch as the channel to access bank services.
- Banks already require a digital core, a platform, so that channels are replaced by access. In the digital era, they talk about access (to that digital core) and not channels anymore.

The last part of the book includes interviews with key players in this field. My 2 cents: follow these three names on Twitter: @jonmatonis, @brockpierce and @chrislarsensf

Happy valueing!

Security sites to bookmark: fireeye, darkmatters.norsecorp and blueliv

New trends in security intelligence services

A traditional marketing element already present in most security providers' Internet presence is a blog on current topics of interest: a smart way to attract readers while announcing their added value as a security company.

This is the case of three international players. They are relatively new in this sector and they all combine technology solutions with intelligence services: they are FireEye, founded in 2004, Norse, created in 2010 and Blueliv, founded in 2009. The first two even team up together for customers as relevant as the US Department of Energy.

FireEye, the veteran in this field, is a company that quickly grasped, already in 2004, the relevance to the business world of advanced persistent threats (customised cyber attacks, at the end of the day). By the time these attacks were hitting the mass media news, they had already devised a product and a service to protect companies.

FireEye offers two blogs:

- ThreatResearch talks about current Internet threats. I recommend a visit to those who want to know about technical details of new malware campaigns and espionage operations that come to light.

- ExecutivePerspectives, less technical, is focused on business matters. It raises awareness among executive managers and budget decision-makers in terms of cyber (in)security.

Let's remember that in 2014 FireEye acquired Mandiant, the security consulting firm led by Richard Bejtlich.

Norse Corporation also offers both an appliance to install and security intelligence services to hire. In its blog it presents news related to current cyber attacks together with their executives' public appearances such as the ones from Sam Glines, Norse co-founder. It also provides a link to a colourful world map with current Internet attacks that seems to be updated in real time. A very effective way to amaze those who do not work in our sector.

An example of a typical blog post is the one showing the use of Splunk, the popular and successful log search engine, with their security intelligence data feed i.e. the product that provides the data presented in the attack map mentioned above.

Blueliv was founded by Daniel Solis. Its value proposition is innovative. Gartner mentioned it in 2015 as a "cool vendor". Its blog targets business people, researchers and industry practitioners. There are also some free resources ranging from datasheets to reports and videos. They also display an impressive cyber threat map.

In short, a visit to these three blogs could be a first step for those security professionals wishing to be introduced to the security intelligence services arena.

Happy security intelligence gathering!