You won’t get in unless you’re on the list
In a later presentation, ThreatLocker Senior Solutions Engineer Collin Ellis took a deeper dive into allowlisting and went through the history of access control, going all the way back to Multics in the mid-1960s. Since then, he said, access control has become more tangled and complex, with Unix, Windows NT, Linux, Windows Vista and different versions of MacOS each introducing new mechanisms, most of which are still in use.

Application whitelisting cuts through the access-control clutter, Ellis said. “Deny everything that’s unnecessary,” he said. “You block it right at the door.”

That doesn’t mean allowlisting is easy to implement, Ellis admitted. Many organizations have several different versions of Windows or MacOS running at any given time, and allowlisting can be adjusted to be permissive, strict or somewhere in between. Hasty implementation will likely break things.

That’s why ThreatLocker’s Allowlisting starts off with an observational period of a few weeks, watching and learning about the client organization’s software environment without making any changes. “We start learning about what’s running as soon as we deploy,” said Ellis. “It doesn’t block anything at first.”

Once the software is ready to block unauthorized applications, he said, it can simulate group policy changes before implementing them to make sure nothing breaks. Likewise, ThreatLocker has a test environment where it can run sandboxed applications before granting approval after an end-user request. “End users are the reason we have jobs,” Ellis quipped.

In another session, ThreatLocker Special Projects Engineer Adam Fuller discussed optimizing Microsoft 365 configurations for maximum security, using both Microsoft’s own tools and ThreatLocker Cloud Control and Cloud Detect.

And Seamus Lennon, ThreatLocker VP of Operations EMEA, described how ThreatLocker’s platform works alongside the MITRE ATT&CK frameworks. He noted that ThreatLocker’s Detect endpoint software has more than 400 direct mappings to MITRE ATT&CK tactics, techniques and procedures (TTPs).
Managing PCs down to the firmware
One of the more interesting product walkthroughs by companies not named ThreatLocker came from Rob Inman, Director of Products at Phoenix Technologies, which has been developing BIOSes for PCs for more than 40 years.

Phoenix’s latest innovation is BIOS-management software called FirmGuard, which installs an agent on endpoints and lets an administrator oversee the BIOSes on a fleet of PCs using a web-based interface. “Having to update BIOSes manually just doesn’t make sense in a large organization,” Inman said. “You’d have to go to each and every machine.”

Using the interface, a systems administrator can select individual machines, change their BIOS settings and reboot the machines immediately or later. The software can also disable input devices or USB ports globally or one by one.

Other features include a secure wipe that remotely erases hard drives, both spinning and solid-state, using various standards. Once the wipe is done, the software generates a Certificate of Erasure that the client can present to auditors or regulators.

There’s also a secure-update process that uses the PC manufacturer’s own BIOS and update mechanism. The interface can batch-update machines, even those from different manufacturers.

An audience member raised his hand, said he’d been locked out of the BIOS on his Lenovo machine, and asked if Inman had a backdoor code he could use. “I didn’t bring it with me,” he answered with a smile.
The lighter side of ransomware
Peak presenter energy was reached Thursday afternoon by antivirus veteran and current Smashing Security podcast host Graham Cluley, who flew in from England to deliver a hilarious half-hour session on what he called “The Crazy World of Ransomware.”

“Ransomware is probably the most damaging type of malware today,” Cluley said. “But it’s not a new problem.”

The first known instance of ransomware, he said, was the AIDS Trojan that was delivered on 5.25-inch floppy disks in 1989 and infected DOS-based PCs. Mailed out to 20,000 people who had attended a health conference in Stockholm, the software provided information on the user’s potential exposure to the AIDS virus, and it behaved normally for nearly 90 power cycles.

On the 90th reboot, however, the computer’s screen would go red and demand that $189 for a software license be mailed to a P.O. box in Panama. (To be fair, this “contract” was in the fine-print documentation that came with the floppy disk.) If the “license” was not bought, the computer’s files would be forever inaccessible.

The ransomware’s author and distributor turned out to be Dr. Joseph Popp, an American evolutionary biologist. Brought to trial in the U.K., Popp was declared mentally unfit to stand trial and released by the judge after he came to court wearing a cardboard box on his head to block radiation. Popp later created a butterfly sanctuary in upstate New York.

But, as Cluley pointed out, Popp may not have been that crazy. He did write the ransomware (which turned out to be easy to reverse), purchase the floppy disks in bulk, print out the labels and lick the stamps for the envelopes.

Most ransomware since then has demanded ransom money, Cluley said, but not always.

The “Rensenware” ransomware of 2017 demanded that the victim score a nearly impossible 200 million points in the Japanese shooter video game Unidentified Fantastic Object (not included). The ransomware’s creator, Cluley said, was a bored Korean student who, after distributing the malware, accidentally infected his own PC and couldn’t get to 200 million points in the game. So he hacked the game to post a fake high score, then put the workaround on GitHub along with an apology.

In 2022, the “GoodWill” ransomware asked that the victim perform and document three acts of kindness: give clothing or blankets to homeless people, take five poor children to a restaurant and give money to indigent patients at hospitals. Each act had to be recorded on video and posted online. “So you don’t just need to protect your devices and make backups to avoid ransomware,” joked Cluley. “You need a storeroom of clothing.”

It’s not clear how many people were hit by the GoodWill ransomware, but it turned out to be a variant of an open-source pen-testing program called “Jasmin” that demanded the same “ransom” as a possible joke. As with Jasmin, the files locked up by GoodWill could be decrypted using the infected PC’s host name.

Finally, there was the Koolova ransomware, released around Christmastime in 2016. Perhaps as another gesture of goodwill, Koolova demanded that you read (or at least browse to) two online articles about ransomware, one on a Google blog and the other on Bleeping Computer. You had to do that within 10 minutes to get the decryption key. Otherwise, the ransom screen warned, the files would be deleted.

Despite such hijinks, Cluley concluded, it’s no laughing matter: “Ransomware has managed to monetize malware like nothing we’ve seen before.”