Securence

17 May

Be safe from WannaCry

What’s the big deal?

Over the weekend of May 13-14, 2017, news broke of a new ransomware called WannaCry. This ransomware affected some large institutions.

WannaCry uses a vulnerability in Windows file sharing to spread from one infected computer to another. This vulnerability was discovered by the NSA and kept secret until someone hacked the NSA and eventually leaked the information publicly. The vulnerability was patched in Microsoft's March 14, 2017 software update, a month before the vulnerability was publicly exposed on April 14, 2017.

This exploit may be known by other names or be associated with some of the following terms:

  • MS17-010
  • EternalBlue
  • DoublePulsar
  • WannaCrypt
  • WanaCrypt0r 2.0
  • Wanna Decryptor

How do you protect your computers?

Patch your systems

The most important thing you can do to protect your systems from this infection is to update your Windows systems. A patch is available for all supported Windows operating systems as well as for these no-longer-supported Windows systems:

Run versioning backup software

Versioning backups are critical: if you only keep the most recent version of a file, your backup will be a copy of the already-encrypted file, which is not helpful. You must be able to restore a version from before the ransomware started encrypting files.


Are Securence Signatures up to date to block WannaCry?

Some intrusion detection systems have signatures for WannaCry, but there are no specific signatures for emails. So far, WannaCry spreads exclusively through SMB protocol attacks, not email. Future variants may use different vectors, as noted below.

How does Securence protect against WannaCry?

Securence uses multiple virus engines to identify malicious content in emails, and they are all automatically updated as quickly as the A/V vendor publishes new signatures. Unfortunately, A/V engines have recently been ineffective at identifying the newest phishing and ransomware messages. Securence has developed significant identification techniques to block these messages. Thousands of malware emails are blocked every day by these techniques.


If current or future WannaCry attacks are spread via email, they will likely use the same tactics as previous ransomware and viruses:

  • Attached executables
  • Zipped executables
  • Password protected zipped executables
  • Word macro viruses
  • Javascript attachments
  • Links in email bodies
  • Links in attachments
  • Many other methods

When they do, Securence is ready.
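The attachment tactics listed above can be checked mechanically at a mail gateway. The script below is an added example and is not Securence's own filtering code: it builds a constructed sample message in memory and flags attachments that match the listed patterns (attached executables, zipped executables, password-protected zipped executables, macro-enabled Office documents and JavaScript attachments). Link scanning is left out, and the extension sets and finding strings are the example's own choices.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Extension sets are this example's own choices, not a Securence list.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
SCRIPT_EXT = {".js", ".jse", ".vbs", ".wsf"}
MACRO_EXT = {".docm", ".xlsm", ".pptm"}


def file_ext(name):
    """Lower-cased extension including the dot, or '' when there is none."""
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect_zip(payload):
    """Findings for a zip payload: password-protected entries and executables inside."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(payload))
    except zipfile.BadZipFile:
        return ["zip: unreadable archive"]
    findings = []
    for info in zf.infolist():
        if info.flag_bits & 0x1:  # general-purpose flag bit 0: entry is encrypted
            findings.append(f"zip: password-protected entry {info.filename}")
        if file_ext(info.filename) in EXECUTABLE_EXT | SCRIPT_EXT:
            findings.append(f"zip: executable inside archive {info.filename}")
    return findings


def inspect_message(raw):
    """Walk a raw RFC 822 message and return one finding per suspicious attachment."""
    findings = []
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if part.get_content_maintype() == "multipart" or not name:
            continue
        ext = file_ext(name)
        payload = part.get_payload(decode=True) or b""
        if ext in EXECUTABLE_EXT:
            findings.append(f"attached executable {name}")
        elif ext in SCRIPT_EXT:
            findings.append(f"script attachment {name}")
        elif ext in MACRO_EXT:
            findings.append(f"macro-enabled document {name}")
        elif ext == ".zip" or payload.startswith(b"PK\x03\x04"):
            findings.extend(inspect_zip(payload))
    return findings


def constructed_zip(inner_name, encrypted=False):
    """In-memory zip holding one constructed file; optionally mark it encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"constructed placeholder, not a real program")
    data = buf.getvalue()
    if encrypted:
        # zipfile cannot write encrypted entries, so set the 'encrypted' bit in the
        # central directory record by hand (flags sit 8 bytes past its signature).
        i = data.find(b"PK\x01\x02")
        data = data[:i + 8] + b"\x01\x00" + data[i + 10:]
    return data


def constructed_sample():
    """A constructed phishing-style message carrying each attachment type."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    add = msg.add_attachment
    add(b"MZ placeholder", maintype="application", subtype="octet-stream", filename="invoice.exe")
    add(constructed_zip("invoice.exe"), maintype="application", subtype="zip", filename="invoice.zip")
    add(constructed_zip("scan.js", encrypted=True), maintype="application", subtype="zip", filename="scan.zip")
    add(b"PK placeholder", maintype="application", subtype="octet-stream", filename="order.docm")
    add(b"var a = 1;", maintype="application", subtype="javascript", filename="readme.js")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in inspect_message(constructed_sample()):
        print(finding)
```

The password-protected case is the one that defeats plain content scanning: the archive's file names and the encrypted flag are still readable in the clear, so a gateway can quarantine on that alone without ever decrypting the payload.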

28 Dec

SMTP Over TLS Certificate Chain

Securence uses DigiCert certificates; you will find additional details about their certificates here: https://www.digicert.com/digicert-root-certificates.htm

  • Root CA: DigiCert Global Root CA
    • Valid until: 10/Nov/2031
    • Serial number: 08:3B:E0:56:90:42:46:B1:A1:75:6A:C9:59:91:C7:4A
    • Thumbprint: A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
    • Key size: RSA 2048
  • Intermediate CA:
    • Valid until: 08/Mar/2023
    • Serial number: 01:FD:A3:EB:6E:CA:75:C8:88:43:8B:72:4B:CF:BC:91
    • Thumbprint: 1FB86B1168EC743154062E8C9CC5B171A4B7CCB4
    • Key size: RSA 2048
  • Securence certificate: *.securence.com
    • Serial number: 08:18:f7:4c:e4:de:12:ea:e9:de:fb:ea:20:3a:02:73
    • Signature algorithm: sha256WithRSAEncryption
    • Key size: RSA 2048

See also: SMTP over TLS supported cipher suites
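A mail administrator who wants to confirm that the chain a Securence server presents matches the values above needs two things: the thumbprint (SHA-1 over the DER encoding of the certificate, which is what the hex string above is) and the serial number. The script below is an added example, not Securence's or DigiCert's code. It decodes a PEM block such as the ones `openssl s_client -starttls smtp -showcerts` prints, computes the thumbprint, pulls the serial out of the DER with a minimal ASN.1 walker, and compares both against the pinned values copied from this post. The certificate at the bottom is constructed for the demo (it carries only a version and a serial, nothing else), so it matches on serial and deliberately fails on thumbprint.

```python
import base64
import hashlib

# Values copied from the post. The intermediate is listed there without a name.
PINNED = {
    "DigiCert Global Root CA": {
        "thumbprint": "A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436",
        "serial": "08:3B:E0:56:90:42:46:B1:A1:75:6A:C9:59:91:C7:4A",
    },
    "Intermediate CA": {
        "thumbprint": "1FB86B1168EC743154062E8C9CC5B171A4B7CCB4",
        "serial": "01:FD:A3:EB:6E:CA:75:C8:88:43:8B:72:4B:CF:BC:91",
    },
}


def pem_to_der(pem):
    """Decode one PEM certificate block (as printed by openssl -showcerts) to DER bytes."""
    body = [ln.strip() for ln in pem.splitlines() if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def thumbprint(der):
    """SHA-1 over the DER bytes, upper-case hex: the 'Thumbprint' shown in the post."""
    return hashlib.sha1(der).hexdigest().upper()


def read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next k bytes hold the length
        k = length & 0x7F
        length = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + length], pos + length


def serial_number(der):
    """Return the certificate serial as colon-separated hex, formatted like the post."""
    _, cert, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)          # tbsCertificate ::= SEQUENCE
    tag, value, nxt = read_tlv(tbs, 0)
    if tag == 0xA0:                        # optional [0] EXPLICIT version comes first
        tag, value, nxt = read_tlv(tbs, nxt)
    if tag != 0x02:                        # serialNumber ::= INTEGER
        raise ValueError("serialNumber INTEGER not found")
    return ":".join(f"{b:02X}" for b in value)


def check_pin(der, name, pinned=PINNED):
    """Compare thumbprint and serial of a DER certificate with the pinned entry for name."""
    expected = pinned[name]
    return {
        "thumbprint_ok": thumbprint(der) == expected["thumbprint"],
        "serial_ok": serial_number(der) == expected["serial"],
    }


def der_encode(tag, body):
    """Encode one DER element with a short or long definite length (demo helper)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def constructed_cert(serial_hex):
    """A constructed skeleton holding only version v3 and the given serial.
    It is not a valid X.509 certificate; it exists so the parser can be exercised offline."""
    serial = bytes.fromhex(serial_hex.replace(":", ""))
    version = der_encode(0xA0, der_encode(0x02, b"\x02"))
    tbs = der_encode(0x30, version + der_encode(0x02, serial))
    return der_encode(0x30, tbs)


if __name__ == "__main__":
    sample = constructed_cert(PINNED["DigiCert Global Root CA"]["serial"])
    print(serial_number(sample), thumbprint(sample))
    print(check_pin(sample, "DigiCert Global Root CA"))
```

Against a real chain, paste each `-----BEGIN CERTIFICATE-----` block from the openssl output into `pem_to_der` and run `check_pin` with the matching name; both flags should be true for the root and the intermediate, and a thumbprint mismatch is the signal worth investigating, since the serial alone can be copied into a rogue certificate while the thumbprint cannot.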

28 Dec

SMTP Over TLS Supported Cipher Suites

These are the cipher suites supported by Securence. When negotiating a cipher suite, the order below is the preferred order, most preferred first.

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  • SSL_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
  • SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  • SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  • TLS_EMPTY_RENEGOTIATION_INFO_SCSV
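A list this long is easier to judge once each name is broken into its parts (key exchange, cipher, mode, MAC). The script below is an added example and not Securence's code: it parses the standard suite names, flags the properties a defender looks at (no forward secrecy for static RSA and static ECDH exchanges, 3DES, CBC rather than AEAD, DSS authentication) and reports where the first AEAD suite sits in the preference order. The suite list is copied from this post; the issue labels are the example's own.

```python
import re
from collections import Counter

# Preference order copied from the post, most preferred first.
SECURENCE_ORDER = """
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_EMPTY_RENEGOTIATION_INFO_SCSV
""".split()

SUITE_RE = re.compile(
    r"^(?:TLS|SSL)_(?P<kx>ECDHE_ECDSA|ECDHE_RSA|ECDH_ECDSA|ECDH_RSA|DHE_RSA|DHE_DSS|RSA)"
    r"_WITH_(?P<cipher>AES_128|AES_256|3DES_EDE)_(?P<mode>GCM|CBC)_(?P<mac>SHA384|SHA256|SHA)$"
)


def classify(name):
    """Split a suite name into its parts and list the properties a defender cares about."""
    if name == "TLS_EMPTY_RENEGOTIATION_INFO_SCSV":
        # Signalling value for RFC 5746 secure renegotiation, not a real cipher suite.
        return {"suite": name, "signalling": True, "issues": []}
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised suite name: {name}")
    kx, cipher, mode, mac = m.group("kx", "cipher", "mode", "mac")
    forward_secret = kx.startswith(("ECDHE", "DHE"))   # ephemeral exchanges only
    issues = []
    if not forward_secret:
        issues.append("no forward secrecy")
    if cipher == "3DES_EDE":
        issues.append("3DES (64-bit block)")
    if mode == "CBC":
        issues.append("CBC, not AEAD")
    if kx == "DHE_DSS":
        issues.append("DSS authentication")
    return {"suite": name, "signalling": False, "kx": kx, "cipher": cipher,
            "mode": mode, "mac": mac, "forward_secret": forward_secret, "issues": issues}


def audit(order):
    """Summarise a preference list: issue counts and where the first AEAD suite sits."""
    parsed = [classify(n) for n in order]
    real = [p for p in parsed if not p["signalling"]]
    first_aead = next((i for i, p in enumerate(parsed) if not p["signalling"] and p["mode"] == "GCM"), None)
    first_cbc = next((i for i, p in enumerate(parsed) if not p["signalling"] and p["mode"] == "CBC"), None)
    return {
        "total": len(real),
        "clean": sum(1 for p in real if not p["issues"]),
        "issue_counts": Counter(i for p in real for i in p["issues"]),
        "first_aead_index": first_aead,
        "first_cbc_index": first_cbc,
        "cbc_preferred_over_aead": first_cbc is not None and first_aead is not None and first_cbc < first_aead,
    }


if __name__ == "__main__":
    for key, value in audit(SECURENCE_ORDER).items():
        print(f"{key}: {value}")
```

Run against the list above, the audit reports that the four CBC-SHA384 suites at the top rank ahead of the first GCM suite, that 21 of the 49 suites use a static RSA or static ECDH exchange with no forward secrecy, and that the seven 3DES suites sit at the bottom where they only matter for peers that offer nothing better. Opportunistic SMTP TLS keeps such fallbacks for compatibility with older mail servers; the audit makes that trade-off visible rather than implied.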


See also: SMTP over TLS Certificate Chain