Tag Archives: Ransomware

The Holistic Z: Selective Encryption gives way to “At-Rest” & “In-Flight” Data Protection with Pervasive Encryption

IBM Z encryption moves the market from a selective encryption model to one that is pervasive. This represents a significant modification in the basic structure of computing and its effect on security will, in my opinion, have a major disruptive effect.

The overall concept is to not introduce a decision layer that says what will or will not be encrypted. Instead, it will be possible to have encryption be part of normal processing. The removal of the decision for selective encryption is a further saving in the overall cost and a reduction in the difficulty in using encryption in the current market.

The Holistic Z

The new IBM Z provides a bullet-proof platform for digital transformation, a base for strong cloud infrastructure (fortified clouds, which can be open, private, public, and hybrid), and allows back-end services to be securely exposed through secure APIs.

IBM have put security at the core of the new platform with “Pervasive Encryption as the new standardAnalytics & Machine Learning for Continuous Intelligence Across the Enterprise, and Open Enterprise Cloud to Extend, Connect and Innovate”.

The Z is arguably more powerful, more open, and more secure than any other commercial offering and makes serious moves in the rapidly evolving domains of Machine Learning, Cloud and Blockchain.

Positive Disruption with Pervasive Encryption 

But for me the focus of my interest comes back to Pervasive Encryption. The Z (“Zero Downtime“) appeals to many, on many different levels but for me it is Pervasive Encryption that piques my interest.

It is a seismic shift and legitimately makes the z14 the go-to platform for organisations who can afford their own and the Cloud platform of choice for those who cannot. The z14 mainframe has a tried-and-true architecture and excels with security features that are built into the hardware, firmware, and operating systems.


True Cost & Performance Mitigation 

The largest barrier to doing full-scale encryption has been the cost of the encryption and the performance load that such activity puts on the computing platform.

Bolted-on solutions that are being deployed have caused system capacity to grow such that there are loads of up to 61% of the system load that is being consumed by security processes. This translates into significant infrastructure costs and performance drags.

Even without the newest advances the Z architecture delivered encryption (selective encryption) more efficiently and with a lower resource expenditure than other platforms.

It delivers over 8.5 times the security protection, at 93% less cost in overall expenditure, and with 81% less effort. The full impact of the faster encryption engine and the ability to encrypt information in bulk on the z14 creates a fully pervasive solution that runs more than 18.4 times faster and at only 5% of the cost of other solutions.

The Threat Landscape & GDPR Compliance 

IBM Z pervasive encryption provides the comprehensive data protection that organizations, customers, and the threat landscape demand.

Here are some stats on that threat landscape:

  1. Nearly 5.5 million records are stolen per day, 230,367 per hour and 3,839 per minute (Source:http://breachlevelindex.com/);
  2. Of the 9 Billion records breached since 2013 only 4% were encrypted (Source: http://breachlevelindex.com/);
  3. 26% is the likelihood of an organization having a data breach in the next 24 months(Source: https://www.ibm.com/security/infographics/data-breach/) ;
  4. The greatest security mistake organizations make is failing to protect their networks and data from internal threats. (Source:https://digitalguardian.com/blog/expert-guide-securing-sensitive-data-34-experts-reveal-biggest-mistakes-companies-make-data)

By placing the security controls on the data itself, the IBM solution creates an envelope of protection around the data on Z.


Extracts, Source Material, References, & Acknowledgements to IBM Z Systems, IBM Security, IBM Systems, IBM Systems Social Program, and Solitaire Interglobal Limited.  

Building A Global Nation State SMB Exploit Honeypot Infrastructure With A £50 Budget #EternalPot

Note to post: All words, IP ownership, analysis, opinions, data, graphs et al are the property of Kevin Beaumont and where altered and extracted are done so remaining true to the original meaning / assertions. From and article by “Kevin Beaumont InfoSec, from the trenches of reality. Email kevin.beaumont@gmail.com | Twitter: @gossithedog on Twitter” titled “EternalPot — Lessons from building a global Nation State SMB exploit honeypot infrastructure” athttps://doublepulsar.com/eternalpot-lessons-from-building-a-global-nation-state-smb-exploit-honeypot-infrastructure-3f2a0b064ffe

Worthy of note before beginning to read this beauty – Mr. Beaumont predicted that this would happen back in April 2017:

Now over to the expert ….

Extracts BEGIN (again full original article here

A week ago I started building #EternalPot, a honeypot for the Equation Group SMB exploits leaked by the Shadow Brokers last month.” (May 2017) – “My entire budget for one of this is £50, as I self fund all my InfoSec research — I work for a company that makes crab paste, so everything is done outside of work, on my own time. I highly recommend working InfoSec for a company where the CapEx tap is turned off temporarily, by the way, as you’ll find out how skilled your workforce are and you’ll get back to the most important part of InfoSec: the basics. Build simple solutions, always…..



There has been a lot of vendor and press coverage of WannaCry which has been inaccurate. Despite what has been said, WannaCry was not spread via phishing or email — in fact, it was an SMB worm. Seeing a constant stream of misinformation from InfoSec vendors still around this has been depressing — it still continues to this day, long since the major players and initial victims walked back the email line…..



The EternalPot data has shown advanced attacks, multiple coin miners, remote access trojans and lateral movement attempts into corporate networks — all via the Windows SMBv1 service. One of the exploits — EternalBlue — was used by the WannaCry ransomware spreader…..



As you can see pre-WannaCry (refer to diagram in article and below), these SMB attacks were almost non-existent. It’s an SMB worm like the ones from the prior decade. Another angle to the press coverage was Windows XP being impacted — in fact, an entire weekend of UK mainstream media and political commentary ran about this. While SMBv1 has serious issues on Windows XP and 2003 (and on later OSes!) and should be patched and firewalled (aka disabled), the reality was the WannaCry spreader didn’t work on Windows XP SP3…..




All the WannaCry samples seen so far — thousands delivered in real world honeypots — have two factors:

  1. They are one of two corrupt versions, where they spread but fail to execute ransomware as the PE headers are corrupt.
  2. They contain working killswitches.

If you’re pondering why WannaCry seemed to disappear almost completely, here we are. The authors simply disappeared. The Tor payment pages don’t even exist now. We owe MalwareTech more than pizza…..



Another angle to the press coverage was Windows XP being impacted — in fact, an entire weekend of UK mainstream media and political commentary ran about this. While SMBv1 has serious issues on Windows XP and 2003 (and on later OSes!) and should be patched and firewalled (aka disabled), the reality was the WannaCry spreader didn’t work on Windows XP SP3. Here’s Kaspersky’s graph of infected operating systems…..




One thing I will say — I don’t want to name the vendors, but some of the biggest next-generation security productssimply aren’t detecting SMB attacks nearly well enough. Malware regularly infects these systems, and they have to be reimaged as a result. It is amazing seeing next gen, premium tools with machine learning etc running Coin Miners andremote access trojans delivered via old exploits, with the tools not even noticing. It has been very eye opening for me. The marketing to reality Venn diagram here isn’t so Venn. At times it is so bad it is actually jaw dropping seeing certain attacks not being detected…..

Extracts END (again full original article here