
Security alerts

Very Creative Phishing Attack

It all starts with a calendar invite, but there is a setup. The con is that your bank account has been compromised and you need to fix it.

The attack starts with an email titled something like “Fraud Detection from Message Center”. This part of the attack uses a real but compromised Office 365 account, so the message passes legitimate email authentication checks such as DKIM and SPF.

The invite is hosted on the real Office 365 and contains a link. Clicking on the link causes another relatively simple document to open with another link.

Since hackers are equal opportunity crooks, when the user clicks on this link, they are taken to a phishing site hosted at Google, where they are presented with a very convincing copy of a Wells Fargo page.

The user is then prompted for the login information, PIN, various account number details and email credentials.

Assuming the user falls for all of this, they are then redirected to the legitimate Wells Fargo login page, designed to make the user think the account has been secured, when in fact the user has just handed the hacker the keys to the cookie jar. And likely all of his or her money.

According to the security vendor (Cofense), this is not the first time that hackers have used Google’s infrastructure to host malware. Credit: SC Magazine

So what should you be doing?

Education. Education. Education.

Anti-phishing training should be a requirement at all companies and for all employees. At the low end there is free training, but for most companies, there is a moderate cost solution that is highly effective.

Some companies send the same phishing email to everyone, maybe once a quarter. That is not an effective approach to train employees. The program needs to be much more active in order to be effective.

As you can see from the sophistication of the attack above, the hackers are working overtime to steal your money.

You need to work equally hard to protect it.

If you need help with your anti-phishing training, please contact us.

Don’t Want to Use Two Factor Authentication? You Might Want to Rethink that Decision

So you think two factor authentication is a pain?

Well it can be.

But let me suggest that that decision can be a really bad idea, and here is why.

Hackers are using two factor to BLOCK your ability to recover your account if it is hacked. This is already happening.

Here is how it works.

Hackers compromise an account. That could be done via credential stuffing (trying passwords leaked from other breaches) or any number of other methods.

Then the hackers turn on multifactor authentication and point it at a phone or email address the hackers control.

Once you realize that your account has been compromised, you contact the provider. The web site says it will send a proof-of-ownership code to the phone or email registered to the account. Which is now in the hands of the hacker.

At least some sites are saying tough luck. You are welcome to create a new account, but of course, you will lose all your data and in the meantime, if the hacker wants to extort you, they can put whatever THEY want on, say, what used to be your social media account. And there isn’t much that you can do. That could be any sort of nasty, reputation damaging stuff. And you have no way to tell visitors that it isn’t you.

You can sue the web site in court. Good luck with that one. In 2022.

In one case we just heard about, the hacker used a stolen Xbox account to buy games with the former owner’s credit card. You can, of course, cancel the card if you think of it, but that is a pain.

Some sites will allow you to regain control. It may require that you send them copies of your identity documents. Assuming that the hacker didn’t change that information on your account after it was hacked. That can take a week or more. Depending on what the account is used for, well, that could be a problem in and of itself.

Bottom line – reconsider whether two factor authentication is really that much of a bother. Consider the alternative. Credit: Brian Krebs

Chinese Bank Forced Western Companies to Install Malware

Security firm Trustwave has discovered malware-laced tax software on the networks of two of its Western customers after they opened offices in China.

The bank said the software was required to pay local taxes. In fact, the software did perform that function.

Trustwave calls this malware GoldenSpy and said that it installed a backdoor on its clients’ computers. The backdoor allowed the Chinese to connect to the computer, install other malware and run Windows commands.

GoldenSpy installs two copies of itself and will automatically reinstall itself if one of the copies is discovered. It also has other self-protection measures.

It also waits two hours after the tax software is installed before silently installing the backdoors.

There is no way to prove how the malware got there, but given that the victims are Western companies operating in China, you can draw your own conclusions. Credit: ZDNet

Okay, so what does this mean?

It is not completely clear, but certainly it raises some questions.

Assuming you are not doing business in China, should you worry?

There is nothing special about the technique used and, in fact, the NSA is reported to have used it against folks that they want to monitor.

The technique could be used by

  • Competitors
  • Hackers
  • Nation state actors
  • and probably a host of others

Since *you* installed the software voluntarily, most of the security controls in your system will not detect it.

We have seen a number of attacks like this over the years. Sometimes hackers compromise a developer’s computer and insert the malware there. That way, when the code gets checked in and compiled, the malware is not detected.

But that is only one way the malware can get there.

Traditional anti-virus/anti-malware software will not detect this.

What will detect this is software and services like Trustwave’s. They provide managed security services (we offer a similar product that is well suited to small businesses).

What the software needs to do is detect unusual behavior: accessing data it should not, connecting to web sites it should not, installing software, and so on.

Generally interpreting what the alerts mean requires an expert.
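The behavioral approach described above, as an added example (not code from the post or from Trustwave): a small detector run over constructed endpoint telemetry. The process names, hostnames and the baseline are hypothetical placeholders, not indicators from GoldenSpy; the point is that a voluntarily installed program is judged by what it does (unexpected outbound connections, child processes, persistence) rather than by a signature.

```python
"""Added example: behavioural detection over constructed endpoint telemetry.

Antivirus will not flag software the user installed on purpose, so detection
has to come from watching what the software does. Everything below is
hypothetical: process names, hostnames and the baseline are placeholders.
"""
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since the tax software was installed
    process: str   # image name performing the action
    kind: str      # "net_connect" | "process_create" | "service_install"
    detail: str    # destination host, child image, or service name


# Constructed baseline: what a known-good run of the (hypothetical) tax tool looked like.
BASELINE = {
    "taxfiler.exe": {
        "hosts": {"efile.tax-authority.test"},
        "children": set(),            # a form filler should not launch anything
        "may_install_service": False,
    },
}

# Constructed telemetry, with a two-hour gap before the suspicious part,
# mirroring the delayed install the post describes.
EVENTS = [
    Event(60,   "taxfiler.exe",  "net_connect",     "efile.tax-authority.test"),
    Event(7200, "taxfiler.exe",  "process_create",  "svcinst.exe"),
    Event(7201, "svcinst.exe",   "service_install", "svc_alpha"),
    Event(7202, "svcinst.exe",   "service_install", "svc_beta"),
    Event(7300, "svc_alpha.exe", "net_connect",     "cdn.placeholder-c2.test"),
]


def responsible_app(events, process):
    """Follow process_create edges upward until a baselined application is
    found. Returns its name, or None if the process has no known ancestor."""
    parents = {e.detail: e.process for e in events if e.kind == "process_create"}
    seen = set()
    while process not in BASELINE and process in parents and process not in seen:
        seen.add(process)
        process = parents[process]
    return process if process in BASELINE else None


def detect(events):
    """Return alerts as dicts with rule, ts, process, detail and origin (the
    baselined application ultimately responsible, if any)."""
    alerts = []
    persistence_by_origin = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        origin = responsible_app(events, e.process)
        profile = BASELINE.get(origin) if origin else None
        rule = None
        if e.kind == "net_connect":
            if profile is None:
                rule = "unbaselined_process_outbound"
            elif e.detail not in profile["hosts"]:
                rule = "outbound_outside_baseline"
        elif e.kind == "process_create":
            if profile is None or e.detail not in profile["children"]:
                rule = "unexpected_child_process"
        elif e.kind == "service_install":
            if profile is None or not profile["may_install_service"]:
                rule = "persistence_installed"
                persistence_by_origin[origin].append(e)
        if rule:
            alerts.append({"rule": rule, "ts": e.ts, "process": e.process,
                           "detail": e.detail, "origin": origin})
    # Correlation: one application installing more than one service within a
    # short window matches the redundant, self-reinstalling setup the post
    # describes and deserves its own alert.
    for origin, installs in persistence_by_origin.items():
        if len(installs) >= 2 and installs[-1].ts - installs[0].ts <= 600:
            alerts.append({"rule": "redundant_persistence", "ts": installs[0].ts,
                           "process": installs[0].process,
                           "detail": [i.detail for i in installs], "origin": origin})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a['ts'] / 3600:5.2f}h after install  {a['rule']:<30} "
              f"{a['process']} -> {a['detail']}  (origin: {a['origin']})")
```

The first event (the tool talking to the tax authority) raises nothing; everything after the two-hour mark does. In practice the baseline would be built from a known-good run in a lab or during a monitored first week, and, as the post says, an analyst still has to decide whether a given alert is the malware or a legitimate update.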

What is less clear is how frequently this happens, because most companies do not have software or services like the ones these companies had. There are also no laws requiring companies to report these types of attacks unless the company is publicly traded and the attack materially affects the company’s balance sheet.

Assuming that the software doesn’t break anything, it likely would go undetected. Forever!

If you do not have anything in place to detect this type of malware, you should definitely consider it.

Historically, these types of attacks are designed to steal intellectual property. IP theft is more difficult to detect because there are no national systems in place to detect it, as there are for credit card fraud. In addition, IP theft has a long shelf life. If you steal information about a company’s business processes, for example, that information will be valuable until the company no longer uses those business processes, which could be decades later.

If the IP theft is controlled by a competitor, then that competitor could use the information to unfairly compete with the company whose information was stolen.

If you need more information, please contact us.

The New Normal – Not So Secure

Facebook says that 50% of its employees could be working remotely in 5 years.

My guess is that this could be the new normal, which is not so good if you own a lot of expensive commercial real estate in a big downtown.

Zuck also says that employees who move from, say, San Francisco or New York and work remotely from Kansas may have their pay “adjusted”. Likely downward, which is another motivation for companies – lower payroll, which means lower payroll taxes, and less rent.

I think that is going to be the new normal. Companies have figured out over the last 3 months that people can be productive without sitting in a cube. In some cases, more productive. And, if you remove the distractions of kids at home and the economy in the toilet, they might be a lot more productive.

Which brings me to today’s story.

IBM released a study on work from home security. IBM is not some fly-by-night company. Sure everyone can be wrong sometimes, but this report aligns with a lot of other information I have seen. Here are some of the details.

  • Over half of the people they asked are not aware of, or are unsure about, company security policies in the following areas, with slightly lower percentages for other policies:
    • Mobile device management (53%)
    • Password managers (51%)
    • Collaboration tools (52%)
  • 45% said that their employer had not provided any special training on protecting the security of devices while working from home
  • 93% said they are confident of their company’s ability to keep information secure even though 52% are using their personal computers for work, often with no new security tools.
  • More than 50% of new work from home employees are using their home computers for work but 61% said that their employer had not given them any tools to secure those devices.

So what does this mean?

It means that if some percentage of employees will be permanently working from home, you need to decide what that requires of your security program.

We already know that hackers are taking advantage of the current situation. If that remains “profitable” (which means money or information), they will continue.

Attacks that are after money, such as business email compromise, spear phishing and whale phishing, will likely be detected soon after they are launched.

Attacks that only seek to stay inside your system undetected, well, those will work hard to remain undetected. The longest such attack I am familiar with remained undetected for 12 years. The company eventually filed for bankruptcy and was sold for spare change.

So, as managers, it is your call. Do you beef up your security program? Or, do you collect spare change?

Your choice.

Credit: Help Net Security

Security News for the Week Ending June 19, 2020

Akamai Sees Largest DDoS Attack Ever

Cloudflare says that one of its customers was hit with a 1.44 terabit per second denial of service attack. A second attack topped 500 megabits per second. They used a variety of amplification techniques that required some custom coding on Akamai’s part to control, but the client was able to weather the attack. Credit: Dark Reading

Vulnerability in Trump Campaign App Revealed Secret Keys

Trump’s mobile campaign app exposed Twitter application keys and Google Apps and Maps keys. The vulnerability did not expose user accounts, but it would have allowed an attacker to impersonate the app and cause significant embarrassment for the campaign. This could be due to sloppy coding practices or the lack of a secure development lifecycle. Credit: SC Magazine

FBI and Homeland Use Military-Style Drones to Surveil Protesters

Homeland Security has been using a variety of techniques, all likely completely legal, to keep track of what is going on during the recent protests.

Customs (part of DHS) has Predator drones, for example. Predator drones have been used in Iraq and other places. Some versions carry large weapons such as missiles. These DHS drones likely only carry high resolution spy cameras (that can, reportedly, read a license plate from 20,000 feet up) and cell phone interception equipment such as Stingrays and Crossbows. Different folks have different opinions as to whether using the same type of equipment that we use to hunt down terrorists is appropriate to use on U.S. soil, but that is a conversation for some other place. Credit: The Register

Hint: If You Plan to Commit Arson, Wear a Plain T-Shirt

A TV news chopper captured video of a masked protester setting a police car on fire. Two weeks later, investigators knocked on her door and arrested her for arson.

How? She was wearing a distinctive T-Shirt, sold on Etsy, which led investigators to her LinkedIn page and from there to her profile on Poshmark. While some are saying that is an invasion of privacy, I would say that the Feds are conducting open source intelligence (OSINT). The simple solution is to wear a plain T-Shirt. If you are committing a felony, don’t call attention to yourself. Credit: The Philly Inquirer

Ad-Tech Firm BlueKai has a bit of a Problem

BlueKai, owned by Oracle, had billions of records exposed on the Internet due to an unprotected database. This data is collected from an amazing array of sources, from tracking beacons on web pages and emails to data that they buy from a variety of sources. Apparently the source of the breach is not Oracle itself but rather two companies Oracle does business with. They have not said whether those companies were customers, partners or suppliers, and they haven’t publicly announced the breach. If there were California or EU residents in the mix, it could get expensive. The California AG has refused to say whether Oracle has told them, but this will not go away quietly or quickly. Credit: Tech Crunch

Ripple20 Vulnerability Affects 100s of Millions of IoT/IIoT and Medical Devices

If that headline doesn’t scare you, it should.

Ripple20 is a family of 19 vulnerabilities in a library that is used in medical devices, home automation devices, oil & gas controls, networking devices and other industrial control devices.

The bugs are in a library that was developed in the 1990s and is integrated into all kinds of devices.

The problem is that these libraries are not something a user – consumer or business – can do anything about. Users are completely dependent on the manufacturer to fix them.

Likely many of these devices don’t even have a mechanism to update it.

To make things even more troubling, many times the buggy software was integrated into modules that were then integrated into products that were then sold to you and me. The software vendor has no idea where it got used, and the integrator might not even know that the affected modules are in their product.

The product is a TCP/IP communications library – something that any device that is somehow connected to the Internet has in it.

So why were 19 vulnerabilities called Ripple20? Because, they say, of the ripple effect they will have in 2020. That is a bit of an understatement.

Some of the vulnerabilities have a risk rating of 10 out of 10 and others 9.8 out of 10.

While the software vendor has released patches for the current version of the software, what about products that were built 10 years ago, for example? Those companies may not even be in business and, even if they are, they likely don’t support a (pick a number) 10 year old, 15 year old or whatever age product. Assuming they even know about the library.

Vendors that have released alerts include Intel, HP, Schneider Electric, Caterpillar, B.Braun, Green Hills, Rockwell Automation and Cisco.

Expect more alerts over the coming months.

The industry is still working through the impact of the Urgent/11 family of similar bugs that were released about a year ago.

The government is working on some voluntary guidance for Software Bill of Materials standards that I am watching, but that is going to take years to gain any traction.

Businesses need to keep pushing vendors and vendors need to keep pushing their vendors for a Software Bill of Materials to be a standard part of all deliverables. Software developers need to step up their game too.
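What an SBOM buys you in the situation just described, as an added example (not code from the post, ZDNet or JSOF): a check that walks a constructed CycloneDX-style bill of materials, including components nested inside modules nested inside products, and reports where a library named in an advisory sits and whether the shipped version is below the fixed one. The library name, the version threshold, the advisory identifier and the product names are placeholders, not Ripple20 data.

```python
"""Added example: matching a nested SBOM against a library advisory.

The post's point is that a TCP/IP library buried in a module, which is buried
in a product, is invisible to the buyer without a bill of materials. With one,
the question "do I ship the affected library, and where?" becomes a tree walk.
All names, versions and identifiers below are constructed placeholders.
"""
import json

# Constructed advisory: every version of the library below `fixed` is affected.
ADVISORY = {
    "id": "ADVISORY-PLACEHOLDER",
    "name": "example-tcpip-stack",
    "fixed": "6.0.1.67",
}

# Constructed SBOM in CycloneDX-like JSON. Nesting models the module-inside-
# product supply chain the post describes.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "device", "name": "infusion-controller", "version": "3.2",
     "components": [
       {"type": "firmware", "name": "comms-module-fw", "version": "1.8",
        "components": [
          {"type": "library", "name": "example-tcpip-stack", "version": "5.0.1.35"}
        ]}
     ]},
    {"type": "device", "name": "edge-gateway", "version": "2.0",
     "components": [
       {"type": "library", "name": "example-tcpip-stack", "version": "6.0.1.67"}
     ]},
    {"type": "device", "name": "smart-lamp", "version": "1.0",
     "components": [{"type": "library", "name": "other-stack", "version": "2.3"}]}
  ]
}
"""


def parse_version(v):
    """Dotted numeric versions only (e.g. "6.0.1.67"). Anything else returns
    None so the caller flags it instead of silently treating it as safe."""
    try:
        return tuple(int(p) for p in v.split("."))
    except (ValueError, AttributeError):
        return None


def walk(components, path=()):
    """Yield (path, component) for every component, descending into nested ones."""
    for c in components:
        here = path + (f"{c['name']}@{c.get('version', '?')}",)
        yield here, c
        yield from walk(c.get("components", []), here)


def find_affected(sbom, advisory):
    """Return one finding per occurrence of the advisory's library:
    {'path': [product, module, ..., library], 'version': str, 'status': str}
    where status is 'affected', 'fixed' or 'unknown-version'."""
    fixed = parse_version(advisory["fixed"])
    findings = []
    for path, c in walk(sbom.get("components", [])):
        if c.get("name") != advisory["name"]:
            continue
        v = parse_version(c.get("version"))
        if v is None:
            status = "unknown-version"
        elif v < fixed:
            status = "affected"
        else:
            status = "fixed"
        findings.append({"path": list(path), "version": c.get("version"), "status": status})
    return findings


def check_embedded_sbom():
    """Run the constructed SBOM against the constructed advisory."""
    return find_affected(json.loads(SBOM_JSON), ADVISORY)


if __name__ == "__main__":
    for f in check_embedded_sbom():
        print(f"{f['status']:<16} {' > '.join(f['path'])}")
```

The infusion controller turns up as affected two levels down, through a firmware module the buyer never chose; the gateway ships the fixed version; the lamp does not use the library at all and is not listed. The unknown-version branch matters in practice: an SBOM entry with a missing or non-numeric version should be treated as a question for the vendor, not as a clean result.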

Until then, we are making it very easy for the hackers. They know what the vulnerabilities are. They know at least some of the vendors that are affected and, more importantly, they know that most of these products will never be patched. Likely in a matter of days or maybe a week the entire Internet will be scanned looking for vulnerable devices. Then hackers have years to exploit them.

While a hacker turning off your smart light bulb might be annoying, changing the settings on an insulin pump – well that could have more life altering effects.

Ponder this: Software vendors have zero liability for these bugs. Congress is considering changing that (it is a recommendation of the Cyberspace Solarium Report). Until that happens, don’t expect that to change.

Credit: ZDNet and JSOF