Category Archives: Best Practices

FBI Says Over $2 Billion Lost To CEO Email Fraud

Wow.  That is an impressive number.  As I have talked about before, what the insurance industry calls business email compromise or BEC and what the FBI is calling CEO email fraud is a very lucrative business at $2.3 billion since January 2015.

The way it works is the attacker does a little research on the “mark” – and this is a classic con job, hence the term mark is appropriate – and then sends the mark an email.  The mark could be the head of finance, someone in the wire room, something like that, and the email pretends to come from the CEO or CFO, who needs a wire sent.  With a little social engineering they get their money from the mark.

And, unlike a check or credit card, it is very difficult to get that money back.  Usually, it is transferred out of the target account almost instantly.

Insurance companies, as I have written about, are also starting to push back, saying that this is not a cyber breach.  The employee willingly wired the money.  They will cover it, but it is a different policy.

There are many variations on exactly how this works, but the result is the same – someone voluntarily wires money to the bad guy.

There are also well known ways to curb this.  In almost all cases, they add some overhead to the process.  If your employee is asked to wire money to someone that they do not wire to normally, ask a question.  Shouldn’t there be a PO?  Or a contract?  Walk down the hall and ask the CEO.  Require two people to approve the wire.  Stuff like that.

Brian reports on a couple of well known phishes – Mattel toys, $3 million, Ubiquiti, $46 million and Scoular, $17 million, among many others.  None of these companies will go out of business but it is both embarrassing and expensive.

The best one though, is when the company Phish Me, who makes anti-phishing management software, was itself the target of a phishing attempt.  They, as you might expect, did not fall for the con, but did decide to play with the attacker.  That is all documented in the Phish Me article below, so I am not going to repeat it.  The article is a wonderful tool to use in training, however.

At this point, organizations need to fortify the payments process.  As the bank robber Willy Sutton is reported to have said – that is where the money is.

To do that is pretty simple – one part training, one part process and one part sheer will.  There should be a well documented process on how to get money out of your company and based on the particular business model, you should figure out where the soft underbelly is and armor it up.

For those of you who are interested in the details of how these attackers pull these attacks off, I recommend reading the Phish Me article.

For everyone else, this would be a good time to look at your accounting process.

Information for this post came from Krebs On Security and Phish Me.


U.S. and Canada Issue Ransomware Alert

As you are probably aware, the number of publicly announced ransomware attacks seems to be going up geometrically.  Some examples in the last month include:

  • Hollywood Presbyterian Medical Center – their systems were down for 10 days until they paid a ransom
  • Henderson Kentucky Methodist Hospital
  • Desert Valley and Chino Valley hospitals in Southern California
  • Now it is Medstar Health in DC – 10 hospitals and 250 clinics
  • Norfolk General and Ottawa hospitals in Canada
  • And probably many others that have not made the news

As a result of these attacks and others, the U.S. Department of Homeland Security Computer Emergency Readiness Team (US CERT) in partnership with the Canadian Cyber Incident Response Centre (CCIRC) issued a ransomware alert.

The alert says, among other things, that paying the ransom does not guarantee your files will be decrypted.  It also does not guarantee that the malware will be removed from the infected systems.

The alert made some recommendations:

  • Keep all of your software up to date – operating systems, applications, mobile, desktop and server.
  • Maintain current anti-virus software and do real time file scanning
  • Restrict users’ permissions to install software – use the principle of least privilege
  • Avoid enabling macros from email attachments
  • Do not follow unsolicited web links in emails

While these recommendations are not earth shattering, they are reasonable steps.

The FBI has been telling people that they may well have to pay the ransom because there is not much that they can do; the CERT alert is telling people not to.  The FBI is being practical;  CERT is being philosophical.  When your files are gone, it is hard to be a philosopher.

One thing that the alert does not say is that good, current, off line backups, a disaster recovery plan, a business continuity plan and an incident response plan are critical in case of any cyber security incident.  The hospitals that were successful – that got back online quickly, with minimum disruption – all had good backups and plans.

Are you ready?  All it takes is one employee clicking on the wrong link.

Information for this post came from Health IT Security and DHS Alert.


Why The First Call After A Breach Should Be To Cyber Counsel

If you are responsible for your cyber incident response team and you discover that you may have been breached – like the Trump Hotels this week – who should you call, and how should you contact them?

I will answer the “and how” part first because it is easier.

Walking down the hall is best.  Failing that, the phone is ok as long as it is not connected to your company network (a VoIP phone, for example, is).  What you don’t want to do is use company email or messaging systems.

There are two reasons for this.  The first is that you do not know if those systems have been compromised and if, as a result of using them, you are telling the attacker that you are on to him and how much you know.

You are also leaving bread crumbs that can be discovered as part of the legal process after the breach and used against you.

So now that the “and how” part is handled, let’s move on to the “who” part.

The answer is not your boss or the CEO.  That will just ruin their day and if you tell them 5 minutes later, it won’t make any difference.

That first call should be to your outside cyber incident response law firm.  The one you should have on retainer.  The one that you have already brought up to speed on your business and processes.  The last thing you want to do at this point is be dealing with contracts and explaining to them what you do.

The firm also has to be experienced in cyber incident response – otherwise, they might make mistakes.

The one thing that Target did right during their breach – and it was not to decide to wait until after Christmas to remove the malware – was to contact their cyber incident response outside attorney.

That firm directed the response in order to provide the company legal advice and prepare for lawsuits.  That cover allowed them to protect what they did under attorney-client privilege.  It turns out that the fact that they were outside counsel instead of corporate legal makes a difference in the story.  After all, you were preparing for litigation – you don’t pay outside law firms hundreds of dollars an hour unless you are expecting something bad to happen – more cover.

And it worked.  When the banks who were suing Target attempted to get Target to produce documents during discovery, Target’s law firm said that those documents belonged to the law firm (since the law firm engaged all the consultants and experts, not Target) and were protected by privilege.

Except for a few business emails between the CEO and the Board which were considered business records and not protectable, the judge struck down requests for every other document.

So at the top of your incident response plan should be a note to self:  CALL ATTORNEY FIRST.  Then call your boss.

If you have questions, remember that I am not a lawyer and do not play one on the Internet – contact that cyber incident response attorney that you already have a relationship with.


Information for this post came from the National Law Review.


Why Biometrics Are Good For Identification, Bad For Authorization

I have never been much of a fan of using your fingerprint or eyeball print as a way of gaining access to something – whether it be your phone or a data center.  There are a number of reasons why, but now we can add a new one to it.

The Chaos Computer Club demonstrated (see article in Tech Crunch) a way to capture a fingerprint and fool the iPhone’s fingerprint reader.  Some fingerprint readers are even easier to fake – you can fool them with a fingerprint on a gummy bear.

Now mind you, their attack took some serious work and for most people, who don’t even put a PIN on their phone, the fingerprint is a serious upgrade.

For those people who are paranoid, the courts have held that you can be forced to stick out your finger to unlock your phone while you cannot be forced – without being given immunity – to give up your password.  Also, you can, conveniently, forget your password.  It is hard to forget your finger.

Suffice it to say, biometric information can be captured, with different levels of difficulty, and if that information is used for authorization (i.e. to unlock your phone), it is possible to unlock your phone without your approval.

One way to get around this is to use biometrics to identify the user and a password to authorize that user, but that is inconvenient, so, except for high security environments – such as data centers – that is not often done.

Now today’s new problem.  Agic (see their web site) has created a technology that allows you to print a computer circuit board on your ink jet printer.  Swap out the ink cartridges with their ink and use their paper and you can print a circuit board.  Put some components on it and you have a real circuit.

How does this relate to biometrics?  Well, apparently, it turns out that the capacitance of this ink and paper combination is such that you can print a fingerprint on their paper, using their ink, and that fingerprint has the right capacitance to fool many fingerprint readers.

This means that you can take a picture of someone’s finger, invert the ridges and grooves and print it.  They claim to have unlocked a Samsung Galaxy S6 using this technique.

It also means that if you forget your finger and you took a picture of it and put it in your wallet, you can still unlock your phone.

The point is that there should be a distinction between IDENTIFYING who you are and AUTHORIZING your access – and vendors are collapsing the two.

That being said, given that many people don’t even put a PIN on their phones (Marissa Mayer, CEO of Yahoo, famously said that it was too much work to do that; see article), using a fingerprint is a huge step up.  But for those people for whom security is important, I do not recommend using a fingerprint at this time.  An alphanumeric password of at least 10 characters is a pretty safe bet.  Experts are recommending 16 characters.  It could be a phrase like “I Like Ice Cream!”, since those are a lot easier to remember.

Information for this post came from the Security Now podcast, episode 550.


NSA Refused Clinton A Secure Blackberry

THIS IS NOT A POLITICAL POST.  But the story does have, I think, an extremely important message to all corporate I.T. and security people.

Here is the Clinton story. Judicial Watch, the conservative PAC that has been driving the Clinton email investigation got some documents under a Freedom of Information Act request that are enlightening.

Apparently, Clinton was not a computer user, but someone gave her a Blackberry and, after a while, she became addicted to it.

But, the seventh floor at Foggy Bottom (State Department HQ, mahogany row) was a wireless free zone for security reasons, so she had to leave her Blackberry in a locker outside, just like the rest of us do when we enter a SCIF or high security area.  The effect of that was that she would be without email access for hours at a time and would run outside on breaks to check her email.

In fact, they crafted an office for her, outside the SCIF, so that she could go read her emails a couple of times a day.

In an effort to solve this problem, Donald Reid, the State Department’s coordinator for security infrastructure, said that he repeatedly asked the NSA what their solution was for the President’s Blackberry addiction and was “politely told to shut up and color”.  Great quote.  Probably not for the NSA, but I like it.

So  what did Clinton do?  She did what every executive will do in the face of being told no.  She told them to F@#$ Off and used her own Blackberry, insecure as it was.

NSA did have a secure phone, called a SME-PED.  SME-PED stands for Secure Mobile Environment Portable Electronic Device.  Think about holding a brick up to your face and talking into the brick.  People that I know who have one call it a Franken-phone.  It was a horrible device and never accepted in the military – except when forced on low ranking soldiers.  I recall many stories of military brass asking their keepers to borrow their personal phone to make calls, the SME-PED was so bad.


Not only were SME-PEDs horrible to use, they cost, according to Ars, almost $5,000, which, to spend on the SoS, is not a big deal.  On top of it, according to some special ops folks who showed me one (but wouldn’t let me touch it even though I had a clearance – I didn’t have a need to know), the rules for handling it were unworkable also.  You basically had to treat it like the classified information it contained.

Condoleezza Rice, Clinton’s predecessor in the Secretary of State position, had received waivers for her and her staff to use their own Blackberrys.  But now, under the new administration, they wanted Clinton to use this brick, the SME-PED.

The SME-PED was only cleared to store information classified at the SECRET level, not TOP-SECRET or Compartmented information, so even if she used one, it would not be able to store the information that people are now complaining they have found some instances of, unmarked and classified after the fact, on her Blackberry.

All that was background.  Here is the important part and if you don’t already know this, you should.


I have been having the conversation with a friend of mine in the DoD who keeps saying that if he did what Clinton is accused of doing that he would get fired and likely brought up on charges.  And I have no doubt that he is right.

But, executives have different rules.  Colin Powell used his personal email.  He said the State Department computers were totally unusable.   Condi Rice and her entire staff used Blackberrys.  No one got in trouble for doing that.  You could counter that Rice got permission to do that – Powell did not – but Clinton asked for permission and was told to shut up and color.  My friend points to General Petraeus who didn’t risk having his emails compromised;  he willingly gave them to his mistress.  There is no question about whether his emails were compromised, we know they were.  And, he was the Director of the Central Intelligence Agency.  Should he, kind of, know better?  Not to mention, having a mistress is kind of a violation of military rules.

What happened to the General?  Well, he had to retire.  Sadness.  He was ordered to pay a $100,000 fine and serve two years probation.  Granted, this was a much more serious penalty than the 100 hours of community service that Sandy Berger got for removing classified documents from the National Archives, but he didn’t give them to his mistress.

According to CBS, the Pentagon considered retroactively removing one of General Petraeus’ stars (demoting him), but decided not to because he apologized.

So, apparently, if you are Brass and you break the law, violate the Uniform Code of Military Justice and give classified documents to your mistress, but say you are sorry, then we are good?  He doesn’t have to forfeit his pension of $230,000+ a year.  And, of course, he has a private sector “consulting” job working for KKR making seven figures a year (see here).


Just my two cents.

Information for this post came from Ars Technica.


The Risk Of Giving Users Admin Rights In Windows

Those of us in the computer security world have been telling businesses not to give users admin rights in Windows and now we have some very strong evidence to support that claim.

Avecto, a company that makes security software, analyzes Microsoft’s patches each year and here is what they came up with for 2015:

  • Of the 251 vulnerabilities in 2015 with a critical rating, 86% would be mitigated by removing administrator rights
  • 99.5% of all vulnerabilities affecting Internet Explorer could be mitigated by removing admin rights.  Remember that even if you don’t use IE, it is still installed – it is almost impossible to remove – and many of those vulnerabilities still work even if you are not using IE as your browser.
  • 82% of vulnerabilities affecting Microsoft Office could be mitigated by removing admin rights
  • 85% of Remote Code Execution vulnerabilities could be mitigated by removing admin rights
  • 82% of Critical vulnerabilities affecting Windows 10 could be mitigated by removing admin rights.
  • 63% of all Microsoft vulnerabilities reported in 2015 could be mitigated by removing admin rights.

So if you were getting push back from your users or your management on removing admin rights up until now, this is some pretty strong support for removing these permissions.

Is being able to mitigate 63% of all vulnerabilities, 99+% of vulnerabilities related to IE or 82% of the vulnerabilities affecting Office a worthwhile exchange for losing admin rights?

That may mean that you have to find workarounds to solve some legitimate issues or it may mean that some people will still need admin rights, but that is a whole lot smaller attack surface to deal with.

From a cyber risk standpoint, what you want to be able to do is reduce the attack surface so that you can focus your limited resources on what is left.  Getting rid of admin rights does that.

If you are still not sure, think about this.  There was this guy at the NSA a couple of years ago that had admin rights.

His name was Edward Snowden.

And whether you think Snowden was a criminal or a patriot, I think everyone can agree that, whichever side you are on in that case, the abuse of admin rights – either by an insider or by an attacker – cannot always work to your advantage.

Likely, more times than not, it will work to your detriment.

Remove admin rights except in those cases where there is a legitimate business need, and in those cases, add compensating controls.
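One concrete way to act on that recommendation, as an added example that is not the post’s or Avecto’s code: a PowerShell audit of the local Administrators group against an approved list, so that every account holding admin rights is a documented exception rather than an accident.  It assumes Windows PowerShell 5.1 or later (the Get-LocalGroupMember cmdlet) and that the approved account names are placeholders you replace with your own.

```powershell
# Added example (not from the post or Avecto): report who holds local admin
# rights on this Windows machine and flag anyone not on the approved list.
# Requires Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts).

# Hypothetical approved list: the built-in Administrator account plus one
# named break-glass account. Replace these with your own documented exceptions.
$Approved = @(
    "$env:COMPUTERNAME\Administrator",
    "$env:COMPUTERNAME\breakglass"
)

function Get-LocalAdminReport {
    param(
        [string[]]$ApprovedMembers,
        [string]$Group = 'Administrators'
    )
    # Each member carries Name (MACHINE\account or DOMAIN\account),
    # ObjectClass (User or Group) and PrincipalSource (Local, ActiveDirectory,
    # AzureAD or MicrosoftAccount). A nested group is worth noticing because
    # it grants admin rights to everyone in it, not just one account.
    $members = Get-LocalGroupMember -Group $Group -ErrorAction Stop
    foreach ($m in $members) {
        [pscustomobject]@{
            Name            = $m.Name
            ObjectClass     = $m.ObjectClass
            PrincipalSource = $m.PrincipalSource
            Approved        = ($ApprovedMembers -contains $m.Name)
        }
    }
}

$report = Get-LocalAdminReport -ApprovedMembers $Approved
$report | Format-Table -AutoSize

$unapproved = @($report | Where-Object { -not $_.Approved })
$nestedGroups = @($report | Where-Object { $_.ObjectClass -eq 'Group' })

if ($nestedGroups.Count -gt 0) {
    Write-Warning ("{0} group(s) are nested in local Administrators; every member of them is an admin." -f $nestedGroups.Count)
}
if ($unapproved.Count -gt 0) {
    Write-Warning ("{0} member(s) of local Administrators are not on the approved list:" -f $unapproved.Count)
    $unapproved | ForEach-Object { Write-Warning ("  " + $_.Name) }
    # Removal is a deliberate, reviewed step, not something this audit does:
    #   Remove-LocalGroupMember -Group 'Administrators' -Member '<name>'
} else {
    Write-Output "All local Administrators group members are on the approved list."
}
```

Run it periodically (or from your endpoint management tool) and treat any new unapproved member as something to explain, because an account that quietly gained admin rights is exactly the exposure the Avecto numbers describe.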


Information for this post came from Avecto.
