Category Archives: Hacks

Are You Trusting Your Web App to Backup Your Data?

Many of us use Internet services – Dropbox for file sharing, Google for collaboration, Mint for finances and many others.  Some of us – individuals and businesses – have data spread far and wide over the web.  So wide that in many cases we really don’t know where our data lives or how it is protected.

This week many people learned the hard way that that doesn’t always turn out the way you want it to.

Email provider VFEmail announced that they had a catastrophic event that wiped out all of their user’s emails and all of their backups.  The first signs of the attack came on February 11th.

The founder of VFEmail says that 18 years of customer data are likely gone and will never be recovered.

Some emails that were stored on a backup in the Netherlands may be recoverable, but how many and when – that is unknown.  Most of the user’s info was stored in the U.S. and that, they say, is all history.

VFEmail had multiple servers in multiple data centers with multiple authentication methods and they were all wiped by an attacker.

At this time they have not provided any reason for the attack, but clearly the attacker wanted to do some real damage.

But this is a word of warning to any person or business who assumes that their service provider is going to protect them.

Number 1 – Read your contract.  Does it say that your provider provides any guarantee regarding your data?  It would be very unusual if any of your providers offer any guarantees at all.

Number 2 – Find out what measures each of your providers takes to protect your data.

Number 3 – How much trouble would you be in if you lost ALL of your data from one or more of these providers?  For example, all of your email.  Forever.  Or all of your pictures.  Or all of your finances.

Number 4 – For those services which your data is important – for which losing some or all of the data would be a “problem”, create an alternate backup.  Or two.

The bottom line is that ultimately, you or your company are responsible for your data.  Unless you have a written agreement with your provider that says that they are legally liable, which is almost unheard of.  Even then, that is only as good as the damages available.  Many times in contracts your claim is limited to the amount of  money you paid.  Pay a $100 a month for a year and the most you can collect is $1,200.    Does that cover the loss of your data?

You, and only you, need to figure out what is required to protect your data. 

Our recommendation is at least one set of offline, disconnected backups.  After all, it is hard to hack a backup that is powered down and stored in a safe or a vault.

Also remember, backups are not like fine wine – they don’t age well.  Backup early, backup often.

Information for this post came from Brian Krebs.

 

Facebooktwitterredditlinkedinmailby feather

GoDaddy Users Beware

GoDaddy has an interesting feature.  If a hacker creates a FREE GoDaddy account they can and have created a whole bushel of mischief.

If you have a free account, you can use GoDaddy’s managed DNS service for free for a limited amount of time.

Only problem is that GoDaddy didn’t validate that you owned the domain that you wanted to add to your free account.

Once you own DNS for that domain you can send mail, read mail and act as a man in the middle attacker of the domain’s web site.

Since the account was free, the hacker didn’t actually own the domains in question and the IP addresses associated with the attack were not in the U.S., good luck finding the culprit.

This attack method apparently also works at other registrars.

Since the domains in question were dormant, nobody noticed or cared that they had been taken over for a month – long enough to send out tens of millions of spam emails.  Two recent campaigns, one threatening to expose pictures of you watching porn if you didn’t send them money and the other saying that there was a bomb in your building and it would go off if you didn’t pay up, used these hijacked domains.

Thousands of domains were compromised.  Soon after the story of the attack method was published GoDaddy said that they put a fix in place.

They also said that they fixed 4,000 hijacked domains.

The only problem is that there are many thousands of more domains that they didn’t detect or fix.

GoDaddy says that they have now fixed more domains but are also looking for other similar attack vectors that may not have been closed.

GoDaddy now says that they believe that it is not possible to hijack domains any more using this specific method.  Other methods – not so sure.  Existing domains compromised?  You’re on your own.

Some researchers think that some of GoDaddy’s DNS servers have been compromised but GoDaddy says that its not the case.

One of the attacks using this scheme distributed the Gand Crab ransomware.  One company, A.S. Price Mechanical, a small metal fabricator in South Carolina, was hit with the ransomware.  The ransom was initially $2,000 but went to $4,000 while they decided what to do.

Charlene Price, co-owner of the company, said “it’s not fair or right and this is unjust“.  “We  have accepted the fact, for now, that we are just locked out of our company’ information.  We known nothing about this type of issue other than we have to pay it or just start again.

While she is absolutely correct, the crooks don’t really care.  The fact that she is not knowledgeable about protecting her valuable company information is also not of concern to attackers.

So what do you need to be doing?

First of all, if you don’t have offline backups – ones that cannot be infected – you need to create them now and keep them current.  I keep mine in a bank vault.  The good news is that it is not a smart vault and the vault does not have an internet connection so it will be pretty hard to encrypt those backups.

Second, beef up employee training.  The A.S. Price attack happened when an employee clicked on a malicious link.

Third, add robust anti-malware protections.  There are lots of them out there.  It does cost money, but so does losing access to your data. In the A.S. Price case it is $4,000 (not including the cost/value of losing access to the data).  While it is a lot of money, what if they asked for $100,000 instead.  It has happened.  And the hackers have been paid.

Next, have a strong, tested incident response program.  A few months before the Sony attack, the same group attacked some of Sheldon Adelson’s casinos (the Sands in Las Vegas).  Because Adelson’s IT team had a tested incident response program and even more importantly, they were empowered to act without a committee’s approval, they minimized the damage so much that you didn’t even hear about the attack.  Visualize this.  Geeks with pocket protectors running through the casino’s floor unplugging live, operational, computers so they didn’t get infected.  Unplugging the entire Sands empire from the Internet.  WITHOUT A SINGLE MEETING.  That is training, trust and empowerment.  And it worked!

Finally, implement the processes that Homeland Security recommended in Emergency Directive 19-01.

Information for this post came from Brian Krebs.

Facebooktwitterredditlinkedinmailby feather

DHS Issues Emergency Directive 19-01 (DNS)

Homeland Security’s newly named agency – the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to executive branch agencies – many of which have personnel on furlough – regarding a DNS hijacking issue.

The issue is not limited to agencies and every company and private individual that owns one or more Internet domains should take immediate action.

CERT’s alert is based, in part, on FireEye’s report issued last week of a coordinated campaign run by state sponsored hackers, possibly out of Iran, to hijack agency, business and consumer Internet domain names.

Using very traditional phishing techniques, the attackers steal credentials to log in to the user’s account at domain registrars around the world.  Once they have access to the user’s domain administration pages, they can redirect web site visitors and email to their servers, using this to steal credentials from web site visitors and email recipients.

The hackers redirect the users to the legitimate web site after stealing their credentials.

DHS is giving agencies, many of which have very limited staff due to the shutdown, 10 business days to complete an action plan.

There are no consequences if the agency blows off DHS, which many do on normal day.  Under the current circumstances, likely even more with do so.  This means, of course, that you should consider any government server suspect, especially if it asks you for a userid and password.

DHS is admitting to at least 6 agencies who have had their DNS records hijacked.  Likely there are more;  some of whom do not know that they have been hijacked for a variety of reasons.

If you are not a government agency (or even if you are), here are some things that you should do:

  • Implement multi-factor authentication on any domain registrar accounts that can control DNS or web site settings.  Examples of big domain registrars are Go DaddyWixHostgator1&1 IONOS, Network Solutions and others.
  • Verify that existing DNS records for domains and sub-domains have not been altered for any resources. 
  • Search for SSL/TLS certificates which may have been issued by registrars but not requested by an authorized person.  These certificates would allow an attacker to masquerade as a legitimate version of the web site and steal visitor’s credentials or install malware on visitor’s computers and phones.
  • Conduct an investigation to assess if attackers gained access to your environment.
  • Validate the source IPs in OWA/Exchange logs.

 

Information for this post came from ZDNet and the US Computer Emergency Response Team at Carnegie Mellon.

Facebooktwitterredditlinkedinmailby feather

New Business Email Compromise Scam Variant

Some of the most popular business email compromise scams (BEC) target accounting and finance or human resources.

The scam usually works something like this.  Someone in the target department – often not too high up in the food chain –  gets a email pretending to be from an executive like the CEO or CFO.

The email urgently requests something like all of the W2s from last year or a wire transfer for a secret project.

The mid-level person, wanting to please the executive and being told that there is urgency, quickly processes the request without  the normal thought process.

Over the past couple of years, this has led to billions of dollars of losses, but companies have been doing extensive employee training so this attack is not working as well as used to.

So now a new attack method has been added to the mix.

Steal the credentials of employees, log on to the HR platform and change the direct deposit information.  The employee is completely unaware of this until they don’t get paid.  The attacker has already emptied the account by the time that the employee talks to HR.

Now the company has a problem:

  1. Do they believe the employee that he or she didn’t change the direct deposit instructions.
  2. The employer did nothing wrong so do they just eat the loss and pay the employee twice.

I suspect that most employers will make the employee whole and the law could be on the employee’s side, depending on the state.

If that vector doesn’t work, target the HR employee.  Using that account the attacker could change several paychecks at once and get a bigger payday.

Or both.

There are a number of things that an employer can do to protect themselves and their employees.

First of all, if you are do not have two factor authentication in place, do that now.  If you are using an outsourced Payroll/HR system and that vendor doesn’t support two factor authentication, “encourage” them to do that by including a contract clause to make them financially liable for any losses caused by their lack of two factor authentication.

Geofencing is the technology that restricts access to your HR system to a limited geographic area.  For example, if your company only operates in the continental U.S., block access from any I.P. address outside the U.S.  While this is not perfect, it does make it harder for the hackers.

Finally, generate a report just before the payroll run (assuming the hackers will try to make changes at the last minute so that it can’t be undone in time) of all direct deposit changes during that pay period.  If the number of changes or the location of changes or anything else seems out of whack, sound the hacker alarm.

And of course, educate people.

None of these changes should be particularly expensive or hard to do and could save you significant pain.

Source: Helpnet Security

Facebooktwitterredditlinkedinmailby feather

Feds Shut Down 15 Denial of Service Websites

You can get anything on the Internet.  One of the relatively recent additions are web sites that you can pay (I presume in Bitcoin) to “stress” a web site that you don’t like.  Stress is a euphemism for denial of service attacks which force the target site offline.

They have charged 3 men today – two in California and one in Alaska with operating the 15 sites that they took down.

US-JUSTICE-POLITICS-COMPUTERS

The feds claim that these sites, including DOWNTHEM.ORG, NETSTRESS.ORG, QUANTUMSTREESS.NET, VBOOTER.ORG AND DEFCON.PRO, are a significant national  threat.

It is certainly true that these sites, which attack other web sites for a fee, are not a good thing.  It is pretty stupid for people inside the United States to run sites like these and think that they are not going to get caught and prosecuted.  Think of it as the Darwin Effect.

According to the feds, DOWNTHEM.ORG alone had 2,000 customer subscriptions and carried out over 200,000 attacks.

While these “take downs” are interesting, they likely won’t have much of an effect on the overall level of denial of service attacks affecting the Internet.

Many (most?) of these attacks are controlled from places offshore like Russia, China and North Korea and I doubt whether the feds bringing charges against 3 Americans in the U.S. will have much of a deterrent affect in those countries.

Still, there is no downside to taking down these sites and filing charges against the 3 men.  The challenge that the problem is huge and largely offshore.

Today’s operation used cooperation between the U.S., U.K. and Dutch and several companies including Cloudflare and a number of others.  exercising this process is a good thing.

The feds have been pretty active recently in issuing warrants – in many cases to foreigners with a low likelihood of being apprehended, but in this case, if they have not already caught these three, they probably will soon.

The message the feds want to deliver is that there is a possibility that you will be caught and prosecuted – even if the probability is low.  That will be enough to deter some people.

The bigger problem is with sites run in unfriendly countries where even if they get taken down, the bad guys just register a new domain and they are back in business.  Some of these sites operate on the dark web where they are harder to find and harder to take down.

Most of these sites use “zombie” computers to attack people.  Zombies are computers that have been compromised due to poor cyber hygiene. Likely it will be someone’s home computer or a computer in a small business.  Sometimes it is a company’s server in a data center.  In the grand scheme of things, they don’t really care whether the feds coming knocking at your door to tell you that you are running a denial of service attack because even if the feds seize your computer it won’t make it any easier for the feds to find the people behind the attack – unless they are not very skilled.

For businesses, unfortunately, that means that you need to be prepared for a denial of service attack.  Most of the attacks are pretty short and try to get you to pay them to stop the attack.  Most of them will stop on their own, but if you don’t pay they might attack you again and again to try and get you to pay.

Most of the attacks will be able to consume any bandwidth you might have, even if you have a gigabit Internet connection.  Many of the attacks consume 50 gigabits or more per second.

In many cases your Internet provider may help the attacker because it will intentionally take down your internet connection to protect its other customers.  In that case, the attacker wins.  In a few cases, the Internet provider will cancel YOUR service, even though the attack is not the result of anything that you did wrong.  In the U.S., where there is often very little choice of Internet providers, this can be a real problem for businesses.

One thing that you can do is have two Internet connections so at least if one goes down as a result of an attack, the other may still work.  This is not a cheap solution.

Another solution is to use a service like Cloudflare.  This is not easy either because it may require modifications to your web site to make it work.

There is no easy answer to this problem, but if it is important to your business to remain online for your customers and employees, thinking through the risks and the options is mandatory.

Information for this post came from Tech Crunch.

Facebooktwitterredditlinkedinmailby feather

NSA Says US Companies Losing Ground to Chinese on Cyber Attacks

Rob Joyce, long time NSA cyber executive, former special assistant to the President for cybersecurity, cybersecurity coordinator for the National Security Council and all around cyber guru says that we are in trouble.

He said that Chinese cyber attacks have increased in recent months, targeting critical infrastructure.

He says that he is worried that they are preparing for disruptive operations against that critical infrastructure.

What is he considering critical infrastructure?

  • The US Energy sector (like lights, heat, water, etc.)
  • Finance (banking)
  • Transportation (Planes, trains and automobiles)
  • Healthcare (doctors, hospitals and clinics)

Other than that, things are pretty good.

This is, of course, in addition to Chinese theft of intellectual property and espionage.

These comments are in advance of what is likely new government charges of hacking by the Chinese and additional sanctions.

So as long as you don’t drive a car, take public transit, have lights and heat where you live, use a bank, need to see a doctor or use any technology, you have nothing to worry about.

What do you need to do?

If you own or manage a US business, you need to up your cybersecurity game.

What does that mean?  Patching, employee training and alerting are a good beginning – but just a beginning.

Probably over 99% of attacks are targets of opportunity, meaning that the bad guys have no idea who they are attacking.

This includes consumers.  We hear stories regularly of people losing thousands to hackers.  If you have thousands to spare so that you don’t care if you lose a few thousand to a hack, then don’t worry about it.

If that would be a problem, then you need to up your game too.  Learn when not to click and how to protect yourself, patch your computers and phones and take other precautions.

For the Chinese and others, they will keep hacking until they get in.  Somewhere.  Anywhere.

While this may not sound nice, you need to protect yourself so that the hackers attack your neighbor rather than attacking you.  They will attack the easiest target.  If you can help your neighbor too so that the hackers go to a different  town, that is OK, but number one is to protect your information and your money.

If you need assistance, contact us, but please take this seriously.

Information for this post came from Reuters.

Facebooktwitterredditlinkedinmailby feather