Category Archives: Hacks

Attacks Against Office 365 Continue

Since Office 365 is the dominant office productivity suite, knocking Google on it’s butt, it is not a surprise that hackers are going after it hard.  To compare, I didn’t find great numbers and Google probably does not want me to do this comparison, but Office has 120 million paid users as of 2017 and Google has about 3 million paid users.  It is obvious why hackers go after Office.  To be fair, Google has a boatload of free users, but since those are predominantly consumers and really small businesses, the amount and quality of data to steal makes those free users a much less compelling target.

About a month ago, scammers were using emails with text in zero point type to bypass Microsoft’s security tools.  Apparently, Microsoft must of thought, if you can’t see it (after all zero is small), it can’t be a problem.  Not so.

Then hackers figured out a way to split URLs into pieces to fool Microsoft.

Now that Microsoft has closed those loopholes (the sheer beauty of cloud software – make a fix and in a few seconds, 120 million users are protected), the hackers have moved on.

So what are the hackers doing now?

In this attack, the victim receives an email with a link to collaborate on a Sharepoint document.  Of course, this email is a scam.  When the user clicks on the link in the invitation, the browser opens a Sharepoint file.

Inside the Sharepoint file is a button to open a linked One Drive file.  That link is malicious and at that point the game is over.  The hacker has the user’s Office credentials, since that is required to open the One Drive file and has installed malware on the victim’s computer.

Unfortunately, for a number of reasons, there is no easy way to block this attack.

So what should you do?

First, if you have two factor authentication turned on (everyone should!), then stealing your password is a much less effective attack.

Next, be suspicious.  Check the address link, ask why you are getting this collaboration request.  Check OUT OF BAND if the person who you think sent the request actually did send it (like talk to the person on the telephone using that antique VOICE feature).

Third, hover over links first and look at the underlying address.  If you can’t see the address or it doesn’t look right, stop and talk to your security team.

User training is key here and there are some very cost effective solutions out there.

And, of course, if you have questions, contact us.

Information for this post came form The Hacker News.

Facebooktwitterredditlinkedinmailby feather

Homeland Security Warns of Enterprise Systems Hacking

Enterprise Resource Planning (ERP) systems are quickly becoming a popular target of hackers.  It used to be that these systems were on private networks behind firewalls, but as companies move to the cloud and include their vendors and subcontractors in their ERP systems, the systems are becoming more public.

More public means easier to hack.

Two of the major ERP vendors are Oracle and SAP.  These systems can be incredibly complex and incredibly expensive,

But also incredibly easy to hack.

Oracle, for example, patched a record 334 vulnerabilities in the July 2018 patch release.

Patches may not be available if companies are running an older version of the software.

Even if a company is running the current version of the software, installing patches to fix 334 bugs is always risky, so companies often do not install the patches. Either ever or for a long time.  Often months, which is plenty of time for hackers to use those bugs to work their way into a company’s system.

Hacking into a company’s ERP system could give hackers access to a company’s  finances, plans, designs, production schedules, inventory, customers and a whole range of other information.

So what should a company be doing?

For EVERY SINGLE PUBLIC FACING system, you need to make sure that patches are being installed on a timely basis.  The more severe the bug, the quicker the patches need to be installed.  Hackers will start targeting systems within 24 hours of a patch being released, so waiting 30 days, for example, to install patches make be a greater risk than the possibility of the patch causing an outage.

And, there are ways to mitigate the risk of failure due to an errant patch.

Second, run third party penetration tests against all of your publicly facing servers at least once a year.  For sensitive servers, run the tests more often.  It will cost some money, but so will losing sensitive company information to competitors or the Chinese.

Run vulnerability scans on all servers at least monthly to find missing patches and potential vulnerabilities.

While ERP systems may be popular attack targets today, any public facing server is a target.  As we saw in the 2013 Target Stores breach, an attack on a vendor management portal led to the loss of 100 million credit card numbers.

It is important to understand that it does not matter who’s capital paid for the server that is running the software.  If it is in the cloud and therefore technically owned by a cloud service provider like Amazon or Microsoft, it is still a target.

Information for this post came from Bleeping Computer.



Facebooktwitterredditlinkedinmailby feather

Sextortionists Shift Scare Tactics

Sextortion is the act of convincing vulnerable people, often teenagers, to provide the sextortionist with sexually explicit photographs and videos under the threat of releasing other embarrassing material, such nude pictures that may already privately exist in the victim’s email, text messages or private social media.

The attacker does this by convincing the victim that they have hacked into their victims digital life and already have what is there.

99% of the time, this is a complete scam,but scared people do desperate things – like sending (more) sexually explicit material to the attackers in the hopes of getting them to not publicly release material the hackers claim to have.  The hacker asks for a fraction of a bitcoin in payment.

One new tactic – including so called “legitimate” passwords to say, the user’s email account, in the pitch message.  These passwords are often legitimate in the sense that the user used it at one time.  This lends credibility to the pitch and the panicked victim does not think through how the hacker may have gotten that password. The attacker likely got the password from one of the thousands of cyber breaches.

So what should you do?  Well, there is before you get a request and after you get a request from a hacker.

Before, you should practice good cyber hygiene.  Install patches promptly for all software, stay away from sketchy web sites, choose good passwords, etc.

Second, enable two factor authentication – using either a text message to your phone as the second authentication factor, or, better yet, using one of the authenticator apps such as  Facebook authenticator or Google authenticator as the second factor.

For parents, talk with your kids about the risk of taking pictures that if, in the wild, would embarrass themselves or worse.

Finally, parents need to talk to their kids about sharing compromising pictures and videos with others, no matter how  much they think they are in love and no matter how many promises the other person makes.  Understand that kids may be under amazing social pressure to conform – do not underestimate that.

After the fact, kids need to trust their parents, even though they are embarrassed, confused and scared.  Parents need to work beforehand to get kids to understand that this is not something they can deal with by themselves.

Unfortunately, you may need to get legal advice and you should definitely not believe the hackers.  One suggestion:  ask for a sample of the photos that they claim to have.  If the hack is legit – likely it is not – then you need to decide what to do.  The police are going to say that you should go to them and that is probably an OK idea, but unless the hacker is someone you know, I would not get your hopes up.  

On the other hand, it may be someone your child knows.  In that case, you need to understand your options and a lawyer may be helpful.  Releasing so-called revenge porn is a crime in many states.

Certainly prevention is easier than dealing with something after the fact and there are no easy answers as kids, especially, tend to do unexpected things.  Discussing and planning is likely a good idea.

Source: Threatpost.



Facebooktwitterredditlinkedinmailby feather

Security News Bites for Week Ending July 13, 2018

Timehop Hack Compromises 21 Million Users

In a bit of good news/bad news, the social media time capsule site Timehop said that it was hacked around July 4th, but that they interrupted the hack in progress.  Still the hackers got usernames, passwords, email addresses, date of birth, gender, some phone numbers and other information for 21 million users.

More importantly, the security tokens that Timehop uses to access the social media sites like Twitter were also compromised.  Part of the good news is that since they detected this hack in progress, they were able to immediately disable those tokens, reducing the damage.

Still this does point out the risk of granting someone else proxy to your data – in this case, 21 million users were compromised because of a breach of a third party.  The data here was not particularly sensitive – unless your FB posts are sensitive, but that is purely accidental.

One bit of bad news in all of this (beyond all the bad news above for the people who’s data was stolen).  This attack in December 2017.  The hacker logged on in March and April 2018 also.  The hacker next logged in on June 22 and finally, stole the data on July 4, 2018.

Why is that important?  Because GDPR went into effect on May 25, 2018 and the data was stolen on July 4, 2018.  I hope they have deep pockets or a lot of insurance.  The Register article has a table with the number of GDPR impacted records, but I am having a hard time making sense of it.  For sure, it is in the millions.  (Source: CNet and The Register)

Apple Adds Security Feature to iOS11.4.1

Apple has added USB restricted mode to the current release of iOS.  Restricted mode locks down the lightning port of an iPhone or iPad after it has been locked for another so that it cannot be used for data access, only charging.  It defaults to enabled although you can manually turn the feature off.  This is designed to make it harder to hack an iPhone/iPad.

This will make it harder for law enforcement to hack into phones, but some of the hackers are saying that they have figured out a workaround.  The cat and mouse game continues.  (Source: The Verge)

Another Hospital Invokes Emergency Procedures Due to Ransomware

Cass Regional Medical Center in Harrisonville, MO.  put ambulances on diversion and invoked its incident response protocol earlier this week due to a ransomware attack.  They shut down their EHR system to make sure it did not become a casualty of the ransomware attack.  The day after the attack they said that they had begun decryption of the affected systems, which, while they are not saying, is likely a result of paying the ransom and getting the decryption key from the attacker.  The wording of the statement did not say that they were restoring the affected systems from their backups.  Other hospitals, which chose not to pay the ransom, took weeks to recover, so the reasonable assumption is that they paid off the hackers.  (Source: Cass Regional web site)

The Insider Threat is a Real Problem

We are seeing an increasing number of insider threat issues; some are accidental, some are intentional.

A hacker was found to be selling manuals for the Reaper MQ-9, a $17 million military drone for less than $200 on the dark web.  He got them by hacking an Air Force Airman’s home Internet router which was not patched for a known vulnerability.  It is likely that the Airman was not involved, but it is not clear if he was authorized to have the manuals on his personal home computer (Source: Defense One).

In another case, an employee of a Navy contractor stole thousands of documents from his soon to be former employer before going to work for a competitor.  He was caught and convicted (Source: The Hartford Courant).

These are just two examples of many.  Most do not get caught because the company that was hacked does not want the bad publicity.  Still it is a multi-billion dollar a year problem.

Facebooktwitterredditlinkedinmailby feather

Third Party (Vendor) Cyber Risk Management Rears its Ugly Head AGAIN!

This seems to be a recurring topic, but it doesn’t seem to be getting any better, so I will leap back into the fray.

Last month Ticketmaster announced they had a breach and they led people to believe that it was isolated and that it had something to do with their software.

According to RiskIQ, the breach at Ticketmaster is due to a third party vendor named Inbenda, but that is just one vendor affected – the one that Ticketmaster uses.

Tools that may be affected or infected include Magento, Powerfront and Opencart.  Payment services including Braintree and Verisign may be being targeted.

The attack has been refined over time since 2016.

RiskIQ has identified 800 infected websites including some from very big companies.

Magecart, which is what they are calling the attack itself, continues to expand and some of the infected tools could capture 10,000 victims at a time.

So what do YOU do?

First of all, you need to identify all of the third party software that you use and that your contract developers use.  This includes software that is integrated into the various software products and tools that are installed on the servers where the products run.  It doesn’t matter if the software is commercial or open source.

Then you need to create a vendor cyber risk management program.  That will measure the overall cyber security awareness and preparedness of each vendor.

YOU need to make sure that these vendors are on top of bugs in their systems and then you need to make sure that your IT and development teams have created a way to be alerted BOTH when bugs are found and then when patches are released.

Finally, you need to make sure that ALL patches are installed on all machines.  Depending on the piece of software affected, it may require a completely new build from the vendor and then a reinstall of the product.  Make sure that you understand what is required because it may not be obvious.

Then, of course, you need to test the patch to make sure that it really fixed the bug.  They don’t always!

If this seems like a pain in the &^%$#, it is.  Sorry.

And, you need to do this for each software product from each vendor.  On each computer on which it is installed.

That is why many companies don’t have a vendor cyber risk management program and why many companies get caught in breaches like this.  Sometimes they don’t even know that they are vulnerable or that they have been compromised.

Information for this post came from RiskIQ.

Facebooktwitterredditlinkedinmailby feather

Why Your Incident Response Program is Critical

Police think that hackers hacked the pumps at a Detroit area gas station allowing drivers to get free gas.

Ten cars figured it was okay to steal gas from “The Man” to the tune of about 600 gallons.  While 600 gallons of gas is not the end of the world, it does make a point.

The article said that the gas station attendant was unable to shut off the pump that was giving away free gas for 90 minutes until he used something called an emergency kit.

This happened at 1:00 in the afternoon – in broad daylight, a few minutes from downtown Detroit, so this is not a “in the dark of night in the middle of nowhere” kind of attack.

One industry insider said that it is possible that the hackers put the pump into some kind of diagnostic mode that had the pump operate without talking to the system inside the booth.

In the grand scheme of things, this is not a big deal, but it does make a point.

If the gas station owner had an incident response plan, then it would not have taken 90 minutes to turn off the pump.

For example, the circuit breakers that power the pumps in the tanks are in the booth where the person is.  I PROMISE that if you turn off the power to the pumps, you will stop the flow of free gas.  Then you can put a sign on the pumps that say that you are sorry, but the pumps are not working right now.

This time is was a gas station, but next time, it could be much worse.

But the important part is that you need to have an incident response plan.

The article said that the didn’t call the police until after he figured out how to turn off the pump after 90 minutes.  Is that what the owner wants to happen?

It doesn’t say if he talked to the owner during that 90 minutes.

Is there a tech support number he should have called to get help?

Bottom line is that even a low tech business like a gas station needs a plan.

You have to figure out what the possible attacks are.  That is the first step.

Then you have to figure out what the course of action should be for each scenario.

After that, you can train people.

Oh yeah, one last thing.  How do you handle the scenario that you didn’t think about?

That is what incident response plans need to be tested and modified.  Nothing is forever.

Information for this post came from The Register.



Facebooktwitterredditlinkedinmailby feather