Category Archives: Security Practices

Magically, Carriers Can Stop Spam Robo Calls

For years U.S. telephone carriers have said that they can’t stop spam callers.  Truth is that they make a lot of money from either sending or receiving these calls, so they had zero incentive to figure out a way to stop it.

The problem would decrease a lot if you could believe the information that caller ID was providing you, because you could (a) tell if you knew the person who was calling and (b) not answer calls if you didn’t recognize the number.

How many times have you received a call whose area code and exchange (the first 6 digits of the phone number) make it look like it came from your neighborhood?

Caller ID was created decades ago and has zero security in it.    Add to that the fact that adding security costs money to the carriers with no added revenue and you can see why they haven’t done anything about it.

But Congress passed the TRACED Act late last year and this gives the FCC more power to go after phone spammers, it extends the statute of limitations for DoJ to go after spammers and it requires carriers to add security to Caller ID at no cost to subscribers.  It also allows the FCC to fine carriers for first offenses, something the FCC cannot do in most cases.

Magically, when the carriers figured out that they might get fined or even prosecuted, it only took them a couple of months to design at least a partial solution.  This is one of those cases where we don’t want perfect to get in the way of good.

Since most calls are now digital, the current plan, called SHAKEN/STIR, requires Caller ID info to be digitally signed at the source and digitally checked at the destination.
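What "digitally signed at the source and checked at the destination" means in practice, as an added example that is not code from the original post: a PASSporT-style token in the shape SHAKEN/STIR uses (RFC 8225 / RFC 8588). HMAC-SHA256 with a shared key stands in for the ES256 signature and certificate chain the real system uses, so it runs on the standard library alone; the phone numbers and key are constructed.

```python
# Added example: PASSporT-style caller-ID attestation, signed by the
# originating carrier and verified by the terminating carrier.
# ASSUMPTION: HMAC-SHA256 with a shared key replaces the ES256 signature
# and x5u certificate chain of real SHAKEN. Numbers and key are constructed.
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_passport(key: bytes, orig_tn: str, dest_tn: str, attest: str, now: int) -> str:
    """Originating carrier. attest is 'A' (full), 'B' (partial) or 'C'
    (gateway) per RFC 8588; origid would be a per-call identifier."""
    header = {"alg": "HS256", "ppt": "shaken", "typ": "passport"}  # real: ES256 + x5u
    payload = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": now,
               "orig": {"tn": orig_tn}, "origid": "constructed-origid"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_passport(key: bytes, token: str, presented_caller_id: str,
                    called_tn: str, now: int, max_age: int = 60) -> tuple:
    """Terminating carrier. Returns (ok, reason); the subscriber's phone
    should show the caller ID as verified only when ok is True."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return False, "bad signature"  # payload changed after signing
    payload = json.loads(b64url_decode(p))
    if abs(now - payload["iat"]) > max_age:
        return False, "stale token"  # an old token could be replayed
    if called_tn not in payload["dest"]["tn"]:
        return False, "dest mismatch"  # token was issued for another callee
    if payload["orig"]["tn"] != presented_caller_id:
        return False, "caller ID does not match signed orig"
    return True, "verified, attestation " + payload["attest"]

if __name__ == "__main__":
    key, now = b"constructed-shared-key", 1600000000
    tok = sign_passport(key, "+13035550100", "+13035550199", "A", now)
    print(verify_passport(key, tok, "+13035550100", "+13035550199", now))
    # Displayed number differs from the signed one: the destination rejects it.
    print(verify_passport(key, tok, "+13035550101", "+13035550199", now))
```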

I noticed a couple of months ago that Verizon is now flagging calls as potential spam and is giving me the option to mark any call that I receive as potential spam.  Interesting what happens when the money equation changes.

The FCC *JUST* released rules that require carriers to implement SHAKEN/STIR on the digital portion of their network (such as cell phones) by June 30th of next year.  There is a one year delay for small carriers that may not be able to financially get it done by that date.

Then carriers have to deal with the old analog phone calls.

So while this is far from perfect, the big spammers are all digital because they need to make thousands of calls an hour in order to be profitable crooks.  This new regulation should significantly help this problem.

As long as the FCC keeps the pressure up on the carriers, things should improve over the next couple of years.

Source: ZDNet


Your Home Internet Router – Are You Inviting Hackers to the Party?

Your home Internet connection router or modem is the front line of defense against Internet intruders.

Think of it as soldiers “manning the wall”, armed to the teeth, ready to repel intruders.

At least, hopefully repelling intruders.

But what if, instead of that scenario, your guards had turned into Benedict Arnold and were working for the other side?

Probably not intentionally, but in fact.

So what should you do to keep your Internet “guard” on your side rather than on the other side?

Here is a list of recommendations.  At least part 1.

Many times, the Internet gateway, if it is provided by your ISP (internet service provider), is not a great piece of hardware.  Sometimes it is okay, but often not so much.

If you have the option to provide your own device, that is likely a much more secure solution. 

In either case, change the password that you were given for the device.  Many times, for ISP provided devices, they have a back door, so changing the password doesn’t help much, but it might.

If your ISP has a device on your network that they can get into, they can likely see most of your traffic, both local and on the Internet.  That may even include encrypted traffic, although that is harder.

Next make sure the firmware (software) in the device is up to date.  Typically, if you can log into the device, you can find a menu option to check for software updates.  A couple of years ago I was working on a device for a customer and discovered the firmware was 7 years old.  And there were no updates.  This qualifies as one of those “not so much” devices.  It just means that the manufacturer doesn’t care about security because they are not liable.

If you do go out and buy your own modem or router, check the vendor’s history on software updates.  If, in general, they are pushing out regular updates, they will likely do so for the device that you buy.  Also check out reviews online.

Sometimes Internet providers don’t isolate you from the Internet at all – they don’t care either;  they are not responsible.  Probably somewhere in the fine print it warns you.  In a place you don’t read.

You can find out if your computer is on the Internet directly, but that is beyond the scope of this blog post – you may need to ask one of your geeky friends to do that for you. 

A better way to protect yourself is to add your own hardware firewall between your ISP’s device and all of your computers.  That way you are in control.  If possible, select a firewall that updates its software automatically.  We can provide recommendations.

Assuming that you don’t live alone – and even if you do – there are likely many devices on your network at home.  Could be as simple as your cable set top box or a Ring video doorbell.  Or it could be your kids’ computers.  Or any number of other devices.  Those devices can also represent a security risk.  Make sure they are all patched too.  Sometimes that is hard.  You really have to do it anyway.

If you can isolate your work device from the rest of those other devices, that is really best.  It may take some IT support to do it, but if security is important, it is worth it.  It could be as simple as buying a dedicated WiFi access point for your work computer or plugging it into a different port on the firewall  – it will likely take some expertise to figure it out, but only one time.

These are some basics;  there are a lot more, but start there.  Another day, more on the subject.

Of course, you can always contact us for assistance.


Working from Home Security Challenges / Coronavirus

The bad guys did not waste any time using the Coronavirus pandemic to attack folks who are suddenly Working From Home (WFH) or Studying From Home (SFH).  Here is some information to help those of you who are WFH to navigate the perilous path.

Given that many WFH programs were created out of nothing in almost zero time or scaled up from zero to 60, it is no surprise that there might be a security hole or two.

This applies not only to employees working from home but also to students attending school from home.

First of all, hackers are pumping out tons of malicious emails themed around Coronavirus.  The malicious emails are compromising systems with password-stealing malware and remote access back door software, among other goodies.  And don’t forget that old favorite – ransomware.  More on that later in this post.

Given how stressed people are, they are likely to forget their security training.

Another challenge for WFH/SFH – making sure that all devices are fully patched.  That is going to fall more on the end user now.  Companies who have fully automated that are in better shape, but lots of organizations are not set up for that.  THIS INCLUDES PHONES AND TABLETS!

Another problem is home and public WiFi.  At work, the company can control the setup of company WiFi, but at home it is a bit of the wild west.

For example, when was the last time you patched your WiFi server and your Internet router, modem or firewall?

When did you last have a security expert check the security configuration of those devices?

If your company uses older, in-the-office systems, they likely do not work very well for remote workers.  There is no quick fix for this.  It is fixable, but the fix requires new hardware and employee training.

Companies who are in regulated industries such as healthcare, finance or defense have additional problems.  How do you continue to comply with the security laws and regulations that these industries have to comply with?  In fact, in many of these industries employees are not allowed to work remotely by regulation or law.

To make matters worse, in many cases, IT doesn’t have the right tools to securely assist workers who are no longer at the office.  If an employee uses a virtual private network (VPN) to connect to their work network, it usually makes it even more difficult for IT to securely connect back to them in order to provide tech support.  Even in cases where it does work technically, many times the company has not bought the right support tools to make this possible.

Of course, employees who are using their mobile devices more open up yet another attack vector.  Many phones and tablets are horribly out of date when it comes to security patches.  Many phone manufacturers do a crappy job of releasing patches, and for older phones – say more than 2 years old – many times the manufacturer says they are no longer supported, which leaves the user wide open to a whole raft of attacks.

Companies need to conduct a risk assessment of the remote work environment to make sure that they understand what new risks the company is accepting.

Companies need to consider whether they even have enough security software licenses such as VPN connections.  Employees will create unsafe workarounds if the company can’t provide them tools that are secure.

Here is a screenshot of a malicious email.  It pretends to be from the CDC, but the email address in the red box shows that this is not the real CDC.  The URL in the second red box looks like it is from the CDC, but if you hover over it, it turns out that it is not.

Cybercriminals sent this coronavirus phishing email, which was designed to look like it came from the U.S. Centers for Disease Control and Prevention. Courtesy of Kaspersky.
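The two tells in that screenshot, the sender address that is not the real organization and the link whose visible text does not match where it actually goes, can be checked automatically. This is an added example, not code from the original post or from Kaspersky; the sample message and its lookalike domain are constructed (using the reserved .example TLD), not real indicators.

```python
# Added example: the "hover over the link" check done in code, for a mail
# filter or a quick triage script. Sample message below is constructed.
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(s: str) -> str:
    """Hostname if s is a URL or bare domain, else '' (ordinary link text)."""
    if "://" not in s:
        s = "http://" + s
    host = (urlparse(s).hostname or "").lower()
    return host if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", host) else ""

def mismatched_links(html: str) -> list:
    """(shown host, real host) for anchors whose text names one site while
    the href goes to another; an empty list means nothing suspicious."""
    c = LinkCollector()
    c.feed(html)
    return [(host_of(t), host_of(h)) for h, t in c.links
            if host_of(t) and host_of(h) and host_of(t) != host_of(h)]

def from_address_domain(from_header: str) -> str:
    """Domain of the actual address, ignoring whatever the display name claims."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

# Constructed sample: display name says CDC, address and first link do not.
SAMPLE_FROM = "CDC Health Alert Network <alert@cdc-gov-update.example>"
SAMPLE_HTML = ('<p>See the latest case list: <a href="http://cdc-gov-update.example/cases">'
               'https://www.cdc.gov/coronavirus/2019-ncov/cases-in-us.html</a></p>'
               '<p>Official site: <a href="https://www.cdc.gov/">www.cdc.gov</a></p>')

if __name__ == "__main__":
    print(mismatched_links(SAMPLE_HTML))     # [('www.cdc.gov', 'cdc-gov-update.example')]
    print(from_address_domain(SAMPLE_FROM))  # cdc-gov-update.example
```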

The spam emails might claim to provide information on the Coronavirus or perhaps provide a way for people to contribute to those who need help.  Unfortunately, the only ones these people are helping are themselves.

KnowBe4 published a picture of an email containing a QR bar code asking for donations (see below).  If you want to make the folks in China or North Korea rich, you should donate.

[Image: coronavirus_donation-1]

This piece of spam, also from KnowBe4, asks you to watch a Coronavirus video.

[Image: covid19_spam-scam-1a]

It promises secret information that the government isn’t telling you.  If you buy their book for $37.00.

That is actually good because some of them tell you that you need to update your software in order to view this secret video.  In fact the update is software that infects your computer, steals your passwords, empties your bank account, encrypts all of your data or some combination of the above.

In the following email, if you just click on the link, some  dude will tell you everything you need to know about the Coronavirus and how to stay alive.  NOT!

[Image: coronavirus_info-1a]

Suffice it to say, this is a bit of a mess and it is not likely to get any better soon.

Companies will, unfortunately in this time of uncertainty, need to up their security spending.  The alternative might be a bit of a train wreck.

If you do need help or have security questions, please reach out to us.  After all, we are staying home to stay safe :).

Information for this post came from Threatpost, GCN, the US Secret Service and KnowBe4.


Cyberspace Solarium Commission Warns of “Catastrophic Cyberattack”

The U.S. Federal Cyberspace Solarium Commission issued its long-awaited report last week and warned of a “catastrophic attack that leaves the nation in tatters”.  While right now everyone is worried about Covid-19, this represents a longer term problem that won’t be fixed in a few months.

The report creates a vivid hypothetical attack and is written from the point of view of an unnamed U.S. legislator.

Kind of like with Covid-19, in this hypothetical attack “everything went so wrong, so fast”.

In the narrative, the Potomac River is polluted by toxic chemicals from treatment plants that were hacked, an attack on the city’s floodwater management system leaves an oily sludge in front of the Lincoln Memorial, the debris of drones litters the city after they were hijacked and crashed into crowds like torpedoes, and finally there is a toxic rail accident in Baltimore after the control system was compromised.

The report also provides a slew of recommendations – many of which will be hard to swallow.

For example, to better secure Internet of Things devices, the report suggests moving away from a “first to market” philosophy to one with better security.  I predict that will only happen if laws hold companies financially liable for their insecurity – something that has already started in California.

In fact, the report recommends that final goods assemblers be held responsible for damages as a result of cybersecurity incidents.

It makes suggestions around changing Sarbanes Oxley to include more cybersecurity requirements.

Another recommendation is for the government to clean up its own act.  Currently there are a lot of cooks in the federal government’s cybersecurity kitchen and that is creating a lot of confusion.

It also suggests that Congress reorganize its committees that really don’t deal well with cybersecurity.  I think we need to reorganize the Congress people and find some who understand the problem, but that is a separate issue.

The report goes on and makes a lot more recommendations, but now it is up to the federal government to actually act.  The alternative is the response we currently have to Covid-19, which is, in my opinion, a bit of a train wreck in slow motion.

One way or other, these cyberattacks will continue and increase, as we are already seeing during the Covid-19 pandemic.  During this pandemic, hospital and government systems are being hit by cyberattacks, slowing response and distracting first responders from their mission.  Source: Verdict


Microsoft Working to Reduce Spam Emails

DMARC is a technology that is designed to reduce the amount of spam that makes it into your mailbox.  It provides an email’s recipient with instructions on how to validate a sender’s email.

Unfortunately, it is a voluntary standard for both the sender and the receiver, and if the sender doesn’t have DMARC set up then there is nothing for the receiver to test.

In addition, if the policy tag (p) is set to none, then the recipient is supposed to do nothing, even if the DMARC tests fail.

Microsoft is working on adding a feature to Office 365’s Advanced Threat Protection that will automatically block sender domains that failed the DMARC test.

Currently, the antispam rule allows administrators to allow domains regardless of the domain’s reputation.

This new feature will override the allow and block all domains that fail DMARC.

THE RULE IS PLANNED TO BE ADDED AROUND THIS APRIL.

Initially, email that fails will be marked as spam and handled according to the spam rules.

This will be coupled with another feature to block malicious content regardless of custom configurations, unless manually overridden.

Here is the problem.

Even if you are not an Advanced Threat Protection (ATP) customer.

Even if you are not an Office 365 customer.

Even if you don’t use Microsoft tools.

This WILL affect you.

If the company you are sending an email TO is using Office 365 ATP and they follow the recommended default configuration, and your email fails their DMARC check, your email will go into the junk box.

Your mission, should you decide to accept it – actually whether you decide to accept or not – is to make sure that your DMARC configuration is set up correctly.
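What the receiving side actually evaluates, as an added example that is not code from the original post or from Microsoft: parse the sender’s published DMARC record, check SPF and DKIM alignment against the From domain, and return the disposition the sender asked for. It shows both cases the post describes, no record (nothing to test) and p=none (failure, but deliver anyway). Records and authentication results are constructed; org_domain() is a simplification of the Public Suffix List check.

```python
# Added example: the DMARC evaluation a receiving mail server performs.
# Assumptions: inputs are the already-computed SPF/DKIM results plus the
# domains they authenticated; org_domain() simplifies the Public Suffix
# List lookup to "last two labels". All sample data is constructed.

def parse_dmarc_record(txt: str) -> dict:
    """Parse a DNS TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: " + txt)
    return tags

def org_domain(domain: str) -> str:
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match; relaxed
    ('r', the default) accepts any subdomain of the same organization."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record, from_domain: str, spf_pass: bool, spf_domain: str,
                      dkim_pass: bool, dkim_domain: str) -> tuple:
    """Return (result, action). result is 'pass', 'fail' or 'none' (no record
    published); action is what to do with the message: 'none' (deliver),
    'quarantine' (junk folder) or 'reject'. With p=none a failing message
    is still delivered, which is the gap the post describes."""
    if record is None:
        return "none", "none"  # sender never set DMARC up: nothing to test
    tags = parse_dmarc_record(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]

if __name__ == "__main__":
    # Spoofed message: From: someone@example.com, SPF passes only for the
    # spammer's own envelope domain, and there is no DKIM signature.
    for rec in (None, "v=DMARC1; p=none; rua=mailto:dmarc@example.com", "v=DMARC1; p=reject"):
        print(rec, "->", dmarc_disposition(rec, "example.com", True, "bulk.sender-example.net", False, ""))
```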

Source: Bleeping Computer


As Another DoD Contractor is Breached, DoD Works to Stop Them

Visser Precision, a precision parts contract manufacturer based in Denver, Colorado, has confirmed a “cybersecurity incident”.

Visser makes parts for the likes of Tesla, Space X, Boeing and defense contractor Lockheed Martin.

The ransomware was DoppelPaymer, one of the Ransomware 2.0 variants that steal the data before they encrypt it.  Some of that data is available for download on the hackers’ website to prove that they stole the data.

One of the documents appears to be a partial schematic for a missile antenna.

THAT MEANS THAT THIS QUALIFIES AS A DATA BREACH.

While Tesla, SpaceX and Boeing did not respond to requests for comment, Lockheed said that they were “aware of the situation”.

Source: Tech Crunch

Lockheed, as a defense contractor, is required to notify the Department of Defense within 72 hours of a breach in most cases.  We assume Lockheed did that.   That requirement flows down to all subcontractors like Visser.  DoD can then decide what next steps are appropriate.  In this case, since it appears that sensitive information was actually stolen from Visser, DoD will, most likely, investigate.

As of about a month ago, DoD released version 1.0 of its Cybersecurity Capability Maturity Model (CMMC), a framework for improving the security of defense contractors.  DoD has not, however, started implementing it.  The program requires everyone who sells to the DoD, from cafeteria operators to lawn care firms to companies building missiles, to adhere to a range of cybersecurity standards and be certified by a third party to ensure compliance.

DoD is actually moving very rapidly for a government entity with 1.4 million active duty personnel, 1.1 million reservists and 860,000 civilians.  It took them less than a year to define and approve the standard and they hope to have some contracts with the CMMC requirement in place this calendar year.  That means that they have to train the assessors, approve the certifiers and issue the contracts.

No one has announced whether this attack was done by the Chinese, Russians, North Koreans or a 400 pound teenager in his parents’ basement.  With no information, I vote for the first one.

DoD says that, for contracts that have CMMC requirements, vendors will not be allowed to BID on the contract if they do not have the appropriate CMMC certifications already in place.

This is definitely motivating companies like Lockheed, and breaches like the one at Visser, whose security Lockheed had vetted and approved, only make them more motivated.

If you serve the defense industry, now is the time to get prepared because it will take some time and effort.
