Tag Archives: ransomware

Security News for the Week Ending October 11, 2019

Medical Practice Closes After Ransomware Attack

Wood Ranch Medical is closing its doors permanently after a ransomware attack.  The attackers not only encrypted the practice’s data, but also its backups, leaving nothing to restore from.

In April 2019, the Brookside ENT and Hearing Center in Battle Creek, Michigan, also closed after a ransomware attack.

Ransomware attacks are just one reason why businesses should keep at least one backup off-site and off-line: a backup that your network can reach is a backup the attacker can reach, and encrypt, too.  Source: Security Week

 

Reductor Malware Bypasses Encryption

Kaspersky, the Russian anti-malware vendor whose products are banned from US government systems, reported a new malware family, Reductor, that defeats a victim’s encrypted web traffic using a very novel technique.  Rather than attacking the cipher, the malware patches the pseudo-random number generator in the victim’s browser, so the “random” values the browser feeds into its encrypted sessions are no longer random.  Crypto built on predictable randomness is crypto the attacker can unwind without ever cracking the algorithm.  Very creative.  Source: The Register
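To make that point concrete, here is an added example written for this post (it is not Kaspersky’s analysis and not the malware’s own code, and it says nothing about Reductor’s internals).  It uses a toy keystream cipher built from SHA-256 so that it runs with nothing but PowerShell and .NET; the session key is drawn either from the operating system’s CSPRNG or from a “patched” generator that is fully determined by a seed the attacker knows.  The seed value, the message and the keystream construction are all my own choices for illustration.

```powershell
# Added example: why compromising the random number generator defeats encryption
# without touching the cipher. Toy code for this post, NOT the real malware.

function Get-SecureRandomBytes {
    # Healthy client: key material from the OS CSPRNG. Not reproducible by anyone.
    param([int]$Count)
    $bytes = New-Object byte[] $Count
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ,$bytes
}

function Get-PatchedRandomBytes {
    # "Patched" client: output looks random to the caller but is fully determined
    # by $Seed. Whoever knows the seed can regenerate every byte.
    param([int]$Count, [int]$Seed)
    $rng   = New-Object System.Random $Seed
    $bytes = New-Object byte[] $Count
    $rng.NextBytes($bytes)
    return ,$bytes
}

function Get-Keystream {
    # Toy stream cipher keystream: SHA-256(key || counter) blocks, truncated to $Length.
    # Stands in for the real cipher; the cipher itself is never attacked below.
    param([byte[]]$Key, [int]$Length)
    $sha     = [System.Security.Cryptography.SHA256]::Create()
    $out     = New-Object System.Collections.Generic.List[byte]
    $counter = 0
    while ($out.Count -lt $Length) {
        $block = $sha.ComputeHash([byte[]]($Key + [System.BitConverter]::GetBytes($counter)))
        $out.AddRange($block)
        $counter++
    }
    return ,$out.GetRange(0, $Length).ToArray()
}

function Protect-Message {
    # XOR with the keystream. Running it twice with the same key returns the plaintext.
    param([byte[]]$Key, [byte[]]$Data)
    $ks  = Get-Keystream -Key $Key -Length $Data.Length
    $out = New-Object byte[] $Data.Length
    for ($i = 0; $i -lt $Data.Length; $i++) { $out[$i] = $Data[$i] -bxor $ks[$i] }
    return ,$out
}

# Constructed sample message (hypothetical; any bytes would do).
$plaintext = [System.Text.Encoding]::UTF8.GetBytes('transfer 10000 to account 42')

# Healthy client: the attacker sees only ciphertext and has no way to rebuild the key.
$goodKey = Get-SecureRandomBytes -Count 32
$goodCt  = Protect-Message -Key $goodKey -Data $plaintext

# Infected client: same cipher, same message, but the key came from the patched generator.
$attackerKnownSeed = 0x5EED          # hypothetical seed the attacker planted or can derive
$badKey = Get-PatchedRandomBytes -Count 32 -Seed $attackerKnownSeed
$badCt  = Protect-Message -Key $badKey -Data $plaintext

# Attacker side: no cryptanalysis at all. Regenerate the "random" key, strip the keystream.
$recoveredKey = Get-PatchedRandomBytes -Count 32 -Seed $attackerKnownSeed
$recovered    = Protect-Message -Key $recoveredKey -Data $badCt
[System.Text.Encoding]::UTF8.GetString($recovered)

# Sanity check that the cipher itself is not the weak link: the healthy session's key
# cannot be regenerated, so the same trick does not work against $goodCt.
-not ([System.Linq.Enumerable]::SequenceEqual([byte[]]$goodKey, [byte[]]$recoveredKey))
```

The last two expressions print the original message recovered from the infected client’s traffic, and `True` for the healthy client (its key does not match anything the attacker can reproduce).  Nothing about the cipher changed between the two sessions; only the quality of the randomness did, which is exactly the lever Reductor pulls.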

 

vBulletin Developers Release Patches for 3 More High Severity Vulnerabilities

Right after patching the critical vulnerability that was used to break into Comodo’s forums, the developers of vBulletin have released even more patches.  This time it is a remote code execution (RCE) flaw and two SQL injection (SQLi) vulnerabilities.  vBulletin runs on at least 100,000 web sites.  While these vulnerabilities are not as bad as last week’s, you should patch them soon.  Source: The Hacker News.

 

Feds Hit the Mob with Cyberstalking Charges

A jealous mobster put a GPS tracker on his girlfriend’s car.  The mobster, a captain in the Colombo crime family and 20 of his friends were charged with racketeering, loansharking, extortion and, oh yeah, cyberstalking.  The story sounds like a Hollywood B movie, but it is, apparently, real.  Read the story here.

 

Colorado Records Another First

In response to the Intelligence Community’s assessment of foreign interference in the 2016 election, reports of attempted interference in 2018 and reports from DEF CON that every one of the voting machines that attendees tried to attack was vulnerable, Colorado Secretary of State Jena Griswold banned counting ballots using printed barcodes.  Griswold says that a barcode is not a verifiable paper trail if the voter has no idea what it says.  Colorado’s voting machine vendor, Dominion, has agreed to provide a free software upgrade that will print darkened ovals next to the selected candidate instead.  Unfortunately, nothing is perfect and this doesn’t go into effect until after the 2020 election.  Now that Dominion has agreed to provide the software upgrade for free, other states will likely follow.  Source: CNN.


Security News for the Week Ending October 4, 2019

Just a Wee Bit Over the Top

There is a colorful character who bought an old Cold War-era bunker in Germany and turned it into a “bulletproof” hosting center of the kind we see in Russia and elsewhere, where the operator will host anything, legal or otherwise.

Apparently the Germans got tired of this guy, who calls himself HRH Prince Sven Olaf of CyberBunker-Kamphuis and thinks he runs his own country.

The overkill part is that they sent in some 600 police officers to arrest him and a dozen of his employees who were in the bunker.  I wonder how much that cost them.  Source: The Register

Hacker GnosticPlayers Steals User Info From Zynga – 218 million people

This guy seems to be on a mission.  After stealing about a BILLION (yup, that’s right) user records already, he has just added 200+ million Zynga gamers to the mix.  While the information isn’t super sensitive, this points to how weak security is in many places.  Source: The Hacker News

Demant Hearing Aids Expects to Spend $95 Million Due to Ransomware Attack

In case you tend to dismiss ransomware attacks, Demant, the Danish hearing aid manufacturer, says that an unidentified cyber incident (likely ransomware) will cost it between $80 million and $95 million, mostly in lost sales, because the outage hit shipping, receiving and production.  Source: ZDNet

TEN More Hospitals Hit By Ransomware Attacks

Three hospitals in Alabama and seven more hospitals in Australia have been hit by ransomware.  In the Alabama attacks, ambulances are being redirected to other hospitals and if someone walks into the ER, they will stabilize the patient and transfer him or her elsewhere.

The hospitals in Australia also say that patient services are being affected.  Source: Ars Technica

 

Baltimore Did Not Have Backups For Key Files

Baltimore lost a lot of key data because it did not have effective backup policies.  Users were storing the only copy of data on their local hard drives.

While it is fun to criticize Baltimore, when was the last time that your company actually tested that you have readable backups for **ALL** of your key data, including, and especially, data stored in the cloud?

Baltimore is going to spend about $10 million and lose an additional $8 million in revenue due to the attack.  Source: Dark Reading
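Here is what “actually tested” can look like in practice.  This is an added example written for this post, not something from the Baltimore report or the Dark Reading article: record a hash manifest of the source when the backup is taken, restore the backup to a scratch location, and compare every file against the manifest.  All paths are placeholders, and the restore step itself is whatever your backup tool does.

```powershell
# Added example: verifying that a backup is actually restorable. Placeholder paths throughout.

function New-BackupManifest {
    # Record the SHA-256 and size of every file under $SourceRoot at backup time.
    # Pass $SourceRoot without a trailing backslash (e.g. 'D:\Finance').
    param([string]$SourceRoot, [string]$ManifestPath)
    Get-ChildItem -Path $SourceRoot -Recurse -File |
        ForEach-Object {
            [pscustomobject]@{
                RelativePath = $_.FullName.Substring($SourceRoot.Length).TrimStart('\')
                Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Length       = $_.Length
            }
        } | Export-Csv -Path $ManifestPath -NoTypeInformation
}

function Test-BackupRestore {
    # After restoring the backup to $RestoredRoot, compare it file by file to the manifest.
    # Returns $true only if nothing is missing and nothing has changed.
    param([string]$RestoredRoot, [string]$ManifestPath)
    $ok = $true
    foreach ($entry in Import-Csv -Path $ManifestPath) {
        $path = Join-Path $RestoredRoot $entry.RelativePath
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "MISSING: $($entry.RelativePath)"
            $ok = $false
            continue
        }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($hash -ne $entry.Sha256) {
            # A changed hash on a file nobody edited is exactly what ransomware-encrypted
            # (or silently corrupted) backup data looks like.
            Write-Warning "ALTERED: $($entry.RelativePath)"
            $ok = $false
        }
    }
    return $ok
}

# Usage (hypothetical paths):
#   New-BackupManifest -SourceRoot 'D:\Finance' -ManifestPath 'E:\Backups\finance-manifest.csv'
#   ... take the backup; put one copy on off-line / off-site media along with the manifest ...
#   ... later, restore into a scratch folder and check it:
#   Test-BackupRestore -RestoredRoot 'R:\RestoreTest\Finance' -ManifestPath 'E:\Backups\finance-manifest.csv'
```

Keep a copy of the manifest with the off-line copy of the backup.  If the manifest lives only on the network, an attacker who encrypts your backups can just as easily replace it, and the test proves nothing.  The same approach works for data you export from a cloud service: hash the export when you take it, and verify it when you practice restoring it.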


Windows 10 Offers New Anti-Ransomware Feature

Back in May Microsoft released Windows 10 version 1903, AKA the May 2019 Update.  Suffice it to say, Microsoft has had more than its share of problems with 1903, so if you are not there yet, I would not install it.  It is quite embarrassing for Microsoft that more than 90 days after the release, it is still not ready for prime time.

However, once they get things figured out, 1903 carries a feature that seems very cool: Ransomware Protection.  (Strictly speaking, Controlled Folder Access, the heart of it, has been in Windows 10 since version 1709; it is just getting attention now.)

Given how pervasive ransomware has become, anything that you can do to reduce the attack surface seems like a good idea.

One feature that I am not going to talk about today is Windows Sandbox, which is a lightweight virtual machine that you can use to run untrusted software.  More on that another day.  (FYI, none of my machines have updated themselves to 1903.  I threw caution to the wind and forced an update on one machine.  I have my fingers crossed.)

In the meantime, I am going to talk about Ransomware Protection.

This feature comes in two parts and, FYI, as is usually the case with new features, this feature comes DISABLED by default.

Part one is called CONTROLLED FOLDER ACCESS.  If Controlled Folder Access is turned on, Windows blocks untrusted applications from changing files in the folders it protects (your Documents, Pictures, Videos, Music, Favorites and Desktop folders by default, plus any folders you add), unless you specifically allow the application.  This means that if some malware tries to encrypt, say, your Documents folder, it will be stopped cold.

Part two is called RANSOMWARE DATA RECOVERY.  This relies on OneDrive: files you keep in OneDrive are versioned in Microsoft’s cloud, so you can roll back to an older, unencrypted version.

To turn on Ransomware Protection, click on START and then type WINDOWS SECURITY in the search box.

[Screenshot: Windows Security app]

Then click on VIRUS & THREAT PROTECTION.

[Screenshot: Virus & threat protection page]

Scroll down to Ransomware protection and click on MANAGE RANSOMWARE PROTECTION.

[Screenshot: Ransomware protection section]

Turn on Controlled Folder Access and also sign in to OneDrive.

[Screenshot: Ransomware protection enabled]

You can now configure Controlled Folder Access: add the folders you want protected and allow any applications that legitimately need to write to them.

Given this is somewhat complicated, you may want to ask your IT person to help you with this.

In the end, however, this seems like a great feature.
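If clicking through the app is not your style, or you need to do this on more than one machine, the same settings are exposed through PowerShell.  The following is an added example for this post, not from Microsoft’s documentation or the Bleeping Computer article; the folder and application paths are placeholders you would replace with your own, and the commands must be run from an elevated (Run as Administrator) PowerShell prompt.

```powershell
# Added example: Controlled Folder Access from PowerShell (run elevated). Paths are placeholders.

# 1. Turn it on. On a production machine start in AuditMode, which only LOGS what would
#    have been blocked, then switch to Enabled once the allow list below is right.
Set-MpPreference -EnableControlledFolderAccess AuditMode
# Set-MpPreference -EnableControlledFolderAccess Enabled

# 2. Protect folders beyond the default user profile folders (Documents, Pictures, etc.).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance', 'D:\Projects'

# 3. Allow a legitimate application that Defender does not already trust (hypothetical path).
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Apps\LineOfBusiness\app.exe'

# 4. Confirm the settings took.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications

# 5. Review what was blocked (event 1123) or would have been blocked in audit mode (1124).
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1123, 1124
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run step 5 for a week or two in audit mode before flipping to Enabled; every 1124 event is an application you either add to the allow list or decide should not be touching those folders.  Ransomware that reaches a protected folder in Enabled mode shows up as a 1123 event, which is worth forwarding to whatever you use for alerting.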

Source: Bleeping Computer.


Security News for the Week Ending August 23, 2019

Remember That Vague Client Alert Earlier This Week?

For those of you who are clients, you received an out of cycle client alert on Tuesday (they usually come out on Wednesday) providing a copy of the Homeland Security Alert on the Sodinokibi ransomware going after Managed Service Providers or MSPs.   It now appears that the attack on Texas towns (see below) is based on an attack on the MSP hosting the systems of those municipalities.  Assuming that is true (The state of Texas is being very vague on the whole situation), that could explain why DHS issued the alert at this time.  To reiterate the recommendation in the alert – make sure that your MSPs’ security programs are up to the task.  In the case of Texas, one town has announced that the attacker wants that town to pay $2.5 million in ransom.  Source: Bleeping Computer.

20 Texas Towns Hit by Ransomware.  Wait 23.  Wait …..

Cities and towns across the country have been hit by a wave of ransomware attacks, but of course, everything is bigger in TEXAS.

While the press release is very short on details, the Governor has called out the Texas Military Department (that is the combination of the Army National Guard, the Air National Guard and the Texas State Guard, which is an organized militia as defined in the Constitution) along with the experts at Texas A&M University (The Aggies have a world class cybersecurity capability) to help the cities impacted deal with the situation.  While Colorado was the first state to activate the National Guard to help with a cyber attack, Texas is now the third (after Louisiana) in what may become a trend. Source: KUT, Austin’s Public Radio Station. 

IRS Notifies Thousands of Cryptocurrency Traders of Back Taxes and Penalties

Not wanting to leave money – even digital money – on the table, the IRS has sent letters to thousands of cryptocurrency traders who did not report their trades on their tax returns, assessing taxes and penalties along with the threat of possible criminal prosecution.  Not a big surprise, but if you thought you could escape the tax man…  Of course, if you trade peer to peer rather than through an exchange, the tax man is much less likely to ever find you.  Source: CNBC.

 

Huawei Goes Into Full Battle Mode

Huawei CEO Ren Zhengfei sent a memo to the company saying that, in light of the US bans, it was time for the company to go into full battle mode, with references to the classic military text The Art of War.

As President Trump effectively admitted by continuing to suspend the ban, the ban on Huawei has only a little to do with national security and everything to do with his trade war.  Meanwhile the ban is affecting US companies’ bottom lines and users’ security.

In the meantime, Huawei says that it will build 60,000 5G base stations this year and 1.5 million next year, all without any US components.  Other countries continue to buy Huawei equipment, and US rural cell carriers say that it will cost them more than a billion dollars, which they do not have, to replace the Huawei equipment they already own, meaning that they will dramatically slow their 5G deployments.

The US is currently lagging in 5G deployment and, despite the President’s wishes that this were not so, that is not likely to change any time soon.  Read the details of this dance here.

 

Plan for End of Life of Software Support

End-of-life in software and hardware means no more security fixes and given the number of fixes we see every month, using software and hardware that is no longer supported is not a good plan.  No more patches does not mean no more flaws – just no more fixes for those flaws.  Hackers count on that fact.  Here is what is coming up to the end of life soon:

Python 2 on January 1, 2020 (about 4 months)

Windows 7 on January 14, 2020 (also about 4 months)

Windows Server 2008 and 2008 R2 also on January 14, 2020 (4 months).  As an incentive to get you to migrate to Azure, if you move your Windows 2008 servers to Azure before January 14th (and therefore pay Microsoft monthly), they will give you Extended Security Updates for Server 2008/2008 R2 for three more years at no extra charge.

For states with cybersecurity and privacy laws that say that you have to take reasonable measures to protect your data, it will be hard to defend in court, if you have to, that using unsupported software is taking reasonable measures.


Security News for the Week Ending August 9, 2019

Researchers Hack WPA 3 Again

The WiFi Alliance has always kept its documents secret.  The only way that you even get a copy of the specs is to become a member, and that will cost you $5k-$20k a year, depending on your role.

The same team that reported the Dragonblood bugs in WPA3 earlier this year found these new bugs.  The WiFi Alliance fixed the first set of bugs – in secret – and those fixes actually opened up more security holes.

SECURITY BY OBSCURITY DOES NOT WORK.  PERIOD.  Source: The Hacker News.

 

IBM Says Reports of Destructive Malware Attacks Up 200% in First 6 Months of 2019

IBM’s security division X-Force says that reports of destructive malware in the first 6 months of 2019 are up 200% over the last 6 months of 2018.  Ransomware is also up – 116% they say.

This means that businesses need to up their game if they do not want to be the next company on the nightly news.  Source: Ars Technica.

 

StockX Hides Data Breach, Calls Password Change a System Update

If you have been breached, it is best to come clean.  It is critical that you have a plan before hand (called an incident response plan).  Part of that plan should not say “lie to cover up the truth”.  It just doesn’t work.  StockX tried to convince people that their requirement that everyone change their password was a “system update”.  It wasn’t.  It was a breach and the truth got out.  Source: Tech Crunch.

 

US Southcom Tests High Altitude Surveillance Balloons

US Southern Command is testing high altitude balloons from vendors like Denver based Sierra Nevada Corp that can stay aloft for days if not weeks – way cheaper and more pervasive than spy planes.

The balloons, whose details are likely classified, probably use techniques like the ones used in Iraq, only better.  In Iraq, Gorgon Stare could capture gigabytes of high resolution video in minutes, with a single drone covering an entire city.

The theory here is record everything that everyone does and if there is a crime, look at the data later to figure out who was in the target area to create a suspect list.  1984 has arrived.  Source: The Guardian.

 

Amazon Learns From Apple’s Pain

After Apple’s pain from the leak that humans listen to a sampling of the millions of Siri requests a day, Amazon now allows you to disable that feature if you want and if you can find the option.

Buried in the Alexa privacy page is an option that you can disable called “help improve Amazon services and develop new features”.  Of course you don’t want to be the one who disables it and doesn’t help Amazon make things better.  Source: The Guardian.

 

North Korea Has Interesting Funding Strategy

North Korea has a very active weapons of mass destruction program.  That program is very expensive.  Given that the economy of North Korea is not exactly thriving, one might wonder how they pay for this program.

They pay for it the old fashioned way – they steal it.

In their case, that doesn’t mean robbing banks.  It means cyberattacks: ransomware, cryptocurrency robberies, stuff like that.  The UN thinks that they have stolen around $2 billion to fund their weapons programs.  And still going strong.  Source: Reuters.


Cloud Service Providers Are Not Immune from Ransomware

You moved your applications to the cloud.  Now you don’t have to worry about managing IT systems.  The headaches are someone else’s.

Well sort of.

Here is what customers of QuickBooks cloud hosting provider iNSYNQ have been seeing for the last three days when they try to log on:

[Screenshot from the iNSYNQ site]

The hosting provider experienced the ransomware attack on July 16.

The company’s web site says that they are now beginning to restore users’ data but the process will take a while.

They are saying that some files (they are not saying how many) were encrypted and they hope that you made your own backups.  They are trying to figure out how to deal with those encrypted files.

And, oh yeah, from now on you should probably make your own backups.

And what, exactly, am I paying you for?

So what does this mean for you?

Let’s assume for the moment that you are not an iNSYNQ customer, since most of the planet is not.  And, I suspect, many of their current customers will not be customers for long.

First, DO NOT assume that because you moved something to the cloud, things are not your responsibility any more.  Kind of like your self driving car. You better be ready to stomp on the brakes in case your car makes a mistake.

Check your cloud service provider’s TERMS OF SERVICE.  Likely it says that they are not responsible for many things.  Make sure that, for those things, you have a plan.

Many cloud service providers have a “shared responsibility” model at the core of their offerings.  That means that they acknowledge that they are responsible for some things, but you are responsible for others.  Make sure that you know who is responsible for what.

Understand what the provider’s guarantee is regarding uptime.  iNSYNQ has been down for 7 days and says that it will be more days before they are back up – possibly minus your data.  Most of the time the agreement says that they will get things working again as best they can, but with no time frame.  Is that going to work for your business?  In this case, it is the client’s accounting software.  Is not being able to write checks a problem?  Is not being able to run payroll going to bother anyone?  Is losing years’ worth of financial data going to upset your investors, your regulators and your customers?

DO YOU HAVE A PLAN FOR WHAT TO DO IN A CASE LIKE THIS?

Lastly, does the provider offer a guarantee?  Often they will not charge you for the time they were down.  Let’s say they charge you $200 a month for their service and they are down for two weeks.  Likely that means that they want you to pay your bill for the month, but they will very generously give you a $100 credit on that bill.

DOES THAT COVER YOUR PAIN?  I DIDN’T THINK SO.

Maybe your accounting software is not terribly important to you?

What about your web site?

Or your manufacturing software?

Or whatever else you moved to the cloud.

Understanding the risk is a good thing.  I strongly recommend it.

Source:  The iNSYNQ website, here and here.

 
