Erich’s “What in the (cyber security) world is going on?” 12-29-16 edition

2016 Isn’t done with us yet

Screw 2016. That’s kind of what I’m feeling. I’m about tired of people passing away this year. The latest celebs are George Michael, Carrie Fisher, Richard Adams and Debbie Reynolds were all lost this week. Even closer to home is the wife of a person I have a lot of respect for, Jack Daniel, who lost his wife of 37 years on Tuesday. I cannot begin to imagine the pain and sadness the close friends and family of all of these people are feeling. I am praying for their peace as they go through these tough times.

I’m going to do something a little crazy

I’m going to run for a spot on the (ISC)2 Board of Directors in 2017. I worked for them for a couple of years as an advocate for the membership, among other things, and I still feel strongly about trying to help folks that carry the CISSP and other (ISC)2 certs so I’m going to make a run at it. I will need 500 emailed petitions be on the election slate. If you are an (ISC)2 member, please check out this link and help me out. It only takes a minute. Thanks

Disk-Killer Malware Adds Ransomware Feature And Charges 220 Bitcoins

Ouch! Your machine is infected by an email attachment. Now it encrypts the snot out of it, and exfiltrates data. I made a call earlier that I expected to see this sort of behavior, but I didn’t expect this kind of price tag. The back story is fascinating as it has evolved from ICS and SCADA attacks. This is worth reading.

 

Makes my neck hurt looking at it

Android ransomware hits a Smart TV

So, this poor souls family got hit with ransomware on their TV and are not happy about it. It seems LG won’t give him the process for a factory reset, and there is some talk about a charge for support. It’s an old set, still running Android, and it would almost certainly need to be sideloaded or rooted to install a 3rd party .apk. I’m not sure what I think about this as they say, “they downloaded an app to watch a movie. Halfway thru movie, tv froze. Now boots to this”. Now, call me crazy, but I have to wonder if the app was something called “Codec.apk” or something similar, and perhaps if the movie they were watching was um… not from trusted channels. Fact is kids, if you DL pirated movies, you might just be opening yourself up to something like this. Not sure if LG has a way for a user to fix this if it really encrypted the file system. Factory reset doesn’t help if the source is encrypted. Just sayin. I do wish there was more info out there, but I think we have heard the last of this.

New iTunes Phishing Emails on the Rise

Watch out for iTunes invoices bearing… attachments or links. If you get an email saying you paid $45 for the Netflix app or $25 for a song (not even a Kanye song is worth that!), don’t click the link. Instead, go directly to iTunes (no really, this link is legit, I promise!) and check your account from there.

How does she have that many followers and I only have about 150?

A Britney Spears Twitter account was hacked

It was an account controlled by her record label and has about 614,000 followers. Since the hackers did this at about 5:00am Eastern Time, nobody seemed to notice. I’m guessing most of the people that still listen to here were still sleeping off a bender at that time of day. Since all of the hacked tweets were gone by 9am, it practically didn’t happen.

Bitcoin hit over $930

That’s a lot for a unicorn/vapor cyber currency. Maybe I’m just old, but I’m not even sure how I feel about this, but I’m done talking about this imaginary money.

(ISC)2 Members – Please support me for the 2017 Board of Directors election

First I want to start by saying thank you for taking the time to read this. Back in January, I announced my intention to run for the (ISC)2 Board of Directors this year.  To do this I need to get 500 signatures on a petition in order to be included on the slate for voting. In the past, the board elections typically took place in November, however for some reason this year they’ve moved it up to the end of July and beginning of August.  This change has impacted my timeline as I must have the 500 signatures submitted by May 31. The compressed timeline was a surprise to many, so I need your help more than ever.

 

Why do I want to do this?

For about two years I worked for(ISC)2 as the Director of Member relations and services. I took this role very seriously and worked very hard to ensure that the members voice was heard, and to try to accomplish things that would impact the members in a positive way. It is my opinion that(ISC)2, as a not-for-profit organization, needs to do a better job serving the membership  in protecting the value of the CISSP and other certifications by making it easier to maintain the certifications, being prudent with the release of new certifications, and providing greater value to the members.

While working for (ISC)2 I began a number of projects to benefit the members, but still have not seen many of them come to fruition. Some have been implemented, such as moving endorsements from the paper process to an online process which is much more streamlined and creating one of the most asked about features from members, the downloadable versions of the.pdf certificates.  Things that still have yet to be done include the implementation of greatly simplified CPE rules process and improvements to the member portal that allow for easier submission and tracking of CPEs. If elected, I will be working to ensure these initiatives do not lose steam.

In addition, many changes have recently been made to the processes related to the certifications, some of which concern me. If elected, I will keep an eye on these changes and any impact they may have while ensuring that the value of (ISC)2 certifications remains second to none.

I travel a lot in my job and speak at a lot of security conferences.  This allows me to meet with security professionals from all around the country and the world, and get their feedback on the certifications, State of the industry, and what is needed to help.  With over 110,000 CISSPs, I honestly believe if we work together, we can make positive changes in the world and the industry.

Finally, I live in the Tampa area where (ISC)2 is based, which will allow me to work very closely with the leadership.

What are my top goals if elected?

  • Ensure the value of the CISSP and other (ISC)2 certs are maintained or improved
  • Make the certification maintenance process easier through simplified CPE guidelines and a better CPE reporting mechanism
  • Meet with other (ISC)2 members, listen to their concerns, and advocate on their behalf within the organization
  • Continue the push for increased transparency and communication between (ISC)2 and its membership
  • Provide tools and resources for security professionals that will make their lives easier and add to the value of holding an (ISC)2 certification

I need your help!

Per the (ISC)2 Bylaws, any member in good standing can be elected if willing to serve per section IV.7:

The name of any qualified person who agrees to serve if elected may be submitted by signed, written petition, of at least 500 members in good standing as of the date of the election announcement, to the Board at least sixty (60) days in advance of the start of the election. Any such petition shall identify the Board seat for which the nominee is to be considered. Nominees received under this process shall be included on the ballot.

This means that I need a petition from 500 (ISC)2 members nominating me for the Board of Directors in order to get on the board election slate. This petition must be emailed to me at [email protected] from the email address you have associated with your (ISC)2 account and must contain your name and member number. I have made a sample email below that you can quickly copy and paste, replacing the key areas with your information.

 

What will I do with your email address?

I will only use the email address for the purpose of verifying your eligibility, communicating directly with you about the election/petition in a brief manner, and will provide it to (ISC)2 with the petition (they already have the email address after all). This is what I expect as far as emails I will send go:

  • I plan to send a short communication once upon submission of the petition
  • A short email as a reminder about a week before voting opens
  • A short email when voting opens
  • A short email with the results of the election (namely if I made it or not)

It is possible that additional emails regarding the status of the submitted petition and/or election will be sent if needed, but I will only do this if really necessary.

The template

If you would like to support me in my bid for the (ISC)2 Board of Directors, please copy and paste the below template in to an email that will come from your email of record with (ISC)2 , replace the bold sections with your information, and send it to [email protected].


(ISC)2 Election Committee,

I, <INSERT NAME>, holding the <INSERT (ISC)2 CERTIFICATION(S)> certification, petition that Mr. Erich Kron, CISSP #392400 be included on the 2017 Board of Directors election slate. I have sent this email from my email address of record associated with my certification and will continue to be a member in good standing for the election in 2017.

Sincerely,

<Name><Member Number>

 


Thank you very much for your support!

-Erich

 

 

 

Erich’s “What in the (cyber security) world is going on?” 12-22-16 edition

Posting a little early this week due to the holiday. Merry Christmas, and may you have a great Whatever Holiday You Celebrate!

I released my 2017 predictions. 

Don’t tell anyone, but I really just pulled some stuff out of my backside, but figured I was on the hook to do something. I think they are pretty accurate if you take the categories in to account. Your help not holding me accountable for any of these predictions is appreciated. At least it’s entertaining. Javvad Malik’s are much more relevant.

 

Free CryptXXX decrypter was released. 

Thanks to the folks at Kaspersky Lab, a free tool to decrypt your files hit with CryptXXX has been released. This may or may not be the reason for the “1/2 price for the holidays” offer from the bad guys. I’m thinking it is and thrilled about it. Hopefully they will coal, or reindeer poop in their stockings this year. They deserve it.

 

Free unlock code for Padlock Screenlocker

BleepingComputer reported the unlock code for Padlock Screenlocker is ajVr/G\RJz0R and that the files are not actually deleted. Let’s keep this sort of thing coming!

 

Community Health Plan of Washington exposed 380,000 PHI records

The bad guys were there almost a year and got about 380k PHI records. That’s just sad.”It appears that names, addresses, dates of birth, Social Security numbers and certain coding information related to health care claims may have been accessed” but “Banking and credit information was not contained in the data“. Well, isn’t that just lovely. Personally, I’d rather lose a CC# than my SSN.

 

Columbia County schools victim of data breach

The affected server did not contain student data, but did have “confidential employee information, including names, Social Security numbers, birthdates and more“. In the several weeks since discovery, “Investigators could not confirm if any of that information was copied or compromised“. In other words, they can’t figure out if you are compromised or not. Good luck with that.

There is a patch for the Netgear routers vuln

Go get it if you are affected. That is all!

 

Social engineering is easy

Not a newsflash, but this video and this video show just how easy it is. This is why you need Security Awareness Training. Teach people that they are targets. It’s important.

 

 

 

 

 

L.A. County hit with a phishing attack – 750k records

Confidential health data or personal information of more than 750,000 people may have been accessed in a cyberattack on Los Angeles County employees back in May. “Among the data potentially accessed were names, addresses, dates of birth, Social Security numbers, financial information and medical records — including diagnoses and treatment history — of clients, patients or others who received services from county departments.” But look at the bright side, it was WAY back in May and now you get a year of free credit monitoring. Sadly, your SSN is valid for more than a year and once it’s out there…

 

Just in time for Christmas, a Galaxy Note 7 fireplace. 

I love this. Words fail me with how much I love this. The ringtone music is a wonderful touch. Have I mentioned that I love this?

 

 

 

 

Erich’s Cyber Security (and other) Predictions for 2017

Well, this seems to be the time for predictions, so who am I to break tradition? I’m not going to waste valuable time telling you how qualified I am to make these predictions because, it really doesn’t matter. I have given very little thought to these and have researched almost nothing. Only the first group is liable to be true (almost guaranteed as a matter of fact. So, here we go…

Disclaimer: These predictions and opinions are mine and mine alone, not those of my employer.

Group 1 – Pretty Much a Sure Thing

  • Social Engineering Will Continue to Be a Dominant Force in Breaches – Let’s face it, people are going to continue to get phished. Phishing will continue to result in more breaches, lost money and W2’s and ransomware infections. Expect W2 scams to start in January and continue until mid-year. The others will happen constantly.

 

  • The Gunslinger Movie Will Finally Be Released – And even if it sucks, I will like it. I don’t have a choice. It is not likely to ever be redone in my lifetime, and I have waited for so long, it simply can’t suck. This has nothing to do with cyber security, but I don’t really care. It’s on the list.

 

  • Security Awareness Training Will Continue to Be The Best Defense Against Phishing Attacks – Seriously though, the industry will really step up the game this year to combat phishing. As platforms mature, new features designed to get ahead of the bad guys will be released and will significantly reduce click rates. Organizations that did not believe in the value of SAT will have their eyes opened to how effective it can be. Any of you that know me, know that I won’t promote anything I really don’t honestly believe in. It’s why I work for KnowBe4. It works and helps admins in all company sizes.

 

  • Someone You Like Will Die a Horrible Death on Game of Thrones – Like someone in the series? They will die. Prepare for it.

 

 

  • Someone You Like Will Die a Horrible Death on Walking Dead – See above.

 

 

Group 2 – Likely

  • I Will End Up With Another Year of Free Credit Monitoring – The only real question is related to what PII they will lose. My medical records, credit card info or something else entirely? It’s almost exciting to ponder the possibilities. After being impacted by the VA, Target, Home Depot and OPM breaches, I’ve had some sort of free credit monitoring in place for years!

 

  • All Retail Stores Will Be Called Amazon – Much like the story line in the movie Demolition Man predicted with Taco Bell, all retail stores will become Amazon. This will be great when it comes to remembering domain names, as all stores will be Amazon.com, but it’s going to wreak havoc on GPS directions when you want to shop IRL.

 

  • No Less Than 10 Security Vendors Will Try To Convince You That Their Product is All You Need – Marketing departments will be working overtime to convince you that their widget can replace your security staff and let you sleep well at night. Don’t believe the hype. There is no silver bullet. Give the ones that are honest about the issue your time, ignore the rest.

 

  • You Will Try To Restore From Backup, And It Will Fail – Yeah, odds are, if you need your data back, it won’t be there. Remember the 3-2-1 Rule and you can move the odds in your favor.

 

Group 3 – Not Very Likely (a.k.a. Not a chance in the world)

  • The Tampa Bay Buccaneers Will Not Be An Embarrassment.  – The Bucs will leverage Winston to win the division. Fans will be proud of their team and will not have to whisper “the Bucs” while averting their eyes, when asked what team they support.

 

  • No Major Breaches Will Occur in 2017 – Yes, there will be minor ones, but the big ones are over. Organizations will finally take security seriously after 2016. This will allow overworked Infosec pros a chance to get the right tools and staffing to prevent major breaches.

 

  • Celebrities Will Stop Being Involved In Politics – Celebs will finally realize that they are talented in singing/dancing/acting/cooking/being a hopeless case in a reality show, but really don’t understand global politics as much as they think they do. It will occur to them that some people spend a lifetime studying politics and economics to get in the position to have their opinions respected. This is not the same as playing the President on a made-for-TV movie.

 

 

OK, So that’s about all I’m going to try to predict for 2017. Let me know in the comments if you have any predictions of your own.

 

Life on the Road – Cats, Cold and More

My job takes to a lot of places and I love that part of it. Seeing the country and gaining the experiences is something I love to do. There is an old saying about the journey being a big part of the fun. I cannot agree more.

Some of these travel posts are going to sound like complaining. I assure you, they are (probably) not. They are really about the funny stuff I get to see. It’s humorous story telling that may (or may not) embellish a tiny little bit. All of it is based in truth though, and only the details might be, um… “enhanced” a bit.

Having said that, let me give you a little background. I am an airline snob. I admit it. I don’t care much about the hotels I stay in, or the dinners I eat, but I do care about the airline experience. I hate being rushed, I am dismayed by the fact that people often revert to Lord of The Flies like behavior when it comes to air travel.

Take for example the carry on baggage rules. 1 personal item and 1 carry on item. The carry on item is limited in size (stuff it in this box over here and see), but the personal item seems to be magically unimpaired by size restrictions, or at least the rules are unknown and unenforced. I see folks with bags bigger than my checked bag going onboard as a “personal item”. The other thing is animals.

Get These @#&! animals off the @#&! Plane!

Yeah, there was a time when animals travelled in crates in the belly of the plane. Now, it seems, they are everywhere. Comfort dogs, pot-bellied pigs, and worst of all… CATS!

Now, I like cats, but folks, 30,000 ft and 600mph is no place for a feline. Southwest Airlines seems to gather more than it’s fair share of animals. Yesterday was a perfect example. I was going from Tampa to Columbus. I normally avoid Southwest when I can, as I hate the open seating thing, but it was the only direct flight. I get on board as part of the “A” group and take my customary window seat. This was about row 10. Now, with an entire plane full of empty seats, I am joined by a couple with a lovely blue carry-on containing a rather unhappy looking tabby. It’s eyes gleamed yellow out of the mesh on the ends of the soft-sided carrier. For some reason, it looked right at me, right in to my soul. I was scared. Terrified really. I believe my very life was being weighed by that creature (That was likely called something cute, like Fluffy, or Tom, or Mr. Tinkles). For a reason I have yet to understand, I believe the cat blamed me for its current predicament, and it wasn’t happy.

It looked meaner in person!

Why these people decided to sit beside me, in a barely filled plane is still beyond me, but I wasn’t going to move. I was trapped in my windows seat, and any chance of escape involved passing the pointy parts of the Hell-spawn in the seat beside me. I just tried to avoid eye contact.

Another thing that Southwest does well is cater to families. That means children, and children are magically attracted to my part of the plane (whatever part that happens to be), especially when they are going to act up. This was no exception. Little Tommy, (we will use that name) decided he wanted no part of the plane thing without fully exercising his well-developed lungs. When Tommy let loose, even Mr. Tinkles took notice! He was now even less thrilled than before. I began to fear for my life.

Fortunately, the rule says livestock must be stuffed under a seat for takeoff and landing. It seems nobody wants an angry, airborne murder-cat loose in the plane in the case of a rough takeoff/landing. Good idea! Mr. Tinkles got unceremoniously stuffed under the seat much to my relief, now he could only plot the destruction of my Achilles tendons rather than my throat. That was the good part.

The bad part, was that the cat decided to become… “musical” and join Tommy in a serenade of noise that no sound cancelling headphones can dampen. This continued on for most of the flight. Once the cat started, there was no “off” button. He did modulate between simple loud meows and “I’m caught in a blender” yowls, so we had that going for us.

By the time I hit Columbus, I was ready for the 5 degree weather if I could just get off the plane.

I am currently back in the airport waiting to board another tube-of-hades to return to Tampa. I ended up in a “B” boarding group, so I’m hoping for the best. I’ll let you know if the return goes off the rails.

Erich’s “What in the (cyber security) world is going on?” 12-16-16 edition

Holy Crap! Lots of stuff going on in this weeks post. Stay safe out there and please use the buttons on the bottom to share with folks you think can use the info. I’m always up for comments and feedback as well.

If! You! Use! Yahoo! Just! Stop!

Nothing more to say about that. 1 Billion accounts exposed. This is just dumb. Get a Gmail account and move on.

Sneaky little hobbitses. Wicked, tricksy, false!  –  Nymaim using MAC addys to uncover virtual environments & bypass AV

So, the lovely trojan dropper known as Nymaim got smart and is looking at MAC addresses to see if the machine is a Virtual Machine (VM). Since VMs are used a lot as sandbox environments for malware research, it won’t launch if it detects a network card with an OUI associated with a VM. Keep this in mind when testing to see if a file is malicious or uploading to a sandbox for detonation. It may be misleading. On a plus note, if you run thin-clients, you might be better off.

 

Watch for Uber Vomit Scams 

This is a general PSA, but I am hearing about this more often. The way it works is, you get back from a trip somewhere and your card is charged an extra $150 by Uber for a “Clean up fee”. The drivers will sometimes upload pictures of a mess in the back seat as “proof”. This is usually fake, or a reused photo. The scam seems to be gaining steam and folks spend a lot more time out of town, often using an Uber to get to/from the airport. Moving forward, I might start taking cell phone pictures of the car when I get in and out, just for CYA. It’s tough to fight when it’s done and gone, and you have been home for a week. I still love Uber, but drivers are people too, and some are going to be looking to make a fast buck.

 

Security Sessions: Ransomware as a service on the rise 

My CEO, Stu Sjouwerman, did an interview with CSO Online regarding the RaaS (Ransomware as a Service) issue. It’s a quick video, but he talks about some of the trends and how to defend against them. You might already know that I’m a huge KnowBe4 Fanboy, and not just because I work for them. It’s all about helping educate people so they can make better decisions. it’s why I can get behind the company so much.

 

NY AG warns lawyers of phishing campaign

There are some phishing emails going around targeted at lawyers in the New York. It looks like it’s coming from the NY State Attorney General and is designed to get users to open a PDF attachment. An example of the email is here. This is an example of a very targeted spear phishing attack that is not likely to get flagged by spam filters.

 

A New And Scary Double-Ransomware Whammy

Here is a pretty interesting (and crappy) new strain of ransomware. It encrypts the files, then reboots and encrypts the MFT, so it ends up hitting you for a ransom twice. Kinda rotten. Be aware of any PDF saying it’s a job application, especially if it has a link to an Excel file.

 

Amazon shoppers targeted in ‘order cannot be shipped’ scam

Tis the season as I have said before. Packages are flying all over that place, and who doesn’t use Amazon? Scammers are sending emails saying that packages can’t be shipped. The idea is to get you to open an attachment or click a link (as is reported in this story) that leads a person entering credentials or a credit card for “confirmation”. I guess that scammers need to buy presents too, right? This is not new, but given the time of year, it’s very effective.

 

Samsung will be bricking the esploding Note 7 phones on December 19th

Yes, Samsung has decided that while you can own the hardware (as blow-uppy as it may be), they own the software, so they can go ahead and virtually blow up the phones before they physically blow up. An interesting angle on a “voluntary recall”. If you still have a Note 7 <AustinPowersVoice>I too like to live dangerously</AustinPowersVoice> You have until December 19th to return it, lest it become a potentially randomly exploding doorstop. Please “Note” that Verizon is not taking part in the OTA update that will brick these devices, as they figure folks may not have a device to switch to, and (the lawyers, I’m sure) have an issue with leaving someone without a device that can call 911 in an emergency.

 

Netgear Nighthawk Routers vulnerable to badness. 

Netgear Nighthawk R7000, R6400, R8000and R8500 models “might” be vulnerable to a bug provided to them by researcher Andrew Rollins (a.k.a. Acew0rm) on August 25, but only acknowledged after he posted it on December 6th. So much for Netgear supporting responsible disclosure. Basically, bad guys can get root through the devices web server. There is a temp workaround that kills the vulnerable web server process, but it only works until rebooted.

And Finally… A little much needed humor

Santa Gets Hacked! 

 

Erich’s “What in the (cyber security) world is going on?” 12-09-16 edition

Ok, I’m moving these updates to Fridays. Mondays are just, well, Mondays. If you are new to my posts, basically it’s a recap of some key infosec happenings in the past week. Having said that, let’s move ahead:

Infect 2 Others and Get Your Ransomed Files Back Free!

I posted about this earlier today, but the summary is that the jackholes that created the Popcorn Time ransomware strain are offering to decrypt your files free if you just get 2 more people infected and they pay the ransom. It looks like there will be an option to have the software start deleting files if 4
incorrect decryption keys are tried as well. This appears to be a proof of concept at this point, but these often end up in the wild once they get a buyer. I hope they die a slow festering death in the pits of an Alabama outhouse. This video sums up my feelings for these folks: Hanging’s too good for him…

 

Legal raids in five countries seize botnet servers, sinkhole 800,000+ domains… and then they release the leader who disappears. 

So, after taking down the largest malware/phishing ring in recent history, a judge in the city of Poltava, Ukraine released the leader because the prosecutor forget to mention that during the arrest, the leader shot at the cops, including popping a round through the front door. Without that little detail, and the associated “attempted murder of a police officer” charge, he got to walk. In a shocking turn of events, Kapkanov disappeared just as quickly as the Poltava’s prosecutor’s career.


3.2M home routers seized via malicious firmware update

A hacker by the name of BestBuy claims to have used a Mirai botnet to infect 3.2 million home routers on the TalkTalk and Post Office networks. I haven’t heard of any independently confirmed reports of routers actually being infected, but they may not be easy to identify. In the words of security researcher Darren Martyn, “What they just pulled is shenanigans of the highest quality”

 

US Navy Admits To Data Breach, 130,000 Exposed

Yeah, the US Navy exposed info for 130,000 current and previous sailors.  Wonderful. If I’m one of them, I’ll just put it in the stack of other notifications from the government. Maybe I’ll put it right next to my OPM notification.

 

 

Ransomware suspect Pornopoker nabbed in Russia

Let’s hope they don’t screw up and release him as well, although he doesn’t seem to be near the same level as Kapkanov above. He was nabbed while returning from Thailand.

 

Infect 2 Others and Get Your Ransomed Files Back Free!

What a great deal from the writers of “Popcorn Time”. If you just infect 2 other people and they pay the ransom, you can get your files back free.  Indicators also show that there may also be a provision where if you enter an incorrect decryption key more than 4 times, it starts killing your files.  I would love to get ahold of some of these folks and plug their toenails out with with rusty pliers. This video clip pretty much sums up how I feel about these vermin…

New Approach to the Same-Ol Phishing Emails

This is an interesting way to try to get folks to open malicious documents. I really like the macro warning screen angle they use on this. It’s designed to get you to click the button to enable the macro when it’s opened. They also make the email look like you are being brought in to an existing conversation. Pretty slick.

Check it all out at: https://blog.knowbe4.com/phishing-from-the-middle-social-engineering-refined