NOTE: This is a repost of something I initially posted to LinkedIn on September 12, 2016. I will be consolidating a number of older posts to my blog in the near future. Enjoy.

As I am here at the (ISC)2 Security Congress which is collocated with the ASIS International annual convention in Orlando, I am once again struck by the growing crossover between the information and physical security worlds.

For those that do not know, ASIS is an association dedicated to education and advancement of operational security professionals around the world. Their annual conference features a huge expo hall with every type of physical/operational security gadget you could ever want. There are a plethora of security cameras, gate systems, sensors and even weapons here on the ASIS side of the conference. The “3 G’s” (Guns, Gates and Guards) are the bread and butter of ASIS.

(ISC)2 on the other hand is a cybersecurity certification organization most well-known for the CISSP certification. They also have information security vendors on the expo hall floor.

These two are joined together because as the lines between traditional security and information security start to blur, both sides need to be educated. More and more, these two worlds are colliding and it makes me think about the level of training these security guards and other law enforcement individuals receive with respect to social engineering, especially on the cyber side. Why does it matter if they can spot phishing type attacks or other electronic social engineering? Well, these folks are the front line of security and more and more, their tools are living in cyberspace. These individuals can control gates, cameras and entry points remotely from 100s of miles away in a SOC. Often times, the very control of these gates, cameras or sensors is transmitted to “The Cloud” and then relayed to or from the internet-connected device that is being controlled. A large number of camera systems are IP-based, doors are even networked and controlled by computers and IP-based networking.

To top it off, many physical security manufacturers are not agile enough to provide patches to zero-day software vulnerabilities as quickly as infosec vendors, which leaves the devices vulnerable for extended periods of time. Often these vulnerable systems are on the same network as the rest of the organization’s information technology assets. This is a recipe for disaster, much like what happened with Target where the attack on the POS credit card machines started with vulnerabilities in the HVAC systems.

Imagine if you will, ransomware stopping an organization’s ability to control ingress and egress from buildings or parking lots or even worse, the bad guys being able to control it themselves. How about the ability to remotely deploy an active vehicle barrier system or silence the sensors on the fences?

Untrained individuals can allow this to happen by simply clicking on a malicious link or opening the wrong attachment. Once the bad guys are in, the network is their oyster. This is why, as these digital and physical worlds collide, it is more important than ever to ensure the very people who are guarding our buildings and property are aware of the electronic threats as well as the physical ones.

Cloud-based risk is nothing new to us IT folks, but for those that employ high-tech tools for your operational security, take the time to assess the risk these pose and train your employees to resist the threat they may not be aware of.

Sadly the Swiss company disclosed about 2,400 employees W2’s to scammers. The employees were in Jeffersonville, Indiana; Oregon, Ohio; Bloomsburg, Pennsylvania; and Aiken, South Carolina; and at its North American headquarters in Farmington Hills, Michigan. At least 1 employee already found their taxes having been filed by the scammers.

OK, this is a VERY packed edition of the weekly wrap up of security stuff.

Amazon S3 went down for a while

There was a collective cry of pain and the echoing sound of SLAs being violated when Amazon’s S3 service went down. To top it off, their dashboard showed that all things were warm and fuzzy for quite some time. The official word was,  that the outage is due to “high error rates with S3 in US-EAST-1,”. By “high error rates”, they meant all hell was breaking loose somewhere. This prompted a lot of fun on the Twitters as folks weren’t so happy about things being up in flames around them. Imagine that.

Cloudpets leaked a bunch of data because they are idiots

 I’m a bit peeved at this since my youngest daughter (and therefore me) has one of these. Luckily we didn’t do much with it, but for those that have, recordings and info was leaked due to poor security. It even seems they were warned about in advance. This really does make sad because the little buggers are adorable and are a great idea for those who travel a lot, or are deployed.

Android Ransomware Wants Victims To Speak The Unlock Code

Lockdroid is throwing out a new twist. What could possibly go wrong here? Think about how often you have been annoyed by trying to get a machine to understand your voice. Imagine that after you have been ransomed. You are really screwed if you are Scottish (language warning)!

Torrent spread macOS ransomware spotted in the wild. Decryption doesn’t work even if you pay

It looks like this Mac ransomware is spreading by posing as a software license crack in torrents. The bad news is, even if you pay, the dev doesn’t have the key to decrypt the files. Another lesson to stay away from illegitimate software.

Spora Ransomware Chat Logs posted

This is an interesting read if you want to see what happens with the Spora ransomware chat help. Looks like no chance to negotiate price, but you can get some time.

Cloudbleed strikes: If You Use Any Of These Sites, Reset Your Password Now

Cloudflare had a memory leak, so if you went to any of the 5 million sites impacted between 09-22-2016 and 2-18-2017, your passwords, private messages, API keys, and other sensitive data may have been leaked. The list of affected sites is here.

American Senior Communities Falls For A W2 Scam. 17,000 Employees Affected

The scam happened in mid-January, but they didn’t realize it until employees started having trouble filing returns in mid-February. This is the third Central Indiana employer in less than a month to fall for W2 scams. Monarch Beverage Co. and Scotty’s Brewhouse also fell for it, with the employee at Monarch having done the same thing last year.

Sometimes I just want to shake people until they get it and put training and procedures in place to stop this sort of thing. It’s really not that hard or expensive to implement.

W2 scams are no joke and really mess with the employees. Please be careful when handling this sort of info.

Do You Know What Your Cyber Insurance Really Covers?

This is just a reminder to be aware of what is and isn’t covered by your cyber insurance. I highly recommend that you speak with an agent and do a review of the coverages BEFORE it hits the fan. I recently learned that while notification can be the most expensive part of a breach, it’s often not covered by default in the policy. To add to that, cyber insurance is still in its infancy, so coverage is rarely standardized. Don’t blame the insurance companies for this as it’s a very new type of risk, it’s your job to know, with their help, what you are paying for.

Take for example the P.F. Chang’s breach. The $1.7 million cost of defense against customer lawsuits were covered, but the roughly $2 million in fees and fines imposed by credit card issuers to pay for notifications to cardholders, reissuance of credit cards, and other costs was not. It really pays to know what coverage you have.

Maine Credit Union Members Victims Of ATM Skimmer

Downeast Federal Credit Union found a skimmer on an ATM after several members called to report fraudulent charges. A skimmer was found on the ATM at the credit union’s Lincolnville Avenue branch. The Belfast Police Department has checked all Downeast FCU ATM machines and found no additional skimmers.

Ransomware recovery time is longer and more expensive than most think

Here are some pretty ugly numbers and a look in to why I am so obsessed with helping people avoid infection. The sad part is, you can protect yourself pretty well with basic “security 101” stuff like  segmenting the network, “least privilege” access, weapons-grade backups and quality awareness training/simulated phishing. You don’t need to burn money to protect yourself.

• 85 percent of those infected had systems forced offline for at least a week
• 1/3rd of cases resulted in data being inaccessible for a month or more
• 15 percent found that their data was completely unrecoverable
• 63 percent of orgs have no official ransomware policy in place
• About 50 percent of victims paid more than £3000 ($3700) in ransom
• SMBs usually paid  between £500 ($621) and £1500 ($1864)

Roxana Police Department is done cleaning up after ransomware attacks

I swear, small town police departments can’t wait to get hit by ransomware. I keep seeing it over and over again. In this case, “the work of sophisticated hackers who seek out vulnerabilities in digital networks, enter computer systems and encrypt important data…” (a.k.a. a piece of malware sent in a phishing email) was inconvenient rather than crippling. Based on the article and the lack of desire to share any info, along with the sensationalizing of the attack above, I’d say they are pretty embarrassed about it.

Madison, WI Requires “Unique Locking Devices” On Gas Pumps Due To Skimmers

I can’t say that I like a lot of government involvement and additional regulations, but I appreciate that they are trying to stop the issue. It’s far too easy for folks to install skimmers and while this doesn’t solve the issue or counter skimmer overlays, it does take a step to help. Locally here in Florida, I have seen attendants at more than one Speedway station checking the pumps daily and putting on tamper seals. I have told them I appreciated the effort.

VISA warns for Flokibot Spear Phishing Infections

So, it looks like a new malware variant identified as “Flokibot” is hitting the Caribbean and LATAM. The malware is focused on point-of-sale (PoS) devices and, like so many other types of malware, is being spread predominantly by phishing email. I will be personally volunteering to go look at this threat, especially in the Caribbean, on behalf of my company. It may take a while to investigate. You know, weeks, maybe months…

So, it looks like a new malware variant identified as “Flokibot” is hitting the Caribbean and LATAM. The malware is focused on point-of-sale (PoS) devices and, like so many other types of malware, is being spread predominantly by phishing email. I will be personally volunteering to go look at this threat, especially in the Caribbean, on behalf of my company. It may take a while to investigate. You know, weeks, maybe months…

I can’t say that I like a lot of government involvement and additional regulations, but I appreciate that they are trying to stop the issue. It’s far too easy for folks to install skimmers and while this doesn’t solve the issue or counter skimmer overlays, it does take a step to help. Locally here in Florida, I have seen attendants at more than one Speedway station checking the pumps daily and putting on tamper seals. I have told them I appreciated the effort.

I swear, small town police departments can’t wait to get hit by ransomware. I keep seeing it over and over again. In this case, “the work of sophisticated hackers who seek out vulnerabilities in digital networks, enter computer systems and encrypt important data…” (a.k.a. a piece of malware sent in a phishing email) was inconvenient rather than crippling. Based on the article and the lack of desire to share any info, along with the sensationalizing of the attack above, I’d say they are pretty embarrassed about it.

Here are some pretty ugly numbers and a look in to why I am so obsessed with helping people avoid infection. The sad part is, you can protect yourself pretty well with basic “security 101” stuff like  segmenting the network, “least privilege” access, weapons-grade backups and quality awareness training/simulated phishing. You don’t need to burn money to protect yourself.

• 85 percent of those infected had systems forced offline for at least a week
• 1/3rd of cases resulted in data being inaccessible for a month or more
• 15 percent found that their data was completely unrecoverable
• 63 percent of orgs have no official ransomware policy in place
• About 50 percent of victims paid more than £3000 ($3700) in ransom
• SMBs usually paid  between £500 ($621) and £1500 ($1864)

Those are pretty ugly numbers folks. My company has a free Ransomware Hostage Rescue Manual that can help prepare for this, as well as a free ransomware simulator you can use to check your endpoint protection settings and capabilities. Please, for the love of all that is good in the world, do something to prepare for ransomware attacks. No matter the size of your company, you need to be ready. Not to sound like a sales pitch, but the KnowBe4 platform starts at only about a buck per month/per user and gives you unlimited training and phishing with a really easy to use platform, so things that can make a big difference (and it really does!) aren’t even that expensive.