Ethereum Hit With Another Heist, This Time $8.4 Million

Ethereum has really been feeling the sting lately as yet another theft, this time $8.4 million, hits the cryptocurrency. While I love the fact that cryptocurrency is a standalone entity not backed by any specific country or nation, its value depends greatly on the security around it and the confidence people have in it. While $8.4 million isn’t a huge number by monetary standards when you compare it to things like CEO Fraud at about $5.3 billion lost in the last few years, or ransomware which is running at about $1 billion per year, it is a big deal when you consider the reputational damage to cryptocurrency as a whole.

Market info for Ethereum as of July 25, 2017

Think of it this way: investors have done a lot to boost and stabilize the price of Bitcoin and Ethereum as they are seeing a return on the investment. Investors don’t mind some risk as that comes with the territory, but when sums like this are lost several times in the course of a few weeks, it shakes the trust.

Consider that the total value of Ethereum is about $19,141,290,491 at the time of this writing and about $47,000,000 of that has been stolen in the last month. That can shake the confidence a bit. Looking at the price graph, it’s being reflected.

Unless these losses are stabilized, cryptocurrency is in danger of taking several steps backward with respect to its reputation and value to investors. This in turn will impact its value even more significantly.

Whoops! Wells Fargo Releases Info On 50k People

So first it was the deal with Sweden, and now this with Wells Fargo. Let today be a lesson in how not to outsource certain business functions. In this case with Wells Fargo, it seems 1.4 GB of data involving about 50,000 individuals was accidentally sent in response to a request from an attorney for some banking documents on an individual. Wells Fargo is blaming a third party for not properly screening the data on the disk.

While I get that, it’s important to understand that when you outsource any of your processes, that does not mean you’re totally off the hook. In this case obviously Wells Fargo is the one ending up in the headlines as opposed to the contracted company. On the other hand, I personally don’t think that is undeserved. To send 1.4 gigabytes worth of data in response to a rather limited request for a single individual seems a bit excessive to me. Why couldn’t they have limited that considerably prior to sending it to the third-party? We may never know.

Just remember this when you’re hiring outside parties to handle sensitive information. “Regulators, meanwhile, have started a probe into the data breach…” is not something you want to hear or read about in the paper.


Sweden Screwed Up Big Time Resulting In Sensitive Data Disclosure

In what’s amounting to a pretty significant slip-up, the Swedish Transportation Authority appears to have provided quite a bit of sensitive information to a group in the Czech Republic. What is really surprising to me is that they are outsourcing so much of their potentially sensitive data offshore.

While I understand the attractiveness of outsourcing some IT functions, when your data is this significant and personal, steps must be taken to better secure it. Coming from a Department of Defense background, there were certain things that we would never allow non-citizens or offshore third-party entities to see. In this case, all of the vehicle information, including that of military and police, was provided to groups in the Czech Republic without a reasonable screening process.

More surprising than that is the fact that their firewalls and much of their communications are being managed from Serbia. Really? There are times when the transfer of risk or management of Information Technology functions makes sense. We see this all the time on a smaller scale with respect to cloud computing, but again there are times where saving a few dollars is not worth the risk of exposing the data.

Can you imagine if here in the US, the Transportation Authority, or even State MVDs, outsourced the data processing and storage to an outside country like, say, North Korea? This is pretty much like what Sweden is doing when outsourcing firewalls and such to Serbia and having the Czech Republic deal with their Transportation Authority data. Perhaps tensions aren’t quite as high between those countries as between the US and North Korea, but my understanding is they aren’t exactly in lockstep either.

Think about this when you’re looking at cloud providers. Understand where the data is going, who is processing it and the nature of the data and sensitivity as well. Require background checks for people who are handling sensitive information. Don’t be that guy or gal that makes the news like this.

*WARNING* – Headlines From Yesterday Make Great Phishing Ammo For Today

It’s Friday morning and after a pretty intense Thursday, I just want to send out a little warning to folks. Yesterday we lost a great musician and “The Juice” is about to be loose. These are two pretty significant headlines. What does that mean? Well, it means the scammers are going to be using this against people.

Be ready for phishing emails related to these two stories. Pretty much any time there’s a major event inboxes are flooded with stuff like this. This is pretty typical since social engineering is really about leveraging our emotions against us.

Now I have to admit, music hasn’t played a huge role in my life but it has many others so this hits home for many especially given the fact that it’s a suicide. With respect to OJ, I think most of us that are old like me remember the low-speed chase in LA and the ensuing legal battle, more than what he actually got locked up for. Either way these things relate to a number of us across different generations and that makes them great ammo.

I suggest that if you haven’t already, send some simulated phishing emails to your users related to these subjects. The idea is to inoculate them before they get the one with a malicious attachment. My company, KnowBe4, has already been all over this today and already has templates made to deal with this sort of thing. If you’re a customer, use them.

Stay safe out there folks, and let those users know that this may be coming.

Ransomware Attack In Atlanta’s Peachtree Neurological Clinic Sheds Light On Persistent Breach

The Look When You Find Out You Have Been Breached… For Over A Year.

So when is a ransomware attack a good thing? How about when it uncovers a previous breach where someone has been in your system for over a year. That’s exactly what happened to Peachtree Neurological Clinic in Atlanta. While they didn’t pay the ransom, they did find out someone had been in their system since February of 2016.

Now, they haven’t said how many patients’ data may have been disclosed, and the breach hasn’t been added to the HHS breach tool, but it looks like names, Social Security numbers, driver’s licenses, addresses, phone numbers, medical data, prescriptions and/or health insurance data are at risk. That’s a lot of data on a person. This should be an interesting one to watch.

How long would this have gone on if it hadn’t been for the ransomware attack? Who knows. See, there is a silver lining sometimes. 🙂

Getting Ready For Vegas and Austin, Texas

Well folks, Hacker Summer Camp is right around the corner. While I won’t be able to be there for all of it, I will be there for a couple of days at Black Hat. I’m returning this year once again as a booth babe in the KnowBe4 booth. Unfortunately, before Defcon starts, I have to be in Austin to wrap up the 12 Days of Sysmas, which is being put on by Spiceworks in honor of SysAdmin Day on the 28th. It’s going to be a ton of fun, but it’s also going to be a very long week.

So the deal is, I’ll be there Wednesday and Thursday in the booth doing demos and stuff like that. We have Kevin Mitnick signing books on Wednesday evening, and we’re handing out these truly epic KnowBe4 axes. We have an axe to grind with ransomware. Kind of catchy, huh? I’m going to have a bunch of goofy puns for that. Maybe I’ll even axe you a question about it.

I can’t wait for this fun!

I’m going to warn everyone right now, this next week is going to take an awful lot of energy drinks to survive. For the record, the white Monster energy drinks or the white Rockstar energy drinks are my favorites. Just saying, you show up to our booth with one of those for me, and I’m going to take care of you as best I can. If I’m in a really good mood, I might even sign your forehead with a sharpie. Hey, I’m just cool like that.

Since I arrive Tuesday at about midnight, I’m not going to be doing much then. I might be up for something Wednesday night, but it’s going to depend on how the day goes. Apparently I’m expected to work at this thing. Thursday, I have to leave straight from Black Hat and head to Austin, Texas for the “SysAdmin Day edition of On the Air” on Friday morning. That’s going to be a ton of fun, especially since I’ll probably be giddy and such from a lack of sleep. Tune in if you’re feeling it. I love the Spiceworks group as they tend to live life to its fullest. It’s going to be at 10 a.m. Central, so 9 a.m. Vegas time. That means flip open your laptop and watch it while you nurse your hangover. Hey, we’re giving away a Nintendo Switch, so you might even get lucky there.

On a serious note, if you want to talk shop about ransomware or social engineering, come hit me up in the booth. I would love to have discussions about it. Likewise, if you’re looking for anyone to interview during the show, I’m happy to offer my expertise. It’s not every day you get a security guy that’s this charming, good-looking, and humble all in one package. 🙂


Tennessee City’s Emergency Services Hit By WannaCry

It’s July, how do you still have machines vulnerable to this? It’s not like this hasn’t been publicized. Yeah, I get it, patching can be a pain, but really? They should have had mitigations in place.

FTA: “Norville says most of the affected data is not retrievable, and it is unclear if any significant files have been lost. Two file servers and 19 computers within the police department’s system were breached.”

Reject the Tech: Technology Isn’t Always The Best Answer in Cybersecurity

Before I even start, I have to admit that I’m every bit as guilty of this as anyone else. I love tech and gadgets and have been dazzled, then disappointed before. As I was thinking about this, I was picturing stones flying around my own glass house, so don’t take this personally if you find yourself looking back in the mirror as well. After all, GI Joe flooded my childhood with messages of, “knowing is half the battle.” It’s what we do with the knowledge that will let us prevail in the other half of the battle. Hopefully my experiences and bad decisions can help some of you.

Now that I have that off my chest, I can go ahead and tell you that if you are investing time and money in high-tech “solutions” without addressing non-technical or low-tech solutions, you are really screwing up. Yep, 100% screwing the pooch, making a mess of it, etc., etc., etc., so stop it!


The Hook

If you haven’t noticed already, those signs you see at the airport, the ads in magazines, the internet, or anywhere else are put together by a special type of person called a “Marketer”. These people aren’t evil on purpose, but I see a lot of them going to the “dark side” (I hear they have cookies). It could be the pressures of lead generation or competition, but whatever it is, some fall in the dark well of snake oil sales. They start making ridiculous claims like, “With our WAF, data breaches are a thing of the past” or “The ‘cloud’ will fix all of your ailments”. When you see these people at trade shows, they even begin to believe their own rhetoric and will pitch it to you with a confident smile on their face. What’s worse is, you may start to believe it yourself. Your executives may start to believe it, your boss may start to believe it. Best case, big $ goes out the door and your security situation still hasn’t improved dramatically. Worst case, big $ goes out the door and you are in worse shape than when you started.


Avoiding the Gut Punch

How do you avoid this unpleasant experience? It will take a conscious effort of will to step back and see through the smoke.

First, if something says it’s a “solution”, put on your skeptical hat and hold on to it. In security there is reduction of risk, but I have never seen a professed “solution” be an actual end to something meaningful. Many times I have seen a “solution” open up a whole other can of worms that was unexpected.

Second, compare to other similar devices/platforms and see if the fancy new feature is just different wording for something already being done by someone else. If there is a key feature that gets you all spun up, don’t assume you know what it actually is doing. I have convinced myself that things are going to do one thing, when in fact they do something altogether different, simply because I really WANTED them to do what I thought they meant. Make sure you take a deep breath and understand the limitations of the feature you are so hot for. It can save many tears down the road.

Sometimes the right tools are being used wrong

Third, understand how things are going to work together. There are few things worse than getting a new device only to find out that managing it takes a lot of time and effort because nothing integrates with your current infrastructure.

Finally, and most importantly, consider if you are trying to throw a high-tech fix at a low-tech or no-tech problem. In many cases, risk can be decreased dramatically through policy, procedure or easy architecture changes. Sometimes you are using the tool wrong and can’t even see it.


Examples of Your Hare-Brained Scheme?

Let’s use ransomware attacks as an example. Not only have WannaCry and Petya/NotPetya caused issues, but Cerber and others have been doing it for a long time. Let’s look at some easy things that would have made these attacks less of an issue, maybe even trivial, had they been done.

Patching – MS17-010 was exploited in a couple of these, but other patched vulnerabilities have been exploited time and time again. Most of the time, 0-days are not what is used; it’s old exploits on vulnerable machines. Sure, patches are a pain to keep up with, but time spent here can pay off greatly. Imagine if MS17-010 had been applied globally before WannaCry: it would have been a minor nuisance rather than a global event. Review your patching process and give it the attention it deserves. If you can’t patch, use mitigating controls or isolate the device from anything it doesn’t NEED to communicate with.

Network Segmentation – It still boggles my mind how many “flat” networks are out there. These days, the cost of segmenting networks is nearly trivial and the implementation is well understood. What is segmentation? Simply put, it’s the practice of limiting communication between devices or groups of devices. Consider this: does your receptionist need to be able to get to a login screen for your SQL server? Does finance need to get to the Development environment? Does Dev even need a direct connection to Production? Anywhere you can limit this communication, you provide a mechanism of containment. Now if your receptionist launches malware, it can’t ever reach important resources. Clean-up is now easier and real damage avoided. With a little planning and work you can significantly limit how far malicious programs or hackers can get within your network for little or no cost. WannaCry spread by being able to get to servers on port 445. Had they been segmented, damage would have been much more contained.

Backups – Sure, you get the email every day/week that says your backups ran, but do you really read the email, and have you ever tested your backups by restoring them? Maybe the backup successfully backed up 40 KB worth of data, but nothing else. If the job is whacked and it only thinks it’s supposed to back up 40 KB, it’s going to tell you it was successful. Make sure you know what’s going on. I suggest restoring some random critical data at least once a month and ensuring you can get it. This will help you understand the time it takes and the process so you aren’t doing it when the world is on fire and the pressure is on. Also, do a full restore at least twice a year. Make sure it all works. Backups are a great way to fight ransomware, and the ability to quickly restore would have made WannaCry just a nuisance.
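The “40 KB but the job said success” failure above is exactly what a trial restore should catch. As an added example (not from the original post), here is a Python check that ignores the job’s own verdict and instead compares what actually restored against a known-good baseline and the checksums of a few critical files; the file paths, contents and sizes are constructed for illustration.

```python
import hashlib

# Constructed sample "source" data for the trial restore; not real files.
SOURCE_FILES = {
    "/data/finance/ledger.db": b"ledger contents, July 2017",
    "/data/patients/records.db": b"patient records (hundreds of GB in real life)",
    "/data/shared/readme.txt": b"nothing important here",
}
# Files whose absence from a restore means the backup is useless in an incident.
CRITICAL_PATHS = {"/data/finance/ledger.db", "/data/patients/records.db"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hashes recorded when the source data was last known good.
SOURCE_HASHES = {path: sha256(data) for path, data in SOURCE_FILES.items()}
# Total size of the last backup a human actually restored and checked.
BASELINE_BYTES = sum(len(data) for data in SOURCE_FILES.values())


def check_backup(job_status, restored, baseline_bytes=BASELINE_BYTES, min_ratio=0.5):
    """Cross-check a backup job's own verdict against a trial restore.

    job_status -- the status string the backup job e-mailed ("success", ...)
    restored   -- {path: bytes} produced by restoring the backup to scratch space
    Returns a list of findings; an empty list means the backup can be trusted.
    """
    findings = []
    if job_status != "success":
        findings.append(f"job reported status {job_status!r}")
    # A job that silently shrank to 40 KB still says "success"; comparing the
    # restored size against a known-good baseline is what catches it.
    restored_bytes = sum(len(data) for data in restored.values())
    if restored_bytes < baseline_bytes * min_ratio:
        findings.append(
            f"restore is {restored_bytes} bytes, baseline {baseline_bytes}: job shrank")
    # The files you would actually need during an incident must be present
    # and byte-identical to what was recorded as known good.
    for path in sorted(CRITICAL_PATHS):
        if path not in restored:
            findings.append(f"critical file missing from restore: {path}")
        elif sha256(restored[path]) != SOURCE_HASHES[path]:
            findings.append(f"checksum mismatch after restore: {path}")
    return findings


# Constructed scenarios: a healthy restore and the "40 KB but success" case.
GOOD_RESTORE = dict(SOURCE_FILES)
SHRUNK_RESTORE = {"/data/shared/readme.txt": SOURCE_FILES["/data/shared/readme.txt"]}

if __name__ == "__main__":
    print("good:", check_backup("success", GOOD_RESTORE))
    print("shrunk:", check_backup("success", SHRUNK_RESTORE))
```

Wire the same checks into the monthly restore drill the paragraph recommends, so the drill produces a pass/fail record rather than just a warm feeling.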

Have An Incident Response Plan – Figuring out how to respond sucks when you are in the middle of it all. Put some effort into having a plan that at least covers the basics for common scenarios. Having things like contact information for execs, law enforcement and online resources can really help take some pressure off when responding to an event. Know where your software and licensing is in case you need to reload things. Know how to reach your vendors or cloud providers and have that documented. Something will eventually go wrong, so be ready when it does.

Get Visibility In One Place – If at all possible, get your logs, alerts and events feeding into some sort of a SIEM or central spot. Easy stuff like firewall logs or endpoint protection alerts going to one place can make a huge difference in your ability to notice and identify potential attacks or events. For example, if a bunch of your endpoint protection agents start throwing alerts, you can spot it quickly and take action. This is one of the more technical things I do think needs to be done; however, the cost does not have to be significant. Look into ELK Stack (aka Elastic Stack) or AlienVault OSSIM for free ways to get some visibility into your network. A quick reaction can significantly reduce damage in an attack.
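The “a bunch of endpoint agents start throwing alerts” case is the kind of thing that only stands out once alerts land in one place. As an added example (not from the original post or any SIEM product), here is Python detection logic that runs over centralized endpoint-protection alerts and flags a burst of distinct hosts detecting malware within a short window; the log format and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of endpoint-protection alerts after central collection.
# One infected workstation is noise; five distinct hosts in 15 seconds is a
# spreading outbreak. The format is made up for this example.
SAMPLE_LOG = """\
2017-07-25T09:00:01 host=ws-101 product=epp event=malware_detected name=Ransom.Generic
2017-07-25T09:00:04 host=ws-117 product=epp event=malware_detected name=Ransom.Generic
2017-07-25T09:00:06 host=ws-101 product=epp event=malware_detected name=Ransom.Generic
2017-07-25T09:00:09 host=ws-122 product=epp event=malware_detected name=Ransom.Generic
2017-07-25T09:00:12 host=ws-130 product=epp event=malware_detected name=Ransom.Generic
2017-07-25T09:00:15 host=ws-141 product=epp event=malware_detected name=Ransom.Generic
2017-07-25T10:30:00 host=ws-205 product=epp event=malware_detected name=PUA.Toolbar
2017-07-25T11:45:00 host=ws-101 product=epp event=scan_completed
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) product=\S+ event=(\S+)")


def parse_alerts(text):
    """Return (timestamp, host) pairs for malware detections, oldest first."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip anything that is not in the expected shape
        ts, host, event = match.groups()
        if event == "malware_detected":
            events.append((datetime.fromisoformat(ts), host))
    return sorted(events)


def detect_bursts(events, window=timedelta(minutes=5), min_hosts=4):
    """Flag windows in which at least min_hosts DISTINCT hosts alerted.

    Counting distinct hosts rather than raw alerts keeps one noisy machine
    from tripping the rule. Returns [(window_start, sorted_hosts), ...].
    """
    bursts, i = [], 0
    while i < len(events):
        start = events[i][0]
        in_window = [host for ts, host in events[i:] if ts - start <= window]
        hosts = set(in_window)
        if len(hosts) >= min_hosts:
            bursts.append((start, sorted(hosts)))
            i += len(in_window)  # report each burst once, then move past it
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    for start, hosts in detect_bursts(parse_alerts(SAMPLE_LOG)):
        print(f"{start.isoformat()} outbreak across {len(hosts)} hosts: {hosts}")
```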

Work On Your Organization’s Security Culture – Teach your users how to spot phishing attacks and avoid falling for scams. Changing the security culture of your users is one of the best ways to avoid attacks. People need to know that they are targets so they can protect themselves. They need to know what to look for in order to spot attacks and have a way to report them quickly. Understand that you may not be the best person to put training together. We tend to be technical people and that does not always resonate with the users. Employ other departments, such as marketing, if you are going to do it on your own, or better yet use a third party like my company KnowBe4 to do it for you. It’s not expensive and it works well. Reminding users that attacks like ransomware impact them at home as well can really help them pay attention in the training. Fostering an attitude of helpfulness from the security/IT team will go a long way toward getting the users to want to engage. Don’t shame folks when they screw up, and they will. Instead, reward them for doing the right thing. Kudos at a company meeting or in a company-wide email, or even a pizza party for the department that does the best, can really impact the culture. Have fun with it and remember that it’s a scary topic for some folks, so they may need a little reassurance before they start to play well with others. Be patient and the reward can be great.

If you put some effort into the things I have listed above, you can significantly improve your security posture with very little cost. When looking for ways to solve problems, try to separate yourself from the marketing hype and focus on the task at hand. See if there is another way to accomplish your goal and keep your mind open to all options, not just the shiny ones.