Erich’s “What in the (cyber security) world is going on?” 01-19-17 edition

Before we get started on this week’s wrap-up of important things in the infosec world, in light of the inauguration tomorrow, I just wanted to remind people to treat each other kindly regardless of political opinions. Politics is no reason to treat others without respect. Let’s be good to one another and see how that makes you feel.

That being said, let’s see what the bad guys are up to:

 

Antivirus Detection Rates Are Tanking

While this doesn’t mean it’s time to yank all the AV off your machines, it is a reminder that endpoint protection should not be your only bacon-saving countermeasure. Many tears have fallen, and much bacon has not been saved, due to the “all the eggs in one basket” mentality. Think of the bacon, think of the eggs, and incorporate a defense-in-depth approach that reduces the most risk with the least effort and cost. *cough* *cough* User security awareness training is a huge part of this and is known for its bacon-saving properties *cough* *cough*.  I must be hungry.

 

The UK’s National Health Service (NHS) Has Been Walloped in 2016

About 1-in-3 NHS trusts were hit with ransomware in 2016, 80 per cent of those infections started with a phishing email, and Imperial College Healthcare in London was smacked 19 times in just 12 months. This is not new, I have talked about it before, but it’s a powerful reminder of just how prolific ransomware is and of the fact that most of it is spread by email. This may be one of the biggest threats to hit the UK since Jeremy Clarkson. Stay safe out there.

 

IRS Issues Warning On New Tax Phishing Attack

Scammers are hitting up tax professionals in an effort to compromise their systems and then use the info to scam the professionals’ clients into sending their financial info, resulting in false returns being filed. This is a pretty interesting 2-part scam. There is a nice email blurb here that you can use to warn folks you know. Be safe and pick up the phone if your info is requested.

 

There is a Very Good Gmail Scam Going Around

Watch for this one. It starts with a traditional credential phish, then the attackers go through the victim’s past emails and craft new messages to that person’s contacts, reusing attachment names and subject lines from real earlier messages so the next victims trust where it came from. Simply teaching people to look at the address bar before they enter any credentials stops this attack cold. Sadly, not everyone gets good quality awareness training.

 

Here is an Example of a Phishing Email Targeting Navy Federal Users

This shows an example of a .pdf with a malicious link. Keep in mind, the file itself carries no malicious code, so it will pass AV scanning, but following the link will give a person a rather bad day. In this case a simple link hover shows it’s not legit. This is a simple skill that users really need to know about.
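The link-hover check above, and the “look before you enter credentials” habit from the Gmail scam, can also be automated at the mail gateway. The following is an added example, not code from the original post: it pulls every anchor out of an HTML mail body and flags links whose visible text shows one site while the href goes to another, links that hide behind a URL shortener, and (optionally) links that leave the brand’s own domain. The sample message, the example.net host and the bit.ly code in it are constructed for illustration.

```python
"""Automate the "hover over the link" check for an HTML e-mail body.

Added example, not code from the original post. The message at the bottom
is constructed; the shortener list is illustrative, not complete.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Shortener hosts named in the post.
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "goo.gl", "ow.ly", "tinyurl.com", "t.co"}
# Does the visible anchor text itself look like a URL or domain?
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.IGNORECASE)


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL, lower-cased; bare domains get a scheme added first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def base_domain(host):
    """Last two labels (example.net from login.example.net). Good enough for
    .com/.org/.net here; a real deployment would use the public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def suspicious_links(html_body, brand_domain=None):
    """Return (href, text, reason) for each link a user should not click blindly."""
    parser = _Links()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        real = host_of(href)
        if not real:
            continue
        if real in SHORTENER_HOSTS:
            findings.append((href, text, "URL shortener hides the destination"))
            continue
        shown = host_of(text) if URL_LIKE.match(text) else ""
        if shown and base_domain(shown) != base_domain(real):
            findings.append((href, text, "visible URL differs from real destination"))
            continue
        if brand_domain and base_domain(real) != brand_domain.lower():
            findings.append((href, text, "leaves the expected domain"))
    return findings


# Constructed phishing body: the first link shows a bank URL but points elsewhere,
# the second is legitimate, the third hides behind a shortener.
SAMPLE_EMAIL = """
<p>Your Navy Federal account needs attention.</p>
<a href="http://login-verify.example.net/nfcu">https://www.navyfederal.org/secure</a>
<a href="https://www.navyfederal.org/help">Help Center</a>
<a href="http://bit.ly/abc123">Click here to confirm</a>
"""

if __name__ == "__main__":
    for href, text, why in suspicious_links(SAMPLE_EMAIL, "navyfederal.org"):
        print(f"{why}: '{text}' -> {href}")
```

Run against the constructed message it reports the spoofed bank link and the shortened one, and stays quiet about the genuine Help Center link. The two-label `base_domain` is the weak spot: for country-code domains such as .com.au you would swap in a public suffix list rather than trust the last two labels.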

 

Fraud Attempts Around Christmas of 2016 up 31% 

Not a shocker mind you, but attempts at fraudulent digital retail transactions were up 31% on a 16% increase in e-commerce transactions over 2015.

 

The CIA dropped over 930k documents on its FOIA Reading Room

That’s over 12 million pages of data. I will not be reading them all, instead I will rely on the interwebs to let me know about the interesting bits, and will pass them along to you. So far, the most interesting thing I saw was a Dilbert cartoon that may have previously contained steganography. Stego fascinates me. It wasn’t even a particularly funny cartoon though.

 

Bad Guys Threaten to Contact Families of Cancer Patients When Ransomware Fails to Make Them $

There is a special place in the circles of Hell for people that mess with orgs like this. This is a cancer treatment org that provides free treatment for those unable to afford it. This was a $43,000 ransom, which can go a long way toward providing treatments for folks. One thing to consider here though: I have mentioned before that I expect to see doxxing and other behaviors like this increase. Since the ransomware has already read every file it encrypts and the bad guys hold the keys, there is nothing stopping them from exfiltrating the data and decrypting it on their end. This is why the HHS treats a ransomware infection as a breach by default. Sadly, I expect to see more of this behavior.

 

Elasticsearch is the Latest Target for Database Ransom Attacks

Like the recent MongoDB attacks, the bad guys are going after unsecured Elasticsearch instances exposed to the internet, encrypting them and demanding 0.2 BTC (about $175) to get your data back. If you run an Elasticsearch database, it’s time to lock it down. Here is some help to get you started.
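The first thing to check is what your node is bound to. The following is an added example, not code from the original post or from the Elasticsearch project: it reads the handful of elasticsearch.yml keys that decide exposure and returns findings, with a constructed exposed config beside a constructed locked-down one. It assumes Elasticsearch 5.x semantics (network.host defaults to _local_, i.e. loopback only) and only knows X-Pack as an authentication layer; Search Guard, Shield or a reverse proxy with auth would each need their own check.

```python
"""Spot an Elasticsearch node that is listening for the whole Internet.

Added example, not from the original post or the Elasticsearch project.
Assumes 5.x semantics: network.host defaults to _local_ (loopback only);
xpack.security.enabled is the only auth setting this check understands.
Both configs below are constructed.
"""
import ipaddress

# Special values that bind beyond loopback.
WIDE_OPEN = {"0.0.0.0", "::", "_site_", "_global_"}


def parse_flat_yaml(text):
    """Minimal 'key: value' reader for the dotted, top-level form of elasticsearch.yml."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def binds_beyond_loopback(host_setting):
    """True if any entry in network.host reaches past 127.0.0.1/::1."""
    for host in (h.strip() for h in host_setting.split(",")):
        if host in ("_local_", "localhost"):
            continue
        if host in WIDE_OPEN or (host.startswith("_") and host.endswith("_")):
            return True   # _site_, _global_ or a named interface such as _eth0_
        try:
            if not ipaddress.ip_address(host).is_loopback:
                return True
        except ValueError:
            return True   # a hostname: assume it resolves to a routable address
    return False


def audit_es_config(text):
    """Return human-readable findings; an empty list means nothing obviously exposed."""
    cfg = parse_flat_yaml(text)
    findings = []
    host = cfg.get("network.host", "_local_")
    http_on = cfg.get("http.enabled", "true").lower() != "false"
    if binds_beyond_loopback(host):
        findings.append(f"network.host={host}: node reachable from other hosts")
        if http_on and cfg.get("xpack.security.enabled", "false").lower() != "true":
            port = cfg.get("http.port", "9200")
            findings.append(f"REST API on port {port} answers without authentication")
    return findings


# Constructed: the setting that lands a cluster in the ransom note.
EXPOSED_CONFIG = """
cluster.name: logs
network.host: 0.0.0.0        # "so the dashboard can reach it"
http.port: 9200
"""

# Constructed: loopback only; put a reverse proxy with TLS and auth, or a VPN, in front.
LOCKED_DOWN_CONFIG = """
cluster.name: logs
network.host: 127.0.0.1
http.port: 9200
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("locked down", LOCKED_DOWN_CONFIG)):
        print(name, "->", audit_es_config(cfg) or "ok")
```

For a multi-node cluster you cannot bind to loopback; bind to the private interface instead and let a host firewall or security group restrict 9200 and 9300 to the nodes and the proxy that need them. The audit will still flag the private IP, which is the point: anything beyond loopback needs an authentication layer in front of it.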

 

Sometimes We Need to Rethink our Approach to Things

I have to admit, I LOL’ed at this video. It’s a bit mind boggling to watch, but entertaining. I even got to where I was rooting for the guy a bit.

 

My Brethren are not to be trifled with!

The Cyber Squirrel 1 project released the results of a study at Shmoocon, showing that squirrels top the list of power grid attackers, followed by birds then snakes. I personally have felt the effects of a rodent-related power outage at a previous job. It is rumored that only a smoking tail and a pile of ash remained when a squirrel chewed through some wires at a substation, causing a pretty decent outage in Tucson. Furthermore, my brethren have been blamed for the deaths of six people, allegedly (they have not been convicted in a court of law) caused by squirrels downing power lines that then struck people on the ground. “Rodent-related airborne electrocution” would be a pretty crappy cause of death if you ask me. Fear the fur people, fear the fur!

 

I was honored to speak at BSides San Diego last weekend

I was able to present 2 sessions, one was on social engineering and the other specifically on ransomware. The crew did a great job putting the event together, even though the waffle truck broke down several blocks away. Waffles on Wheels, sounds right up my alley! 😀 This picture was taken a little before the social engineering session started. By the time we started, it was standing room only. Thanks everyone for attending.

Chelsea Manning’s sentence was commuted.

I’m not even getting in to the politics of this here. Just know, after a bit over 7 years, Manning is being set free.

I hope you enjoyed this weekly update. See you next week!

Erich’s “What in the (cyber security) world is going on?” 01-12-17 edition

I am running for a spot on the (ISC)2 Board of Directors. Please check out this post and sign my petition if you are a member.  Thanks!

 

Spora ransomware offers future immunity (for a price of course)

This is an interesting strain of ransomware. It offers an option of future “immunity” for a fee. The ransom is calculated per victim and can vary as well. Finally, it uses the Windows CryptoAPI for encryption and doesn’t require an outside C&C server infrastructure. All of this makes Spora a very unusual strain. They even have a really nice victim landing page and offer tech support via chat.

 

Why you shouldn’t trust Geek Squad ever again

There has been quite a stir about this issue and I can see why. These techs are being paid to search customers’ computers without a warrant. While I support reporting things if they stumble across something, the way Best Buy is doing this is ripe for abuse, and if the techs are actively seeking things out, it sidesteps the individual’s protections against unreasonable search and seizure. Also, how can you feel confident that a tech wouldn’t plant something to make an extra few bucks? It’s all a bit too slimy for me.

Heads-Up! Massive New Locky Ransomware Attack Is Coming 

If you have felt like there has been a short break in some ransomware attacks, you aren’t alone. Locky has been pretty quiet for the last few weeks, but it’s not expected to stay that way. Take this slack time to check your backups and get yourself prepared. It’s not going away in 2017, we know that.

Email Slip-Up Exposes 60,000 Bank Customers’ Account Details

In a monumental “Oh crap” moment, an Australian bank let loose 60,000 of its customers’ account details. The National Australia Bank (NAB) sent confirmation emails to 60k of its customers and cc:ed itself on each one for the record, but mistyped its own domain: nab.com instead of nab.com.au. nab.com appears to be a… well… sort of… “dating” site? Whoops. At this point they aren’t really sure whether the emails bounced or what happened to them.
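This is exactly the kind of slip an outbound mail rule can catch. The following is an added example, not code from the original post: it flags recipients whose domain is a near-miss of one of your own, either a truncated or extended form (nab.com vs nab.com.au) or one character away. The internal domain list, the recipient addresses and the choice of rules are constructed for illustration.

```python
"""Catch a cc: to a look-alike of your own domain before the mail goes out.

Added example, not from the original post. Internal domains, recipients and
the near-miss rules are this example's own constructions.
"""


def _domain(address):
    return address.rsplit("@", 1)[-1].strip().lower()


def _edit_distance(a, b):
    """Levenshtein distance, enough to catch a single dropped or swapped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def near_miss(domain, internal):
    """Why `domain` looks like a mistyped `internal` domain, or None if it does not."""
    if domain == internal:
        return None
    if internal.startswith(domain + ".") or domain.startswith(internal + "."):
        return "truncated or extended form of " + internal
    if _edit_distance(domain, internal) == 1:
        return "one character away from " + internal
    return None


def misaddressed(recipients, internal_domains):
    """Return (address, reason) for recipients that look like a botched internal address."""
    internal = sorted(d.lower() for d in internal_domains)
    flagged = []
    for addr in recipients:
        d = _domain(addr)
        for good in internal:
            reason = near_miss(d, good)
            if reason:
                flagged.append((addr, reason))
                break
    return flagged


# Constructed: one external customer, one correct internal copy, two slips.
RECIPIENTS = [
    "customer@example.com",
    "records@nab.com.au",
    "records@nab.com",      # the domain typo from the NAB story
    "archive@nab.co.au",    # one dropped character
]

if __name__ == "__main__":
    for addr, why in misaddressed(RECIPIENTS, ["nab.com.au"]):
        print(addr, "->", why)
```

A rule like this belongs on the gateway as a hold-for-review, not a hard block, since a genuine external partner can legitimately sit one character away from your domain; the point is that a human sees the address before 60,000 messages do.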

Ransomware extorts Los Angeles school to the tune of $28,000

Los Angeles Community College District (LACCD) ended up paying a ransom of $28k, a choice that indicates it did not have good backups in place. Weapons-grade backups, folks! Test them and monitor them.

ESEA hacked, 1.5 million records leaked after alleged failed extortion attempt

The E-Sports Entertainment Association (ESEA) did not fold to an extortion attempt and the bad guys released about 1.5 million player profiles. There were over 90 fields in each record including registration date, city, state (or province), last login, username, first and last name, bcrypt hash, email address, date of birth, zip code, phone number, website URL, Steam ID, Xbox ID, and PSN ID.

DeriaLock ransomware decryptors available

If you were hit with this, there are a couple of decryptors available right now. Check it out if you have been impacted.

Erich’s “What in the (cyber security) world is going on?” 01-06-17 edition

Welcome to 2017! 

Here is to hoping this year will be a fun and prosperous one. I for one am going in to this year with a positive attitude and a smile!

I’ll be doing some speaking this month

I have a webinar on Thursday the 12th at 2pm Eastern, and will be speaking at BSides San Diego on both the 13th and 14th. If you want to hear my melodious voice or meet me in person, I cordially invite you to join me.

Ransomware is targeting HR departments

So, fake job apps are being sent to HR departments in an effort to infect them with ransomware. This is the GoldenEye strain (a Petya variant) that is looking for 1.3 Bitcoins. This appears to come with 2 attachments, a clean .PDF and an Excel file with the payload. If you have trouble, this variant is offering tech support. Isn’t that nice.

Adobe is releasing a Vishing scammers best friend

This is basically being called Photoshop for audio. If you can provide it with about 20 minutes of a person’s voice, it can recreate that voice convincingly. That’s bad news for vishing schemes and anything that uses voice recognition for authentication.

Ransomware for good, not evil?

Not sure what to think about this one. The ransomware unlocks your files for free if you learn a bit about avoiding ransomware in the future. I guess they think they are doing the world a favor, but keep in mind, if you fall under HIPAA, the HHS says any infection by ransomware (or any malware) is a security incident, and if it encrypts PHI it is presumed to be a breach unless you can show a low probability that the data was compromised, with breaches of more than 500 records also meaning notification to HHS and the media. You can argue your way out of it, by proving the files were already encrypted with your own keys for example, but nobody needs that kind of trouble.

DFS updated the New York Cyber regulation

Among other things, DFS changed the wording so that they have 72 hours after DETERMINING a breach to notify DFS, as opposed to 72 hours after the incident happened. Given that we usually don’t know that quickly, it was an impossible rule. There are other changes as well, so check it out.

LG helped unbrick the TV

Really, it was pretty simple, but hey, it was nice of them to do it. Maybe the family will be a little more careful what they download in the future.

Watch Facebook for a lot of fake death stories

I’ve seen a metric ton of them flying around. Norman Schwarzkopf and Bob Denver were at least two of them that have been dead for years. Check sources before sharing folks, please?

Microsoft reports that Cerber has been busy

It seems that Cerber attacks have been on the rise over the holidays. Remember to check links before you click on them. Security Awareness Training is still the best defense against this sort of attack, and it’s not expensive. Train your users, PLEASE!

Topps, makers of trading cards, lost a bunch of CC info

Lost data includes names, addresses, email addresses, phone numbers, credit or debit card numbers, card expiration dates and card verification numbers. There is no reason they should be storing CVVs. I’m hoping there is a fine in order for this.

So, I have this email with a Short URL link. What now?

These days, you are liable to see links that are known as “Short URLs” without even realizing it. These are very helpful in situations where you are limited to a certain number of characters or a long URL does not look good, and are now often done by software and social channels automatically. This is wonderful, except that they hide where the link will take you. The bad guys know this, and use it against you in phishing attacks and other Social Engineering ploys. So how do you identify a short URL, and what can you do about it?

Hover here and look at the bottom of your browser. You should see http://bit.ly/2crJXI3

 

Identification:

Short URLs are generally easy to identify as they typically point to domains such as “Bitly.com”, “goo.gl”, “ow.ly”, “tinyurl.com”, “t.co” or something similar. For example, here are links to www.madsqu1rrel.com from each of these:

Now this may not seem like it’s doing much, if anything, but the real power comes when you have a long URL and need it to be more manageable. Take for example the URL, https://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/ This links to a webpage at my employer, KnowBe4 but at 75 characters, that’s starting to get pretty long. If I use a URL shortener, this is what it would look like:

 

The Problem and Solution

As you can see, that is quite a difference. A side effect of this is that you can’t see where the link takes you. Make a button link a Short URL, and it is very easy to hide a malicious URL. For example, this button links to the KnowBe4 page, but how can you tell? Hovering over it just gives you the Short URL.

So what do you do? In most cases, adding a “+” sign to the end of the Short URL will take you to a preview page where you can see the full URL. There are exceptions, like TinyURL, that require you to do something different, such as add “preview.” to the beginning of the shortened URL. To get the URL to use, simply hover over the link with your mouse, right-click and choose “Copy Link Address” or a similar choice.

 

Data from https://goo.gl/2OA1y+

Here are some examples of preview links:

On a side note, goo.gl links give an entire analytics view of that Short Url. For example, check out https://goo.gl/2OA1y+ and you can see the data.

Ow.ly and t.co have proven to be a bit more difficult. In this case, using a service such as Unshorten URL or getlinkinfo.com to preview the link may be your best bet. This will also work with the other short URLs. Once you have pasted the link into the site, you should be able to see the real website the link is taking you to. If it’s not what you expect, don’t click it!

This may seem difficult at first, but once you have done it once or twice, it’s very easy to make sure you are staying safe from hidden malicious URLs.
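If you would rather not paste links into a third-party site, the same two tricks can be scripted. The following is an added example, not code from the original post: `preview_url` builds the shortener’s own preview page using the conventions described above (“+” on the end for bit.ly and goo.gl, “preview.” in front for TinyURL, nothing for ow.ly and t.co), and `unshorten` follows HTTP redirects one hop at a time so you learn the final destination without ever loading it. The redirect table it runs against offline is constructed; `live_head` does a real HEAD request for production use, and the shortener codes other than the page’s own are made up.

```python
"""Preview a short URL without clicking through it.

Added example, not code from the original post. Preview conventions are
the ones the post describes; the redirect chain is constructed.
"""
import http.client
from urllib.parse import urljoin, urlparse, urlunparse

PLUS_SUFFIX = {"bit.ly", "bitly.com", "goo.gl"}   # append "+" to get the preview page
PREVIEW_PREFIX = {"tinyurl.com"}                   # prepend "preview." instead
REDIRECTS = {301, 302, 303, 307, 308}


def preview_url(short):
    """Return the preview-page URL for a short link, or None if we know of none."""
    u = urlparse(short if "://" in short else "http://" + short)
    host = (u.hostname or "").lower()
    if host in PLUS_SUFFIX:
        return urlunparse(u._replace(path=u.path + "+"))
    if host in PREVIEW_PREFIX:
        return urlunparse(u._replace(netloc="preview." + u.netloc))
    return None


def unshorten(url, head, max_hops=5):
    """Follow redirects manually. head(url) -> (status, Location header or None).
    Returns the first non-redirect URL; raises on loops or too many hops."""
    seen = set()
    for _ in range(max_hops):
        if url in seen:
            raise ValueError("redirect loop at " + url)
        seen.add(url)
        status, location = head(url)
        if status not in REDIRECTS or not location:
            return url
        url = urljoin(url, location)   # Location may be relative
    raise ValueError("more than %d redirects" % max_hops)


def live_head(url, timeout=10):
    """Real HEAD via http.client, which never follows redirects on its own."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    try:
        target = (u.path or "/") + ("?" + u.query if u.query else "")
        conn.request("HEAD", target, headers={"User-Agent": "link-preview-check"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


# Constructed redirect chain standing in for the network: shortener -> t.co -> landing page.
FAKE_CHAIN = {
    "http://bit.ly/abc123": (301, "https://t.co/xyz789"),
    "https://t.co/xyz789": (302, "/landing?ref=mail"),
    "https://t.co/landing?ref=mail": (307, "https://www.example.com/landing"),
    "https://www.example.com/landing": (200, None),
}


def fake_head(url):
    return FAKE_CHAIN.get(url, (404, None))


if __name__ == "__main__":
    print(preview_url("http://bit.ly/2crJXI3"))           # http://bit.ly/2crJXI3+
    print(unshorten("http://bit.ly/abc123", fake_head))   # https://www.example.com/landing
```

Two things worth noting. A HEAD request to the shortener is not the same as visiting the destination, but it still tells the shortener’s analytics that someone looked; do it from a sandbox or a throwaway address if that matters. And the final URL is only as trustworthy as the last hop: a redirect chain that ends on a brand-name domain can still have a look-alike host in the middle, which is why `unshorten` returns every hop’s end state rather than silently hiding the path.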

 

 

Erich’s “What in the (cyber security) world is going on?” 12-29-16 edition

2016 Isn’t done with us yet

Screw 2016. That’s kind of what I’m feeling. I’m about tired of people passing away this year. The latest celebs lost this week were George Michael, Carrie Fisher, Richard Adams and Debbie Reynolds. Even closer to home, Jack Daniel, a person I have a lot of respect for, lost his wife of 37 years on Tuesday. I cannot begin to imagine the pain and sadness the close friends and family of all of these people are feeling. I am praying for their peace as they go through these tough times.

I’m going to do something a little crazy

I’m going to run for a spot on the (ISC)2 Board of Directors in 2017. I worked for them for a couple of years as an advocate for the membership, among other things, and I still feel strongly about trying to help folks that carry the CISSP and other (ISC)2 certs, so I’m going to make a run at it. I will need 500 emailed petitions to be on the election slate. If you are an (ISC)2 member, please check out this link and help me out. It only takes a minute. Thanks

Disk-Killer Malware Adds Ransomware Feature And Charges 220 Bitcoins

Ouch! Your machine is infected by an email attachment. Now it encrypts the snot out of it, and exfiltrates data. I made a call earlier that I expected to see this sort of behavior, but I didn’t expect this kind of price tag. The back story is fascinating as it has evolved from ICS and SCADA attacks. This is worth reading.

 

Makes my neck hurt looking at it

Android ransomware hits a Smart TV

So, this poor soul’s family got hit with ransomware on their TV and are not happy about it. It seems LG won’t give him the process for a factory reset, and there is some talk about a charge for support. It’s an old set, still running Android, and it would almost certainly need to be sideloaded or rooted to install a 3rd party .apk. I’m not sure what I think about this as they say, “they downloaded an app to watch a movie. Halfway thru movie, tv froze. Now boots to this”. Now, call me crazy, but I have to wonder if the app was something called “Codec.apk” or similar, and perhaps if the movie they were watching was um… not from trusted channels. Fact is kids, if you DL pirated movies, you might just be opening yourself up to something like this. Not sure if LG has a way for a user to fix this if it really encrypted the file system. Factory reset doesn’t help if the recovery image itself is encrypted. Just sayin. I do wish there was more info out there, but I think we have heard the last of this.

New iTunes Phishing Emails on the Rise

Watch out for iTunes invoices bearing… attachments or links. If you get an email saying you paid $45 for the Netflix app or $25 for a song (not even a Kanye song is worth that!), don’t click the link. Instead, go directly to iTunes (no really, this link is legit, I promise!) and check your account from there.

How does she have that many followers and I only have about 150?

A Britney Spears Twitter account was hacked

It was an account controlled by her record label and has about 614,000 followers. Since the hackers did this at about 5:00am Eastern Time, nobody seemed to notice. I’m guessing most of the people that still listen to her were still sleeping off a bender at that time of day. Since all of the hacked tweets were gone by 9am, it practically didn’t happen.

Bitcoin hit over $930

That’s a lot for a unicorn/vapor cyber currency. Maybe I’m just old, but I’m not even sure how I feel about this, but I’m done talking about this imaginary money.

(ISC)2 Members – Please support me for the 2017 Board of Directors election

First I want to start by saying thank you for taking the time to read this. Back in January, I announced my intention to run for the (ISC)2 Board of Directors this year.  To do this I need to get 500 signatures on a petition in order to be included on the slate for voting. In the past, the board elections typically took place in November, however for some reason this year they’ve moved it up to the end of July and beginning of August.  This change has impacted my timeline as I must have the 500 signatures submitted by May 31. The compressed timeline was a surprise to many, so I need your help more than ever.

 

Why do I want to do this?

For about two years I worked for (ISC)2 as the Director of Member Relations and Services. I took this role very seriously and worked very hard to ensure that the members’ voice was heard, and to try to accomplish things that would impact the members in a positive way. It is my opinion that (ISC)2, as a not-for-profit organization, needs to do a better job serving the membership in protecting the value of the CISSP and other certifications by making it easier to maintain the certifications, being prudent with the release of new certifications, and providing greater value to the members.

While working for (ISC)2 I began a number of projects to benefit the members, but still have not seen many of them come to fruition. Some have been implemented, such as moving endorsements from the paper process to an online process which is much more streamlined, and creating one of the most asked-about features from members, the downloadable .pdf versions of the certificates. Things that have yet to be done include a greatly simplified CPE rules process and improvements to the member portal that allow for easier submission and tracking of CPEs. If elected, I will be working to ensure these initiatives do not lose steam.

In addition, many changes have recently been made to the processes related to the certifications, some of which concern me. If elected, I will keep an eye on these changes and any impact they may have while ensuring that the value of (ISC)2 certifications remains second to none.

I travel a lot in my job and speak at a lot of security conferences. This allows me to meet with security professionals from all around the country and the world, and get their feedback on the certifications, the state of the industry, and what is needed to help. With over 110,000 CISSPs, I honestly believe if we work together, we can make positive changes in the world and the industry.

Finally, I live in the Tampa area where (ISC)2 is based, which will allow me to work very closely with the leadership.

What are my top goals if elected?

  • Ensure the value of the CISSP and other (ISC)2 certs are maintained or improved
  • Make the certification maintenance process easier through simplified CPE guidelines and a better CPE reporting mechanism
  • Meet with other (ISC)2 members, listen to their concerns, and advocate on their behalf within the organization
  • Continue the push for increased transparency and communication between (ISC)2 and its membership
  • Provide tools and resources for security professionals that will make their lives easier and add to the value of holding an (ISC)2 certification

I need your help!

Per the (ISC)2 Bylaws, any member in good standing can be elected if willing to serve per section IV.7:

The name of any qualified person who agrees to serve if elected may be submitted by signed, written petition, of at least 500 members in good standing as of the date of the election announcement, to the Board at least sixty (60) days in advance of the start of the election. Any such petition shall identify the Board seat for which the nominee is to be considered. Nominees received under this process shall be included on the ballot.

This means that I need a petition from 500 (ISC)2 members nominating me for the Board of Directors in order to get on the board election slate. This petition must be emailed to me at [email protected] from the email address you have associated with your (ISC)2 account and must contain your name and member number. I have made a sample email below that you can quickly copy and paste, replacing the key areas with your information.

 

What will I do with your email address?

I will only use the email address for the purpose of verifying your eligibility, communicating directly with you about the election/petition in a brief manner, and will provide it to (ISC)2 with the petition (they already have the email address after all). This is what I expect as far as emails I will send go:

  • I plan to send a short communication once upon submission of the petition
  • A short email as a reminder about a week before voting opens
  • A short email when voting opens
  • A short email with the results of the election (namely if I made it or not)

It is possible that additional emails regarding the status of the submitted petition and/or election will be sent if needed, but I will only do this if really necessary.

The template

If you would like to support me in my bid for the (ISC)2 Board of Directors, please copy and paste the below template in to an email that will come from your email of record with (ISC)2 , replace the bold sections with your information, and send it to [email protected].


(ISC)2 Election Committee,

I, <INSERT NAME>, holding the <INSERT (ISC)2 CERTIFICATION(S)> certification, petition that Mr. Erich Kron, CISSP #392400 be included on the 2017 Board of Directors election slate. I have sent this email from my email address of record associated with my certification and will continue to be a member in good standing for the election in 2017.

Sincerely,

<Name><Member Number>

 


Thank you very much for your support!

-Erich

Erich’s “What in the (cyber security) world is going on?” 12-22-16 edition

Posting a little early this week due to the holiday. Merry Christmas, and may you have a great Whatever Holiday You Celebrate!

I released my 2017 predictions. 

Don’t tell anyone, but I really just pulled some stuff out of my backside, but figured I was on the hook to do something. I think they are pretty accurate if you take the categories in to account. Your help not holding me accountable for any of these predictions is appreciated. At least it’s entertaining. Javvad Malik’s are much more relevant.

 

Free CryptXXX decrypter was released. 

Thanks to the folks at Kaspersky Lab, a free tool to decrypt files hit with CryptXXX has been released. This may or may not be the reason for the “1/2 price for the holidays” offer from the bad guys. I’m thinking it is, and I’m thrilled about it. Hopefully they will get coal, or reindeer poop, in their stockings this year. They deserve it.

 

Free unlock code for Padlock Screenlocker

BleepingComputer reported the unlock code for Padlock Screenlocker is ajVr/G\RJz0R and that the files are not actually deleted. Let’s keep this sort of thing coming!

 

Community Health Plan of Washington exposed 380,000 PHI records

The bad guys were there almost a year and got about 380k PHI records. That’s just sad. “It appears that names, addresses, dates of birth, Social Security numbers and certain coding information related to health care claims may have been accessed” but “Banking and credit information was not contained in the data“. Well, isn’t that just lovely. Personally, I’d rather lose a CC# than my SSN.

 

Columbia County schools victim of data breach

The affected server did not contain student data, but did have “confidential employee information, including names, Social Security numbers, birthdates and more“. In the several weeks since discovery, “Investigators could not confirm if any of that information was copied or compromised“. In other words, they can’t figure out if you are compromised or not. Good luck with that.

There is a patch for the Netgear routers vuln

Go get it if you are affected. That is all!

 

Social engineering is easy

Not a newsflash, but this video and this video show just how easy it is. This is why you need Security Awareness Training. Teach people that they are targets. It’s important.

L.A. County hit with a phishing attack – 750k records

Confidential health data or personal information of more than 750,000 people may have been accessed in a cyberattack on Los Angeles County employees back in May. “Among the data potentially accessed were names, addresses, dates of birth, Social Security numbers, financial information and medical records — including diagnoses and treatment history — of clients, patients or others who received services from county departments.” But look at the bright side, it was WAY back in May and now you get a year of free credit monitoring. Sadly, your SSN is valid for more than a year and once it’s out there…

 

Just in time for Christmas, a Galaxy Note 7 fireplace. 

I love this. Words fail me with how much I love this. The ringtone music is a wonderful touch. Have I mentioned that I love this?