Erich’s Cyber Security (and other) Predictions for 2017

Well, this seems to be the time for predictions, so who am I to break tradition? I’m not going to waste valuable time telling you how qualified I am to make these predictions because, it really doesn’t matter. I have given very little thought to these and have researched almost nothing. Only the first group is liable to be true (almost guaranteed as a matter of fact. So, here we go…

Disclaimer: These predictions and opinions are mine and mine alone, not those of my employer.

Group 1 – Pretty Much a Sure Thing

  • Social Engineering Will Continue to Be a Dominant Force in Breaches – Let’s face it, people are going to continue to get phished. Phishing will continue to result in more breaches, lost money and W2’s and ransomware infections. Expect W2 scams to start in January and continue until mid-year. The others will happen constantly.

 

  • The Gunslinger Movie Will Finally Be Released – And even if it sucks, I will like it. I don’t have a choice. It is not likely to ever be redone in my lifetime, and I have waited for so long, it simply can’t suck. This has nothing to do with cyber security, but I don’t really care. It’s on the list.

 

  • Security Awareness Training Will Continue to Be The Best Defense Against Phishing Attacks – Seriously though, the industry will really step up the game this year to combat phishing. As platforms mature, new features designed to get ahead of the bad guys will be released and will significantly reduce click rates. Organizations that did not believe in the value of SAT will have their eyes opened to how effective it can be. Any of you that know me, know that I won’t promote anything I really don’t honestly believe in. It’s why I work for KnowBe4. It works and helps admins in all company sizes.

 

  • Someone You Like Will Die a Horrible Death on Game of Thrones – Like someone in the series? They will die. Prepare for it.

 

 

  • Someone You Like Will Die a Horrible Death on Walking Dead – See above.

 

 

Group 2 – Likely

  • I Will End Up With Another Year of Free Credit Monitoring – The only real question is related to what PII they will lose. My medical records, credit card info or something else entirely? It’s almost exciting to ponder the possibilities. After being impacted by the VA, Target, Home Depot and OPM breaches, I’ve had some sort of free credit monitoring in place for years!

 

  • All Retail Stores Will Be Called Amazon – Much like the story line in the movie Demolition Man predicted with Taco Bell, all retail stores will become Amazon. This will be great when it comes to remembering domain names, as all stores will be Amazon.com, but it’s going to wreak havoc on GPS directions when you want to shop IRL.

 

  • No Less Than 10 Security Vendors Will Try To Convince You That Their Product is All You Need – Marketing departments will be working overtime to convince you that their widget can replace your security staff and let you sleep well at night. Don’t believe the hype. There is no silver bullet. Give the ones that are honest about the issue your time, ignore the rest.

 

  • You Will Try To Restore From Backup, And It Will Fail – Yeah, odds are, if you need your data back, it won’t be there. Remember the 3-2-1 Rule and you can move the odds in your favor.

 

Group 3 – Not Very Likely (a.k.a. Not a chance in the world)

  • The Tampa Bay Buccaneers Will Not Be An Embarrassment.  – The Bucs will leverage Winston to win the division. Fans will be proud of their team and will not have to whisper “the Bucs” while averting their eyes, when asked what team they support.

 

  • No Major Breaches Will Occur in 2017 – Yes, there will be minor ones, but the big ones are over. Organizations will finally take security seriously after 2016. This will allow overworked Infosec pros a chance to get the right tools and staffing to prevent major breaches.

 

  • Celebrities Will Stop Being Involved In Politics – Celebs will finally realize that they are talented in singing/dancing/acting/cooking/being a hopeless case in a reality show, but really don’t understand global politics as much as they think they do. It will occur to them that some people spend a lifetime studying politics and economics to get in the position to have their opinions respected. This is not the same as playing the President on a made-for-TV movie.

 

 

OK, So that’s about all I’m going to try to predict for 2017. Let me know in the comments if you have any predictions of your own.

 

Life on the Road – Cats, Cold and More

My job takes to a lot of places and I love that part of it. Seeing the country and gaining the experiences is something I love to do. There is an old saying about the journey being a big part of the fun. I cannot agree more.

Some of these travel posts are going to sound like complaining. I assure you, they are (probably) not. They are really about the funny stuff I get to see. It’s humorous story telling that may (or may not) embellish a tiny little bit. All of it is based in truth though, and only the details might be, um… “enhanced” a bit.

Having said that, let me give you a little background. I am an airline snob. I admit it. I don’t care much about the hotels I stay in, or the dinners I eat, but I do care about the airline experience. I hate being rushed, I am dismayed by the fact that people often revert to Lord of The Flies like behavior when it comes to air travel.

Take for example the carry on baggage rules. 1 personal item and 1 carry on item. The carry on item is limited in size (stuff it in this box over here and see), but the personal item seems to be magically unimpaired by size restrictions, or at least the rules are unknown and unenforced. I see folks with bags bigger than my checked bag going onboard as a “personal item”. The other thing is animals.

Get These @#&! animals off the @#&! Plane!

Yeah, there was a time when animals travelled in crates in the belly of the plane. Now, it seems, they are everywhere. Comfort dogs, pot-bellied pigs, and worst of all… CATS!

Now, I like cats, but folks, 30,000 ft and 600mph is no place for a feline. Southwest Airlines seems to gather more than it’s fair share of animals. Yesterday was a perfect example. I was going from Tampa to Columbus. I normally avoid Southwest when I can, as I hate the open seating thing, but it was the only direct flight. I get on board as part of the “A” group and take my customary window seat. This was about row 10. Now, with an entire plane full of empty seats, I am joined by a couple with a lovely blue carry-on containing a rather unhappy looking tabby. It’s eyes gleamed yellow out of the mesh on the ends of the soft-sided carrier. For some reason, it looked right at me, right in to my soul. I was scared. Terrified really. I believe my very life was being weighed by that creature (That was likely called something cute, like Fluffy, or Tom, or Mr. Tinkles). For a reason I have yet to understand, I believe the cat blamed me for its current predicament, and it wasn’t happy.

It looked meaner in person!

Why these people decided to sit beside me, in a barely filled plane is still beyond me, but I wasn’t going to move. I was trapped in my windows seat, and any chance of escape involved passing the pointy parts of the Hell-spawn in the seat beside me. I just tried to avoid eye contact.

Another thing that Southwest does well is cater to families. That means children, and children are magically attracted to my part of the plane (whatever part that happens to be), especially when they are going to act up. This was no exception. Little Tommy, (we will use that name) decided he wanted no part of the plane thing without fully exercising his well-developed lungs. When Tommy let loose, even Mr. Tinkles took notice! He was now even less thrilled than before. I began to fear for my life.

Fortunately, the rule says livestock must be stuffed under a seat for takeoff and landing. It seems nobody wants an angry, airborne murder-cat loose in the plane in the case of a rough takeoff/landing. Good idea! Mr. Tinkles got unceremoniously stuffed under the seat much to my relief, now he could only plot the destruction of my Achilles tendons rather than my throat. That was the good part.

The bad part, was that the cat decided to become… “musical” and join Tommy in a serenade of noise that no sound cancelling headphones can dampen. This continued on for most of the flight. Once the cat started, there was no “off” button. He did modulate between simple loud meows and “I’m caught in a blender” yowls, so we had that going for us.

By the time I hit Columbus, I was ready for the 5 degree weather if I could just get off the plane.

I am currently back in the airport waiting to board another tube-of-hades to return to Tampa. I ended up in a “B” boarding group, so I’m hoping for the best. I’ll let you know if the return goes off the rails.

Erich’s “What in the (cyber security) world is going on?” 12-16-16 edition

Holy Crap! Lots of stuff going on in this weeks post. Stay safe out there and please use the buttons on the bottom to share with folks you think can use the info. I’m always up for comments and feedback as well.

If! You! Use! Yahoo! Just! Stop!

Nothing more to say about that. 1 Billion accounts exposed. This is just dumb. Get a Gmail account and move on.

Sneaky little hobbitses. Wicked, tricksy, false!  –  Nymaim using MAC addys to uncover virtual environments & bypass AV

So, the lovely trojan dropper known as Nymaim got smart and is looking at MAC addresses to see if the machine is a Virtual Machine (VM). Since VMs are used a lot as sandbox environments for malware research, it won’t launch if it detects a network card with an OUI associated with a VM. Keep this in mind when testing to see if a file is malicious or uploading to a sandbox for detonation. It may be misleading. On a plus note, if you run thin-clients, you might be better off.

 

Watch for Uber Vomit Scams 

This is a general PSA, but I am hearing about this more often. The way it works is, you get back from a trip somewhere and your card is charged an extra $150 by Uber for a “Clean up fee”. The drivers will sometimes upload pictures of a mess in the back seat as “proof”. This is usually fake, or a reused photo. The scam seems to be gaining steam and folks spend a lot more time out of town, often using an Uber to get to/from the airport. Moving forward, I might start taking cell phone pictures of the car when I get in and out, just for CYA. It’s tough to fight when it’s done and gone, and you have been home for a week. I still love Uber, but drivers are people too, and some are going to be looking to make a fast buck.

 

Security Sessions: Ransomware as a service on the rise 

My CEO, Stu Sjouwerman, did an interview with CSO Online regarding the RaaS (Ransomware as a Service) issue. It’s a quick video, but he talks about some of the trends and how to defend against them. You might already know that I’m a huge KnowBe4 Fanboy, and not just because I work for them. It’s all about helping educate people so they can make better decisions. it’s why I can get behind the company so much.

 

NY AG warns lawyers of phishing campaign

There are some phishing emails going around targeted at lawyers in the New York. It looks like it’s coming from the NY State Attorney General and is designed to get users to open a PDF attachment. An example of the email is here. This is an example of a very targeted spear phishing attack that is not likely to get flagged by spam filters.

 

A New And Scary Double-Ransomware Whammy

Here is a pretty interesting (and crappy) new strain of ransomware. It encrypts the files, then reboots and encrypts the MFT, so it ends up hitting you for a ransom twice. Kinda rotten. Be aware of any PDF saying it’s a job application, especially if it has a link to an Excel file.

 

Amazon shoppers targeted in ‘order cannot be shipped’ scam

Tis the season as I have said before. Packages are flying all over that place, and who doesn’t use Amazon? Scammers are sending emails saying that packages can’t be shipped. The idea is to get you to open an attachment or click a link (as is reported in this story) that leads a person entering credentials or a credit card for “confirmation”. I guess that scammers need to buy presents too, right? This is not new, but given the time of year, it’s very effective.

 

Samsung will be bricking the esploding Note 7 phones on December 19th

Yes, Samsung has decided that while you can own the hardware (as blow-uppy as it may be), they own the software, so they can go ahead and virtually blow up the phones before they physically blow up. An interesting angle on a “voluntary recall”. If you still have a Note 7 <AustinPowersVoice>I too like to live dangerously</AustinPowersVoice> You have until December 19th to return it, lest it become a potentially randomly exploding doorstop. Please “Note” that Verizon is not taking part in the OTA update that will brick these devices, as they figure folks may not have a device to switch to, and (the lawyers, I’m sure) have an issue with leaving someone without a device that can call 911 in an emergency.

 

Netgear Nighthawk Routers vulnerable to badness. 

Netgear Nighthawk R7000, R6400, R8000and R8500 models “might” be vulnerable to a bug provided to them by researcher Andrew Rollins (a.k.a. Acew0rm) on August 25, but only acknowledged after he posted it on December 6th. So much for Netgear supporting responsible disclosure. Basically, bad guys can get root through the devices web server. There is a temp workaround that kills the vulnerable web server process, but it only works until rebooted.

And Finally… A little much needed humor

Santa Gets Hacked! 

 

Erich’s “What in the (cyber security) world is going on?” 12-09-16 edition

Ok, I’m moving these updates to Fridays. Mondays are just, well, Mondays. If you are new to my posts, basically it’s a recap of some key infosec happenings in the past week. Having said that, let’s move ahead:

Infect 2 Others and Get Your Ransomed Files Back Free!

I posted about this earlier today, but the summary is that the jackholes that created the Popcorn Time ransomware strain are offering to decrypt your files free if you just get 2 more people infected and they pay the ransom. It looks like there will be an option to have the software start deleting files if 4
incorrect decryption keys are tried as well. This appears to be a proof of concept at this point, but these often end up in the wild once they get a buyer. I hope they die a slow festering death in the pits of an Alabama outhouse. This video sums up my feelings for these folks: Hanging’s too good for him…

 

Legal raids in five countries seize botnet servers, sinkhole 800,000+ domains… and then they release the leader who disappears. 

So, after taking down the largest malware/phishing ring in recent history, a judge in the city of Poltava, Ukraine released the leader because the prosecutor forget to mention that during the arrest, the leader shot at the cops, including popping a round through the front door. Without that little detail, and the associated “attempted murder of a police officer” charge, he got to walk. In a shocking turn of events, Kapkanov disappeared just as quickly as the Poltava’s prosecutor’s career.


3.2M home routers seized via malicious firmware update

A hacker by the name of BestBuy claims to have used a Mirai botnet to infect 3.2 million home routers on the TalkTalk and Post Office networks. I haven’t heard of any independently confirmed reports of routers actually being infected, but they may not be easy to identify. In the words of security researcher Darren Martyn, “What they just pulled is shenanigans of the highest quality”

 

US Navy Admits To Data Breach, 130,000 Exposed

Yeah, the US Navy exposed info for 130,000 current and previous sailors.  Wonderful. If I’m one of them, I’ll just put it in the stack of other notifications from the government. Maybe I’ll put it right next to my OPM notification.

 

 

Ransomware suspect Pornopoker nabbed in Russia

Let’s hope they don’t screw up and release him as well, although he doesn’t seem to be near the same level as Kapkanov above. He was nabbed while returning from Thailand.

 

Infect 2 Others and Get Your Ransomed Files Back Free!

What a great deal from the writers of “Popcorn Time”. If you just infect 2 other people and they pay the ransom, you can get your files back free.  Indicators also show that there may also be a provision where if you enter an incorrect decryption key more than 4 times, it starts killing your files.  I would love to get ahold of some of these folks and plug their toenails out with with rusty pliers. This video clip pretty much sums up how I feel about these vermin…

New Approach to the Same-Ol Phishing Emails

This is an interesting way to try to get folks to open malicious documents. I really like the macro warning screen angle they use on this. It’s designed to get you to click the button to enable the macro when it’s opened. They also make the email look like you are being brought in to an existing conversation. Pretty slick.

Check it all out at: https://blog.knowbe4.com/phishing-from-the-middle-social-engineering-refined

 

 

 

 

The People Factor: Dealing With Non-Tech Users in a Tech-Heavy World

Me as a Child
Me as a Child

As a tech person, I am pretty comfortable with tech things. My mind works in such a way that I can understand most gadgets and technology with a minimum of effort. I can almost literally picture the mechanics (or electronics) behind the functioning of stuff. It comes very naturally to me. What i have discovered in my years of living in tech is, not everyone sees things the same way as me. I know it’s a fundamental thing, very simple in retrospect, but it has been, and continues to be, a blind spot for me. I have to work to remember this when dealing with non-techies, or I can easily get frustrated.

If you look around, you can see the world being enveloped in tech. VR is going mainstream, we carry around pocket computers that also happen to make phone calls, our cars are rolling, digitally controlled entertainment systems. Some of us embrace and dare I say, enjoy, it. But what about those that do not?

These poor folks are having a heck of a time. Their families, especially the younger ones, are communicating at the speed of light, often times through push communications such as twitter, instagram, etc. Then there is email… so many emails! Gone are the days of licking a stamp and spending $ to communicate with people, now it’s free and every marketer on the planet is sending emails about by the 1000’s without spending a penny on postage. These poor non-tech folks are getting inundated by emails. To compound the problem, the scammers are out there in force as well, filling up the folks email account with scams, malicious links and attachments. These folks are also some of your users.

These folks are fatigued by tech, and now it’s hitting them hard in the workplace as well. Emails require almost immediate response, IM is becoming a productivity tool and the business world is

tire-tracks
 Rubber, Road, Disaster

running at 100 miles an hour. Those same scammers are hard at work here too, only in this case, there is a feeling that they can’t ignore emails like they might in a personal email account. What if it really is an order or a customer service issue? This is the point where potentially disastrous decisions are made. Where the rubber meets the road, if you will.

So what do we do about it? Well, we need to show some empathy to start. While they may not have tech skills, hopefully they have

some other skills that keep them employed. Don’t look down your nose at luddites, it’s just a person with a different set of priorities. We also need to understand that it is our job as security professionals to reduce this risk and own the responsibility. If these folks are falling for phishing, we need to fix it, and we are responsible for teaching them good practices.

Once we own the problem, we can begin to address it. Here are 5 things you can do to be successful:

  1. Be patient. Non-tech folks don’t always have the basic tech skills and experience that we take for granted.
  2. Be positive. These folks are probably a little intimidated by what you are trying to teach them. Encourage them when they do well, but be kind if they mess up.
  3. Give them training and tools. Good awareness training and something as simple as a printed copy of a reminder like this can pay big dividends.
  4. Make them feel like part of a team. Stress that you are all in this together and part of something bigger than the individual
  5. Smile. Remember to smile, especially when teaching them new things. This will put them at ease and build confidence.

If you do these 5 things, it will go a long way to helping non-tech users embrace their role defending the organization against modern threats like Phishing. Good Luck!

looks-like-some-z52hnr

 

Had a great webinar yesterday

I had a great webinar on SecureWorld yesterday alongside Shawn Tuma (Partner, Cybersecurity Attorney, Scheef & Stone, L.L.P.) and Aliki Liadis-Hall (Director of Compliance, North American Bancard) with Craig Spiezle (Executive Director & President, Online Trust Alliance) moderating. We talked about some of the 2016 breaches and how things have changed.

It’s available on-demand now at:

https://www.secureworldexpo.com/resources/2016-breaches-lessons-learned

Check it out!

Tis the Season: Overtime is Authorized!

blocked

That seems to be the current trend for the scammers and bad guys as is evidenced by the above screenshot from one of my Gmail accounts. Between the hustle of the season and the too-good-to-be-true deals, the bad guys are hitting the emails pretty hard. Perhaps it’s for a noble cause such as buying a new hearing aid for dear ol mom, but more than likely, it’s just that they want to take your money for their own personal gain. Either way, it pays to keep your eyes peeled more than ever during this time of year.

 

This means doing some basic things such as looking for the padlock in your browser on sites you are going to make a purchase from. No lock, no buy! See these examples and look for the lock!

secure1    screenshot_2016-11-28-12-55-11

Also, if you receive emails about package delays and/or delivery status with an attachment, DO NOT OPEN THE ATTACHMENT. Instead, if you are really concerned, log in to the account you placed the order from and see if there is an updated order status there. In 99% of cases, if there is a delay, they will include a tracking number in the email (not the attachment). Copy that tracking number (don’t click the link!) and paste it in to Google. It will usually point you in the right direction. If not, go to the website for the shipping company (not from a link in the email) and track it there.

track

Stay safe and have a great holiday season!