It’s That Wonderful Time of Year (for the scammers)

It’s that time of year for hot cocoa, elves on some shelves and in some German families such as mine, some Gluhwein. Along with that inevitable trio comes another seasonal thing… holiday scams.

Starting in November and running right past New Year’s Day, these scams are as predicable as the winter solstice. This year the release of two next-generation game consoles are fueling the fire. Every year there is a hot new item that folks just HAVE to have. When I was a kid, there was a Six Million Dollar Man action figure I just had to have (My wonderful dad drove over 125 miles each way, from Tucson to Phoenix and back to get me one), for my little sis, it was a Cabbage Patch Kid and even as adults, it was the Wii and Balance Board. This year it’s the PS5 and the Xbox Series X taking the world by storm.

These “must have” items drive scams to whole new levels. From shipping boxes with bricks to ripping people off with Cashapp and other online payment services, the hits keep coming. On top of that, scammers have a great source for phishing emails enticing people to click on links promising to have items in stock (in fake online storefronts) and other scams that convince people that a service they have can find them in stock. Finally, the fake shipping scams trick people in to thinking their purchases are not being delivered for some reason, using the email to steal credentials or click on links to malware-laden websites. There are literally a million ways to scam during this season.

After the big day, expect to see scams related to refunds or newly stocked items that are going after the holiday money or gift cards that many people receive instead of physical presents. Then we head right into tax scam season. Oh joy.

So what can we do about this? First, share this information with others. Make sure your family and friends know to be on guard during this time, give them resources to help spot these scams, such as this and this, and most importantly, be there to offer advice when they have questions.

If we all work together through the holidays, we can keep them bright and cheerful. Then we can prep for the upcoming battle with the tax scammers.

The Nation-State Cybercrime Problem

I’m an older American guy, and I grew up in the world of the Cold War where every enemy on TV or in the movies was a Russian. We had movies like “Red Dawn,” “FireFox,” “The Hunt for Red October” and many more. Then, the world changed and the Cold War era ended as we knew it. The question is, did the war ever actually end, or did it just evolve?

There is no doubt that the world has changed and evolved in many ways since those days when we all feared physical attack from the enemy. An important evolution in the warfare we remember is the shift to virtual attacks. These attacks cost the U.S. billions of dollars in financial losses and many more billions in defensive costs each year. We’re losing our digital Information almost as fast as we generate it, and this will impact us throughout our lifetimes. It used to be much more difficult for an adversary to gain information about a person in any usable intelligence format. It involved significant manpower to follow, track and otherwise monitor an individual. In the modern world, this has become so much simpler, as we continue to grow our digital footprint every day. The days of thick manila envelopes full of papers, traditional dossiers on people or stealthy microfilm cameras whisking away our information are gone. Now, it is all a bunch of ones and zeros in easily searched databases.  

Sadly, threats don’t stop with simple information theft. Cybercrime in the forms of business email compromise scams and ransomware are making huge amounts of money every year. While many of the gangs that partake in these attacks are independent, many also have an association with nation-states. Sometimes the association is loose, and sometimes the attackers may actually be part of the offensive forces of that nation state. In the past decade, we have seen several groups tied to nation-states unmasked and charged with crimes. Rarely, if ever, will this result in actual arrests, however it does send a message that they have been caught and are known. 

Some examples of this are when the U.S. charged 5 Chinese state actors with hacking in 2014. These five hackers from Unit 61398 of the Third Department of the Chinese People’s Liberation Army (PLA) were charged with numerous crimes and are said to have targeted America’s nuclear power, metals and solar products industries with the intent to steal trade secrets and intellectual property that would be   valuable to China. In other words, China used their military cyber capabilities for economic gain. 

In the latest example, six Russian Main Intelligence Directorate (GRU) soldiers have been charged with hacking and cybercrime charges allegedly linked to almost a billion dollars in losses through ransomware attacks and ploys to disrupt the 2017 French elections and the 2018 winter Olympic Games. These six Russian soldiers are said to be responsible for some of the most devastating ransomware attacks we have seen, including the NotPetya ransomware variant, which was not really ransomware at all, as it lacked the ability to decrypt its victims files, but was in fact a destructive tool. 

Given Vladimir Putin’s rise to power from the KGB, it is no surprise that Russia has developed some highly advanced cyber warfare and espionage capabilities. China and Russia are not alone, however. Iran and North Korea are also known to have skilled teams of state-sponsored or trained groups that are focused on stealing money or information and disrupting the economies and activities of other countries.  

The lesson behind all of this is that there is a war going on, but it is not the kind of visible war we are used to. Many day-to-day citizens likely have no idea about the capabilities of these groups or the damage their efforts have caused. As security professionals, we have an obligation to be aware of these dangers and to educate people, especially those in the leadership roles within organizations, but we must do this without sounding like we support the idea of tinfoil hats. Stories like those mentioned here, where the U.S. government has charged foreign countries with this sort of criminal activity, are ways to introduce others to the idea that these battles are taking place through credible sources. From there, we educate people about the mechanisms of these attacks, especially phishing and social engineering attacks that target people and seem to work extremely well. This helps us build our case for the protections needed within our organizations and underlies the severity of the challenges we face.

Who knows, maybe if we continue to bring light to the subject, we will get that sequel to the FireFox movie after all. 

VISA Warning of Malware on Gas Pumps


This is tough to combat since it’s not a skimmer, but malware. I’ve seen some local places deploying chip technology on the pumps, but many still just use the mag stripe.

If it asks you to leave the card in the slot during authorization, at least it’s using the chip.

Other tips to consider when paying at the pump:

  • Use pumps closest to the cashier and front doors. Bad guys don’t like to work where good guys have visibility, so skimmers tend to be at far-away pumps
  • Use credit cards over debit cards if in doubt. It’s easier to deal with a compromised credit card than having your bank account emptied
  • When in doubt, pay inside 


Facebook Video Scam – “I Uploaded pictures of….”

This is not the first of its kind I’ve seen, but they follow the same basic script. I think it’s interesting that they use an existing, obviously compromised account (this one was established in 2007) to post in closed FB groups. 

They are smart enough to leave the single comment with a deceptive icon (YouTube in this case), then turn off commenting so it can’t be shouted down by other members of the group. It pretty much becomes up to the group admin to kill the post, but that might take a while.

The TinyURL link takes you to a link at where it appears to run Adobe Flash, however we are still looking at what exploit or payload it’s trying to push.

These same types of scams are often used to prompt people to install a “codec” (Software to view a type of video) in order to view the video, but it’s actually malware. Big surprise there, right? 

Just keep an eye open for these types of scams as they are getting more and more common.

Secure and Portable, is the SecureUSB KP the Ticket?

Have you ever found yourself in need of a way to keep some files or data secure while still needing them to be portable? In today’s modern world these two requirements seem to go hand-in-hand more often. Given the damage done to organizations and individuals through data breaches caused by misplaced or stolen data, it’s no wonder that an entire market of secure, easy to use and portable storage devices is developing and growing.

Perhaps, if these devices had been available at the time, my personal data would not have been lost by the Veterans Administration (VA), saving them $20 million, and even more importantly, the unfortunate incident regarding Santa and the “Naughty List” could have been avoided, along with countless similar incidents. 

The Product

I travel, I mean, I travel a LOT. Part of my job is doing talks at security and IT conferences all across the US. When I travel, I carry potentially sensitive information with me, (Scans of my drivers license, passport, some passwords and service recovery passcodes, etc.) just in case I lose a wallet, get locked out of accounts, etc. My paranoid nature keeps me from carrying any of this unencrypted, and my travel schedule keeps me wanting to carry the lightest, smallest devices possible. This is why I chose smaller USB keys over the larger portable drives (which also require another cable to haul along). Your mileage may vary.

Up until now, I’ve been using a USB 2.0 version of the 16GB Ironkey Basic S1000 (< link) USB drive but have found myself feeling tight on storage and a little limited by it’s implementation. While at the RSA conference this year, I ran across SECUREDATA, Inc., which had some devices that really sparked my interest. While they had a number of different products, I was immediatly drawn to the SecureUSB KP (< link), which I will refer to as “SecureUSB” from here on out. When they asked me if I would be willing to test it out for a month or so and give them my feedback, I accepted.

** For the record, while I received this as a evaluation drive, I am returning it to them when I’m done with it and they did not not pay me to do this review. They simply asked for my feedback, good or bad.**  

I have to say, there is something really sexy about about the smooth lines and brushed aluminum finish of the Ironkey (Yes, I just called a USB Key “sexy”), but the SecureUSB is no slouch either, it’s just different. Visually the SecureUSB looks larger than the IronKey, but when set side by side, it’s not. I’ve actually done this more than once just because my eyes do trick me. I think it’s the difference between the uninterrrupted case of the IronKey and the obvious PIN keys that are present on the SecureUSB, however even with the cover on the SecureUSB it just looks bigger to me. Maybe it’s black color as well. 

My Testing

Let’s be clear, this review is about the usability or “experience” using the drive and it’s value as compared to some other options, it is not an in-depth security or ruggedness review. For that reason I will not be security testing the FIPS 140-2 Compliant Design or IP 57 dust/water resistance claims. The focus of this review is how well the device works, especially when compared to some other options. The SecureUSB drives are available in several sizes including 8GB for about $79, 32GB for about $129 or 64GB versions for about $159

Build Quality

The first thing I noticed is the that build quality of the drive feels pretty good. The drive is almost all black with a blue o-ring at it’s base and a blue and white logo painted or silkscreened (not just a sticker) on the cover.

On the front of the drive itself are the buttons which are a matte black with white numbers and letters. They feel like they are made from a rubber-like material, but not cheap. On the back end, there is an area where you could attach this to a keychain, lanyard or something similar. I find this is a nice touch so I don’t lose the device. Nearest the USB-A connector is a small semi-transparent window that houses the status LEDs.

The back of the drive has a QR code, serial number and other information that is again, either painted or silk screened on. It doesn’t feel cheap like stickers do.

The USB-A connector us really unremarkable and has the telltale blue insert that tells you that this is a USB 3 device.

Unlocking the Drive

To unlock the drive, you simply press the key button, then enter the PIN number (default is 11223344) using the buttons and press the key button again within 10 seconds. Once unlocked you have 30 seconds to put in a computer or it locks itself again. This process is pretty simple, but I did have to refer to the quickstart guide once when I forgot the process.

The drive does support a “User” PIN and a separate “Admin” PIN. These PINs must be 7-15 digits long, cannot contain only consecutive numbers (e.g. 11111111) and cannot be just consecutive numbers (e.g. 2345678)

To avoid brute-force attacks, if you mess up and enter the wrong PIN ten times in a row, regardless of how much time has passed, the encryption keys are deleted and the data is gone. This is true even if you set an “Admin” PIN, the files are gone, so be careful here.

Admin Mode

Speaking of the “Admin” PIN, the drive has a bunch of features you can use in the “Admin” mode that are nice if you are deploying in an organization. I did not use these features myself, but they are documented in the manual.

The Admin can reset the user password and do some other neat things like adjust timeout to locking and other things as well. In addition, the drive can be opened in a read-only mode by either the user or the admin.

One thing that I find a bit odd is that according to the documentation whenever you unlock the drive with the “Admin” Pin, it resets the “User” PIN to default. NOTE – Secure Data reached out to me and mentioned that the documentation may not be clear here. This is what they said, I have no way to test this, but have no reason to doubt it either – “That sentence is trying to explain that when the Admin PIN is first set up, it will reset the User PIN”. So the key difference is, when the Admin PIN is first set up, the user PIN is reset, not any time the Admin PIN is used. Good to know.

Using the Drive

In my time using the drive, I found it to be pretty easy to use and downright convenient when I wanted to grab something off it quickly. As I mentioned, I have been using an IronKey, but that requires running a small program to connect to the drive, then mount another partition, using 2 drive letters and taking some extra time to get to the files.

IronKey Unlock Software

This can be a bit cumbersome if you just want to grab a file. Similarly, I have used simple USB-3 drives and VeraCrypt with the same issue. You have to run a program first, then unlock the drive. having a PIN on the device is much more convenient. This feature could also allow you create a bootable device that is encrypted when not in use. Unlock the drive, stick in the machine and tell the BIOS to use it as a boot device and you are in business. This simply can’t be done with the other options that require software to unlock them (although you could use them to run a VM).


Ultimately, as I said, this review is about usability, value and the overall experience.

After using the device for a little while, I have to say that I’m impressed. Of the features I used, the device did everything it said it would without complaint. Remembering the process for unlocking and making PIN changes, etc. may take some time to get used, but the basic functionality is great.

While the IronKey still wins the day from a sheer beauty aspect, the SecureUSB is far from ugly. Speed wise, I typically got around 100MBps during sustained file copies, which is something my current IronKey (remember it’s USB 2.0) can’t even come close to. 

SecureUSB Speed
Cheap Microcenter Drive on a Ryzen 7 2700 machine

While I really liked the drive, in the end I felt that at around $129.00 the cost was very reasonable for what you get, especially compared to the IronKey, however for someone that doesn’t use something like this often, or doesn’t need FIPS validation, using a cheap USB 3.1 thumb drive like this Microcenter 32GB version for under $4, encrypted with VeraCrypt might be a viable solution as well although it certainly lacks the “cool factor” that the SecureUSB does and is considerably slower. 

Several options, only two are cool

I’d say if you are in the market for a hardware encrypted USB thumb drive, it would benefit you to give the SecureUSB KP (< link) a serious look. I really enjoyed my time with it and will be sad to see it go.

Final Note, I linked to items on Amazon with an affiliate link. If you found value in this review and decide to get one I would appreciate you following the link. Any little bit helps. Thanks

Do you know what types of files your mail servers are blocking? Here’s a free tool to help

I’ll start by saying that I don’t think I have ever written a blog post about one of our free tools here at KnowBe4. It’s not that I don’t like the other tools or think that they lack usefulness (quite the opposite actually), it’s just that this new one really sticks out for me. I see this as a very handy tool for email admins or those security folks that want to close some doors in their email system (or even just figure out what’s really happening with the filters).

Having said that, I would like to introduce you to the newest free tool in the KnowBe4 lineup, the Mailserver Security Assessment, or MSA as it is affectionately known around here. This handy (and again, FREE) tool is designed to test your email filters and give you an idea what can pass and what is blocked at that level. This is not a tool designed to test your email servers configuration, other than the filtering parts, but given the proliferation of email attacks through phishing these days, it’s a pretty good idea to know what can get to your users and what can’t. From there you can make some changes, test, lather, rinse, repeat until you have things the way you would like.

The way it works is simple. You sign up for the free tool on the website which generates an email that will take you to the assessment page. This is actually performing one step on its own, confirming that you can indeed receive emails from the test servers in the first place. After all, if you can’t receive the basic email, all of the others are bound to fail.

Once at the assessment page, you can choose which emails you want to test by checking the box next to the email type. Once you have picked your email types, just click, “Start Assessment” and the magic happens. Now, within a few minutes the tool will send you an email from each of the categories you chose. If you receive the email, you know it’s not filtered, if you didn’t and it doesn’t show an error in the tool, you can be pretty confident that it was filtered. It’s really that simple.

Pick your emails or “select all”

Start the assessment

Check for failures in the console

Check your inbox for the messages that made it

In my case, it was interesting to see that although my main mail server did not filter these, when I used Gmail to pull it into my Inbox, Gmail did filter them. Something to keep in mind when you are testing, and if you are using various clients. Check it all the way through.

How handy is that compared to trying to configure your own emails to test this? I encourage you to check the tool and use it to make sure you are blocking the particularly nasty stuff, like the venerable, “Zipped Word Document w/ Macro”. That’s not something I would expect to see as a requirement in most situations. 🙂

Currently, the tool can perform 40 different tests by sending 40 different emails of the following types. Use it in good health!

Transport Encryption Test Excel File  Executable (EICAR Sample)
Email w/ Soft SPF Failure Excel File w/ Macro  Executable (EICAR Sample) (Zipped)
Email w/ Hard SPF Failure Excel File w/ Macro (Zipped)  Executable (EICAR Sample) (Zipped w/ Password)
Email w/ Punycode Domain (IDN Homograph) Excel File w/ Macro (Zipped w/ Password)  HTML (Link)
Spoofed Email (From address) PowerPoint  HTML (Auto-Redirect)
Transport Encryption Test PowerPoint w/ Macro  HTML (Auto-Redirect) (Zipped)
Spoofed Email (Altered domain) PowerPoint w/ Macro (Zipped)  HTML (Auto-Redirect) (Zipped w/ Password)
Spoofed Email (Reply address)  PowerPoint w/ Macro (Zipped w/ Password)  JavaScript
Word Document PDF File  JavaScript (Zipped)
Word Document w/ Macro PDF File w/ Script  JavaScript (Zipped w/ Password)
Word Document w/ Macro (Zipped) PDF File w/ Script (Zipped)  PowerShell Script
Word Document w/ Macro (Zipped w/ Password)  Executable (Dialog Box)  PowerShell Script
 Word Document w/ OLE inserted Executable  Executable (Dialog Box) (Zipped)  PowerShell Script (Zipped)
 Executable (Dialog Box) (Zipped w/ Password)  PowerShell Script (Zipped w/ Password)