Erich’s “What in the (cyber security) world is going on?” 01-12-17 edition

I am running for a spot on the (ISC)2 Board of Directors. Please check out this post and sign my petition if you are a member.  Thanks!

 

Spora ransomware offers future immunity (for a price of course)

This is an interesting strain of ransomware. It offers an option of future “immunity” for a fee. The ransom is calculated per victim and can vary as well. Finally, it uses the Windows CryptoAPI for encryption and doesn’t require an outside C&C server infrastructure. All of this makes Spora a unique strain. They even have a really nice victim landing page and offer tech support via chat.

 

Why you shouldn’t trust Geek Squad ever again

There has been quite a stir about this issue and I can see why. These techs are being incentivized to search the computers without a warrant. While I support reporting things if they stumble across something, the way Best Buy is doing this is ripe for abuse, and if the techs are actively seeking out things like this, it bypasses the rights of the individual with respect to search and seizure. Also, how can you feel confident that the tech wouldn’t plant things to make an extra few bucks for themselves? It’s all a bit too slimy for me.

Heads-Up! Massive New Locky Ransomware Attack Is Coming

If you have felt like there has been a short break in some ransomware attacks, you aren’t alone. Locky has been pretty quiet for the last few weeks, but it’s not expected to stay that way. Take this slack time to check your backups and get yourself prepared. It’s not going away in 2017, we know that.

Email Slip-Up Exposes 60,000 Bank Customers’ Account Details

In a monumental “Oh crap” moment, an Australian bank let loose 60,000 of its customers’ account details. The National Australia Bank (NAB) sent confirmation emails to 60k of its customers. They cc:ed themselves on these for the record, but sort of messed up their domain name. You see, they cc:ed nab.com instead of nab.com.au. nab.com appears to be a… well… sort of… “dating” site? Whoops. They aren’t really sure if the emails were bounced or what happened to them at this point.

Ransomware extorts Los Angeles school to the tune of $28,000

Los Angeles Community College District (LACCD) ended up paying a ransom of $28k, a choice indicative of not having good backups in place. Weapons-grade backups, folks! Test them and monitor them.

ESEA hacked, 1.5 million records leaked after alleged failed extortion attempt

The E-Sports Entertainment Association (ESEA) did not fold to an extortion attempt and the bad guys released about 1.5 million player profiles. There were over 90 fields in each record including registration date, city, state (or province), last login, username, first and last name, bcrypt hash, email address, date of birth, zip code, phone number, website URL, Steam ID, Xbox ID, and PSN ID.

DeriaLock ransomware decryptors available

If you were hit with this, there are a couple of decryptors available right now. Check it out if you have been impacted.

Erich’s “What in the (cyber security) world is going on?” 01-06-17 edition

Welcome to 2017! 

Here is to hoping this year will be a fun and prosperous one. I for one am going in to this year with a positive attitude and a smile!

I’ll be doing some speaking this month

I have a webinar on Thursday the 12th at 2pm Eastern, and will be speaking at BSides San Diego on both the 13th and 14th. If you want to hear my melodious voice or meet me in person, I cordially invite you to join me.

Ransomware is targeting HR departments

So, fake job applications are being sent to HR departments in an effort to infect them with ransomware. This is the GoldenEye strain (a Petya variant), which is asking for 1.3 Bitcoins. It appears to come with 2 attachments, a clean .PDF and an Excel file with the payload. If you have trouble, this variant is offering tech support. Isn’t that nice?

Adobe is releasing a vishing scammer’s best friend

This is basically being called Photoshop for audio. If you can provide it with about 20 minutes of that person’s voice, it can recreate it exactly. That’s bad news for vishing schemes and anything that uses voice recognition for authentication.

Ransomware for good, not evil?

Not sure what to think about this deal. The ransomware unlocks your files for free if you learn a bit about avoiding ransomware in the future. I guess they are thinking they are doing the world a favor, but keep in mind, if you fall under HIPAA, according to the HHS, any infection by ransomware (or any malware) is an incident, and if it affects >500 records, it’s also a breach by default. You can argue your way out of it, by proving the files were already encrypted for example, but nobody needs that kind of trouble.

DFS updated the New York Cyber regulation

Among other things, DFS changed the wording so that they have 72 hours after DETERMINING a breach to notify DFS, as opposed to 72 hours after the incident happened. Given that we usually don’t know that quickly, it was an impossible rule. There are other changes as well, so check it out.

LG helped unbrick the TV

Really, it was pretty simple, but hey, it was nice of them to do it. Maybe the family will be a little more careful about what they download in the future.

Watch Facebook for a lot of fake death stories

I’ve seen a metric ton of them flying around. Norman Schwarzkopf and Bob Denver were at least two of them, and they have been dead for years. Check sources before sharing, folks, please?

Microsoft reports that Cerber has been busy

It seems that Cerber attacks have been on the rise over the holidays. Remember to check links before you click on them. Security Awareness Training is still the best defense against this sort of attack, and it’s not expensive. Train your users, PLEASE!

Topps, makers of trading cards, lost a bunch of CC info

Lost data includes names, addresses, email addresses, phone numbers, credit or debit card numbers, card expiration dates and card verification numbers. There is no reason they should be storing CVVs. I’m hoping there is a fine in order for this.

So, I have this email with a Short URL link. What now?

These days, you are liable to see links that are known as “Short URLs” without even realizing it. These are very helpful in situations where you are limited to a certain number of characters or a long URL does not look good, and are now often done by software and social channels automatically. This is wonderful, except that they hide where the link will take you. The bad guys know this, and use it against you in phishing attacks and other Social Engineering ploys. So how do you identify a short URL, and what can you do about it?

Hover here and look at the bottom of your browser. You should see http://bit.ly/2crJXI3

 

Identification:

Short URLs are generally easy to identify as they typically point to domains such as “Bitly.com”, “goo.gl”, “ow.ly”, “tinyurl.com”, “t.co” or something similar. For example, here are links to www.madsqu1rrel.com from each of these:

Now this may not seem like it’s doing much, if anything, but the real power comes when you have a long URL and need it to be more manageable. Take for example the URL https://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/. This links to a webpage at my employer, KnowBe4, but at 75 characters, that’s starting to get pretty long. If I use a URL shortener, this is what it would look like:

 

The Problem and Solution

As you can see, that is quite a difference. A side effect of this is that you can’t see where the link takes you. Make a button link a Short URL, and it is very easy to hide a malicious URL. For example, this button links to the KnowBe4 page, but how can you tell? Hovering over it just gives you the Short URL.

So what do you do? In most cases, adding a “+” sign to the end of the Short URL will take you to a preview page where you can see the full URL. There are exceptions, like TinyURL, that require you to do something different, such as add “preview.” to the beginning of the shortened URL. To get the URL to use, simply hover over the link with your mouse, right-click and choose “Copy Link Address” or a similar choice.

 

Data from https://goo.gl/2OA1y+

Here are some examples of preview links:

On a side note, goo.gl links give an entire analytics view of that Short URL. For example, check out https://goo.gl/2OA1y+ and you can see the data.

Ow.ly and t.co have proven to be a bit more difficult. In this case, using a service such as Unshorten URL or getlinkinfo.com to preview the link may be your best bet. This will also work with the other short URLs. Once you have pasted the link into the site, you should be able to see the real website the link is taking you to. If it’s not what you expect, don’t click it!

This may seem difficult at first, but once you have done it once or twice, it’s very easy to make sure you are staying safe from hidden malicious URLs.
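The preview rules above (a trailing “+” for bit.ly and goo.gl links, a “preview.” prefix for TinyURL, and an unshortening service for ow.ly and t.co), as an added Python example that is not part of the original post; the host lists and the function names are my own assumptions.

```python
"""Turn a shortened URL into the address of its preview page, following the
rules from the post: append "+" for bit.ly / goo.gl, prefix "preview." for
TinyURL, and report that ow.ly / t.co need an external unshortening service.
Host lists and function names are assumptions made for this example."""
from urllib.parse import urlsplit, urlunsplit

# Shorteners that show a preview page when "+" is appended to the short link.
PLUS_HOSTS = {"bit.ly", "bitly.com", "goo.gl"}
# Shorteners whose preview page lives on a "preview." subdomain.
PREVIEW_SUBDOMAIN_HOSTS = {"tinyurl.com"}
# Shorteners with no built-in preview page; check these with a service
# such as the ones named in the post instead.
NO_PREVIEW_HOSTS = {"ow.ly", "t.co"}


def _split(url):
    """Parse a URL that may have been pasted without a scheme ("bit.ly/abc")."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return parts, host


def is_short_url(url):
    """True if the link points at one of the known shortener domains."""
    _, host = _split(url)
    return host in (PLUS_HOSTS | PREVIEW_SUBDOMAIN_HOSTS | NO_PREVIEW_HOSTS)


def preview_url(url):
    """Return the preview-page URL for a short link.

    Returns None for shorteners that have no preview page (use an
    unshortening service for those) and raises ValueError for a link that
    is not a known shortener at all.  The query string is dropped on purpose:
    the preview page is keyed on the path only.
    """
    parts, host = _split(url)
    if host in PLUS_HOSTS:
        # Don't double up a "+" if the caller already added one.
        path = parts.path.rstrip("+") + "+"
        return urlunsplit((parts.scheme, host, path, "", ""))
    if host in PREVIEW_SUBDOMAIN_HOSTS:
        return urlunsplit((parts.scheme, "preview." + host, parts.path, "", ""))
    if host in NO_PREVIEW_HOSTS:
        return None
    raise ValueError("not a known URL shortener: " + host)


if __name__ == "__main__":
    # Constructed sample links, including the bit.ly and goo.gl ones from the post.
    for link in ("http://bit.ly/2crJXI3", "https://goo.gl/2OA1y",
                 "tinyurl.com/abc123", "https://t.co/xyz"):
        print(link, "->", preview_url(link))
```

Paste the short link in, open the returned preview page, and only follow the real destination if it is the site you expected.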

Erich’s “What in the (cyber security) world is going on?” 12-22-16 edition

Posting a little early this week due to the holiday. Merry Christmas, and may you have a great Whatever Holiday You Celebrate!

I released my 2017 predictions. 

Don’t tell anyone, but I really just pulled some stuff out of my backside, but figured I was on the hook to do something. I think they are pretty accurate if you take the categories into account. Your help in not holding me accountable for any of these predictions is appreciated. At least it’s entertaining. Javvad Malik’s are much more relevant.

 

Free CryptXXX decrypter was released. 

Thanks to the folks at Kaspersky Lab, a free tool to decrypt files hit with CryptXXX has been released. This may or may not be the reason for the “1/2 price for the holidays” offer from the bad guys. I’m thinking it is, and I’m thrilled about it. Hopefully they will get coal, or reindeer poop, in their stockings this year. They deserve it.

 

Free unlock code for Padlock Screenlocker

BleepingComputer reported the unlock code for Padlock Screenlocker is ajVr/G\RJz0R and that the files are not actually deleted. Let’s keep this sort of thing coming!

 

Community Health Plan of Washington exposed 380,000 PHI records

The bad guys were there almost a year and got about 380k PHI records. That’s just sad. “It appears that names, addresses, dates of birth, Social Security numbers and certain coding information related to health care claims may have been accessed” but “Banking and credit information was not contained in the data”. Well, isn’t that just lovely. Personally, I’d rather lose a CC# than my SSN.

 

Columbia County schools victim of data breach

The affected server did not contain student data, but did have “confidential employee information, including names, Social Security numbers, birthdates and more”. In the several weeks since discovery, “Investigators could not confirm if any of that information was copied or compromised”. In other words, they can’t figure out if you are compromised or not. Good luck with that.

There is a patch for the Netgear routers vuln

Go get it if you are affected. That is all!

 

Social engineering is easy

Not a newsflash, but this video and this video show just how easy it is. This is why you need Security Awareness Training. Teach people that they are targets. It’s important.

L.A. County hit with a phishing attack – 750k records

Confidential health data or personal information of more than 750,000 people may have been accessed in a cyberattack on Los Angeles County employees back in May. “Among the data potentially accessed were names, addresses, dates of birth, Social Security numbers, financial information and medical records — including diagnoses and treatment history — of clients, patients or others who received services from county departments.” But look at the bright side, it was WAY back in May and now you get a year of free credit monitoring. Sadly, your SSN is valid for more than a year and once it’s out there…

 

Just in time for Christmas, a Galaxy Note 7 fireplace.

I love this. Words fail me with how much I love this. The ringtone music is a wonderful touch. Have I mentioned that I love this?

Erich’s Cyber Security (and other) Predictions for 2017

Well, this seems to be the time for predictions, so who am I to break tradition? I’m not going to waste valuable time telling you how qualified I am to make these predictions because it really doesn’t matter. I have given very little thought to these and have researched almost nothing. Only the first group is liable to be true (almost guaranteed, as a matter of fact). So, here we go…

Disclaimer: These predictions and opinions are mine and mine alone, not those of my employer.

Group 1 – Pretty Much a Sure Thing

  • Social Engineering Will Continue to Be a Dominant Force in Breaches – Let’s face it, people are going to continue to get phished. Phishing will continue to result in more breaches, lost money, lost W-2s and ransomware infections. Expect W-2 scams to start in January and continue until mid-year. The others will happen constantly.

 

  • The Gunslinger Movie Will Finally Be Released – And even if it sucks, I will like it. I don’t have a choice. It is not likely to ever be redone in my lifetime, and I have waited for so long, it simply can’t suck. This has nothing to do with cyber security, but I don’t really care. It’s on the list.

 

  • Security Awareness Training Will Continue to Be The Best Defense Against Phishing Attacks – Seriously though, the industry will really step up the game this year to combat phishing. As platforms mature, new features designed to get ahead of the bad guys will be released and will significantly reduce click rates. Organizations that did not believe in the value of SAT will have their eyes opened to how effective it can be. Any of you that know me, know that I won’t promote anything I really don’t honestly believe in. It’s why I work for KnowBe4. It works and helps admins in all company sizes.

 

  • Someone You Like Will Die a Horrible Death on Game of Thrones – Like someone in the series? They will die. Prepare for it.

  • Someone You Like Will Die a Horrible Death on Walking Dead – See above.

Group 2 – Likely

  • I Will End Up With Another Year of Free Credit Monitoring – The only real question is related to what PII they will lose. My medical records, credit card info or something else entirely? It’s almost exciting to ponder the possibilities. After being impacted by the VA, Target, Home Depot and OPM breaches, I’ve had some sort of free credit monitoring in place for years!

 

  • All Retail Stores Will Be Called Amazon – Much like the story line in the movie Demolition Man predicted with Taco Bell, all retail stores will become Amazon. This will be great when it comes to remembering domain names, as all stores will be Amazon.com, but it’s going to wreak havoc on GPS directions when you want to shop IRL.

 

  • No Less Than 10 Security Vendors Will Try To Convince You That Their Product is All You Need – Marketing departments will be working overtime to convince you that their widget can replace your security staff and let you sleep well at night. Don’t believe the hype. There is no silver bullet. Give the ones that are honest about the issue your time, ignore the rest.

 

  • You Will Try To Restore From Backup, And It Will Fail – Yeah, odds are, if you need your data back, it won’t be there. Remember the 3-2-1 Rule and you can move the odds in your favor.

 

Group 3 – Not Very Likely (a.k.a. Not a chance in the world)

  • The Tampa Bay Buccaneers Will Not Be An Embarrassment – The Bucs will leverage Winston to win the division. Fans will be proud of their team and will not have to whisper “the Bucs” while averting their eyes, when asked what team they support.

 

  • No Major Breaches Will Occur in 2017 – Yes, there will be minor ones, but the big ones are over. Organizations will finally take security seriously after 2016. This will allow overworked Infosec pros a chance to get the right tools and staffing to prevent major breaches.

 

  • Celebrities Will Stop Being Involved In Politics – Celebs will finally realize that they are talented in singing/dancing/acting/cooking/being a hopeless case in a reality show, but really don’t understand global politics as much as they think they do. It will occur to them that some people spend a lifetime studying politics and economics to get in the position to have their opinions respected. This is not the same as playing the President on a made-for-TV movie.

OK, So that’s about all I’m going to try to predict for 2017. Let me know in the comments if you have any predictions of your own.

 

Erich’s “What in the (cyber security) world is going on?” 12-16-16 edition

Holy Crap! Lots of stuff going on in this week’s post. Stay safe out there and please use the buttons on the bottom to share with folks you think can use the info. I’m always up for comments and feedback as well.

If! You! Use! Yahoo! Just! Stop!

Nothing more to say about that. 1 Billion accounts exposed. This is just dumb. Get a Gmail account and move on.

Sneaky little hobbitses. Wicked, tricksy, false!  –  Nymaim using MAC addys to uncover virtual environments & bypass AV

So, the lovely trojan dropper known as Nymaim got smart and is looking at MAC addresses to see if the machine is a Virtual Machine (VM). Since VMs are used a lot as sandbox environments for malware research, it won’t launch if it detects a network card with an OUI associated with a VM vendor. Keep this in mind when testing to see if a file is malicious or uploading to a sandbox for detonation: a clean result may be misleading. On a plus note, if you run thin clients, you might be better off.

 

Watch for Uber Vomit Scams

This is a general PSA, but I am hearing about this more often. The way it works is, you get back from a trip somewhere and your card is charged an extra $150 by Uber for a “Clean up fee”. The drivers will sometimes upload pictures of a mess in the back seat as “proof”. This is usually fake, or a reused photo. The scam seems to be gaining steam, as folks spend a lot more time out of town, often using an Uber to get to/from the airport. Moving forward, I might start taking cell phone pictures of the car when I get in and out, just for CYA. It’s tough to fight when it’s done and gone, and you have been home for a week. I still love Uber, but drivers are people too, and some are going to be looking to make a fast buck.

 

Security Sessions: Ransomware as a service on the rise

My CEO, Stu Sjouwerman, did an interview with CSO Online regarding the RaaS (Ransomware as a Service) issue. It’s a quick video, but he talks about some of the trends and how to defend against them. You might already know that I’m a huge KnowBe4 fanboy, and not just because I work for them. It’s all about helping educate people so they can make better decisions. It’s why I can get behind the company so much.

 

NY AG warns lawyers of phishing campaign

There are some phishing emails going around targeted at lawyers in New York. It looks like it’s coming from the NY State Attorney General and is designed to get users to open a PDF attachment. An example of the email is here. This is an example of a very targeted spear phishing attack that is not likely to get flagged by spam filters.

 

A New And Scary Double-Ransomware Whammy

Here is a pretty interesting (and crappy) new strain of ransomware. It encrypts the files, then reboots and encrypts the MFT, so it ends up hitting you for a ransom twice. Kinda rotten. Be aware of any PDF saying it’s a job application, especially if it has a link to an Excel file.

 

Amazon shoppers targeted in ‘order cannot be shipped’ scam

’Tis the season, as I have said before. Packages are flying all over the place, and who doesn’t use Amazon? Scammers are sending emails saying that packages can’t be shipped. The idea is to get you to open an attachment or click a link (as is reported in this story) that leads to a person entering credentials or a credit card for “confirmation”. I guess that scammers need to buy presents too, right? This is not new, but given the time of year, it’s very effective.

 

Samsung will be bricking the exploding Note 7 phones on December 19th

Yes, Samsung has decided that while you can own the hardware (as blow-uppy as it may be), they own the software, so they can go ahead and virtually blow up the phones before they physically blow up. An interesting angle on a “voluntary recall”. If you still have a Note 7, <AustinPowersVoice>I too like to live dangerously</AustinPowersVoice>, you have until December 19th to return it, lest it become a potentially randomly exploding doorstop. Please “Note” that Verizon is not taking part in the OTA update that will brick these devices, as they figure folks may not have a device to switch to, and (the lawyers, I’m sure) have an issue with leaving someone without a device that can call 911 in an emergency.

 

Netgear Nighthawk Routers vulnerable to badness.

Netgear Nighthawk R7000, R6400, R8000 and R8500 models “might” be vulnerable to a bug reported to them by researcher Andrew Rollins (a.k.a. Acew0rm) on August 25, but only acknowledged after he posted it on December 6th. So much for Netgear supporting responsible disclosure. Basically, bad guys can get root through the device’s web server. There is a temporary workaround that kills the vulnerable web server process, but it only works until the device is rebooted.

And Finally… A little much needed humor

Santa Gets Hacked!