20,000 Scottrade Bank Customers Data Inadvertently Exposed To The Public

Image Credit: Chris Vickery

Whoops. MacKeeper researcher Chris Vickery spotted the exposed data on March 31st while running searches against the s3.amazonaws.com domain. The publicly readable bucket held 59,000 rows of data, including sensitive customer fields such as SSNs and internal data such as plaintext credentials for credit-report sites. On the plus side, after being informed, the data was secured quickly, but it shouldn’t have happened in the first place.

Richmond Indiana Housing Agency Loses A Month Of Data In Ransomware Attack

Richmond’s housing agency was hit by ransomware demanding an $8,000 ransom. They are not paying, but have had to bite the bullet and accept that they have lost a month’s worth of data. It is noted that “some of the system’s parts were outdated and no longer as secure as they were when first installed”. That reads to me like a lot of words that essentially say the software was outdated and probably unpatched.

“Weapons-Grade” Backups? What does that mean exactly?

So, one of the things I preach in my talks about ransomware is the need for “Weapons-Grade” backups. I want to talk a bit about what that means, and why it’s so important. This is not meant to be a complete guide to backups, but it is meant to get you to think a bit about the risk you are at with respect to your data. Furthermore, I’ll tell you how many of these concepts can be applied at home as well.

Why all the worry?

We all have a lot of things in life that are competing for our limited amount of time. In order to understand why we should dedicate some of that time to making sure we are backed up, we need to understand the risks being faced today. The top 4 things that increase my grey hair count are:

  • Ransomware/malware that destroys or holds data hostage
  • Hardware failure that results in loss of data
  • Intentional or unintentional destruction or changes to data
  • Physical theft of the data

You might notice a pattern here. All of them result in losing data. Not a big surprise given the topic. This is not an exhaustive list of how data can be lost, but it covers enough for this article. You should also be familiar with the 3-2-1 Rule before we go on: keep at least three copies of your data, on two different types of media, with one copy offsite.

Common Backup Methods and Pros/Cons:

  • Copy to tape – Not usually used at home and often not in small businesses. This involves a tape backup drive and special magnetic data storage tapes to keep your data safe. In some cases you can use the software built in to the operating system to back up to tape, but often you will want some 3rd party software to help. Accessing individual files from tape is pretty slow compared to other modern storage devices, so typically it is used for long-term backups, or even backups of other backups (remember the 2 media rule) that have been made to a disk. An ejected tape is also offline by definition, which is exactly the property you want against network-aware ransomware. Backing up to tape is a method that has saved a lot of tears from falling. Like anything else though, restoring from tape can fail, so it is important to test these regularly. Finally, tape backups are pretty easy to move offsite compared to some other methods.
  • Copy files to another device – A lot of organizations have turned to backing up data to another computer or a Network Attached Storage (NAS) device across the company network. You can do this with individual files or in backup sets, like you usually do with tape. When accessing individual files, this is usually much faster than tape, but it is typically not as easy to store offsite. You can use external hard drives to do this as well, and they are easier to move and store offsite than a NAS. If you are doing this, it is very important that you keep these copies isolated from your regular network and test the ability to restore often. That isolation is what saves them from being encrypted by ransomware that is network aware. A lot of people have found themselves in a bad place when their backups turned out to be encrypted as well.
  • Synchronizing/Replicating files – There are a number of cloud solutions out there that allow you to synchronize files, including services such as Dropbox and OneDrive, and they have their place. You can also use tools such as Robocopy, SyncToy and rsync locally. The cloud solutions are a good way to get files offsite in case of physical theft or destruction, however they are not foolproof. For one thing, many newer types of ransomware look for these services and attack them as well as the local machine. More fundamentally, synchronization and replication between sites are not the same as backing up: a sync copies whatever the file looks like right now, so if a file is infected or encrypted by ransomware at “Site A” and is replicated to “Site B”, both copies of your file are infected or encrypted. (Some sync services keep a version history that can bail you out, but only if you notice within the retention window.) Take for example THIS STORY where the Police Chief says, “Our automatic backup started after the infection, so it just backed up infected files”. That is a sign of replication as opposed to actually running backups.

Pitfalls and Fails

  • Not checking the logs – I see a lot of admins that set up the backups, monitor them for a little while, and then stop watching the logs. This is a recipe for much wailing and gnashing of teeth. If something goes wrong with your backups, alarm bells should sound, lights should flash, and pagers/smartphones should be going nuts. It’s really that important. If you get a lot of false alerts, you need to tune your alerts, but don’t tune them out.
  • Not reviewing what is being backed up – I also see cases where backup jobs are set up, but when new folders are added or the architecture changes, the backup jobs aren’t updated to include the changes. The result is that a lot of files and folders never get backed up. You need to review your folders and compare them to what you expect is being backed up on a regular basis. The more critical the data, the more often this needs to happen.
  • Failing to test the ability to restore – More than one sysadmin, including myself, has felt the sinking feeling when backups fail to restore. If you haven’t experienced it, this is something you really don’t want to experience. Although it takes time, it is vitally important to test your ability to restore files. Sometimes you can pick critical folders to test on, but on occasion, maybe even monthly, I recommend that you restore the full backup set and ensure all of the files you expected are there.
  • Not having enough space to restore – Something folks often forget to check is whether they have enough space to restore their files without deleting the old ones. This can be important when it comes to retaining forensic evidence. If you follow the previous step and test your restores, you should already know whether you have the space for this. One option is to move the old files to inexpensive external drives or other non-enterprise storage, so this really doesn’t have to be a financial burden.
  • Backups are network accessible – I’ve heard of this happening several times: they have good backups, however the backups are accessible on the network. What happens is the ransomware encrypts the backups as well, leaving these folks in a pickle. Make sure that any backups you have are not accessible on the network. Isolate them however you need to, for example on a VLAN that only the backup server can reach, and prefer having the backup server pull from the systems it protects over letting those systems push to a share they can write to, since anything a workstation can write, ransomware running on it can encrypt. This can really save your day if you get a particularly nasty strain of ransomware.
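As an added illustration (my own example code, not tooling from this post or from any of the products named on this page), the script below plays out the two points from the lists above that bite people most often: replication is not a backup, and a backup you have never restored from is a hope, not a backup. It builds a small constructed file tree in a scratch directory, mirrors it the way a sync tool would, takes a versioned snapshot with a manifest of hashes, then stands in for ransomware by scrambling the live files. The mirror faithfully copies the damage; the snapshot restores clean, and the manifest comparison is the restore test. The include list and the coverage check stand in for the backup job that was never updated when a new folder appeared. The directory names, the include list, the sample files and the fake encryptor are all assumptions made for the demo.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Relative path -> sha256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def replicate(src, dst):
    """One-way sync, the way a cloud sync client or a plain rsync/Robocopy mirror behaves:
    dst ends up identical to src as it is right now. Encrypted files overwrite good ones."""
    if dst.exists():
        shutil.rmtree(dst)
    shutil.copytree(src, dst)


def snapshot(src, repo, label, include):
    """Versioned backup of the listed top-level entries only (this is the 'backup job').
    Each run gets its own directory plus a manifest recorded at backup time."""
    dest = repo / label
    dest.mkdir(parents=True)
    for name in include:
        item = src / name
        if item.is_dir():
            shutil.copytree(item, dest / name)
        else:
            shutil.copy2(item, dest / name)
    (repo / (label + ".manifest.json")).write_text(json.dumps(manifest(dest), indent=1))
    return dest


def coverage_gap(src, include):
    """Top-level entries in the live data the job does not cover: the 'new folder' check."""
    return sorted(p.name for p in src.iterdir() if p.name not in include)


def restore_and_verify(repo, label, target):
    """The restore test: restore into an empty target and diff it against the manifest."""
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(repo / label, target)
    expected = json.loads((repo / (label + ".manifest.json")).read_text())
    actual = manifest(target)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "corrupt": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "unexpected": sorted(set(actual) - set(expected)),
    }


def fake_ransomware(root):
    """Stand-in for an encryptor (constructed, not real malware): overwrite every file
    with random bytes and tack a '.locked' suffix on the name."""
    for p in list(root.rglob("*")):
        if p.is_file():
            p.write_bytes(os.urandom(p.stat().st_size + 16))
            p.rename(p.with_name(p.name + ".locked"))


def demo(work=None):
    """Run the whole scenario in a scratch directory and return the outcomes."""
    work = Path(work) if work else Path(tempfile.mkdtemp(prefix="backupdemo-"))
    src, mirror, repo, restored = (work / n for n in ("live", "mirror", "repo", "restored"))
    include = ("finance", "notes.txt")                 # what the backup job knows about

    (src / "finance").mkdir(parents=True)
    (src / "finance" / "ledger.csv").write_text("2017-04-01,rent,8000\n")  # constructed data
    (src / "notes.txt").write_text("call the auditor back\n")              # constructed data

    replicate(src, mirror)                              # the "sync" copy
    snapshot(src, repo, "2017-04-01", include)          # the real, versioned backup
    good = manifest(src)                                # what we want to get back

    (src / "hr").mkdir()                                # new folder appears later...
    (src / "hr" / "payroll.csv").write_text("alice,1\n")                   # constructed data
    gap = coverage_gap(src, include)                    # ...and nobody added it to the job

    fake_ransomware(src)                                # infection hits the live data
    replicate(src, mirror)                              # the scheduled sync copies the damage
    report = restore_and_verify(repo, "2017-04-01", restored)

    return {
        "mirror_has_clean_copy": manifest(mirror) == good,      # False: mirror got encrypted too
        "snapshot_restores_clean": manifest(restored) == good,  # True: older version survived
        "restore_report": report,                               # all three lists empty = pass
        "coverage_gap": gap,                                    # ['hr'] never made it into a backup
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running it prints the four results. The interesting ones are the first and the last: the mirror is exactly as useless as the Police Chief’s “backup” in the story above, and the coverage gap is the folder that would only be discovered missing on the day somebody needed it back. In a real setup the manifest would live with the snapshot on the isolated backup host, and the restore test would run on a schedule with its report going to the same alerting you use for failed jobs.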

Backup Software

Commercial backup software can get pretty expensive pretty quickly. While I can’t specifically recommend any single solution because your needs may vary, it doesn’t hurt to look at options such as Code 42’s Crashplan. I use the free version of Crashplan at home to keep all of my stuff backed up. I like the fact that I can back up to a friend’s or family member’s house and they can back up to me, and it’s all encrypted prior to transmission. In addition, it’s hard to beat free. Don’t discount the use of tools such as rsync, Robocopy, and SyncToy as well for replication of files or backups to other destinations.

If you follow these tips and tricks and you give your backups the attention they deserve, this can make your life a lot easier in the case of a ransomware infection.

Stay safe out there!

Android Ransomware Targets Russian Language Users

This new variant, discovered by Zscaler, appears to target Russian-speaking Android owners. It’s a cloned version of popular apps uploaded to 3rd-party app stores. It waits 4 hours before kicking off a bunch of popup screens and finally holding the phone for ransom. While the ransom demand is low at about $8-$10 (500 Russian rubles), it’s still a good lesson to only download apps from legit stores.

Skype Ads Are Spreading Ransomware

It looks like some malicious ads made their way onto Skype this week. These ads push a download made to look like a Flash update, but which instead reaches out and downloads malware, most likely ransomware. The domains used for Command and Control appear to be offline at the moment, which is a good thing.

Just remember that it’s better to go to the Adobe Flash website to download updates, or even to use the daily obnoxious update notifications in your taskbar, as opposed to clicking on something pushed to you through an ad or a browser pop-up.

CISO Exchange West Event – Sunday Was Speaking and Eating

Having survived the night and getting some good sleep, I was ready to tackle the day. Being that I did not actually speak until 3:30pm, I had plenty of time to prepare so I decided to take a walk around and grab some breakfast.

A typical view across the table for the road warrior

San Francisco is a very beautiful place. My hotel was right beside the Moscone Center and across from the YBCA (Yerba Buena Center for the Arts) which has a beautiful park setting and backs up to some shopping. I ended up eating breakfast at the iconic “Mel’s Drive-In” and continued to enjoy the area.

On my way back, I stopped by where the event was, checked in and made sure I knew how it was going to work. I like to make sure I am ready for issues, which proved to be a good idea later. I spent the next couple of hours in the hotel room checking and replying to emails while waiting.

At about 2:45 I suited up and headed down to the conference. When I got to my room, they had a laptop already set up, however the slides that were loaded were old; they were also in 4:3 format when I usually use 16:9. I’m really not sure where the deck came from (they looked like ones I used at another event for these folks a few months ago), but the race was on to correct the issue. When you do this sort of work, nothing is surprising, so you simply adapt and overcome. I had to do a high-speed rework of the slides I had into 16:9 format since the projector and screen were 4:3. I got it done, but barely. My mad skillz in PowerPoint bailed me out. 🙂

The session went well with a lot of interactive discussion. I didn’t make it through the whole deck, but I had expected that if we had good Q&A so it was fine. I even got to meet a gentleman I recently did a webinar with. It was very cool.

Even the garlic is cooked in garlic sauce

After the session, I hung out at our booth for a bit and learned some from the sales guys. From there, it was dinner time. I suggested that we go to “The Stinking Rose” for dinner. This is another iconic SF place to eat, and the general premise is to cook everything in garlic. Even the garlic is garlic roasted. Good times and good eats with my sales brethren. At dinner I was introduced to a drink called “Grappa” which is the grape waste products from making wine. Basically, they take the dead, crushed husks of the grapes after pressing for wine and let it rot (aka ferment) and squeeze the juice out of it. It tastes just as bad as you may imagine.

From there, it was walking back to the hotel to catch some sleep (in the warm pink glow of the Buddha of course) so I could get up and get to the airport for my 8am flight.

Tampa to San Fran for the CISO Exchange West event

Yesterday was one of the longer trips I’ve had in a while. This trip was from Tampa to DFW, then to San Francisco. It’s a pretty long day of travel when you’re going across the country like that, and that just means more opportunities for interesting things.

In this case, we started out in Tampa boarding a “Super 80” aircraft. Now let me tell you, there is nothing super about a “Super 80”. It’s about 116 years old and considered a narrow-body. That means two seats on one side of the aisle and three seats on the other. This is an updated version of the DC-9 and was launched back in 1979.  Let this be a reminder to me to double-check the aircraft when I book flights.

So I got on the plane, and got to my seat. For me this is the most important part. I just want to get in my seat, let everyone board and relax. As we were all loaded up and getting ready to head out, I started hearing some noises even through my Bose headphones. It was sobbing and hysterical crying from the gal two rows ahead of us. My first reaction was to be a little annoyed, thinking that this was just a case of someone afraid to fly. However, it became fairly clear that it was more than that. I was able to discern some phrases related to somebody passing away, so I felt a bit bad for her. I felt even worse for the people sitting next to her, who did not know her and were now quickly becoming a part of the drama. I personally was in flight heaven, because the middle seat in my row was empty. Once that was clear to me, I could deal with just about anything… so I thought.

Mah knees!

About an hour into the three-hour flight, the person in the seat in front of me decided to recline. This was not a gentle action; this was more the action of an angry Hun who’s decided to lay back. If I hadn’t had anything on my tray table, it would’ve been game over. Another side effect of the “Super 80” is that the seats were apparently designed to recline completely into somebody’s lap. Maybe things were more friendly back in the 1930s when these planes first took to the sky, but I was practically gaining a family member here. This did not deter her however, and we spent the rest of the flight like this. I have to admit, I was a bit annoyed around landing time, as the attendants did not have her put her seat up for landing. Now for me, it seems like if the seat is even slightly reclined they’re all over me like a pack of wild hyenas when it comes time to land.
So we made it on the ground safely, and as we were getting ready to deplane, any sympathy I had for the lady that had been crying was lost. Now I was a sailor and supported the Army for a long time, but the string of obscenities coming from her mouth, very loudly, would’ve made a 1st Sergeant blush. There was a lady about two rows ahead of her who I’m pretty sure was filing her toothbrush down to a shiv so she could shank the lady as she walked by.  If looks could’ve killed, this lady would’ve been vaporized where she stood.

Not a bad view at all

Having survived this flight, I was able to move on to my next connection to San Francisco. This was mostly uneventful, with the exception of the boarding. What was unusual was that the TSA was at the gate in force. They did an identification recheck on everyone boarding, then as we went down the hall toward the plane, they had a dog sniffing every person, and Johnny McBigKnuckles standing at the end of the walkway. I’ve never been so intimidated by rubber gloves. This flight was on an Airbus 321, which was a world of difference. Everything is better on those planes, including the in-flight entertainment. Over the next four hours or so of flying, I watched the Deepwater Horizon movie and thought it was pretty good. We landed without incident, and I was able to find an Uber pretty quickly. The ride into town was mostly uneventful, with the exception of the driver, who thought he was in some sort of race. Let me tell you, in the hills of San Francisco, a fast driver can give you all the butterflies in your belly you ever need.

First hotel I’ve been to with a glowing statue in my room

I’m staying in a very nice hotel called “The W” in downtown San Francisco. It’s a very nice hotel, but a little more upscale than I’m comfortable with. I’m a blue-collar, meat-and-potatoes sort of guy, and these folks are all refined and whatnot. On a plus note, my hotel room is full of booze, and a very interesting glowing Buddha.  At five bucks for a bottle of water, I can’t imagine how much they get for the Patron.

This bed was one of the more comfortable ones I’ve been in at hotels. My sleep was therefore fantastic and my dreams were filled with happy visions filled with the soft pink light of the glowing Buddha. I was up a bit early as expected due to the time change. I’m trying not to adjust since I’m only going to be here through tomorrow.

Today should be a lot of fun as I’m doing a very interactive talk. I really like these sorts of events. I look forward to sharing with you how my day goes tonight or tomorrow morning. Thanks for reading.

Welcome to “Stories From The Road”

Yea though I walk through the valley of flights, I fear no evil…

Well, that’s not exactly true. You see, I do a lot public speaking and therefore travel a lot. Some things do cause me some stress, maybe not exactly fear, but definitely stress.

Mostly this revolves around the fact that I am an airline snob. Yep, I will freely admit that when I fly, I place a high value on the experience. You see, I really hate the traveling part of travel. More specifically, I hate the flying. I’m not afraid to fly, but the experience is not pleasant or exciting for me. I love interacting with the people once I reach my destination, but until that point, I could do without the travel part.

I have decided to document my travels a bit because they can be pretty entertaining. Who knows, maybe we can even learn a thing or two. Either way, I hope we can have some fun with this. These will be documented under the “Stories from the road” category.

If you want to make sure you don’t miss any of these future episodes, subscribe to this blog up on the top right and you can get notified of my updates via email.

Select Restaurants Inc. Victim Of A Large Credit Card Breach Through POS Vendor

Select Restaurants Inc., which owns a number of other brands, appears to have suffered a POS malware-related breach. POS vendor 24×7 Hospitality Technology notified customers that its system was compromised after being hit with PoSeidon malware, which grabs the data from swiped cards.

It will be interesting to see where the liability comes to rest here. Select Restaurants obviously outsources card processing to the vendor, and the banks may well go after the vendor for the cost of card reissuance if EMV (chip) processing was not enforced or even available from it. One caveat worth keeping in mind: EMV limits the damage from a memory scraper rather than eliminating it. PoSeidon harvests track data from swiped magstripe cards, which is exactly what is needed to clone a card; a chip transaction produces a one-time cryptogram that can’t be replayed, so scraped chip data is far less useful to the thieves, but the card number itself still passes through the POS in the clear unless point-to-point encryption is in place.

Could be interesting to watch

Brands under Select