Let’s stop phishing and go fishing!

Phishing fishing

Summer is a time for having fun. I happen to love fishing. However, in the world we live in today, fishing gets no news – and phishing gets all the news. In order to provide some useful information of the various types of phishing attacks, I want to share an excellent posting from the Malwarebytes Blog here. Wendy Zamora did an excellent job of going through the various types of phishing attacks that you must learn to recognize. The recent events nationally and internationally show the importance of being able to recognize a phishing email. Events with the DNC, corporate data breaches and the like are gaining widespread notoriety on a daily basis – news stories are abundant. This post is required reading – so please share it with your employees, coworkers and family members. Another targeted group is senior citizens using computers- so please make sure that you share this with older family members and friends. All of our clients who are on our managed services plan for remote monitoring and maintenance, get the premium version of Malwarebytes  included with their monthly remote monitoring package. If you are interested in learning more about how we help with PCs and networks for your business- either click here or give us a call at 847 329 8600.

Posted: June 26, 2017 by 
Last updated: June 23, 2017

Dear you,

 It appears you need to update your information. Click here to tell us all your secrets.

 No really, it’s totally safe. We’re not going to steal your identity, we swear.

If only phishing attempts were that obvious.

Instead, these days it’s hard to tell a phish apart from a foul, if you catch my drift. Modern-day phishing campaigns use stealthy techniques to target folks online and trick them into believing their messages are legit. Yet for all its sophistication, phishing relies on one of the basest of human foibles: trust. Detecting a phish, in its various forms, then requires you to hone a healthy level of skepticism when receiving any kind of digital communication, be it email, text, or even social media message. In order to understand how we got here, let’s go back to the first instance of phishing.

The Nigerian prince and early phishing

Back in the early days of the Internet, you could marvel at your “You’ve Got Mail” message and freely open any email that came your way. You’d get one email a day, tops, from your new best friend you met in the “grunge 4EVA” chat room. There was no such thing as junk email. The only promotions you received were CD copies of AOL in the snail mail. It didn’t cross your mind that going online could bring about danger.

Then came the Nigerian prince.

Unfortunately, where innovation and progress lead, corruption and crime will inevitably follow. One of the nation’s longest-running scams, the Nigerian prince phish came from a person claiming to be a government official or member of a royal family who needed help transferring millions of dollars out of Nigeria. The email was marked as “urgent” or “private,” and its sender asked the recipient to provide a bank account number for safekeeping the funds. Gone were the innocent days of trusting your inbox.

Over the years, the Nigerian prince scam has fooled millions, raking in hundreds of billions of dollars. Why has this scam been so successful? Simple. It uses a time-honored criminal technique—the ole bait and switch—to fool folks into believing that they are being contacted by a legitimate organization with a legitimate concern. Threat actors use this social engineering method to trick unwilling participants into clicking on malicious links and handing over personal information. The end goal, as with most cybercrime, is financial gain.

Phishing attacks aim to collect personal data—including login credentials, credit card numbers, social security numbers, and bank account numbers—for fraudulent purposes. The attack is most commonly delivered as an email communication that spoofs a known enterprise, such as a bank or online shopping site, but it can also appear to come from an individual of authority or of personal acquaintance. These emails always contain a link that sends users to a decent facsimile of a valid website where credentials will be collected and sent to the attacker, instead of the supposedly trusted source. From there, the attacker can exploit credentials to commit crimes such as identity theft, draining bank accounts, or selling personal information on the black market.

“Truth be told, phishing is the simplest kind of cyberattack and, at the same time, the most dangerous and effective,” says Adam Kujawa, Director of Malware Intelligence. “That is because it attacks the most vulnerable and powerful computer on the planet: the human mind.”

The evolution of phishing

While the Nigerian prince attack vector remains in use today, most savvy Internet users can now spot this scam a mile away (hence the multitude of memes that have popped up over the years). The campaign has lost its edge and fooled way fewer users. Plus, email technology has progressed so that spam filters readily pick up on this phish and block it. And this is why cybercriminals have had to advance their tactics.

fry phishing

“Phishers had no other choice but to evolve and improve on where they fell short,” says Jovi Umawing, Malware Intelligence Analyst at Malwarebytes. “Nowadays, most sophisticated modern-day phishing emails are so polished and well-designed that one cannot easily differentiate them from legitimate ones.”

Case in point: Recent phishing campaigns have had great success impersonating big-name companies and fooling big-name recipients. In May 2017, a phishing email targeted one million Gmail users by purporting to be from a contact sharing Google Docs. In Minnesota alone, state employees were scammed out of $90,000 due to the Google Docs fiasco. Hillary Clinton’s campaign manager for the 2016 presidential election, John Podesta, famously had his Gmail hacked and subsequently leaked after falling for the oldest trick in the book—a phishing attack claiming that his email password had been compromised (so click here to change it).

So how can we learn from these lessons? Let’s start by identifying the different types of phishing in use today.

Types of phishing

The most basic and commonly seen type of attack, of course, is the phishing email. Phishing emails are sent to a group of users who are unique enough to be used as bait but broad enough to ensnare a large number of people. The point is to cast as large a net as possible. In contrast, other forms of attack are much more targeted.

Spear phishing, as might be gathered from its title, usually targets a specific person or organization. Since these types of attacks are so pointed, phishers scour the Internet for available information about their target in order to craft a believable email to extort information (if not money) from victims.

Whaling is a form of spear phishing directed at executives or other high-profile targets within a business, government, or other organization, such as a CEO, senator, or someone who has access to financial assets. CFO fraud is an example of whaling.

Smishing, short for SMS phishing, is carried out via SMS text messaging on mobile devices. A similar technique, vishing, is voice phishing conducted over the phone.

Pharming, also known as DNS-based phishing, is a type of phishing that involves the modification or tampering of a system’s host files or domain name system to redirect requests for URLs to a fake site. As a result, users have no idea that the website they are entering their personal details into is fake.

Content-injection phishing is when phishers insert malicious code or misleading content into legitimate websites that instructs users to enter their credentials or personal information. This type of phishing is a form of content spoofing.

Man-in-the-middle phishing happens when phishers position themselves between people and the websites they use, such as a social networking sites or online banks, to extract information as it’s being entered. This type of phishing is more difficult to detect because attackers continue to pass on users’ information (after collecting it) so as not to disrupt any transactions.

And finally, search engine phishing starts off when phishers create malicious websites with attractive offers, and search engines index them. People then stumble upon such sites doing their own online searches and, thinking the sites are legit, unknowingly give up their personal information.

There truly are a lot of phish in the sea.

So, if your head isn’t completely swimming in fish puns, it’s time to talk about how to train your eye and your gut to sniff out the various forms of phishing attacks. I asked Labs researchers to tell me their top indications that an email, text, or other form of communication is a phish and compiled a list of their, and my, recommendations.

Something’s phishy if:

  • The email, text, or voicemail is requesting that you update/fill in personal information. This is especially dubious if it’s coming from a bank or the IRS. Treat any communication asking for your credentials with extra caution.
  • The URL shown on the email and the URL that displays when you hover over the link are different from one another.
  • The “From” address is an imitation of a legitimate address, especially from a business.
  • The formatting and design are different from what you usually receive from an organization. Maybe the logo looks pixelated or the buttons are different colors. Or possibly there are weird paragraph breaks or extra spaces between words. If the email appears sloppy, start making the squinty “this looks suspect” face.
  • The content is badly written. Sure, there are plenty of wannabe writers working for legitimate organizations, but this email might seem particularly amateur. Are there obvious grammar errors? Is there awkward sentence structure, like perhaps it was written by a computer program or someone whose second language is English? Take a closer look.
  • Speaking of content, a phishing email almost always sounds desperate. “Whether they’re claiming that your account with be closed, an urgent request is needed, or your account has been compromised, think twice before double-clicking that link or downloading that attachment,” says Umawing.
  • The email contains attachments from unknown sources that you were not expecting. Don’t open them, plain and simple. They might contain malware that could infect your system.
  • The website is not secure. If you do go ahead and click on the link of an email to fill out personal information, be sure you see the “https” abbreviation as well as the lock symbol at the beginning of the URL. If not, that means any data you submit is vulnerable to cybercriminals. (If the link is malicious, Malwarebytes will block the site.)

If you suspect or can verify that you’ve been phished, it’s best to report the attempt directly to the person or organization being spoofed. You can also contact the Federal Trade Commission (FTC) to lodge a complaint. Once completed, delete the email, then empty your trash. (Same goes for texts.)

Now the next time someone attempts to scam you with fraudulent emails, you won’t have to wonder if the message is for real. You’ll scope out a phish hook, line, and sinker.

Your Step by Step Guide to Mitigating and Preventing a Ransomware Virus in your Small/Medium Business

With the recent epidemic of ransomware viruses (up over 600% in 2016 and with the newest batch of exploits wreaking havoc internationally), I thought it would be a good idea to go through the basic guidelines for mitigating and containing ransomware for your small to mid sized business. There are plenty of additional pieces to putting this together completely so please reach out to me if you would like some assistance. Some of these are simple recommendations and this is by no means a complete list. But, then again, eat healthy, exercise regularly and don’t smoke are simple recommendations – and if you don’t follow them, you know what to expect.

  1. Use a reputable multi vector end point security – Use anti virus programs like Webroot/Kaspersky/McAfee/Avast. Don’t be penny wise and pound foolish. Buy a proper license for each machine. Keep it updated for all new definitions. Keep it current and get one that is constantly being updated. No one program is going to be 100% effective. Also, make sure that you have a program that detects malware. Malwarebytes Premium is my favorite. Again – go for the full paid version and don’t try to cut corners on freemium or freeware versions. An ounce of prevention is worth a pound of cure.  You need protection that is going to detect phishing from spam, detect unsafe websites and web browser protection.
  2. Put strong back up procedures in place– you should have back ups in place with a return point objective that you can live with. That means that you should have back ups both onsite on a device and in the cloud. Both of the back ups should be constantly tested for verification and the process should be monitored. When this is successfully in place, in case of an outbreak, you can restore to the last back up that was unaffected. Please note: tape drives, USB sticks, and removable hard drives are not adequate for business applications. You need a proper belt and suspenders- a properly sized on premise device that is backed up to the cloud.
  3. Make sure that you are updating your operating system and plug ins regularly – the current round of ransomware is exploiting unpatched and un-updated Windows vulnerabilities. We update our clients with whitelisted patches and updates from Microsoft. Make sure that you are constantly updating your operating system. Make sure that you are scheduling your updates properly- for all of your computers and all of your devices. Make sure you update all of your computers- even those that you may use less frequently. For example, we use micro pc’s in our conference room- for use with our large screen monitors. All of those units must be updated regularly.
  4. Make sure that your firewall is regularly updated and maintained– your firewall should be under contract and updated with the very latest definitions. Your firewall is all that stands between you and the virus filled Internet. We recommend Watchguard because it is constantly being updated and maintained – and it includes best of breed components that would be too expensive to buy separately bundled in.
  5. Disable autorun- make sure that you disable autorun for everyone!!Yes, autorun is useful. Yes, it is also used by viruses and malware to propagate itself throughout a network. In these dangerous times, disable it.
  6. Stop making everyone an Admin!! – administrators should be admins. However, if you give everyone admin rights, you open yourself up to more damage. User should be users and admins should be admins. Period.
  7. Enforce secure passwords– believe it or not, people use stupid passwords. Enough with stupid. If you want to get infected, use a simple password. If you don’t use a secure password (strong with characters, alphanumeric and symbols). Better yet, have your users get a password manager app.
  8. When relevant, encourage the use of two factor authorization– if you have compliance requirements (HIPAA or PCI) definitely use two factor authorization.
  9. Disable RDP– remote desktop protocol is used by all sorts of viruses and malware to gain access. If you don’t need it or don’t know what it is, disable it.
  10. Educate EVERYBODY– even if your office is a handful of people- but especially if you have less sophisticated users- education of the threat is important. Your staff should know what phishing, spear phishing and how to recognize and avoid suspicious emails. Incorporate this into your onboarding of new employees or have a meeting about this. If you would like a recommendation for videos, send me an email and I will send you a recommended list. Along with that, add pertinent sections to your employee manual about bringing your own device onto the network, using “free”USB drives, and clicking on links in emails.

Like I said, this is by no means a comprehensive list. I have learned Mark Twain may have had the last word. “It’s not what you know that gets you in trouble, it’s what you know for sure that just ain’t so”. The world of viruses and malware is changing. Yesterday’s method may be overcome in an instant and you have to keep on top of it. If you need help- just let me know!

 

The Feds just wiped out your online privacy…

Your ISP, browsing history, and what to do about it

Your ISP, browsing history, and what to do about it

Posted: April 4, 2017 by

In late March, Congress approved a bill lifting restrictions imposed on ISPs last year concerning what they could do with information such as customer browsing habits, app usage history, location data, and Social Security numbers. They additionally absolved ISPs of the need to strengthen their existing customer data holdings against hackers and thieves. For more on the particulars of the bill, you can see reports on the Washington Post and Ars Technica. Given that the repealed restrictions hadn’t yet come into effect, the immediate impact of the new bill is somewhat unclear. But given what typically happens with massive stores of aggregated, location-specific customer data, the prognosis is not good.

So what’s the worst that can happen? Let’s run through a few probable outcomes:

Ad retargeting

We all might be familiar with this; when we buy a product online and then see ads for it relentlessly for a couple weeks thereafter. But with increased granularity of metadata, ad retargeting can be significantly more ‘effective.’ As an example, certain tech support scam companies prefer to draw their staff directly from complicit drug detoxes and rehabs, largely in order to ensure a compliant, desperate employee base. So the next time someone searches for help with an intractable heroin addiction, they might get targeted ads for unlicensed rehabs that come with a new job opportunity of scamming the elderly. Perhaps if my browser history correlates to those of low income or unemployed people, my ads would fill with work from home scams. Or low literacy search phrasing, in conjunction with low income, could get me directed to multi-level marketing scams. There are a cornucopia of ways to target the weak and vulnerable via metadata and it’s both legal and profitable.

 

Stalking

As we can see with many domestic violence cases, abusers have no compunction against using technology to stalk and harass their victims. A 2014 article by NPR surveyed a series of domestic violence shelters and found 75% of their clients had dealt with abusers monitoring them remotely using hidden mobile apps. Some ill-conceived apps have linked multiple sets of user data together, to create inadvertent ‘stalking apps’. Once search metadata is openly sold, a person suffering domestic abuse would have a hard time searching for a local shelter without their partner knowing about it. Even with new homes and new identities, a victim would have to live with the fear of their search patterns combined with IP address identifying them, permanently. Stalking via metadata has been seen as an issue before and it will most likely happen again.

 

Browser History Ransom

We’ve seen doxware in the wild before. But when the barrier to entry is lowered to simply having enough money to purchase the incriminating data in question, why wouldn’t more criminals get in on the game? As seen with ransomware and tech support scams, when technical limitations to a crime are removed, people willing to try it multiply exponentially. Ransoming a victim’s browser history would seem to be easy money.

 

Time to Breach

Essentially, once this data begins to be collected, stored, and prepared for sale, there is a stopwatch set for time to breach and dissemination of your data to the highest bidder on the dark web. Think that’s hyperbolic? In 2015 Comcast published the personal data of almost 75,000 California customers due to operator error. In a separate incident in the same year, 200,000 Comcast customers had their data sold on the dark web. In 2014, Comcast hadn’t patched their mail servers adequately and hackers made off with extensive credentials. Not to be outdone, Time Warner had their customers breached in incidents here and here. Cox Communications paid the FCC a $595,000 fine for breach of its customer data. Given the track record of handling customer data thus far, how long until the next breach?

But this is bad and I don’t want this?

Although options are limited and sometimes frustrating, there are some things you can do. To combat ad retargeting, an ad blocker works quite well. It’s awfully tough to be taken in by deceptive or fraudulent, or just too intrusive advertising if you can’t see it. However, many of the most reputable news sites rely on advertising for revenue, so they ask users to disable ad blockers in order to access content. This doesn’t really address the issue of shadowy third parties doing untoward things with your data, which brings us to…

Virtual Private Networks (VPNs)

Here be dragons, though, because many VPN providers are no more trustworthy than the ISPs that we all love so dearly. If you go to a VPN review site you can see the latest VPNs and how they stack up on quality criteria, which generally include, but are not limited to:

  • Do they keep logs of your activity?
  • How much identifiable data do they keep on you?
  • Do they have physical control over their own VPN servers?
  • What countries are their servers located in?

Check out some reviews of popular VPNs based on answers to these questions here. Another question that you should be asking is how much a VPN costs. Free ones generally find some unsavory ways to monetize your traffic, which is what you’re trying to avoid to begin with.

HTTPS Everywhere

This is a browser extension published by the Electronic Freedom Foundation. It forces websites to use a more secure HTTPS connection when the website supports it. Encrypting traffic in this way does not protect the specific websites you visit from your ISP, but it does obfuscate specific content that you’re accessing on that page. And as a browser extension, it’s fairly easy to install, and probably falls under the category of things you should be doing anyway. If you want to find out more about HTTPS Everywhere, check out their FAQ here.

Calling your congressman

Privacy is a developing issue. As technology advances, its ability to infringe on our privacy in irritating and sometimes dangerous ways can increase. Letting your representatives know that this is a concern can help prevent worse legislation in the future. If you’d like to make your opinion on online privacy known, you can find your representatives here and here.

In conclusion, strong online privacy can sometimes be an inconvenience for those of us trying to catch cybercriminals. But its loss hurts all of us. Whether you have ‘something to hide’ or not, your data and your identity belong to you. Why shouldn’t you control how it’s used?

Prime Telecommunications Leverages State-of-the-Art Cybersecurity Techniques and Tools to Protect Customers

Prime Telecommunications, Inc., a leading provider of unified communications, announced today that the company is leveraging state-of-the-art cyber security techniques and tools to protect customers from cyber attacks that have become a daily occurrence in the small to mid-sized business marketplace. The company has been at the forefront of cybersecurity for many years and has taken their expertise to an entirely new level, well beyond their competition. Prime Telecommunications protects businesses from several key cybersecurity threats.

The first threat facing organizations is phishing. Phishing is essentially, using fake links to lure users into offering up sensitive information, by posing as an authority. Hackers can embed malicious links into emails, attachments or images, which usually lead to another page that requests the sensitive information, which will later be used against the user. One of the most creative ways hackers have found to attack SMBs is to call in and impersonate IT staff or Network Administrators, asking for specific information off the employee’s computer to resolve a potential “virus.” The employee will usually comply and supply the information, giving the hacker the exact keys they need to infiltrate the system.

The next area of concern is mobile security. As web traffic continues to migrate from PC to mobile, hackers have followed suit by redirecting their efforts to mobile attacks, as well. At an organization, whereby users are encouraged to BYOD (bring-your-own-device) to the network, this increases the exposure for network attack exponentially. SMBs need to be on the lookout for attacks from third party apps, mobile malware and unsecured public Wi-Fi locations. For example, employees will use their phone at an unsecured Wi-Fi hotspot to work but they won’t realize that the network is rigged to enable hackers with easy access to sensitive apps, data and information on any phones connected to that particular unsecured Wi-Fi hotspot. In many cases, users will be attacked without even realizing that the attack has happened.

The last area for an SMB to monitor is malvertising. This threat is where hackers embed malware within advertisements, landing pages or even directly on reputable websites. Sites that offer advertising on a massive scale, such as Facebook, have a tough time regulating online security throughout the buying process. Facebook can do its best to ensure that the links on Facebook aren’t malicious; however, they have no access to monitoring the pages that those advertisements lead to, once the user has left Facebook. Malvertisers can embed a code on an advertisement which leads to a dummy checkout page or a fake application page, which phishes all of the sensitive information that the hacker needs to launch an attack.

“These threats all point to the importance of SMBs consulting with an expert in the cybersecurity field,” stated Vic Levinson, President at Prime Telecommunications. “We are well-equipped to deal with threats like these, in addition to the new threats that will undoubtedly arise over the coming years. For any business that leverages technology as one of its key productivity drivers, it pays to have a team like Prime Telecommunications to face the hackers of the world.”

The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations

U.S. Department of Homeland Security US-CERT

National Cyber Awareness System:

 

09/06/2016 06:29 PM EDT
Original release date: September 06, 2016 | Last revised: September 28, 2016

Systems Affected

Network Infrastructure Devices

Overview

The advancing capabilities of organized hacker groups and cyber adversaries create an increasing global threat to information systems. The rising threat levels place more demands on security personnel and network administrators to protect information systems. Protecting the network infrastructure is critical to preserve the confidentiality, integrity, and availability of communication and services across an enterprise.

To address threats to network infrastructure devices, this Alert provides information on recent vectors of attack that advanced persistent threat (APT) actors are targeting, along with prevention and mitigation recommendations.

Description

Network infrastructure consists of interconnected devices designed to transport communications needed for data, applications, services, and multi-media. Routers and firewalls are the focus of this alert; however, many other devices exist in the network, such as switches, load-balancers, intrusion detection systems, etc. Perimeter devices, such as firewalls and intrusion detection systems, have been the traditional technologies used to secure the network, but as threats change, so must security strategies. Organizations can no longer rely on perimeter devices to protect the network from cyber intrusions; organizations must also be able to contain the impact/losses within the internal network and infrastructure.

For several years now, vulnerable network devices have been the attack-vector of choice and one of the most effective techniques for sophisticated hackers and advanced threat actors. In this environment, there has never been a greater need to improve network infrastructure security. Unlike hosts that receive significant administrative security attention and for which security tools such as anti-malware exist, network devices are often working in the background with little oversight—until network connectivity is broken or diminished. Malicious cyber actors take advantage of this fact and often target network devices. Once on the device, they can remain there undetected for long periods. After an incident, where administrators and security professionals perform forensic analysis and recover control, a malicious cyber actor with persistent access on network devices can reattack the recently cleaned hosts. For this reason, administrators need to ensure proper configuration and control of network devices.

Proliferation of Threats to Information Systems

SYNful Knock

In September 2015, an attack known as SYNful Knock was disclosed. SYNful Knock silently changes a router’s operating system image, thus allowing attackers to gain a foothold on a victim’s network. The malware can be customized and updated once embedded. When the modified malicious image is uploaded, it provides a backdoor into the victim’s network. Using a crafted TCP SYN packet, a communication channel is established between the compromised device and the malicious command and control (C2) server. The impact of this infection to a network or device is severe and most likely indicates that there may be additional backdoors or compromised devices on the network. This foothold gives an attacker the ability to maneuver and infect other hosts and access sensitive data.

The initial infection vector does not leverage a zero-day vulnerability. Attackers either use the default credentials to log into the device or obtain weak credentials from other insecure devices or communications. The implant resides within a modified IOS image and, when loaded, maintains its persistence in the environment, even after a system reboot. Any further modules loaded by the attacker will only exist in the router’s volatile memory and will not be available for use after the device reboots. However, these devices are rarely or never rebooted.

To prevent the size of the image from changing, the malware overwrites several legitimate IOS functions with its own executable code. The attacker examines the functionality of the router and determines functions that can be overwritten without causing issues on the router. Thus, the overwritten functions will vary upon deployment.

The attacker can utilize the secret backdoor password in three different authentication scenarios. In these scenarios the implant first checks to see if the user input is the backdoor password. If so, access is granted. Otherwise, the implanted code will forward the credentials for normal verification of potentially valid credentials. This generally raises the least amount of suspicion. Cisco has provided an alert on this attack vector. For more information, see the Cisco SYNful Knock Security Advisory.

Other attacks against network infrastructure devices have also been reported, including more complicated persistent malware that silently changes the firmware on the device that is used to load the operating system so that the malware can inject code into the running operating system. For more information, please see Cisco’s description of the evolution of attacks on Cisco IOS devices.

Cisco Adaptive Security Appliance (ASA)

A Cisco ASA device is a network device that provides firewall and Virtual Private Network (VPN) functionality. These devices are often deployed at the edge of a network to protect a site’s network infrastructure, and to give remote users access to protected local resources.

In June 2016, NCCIC received several reports of compromised Cisco ASA devices that were modified in an unauthorized way. The ASA devices directed users to a location where malicious actors tried to socially engineer the users into divulging their credentials.

It is suspected that malicious actors leveraged CVE-2014-3393 to inject malicious code into the affected devices. The malicious actor would then be able to modify the contents of the Random Access Memory Filing System (RAMFS) cache file system and inject the malicious code into the appliance’s configuration. Refer to the Cisco Security Advisory Multiple Vulnerabilities in Cisco ASA Software for more information and for remediation details.

In August 2016, a group known as “Shadow Brokers” publicly released a large number of files, including exploitation tools for both old and newly exposed vulnerabilities. Cisco ASA devices were found to be vulnerable to the released exploit code. In response, Cisco released an update to address a newly disclosed Cisco ASA Simple Network Management Protocol (SNMP) remote code execution vulnerability (CVE-2016-6366). In addition, one exploit tool targeted a previously patched Cisco vulnerability (CVE-2016-6367). Although Cisco provided patches to fix this Cisco ASA command-line interface (CLI) remote code execution vulnerability in 2011, devices that remain unpatched are still vulnerable to the described attack. Attackers may target vulnerabilities for months or even years after patches become available.

Impact

If the network infrastructure is compromised, malicious hackers or adversaries can gain full control of the network infrastructure enabling further compromise of other types of devices and data and allowing traffic to be redirected, changed, or denied. Possibilities of manipulation include denial-of-service, data theft, or unauthorized changes to the data.

Intruders with infrastructure privilege and access can impede productivity and severely hinder re-establishing network connectivity. Even if other compromised devices are detected, tracking back to a compromised infrastructure device is often difficult.

Malicious actors with persistent access to network devices can reattack and move laterally after they have been ejected from previously exploited hosts.

Solution

1.    Segregate Networks and Functions

Proper network segmentation is a very effective security mechanism to prevent an intruder from propagating exploits or laterally moving around an internal network. On a poorly segmented network, intruders are able to extend their impact to control critical devices or gain access to sensitive data and intellectual property. Security architects must consider the overall infrastructure layout, segmentation, and segregation. Segregation separates network segments based on role and functionality. A securely segregated network can contain malicious occurrences, reducing the impact from intruders, in the event that they have gained a foothold somewhere inside the network.

Physical Separation of Sensitive Information

Local Area Network (LAN) segments are separated by traditional network devices such as routers. Routers are placed between networks to create boundaries, increase the number of broadcast domains, and effectively filter users’ broadcast traffic. These boundaries can be used to contain security breaches by restricting traffic to separate segments and can even shut down segments of the network during an intrusion, restricting adversary access.

Recommendations:
  • Implement Principles of Least Privilege and need-to-know when designing network segments.
  • Separate sensitive information and security requirements into network segments.
  • Apply security recommendations and secure configurations to all network segments and network layers.
Virtual Separation of Sensitive Information        

As technologies change, new strategies are developed to improve IT efficiencies and network security controls. Virtual separation is the logical isolation of networks on the same physical network. The same physical segmentation design principles apply to virtual segmentation but no additional hardware is required. Existing technologies can be used to prevent an intruder from breaching other internal network segments.

Recommendations:
  • Use Private Virtual LANs to isolate a user from the rest of the broadcast domains.
  • Use Virtual Routing and Forwarding (VRF) technology to segment network traffic over multiple routing tables simultaneously on a single router.
  • Use VPNs to securely extend a host/network by tunneling through public or private networks.

2.    Limit Unnecessary Lateral Communications

Allowing unfiltered workstation-to-workstation communications (as well as other peer-to-peer communications) creates serious vulnerabilities, and can allow a network intruder to easily spread to multiple systems. An intruder can establish an effective “beach head” within the network, and then spread to create backdoors into the network to maintain persistence and make it difficult for defenders to contain and eradicate.

Recommendations:
  • Restrict communications using host-based firewall rules to deny the flow of packets from other hosts in the network. The firewall rules can be created to filter on a host device, user, program, or IP address to limit access from services and systems.
  • Implement a VLAN Access Control List (VACL), a filter that controls access to/from VLANs. VACL filters should be created to deny packets the ability to flow to other VLANs.
  • Logically segregate the network using physical or virtual separation allowing network administrators to isolate critical devices onto network segments.

3.    Harden Network Devices

A fundamental way to enhance network infrastructure security is to safeguard networking devices with secure configurations. Government agencies, organizations, and vendors supply a wide range of resources to administrators on how to harden network devices. These resources include benchmarks and best practices. These recommendations should be implemented in conjunction with laws, regulations, site security policies, standards, and industry best practices. These guides provide a baseline security configuration for the enterprise that protects the integrity of network infrastructure devices. This guidance supplements the network security best practices supplied by vendors.

Recommendations:
  • Disable unencrypted remote admin protocols used to manage network infrastructure (e.g., Telnet, FTP).
  • Disable unnecessary services (e.g. discovery protocols, source routing, HTTP, SNMP, BOOTP).
  • Use SNMPv3 (or subsequent version) but do not use SNMP community strings.
  • Secure access to the console, auxiliary, and VTY lines.
  • Implement robust password policies and use the strongest password encryption available.
  • Protect router/switch by controlling access lists for remote administration.
  • Restrict physical access to routers/switches.
  • Backup configurations and store offline. Use the latest version of the network device operating system and update with all patches.
  • Periodically test security configurations against security requirements.
  • Protect configuration files with encryption and/or access controls when sending them electronically and when they are stored and backed up.

4.    Secure Access to Infrastructure Devices

Administrative privileges on infrastructure devices allow access to resources that are normally unavailable to most users and permit the execution of actions that would otherwise be restricted. When administrator privileges are improperly authorized, granted widely, and/or not closely audited, intruders can exploit them. These compromised privileges can enable adversaries to traverse a network, expanding access and potentially allowing full control of the infrastructure backbone. Unauthorized infrastructure access can be mitigated by properly implementing secure access policies and procedures.

Recommendations:
  • Implement Multi-Factor Authentication – Authentication is a process to validate a user’s identity. Weak authentication processes are commonly exploited by attackers. Multi-factor authentication uses at least two identity components to authenticate a user’s identity. Identity components include something the user knows (e.g., password); an object the user has possession of (e.g., token); and a trait unique to the specific person (e.g., biometric).
  • Manage Privileged Access – Use an authorization server to store access information for network device management. This type of server will enable network administrators to assign different privilege levels to users based on the principle of least privilege. When a user tries to execute an unauthorized command, it will be rejected. To increase the strength and robustness of user authentication, implement a hard token authentication server in addition to the AAA server, if possible. Multi-factor authentication increases the difficulty for intruders to steal and reuse credentials to gain access to network devices.
  • Manage Administrative Credentials – Although multi-factor authentication is highly recommended and a best practice, systems that cannot meet this requirement can at least improve their security level by changing default passwords and enforcing complex password policies. Network accounts must contain complex passwords of at least 14 characters from multiple character domains including lowercase, uppercase, numbers, and special characters. Enforce password expiration and reuse policies. If passwords are stored for emergency access, keep these in a protected off-network location, such as a safe.

5.    Perform Out-of-Band Management

Out-of-Band (OoB) management uses alternate communication paths to remotely manage network infrastructure devices. These dedicated paths can vary in configuration to include anything from virtual tunneling to physical separation. Using OoB access to manage the network infrastructure will strengthen security by limiting access and separating user traffic from network management traffic. OoB management provides security monitoring and can implement corrective actions without allowing the adversary who may have already compromised a portion of the network to observe these changes.

OoB management can be implemented physically or virtually, or through a hybrid of the two. Building additional physical network infrastructure is the most secure option for the network managers, although it can be very expensive to implement and maintain. Virtual implementation is less costly, but still requires significant configuration changes and administration. In some situations, such as access to remote locations, virtual encrypted tunnels may be the only viable option.

Recommendations:
  • Segregate standard network traffic from management traffic.
  • Enforce that management traffic on devices only comes from the OoB.
  • Apply encryption to all management channels.
  • Encrypt all remote access to infrastructure devices such as terminal or dial-in servers.
  • Manage all administrative functions from a dedicated host (fully patched) over a secure channel, preferably on the OoB.
  • Harden network management devices by testing patches, turning off unnecessary services on routers and switches, and enforcing strong password policies. Monitor the network and review logs Implement access controls that only permit required administrative or management services (SNMP, NTP SSH, FTP, TFTP).

6.    Validate Integrity of Hardware and Software

Products purchased through unauthorized channels are often known as “counterfeit,” “secondary,” or “grey market” devices. There have been numerous reports in the press regarding grey market hardware and software being introduced into the marketplace. Grey market products have not been thoroughly tested to meet quality standards and can introduce risks to the network. Lack of awareness or validation of the legitimacy of hardware and software presents a serious risk to users’ information and the overall integrity of the network environment. Products purchased from the secondary market run the risk of having the supply chain breached, which can result in the introduction of counterfeit, stolen, or second-hand devices. This could affect network performance and compromise the confidentiality, integrity, or availability of network assets. Furthermore, breaches in the supply chain provide an opportunity for malicious software or hardware to be installed on the equipment. In addition, unauthorized or malicious software can be loaded onto a device after it is in operational use, so integrity checking of software should be done on a regular basis.

Recommendations:
  • Maintain strict control of the supply chain; purchase only from authorized resellers.
  • Require resellers to implement a supply chain integrity check to validate hardware and software authenticity.
  • Inspect the device for signs of tampering.
  • Validate serial numbers from multiple sources.
  • Download software, updates, patches, and upgrades from validated sources.
  • Perform hash verification and compare values against the vendor’s database to detect unauthorized modification to the firmware.
  • Monitor and log devices, verifying network configurations of devices on a regular schedule.
  • Train network owners, administrators, and procurement personnel to increase awareness of grey market devices.

 

Shadow Broker Exploits
Vendor CVE Exploit Name Vulnerability
Fortinet CVE-2016-6909 EGREGIOUSBLUNDER Authentication cookie overflow
WatchGuard CVE-2016-7089 ESCALATEPLOWMAN Command line injection via ipconfig
Cisco CVE-2016-6366 EXTRABACON SNMP remote code execution
Cisco CVE-2016-6367 EPICBANANA Command line injection remote code execution
Cisco CVE-2016-6415 BENIGNCERTAIN/PIXPOCKET Information/memory leak
TOPSEC N/A ELIGIBLEBACHELOR Attack vector unknown, but has an XML-like payload
beginning with <?tos length=”001e.%8.8x”?
TOPSEC N/A ELIGIBLEBOMBSHELL HTTP cookie command injection
TOPSEC N/A ELIGIBLECANDIDATE HTTP cookie command injection
TOPSEC N/A ELIGIBLECONTESTANT HTTP POST parameter injection

 

References

Revision History

  • September 6, 2016: Initial release
  • September 13, 2016: Added additional references

Prime Telecommunications Educates Customers on Password Protection Policies to Keep Their Businesses Safe

PasPassword Managementsword management has become increasingly important with daily attacks from hackers specifically targeting SMBs (Small and Medium sized businesses) . For example, 6 million LinkedIn account passwords were compromised just a couple of years ago and the list of breach has grown dramatically since. Anyone who has been using major social media sites, like LinkedIn, may have received a notification in the past couple months forcing them to reset their passwords. This is the result of the colossal breach in Internet security and Prime Telecommunications has taken the initiative to advise businesses on how to protect themselves.

As the Internet continues to expand in complexity, so do its vulnerabilities. In order for business owners to protect their organizations, they need to utilize best practices in password security. Here are some steps that business owners can take immediately.

Never Use the Same Password Twice: One of the most effective ways to prevent breaches is also the simplest; never use the same password for multiple accounts. Strong, unique passwords, with symbols, numbers and capital letters are usually far more effective than anything else.

Enable Two-Step Authentication/Verification: This is one of the other simple ways that a business can instantly upgrade the security of their entire network, by simply passing a company policy. Two-step password authentication essentially means that when a user logs into their account, they’ll be required to confirm that log-in attempt by replying to a text message or phone call. This best practice makes it much harder for hackers to impersonate the true account owner because it requires them to have access to multiple accounts before their hacking attempts can be effective.

Stay Vigilant Against Phishing: Hackers have long relied on phishing, a common strategy in which a hacker attempts to defraud an online account holder of financial information by posing as a legitimate company. For example, a hacker will gain access to your account information by purchasing your email and password on the black market and then they will log into your email and send a desperate email to one of your contacts, posing as you. “John! My transmission just blew and I’m stranded out here. My phone is about to die. Can you send me $2,000 to this account? I’ll pay you back as soon as I get into town.” Users need to constantly remain vigilant against attacks like this because they are prevalent and have proven effective over the years.

“While these are a few proactive steps a company can take in the right direction, they are only a mere shadow of what is possible if they work with a true managed IT services provider, like Prime Telecommunications, who is regularly monitoring, maintaining and optimizing the security of every device on a business’s network,” stated Vic Levinson, President of Prime Telecommunications. Prime Telecommunications partners with SMBs that need to secure a competitive advantage with advanced technology and want to remain focused on growing their business, instead of keeping up on the latest in online security. “That’s our job,” said Mr. Levinson.

 

Prime Telecommunications Educates Customers on Ransomware

watchguard-1

Prime Telecommunications, Inc., a leader in unified communications, announced today that they have launched a ransomware awareness campaign. The purpose of the campaign is to quickly educate business owners in understanding one of the latest threats now facing small to mid-sized businesses (SMBs). Ransomware is a specific variation of malware, that is growing in popularity amongst hackers and Prime Telecommunications is doing its best to alert business owners of this new tactic. Prime Telecommunications’ existing customers are very well protected against this type of threat but many business owners may be unaware of the potential destruction this has on an organization.

While business owners have always understood the need to protect their businesses from malware, short for “malicious software”, ransomware is a new tactic that hackers are using to attack businesses in an especially wicked way. Essentially, an employee will receive an email with a deceptive link, labeled “See Resume Here” or “Download Report Now”, and then upon clicking the link, a ransomware application will be installed immediately on the computer. Then, the software can remain hidden for several days, until it is activated. At that moment, the ransomware application will hijack critical files, remove them from the network, encrypt them so no other computers can access them and then hackers will send an email demanding payment for the release of the missing files. The biggest problem with this type of cyber attack is that it leaves absolutely no leverage to the business owner. Even if they pay the “ransom”, hackers don’t necessarily unlock the files every time. “This is a huge problem that could have drastic impact on an organization and the craziest thing we notice is that there is such a simple solution,” stated Vic Levinson, President at Prime Telecommunications.

“These types of attacks happen far too often, and we take great pride in protecting our customers from threats like this,” added Levinson. “The first line of defense for these kinds of attacks is a technically educated staff. While the majority of these threats come in the form of suspicious email links, an educated staff can avoid these catastrophes simply through awareness. That’s one of the reasons why we issued this press release,” commented Levinson. “For business owners that see the value of peace of mind, we devise comprehensive solutions that thwart these types of attacks from every angle. We take a global approach that includes a combination of anti-virus software, anti-malware software, strong firewalls, employee education, data backup, and network redundancy. What we’ve noticed over the years is that every network has different exposure points and our job is to come in as a technology advisor and to proactively prevent not only ransomware attacks, but the myriad of others attacks that a business owner may face for years to come.”

Prime Telecommunications’ mission is to leave business owners in a more empowered position by serving as an educator of emergent technologies. “Our biggest aim with this campaign is to usher in a sense of urgency amongst business owners so they take action now, instead of waiting to be in a difficult, immutable situation later,” closed Levinson.

Apple Ends Support of Quicktime for Windows

U.S. Department of Homeland Security US-CERT

National Cyber Awareness System:

04/14/2016 03:48 PM EDT
Original release date: April 14, 2016

Systems Affected

Microsoft Windows with Apple QuickTime installed

Overview

According to Trend Micro, Apple will no longer be providing security updates for QuickTime for Windows, leaving this software vulnerable to exploitation. [1]

Description

All software products have a lifecycle. Apple will no longer be providing security updates for QuickTime for Windows. [1]

The Zero Day Initiative has issued advisories for two vulnerabilities found in QuickTime for Windows. [2] [3]

Impact

Computer systems running unsupported software are exposed to elevated cybersecurity dangers, such as increased risks of malicious attacks or electronic data loss. Exploitation of QuickTime for Windows vulnerabilities could allow remote attackers to take control of affected systems.

Solution

Computers running QuickTime for Windows will continue to work after support ends. However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows. Users can find instructions for uninstalling QuickTime for Windows on the Apple Uninstall QuickTime page. [4]

References

Revision History

  • April 14, 2016: Initial Release

4 Top IT Decisions that Business Owners/CEOs Will Have to Make in 2015

In today’s business environment, owners need to assess the advancement in all technological areas, but paying special attention to these four areas will yield exponential benefits in the next calendar year. Here are the four decisions that need to be made:

Is It Time for Me to Downsize My In-House IT Department? IT departments have long served as a vital support structure for ensuring that all business operations run smoothly. However, as more software and hardware applications migrate to “the cloud” and the number of managed services providers grows, businesses need to start taking a hard look at whether or not it is fiscally responsible for them to pay for full-time IT staff. Advancements have made it possible for remote technicians to fix computer problems off-site and run constant monitoring, management and data optimization software to improve the efficiencies of a company’s network. In many cases, entire teams are used to ensure optimum network performance, something that a single employee cannot hope to deliver consistently. As the playing field has leveled, more sophisticated tools have been developed, making this job even more competitive. In fact, many large organizations are beginning to outsource key areas of their IT operations entirely, and it is not long before outsourced IT departments are commonplace.

Downnsize IT Department

How Can I Secure My Network From Threats? With cybercrimes on the rise, more and more businesses are beginning to take proper precautions to prevent company downtime or data loss. Spyware, malware, data backup and anti-virus protection are all vital to the economic well-being of any stable business. In emergency or negligence situations, critical data loss can set teams back for weeks and put a giant damper on productivity. Many businesses are reexamining their Acceptable Internet Usage Policies (AUPs), to make sure that employees are only visiting work-related sites when at the office. These types of threats are usually found on dangerous websites, which can be eliminated entirely with simple site filtering tools that restrict access to unnecessarily volatile sites. Many companies see this need, especially in the case where businesses derive funding from institutional and private investors. These organizations are often required to spend a significant portion of their yearly budget on security enhancing technologies to make sure that all sensitive information remains perpetually protected.

Network Security

Big Capital Expenditures or Small Cloud Transition Costs? With servers and telephony shifting from the standard on-premise solution of old, to more software-centric and remote operation, many businesses are choosing to invest heavily in the transition to the cloud. The biggest driving factor behind this decision is that from a financial standpoint, most businesses want to upgrade their technology, but don’t want to create a large amount of capital expenditures, which constrain financial resources. Technologies with rental programs, or lowered total cost structures are increasingly popular because of their minimal impact on a budget. With plenty of equipment nearly obsolete, many businesses are investigating technologies which leverage a fixed-cost of ownership in their cost structure. This helps businesses avoid big capital expenditures, keeping them lean and mean for the next year.

Cloud Hosting Icon

What’s Our Policy Regarding Bring-Your-Own-Device (BYOD)? Networks are the backbone of any business. However, when employees bring their own devices onto the network, they can often disrupt the infrastructure and slow the overall speed of the network drastically. Furthermore, these devices can pose as security threats when they are not properly configured to run in concert with all of the other technology endpoints on the existing network. It’s a complex web and network design is an intricate process, which is absolutely essential to get right. Some businesses refuse to let people bring their own devices onto the network, yet the vast majority of businesses allow employees to bring their own mobile devices onto the network, as long as they are properly configured by a leading technology specialist. That way, employees can utilize the tools they feel most comfortable with, without derailing anyone else’s performance on the network.

Bring your Own Device

 

Want to know more? Need help in talking out your decisions? Give us a call at 847 329 8600 and let’s begin the discussion.

AAEH Threat Alert

The following information is from the US Computer Emergency Readiness Team (US CERT) part of the Department of Homeland Security. The full text can be found here.

Network Security

AAEH

Original release date: April 09, 2015
Systems Affected
  • Microsoft Windows 95, 98, Me, 2000, XP, Vista, 7, and 8
  • Microsoft Server 2003, Server 2008, Server 2008 R2, and Server 2012

Overview

AAEH is a family of polymorphic downloaders created with the primary purpose of downloading other malware, including password stealers, rootkits, fake antivirus, and ransomware.

The United States Department of Homeland Security (DHS), in collaboration with Europol, the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ), released this Technical Alert to provide further information about the AAEH botnet, along with prevention and mitigation recommendations.

Description

AAEH is often propagated across networks, removable drives (USB/CD/DVD), and through ZIP and RAR archive files. Also known as VObfus, VBObfus, Beebone or Changeup, the polymorphic malware has the ability to change its form with every infection. AAEH is a polymorphic downloader with more than 2 million unique samples. Once installed, it morphs every few hours and rapidly spreads across the network.  AAEH has been used to download other malware families, such as Zeus, Cryptolocker, ZeroAccess, and Cutwail.

Impact

A system infected with AAEH may be employed to distribute malicious software, harvest users’ credentials for online services, including banking services, and extort money from users by encrypting key files and then demanding payment in order to return the files to a readable state. AAEH is capable of defeating anti-virus products by blocking connections to IP addresses associated with Internet security companies and by preventing anti-virus tools from running on infected machines.

Solution

Users are recommended to take the following actions to remediate AAEH infections:

  • Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. It is important to keep your anti-virus software up-to-date (see Understanding Anti-Virus Software for more information).
  • Change your passwords – Your original passwords may have been compromised during the infection, so you should change them (see Choosing and Protecting Passwords for more information).
  • Keep your operating system and application software up-to-date – Install software patches so that attackers can’t take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it (see Understanding Patches for more information).
  • Use anti-malware tools – Using a legitimate program that identifies and removes malware can help eliminate an infection.

Users can consider employing a remediation tool (examples below) that will help with the removal of AAEH from your system.

Note: AAEH blocks AV domain names thereby preventing infected users from being able to download remediation tools directly from an AV company. The links below will take you to the tools at the respective AV sites. In the event that the tools cannot be accessed or downloaded from the vendor site, the tools are accessible from Shadowserver (http://aaeh.shadowserver.org).

The below are examples only and do not constitute an exhaustive list. The U.S. Government does not endorse or support any particular product or vendor.

References

Revisions

  • April 9, 2015: Initial Release