Let’s stop phishing and go fishing!

Summer is a time for having fun. I happen to love fishing. However, in the world we live in today, fishing gets no news – and phishing gets all the news. In order to provide some useful information on the various types of phishing attacks, I want to share an excellent posting from the Malwarebytes Blog here. Wendy Zamora did an excellent job of going through the various types of phishing attacks that you must learn to recognize. The recent events nationally and internationally show the importance of being able to recognize a phishing email. Events with the DNC, corporate data breaches and the like are gaining widespread notoriety on a daily basis – news stories are abundant. This post is required reading – so please share it with your employees, coworkers and family members. Another targeted group is senior citizens using computers – so please make sure that you share this with older family members and friends. All of our clients who are on our managed services plan for remote monitoring and maintenance get the premium version of Malwarebytes included with their monthly remote monitoring package. If you are interested in learning more about how we help with PCs and networks for your business, either click here or give us a call at 847 329 8600.

Posted: June 26, 2017 by 
Last updated: June 23, 2017

Dear you,

It appears you need to update your information. Click here to tell us all your secrets.

No really, it’s totally safe. We’re not going to steal your identity, we swear.

If only phishing attempts were that obvious.

Instead, these days it’s hard to tell a phish apart from a foul, if you catch my drift. Modern-day phishing campaigns use stealthy techniques to target folks online and trick them into believing their messages are legit. Yet for all its sophistication, phishing relies on one of the basest of human foibles: trust. Detecting a phish, in its various forms, then requires you to hone a healthy level of skepticism when receiving any kind of digital communication, be it email, text, or even social media message. In order to understand how we got here, let’s go back to the first instance of phishing.

The Nigerian prince and early phishing

Back in the early days of the Internet, you could marvel at your “You’ve Got Mail” message and freely open any email that came your way. You’d get one email a day, tops, from your new best friend you met in the “grunge 4EVA” chat room. There was no such thing as junk email. The only promotions you received were CD copies of AOL in the snail mail. It didn’t cross your mind that going online could bring about danger.

Then came the Nigerian prince.

Unfortunately, where innovation and progress lead, corruption and crime will inevitably follow. One of the nation’s longest-running scams, the Nigerian prince phish came from a person claiming to be a government official or member of a royal family who needed help transferring millions of dollars out of Nigeria. The email was marked as “urgent” or “private,” and its sender asked the recipient to provide a bank account number for safekeeping the funds. Gone were the innocent days of trusting your inbox.

Over the years, the Nigerian prince scam has fooled millions, raking in hundreds of billions of dollars. Why has this scam been so successful? Simple. It uses a time-honored criminal technique—the ole bait and switch—to fool folks into believing that they are being contacted by a legitimate organization with a legitimate concern. Threat actors use this social engineering method to trick unwilling participants into clicking on malicious links and handing over personal information. The end goal, as with most cybercrime, is financial gain.

Phishing attacks aim to collect personal data—including login credentials, credit card numbers, social security numbers, and bank account numbers—for fraudulent purposes. The attack is most commonly delivered as an email communication that spoofs a known enterprise, such as a bank or online shopping site, but it can also appear to come from an individual of authority or of personal acquaintance. These emails always contain a link that sends users to a decent facsimile of a valid website where credentials will be collected and sent to the attacker, instead of the supposedly trusted source. From there, the attacker can exploit credentials to commit crimes such as identity theft, draining bank accounts, or selling personal information on the black market.

“Truth be told, phishing is the simplest kind of cyberattack and, at the same time, the most dangerous and effective,” says Adam Kujawa, Director of Malware Intelligence. “That is because it attacks the most vulnerable and powerful computer on the planet: the human mind.”

The evolution of phishing

While the Nigerian prince attack vector remains in use today, most savvy Internet users can now spot this scam a mile away (hence the multitude of memes that have popped up over the years). The campaign has lost its edge and fooled way fewer users. Plus, email technology has progressed so that spam filters readily pick up on this phish and block it. And this is why cybercriminals have had to advance their tactics.

“Phishers had no other choice but to evolve and improve on where they fell short,” says Jovi Umawing, Malware Intelligence Analyst at Malwarebytes. “Nowadays, most sophisticated modern-day phishing emails are so polished and well-designed that one cannot easily differentiate them from legitimate ones.”

Case in point: Recent phishing campaigns have had great success impersonating big-name companies and fooling big-name recipients. In May 2017, a phishing email targeted one million Gmail users by purporting to be from a contact sharing Google Docs. In Minnesota alone, state employees were scammed out of $90,000 due to the Google Docs fiasco. Hillary Clinton’s campaign manager for the 2016 presidential election, John Podesta, famously had his Gmail hacked and subsequently leaked after falling for the oldest trick in the book—a phishing attack claiming that his email password had been compromised (so click here to change it).

So how can we learn from these lessons? Let’s start by identifying the different types of phishing in use today.

Types of phishing

The most basic and commonly seen type of attack, of course, is the phishing email. Phishing emails are sent to a group of users who are unique enough to be used as bait but broad enough to ensnare a large number of people. The point is to cast as large a net as possible. In contrast, other forms of attack are much more targeted.

Spear phishing, as might be gathered from its title, usually targets a specific person or organization. Since these types of attacks are so pointed, phishers scour the Internet for available information about their target in order to craft a believable email to extort information (if not money) from victims.

Whaling is a form of spear phishing directed at executives or other high-profile targets within a business, government, or other organization, such as a CEO, senator, or someone who has access to financial assets. CFO fraud is an example of whaling.

Smishing, short for SMS phishing, is carried out via SMS text messaging on mobile devices. A similar technique, vishing, is voice phishing conducted over the phone.

Pharming, also known as DNS-based phishing, is a type of phishing in which the attacker tampers with a system’s hosts file or its DNS settings so that requests for legitimate URLs are redirected to a fake site. As a result, users have no idea that the website they are entering their personal details into is fake.
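
A quick way to spot the hosts-file variant of pharming on a machine you administer is to parse the file (/etc/hosts on Linux and macOS, %SystemRoot%\System32\drivers\etc\hosts on Windows) and report every dotted hostname that is not on a short list of names you expect to find there. The Python script below is an added example and not part of the original post; the sample hosts content and the expected-name set are constructed for illustration. It flags loopback mappings of public names too, because pointing a site at 127.0.0.1 is the other common abuse of the file (it silently blocks the site instead of redirecting it).

```python
"""Report hosts-file entries that override DNS for public-looking hostnames."""
import ipaddress

# Constructed sample: normal loopback entries, a developer's test alias, and a
# pharming-style entry that sends a bank's hostnames to an attacker-chosen IP.
SAMPLE_HOSTS = """\
# Host Database
127.0.0.1       localhost
::1             localhost
127.0.0.1       dev.local        # local test alias, expected
198.51.100.23   www.example-bank.example.com secure.example-bank.example.com
"""

# Names an administrator expects to see mapped in this file (assumption:
# maintained per site; any other dotted name is reported for review).
EXPECTED_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "dev.local"}


def parse_hosts(text):
    """Yield (ip_address, [hostnames]) for every non-comment, well-formed entry."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop whole-line and trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; a real tool would log it
        yield ip, [name.lower() for name in fields[1:]]


def suspicious_entries(text, expected=EXPECTED_NAMES):
    """Return (hostname, ip) pairs that override DNS for a name outside `expected`."""
    hits = []
    for ip, names in parse_hosts(text):
        for name in names:
            # A dotted name that is not on the expected list is exactly the kind of
            # static override pharming relies on, whatever address it points to.
            if name not in expected and "." in name:
                hits.append((name, str(ip)))
    return hits


if __name__ == "__main__":
    for name, ip in suspicious_entries(SAMPLE_HOSTS):
        print(f"review: {name} is pinned to {ip}, bypassing DNS")
```

Run it against the real file by reading its contents instead of SAMPLE_HOSTS; anything it reports should be reconciled with a change record or removed, and the same review applies to the DNS server addresses configured on the host, which the script does not cover.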

Content-injection phishing is when phishers insert malicious code or misleading content into legitimate websites that instructs users to enter their credentials or personal information. This type of phishing is a form of content spoofing.

Man-in-the-middle phishing happens when phishers position themselves between people and the websites they use, such as social networking sites or online banks, to extract information as it’s being entered. This type of phishing is more difficult to detect because attackers pass users’ information on to the real site (after collecting it) so as not to disrupt any transactions.

And finally, search engine phishing starts off when phishers create malicious websites with attractive offers, and search engines index them. People then stumble upon such sites doing their own online searches and, thinking the sites are legit, unknowingly give up their personal information.

There truly are a lot of phish in the sea.

So, if your head isn’t completely swimming in fish puns, it’s time to talk about how to train your eye and your gut to sniff out the various forms of phishing attacks. I asked Labs researchers to tell me their top indications that an email, text, or other form of communication is a phish and compiled a list of their, and my, recommendations.

Something’s phishy if:

  • The email, text, or voicemail is requesting that you update/fill in personal information. This is especially dubious if it’s coming from a bank or the IRS. Treat any communication asking for your credentials with extra caution.
  • The URL shown on the email and the URL that displays when you hover over the link are different from one another.
  • The “From” address is an imitation of a legitimate address, especially from a business.
  • The formatting and design are different from what you usually receive from an organization. Maybe the logo looks pixelated or the buttons are different colors. Or possibly there are weird paragraph breaks or extra spaces between words. If the email appears sloppy, start making the squinty “this looks suspect” face.
  • The content is badly written. Sure, there are plenty of wannabe writers working for legitimate organizations, but this email might seem particularly amateur. Are there obvious grammar errors? Is there awkward sentence structure, like perhaps it was written by a computer program or someone whose second language is English? Take a closer look.
  • Speaking of content, a phishing email almost always sounds desperate. “Whether they’re claiming that your account will be closed, an urgent request is needed, or your account has been compromised, think twice before double-clicking that link or downloading that attachment,” says Umawing.
  • The email contains attachments from unknown sources that you were not expecting. Don’t open them, plain and simple. They might contain malware that could infect your system.
  • The website is not secure. If you do go ahead and click on the link of an email to fill out personal information, be sure you see the “https” abbreviation as well as the lock symbol at the beginning of the URL. If not, that means any data you submit is vulnerable to cybercriminals. (If the link is malicious, Malwarebytes will block the site.)
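
Several of the indicators above can be checked mechanically on a raw message: a visible link whose text shows one address while its href points somewhere else, a plain http link, a “From” address that imitates a brand, and urgent wording. The Python script below is an added example, not code from Malwarebytes or the original post; the two sample messages, the brand-to-domain table and the urgency word list are constructed for illustration.

```python
"""Flag common phishing indicators in a raw RFC 5322 message (added example)."""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the visible link text, the real href, and the sender domain all disagree.
SAMPLE_EMAIL = """\
From: "Example Bank Support" <support@examp1e-bank.example.net>
To: customer@example.org
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be closed unless you update your information.</p>
<p><a href="http://login.examp1e-bank.example.net/verify">https://www.example-bank.example.com/secure</a></p>
<p><a href="https://www.example-bank.example.com/help">Help center</a></p>
</body></html>
"""

# Constructed: a message from the real domain with a consistent https link.
CLEAN_EMAIL = """\
From: "Example Bank Support" <notify@example-bank.example.com>
To: customer@example.org
Subject: Your monthly statement is available
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in at <a href="https://www.example-bank.example.com/statements">https://www.example-bank.example.com/statements</a> to view it.</p></body></html>
"""

# Assumption: brands the message may claim to come from, with their real domains.
KNOWN_BRANDS = {"example bank": "example-bank.example.com"}
URGENCY_WORDS = ("urgent", "will be closed", "suspended", "within 24 hours")
URL_LIKE = re.compile(r"^(https?://|www\.)", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL, tolerating text like 'www.example.com' without a scheme."""
    if not re.match(r"^[a-z]+://", url, re.IGNORECASE):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(raw_message):
    """Return a list of indicator strings found in the message; empty means none fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # "From" display name claims a brand whose real domain differs from the sender's.
    display_name, address = email.utils.parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    for brand, real_domain in KNOWN_BRANDS.items():
        is_real = sender_domain == real_domain or sender_domain.endswith("." + real_domain)
        if brand in display_name.lower() and not is_real:
            findings.append(f"from-domain-mismatch: {sender_domain} claims to be {brand}")

    # Urgent language in the subject or body.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    findings += [f"urgency: '{w}'" for w in URGENCY_WORDS if w in text]

    # Links: visible URL text vs. the real href (the hover check), and missing https.
    collector = LinkCollector()
    collector.feed(body)
    for href, visible in collector.links:
        if URL_LIKE.match(visible) and host_of(visible) != host_of(href):
            findings.append(f"link-mismatch: text {host_of(visible)} -> href {host_of(href)}")
        if urlparse(href).scheme.lower() != "https":
            findings.append(f"no-https: {href}")
    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, phishing_indicators(raw) or ["no indicators"])
```

In practice you would feed it a saved .eml file and maintain the brand table from your own mail-security tooling. The checks are heuristics: a message with no findings is not proven clean, and the hover-versus-text comparison only fires when the visible link text itself looks like a URL, which is exactly the case the list item above describes.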

If you suspect or can verify that you’ve been phished, it’s best to report the attempt directly to the person or organization being spoofed. You can also contact the Federal Trade Commission (FTC) to lodge a complaint. Once completed, delete the email, then empty your trash. (Same goes for texts.)

Now the next time someone attempts to scam you with fraudulent emails, you won’t have to wonder if the message is for real. You’ll scope out a phish hook, line, and sinker.

The Feds just wiped out your online privacy…

Your ISP, browsing history, and what to do about it

Posted: April 4, 2017 by

In late March, Congress approved a bill lifting restrictions imposed on ISPs last year concerning what they could do with information such as customer browsing habits, app usage history, location data, and Social Security numbers. It additionally absolved ISPs of the need to strengthen their existing customer data holdings against hackers and thieves. For more on the particulars of the bill, you can see reports from the Washington Post and Ars Technica. Given that the repealed restrictions hadn’t yet come into effect, the immediate impact of the new bill is somewhat unclear. But given what typically happens with massive stores of aggregated, location-specific customer data, the prognosis is not good.

So what’s the worst that can happen? Let’s run through a few probable outcomes:

Ad retargeting

We all might be familiar with this: we buy a product online and then see ads for it relentlessly for a couple of weeks thereafter. But with increased granularity of metadata, ad retargeting can be significantly more ‘effective.’ As an example, certain tech support scam companies prefer to draw their staff directly from complicit drug detoxes and rehabs, largely in order to ensure a compliant, desperate employee base. So the next time someone searches for help with an intractable heroin addiction, they might get targeted ads for unlicensed rehabs that come with a new job opportunity of scamming the elderly. Perhaps if my browser history correlates to those of low income or unemployed people, my ads would fill with work from home scams. Or low literacy search phrasing, in conjunction with low income, could get me directed to multi-level marketing scams. There is a cornucopia of ways to target the weak and vulnerable via metadata, and it’s both legal and profitable.

Stalking

As we can see with many domestic violence cases, abusers have no compunction against using technology to stalk and harass their victims. A 2014 article by NPR surveyed a series of domestic violence shelters and found 75% of their clients had dealt with abusers monitoring them remotely using hidden mobile apps. Some ill-conceived apps have linked multiple sets of user data together, to create inadvertent ‘stalking apps’. Once search metadata is openly sold, a person suffering domestic abuse would have a hard time searching for a local shelter without their partner knowing about it. Even with new homes and new identities, a victim would have to live with the fear of their search patterns combined with IP address identifying them, permanently. Stalking via metadata has been seen as an issue before and it will most likely happen again.

Browser History Ransom

We’ve seen doxware in the wild before. But when the barrier to entry is lowered to simply having enough money to purchase the incriminating data in question, why wouldn’t more criminals get in on the game? As seen with ransomware and tech support scams, when technical limitations to a crime are removed, people willing to try it multiply exponentially. Ransoming a victim’s browser history would seem to be easy money.

Time to Breach

Essentially, once this data begins to be collected, stored, and prepared for sale, there is a stopwatch set for time to breach and dissemination of your data to the highest bidder on the dark web. Think that’s hyperbolic? In 2015 Comcast published the personal data of almost 75,000 California customers due to operator error. In a separate incident in the same year, 200,000 Comcast customers had their data sold on the dark web. In 2014, Comcast hadn’t patched their mail servers adequately and hackers made off with extensive credentials. Not to be outdone, Time Warner had their customers breached in incidents here and here. Cox Communications paid the FCC a $595,000 fine for breach of its customer data. Given the track record of handling customer data thus far, how long until the next breach?

But this is bad and I don’t want this?

Although options are limited and sometimes frustrating, there are some things you can do. To combat ad retargeting, an ad blocker works quite well. It’s awfully tough to be taken in by deceptive, fraudulent, or just too intrusive advertising if you can’t see it. However, many of the most reputable news sites rely on advertising for revenue, so they ask users to disable ad blockers in order to access content. This doesn’t really address the issue of shadowy third parties doing untoward things with your data, which brings us to…

Virtual Private Networks (VPNs)

Here be dragons, though, because many VPN providers are no more trustworthy than the ISPs that we all love so dearly. If you go to a VPN review site you can see the latest VPNs and how they stack up on quality criteria, which generally include, but are not limited to:

  • Do they keep logs of your activity?
  • How much identifiable data do they keep on you?
  • Do they have physical control over their own VPN servers?
  • What countries are their servers located in?

Check out some reviews of popular VPNs based on answers to these questions here. Another question that you should be asking is how much a VPN costs. Free ones generally find some unsavory ways to monetize your traffic, which is what you’re trying to avoid to begin with.

HTTPS Everywhere

This is a browser extension published by the Electronic Freedom Foundation. It forces websites to use a more secure HTTPS connection when the website supports it. Encrypting traffic in this way does not hide which websites you visit from your ISP, but it does hide the specific pages and content you access on those sites. And as a browser extension, it’s fairly easy to install, and it probably falls under the category of things you should be doing anyway. If you want to find out more about HTTPS Everywhere, check out their FAQ here.

Calling your congressman

Privacy is a developing issue. As technology advances, its ability to infringe on our privacy in irritating and sometimes dangerous ways can increase. Letting your representatives know that this is a concern can help prevent worse legislation in the future. If you’d like to make your opinion on online privacy known, you can find your representatives here and here.

In conclusion, strong online privacy can sometimes be an inconvenience for those of us trying to catch cybercriminals. But its loss hurts all of us. Whether you have ‘something to hide’ or not, your data and your identity belong to you. Why shouldn’t you control how it’s used?

The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations

U.S. Department of Homeland Security US-CERT

National Cyber Awareness System:

09/06/2016 06:29 PM EDT
Original release date: September 06, 2016 | Last revised: September 28, 2016

Systems Affected

Network Infrastructure Devices

Overview

The advancing capabilities of organized hacker groups and cyber adversaries create an increasing global threat to information systems. The rising threat levels place more demands on security personnel and network administrators to protect information systems. Protecting the network infrastructure is critical to preserve the confidentiality, integrity, and availability of communication and services across an enterprise.

To address threats to network infrastructure devices, this Alert provides information on recent vectors of attack that advanced persistent threat (APT) actors are targeting, along with prevention and mitigation recommendations.

Description

Network infrastructure consists of interconnected devices designed to transport communications needed for data, applications, services, and multi-media. Routers and firewalls are the focus of this alert; however, many other devices exist in the network, such as switches, load-balancers, intrusion detection systems, etc. Perimeter devices, such as firewalls and intrusion detection systems, have been the traditional technologies used to secure the network, but as threats change, so must security strategies. Organizations can no longer rely on perimeter devices to protect the network from cyber intrusions; organizations must also be able to contain the impact/losses within the internal network and infrastructure.

For several years now, vulnerable network devices have been the attack-vector of choice and one of the most effective techniques for sophisticated hackers and advanced threat actors. In this environment, there has never been a greater need to improve network infrastructure security. Unlike hosts that receive significant administrative security attention and for which security tools such as anti-malware exist, network devices are often working in the background with little oversight—until network connectivity is broken or diminished. Malicious cyber actors take advantage of this fact and often target network devices. Once on the device, they can remain there undetected for long periods. After an incident, where administrators and security professionals perform forensic analysis and recover control, a malicious cyber actor with persistent access on network devices can reattack the recently cleaned hosts. For this reason, administrators need to ensure proper configuration and control of network devices.

Proliferation of Threats to Information Systems

SYNful Knock

In September 2015, an attack known as SYNful Knock was disclosed. SYNful Knock silently changes a router’s operating system image, thus allowing attackers to gain a foothold on a victim’s network. The malware can be customized and updated once embedded. When the modified malicious image is uploaded, it provides a backdoor into the victim’s network. Using a crafted TCP SYN packet, a communication channel is established between the compromised device and the malicious command and control (C2) server. The impact of this infection to a network or device is severe and most likely indicates that there may be additional backdoors or compromised devices on the network. This foothold gives an attacker the ability to maneuver and infect other hosts and access sensitive data.

The initial infection vector does not leverage a zero-day vulnerability. Attackers either use the default credentials to log into the device or obtain weak credentials from other insecure devices or communications. The implant resides within a modified IOS image and, when loaded, maintains its persistence in the environment, even after a system reboot. Any further modules loaded by the attacker will only exist in the router’s volatile memory and will not be available for use after the device reboots. However, these devices are rarely or never rebooted.

To prevent the size of the image from changing, the malware overwrites several legitimate IOS functions with its own executable code. The attacker examines the functionality of the router and determines functions that can be overwritten without causing issues on the router. Thus, the overwritten functions will vary upon deployment.

The attacker can utilize the secret backdoor password in three different authentication scenarios. In these scenarios the implant first checks to see if the user input is the backdoor password. If so, access is granted. Otherwise, the implanted code will forward the credentials for normal verification of potentially valid credentials. This generally raises the least amount of suspicion. Cisco has provided an alert on this attack vector. For more information, see the Cisco SYNful Knock Security Advisory.

Other attacks against network infrastructure devices have also been reported, including more complicated persistent malware that silently changes the firmware on the device that is used to load the operating system so that the malware can inject code into the running operating system. For more information, please see Cisco’s description of the evolution of attacks on Cisco IOS devices.

Cisco Adaptive Security Appliance (ASA)

A Cisco ASA device is a network device that provides firewall and Virtual Private Network (VPN) functionality. These devices are often deployed at the edge of a network to protect a site’s network infrastructure, and to give remote users access to protected local resources.

In June 2016, NCCIC received several reports of compromised Cisco ASA devices that were modified in an unauthorized way. The ASA devices directed users to a location where malicious actors tried to socially engineer the users into divulging their credentials.

It is suspected that malicious actors leveraged CVE-2014-3393 to inject malicious code into the affected devices. The malicious actor would then be able to modify the contents of the Random Access Memory Filing System (RAMFS) cache file system and inject the malicious code into the appliance’s configuration. Refer to the Cisco Security Advisory Multiple Vulnerabilities in Cisco ASA Software for more information and for remediation details.

In August 2016, a group known as “Shadow Brokers” publicly released a large number of files, including exploitation tools for both old and newly exposed vulnerabilities. Cisco ASA devices were found to be vulnerable to the released exploit code. In response, Cisco released an update to address a newly disclosed Cisco ASA Simple Network Management Protocol (SNMP) remote code execution vulnerability (CVE-2016-6366). In addition, one exploit tool targeted a previously patched Cisco vulnerability (CVE-2016-6367). Although Cisco provided patches to fix this Cisco ASA command-line interface (CLI) remote code execution vulnerability in 2011, devices that remain unpatched are still vulnerable to the described attack. Attackers may target vulnerabilities for months or even years after patches become available.

Impact

If the network infrastructure is compromised, malicious hackers or adversaries can gain full control of the network infrastructure enabling further compromise of other types of devices and data and allowing traffic to be redirected, changed, or denied. Possibilities of manipulation include denial-of-service, data theft, or unauthorized changes to the data.

Intruders with infrastructure privilege and access can impede productivity and severely hinder re-establishing network connectivity. Even if other compromised devices are detected, tracking back to a compromised infrastructure device is often difficult.

Malicious actors with persistent access to network devices can reattack and move laterally after they have been ejected from previously exploited hosts.

Solution

1. Segregate Networks and Functions

Proper network segmentation is a very effective security mechanism to prevent an intruder from propagating exploits or laterally moving around an internal network. On a poorly segmented network, intruders are able to extend their impact to control critical devices or gain access to sensitive data and intellectual property. Security architects must consider the overall infrastructure layout, segmentation, and segregation. Segregation separates network segments based on role and functionality. A securely segregated network can contain malicious occurrences, reducing the impact from intruders, in the event that they have gained a foothold somewhere inside the network.

Physical Separation of Sensitive Information

Local Area Network (LAN) segments are separated by traditional network devices such as routers. Routers are placed between networks to create boundaries, increase the number of broadcast domains, and effectively filter users’ broadcast traffic. These boundaries can be used to contain security breaches by restricting traffic to separate segments and can even shut down segments of the network during an intrusion, restricting adversary access.

Recommendations:
  • Implement Principles of Least Privilege and need-to-know when designing network segments.
  • Separate sensitive information and security requirements into network segments.
  • Apply security recommendations and secure configurations to all network segments and network layers.

Virtual Separation of Sensitive Information

As technologies change, new strategies are developed to improve IT efficiencies and network security controls. Virtual separation is the logical isolation of networks on the same physical network. The same physical segmentation design principles apply to virtual segmentation but no additional hardware is required. Existing technologies can be used to prevent an intruder from breaching other internal network segments.

Recommendations:
  • Use Private Virtual LANs to isolate a user from the rest of the broadcast domains.
  • Use Virtual Routing and Forwarding (VRF) technology to segment network traffic over multiple routing tables simultaneously on a single router.
  • Use VPNs to securely extend a host/network by tunneling through public or private networks.

2. Limit Unnecessary Lateral Communications

Allowing unfiltered workstation-to-workstation communications (as well as other peer-to-peer communications) creates serious vulnerabilities, and can allow a network intruder to easily spread to multiple systems. An intruder can establish an effective “beach head” within the network, and then spread to create backdoors into the network to maintain persistence and make it difficult for defenders to contain and eradicate.

Recommendations:
  • Restrict communications using host-based firewall rules to deny the flow of packets from other hosts in the network. The firewall rules can be created to filter on a host device, user, program, or IP address to limit access from services and systems.
  • Implement a VLAN Access Control List (VACL), a filter that controls access to/from VLANs. VACL filters should be created to deny packets the ability to flow to other VLANs.
  • Logically segregate the network using physical or virtual separation allowing network administrators to isolate critical devices onto network segments.

3. Harden Network Devices

A fundamental way to enhance network infrastructure security is to safeguard networking devices with secure configurations. Government agencies, organizations, and vendors supply a wide range of resources to administrators on how to harden network devices. These resources include benchmarks and best practices. These recommendations should be implemented in conjunction with laws, regulations, site security policies, standards, and industry best practices. These guides provide a baseline security configuration for the enterprise that protects the integrity of network infrastructure devices. This guidance supplements the network security best practices supplied by vendors.

Recommendations:
  • Disable unencrypted remote admin protocols used to manage network infrastructure (e.g., Telnet, FTP).
  • Disable unnecessary services (e.g. discovery protocols, source routing, HTTP, SNMP, BOOTP).
  • Use SNMPv3 (or subsequent version) but do not use SNMP community strings.
  • Secure access to the console, auxiliary, and VTY lines.
  • Implement robust password policies and use the strongest password encryption available.
  • Protect router/switch by controlling access lists for remote administration.
  • Restrict physical access to routers/switches.
  • Back up configurations and store them offline. Use the latest version of the network device operating system and update with all patches.
  • Periodically test security configurations against security requirements.
  • Protect configuration files with encryption and/or access controls when sending them electronically and when they are stored and backed up.
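
To show how the recommendations above translate into something an administrator can check, here is an added Python audit of a Cisco IOS-style running-config; it is an illustration written for this page, not a tool from US-CERT or Cisco. The two configurations are constructed, with placeholder hostnames, addresses and hash values. The audit assumes that source routing, BOOTP and CDP are enabled by default and therefore appear in a saved config only as explicit `no` lines when disabled, which holds for many IOS images but should be verified against your version; it also treats a VTY line with no `transport input` statement as allowing the platform default, which may include Telnet.

```python
"""Audit a Cisco IOS-style running-config against the hardening list (added example)."""
import re

# Constructed weak config: Telnet, community strings, HTTP server, weak enable password.
WEAK_CONFIG = """\
no service password-encryption
hostname edge-rtr
enable password cisco123
ip http server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
 login local
end
"""

# Constructed hardened config (hash and addresses are placeholders, not real values).
HARDENED_CONFIG = """\
service password-encryption
hostname edge-rtr
enable secret 9 PLACEHOLDER-HASH
no ip source-route
no ip bootp server
no ip http server
no cdp run
snmp-server group ADMINS v3 priv
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 5 0
 login local
end
"""

# Global lines that should never appear; anchored so the 'no ...' forms do not match.
FORBIDDEN = [
    (re.compile(r"^snmp-server community\b"), "SNMP community string configured; use SNMPv3"),
    (re.compile(r"^ip http server\b"), "HTTP management interface enabled"),
    (re.compile(r"^enable password\b"), "'enable password' in use; use 'enable secret'"),
    (re.compile(r"^no service password-encryption\b"), "password encryption disabled"),
]
# Explicit 'no' lines that must be present because the feature is on by default
# and omitted from the config while enabled (assumption: version-dependent).
REQUIRED = [
    ("no ip source-route", "IP source routing not disabled"),
    ("no ip bootp server", "BOOTP server not disabled"),
    ("no cdp run", "CDP discovery protocol not disabled"),
]


def parse_blocks(config):
    """Group indented sub-commands under their parent line, dropping '!' separators."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_config(config):
    """Return human-readable findings; an empty list means every check passed."""
    blocks = parse_blocks(config)
    headers = [h for h, _ in blocks]
    findings = []
    for header in headers:
        for pattern, message in FORBIDDEN:
            if pattern.match(header):
                findings.append(f"{message}: '{header}'")
    for line, message in REQUIRED:
        if line not in headers:
            findings.append(f"{message}: add '{line}'")
    for header, children in blocks:
        if not header.startswith("line vty"):
            continue
        transports = [c for c in children if c.startswith("transport input")]
        if not transports or any(re.search(r"\b(telnet|all)\b", t) for t in transports):
            findings.append(f"{header}: unencrypted Telnet permitted; set 'transport input ssh'")
        if not any(c.startswith("access-class") for c in children):
            findings.append(f"{header}: no access-class limiting remote administration")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_config(cfg))} finding(s)")
        for finding in audit_config(cfg):
            print("  -", finding)
```

Point it at the output of `show running-config` saved to a file and it covers the Telnet, SNMP, unnecessary-service, password and remote-access-list items on the list above; console and auxiliary line settings, patch level and physical access are outside what a config text can tell you and still need their own checks.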

4. Secure Access to Infrastructure Devices

Administrative privileges on infrastructure devices allow access to resources that are normally unavailable to most users and permit the execution of actions that would otherwise be restricted. When administrator privileges are improperly authorized, granted widely, and/or not closely audited, intruders can exploit them. These compromised privileges can enable adversaries to traverse a network, expanding access and potentially allowing full control of the infrastructure backbone. Unauthorized infrastructure access can be mitigated by properly implementing secure access policies and procedures.

Recommendations:
  • Implement Multi-Factor Authentication – Authentication is a process to validate a user’s identity. Weak authentication processes are commonly exploited by attackers. Multi-factor authentication uses at least two identity components to authenticate a user’s identity. Identity components include something the user knows (e.g., password); an object the user has possession of (e.g., token); and a trait unique to the specific person (e.g., biometric).
  • Manage Privileged Access – Use an authorization server to store access information for network device management. This type of server will enable network administrators to assign different privilege levels to users based on the principle of least privilege. When a user tries to execute an unauthorized command, it will be rejected. To increase the strength and robustness of user authentication, implement a hard token authentication server in addition to the AAA server, if possible. Multi-factor authentication increases the difficulty for intruders to steal and reuse credentials to gain access to network devices.
  • Manage Administrative Credentials – Although multi-factor authentication is highly recommended and a best practice, systems that cannot meet this requirement can at least improve their security level by changing default passwords and enforcing complex password policies. Network accounts must contain complex passwords of at least 14 characters from multiple character domains including lowercase, uppercase, numbers, and special characters. Enforce password expiration and reuse policies. If passwords are stored for emergency access, keep these in a protected off-network location, such as a safe.

5.    Perform Out-of-Band Management

Out-of-Band (OoB) management uses alternate communication paths to remotely manage network infrastructure devices. These dedicated paths can vary in configuration to include anything from virtual tunneling to physical separation. Using OoB access to manage the network infrastructure will strengthen security by limiting access and separating user traffic from network management traffic. OoB management provides security monitoring and can implement corrective actions without allowing the adversary who may have already compromised a portion of the network to observe these changes.

OoB management can be implemented physically or virtually, or through a hybrid of the two. Building additional physical network infrastructure is the most secure option for the network managers, although it can be very expensive to implement and maintain. Virtual implementation is less costly, but still requires significant configuration changes and administration. In some situations, such as access to remote locations, virtual encrypted tunnels may be the only viable option.

Recommendations:
  • Segregate standard network traffic from management traffic.
  • Enforce that management traffic on devices only comes from the OoB.
  • Apply encryption to all management channels.
  • Encrypt all remote access to infrastructure devices such as terminal or dial-in servers.
  • Manage all administrative functions from a dedicated host (fully patched) over a secure channel, preferably on the OoB.
  • Harden network management devices by testing patches, turning off unnecessary services on routers and switches, and enforcing strong password policies. Monitor the network and review logs. Implement access controls that only permit required administrative or management services (SNMP, NTP, SSH, FTP, TFTP).
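The device-hardening checklist above and the out-of-band management recommendations share a set of settings that can be checked mechanically. As an added example (not code from the alert or from Prime Telecommunications), the Python script below audits a Cisco IOS-style running configuration for several of them; the two sample configurations, the hostname, the ACL name and the secrets are constructed placeholders for the demonstration.

```python
"""Audit a Cisco IOS-style running-config against the hardening checklist.

Added example: the configurations below are constructed for this
demonstration (hostname, ACL name and secrets are placeholders), not taken
from a real device. Each check maps to a recommendation above: disable
Telnet/HTTP, use SNMPv3 instead of community strings, restrict VTY access
with an access list, use the strongest password encryption, enable AAA.
"""
import re

# Constructed weak configuration: Telnet on the VTY lines, SNMP community
# strings, HTTP server on, reversible enable password, no AAA, no ACL.
WEAK_CONFIG = """\
hostname edge-rtr-1
enable password cisco123
snmp-server community public RO
snmp-server community private RW
ip http server
line con 0
 password cisco
 login
line aux 0
 login
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""

# Constructed hardened configuration for the same device.
HARDENED_CONFIG = """\
hostname edge-rtr-1
service password-encryption
aaa new-model
enable secret EnableSecretPlaceholder
no ip http server
no ip http secure-server
snmp-server group NETMGMT v3 priv
snmp-server user netmon NETMGMT v3 auth sha AuthPassPlaceholder priv aes 128 PrivPassPlaceholder
ip access-list standard MGMT-HOSTS
 permit 10.255.0.0 0.0.0.255
line con 0
 exec-timeout 5 0
 login authentication default
line aux 0
 no exec
 transport input none
line vty 0 4
 access-class MGMT-HOSTS in
 exec-timeout 5 0
 transport input ssh
"""


def parse_blocks(config):
    """Split the config into (top-level line, [indented sub-commands]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_config(config):
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_blocks(config)
    top = [parent for parent, _ in blocks]
    findings = []

    if any(t.startswith("snmp-server community") for t in top):
        findings.append("SNMP community strings configured; use SNMPv3 users and groups")
    if "ip http server" in top:
        findings.append("HTTP management server enabled; disable unnecessary services")
    if "service password-encryption" not in top:
        findings.append("service password-encryption missing; line passwords stored in clear")
    if any(t.startswith("enable password") for t in top):
        findings.append("reversible 'enable password' used instead of 'enable secret'")
    if "aaa new-model" not in top:
        findings.append("AAA not enabled; no centralized authorization server in use")

    for parent, children in blocks:
        if not parent.startswith("line "):
            continue
        # Console, auxiliary and VTY lines all need an idle timeout unless
        # the line is disabled outright with 'no exec'.
        if "no exec" not in children and not any(c.startswith("exec-timeout") for c in children):
            findings.append(f"{parent}: no exec-timeout; idle sessions stay open")
        if parent.startswith("line vty"):
            transport = next((c for c in children if c.startswith("transport input")), None)
            if transport is None or re.search(r"\b(telnet|all)\b", transport):
                findings.append(f"{parent}: transport input not restricted to ssh")
            if not any(c.startswith("access-class") for c in children):
                findings.append(f"{parent}: no access-class; remote administration not limited by ACL")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_config(cfg)
        print(f"{name}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

The parser only understands the two-level layout shown (top-level command plus indented sub-commands), which is enough for line, SNMP and ACL sections; run it against a `show running-config` export saved to a file.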

6.    Validate Integrity of Hardware and Software

Products purchased through unauthorized channels are often known as “counterfeit,” “secondary,” or “grey market” devices. There have been numerous reports in the press regarding grey market hardware and software being introduced into the marketplace. Grey market products have not been thoroughly tested to meet quality standards and can introduce risks to the network. Lack of awareness or validation of the legitimacy of hardware and software presents a serious risk to users’ information and the overall integrity of the network environment. Products purchased from the secondary market run the risk of having the supply chain breached, which can result in the introduction of counterfeit, stolen, or second-hand devices. This could affect network performance and compromise the confidentiality, integrity, or availability of network assets. Furthermore, breaches in the supply chain provide an opportunity for malicious software or hardware to be installed on the equipment. In addition, unauthorized or malicious software can be loaded onto a device after it is in operational use, so integrity checking of software should be done on a regular basis.

Recommendations:
  • Maintain strict control of the supply chain; purchase only from authorized resellers.
  • Require resellers to implement a supply chain integrity check to validate hardware and software authenticity.
  • Inspect the device for signs of tampering.
  • Validate serial numbers from multiple sources.
  • Download software, updates, patches, and upgrades from validated sources.
  • Perform hash verification and compare values against the vendor’s database to detect unauthorized modification to the firmware.
  • Monitor and log devices, verifying network configurations of devices on a regular schedule.
  • Train network owners, administrators, and procurement personnel to increase awareness of grey market devices.
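The hash-verification recommendation above, as an added example that is not the alert's or any vendor's code: a Python checker that compares downloaded images with a vendor-published digest list. The image bytes, the filenames and the manifest format (`<algorithm> <hex digest> <filename>`) are constructed for the demonstration; real digests come from the vendor's download site, fetched separately from the image itself.

```python
"""Verify firmware images against a vendor-published hash manifest.

Added example: the image bytes, filenames and manifest format below are
constructed for this demonstration; real digests come from the vendor's
database, fetched over a separate, trusted channel from the image itself.
"""
import hashlib
import hmac

# Accept only collision-resistant algorithms. Some vendors still publish
# MD5 digests; those are reported so the operator can request a stronger one.
STRONG_ALGORITHMS = {"sha256", "sha512"}

# Constructed stand-ins: a "genuine" image and a copy with one byte flipped,
# the kind of silent modification a grey-market image might carry.
GENUINE_IMAGE = b"FIRMWARE-IMAGE-PLACEHOLDER-" + bytes(range(256)) * 4
TAMPERED_IMAGE = (GENUINE_IMAGE[:100]
                  + bytes([GENUINE_IMAGE[100] ^ 0x01])
                  + GENUINE_IMAGE[101:])


def parse_manifest(text):
    """Parse '<algorithm> <hex digest> <filename>' lines into a dict."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        algo, digest, filename = line.split(None, 2)
        entries[filename] = (algo.lower(), digest.lower())
    return entries


def verify_image(data, algo, expected_hex):
    """Return 'ok', 'mismatch' or 'weak-algorithm' for one image."""
    if algo not in STRONG_ALGORITHMS:
        return "weak-algorithm"
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time comparison; the digest may arrive over a less trusted path.
    return "ok" if hmac.compare_digest(actual, expected_hex) else "mismatch"


def verify_all(images, manifest_text):
    """images: {filename: bytes}. Returns {filename: status}. Images absent
    from the manifest are 'unlisted' and manifest entries never downloaded
    are 'missing', so nothing slips through unchecked in either direction."""
    manifest = parse_manifest(manifest_text)
    results = {}
    for filename, data in images.items():
        if filename not in manifest:
            results[filename] = "unlisted"
        else:
            algo, digest = manifest[filename]
            results[filename] = verify_image(data, algo, digest)
    for filename in manifest:
        results.setdefault(filename, "missing")
    return results


def build_demo_manifest():
    """Build the manifest a vendor would publish (constructed here)."""
    good = hashlib.sha512(GENUINE_IMAGE).hexdigest()
    return "\n".join([
        "# algorithm digest filename",
        f"sha512 {good} router-image.bin",
        f"sha512 {good} tampered-image.bin",   # listed as genuine, download was altered
        "md5 00000000000000000000000000000000 legacy-image.bin",  # placeholder MD5 entry
        f"sha512 {good} switch-image.bin",     # never downloaded
    ])


def demo_results():
    """Run the checker over constructed downloads."""
    downloads = {
        "router-image.bin": GENUINE_IMAGE,
        "tampered-image.bin": TAMPERED_IMAGE,
        "legacy-image.bin": GENUINE_IMAGE,
        "unknown-image.bin": GENUINE_IMAGE,   # not in the manifest at all
    }
    return verify_all(downloads, build_demo_manifest())


if __name__ == "__main__":
    for filename, status in sorted(demo_results().items()):
        print(f"{status:15} {filename}")
```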


Shadow Broker Exploits

| Vendor | CVE | Exploit Name | Vulnerability |
| --- | --- | --- | --- |
| Fortinet | CVE-2016-6909 | EGREGIOUSBLUNDER | Authentication cookie overflow |
| WatchGuard | CVE-2016-7089 | ESCALATEPLOWMAN | Command line injection via ipconfig |
| Cisco | CVE-2016-6366 | EXTRABACON | SNMP remote code execution |
| Cisco | CVE-2016-6367 | EPICBANANA | Command line injection remote code execution |
| Cisco | CVE-2016-6415 | BENIGNCERTAIN/PIXPOCKET | Information/memory leak |
| TOPSEC | N/A | ELIGIBLEBACHELOR | Attack vector unknown, but has an XML-like payload beginning with <?tos length="001e.%8.8x"? |
| TOPSEC | N/A | ELIGIBLEBOMBSHELL | HTTP cookie command injection |
| TOPSEC | N/A | ELIGIBLECANDIDATE | HTTP cookie command injection |
| TOPSEC | N/A | ELIGIBLECONTESTANT | HTTP POST parameter injection |

Revision History

  • September 6, 2016: Initial release
  • September 13, 2016: Added additional references

Prime Telecommunications Educates Customers on Ransomware

Prime Telecommunications, Inc., a leader in unified communications, announced today that they have launched a ransomware awareness campaign. The purpose of the campaign is to quickly educate business owners in understanding one of the latest threats now facing small to mid-sized businesses (SMBs). Ransomware is a specific variation of malware that is growing in popularity amongst hackers, and Prime Telecommunications is doing its best to alert business owners to this new tactic. Prime Telecommunications’ existing customers are very well protected against this type of threat, but many business owners may be unaware of the potential destruction this has on an organization.

While business owners have always understood the need to protect their businesses from malware, short for “malicious software”, ransomware is a new tactic that hackers are using to attack businesses in an especially wicked way. Essentially, an employee will receive an email with a deceptive link, labeled “See Resume Here” or “Download Report Now”, and then upon clicking the link, a ransomware application will be installed immediately on the computer. Then, the software can remain hidden for several days, until it is activated. At that moment, the ransomware application will hijack critical files, remove them from the network, encrypt them so no other computers can access them and then hackers will send an email demanding payment for the release of the missing files. The biggest problem with this type of cyber attack is that it leaves absolutely no leverage to the business owner. Even if they pay the “ransom”, hackers don’t necessarily unlock the files every time. “This is a huge problem that could have drastic impact on an organization and the craziest thing we notice is that there is such a simple solution,” stated Vic Levinson, President at Prime Telecommunications.

“These types of attacks happen far too often, and we take great pride in protecting our customers from threats like this,” added Levinson. “The first line of defense for these kinds of attacks is a technically educated staff. While the majority of these threats come in the form of suspicious email links, an educated staff can avoid these catastrophes simply through awareness. That’s one of the reasons why we issued this press release,” commented Levinson. “For business owners that see the value of peace of mind, we devise comprehensive solutions that thwart these types of attacks from every angle. We take a global approach that includes a combination of anti-virus software, anti-malware software, strong firewalls, employee education, data backup, and network redundancy. What we’ve noticed over the years is that every network has different exposure points and our job is to come in as a technology advisor and to proactively prevent not only ransomware attacks, but the myriad of other attacks that a business owner may face for years to come.”

Prime Telecommunications’ mission is to leave business owners in a more empowered position by serving as an educator of emergent technologies. “Our biggest aim with this campaign is to usher in a sense of urgency amongst business owners so they take action now, instead of waiting to be in a difficult, immutable situation later,” closed Levinson.

Eight Reasons Why Small and Mid-Sized Businesses Need Managed IT Services

Managed IT services is rapidly becoming one of the hottest solutions in business today because it dramatically improves an organization’s profitability, frees up internal resources, and offers a unique competitive advantage.   Simply put, managed IT services are designed to assist companies in maintaining and supporting their network and IT infrastructure with the assistance of an outsourced managed services provider (MSP).  Types of services may include remote network monitoring, programming and reporting (24/7), firewall monitoring, intrusion detection, preventative tasks, disaster recovery, data backup and help desk support.  There are eight critical reasons why small to midsized businesses (SMBs) need managed IT services now and throughout the life cycle of their business.

Dependence On IT

Almost all businesses have become more dependent on computer technologies in the past few years.  And, it’s a rapidly changing environment.  Every business has become dependent on its IT infrastructure to perform at a high level, while effectively delivering its products or services.  As a result, it has become more difficult to maintain the expertise to properly deploy, manage, and monitor this new technology, especially as a business evolves.

Complexity

Because this technology is new, it is more difficult for the average employee to understand and use effectively. The level of demand and sophistication from today’s businesses is driving up complexity. Distinct disciplines or specialties are emerging in a variety of technology-related areas such as telephony, desktop, network, application and database support. The breadth and depth of technology an organization requires immediately places the resources of a small to mid-sized business (SMB) at a distinct disadvantage.

Insufficient Solutions

Traditional support options such as a one-man IT consultant or a one- or two-person in-house IT department cannot effectively handle the occasional network breakdowns that are bound to occur. This is especially true when compared to a team of external resources that proactively monitor the SMB’s installed technology at all times.

Lack of Process

An IDC study reinforces the notion of lack of process, showing that 78% of all IT downtime is caused by change.  If you could simply eliminate change from the computing environment, you would substantially decrease the risk. Unfortunately, most SMBs lack the procedures, documentation standards, and scope of work, which often results in major disruption and downtime.

Increased Use of Technology

Increasing use of computers, new software and procedures often leads to increased complaints and loss of productivity. Typically, when network or desktop problems arise and escalate inside a company, the response time of the one-man shop or internal staff is quite slow. This dramatically increases employee complaints and lowers productivity. In many situations employees have to wait in line to receive help. As a result, the downtime and lowered morale will impact the organization’s bottom line as well as its ability to meet its customers’ needs. By implementing a managed IT services program, the demand on internal IT resources is lessened, and they can be used for other purposes such as directly supporting strategic business objectives rather than becoming bogged down in frequent break/fix issues.

Controlling Costs

During these challenging times, the IT budget is frequently reduced. In a recent survey of nearly 950 IT managers at companies in North America and Europe, nearly half of the U.S. respondents said they have already cut their IT spending budgets. Unfortunately, a cut in IT spending doesn’t mean there is a cut in demand for services. This adds tremendous stress and pressure on internal departments to support the same amount of work with fewer resources.

Technology Erosion

Computer systems must be maintained just like any other systems used within the business. Vehicle fleets, manufacturing equipment, and the physical plant have all moved to a preventative approach. If a company does not implement this preventative maintenance strategy for its technology components, disaster might be the unpleasant and unprofitable result.

Compliance

Finally, the technology utilized within an organization in most cases must meet specific compliance standards. For example, a company’s business processes supported by technology may need to comply with Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and other requirements. Most companies don’t have the resources to fully understand and comply with all the detailed requirements of these regulations.

All of the above issues are driving the popularity of partnering with a managed IT services firm. Companies that have made the transition have already answered this question: if deploying, managing and monitoring my IT infrastructure has absolutely nothing to do with the core competency of my business, why wouldn’t I outsource it to an expert? This is a fairly easy question to answer, and these organizations have reaped the rewards of increased profitability and a competitive advantage.

Want an honest assessment of your network? Give us a call at 847 329 8600!

Apple Ends Support of Quicktime for Windows

U.S. Department of Homeland Security US-CERT

National Cyber Awareness System:

04/14/2016 03:48 PM EDT
Original release date: April 14, 2016

Systems Affected

Microsoft Windows with Apple QuickTime installed

Overview

According to Trend Micro, Apple will no longer be providing security updates for QuickTime for Windows, leaving this software vulnerable to exploitation. [1]

Description

All software products have a lifecycle. Apple will no longer be providing security updates for QuickTime for Windows. [1]

The Zero Day Initiative has issued advisories for two vulnerabilities found in QuickTime for Windows. [2] [3]

Impact

Computer systems running unsupported software are exposed to elevated cybersecurity dangers, such as increased risks of malicious attacks or electronic data loss. Exploitation of QuickTime for Windows vulnerabilities could allow remote attackers to take control of affected systems.

Solution

Computers running QuickTime for Windows will continue to work after support ends. However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows. Users can find instructions for uninstalling QuickTime for Windows on the Apple Uninstall QuickTime page. [4]

Revision History

  • April 14, 2016: Initial Release

Don’t Make these 5 Cloud Migration Mistakes

The cloud has many benefits that countless businesses are taking advantage of today. But this convenience and efficiency doesn’t happen with a snap of your fingers. A smooth and smart cloud migration takes preparation. Here are five mistakes to avoid when moving to the cloud:

1. Assuming All Clouds Are Equal

Just as your business brings its own unique set of goals and requirements for moving to the cloud, each cloud provider has its own set of strengths and weaknesses. You can’t assume that a solution working for another business will automatically work for yours. There’s a wide array of providers and cloud services, so you need to choose the best one to fulfill your needs. You will go about the transition differently than the company next door.

Additionally, there are different cloud options, and you need to know which one(s) you want. Does your business need a private, public or hybrid cloud environment? Are you a small or large organization? Do you need IaaS, PaaS or SaaS? Different workloads mean different clouds! It’s definitely worth your business’ time to evaluate the options and make the most informed choice. The decision to move to the cloud isn’t just a yes or no one. It’s all about the “how,” “when,” and “which.”

2. Not Doing Your Homework

Yes, you have to do some work first!

Businesses commonly think that the first step to the cloud is searching outside the organization for a provider, but this skips a crucial personal evaluation.

Instead, you should first look inside your organization to identify your own needs, current environment and spending, usage, and hopes or expectations for the cloud. Only then can you move on and thoroughly research and identify providers that suit your business.

The perfect provider is one that lines up with your needs and goals. To determine this, reach out to multiple providers and be prepared to ask questions. What exact security measures do they have in place? Can they meet your compliance needs? How involved are they? What’s their specialty? The answers to these types of questions are key.

3. Moving Too Fast

It’s okay to start small! In fact, we recommend it.

Faster doesn’t mean better. There’s a difference between proactivity and rushing. In fact, moving too fast will likely result in unpreparedness. Take time to consider what makes the most sense in the cloud and be prepared from the get-go.

You can take a test drive by moving a non-critical application to the cloud that will still make a positive business impact, like a collaborative tool. Once you’re comfortable, confident and more experienced, it’s easy to repeat and eventually you can start taking bigger steps.

This calculated pace allows you to learn more about the cloud as you go, and drives consistent, positive change across your business.

4. Thinking It’s All or Nothing

Just as you don’t have to migrate all at once, you also don’t have to move all functionality to the cloud. It doesn’t have to be all or nothing! Some applications will make sense in the cloud while others might not be worth it. Always weigh the pros and cons of moving tools and resources into the cloud. Choose whatever makes sense for YOUR organization, and then you can develop the perfect cloud solution.

It’s helpful to prioritize the applications and tools that need to be moved, while considering if the move maintains cost efficiency, usability and security.

5. Not Doing Your Part

The relationship between a business and its cloud provider is an important one. While the provider obviously shoulders the majority of the responsibility, your organization still has to do its part.

You should have an internal team that develops your cloud strategy and ensures you are using the cloud in the best way possible for your business. It’s also important to communicate with your team and educate your employees on why the cloud move is happening. You might initially face resistance, but by demonstrating the benefits of the migration, the team will be more willing to learn about the new cloud services. Involve your employees in each step and keep them informed – this ensures a smooth transition and builds trust.

Additionally, security is up to both parties. The provider will certainly have hefty security measures in place, but you can take steps on your end as well. Make sure your users are creating secure passwords and you have policies in place in regards to personal device usage and data access. Setting these expectations will help keep your information safe.

AAEH Threat Alert

The following information is from the US Computer Emergency Readiness Team (US CERT) part of the Department of Homeland Security. The full text can be found here.

AAEH

Original release date: April 09, 2015
Systems Affected
  • Microsoft Windows 95, 98, Me, 2000, XP, Vista, 7, and 8
  • Microsoft Server 2003, Server 2008, Server 2008 R2, and Server 2012

Overview

AAEH is a family of polymorphic downloaders created with the primary purpose of downloading other malware, including password stealers, rootkits, fake antivirus, and ransomware.

The United States Department of Homeland Security (DHS), in collaboration with Europol, the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ), released this Technical Alert to provide further information about the AAEH botnet, along with prevention and mitigation recommendations.

Description

AAEH is often propagated across networks, removable drives (USB/CD/DVD), and through ZIP and RAR archive files. Also known as VObfus, VBObfus, Beebone or Changeup, the polymorphic malware has the ability to change its form with every infection. AAEH is a polymorphic downloader with more than 2 million unique samples. Once installed, it morphs every few hours and rapidly spreads across the network.  AAEH has been used to download other malware families, such as Zeus, Cryptolocker, ZeroAccess, and Cutwail.

Impact

A system infected with AAEH may be employed to distribute malicious software, harvest users’ credentials for online services, including banking services, and extort money from users by encrypting key files and then demanding payment in order to return the files to a readable state. AAEH is capable of defeating anti-virus products by blocking connections to IP addresses associated with Internet security companies and by preventing anti-virus tools from running on infected machines.

Solution

Users are recommended to take the following actions to remediate AAEH infections:

  • Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. It is important to keep your anti-virus software up-to-date (see Understanding Anti-Virus Software for more information).
  • Change your passwords – Your original passwords may have been compromised during the infection, so you should change them (see Choosing and Protecting Passwords for more information).
  • Keep your operating system and application software up-to-date – Install software patches so that attackers can’t take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it (see Understanding Patches for more information).
  • Use anti-malware tools – Using a legitimate program that identifies and removes malware can help eliminate an infection.

Users can consider employing a remediation tool (examples below) that will help with the removal of AAEH from your system.

Note: AAEH blocks AV domain names thereby preventing infected users from being able to download remediation tools directly from an AV company. The links below will take you to the tools at the respective AV sites. In the event that the tools cannot be accessed or downloaded from the vendor site, the tools are accessible from Shadowserver (http://aaeh.shadowserver.org).

The below are examples only and do not constitute an exhaustive list. The U.S. Government does not endorse or support any particular product or vendor.

Revisions

  • April 9, 2015: Initial Release

Take Advantage Of Network Security – An Ounce Of Prevention Is Worth A Pound Of Cure

In the minutes, hours and days that follow a widespread, widely publicized data breach, most companies scramble, amping up their security measures in an effort to overcompensate for their lack of proactive preparation. A Forrester Research study revealed that more than 45 percent of businesses opt to increase security and audit requirements after an attack occurs. But as our grandmothers always say, an ounce of prevention is worth a pound of cure. Basically, Grandma was trying to say that a proactive approach to security—versus a reactive one—helps to ensure that your business is protected without having to learn the hard way.

While a lax data security plan may be the most detrimental of business strategies, a close second is taking a “one and done” approach. In reality, true data and network protection requires constant effort—it’s not a checklist to be completed, filed away and forgotten. System security, as a whole, is a moving target, with new threats and vulnerabilities popping up every day and from all angles. This means one security solution may become outdated just as quickly as it was implemented. Without dedicated resources and the training required to implement and monitor advanced security solutions, organizations are basically sitting ducks, putting their corporate assets at greater risk.

So where do you start? System protection begins with a thorough risk vulnerability assessment—and trust me, there are plenty of vulnerabilities to look for. For example, consider the impact of Bring-Your-Own Device (BYOD), with its myriad of points at which employees may unknowingly compromise corporate network security. Or take into account the rising threat and increased variety of Distributed Denial of Service (DDoS) attacks. From organized crime rings to hacktivists to foreign government hacking attempts, the complexities and motives are changing by the day.

By identifying the most vulnerable points within your current system and workflow, you can then start to draft a strategy and analyze potential solutions. Creating a customized security plan, one that’s tailored to addressing those vulnerabilities head-on, is foundational to a solid strategy. Your plan may include simple items, such as creating and implementing a formal BYOD policy. Or you may need more comprehensive protection, enhancing your network and cloud security through a Managed Service Provider (MSP) or bringing in a variety of tactical solutions, such as firewalls, antivirus, OS hardening, intrusion detection and web filtering as applicable. A complete security solution should protect your data and applications from all angles — network, cloud and employee communication—to mitigate any threat to your data.

Part of a successful security plan, however, is allocating enough staff and resources to support that plan. The best-protected systems are those that are constantly managed by a dedicated IT team. If, in your risk assessment efforts, you find that you’re lacking resources to provide ongoing support and monitoring, a Managed Network Security Solution may be the answer.

Our Managed Network Security Solutions provide not only security, but also the team that can support your security mission. We offer 24 x 7 x 365 management and monitoring, going beyond protecting PC desktops with custom, comprehensive real-time protection against attacks, defending and protecting your entire office-computing environment against the latest generation of Internet threats.

Take the first step toward achieving system security and contact a Prime representative today. Remember that ounce of protection? When we’re talking about data security, it’s worth WAY more than a pound of cure.

10 Key Considerations When Picking a Managed Security Services Provider

Once, managed security providers were small companies that offered a select few larger companies the option to store their data remotely. Now, that market has grown into a widely utilized industry, where providers navigate security issues, compliance regulations, and the importance of data protection for you.

But with this burgeoning enterprise comes the difficulty of deciding between the many competent players. When choosing the company that will defend the security of your data and manage your ability to access it, it’s important to look closely at several aspects of each provider:

  1. Track Record. The ideal MSSP to handle your company’s sensitive data will be able to show a strong history of quality information management over a significant period of time.
  2. Response Time and Analysis. An MSSP must be able to readily distinguish security threats from false alarms. Your provider should be able to respond immediately after analyzing and interpreting large amounts of network security data.
  3. Operation Centers. The best MSSP will have state-of-the-art security operations centers at multiple locations, allowing for cross-monitoring and double-checking compliance with security standards.
  4. Global Awareness. To really be prepared, security experts must be able to monitor threats to data not just domestically, but from around the world. International eyes and ears allow for proactive handling of threats and real-time alerts.
  5. High Level Management. Management personnel in the best MSSPs will often have backgrounds working in military, security, or government: an indicator of success.
  6. Range of Services. Particularly for larger businesses, MSSPs must be able to provide a variety of services, including real-time monitoring, firewall management, intrusion detection systems, virtual private networks, and more.
  7. Security Procedures. Ask for documented standards and policies that are in place, from handling of unusual operations to common threats. Look for an MSSP that offers a variety of notification options for optimal staff awareness.
  8. Third-Party Validation. Whatever these policies and procedures are, make sure that the MSSP has had them validated and certified by a third-party auditor.
  9. Range. For best brand-specific protection, find an MSSP that employs specialists who have certified experience working with a variety of security providers and in a wide range of products.
  10. Reporting. Detailed reporting is essential for a company to truly trust the MSSP. Be sure that the reports are based on information drawn from various platforms, include recommendations, are open about the latest threats, and are clear about any security changes that have been made.

Your data is only as secure as the company trusted to protect it. Take your time and consider all aspects of the business and relevant details of your own company before deciding.
