Highlights from The Week in Breach: May 30 to June 6 2018

Highlights from The Week in Breach:

– Finance sector attacks ramping up
– BackSwap JavaScript injections effectively circumventing detection
– Honda has leaky buckets too

This week in breach has all been about money, money, money. The finance sector is getting pelted with attacks recently – even more than usual – and Mexico, Canada, and Poland have been hit the worst.

In other news…

North Korea is still up to its old tricks, targeting South Korean websites with an ActiveX zero-day.
https://www.bleepingcomputer.com/news/security/activex-zero-day-discovered-in-recent-north-korean-hacks/

School is letting out, which means grade-changing breaches are in season! Two students at Bloomfield Hills High School attempted to fudge their report cards and refund lunch charges for themselves and 20 other students.
https://www.forbes.com/sites/leemathews/2018/05/22/school-hackers-changed-grades-and-tried-to-get-a-free-lunch/#478b6d026e7d

The government of Idaho was hacked twice in three days, which is not a very good look.
https://idahobusinessreview.com/2018/05/22/state-government-hacked-twice-in-three-days/

Coca-Cola had a breach that compromised 8,000 employees’ personal data, but they are also providing identity monitoring for a year at no cost. Ahh… refreshing, isn’t it?
https://www.infosecurity-magazine.com/news/no-smiles-for-cocacola-after-data/


 What we’re STILL listening to this week!

Security Now – Hosted by Steve Gibson, Leo Laporte

Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)

Small Business, Big Marketing – Australia’s #1 Marketing Show!

Simplii Financial (CIBC) & Bank of Montreal
Exploit: Spear Phishing
Type of Exploit Risk to Small Business: High: Personal and account information for a large number of customers was compromised, opening up the possibility of identity theft for business owners or employees.

Risk to Exploited Individuals: High: Both personal and account information was breached from both banks, including social insurance numbers and account balances.

Simplii Financial: Owned by CIBC, Simplii Financial is a Canadian banking institution offering a wide array of services to its customers, such as mortgages and investing.

BMO (Bank of Montreal): BMO is also a Canadian banking institution that offers investing, financial planning, personal accounts, and mortgages.

Date Occurred/Discovered The weekend of May 25, 2018
Date Disclosed May 28, 2018
Data Compromised Personal and account information of the two banks’ customers. The hackers provided a sample of the breached data containing the names, dates of birth, social insurance numbers and account balances of two customers.
How it was Compromised It is believed that both breaches were carried out by the same group of fraudsters, given the timing and the group’s blackmail strategy (demanding payment from the banks rather than selling the data). A spear-phishing attack is suspected, one that targeted individual employees rather than using the ‘dragnet’ approach typical of phishing campaigns.
Customers Impacted Between the two banks, over 90,000 people’s personal and account information was compromised. CIBC-owned Simplii Financial reported 40,000 accounts compromised; BMO declared 50,000 accounts compromised later the same day.
Attribution/Vulnerability Undisclosed at this time.

http://www.cbc.ca/news/business/simplii-data-hack-1.4680575

Honda Car India
Exploit: Misconfigured/Insecure Amazon S3 bucket
Type of Exploit Risk to Small Business: High
Risk to Exploited Individuals: Moderate: Contact details, account passwords and vehicle information exposed.
Honda Car India: Honda is a Japanese multinational corporation that manufactures cars, motorcycles, aircraft and power equipment.

Date Occurred/Discovered The data was exposed for at least three months. A security researcher scanning the web for unsecured servers left a warning message in the bucket timestamped February 28, 2018.
Date Disclosed May 30 2018
Data Compromised
Names
User gender
Phone numbers for both users and their trusted contacts
Email addresses for both users and their trusted contacts
Account passwords
Car VIN
Car Connect IDs, and more
How it was Compromised A researcher scanning the web for AWS S3 buckets with incorrect permissions left a message in Honda Car India’s bucket to warn the company to secure it. Honda was not even aware that the note had been added, signaling a complete lack of monitoring on the company’s part.
Customers Impacted 50,000 of Honda Car India’s customers had their personal information exposed on the internet for at least three months.
Attribution/Vulnerability Negligence. Once the researcher noticed that Honda had still not secured the bucket, he reached out to the company directly, but it still took two weeks to respond.
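The exposure above comes down to who the bucket’s ACL and bucket policy let in. As an added example (not Honda’s configuration and not ID Agent’s tooling), the Python below audits those two documents offline, in the JSON shapes the AWS GetBucketAcl and GetBucketPolicy calls return, so the same checks can be pointed at output saved with the AWS CLI. The sample documents are constructed: the leaky ACL grants READ and WRITE to AllUsers (a public WRITE grant is what lets a stranger drop a note into a bucket, as the researcher did here), and the hardened versions show the intended shape. The bucket name, account ID and role name are placeholders.

```python
"""Offline audit of S3 bucket ACL and bucket-policy documents for public access.

Added example; the ACL/policy JSON below is constructed and mirrors the shapes
returned by `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy`.
"""
import json

# Predefined S3 groups that make an ACL grant world-readable or world-writable.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def public_acl_grants(acl):
    """Return (who, permission) pairs for every ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return findings


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return the Sids of Allow statements open to any principal with no Condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # scoped by condition (e.g. aws:SourceVpce); review by hand, not blanket-public
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def audit(acl, policy):
    """Combine both checks into a list of human-readable findings (empty = clean)."""
    out = [f"ACL grants {perm} to {who}" for who, perm in public_acl_grants(acl)]
    out += [f"policy statement {sid} allows any principal" for sid in public_policy_statements(policy)]
    return out


# --- constructed sample documents (placeholder IDs, not real Honda data) ---
LEAKY_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE"},
    ],
}
LEAKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")

# Hardened equivalents: owner-only ACL, and a policy that names one application role.
FIXED_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"}],
}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}

if __name__ == "__main__":
    for finding in audit(LEAKY_ACL, LEAKY_POLICY):
        print("FINDING:", finding)
    print("hardened config findings:", audit(FIXED_ACL, FIXED_POLICY))
```

The ACL check and the policy check are deliberately separate: a bucket can be locked down in one and wide open in the other, and Honda’s three months of silence shows the value of running both on a schedule and alerting on any finding rather than relying on a stranger’s note.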

https://www.bleepingcomputer.com/news/security/honda-india-left-details-of-50-000-customers-exposed-on-an-aws-s3-server/

SPEI
Exploit: Man-in-the-middle attack
Type of Exploit Risk to Small Business: Severe: Security certificate exploit, spoofed login pages and traffic redirection; significant financial loss; failure to share threat intelligence.
Risk to Exploited Individuals: Low: Financial institutions will absorb the loss.

SPEI: Mexico’s domestic interbank electronic payment system, operated by the central bank.

Date Occurred/Discovered A breach was first detected on April 17, 2018; five more financial institutions were breached on April 24, April 26 and May 8.
Date Disclosed May 2018
Data Compromised
$15 Million stolen
How it was Compromised The central bank of Mexico detected and stopped a man-in-the-middle attack in April, but failed to warn other financial institutions in the country about the severity of the incident. Five other institutions were then attacked, and those attacks succeeded. It is still unclear exactly how the attackers entered the networks; the situation is still developing.
Attribution/Vulnerability Outside actors; the central bank’s failure to disclose the first attempt may have facilitated the later breaches.
Customers Impacted Multiple financial institutions in Mexico

https://www.bloomberg.com/news/articles/2018-05-29/mexico-foiled-a-110-million-bank-heist-then-kept-it-a-secret

Polish Banks
Exploit: JavaScript malware injection named BackSwap
Type of Exploit Risk to Small Business: High: Sophisticated JavaScript injection designed to bypass advanced security and injection detection.
Risk to Exploited Individuals: High: Customers of the Polish banks targeted by the malware may suffer direct financial loss. Two-factor authentication does not protect against this attack, because the victim authorizes a transfer whose recipient has already been silently swapped.

Polish Banks: Five Polish banks are being targeted.

Date Occurred/Discovered The banking malware was first seen in March 2018 and has been increasingly active since.
Date Disclosed May 2018
Data Compromised Banking account information and funds
How it was Compromised A new malware family. BackSwap uses an unfortunately elegant technique to bypass traditional defenses: instead of injecting code into the browser process, it monitors browsing activity through Windows message-loop events, which is exactly what process-injection detection does not watch. When an infected user starts an online-banking session, the malware injects malicious JavaScript directly into the browser’s address bar. The script changes the transfer recipient and hides the change by replacing the input field with a fake one that still displays the intended destination.
Attribution/Vulnerability Outside actors, deployed through spam email campaign

https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/

The last couple of months have seen an increase in the number of attacks on financial institutions around the world. Both Bank Negara Malaysia and Bancomext were targeted in SWIFT-related attacks, while two Canadian banks’ data was held for ransom in a massive breach. The three largest banks in the Netherlands were hit by DDoS attacks, the Swiss Financial Market Supervisory Authority stated that cyber-attacks were the greatest threat to its banks, and British banks’ spending on fighting financial crime now sits at 5 billion pounds.

While no sector is immune from cyber-attack, the nature of the financial industry makes it an attractive target. The sector is made up of institutions that store large quantities of sensitive data that can be sold on the Dark Web, and that have access to large sums of capital.

Additional Sources:
https://www.hstoday.us/uncategorized/cyber-attacks-on-banking-infrastructure-increase/


Surprise! What’s The Country Where All The CEO Fraud Gangs Are?

KnowBe4’s Stu Sjouwerman wrote a really great blog about Business Email Compromise. Once upon a time, about 5 years ago, if you got a letter from a Nigerian prince or some sad story about not being able to transfer funds, that was obviously a scam. You knew, I knew, anybody but the most gullible knew it. Those were referred to as Nigerian 419 scams: 419 is the section of the Nigerian Criminal Code that makes the practice illegal.


But times have changed and so have the gangs…

What if your CFO got an email from your COO or your CEO? What if your AP clerk got an email from your CFO- or your Comptroller?

A new study by Agari concludes that, despite all the attention nation-state espionage services have been getting for their phishing attacks, the big threat still comes from criminal gangs.

Here is your quick Executive Summary:

  • 97% of people who answer a Business Email Compromise (aka CEO Fraud) email become victims
  • The average BEC incident included a payment request of $35,500 (ranging from $1,500 to $201,805)
  • 24% of all observed email scam attempts between 2011 and 2018 were BEC even though BEC only started in earnest in 2016

And What’s That Country?

Many of those criminal gangs continue to operate from Nigeria: of the ten gangs engaged in email scams that Agari studied, nine were based in Nigeria. Conclusion: the old Nigerian 419 scam has upgraded big time.

While business email scams are relative newcomers to the world of online crime, becoming popular only as recently as 2016, they’re now the most common kind of attack, accounting for 24% of phishing emails.

Patrick Peterson, Agari’s Executive Chairman said: “The sad irony is that these foreign adversaries are using our own legitimate infrastructure against us in attacks that are far more damaging and much harder to detect than any intrusion or malware.”

BEC, in which the scammer poses as an executive of the business being phished, has the greatest potential for a large, immediate payout. All organizations should make it their policy never to use email to direct fund transfers, and they should train their employees to be aware of this social engineering tactic.

Other scams have similar potential to bankrupt their targets. Real estate brokers, for example, have been targeted with malicious attachments that enable criminals to conduct man-in-the-middle account takeover scams that hit escrow accounts.

Scammers Use A Multi-Step Process

An interesting finding of Agari’s study is the multi-step process many of the scammers use: a probe email is followed by one or more follow-ups that deliver the scammer’s punch.

In the case of business email compromise, a common and effective probe might ask, “Are you at your desk to make a payment?” We have seen that these organized crime groups are starting to automate and script the process of sending these initial probes to their targets.
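The detection side of the probe pattern, as an added example that is not Agari’s or KnowBe4’s code: a mail-triage check that scores one message on the indicators this post describes, an executive’s display name on an address outside the organization, a lookalike sender domain, a Reply-To that steers answers elsewhere, and probe phrasing such as “Are you at your desk to make a payment?”. The protected domain example.com, the executive roster and both sample messages are constructed for the example.

```python
"""Triage heuristics for the BEC 'probe' email described above.

Added example. ORG_DOMAIN, EXECUTIVES and the two sample messages are
constructed; on a real gateway the same function runs over each inbound
message before delivery.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"
# Hypothetical roster: the display names an impersonator is most likely to borrow.
EXECUTIVES = {"Jane Doe": "jane.doe@example.com", "Rahul Patel": "rahul.patel@example.com"}
PROBE_PHRASES = ("are you at your desk", "are you available", "quick task",
                 "make a payment", "wire transfer", "process a payment", "keep this confidential")


def edit_distance(a, b):
    """Levenshtein distance; catches lookalike domains such as examp1e.com or exarnple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw_message):
    """Return the names of the indicators that fire for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    indicators = []

    # 1. An executive's display name on an address that is not the one on the roster.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        indicators.append("display-name spoof")
    # 2. Sender domain is a near miss of ours (registered by the attacker, so SPF/DKIM pass).
    if from_dom and from_dom != ORG_DOMAIN and edit_distance(from_dom, ORG_DOMAIN) <= 2:
        indicators.append("lookalike domain")
    # 3. Replies are steered to a different domain than the one shown in From.
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        indicators.append("reply-to mismatch")
    # 4. Probe language: a short request to confirm availability or ability to pay.
    body = msg.get_payload(decode=True)
    text = body.decode("utf-8", "replace").lower() if body else ""
    if any(phrase in text for phrase in PROBE_PHRASES):
        indicators.append("probe phrasing")
    return indicators


def verdict(raw_message):
    """Two or more independent indicators is enough to hold the message for a human."""
    hits = bec_indicators(raw_message)
    return ("hold for review" if len(hits) >= 2 else "deliver"), hits


# --- constructed samples ---
PROBE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.office@mail-relay.example.net
To: ap-clerk@example.com
Subject: Quick question
Content-Type: text/plain; charset=utf-8

Are you at your desk to make a payment? I'm in a meeting, reply here.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: ap-clerk@example.com
Subject: Q2 budget deck
Content-Type: text/plain; charset=utf-8

Attached is the deck for Thursday, no action needed before then.
"""

if __name__ == "__main__":
    for sample in (PROBE, LEGIT):
        print(verdict(sample))
```

The threshold of two indicators is the design choice worth noting: any single signal (a CEO writing from a personal address, or a legitimate “are you available?”) produces false positives on its own, but an outside lookalike domain combined with probe language or a redirected Reply-To is the fingerprint of the scripted first-contact email described above.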

Interactive training can help a business arm its employees against social engineering. KnowBe4 actually allows you to monitor what an employee who falls for a simulated CEO fraud attack writes back, and automatically step them through immediate remedial training.

Want a free tool to see how vulnerable you are to spoofing? Cut and paste this link to your browser- https://info.knowbe4.com/domain-spoof-test-partner?partnerid=0010c00001wis6gAAA

Which Users Will Cause The Most Damage To Your Network And Are An Active Liability?


by Stu Sjouwerman

The statistic that four percent of employees will click on almost anything, with “Free Coffee” and “Package Delivery” taking some of the top spots among phishbait subject lines, may not sound like much.

However, keep in mind the most successful marketing campaigns only achieve around two percent. With double the response of most marketing initiatives, it’s no wonder that the phishing attacks keep coming.

That statistic comes from Verizon’s 2018 Data Breach Investigations Report. The report showed that the number of phishing emails continues to grow. The victims include government agencies that house some of our most sensitive records. The report also reveals that one quarter of all malware detected was ransomware, and it indicated that 68 percent of breaches go undetected for months.

The answer to fending off phishing campaigns may lie in the same employees who choose to click. Using a type of crowd-sourced security that turns employees into human sensors could be the answer. One example of this approach is the US Department of Defense Cyber Security/Information Assurance program, where contractors share intelligence with each other and the DOD.

With the right training, employees can learn to recognize phishing attempts and alert others of the impending threat. This type of information gives the IT team an advantage leading to a faster response.

Here are a few steps that can empower your employees to be human sensors using a Phish Alert Button:

– An aware victim can be a good sensor. Encourage employees to ask how reading a suspicious email makes them feel. Rushed, pressured, exploited? Then be wary. Train your employees to recognize how the email makes them feel.

– Build an intelligence network. If you make it easy to report potential threat emails, you’ll build a steady stream of alerts.

– But don’t overuse the “Abuse Box.” Phishing needs to be reported. Flooding an underprepared IT department with messages that need to be checked, may be counterproductive. Make sure the IT department is ready to handle the volume. So build user awareness as you build capacity.

The number of phishing emails can be expected to grow. But with a change in the way your organization perceives and responds to social engineering, users can become your best defense and not your weakest link. As always, consider interactive, new-school security awareness training. It’s effective and extremely affordable.

GCN has the story, written by Lex Robinson who works at Cofense.

Free Phish Alert Button
When new spear phishing campaigns hit your organization, it is vital that IT staff be alerted immediately. One of the easiest ways to convert your employees from potential targets and victims into allies and partners in the fight against cybercrime is to roll out KnowBe4’s free Phish Alert Button to your employees’ desktops. Once installed, the Phish Alert Button allows your users on the front lines to sound the alarm when suspicious and potentially dangerous phishing emails slip past the other layers of protection your organization relies on to keep the bad guys at bay.

Don’t like to click on redirected links? Cut & Paste this link in your browser:

https://info.knowbe4.com/free-phish-alert-partner?partnerid=0010c00001wis6gAAA

Our friend Kevin Lancaster from ID Agent continues his weekly posting on the week’s breaches and phishing attacks. This is important not just for enterprises but also for small and medium-sized businesses. Attacks are coming in from all directions; here are some highlights from his post:

Protection from Hacks

Two-factor Authentication Hackable?
Our friends at KnowBe4 show 2 Factor may not be enough in some cases.

Student of The Month in California!
Phish Teacher, Change Grades, Get Felony!  You can’t make this stuff up!

Good on ya Mate, Good on ya!
Crikey! Australians appear to have better password hygiene than the rest of us?




Highlights from The Week in Breach

  • Retail point-of-sale (POS) systems can’t catch a break.
  • Healthcare insider threat strikes again.
  • Your legal case may have been closed… or deleted.
  • Your personality is revealing and, it may have been revealed.

Chili’s Restaurants
Retail

Small Business Risk: High (Malware/ Forensics, Brand Reputation/ Loyalty)
Exploit: Malware-based Point of Sale Exploit
Risk to Individuals: Moderate (Replacement of Credit/ Debit Cards with limited liability)

What you need to know:  Small business retailers should take the time to educate themselves on POS exploits and how they typically occur. Since most POS systems do not reside within the traditional network environment, payment-processing systems are most commonly compromised via trusted third-party vendors, credential stuffing, and exploit kits delivered via email.

Chili’s Restaurants

Date Occurred/Discovered March-April 2018 / Discovered 5/11/18
Date Disclosed 5/14/18
Data Compromised Preliminary investigation indicates that malware was used to gather payment card information, including credit and debit card numbers, as well as names of cardholders who made in-restaurant purchases.
How it was Compromised Malware
Customers Impacted Chili’s has not disclosed which restaurants or how many customers were impacted.
Attribution/Vulnerability Undisclosed at this time.

http://time.com/money/5276047/chilis-data-breach-2018/

Note: Breaches have huge repercussions, often resulting in customers losing trust in the brand. According to a study from KPMG, 19% of consumers said they would stop shopping at a breached retailer, and 33% would take a long-term break.

https://www.sfgate.com/technology/businessinsider/article/Chili-s-restaurants-were-hit-by-a-data-breach-12911248.php

Nuance Communications
Healthcare

Small Business Risk: High (PII Exposure, Brand Damage, Compliance Violation & Fines)
Exploit: Former Employee/ Insider Knowledge Exploit.  System and security control failure
Risk to Individuals: Moderate (Compromised Data Contained and not posted for exploit)

What you need to know:  Coming on the heels of a costly malware outbreak in 2017, it seems that Nuance had only a limited ability to detect anomalous behavior on its own network. With such a large share of its market made up of organizations in regulated industries, including healthcare, Nuance should have invested in aggressive insider-threat and insider-mishap detection.

Organizations operating in regulated markets should take a more aggressive approach to both insider threat detection and threats originating within the supply chain, as this case demonstrates.

Nuance Communications (speech recognition software)

Date Occurred/Discovered 11/20/17 – 12/9/17
Date Disclosed 5/14/18
Data Compromised Exposed data included names, birth dates, medical record and patient numbers, as well as service details such as patient conditions, assessments, treatments, care plans and dates of service. The incident did not include information such as social security number, driver’s license number or financial account numbers.
How it was Compromised An unauthorized third party, possibly a former Nuance employee, accessed one of its medical transcription platforms, exposing 45,000 individuals’ records.
Customers Impacted Personal information of thousands of individuals from several contracted clients, including the San Francisco Department of Public Health. The Justice Department said that it does not appear that any of the information taken was used or sold for any purpose. All the data has been recovered from the former employee.
Attribution/Vulnerability  Unknown/undisclosed at this time.

Note: News of the data breach follows the company having been hit by the NotPetya malware outbreak in June 2017. Earlier this year, Nuance reported that the outbreak cost it $92 million. “For fiscal year 2017, we estimate that we lost approximately $68 million in revenues, primarily in our healthcare segment, due to the service disruption and the reserves we established for customer refund credits related to the malware incident,” Nuance reported in a Feb. 9 form 10-Q filing to the SEC. “Additionally, we incurred incremental costs of approximately $24 million for fiscal year 2017 as a result of our remediation and restoration efforts, as well as incremental amortization expenses.”

The incident is a reminder that insider breaches remain one of the most difficult kinds of improper access to defend against. There are a variety of tools and methods to monitor which resources an employee accesses, but preventing insiders from stealing data or intellectual property remains challenging.
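What the monitoring described above looks like in practice, as an added example that is not Nuance’s or ID Agent’s code: two detections run over a platform’s audit log. The first flags any activity by an account that HR has already offboarded (the simplest “former employee” check, and one that only works if deprovisioning records actually reach the security team). The second flags a day on which an account touched far more records than its own history suggests, with a floor so that a new or quiet account does not alert on a baseline of one. The log lines and HR roster are constructed; the dates echo the 11/20/17 window above but are not Nuance’s data.

```python
"""Two insider-access detections over a constructed medical-platform audit log.

Added example. TERMINATED (an HR roster) and AUDIT_LOG are constructed; on a
real platform the same functions run over the application's audit trail and
the identity provider's deprovisioning records.
"""
from collections import Counter, defaultdict
from datetime import date, datetime
from statistics import median

# Constructed HR roster: account -> termination date (None = still employed).
TERMINATED = {"jsmith": date(2017, 11, 17), "mlee": None, "tkhan": None}

# Constructed audit log: ISO timestamp, account, action, record id ('-' = no record).
AUDIT_LOG = """\
2017-11-13T09:02:11 mlee VIEW_RECORD 1001
2017-11-13T09:05:40 mlee VIEW_RECORD 1002
2017-11-14T10:11:02 tkhan VIEW_RECORD 2001
2017-11-14T10:12:55 tkhan VIEW_RECORD 2002
2017-11-14T10:13:30 tkhan VIEW_RECORD 2003
2017-11-15T11:00:00 mlee VIEW_RECORD 1003
2017-11-20T22:14:03 jsmith LOGIN -
2017-11-20T22:15:10 jsmith EXPORT_RECORD 3001
2017-11-20T22:15:11 jsmith EXPORT_RECORD 3002
2017-11-20T22:15:12 jsmith EXPORT_RECORD 3003
2017-11-20T22:15:13 jsmith EXPORT_RECORD 3004
2017-11-21T08:30:00 tkhan VIEW_RECORD 2004
2017-11-21T08:31:00 tkhan VIEW_RECORD 2005
2017-11-22T09:00:00 mlee VIEW_RECORD 1004
"""


def parse_log(text):
    """Yield (timestamp, account, action, record) tuples; record is None for non-record events."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action, record = line.split()
        yield datetime.fromisoformat(ts), account, action, (None if record == "-" else record)


def terminated_account_access(events, roster):
    """Every event performed by an account on or after its HR termination date."""
    hits = []
    for ts, account, action, _record in events:
        term = roster.get(account)
        if term is not None and ts.date() >= term:
            hits.append((ts.isoformat(), account, action))
    return hits


def daily_volume_spikes(events, factor=3, floor=3):
    """(account, day, count) where the account touched more than `factor` times the median of
    its other days and at least `floor` records. The floor stops a quiet account's first busy
    day from alerting on a median of 1; an account with no other days has a median of 0, so
    any day at or above the floor alerts, which is the behaviour wanted for a dormant account."""
    per_day = defaultdict(Counter)
    for ts, account, _action, record in events:
        if record is not None:
            per_day[account][ts.date()] += 1
    spikes = []
    for account, days in per_day.items():
        for day, count in days.items():
            others = [c for d, c in days.items() if d != day] or [0]
            if count >= floor and count > factor * median(others):
                spikes.append((account, day.isoformat(), count))
    return sorted(spikes)


if __name__ == "__main__":
    ev = list(parse_log(AUDIT_LOG))
    print("terminated-account access:", terminated_account_access(ev, TERMINATED))
    print("volume spikes:", daily_volume_spikes(ev))
```

Both detections are cheap and would have fired on the first night of the sample log; the hard part in a case like Nuance’s is organizational, making sure the HR roster feed exists and that the alert reaches someone who can disable the account.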

https://www.bankinfosecurity.com/nuance-communications-breach-affected-45000-patients-a-11002

Mason Law Office
Legal

Small Business Risk: High (Compliance Violation & Fines, Brand/ Reputation Damage)
Exploit: Apparent credential-based account takeover
Risk to Individuals: High: Sensitive PII and legal information lost and/or deleted

What you need to know:  It’s not 100% clear that this was an insider threat-based exploit. Regardless, Mason Law Office suffered an all-too-common account takeover. Legal firms using third-party case management systems should take the time to review their security controls and procedures. They should also conduct a full audit of who has access to what data within those systems and make the required corrections.

Mason Law Office – Sacramento, CA (mycase.com)

Date Occurred/Discovered Discovered 5/5/18
Date Disclosed 5/14/18
Data Compromised Client data was potentially accessed, client case information was deleted, and other administrative changes were made to the system. Generally, any information uploaded to mycase.com was potentially accessed, and information has been deleted. Information potentially accessed includes client names, social security numbers, driver’s license numbers, phone numbers, email addresses, as well as legally privileged/protected information, including legal documents, case notes, disclosures, financial statements, evidence, photos, invoices, transcripts, trust balances, and attorney-client communications.
How it was Compromised The firm discovered evidence of unauthorized access to mycase.com by an unknown individual or group of individuals. It is unclear how this access was made.
Customers Impacted Clients of Mason Law Office using mycase.com.
Attribution/Vulnerability Unknown/undisclosed at this time.

https://www.databreaches.net/mason-law-office-notifies-clients-of-hack-involving-mycase-com/

myPersonality app
Information Technology / Lifestyle

Small Business Risk: High (Forensic, Data Loss via GitHub Post, Brand / Reputation Damage, Fines and Damages)

Exploit: Application security misconfiguration resulting in credential-based exploit

Risk to Individuals: High (PII, psychological characteristics and profile)

What you need to know: The developers of the personality app committed several major blunders in this case.

  1. Poor website/application security allowed easy and unmonitored access to their website and underlying datasets.
  2. They failed to notice that their data set had been sitting out in the open for four years.
  3. The data stored within the platform was easily re-identified (de-anonymized).

myPersonality app

Date Occurred/Discovered Exact dates unknown – 2014 – 2018
Date Disclosed 5/14/18
Data Compromised The data was highly sensitive, revealing personal details of Facebook users, such as the results of psychological tests. The credentials gave access to the “Big Five” personality scores of 3.1 million users. These scores are used in psychology to assess people’s characteristics, such as conscientiousness, agreeableness and neuroticism. The credentials also allowed access to 22 million status updates from over 150,000 users, alongside details such as age, gender and relationship status from 4.3 million people.
How it was Compromised Academics at the University of Cambridge distributed the data from the personality quiz app myPersonality to hundreds of researchers via a website with insufficient security provisions, which led to it being left vulnerable to access for four years. Each user in the data set was given a unique ID, which tied together data such as their age, gender, location, status updates, results on the personality quiz and more. With that much information, de-anonymizing the data can be done very easily.
Customers Impacted 3 million users of the app
Attribution/Vulnerability Publicly available credentials allowed access to the data. For the last four years, a working username and password has been available online that could be found from a single web search. Anyone who wanted access to the data set could have found the key to download it in less than a minute. The publicly available username and password were sitting on the code-sharing website GitHub. They had been passed from a university lecturer to some students for a course project on creating a tool for processing Facebook data. Uploading code to GitHub is very common in computer science as it allows others to reuse parts of your work, but the students included the working login credentials too.
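The blunder that made this leak possible, a working username and password pushed to GitHub, is exactly what a pre-commit secret scan catches. As an added example (not the Cambridge project’s code), the Python below scans source text for the common shapes of an embedded credential and shows the corrected script alongside the leaky one. Both scripts and the data URL are constructed; the AKIA… string is AWS’s own documentation placeholder key, not a live credential.

```python
"""Pre-commit style scan for credentials embedded in source files.

Added example. LEAKY_SCRIPT and FIXED_SCRIPT are constructed stand-ins for a
course-project script; the patterns are generic (password-like assignment,
credentials inside a URL, an AWS access key ID, a long high-entropy literal).
"""
import math
import re
from collections import Counter

PATTERNS = {
    "password assignment": re.compile(
        r"""(?i)\b(pass(word|wd)?|secret|api[_-]?key|token)\b\s*[:=]\s*["']([^"']{4,})["']"""),
    "credentials in URL": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:]+:[^/\s@]+@[^\s/]+"),
    "AWS access key id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
}
# Any quoted literal of 20+ token-ish characters is a candidate for the entropy test.
QUOTED_LITERAL = re.compile(r"""["']([A-Za-z0-9+/=_\-]{20,})["']""")


def shannon_entropy(s):
    """Bits per character: random tokens sit around 4.5 or higher, words and identifiers well below."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan(text, entropy_threshold=4.0):
    """Return (line_no, reason) for every line that looks like it carries a credential."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if "# nosecret" in line:  # explicit, reviewable opt-out for known-safe literals
            continue
        reasons = [name for name, rx in PATTERNS.items() if rx.search(line)]
        for literal in QUOTED_LITERAL.findall(line):
            if shannon_entropy(literal) >= entropy_threshold and "high-entropy literal" not in reasons:
                reasons.append("high-entropy literal")
        findings.extend((no, r) for r in reasons)
    return findings


# --- constructed sample: a course script that embeds its download login ---
LEAKY_SCRIPT = """\
import requests
DATA_URL = "https://data.example.edu/export.csv"
USERNAME = "course_user"
password = "Tr0ub4dor&3horse"
s3_key_id = "AKIAIOSFODNN7EXAMPLE"
r = requests.get("https://course_user:Tr0ub4dor@data.example.edu/export.csv")
token = "a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6"
label = "conscientiousness"
"""

# The corrected pattern: secrets come from the environment, never from the repository.
FIXED_SCRIPT = """\
import os
import requests
DATA_URL = "https://data.example.edu/export.csv"
USERNAME = os.environ["EXPORT_USER"]
password = os.environ["EXPORT_PASSWORD"]
r = requests.get(DATA_URL, auth=(USERNAME, password))
label = "conscientiousness"
"""

if __name__ == "__main__":
    for no, reason in scan(LEAKY_SCRIPT):
        print(f"line {no}: {reason}")
    print("fixed script findings:", scan(FIXED_SCRIPT))
```

Run as a pre-commit hook, a non-empty result blocks the commit; the entropy test is what catches the token that no keyword regex names, and the keyword patterns catch the short human-chosen password that entropy alone would miss. Note that scanning only finds the problem before it is public: once credentials have been pushed, as here, they must be rotated, not merely removed from the next commit.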

 

https://www.databreaches.net/mypersonality-app-data-leak-exposed-intimate-details-of-3m-users/

https://www.newscientist.com/article/2168713-huge-new-facebook-data-leak-exposed-intimate-details-of-3m-users/

 

The Pillars of Cyber Security Explained

Network Security

The cyber threat landscape changes on a daily basis. There is no one-size-fits-all solution and there are no magic bullets. It has been said that the price of liberty is eternal vigilance. The same holds true for cyber security. There are four pillars of security: endpoint protection, perimeter protection, monitoring, and end-user vigilance.

They say that those who don’t learn from history are doomed to repeat it, and matters of cyber security are no exception. Threats will often follow trends, and so by reviewing what has happened in the past, we may be able to glean some insight into what will be important in the future.

If the first half of 2018 was any indication, there are a few things that will be of most concern to IT professionals and end users. My friend and colleague, Tommy Vaughn from Central Technology Solutions, provided a lot of the inspiration for this post!

Ensure All Endpoints Have Appropriate Security Measures

It’s staggering to consider how many endpoints any given business could have, each providing a route in for threat actors. Between company-provided devices, personal mobile devices, and Internet of Things devices, there are plenty of opportunities for a company to be attacked.

As a result, as 2018 progresses, businesses must be aware of what threats exist, as well as better prepared to protect themselves against them. This includes strategies that ensure your organization’s digital protections are properly maintained while remaining cognizant of physical security best practices. Pairing encryption and access control, as well as mobile device management, can create a much safer environment for your data.

Cover Your Six

Your network needs not just a firewall appliance but a comprehensive suite of tools that can help you recognize suspicious behavior. A firewall is more than a static device: it has to be paired with analytics, delivered as a service, that give you insight into your network. Additionally, an external firewall or web-filtering service can protect you from unseen threats on multiple levels. It is not just hardware and software anymore. You need resources that alert you to threats, cut down the noise from repeated alerts, and investigate areas you should not be in yourself, such as the Dark Web.

Get Back to Basics With Security and End User Education – Cyberawareness Training

While it may sometimes be tempting to focus on the massive attacks and breaches that too often dominate the headlines, no business can afford to devote its full attention to those and overlook the more common threats. Once it does, it becomes far more vulnerable to those everyday attacks through lack of awareness and preparation.

Part of being prepared for the threats of the coming weeks and months is making sure that your employees are also up to speed where security is concerned. Educating them on best practices before enforcing those practices can help shore up any vulnerabilities you may have and maintain your network security. This includes restricting employee access to certain websites, requiring passwords of appropriate strength, and encouraging your employees to be mindful of exactly what they’re clicking on. A comprehensive program of cyber awareness training, delivered to employees over the course of a year in small incremental sessions, is key. Use controlled mistakes as teachable moments to correct dangerous behavior. Once trained, your employees become your “human firewall”. As they say with shampoo, “rinse and repeat”. Often.

Continuing to Improve Security Measures

Finally, it is important to remember that implementing security features isn’t a one-time activity. Threats will grow and improve in order to overcome existing security measures, and so if they are going to remain effective, these security measures must be improved as well.

While regulatory requirements can provide an idea of what security a network should feature, they shouldn’t be seen as the endpoint. Instead, those requirements should be the bare minimum that you implement, along with additional measures to supplement them.

We are here to help. If you would like to explore the options of a completely managed firewall, DNS filtering, or cyber awareness training- we can assist. First- get a baseline of where your organization is at. We have a suite of FREE tools that can help show you your susceptibility to phishing, spoofing and whether your organization’s credentials are for sale on the Dark Web.  We can also do an onsite security assessment to analyze your network’s vulnerabilities.

For your free tools, please visit:  http://downloads.primetelecommunications.com/CyberAwareness-Free-Tools or give us a call at 847 329 8600.

We are your managed technology solutions professionals and we are here to listen!

Prime Telecommunications Partners with ID Agent to Heighten Cybersecurity

 

Prime Telecommunications, a leader in managed technology services, announced today that the company has partnered with ID Agent to enhance the security of SMBs (small to mid-sized businesses) across the nation. ID Agent and this partnership will enable business owners to prevent identity theft and thwart cybercriminals from gaining access to sensitive data.

“We’re thrilled to announce this partnership. It’s going to have a huge effect on the business owners we serve,” stated Vic Levinson, President of Prime Telecommunications. “This partnership allows business owners to get a very clear and immediate picture of how their cybersecurity is currently performing. When owners are made aware of the threats and risks that are facing their business, they’re capable of bringing in the right infrastructure to protect themselves from cyber-attacks. This partnership is so important because it gives a very clear picture of the company’s risks.”

The partnership between Prime Telecommunications and ID Agent will combine human and sophisticated Dark Web intelligence with search capabilities to identify, analyze and proactively monitor an organization’s compromised or stolen employee and customer data. Business owners will receive real-time alerts, so they can focus on running their organizations. This partnership will not only allow businesses to monitor the dark side of the web, but it also provides the option to monitor an organization’s supply chain, third party partners and vendors that may have access to sensitive data, as well.

“At the end of the day it’s all about protecting employees who don’t realize the threats they face when executing their day-to-day responsibilities,” added Levinson. “Employees who spend time browsing the Internet, who share their email passwords freely, or use unsecured, cloud-based tools to do their work may not necessarily realize all of the potential vulnerabilities facing their network. We consider it to be our duty to educate the marketplace on these types of solutions to prevent as many cyberattacks from happening as possible.”


About ID Agent

ID Agent provides Dark Web monitoring and identity theft protection solutions, available exclusively through the reseller channel, to private and public organizations and millions of individuals at risk of cyber incidents. Its flagship product, Dark Web ID, delivers Dark Web intelligence to identify, analyze and monitor for compromised or stolen employee and customer data, mitigating exposure to enterprise clients’ most valuable asset – their digital identity. The company’s SpotLight ID provides personal identity protection and restoration for employees and customers while enhancing their overall cybersecurity awareness as well as further safeguarding corporate systems.

Let’s stop phishing and go fishing!


Summer is a time for having fun. I happen to love fishing. However, in the world we live in today, fishing gets no news and phishing gets all the news. In order to provide some useful information on the various types of phishing attacks, I want to share an excellent posting from the Malwarebytes Blog here. Wendy Zamora did an excellent job of going through the various types of phishing attacks that you must learn to recognize. The recent events nationally and internationally show the importance of being able to recognize a phishing email. Events with the DNC, corporate data breaches and the like are gaining widespread notoriety on a daily basis, and news stories are abundant. This post is required reading, so please share it with your employees, coworkers and family members. Another targeted group is senior citizens using computers, so please make sure that you share this with older family members and friends. All of our clients who are on our managed services plan for remote monitoring and maintenance get the premium version of Malwarebytes included with their monthly remote monitoring package. If you are interested in learning more about how we help with PCs and networks for your business, either click here or give us a call at 847 329 8600.

Posted: June 26, 2017 by 
Last updated: June 23, 2017

Dear you,

It appears you need to update your information. Click here to tell us all your secrets.

No really, it’s totally safe. We’re not going to steal your identity, we swear.

If only phishing attempts were that obvious.

Instead, these days it’s hard to tell a phish apart from a foul, if you catch my drift. Modern-day phishing campaigns use stealthy techniques to target folks online and trick them into believing their messages are legit. Yet for all its sophistication, phishing relies on one of the basest of human foibles: trust. Detecting a phish, in its various forms, then requires you to hone a healthy level of skepticism when receiving any kind of digital communication, be it email, text, or even social media message. In order to understand how we got here, let’s go back to the first instance of phishing.

The Nigerian prince and early phishing

Back in the early days of the Internet, you could marvel at your “You’ve Got Mail” message and freely open any email that came your way. You’d get one email a day, tops, from your new best friend you met in the “grunge 4EVA” chat room. There was no such thing as junk email. The only promotions you received were CD copies of AOL in the snail mail. It didn’t cross your mind that going online could bring about danger.

Then came the Nigerian prince.

Unfortunately, where innovation and progress lead, corruption and crime will inevitably follow. One of the nation’s longest-running scams, the Nigerian prince phish came from a person claiming to be a government official or member of a royal family who needed help transferring millions of dollars out of Nigeria. The email was marked as “urgent” or “private,” and its sender asked the recipient to provide a bank account number for safekeeping the funds. Gone were the innocent days of trusting your inbox.

Over the years, the Nigerian prince scam has fooled millions, raking in hundreds of billions of dollars. Why has this scam been so successful? Simple. It uses a time-honored criminal technique—the ole bait and switch—to fool folks into believing that they are being contacted by a legitimate organization with a legitimate concern. Threat actors use this social engineering method to trick unwilling participants into clicking on malicious links and handing over personal information. The end goal, as with most cybercrime, is financial gain.

Phishing attacks aim to collect personal data—including login credentials, credit card numbers, social security numbers, and bank account numbers—for fraudulent purposes. The attack is most commonly delivered as an email communication that spoofs a known enterprise, such as a bank or online shopping site, but it can also appear to come from an individual of authority or of personal acquaintance. These emails always contain a link that sends users to a decent facsimile of a valid website where credentials will be collected and sent to the attacker, instead of the supposedly trusted source. From there, the attacker can exploit credentials to commit crimes such as identity theft, draining bank accounts, or selling personal information on the black market.

“Truth be told, phishing is the simplest kind of cyberattack and, at the same time, the most dangerous and effective,” says Adam Kujawa, Director of Malware Intelligence. “That is because it attacks the most vulnerable and powerful computer on the planet: the human mind.”

The evolution of phishing

While the Nigerian prince attack vector remains in use today, most savvy Internet users can now spot this scam a mile away (hence the multitude of memes that have popped up over the years). The campaign has lost its edge and fooled way fewer users. Plus, email technology has progressed so that spam filters readily pick up on this phish and block it. And this is why cybercriminals have had to advance their tactics.


“Phishers had no other choice but to evolve and improve on where they fell short,” says Jovi Umawing, Malware Intelligence Analyst at Malwarebytes. “Nowadays, most sophisticated modern-day phishing emails are so polished and well-designed that one cannot easily differentiate them from legitimate ones.”

Case in point: Recent phishing campaigns have had great success impersonating big-name companies and fooling big-name recipients. In May 2017, a phishing email targeted one million Gmail users by purporting to be from a contact sharing Google Docs. In Minnesota alone, state employees were scammed out of $90,000 due to the Google Docs fiasco. Hillary Clinton’s campaign manager for the 2016 presidential election, John Podesta, famously had his Gmail hacked and subsequently leaked after falling for the oldest trick in the book—a phishing attack claiming that his email password had been compromised (so click here to change it).

So how can we learn from these lessons? Let’s start by identifying the different types of phishing in use today.

Types of phishing

The most basic and commonly seen type of attack, of course, is the phishing email. Phishing emails are sent to a group of users who are unique enough to be used as bait but broad enough to ensnare a large number of people. The point is to cast as large a net as possible. In contrast, other forms of attack are much more targeted.

Spear phishing, as might be gathered from its title, usually targets a specific person or organization. Since these types of attacks are so pointed, phishers scour the Internet for available information about their target in order to craft a believable email to extort information (if not money) from victims.

Whaling is a form of spear phishing directed at executives or other high-profile targets within a business, government, or other organization, such as a CEO, senator, or someone who has access to financial assets. CFO fraud is an example of whaling.

Smishing, short for SMS phishing, is carried out via SMS text messaging on mobile devices. A similar technique, vishing, is voice phishing conducted over the phone.

Pharming, also known as DNS-based phishing, is a type of phishing that involves modifying or tampering with a system’s hosts file or its domain name system (DNS) settings to redirect requests for legitimate URLs to a fake site. As a result, users have no idea that the website they are entering their personal details into is fake.

Content-injection phishing is when phishers insert malicious code or misleading content into legitimate websites that instructs users to enter their credentials or personal information. This type of phishing is a form of content spoofing.

Man-in-the-middle phishing happens when phishers position themselves between people and the websites they use, such as social networking sites or online banks, to extract information as it’s being entered. This type of phishing is more difficult to detect because attackers continue to pass on users’ information (after collecting it) so as not to disrupt any transactions.

And finally, search engine phishing starts off when phishers create malicious websites with attractive offers, and search engines index them. People then stumble upon such sites doing their own online searches and, thinking the sites are legit, unknowingly give up their personal information.

There truly are a lot of phish in the sea.

So, if your head isn’t completely swimming in fish puns, it’s time to talk about how to train your eye and your gut to sniff out the various forms of phishing attacks. I asked Labs researchers to tell me their top indications that an email, text, or other form of communication is a phish and compiled a list of their, and my, recommendations.

Something’s phishy if:

  • The email, text, or voicemail is requesting that you update/fill in personal information. This is especially dubious if it’s coming from a bank or the IRS. Treat any communication asking for your credentials with extra caution.
  • The URL shown on the email and the URL that displays when you hover over the link are different from one another.
  • The “From” address is an imitation of a legitimate address, especially from a business.
  • The formatting and design are different from what you usually receive from an organization. Maybe the logo looks pixelated or the buttons are different colors. Or possibly there are weird paragraph breaks or extra spaces between words. If the email appears sloppy, start making the squinty “this looks suspect” face.
  • The content is badly written. Sure, there are plenty of wannabe writers working for legitimate organizations, but this email might seem particularly amateur. Are there obvious grammar errors? Is there awkward sentence structure, like perhaps it was written by a computer program or someone whose second language is English? Take a closer look.
  • Speaking of content, a phishing email almost always sounds desperate. “Whether they’re claiming that your account will be closed, an urgent request is needed, or your account has been compromised, think twice before double-clicking that link or downloading that attachment,” says Umawing.
  • The email contains attachments from unknown sources that you were not expecting. Don’t open them, plain and simple. They might contain malware that could infect your system.
  • The website is not secure. If you do go ahead and click on the link of an email to fill out personal information, be sure you see the “https” abbreviation as well as the lock symbol at the beginning of the URL. If not, that means any data you submit is vulnerable to cybercriminals. (If the link is malicious, Malwarebytes will block the site.)

If you suspect or can verify that you’ve been phished, it’s best to report the attempt directly to the person or organization being spoofed. You can also contact the Federal Trade Commission (FTC) to lodge a complaint. Once completed, delete the email, then empty your trash. (Same goes for texts.)

Now the next time someone attempts to scam you with fraudulent emails, you won’t have to wonder if the message is for real. You’ll scope out a phish hook, line, and sinker.

The Feds just wiped out your online privacy…

Your ISP, browsing history, and what to do about it


Posted: April 4, 2017 by

In late March, Congress approved a bill lifting restrictions imposed on ISPs last year concerning what they could do with information such as customer browsing habits, app usage history, location data, and Social Security numbers. They additionally absolved ISPs of the need to strengthen their existing customer data holdings against hackers and thieves. For more on the particulars of the bill, you can see reports on the Washington Post and Ars Technica. Given that the repealed restrictions hadn’t yet come into effect, the immediate impact of the new bill is somewhat unclear. But given what typically happens with massive stores of aggregated, location-specific customer data, the prognosis is not good.

So what’s the worst that can happen? Let’s run through a few probable outcomes:

Ad retargeting

We all might be familiar with this: we buy a product online and then see ads for it relentlessly for a couple of weeks thereafter. But with increased granularity of metadata, ad retargeting can be significantly more ‘effective.’ As an example, certain tech support scam companies prefer to draw their staff directly from complicit drug detoxes and rehabs, largely in order to ensure a compliant, desperate employee base. So the next time someone searches for help with an intractable heroin addiction, they might get targeted ads for unlicensed rehabs that come with a new job opportunity of scamming the elderly. Perhaps if my browser history correlates to those of low income or unemployed people, my ads would fill with work from home scams. Or low literacy search phrasing, in conjunction with low income, could get me directed to multi-level marketing scams. There is a cornucopia of ways to target the weak and vulnerable via metadata, and it’s both legal and profitable.


Stalking

As we can see with many domestic violence cases, abusers have no compunction against using technology to stalk and harass their victims. A 2014 article by NPR surveyed a series of domestic violence shelters and found 75% of their clients had dealt with abusers monitoring them remotely using hidden mobile apps. Some ill-conceived apps have linked multiple sets of user data together, to create inadvertent ‘stalking apps’. Once search metadata is openly sold, a person suffering domestic abuse would have a hard time searching for a local shelter without their partner knowing about it. Even with new homes and new identities, a victim would have to live with the fear of their search patterns combined with IP address identifying them, permanently. Stalking via metadata has been seen as an issue before and it will most likely happen again.


Browser History Ransom

We’ve seen doxware in the wild before. But when the barrier to entry is lowered to simply having enough money to purchase the incriminating data in question, why wouldn’t more criminals get in on the game? As seen with ransomware and tech support scams, when technical limitations to a crime are removed, people willing to try it multiply exponentially. Ransoming a victim’s browser history would seem to be easy money.


Time to Breach

Essentially, once this data begins to be collected, stored, and prepared for sale, there is a stopwatch set for time to breach and dissemination of your data to the highest bidder on the dark web. Think that’s hyperbolic? In 2015 Comcast published the personal data of almost 75,000 California customers due to operator error. In a separate incident in the same year, 200,000 Comcast customers had their data sold on the dark web. In 2014, Comcast hadn’t patched their mail servers adequately and hackers made off with extensive credentials. Not to be outdone, Time Warner had their customers breached in incidents here and here. Cox Communications paid the FCC a $595,000 fine for breach of its customer data. Given the track record of handling customer data thus far, how long until the next breach?

But this is bad and I don’t want this?

Although options are limited and sometimes frustrating, there are some things you can do. To combat ad retargeting, an ad blocker works quite well. It’s awfully tough to be taken in by deceptive or fraudulent, or just too intrusive advertising if you can’t see it. However, many of the most reputable news sites rely on advertising for revenue, so they ask users to disable ad blockers in order to access content. This doesn’t really address the issue of shadowy third parties doing untoward things with your data, which brings us to…

Virtual Private Networks (VPNs)

Here be dragons, though, because many VPN providers are no more trustworthy than the ISPs that we all love so dearly. If you go to a VPN review site you can see the latest VPNs and how they stack up on quality criteria, which generally include, but are not limited to:

  • Do they keep logs of your activity?
  • How much identifiable data do they keep on you?
  • Do they have physical control over their own VPN servers?
  • What countries are their servers located in?

Check out some reviews of popular VPNs based on answers to these questions here. Another question that you should be asking is how much a VPN costs. Free ones generally find some unsavory ways to monetize your traffic, which is what you’re trying to avoid to begin with.

HTTPS Everywhere

This is a browser extension published by the Electronic Frontier Foundation. It forces websites to use a more secure HTTPS connection when the website supports it. Encrypting traffic in this way does not hide the specific websites you visit from your ISP, but it does obfuscate the specific content that you’re accessing on that page. And as a browser extension, it’s fairly easy to install, and probably falls under the category of things you should be doing anyway. If you want to find out more about HTTPS Everywhere, check out their FAQ here.

Calling your congressman

Privacy is a developing issue. As technology advances, its ability to infringe on our privacy in irritating and sometimes dangerous ways can increase. Letting your representatives know that this is a concern can help prevent worse legislation in the future. If you’d like to make your opinion on online privacy known, you can find your representatives here and here.

In conclusion, strong online privacy can sometimes be an inconvenience for those of us trying to catch cybercriminals. But its loss hurts all of us. Whether you have ‘something to hide’ or not, your data and your identity belong to you. Why shouldn’t you control how it’s used?

The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations

U.S. Department of Homeland Security US-CERT

National Cyber Awareness System:


09/06/2016 06:29 PM EDT
Original release date: September 06, 2016 | Last revised: September 28, 2016

Systems Affected

Network Infrastructure Devices

Overview

The advancing capabilities of organized hacker groups and cyber adversaries create an increasing global threat to information systems. The rising threat levels place more demands on security personnel and network administrators to protect information systems. Protecting the network infrastructure is critical to preserve the confidentiality, integrity, and availability of communication and services across an enterprise.

To address threats to network infrastructure devices, this Alert provides information on recent vectors of attack that advanced persistent threat (APT) actors are targeting, along with prevention and mitigation recommendations.

Description

Network infrastructure consists of interconnected devices designed to transport communications needed for data, applications, services, and multi-media. Routers and firewalls are the focus of this alert; however, many other devices exist in the network, such as switches, load-balancers, intrusion detection systems, etc. Perimeter devices, such as firewalls and intrusion detection systems, have been the traditional technologies used to secure the network, but as threats change, so must security strategies. Organizations can no longer rely on perimeter devices to protect the network from cyber intrusions; organizations must also be able to contain the impact/losses within the internal network and infrastructure.

For several years now, vulnerable network devices have been the attack-vector of choice and one of the most effective techniques for sophisticated hackers and advanced threat actors. In this environment, there has never been a greater need to improve network infrastructure security. Unlike hosts that receive significant administrative security attention and for which security tools such as anti-malware exist, network devices are often working in the background with little oversight—until network connectivity is broken or diminished. Malicious cyber actors take advantage of this fact and often target network devices. Once on the device, they can remain there undetected for long periods. After an incident, where administrators and security professionals perform forensic analysis and recover control, a malicious cyber actor with persistent access on network devices can reattack the recently cleaned hosts. For this reason, administrators need to ensure proper configuration and control of network devices.

Proliferation of Threats to Information Systems

SYNful Knock

In September 2015, an attack known as SYNful Knock was disclosed. SYNful Knock silently changes a router’s operating system image, thus allowing attackers to gain a foothold on a victim’s network. The malware can be customized and updated once embedded. When the modified malicious image is uploaded, it provides a backdoor into the victim’s network. Using a crafted TCP SYN packet, a communication channel is established between the compromised device and the malicious command and control (C2) server. The impact of this infection to a network or device is severe and most likely indicates that there may be additional backdoors or compromised devices on the network. This foothold gives an attacker the ability to maneuver and infect other hosts and access sensitive data.

The initial infection vector does not leverage a zero-day vulnerability. Attackers either use the default credentials to log into the device or obtain weak credentials from other insecure devices or communications. The implant resides within a modified IOS image and, when loaded, maintains its persistence in the environment, even after a system reboot. Any further modules loaded by the attacker will only exist in the router’s volatile memory and will not be available for use after the device reboots. However, these devices are rarely or never rebooted.

To prevent the size of the image from changing, the malware overwrites several legitimate IOS functions with its own executable code. The attacker examines the functionality of the router and determines functions that can be overwritten without causing issues on the router. Thus, the overwritten functions will vary upon deployment.

The attacker can utilize the secret backdoor password in three different authentication scenarios. In these scenarios the implant first checks to see if the user input is the backdoor password. If so, access is granted. Otherwise, the implanted code will forward the credentials for normal verification of potentially valid credentials. This generally raises the least amount of suspicion. Cisco has provided an alert on this attack vector. For more information, see the Cisco SYNful Knock Security Advisory.

Other attacks against network infrastructure devices have also been reported, including more complicated persistent malware that silently changes the firmware on the device that is used to load the operating system so that the malware can inject code into the running operating system. For more information, please see Cisco’s description of the evolution of attacks on Cisco IOS devices.

Cisco Adaptive Security Appliance (ASA)

A Cisco ASA device is a network device that provides firewall and Virtual Private Network (VPN) functionality. These devices are often deployed at the edge of a network to protect a site’s network infrastructure, and to give remote users access to protected local resources.

In June 2016, NCCIC received several reports of compromised Cisco ASA devices that were modified in an unauthorized way. The ASA devices directed users to a location where malicious actors tried to socially engineer the users into divulging their credentials.

It is suspected that malicious actors leveraged CVE-2014-3393 to inject malicious code into the affected devices. The malicious actor would then be able to modify the contents of the Random Access Memory Filing System (RAMFS) cache file system and inject the malicious code into the appliance’s configuration. Refer to the Cisco Security Advisory Multiple Vulnerabilities in Cisco ASA Software for more information and for remediation details.

In August 2016, a group known as “Shadow Brokers” publicly released a large number of files, including exploitation tools for both old and newly exposed vulnerabilities. Cisco ASA devices were found to be vulnerable to the released exploit code. In response, Cisco released an update to address a newly disclosed Cisco ASA Simple Network Management Protocol (SNMP) remote code execution vulnerability (CVE-2016-6366). In addition, one exploit tool targeted a previously patched Cisco vulnerability (CVE-2016-6367). Although Cisco provided patches to fix this Cisco ASA command-line interface (CLI) remote code execution vulnerability in 2011, devices that remain unpatched are still vulnerable to the described attack. Attackers may target vulnerabilities for months or even years after patches become available.

Impact

If the network infrastructure is compromised, malicious hackers or adversaries can gain full control of the network infrastructure enabling further compromise of other types of devices and data and allowing traffic to be redirected, changed, or denied. Possibilities of manipulation include denial-of-service, data theft, or unauthorized changes to the data.

Intruders with infrastructure privilege and access can impede productivity and severely hinder re-establishing network connectivity. Even if other compromised devices are detected, tracking back to a compromised infrastructure device is often difficult.

Malicious actors with persistent access to network devices can reattack and move laterally after they have been ejected from previously exploited hosts.

Solution

1.    Segregate Networks and Functions

Proper network segmentation is a very effective security mechanism to prevent an intruder from propagating exploits or laterally moving around an internal network. On a poorly segmented network, intruders are able to extend their impact to control critical devices or gain access to sensitive data and intellectual property. Security architects must consider the overall infrastructure layout, segmentation, and segregation. Segregation separates network segments based on role and functionality. A securely segregated network can contain malicious occurrences, reducing the impact from intruders, in the event that they have gained a foothold somewhere inside the network.

Physical Separation of Sensitive Information

Local Area Network (LAN) segments are separated by traditional network devices such as routers. Routers are placed between networks to create boundaries, increase the number of broadcast domains, and effectively filter users’ broadcast traffic. These boundaries can be used to contain security breaches by restricting traffic to separate segments and can even shut down segments of the network during an intrusion, restricting adversary access.

Recommendations:
  • Implement Principles of Least Privilege and need-to-know when designing network segments.
  • Separate sensitive information and security requirements into network segments.
  • Apply security recommendations and secure configurations to all network segments and network layers.

Virtual Separation of Sensitive Information

As technologies change, new strategies are developed to improve IT efficiencies and network security controls. Virtual separation is the logical isolation of networks on the same physical network. The same physical segmentation design principles apply to virtual segmentation but no additional hardware is required. Existing technologies can be used to prevent an intruder from breaching other internal network segments.

Recommendations:
  • Use Private Virtual LANs to isolate a user from the rest of the broadcast domains.
  • Use Virtual Routing and Forwarding (VRF) technology to segment network traffic over multiple routing tables simultaneously on a single router.
  • Use VPNs to securely extend a host/network by tunneling through public or private networks.

2.    Limit Unnecessary Lateral Communications

Allowing unfiltered workstation-to-workstation communications (as well as other peer-to-peer communications) creates serious vulnerabilities, and can allow a network intruder to easily spread to multiple systems. An intruder can establish an effective “beach head” within the network, and then spread to create backdoors into the network to maintain persistence and make it difficult for defenders to contain and eradicate.

Recommendations:
  • Restrict communications using host-based firewall rules to deny the flow of packets from other hosts in the network. The firewall rules can be created to filter on a host device, user, program, or IP address to limit access from services and systems.
  • Implement a VLAN Access Control List (VACL), a filter that controls access to/from VLANs. VACL filters should be created to deny packets the ability to flow to other VLANs.
  • Logically segregate the network using physical or virtual separation allowing network administrators to isolate critical devices onto network segments.

3.    Harden Network Devices

A fundamental way to enhance network infrastructure security is to safeguard networking devices with secure configurations. Government agencies, organizations, and vendors supply a wide range of resources to administrators on how to harden network devices. These resources include benchmarks and best practices. These recommendations should be implemented in conjunction with laws, regulations, site security policies, standards, and industry best practices. These guides provide a baseline security configuration for the enterprise that protects the integrity of network infrastructure devices. This guidance supplements the network security best practices supplied by vendors.

Recommendations:
  • Disable unencrypted remote admin protocols used to manage network infrastructure (e.g., Telnet, FTP).
  • Disable unnecessary services (e.g. discovery protocols, source routing, HTTP, SNMP, BOOTP).
  • Use SNMPv3 (or subsequent version) but do not use SNMP community strings.
  • Secure access to the console, auxiliary, and VTY lines.
  • Implement robust password policies and use the strongest password encryption available.
  • Protect router/switch by controlling access lists for remote administration.
  • Restrict physical access to routers/switches.
  • Back up configurations and store them offline. Use the latest version of the network device operating system and update with all patches.
  • Periodically test security configurations against security requirements.
  • Protect configuration files with encryption and/or access controls when sending them electronically and when they are stored and backed up.
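As an added example that is not part of the advisory, the following Python script audits an IOS-style running-config against the hardening items above (Telnet on VTY lines, the HTTP server, SNMP community strings, CDP, source routing, password encryption, enable secret, and an inbound access-class on the VTY lines). The sample configuration, hostname, and ACL name are constructed, and the line patterns assume Cisco IOS syntax.

```python
import re

# Constructed IOS-style running-config for a hypothetical router; not a real device.
SAMPLE_CONFIG = """\
hostname core-rtr-01
service password-encryption
enable secret 9 PLACEHOLDER_HASH
no ip source-route
no cdp run
ip http server
snmp-server community public RO
snmp-server group NMS v3 priv
line vty 0 4
 access-class MGMT-ACL in
 transport input telnet ssh
line con 0
 exec-timeout 5 0
"""

# Lines that must be present: their absence is a finding (patterns are per-line).
REQUIRED = {
    "CDP not disabled (missing 'no cdp run')": r"^no cdp run$",
    "IP source routing not disabled": r"^no ip source-route$",
    "Passwords stored unencrypted (missing 'service password-encryption')": r"^service password-encryption$",
    "No SNMPv3 'priv' group configured": r"^snmp-server group \S+ v3 priv\b",
    "VTY lines lack an inbound access-class": r"^\s+access-class \S+ in$",
    "Enable secret not set": r"^enable secret ",
}

# Lines that must be absent: their presence is a finding.
FORBIDDEN = {
    "Telnet permitted on VTY lines": r"^\s+transport input (all|.*\btelnet\b)",
    "HTTP management server enabled": r"^ip http server$",
    "SNMP community string configured": r"^snmp-server community ",
    "Weak 'enable password' in use": r"^enable password ",
}


def audit_config(config: str) -> list:
    """Return the hardening findings for an IOS-style config, in a stable order."""
    findings = []
    for finding, pattern in REQUIRED.items():
        if not re.search(pattern, config, re.MULTILINE):
            findings.append(finding)
    for finding, pattern in FORBIDDEN.items():
        if re.search(pattern, config, re.MULTILINE):
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against a saved `show running-config` capture to get a quick checklist of deviations before a change window; it reports what is missing or forbidden, not what is merely suboptimal.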

4.    Secure Access to Infrastructure Devices

Administrative privileges on infrastructure devices allow access to resources that are normally unavailable to most users and permit the execution of actions that would otherwise be restricted. When administrator privileges are improperly authorized, granted widely, and/or not closely audited, intruders can exploit them. These compromised privileges can enable adversaries to traverse a network, expanding access and potentially allowing full control of the infrastructure backbone. Unauthorized infrastructure access can be mitigated by properly implementing secure access policies and procedures.

Recommendations:
  • Implement Multi-Factor Authentication – Authentication is a process to validate a user’s identity. Weak authentication processes are commonly exploited by attackers. Multi-factor authentication uses at least two identity components to authenticate a user’s identity. Identity components include something the user knows (e.g., password); an object the user has possession of (e.g., token); and a trait unique to the specific person (e.g., biometric).
  • Manage Privileged Access – Use an authorization server to store access information for network device management. This type of server will enable network administrators to assign different privilege levels to users based on the principle of least privilege. When a user tries to execute an unauthorized command, it will be rejected. To increase the strength and robustness of user authentication, implement a hard token authentication server in addition to the AAA server, if possible. Multi-factor authentication increases the difficulty for intruders to steal and reuse credentials to gain access to network devices.
  • Manage Administrative Credentials – Although multi-factor authentication is highly recommended and a best practice, systems that cannot meet this requirement can at least improve their security level by changing default passwords and enforcing complex password policies. Network accounts must contain complex passwords of at least 14 characters from multiple character domains including lowercase, uppercase, numbers, and special characters. Enforce password expiration and reuse policies. If passwords are stored for emergency access, keep these in a protected off-network location, such as a safe.

5.    Perform Out-of-Band Management

Out-of-Band (OoB) management uses alternate communication paths to remotely manage network infrastructure devices. These dedicated paths can vary in configuration to include anything from virtual tunneling to physical separation. Using OoB access to manage the network infrastructure will strengthen security by limiting access and separating user traffic from network management traffic. OoB management provides security monitoring and can implement corrective actions without allowing the adversary who may have already compromised a portion of the network to observe these changes.

OoB management can be implemented physically or virtually, or through a hybrid of the two. Building additional physical network infrastructure is the most secure option for the network managers, although it can be very expensive to implement and maintain. Virtual implementation is less costly, but still requires significant configuration changes and administration. In some situations, such as access to remote locations, virtual encrypted tunnels may be the only viable option.

Recommendations:
  • Segregate standard network traffic from management traffic.
  • Enforce that management traffic on devices only comes from the OoB.
  • Apply encryption to all management channels.
  • Encrypt all remote access to infrastructure devices such as terminal or dial-in servers.
  • Manage all administrative functions from a dedicated host (fully patched) over a secure channel, preferably on the OoB.
  • Harden network management devices by testing patches, turning off unnecessary services on routers and switches, and enforcing strong password policies. Monitor the network and review logs. Implement access controls that only permit required administrative or management services (SNMP, NTP, SSH, FTP, TFTP).

6.    Validate Integrity of Hardware and Software

Products purchased through unauthorized channels are often known as “counterfeit,” “secondary,” or “grey market” devices. There have been numerous reports in the press regarding grey market hardware and software being introduced into the marketplace. Grey market products have not been thoroughly tested to meet quality standards and can introduce risks to the network. Lack of awareness or validation of the legitimacy of hardware and software presents a serious risk to users’ information and the overall integrity of the network environment. Products purchased from the secondary market run the risk of having the supply chain breached, which can result in the introduction of counterfeit, stolen, or second-hand devices. This could affect network performance and compromise the confidentiality, integrity, or availability of network assets. Furthermore, breaches in the supply chain provide an opportunity for malicious software or hardware to be installed on the equipment. In addition, unauthorized or malicious software can be loaded onto a device after it is in operational use, so integrity checking of software should be done on a regular basis.

Recommendations:
  • Maintain strict control of the supply chain; purchase only from authorized resellers.
  • Require resellers to implement a supply chain integrity check to validate hardware and software authenticity.
  • Inspect the device for signs of tampering.
  • Validate serial numbers from multiple sources.
  • Download software, updates, patches, and upgrades from validated sources.
  • Perform hash verification and compare values against the vendor’s database to detect unauthorized modification to the firmware.
  • Monitor and log devices, verifying network configurations of devices on a regular schedule.
  • Train network owners, administrators, and procurement personnel to increase awareness of grey market devices.
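As an added example that is not part of the advisory, this Python routine performs the hash verification recommended above: it recomputes every digest a vendor publishes for an image, refuses to accept an image whose only published digest is a weak one such as MD5, and reports a mismatch as a possible unauthorized modification. The image bytes, file names, and the manifest itself are constructed for the example; real vendors publish their values on their download pages.

```python
import hashlib
import hmac

# Constructed firmware image and a vendor-style digest manifest (hypothetical file names).
IMAGE_BYTES = b"HYPOTHETICAL-FIRMWARE-IMAGE-CONTENTS\n" * 64
MANIFEST = {
    "router-ios.bin": {
        "sha512": hashlib.sha512(IMAGE_BYTES).hexdigest(),
        "md5": hashlib.md5(IMAGE_BYTES).hexdigest(),
    },
    # An older entry for which the vendor published only an MD5 value.
    "legacy-ios.bin": {"md5": hashlib.md5(IMAGE_BYTES).hexdigest()},
}
STRONG_ALGORITHMS = {"sha256", "sha384", "sha512"}


def verify_image(name, data, manifest):
    """Return (ok, reason). The image is accepted only if every published digest
    matches and at least one of them comes from a strong algorithm."""
    entry = manifest.get(name)
    if entry is None:
        return False, "no vendor digest published for this image name"
    strong_checked = False
    for algo, expected in entry.items():
        if algo not in hashlib.algorithms_available:
            return False, f"unsupported digest algorithm {algo}"
        actual = hashlib.new(algo, data).hexdigest()
        # Constant-time comparison; a mismatch means the image differs from what the vendor shipped.
        if not hmac.compare_digest(actual, expected.lower()):
            return False, f"{algo} mismatch: image may have been modified"
        strong_checked = strong_checked or algo in STRONG_ALGORITHMS
    if not strong_checked:
        return False, "only weak digests published (e.g. MD5); do not install on this basis"
    return True, "all vendor digests match"


if __name__ == "__main__":
    for image_name in ("router-ios.bin", "legacy-ios.bin", "unknown.bin"):
        print(image_name, verify_image(image_name, IMAGE_BYTES, MANIFEST))
```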


Shadow Broker Exploits

Vendor      CVE            Exploit Name              Vulnerability
Fortinet    CVE-2016-6909  EGREGIOUSBLUNDER          Authentication cookie overflow
WatchGuard  CVE-2016-7089  ESCALATEPLOWMAN           Command line injection via ipconfig
Cisco       CVE-2016-6366  EXTRABACON                SNMP remote code execution
Cisco       CVE-2016-6367  EPICBANANA                Command line injection remote code execution
Cisco       CVE-2016-6415  BENIGNCERTAIN/PIXPOCKET   Information/memory leak
TOPSEC      N/A            ELIGIBLEBACHELOR          Attack vector unknown, but has an XML-like payload beginning with <?tos length="001e.%8.8x"?>
TOPSEC      N/A            ELIGIBLEBOMBSHELL         HTTP cookie command injection
TOPSEC      N/A            ELIGIBLECANDIDATE         HTTP cookie command injection
TOPSEC      N/A            ELIGIBLECONTESTANT        HTTP POST parameter injection


References

Revision History

  • September 6, 2016: Initial release
  • September 13, 2016: Added additional references

Prime Telecommunications Educates Customers on Ransomware

Prime Telecommunications, Inc., a leader in unified communications, announced today that they have launched a ransomware awareness campaign. The purpose of the campaign is to quickly educate business owners in understanding one of the latest threats now facing small to mid-sized businesses (SMBs). Ransomware is a specific variation of malware that is growing in popularity amongst hackers, and Prime Telecommunications is doing its best to alert business owners to this new tactic. Prime Telecommunications’ existing customers are very well protected against this type of threat, but many business owners may be unaware of the potential destruction it can cause to an organization.

While business owners have always understood the need to protect their businesses from malware, short for “malicious software”, ransomware is a new tactic that hackers are using to attack businesses in an especially wicked way. Essentially, an employee will receive an email with a deceptive link, labeled “See Resume Here” or “Download Report Now”, and then upon clicking the link, a ransomware application will be installed immediately on the computer. Then, the software can remain hidden for several days, until it is activated. At that moment, the ransomware application will hijack critical files, remove them from the network, encrypt them so no other computers can access them and then hackers will send an email demanding payment for the release of the missing files. The biggest problem with this type of cyber attack is that it leaves absolutely no leverage to the business owner. Even if they pay the “ransom”, hackers don’t necessarily unlock the files every time. “This is a huge problem that could have drastic impact on an organization and the craziest thing we notice is that there is such a simple solution,” stated Vic Levinson, President at Prime Telecommunications.

“These types of attacks happen far too often, and we take great pride in protecting our customers from threats like this,” added Levinson. “The first line of defense for these kinds of attacks is a technically educated staff. While the majority of these threats come in the form of suspicious email links, an educated staff can avoid these catastrophes simply through awareness. That’s one of the reasons why we issued this press release,” commented Levinson. “For business owners that see the value of peace of mind, we devise comprehensive solutions that thwart these types of attacks from every angle. We take a global approach that includes a combination of anti-virus software, anti-malware software, strong firewalls, employee education, data backup, and network redundancy. What we’ve noticed over the years is that every network has different exposure points and our job is to come in as a technology advisor and to proactively prevent not only ransomware attacks, but the myriad of other attacks that a business owner may face for years to come.”

Prime Telecommunications’ mission is to leave business owners in a more empowered position by serving as an educator of emergent technologies. “Our biggest aim with this campaign is to usher in a sense of urgency amongst business owners so they take action now, instead of waiting to be in a difficult, immutable situation later,” closed Levinson.