Tuesday, May 17, 2016

Money Money Money Money

More banking goodness. The first (that we know of) exploit of SWIFT was the theft from Bangladesh Bank, the country's central bank, which supposedly involved three separate exploits, according to SANS. This one is newer and just as disturbing.

Vietnam's Tien Phong Bank came forward claiming to be the second bank that was attacked with a fake message sent through The Society for Worldwide Interbank Financial Telecommunication (SWIFT) messaging system.
According to CNBC, Tien Phong said in a statement Sunday it had identified and stopped a suspicious request made through SWIFT to transfer $1.1 million. The bank said the transfer request came through a third-party vendor it uses to connect to the SWIFT system. While the vendor was not named, Tien Phong said it has switched to another company.
SWIFT announced last week that a second bank had been targeted, but did not identify the institution. In February hackers breached The Bangladesh Central Bank, stealing credentials needed to authorize payment transfers via the SWIFT messaging system from the country's monetary reserves in the Federal Reserve Bank of New York to fraudulent accounts based in the Philippines and Sri Lanka. (from SC Magazine)
Might be cash under the mattress time, or should I use an old coffee can and bury it out back? Do they still sell coffee in cans?

Friday, May 06, 2016

Are you down with ransomware?

The third largest utility in Michigan, Lansing BWL, was hit by ransomware and their corporate systems have been down for a week. Not their facility controls, thank you, just their central business and outage reporting systems.
If only there had been some sort of warning! It's not like this has been all over the media, or that federal agencies have been warning us about it:

So being down for a week is insane. They should have had regular backups of their corporate systems. Let me repeat that in all caps. THEY SHOULD HAVE HAD REGULAR BACKUPS OF THEIR CORPORATE SYSTEMS.

Here is an article from Naked Security, "8 tips for preventing ransomware". Notice tip #1:

If you do get infected with ransomware, unless you’ve got back-ups, or the crooks made some kind of cryptographic mistake, you’re left with either paying or losing your locked up files forever.
Prevention is far better than a cure. So here are 8 tips to protect yourself against ransomware. 
1. Back up your files regularly and keep a recent backup off-site. The only backup you’ll ever regret is one you left for “another day.” Backups can protect your data against more than just ransomware: theft, fire, flood or accidental deletion all have the same effect. Make sure you encrypt the backed up data so only you can restore it.
Like the hospital in California that was down for a week, there is no way they were in any way compliant with any standard: HIPAA's Security Rule, for one, explicitly requires a data backup plan, and every other security framework worth the name expects regular, tested backups.

Wednesday, May 04, 2016

Fake Ransomware?

The latest from the “are there no depths” crowd: fake ransomware, where the ransom note is real but the encryption never happened.
Another thing to be aware of.
“There are a number of examples where true encryption doesn’t occur. Instead, cyber criminals rely on the social engineering edge of the attack to convince people to pay,” warns Grayson Milbourne, director of security intelligence at Webroot.
Is it real or fake?
It takes only a few seconds to confirm whether it’s a real infection or a social engineering scam.
If the ransom demand includes the name of the ransomware, then there’s no mystery, and you're in trouble. Ransomware families that identify themselves include Linux.Encoder -- the first Linux-based ransomware -- which clearly says “Encrypted by Linux.Encoder.” CoinVault identifies itself by listing the support email address. TeslaCrypt and CTB-Locker are also among the well-known ransomware families that tell you who is holding your files hostage."
So yet another reason to hate these guys.
The best defense is to train yourself and your people so that they are not caught by real or fake ransomware demands, and to make "is it actually encrypted?" the first question anyone asks. Before anybody reaches for the Bitcoin, try opening a few of the supposedly locked files, and look at whether their headers are still intact; a scare note with readable files behind it is a scam, not an infection.
I think that finally there is something that would suck more than paying the ransom to get your files decrypted: paying the ransom to get your files decrypted when they were never encrypted at all.
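Here is the "few seconds" check from the quote above turned into a script. This is an added example, not code from the original post or from Webroot: it decides whether files are really encrypted by checking that each file's magic bytes still match its extension and, if they don't, whether the body is near-random (Shannon entropy close to 8 bits per byte). The signature table, the sample files, the `.locked` suffix and the XOR "cipher" standing in for the malware are all constructed for the example.

```python
import math
import zlib
from collections import Counter
from pathlib import PurePath
from random import Random

# Magic-byte signatures for a few common file types (a constructed, deliberately short table).
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",   # Office Open XML documents are zip containers
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, ~4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def guess_ext(name: str) -> str:
    """Recover the original extension even when the malware appended its own (report.pdf.locked)."""
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    for s in reversed(suffixes):
        if s in MAGIC:
            return s
    return suffixes[-1] if suffixes else ""

def classify(data: bytes, ext: str, threshold: float = 7.5) -> str:
    """'intact' if the file header still matches its type, 'encrypted' if the header is gone
    and the body is near-random, 'low-entropy' otherwise (plain text, or merely damaged)."""
    sig = MAGIC.get(ext)
    if sig is not None and data.startswith(sig):
        return "intact"
    return "encrypted" if shannon_entropy(data[:4096]) >= threshold else "low-entropy"

def triage(files: dict) -> dict:
    """Map each filename to a classification; files is {name: bytes}."""
    return {name: classify(data, guess_ext(name)) for name, data in files.items()}

def verdict(results: dict) -> str:
    """Real ransomware leaves encrypted files behind; a scare note with intact files does not."""
    encrypted = sum(1 for v in results.values() if v == "encrypted")
    if encrypted == 0:
        return "no encrypted files found: treat the demand as a social-engineering scam"
    return f"{encrypted} of {len(results)} files are encrypted: this is the real thing"

def _fake_encrypt(data: bytes, seed: int = 7) -> bytes:
    """Stand-in for the malware's cipher: XOR with a seeded pseudorandom keystream (constructed)."""
    rng = Random(seed)
    return bytes(b ^ rng.getrandbits(8) for b in data)

# Constructed sample files, not real data.
SAMPLE_PDF = b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 120
SAMPLE_DOCX = b"PK\x03\x04" + zlib.compress(b"<w:document>quarterly numbers</w:document>" * 50)
SAMPLES = {
    "quarterly.pdf": SAMPLE_PDF,
    "quarterly.pdf.locked": _fake_encrypt(SAMPLE_PDF),
    "memo.docx": SAMPLE_DOCX,
    "notes.txt": b"Meeting moved to 10am, bring the Q2 figures.\n" * 100,
}

if __name__ == "__main__":
    results = triage(SAMPLES)
    for name, status in results.items():
        print(f"{name:24} {status}")
    print(verdict(results))
```

Two caveats for real use: the header check is done before the entropy check on purpose, because a zipped .docx is high-entropy yet perfectly readable, and a family that encrypts only the middle of a file would still pass it, so treat "intact" as "probably fine, open it and see" rather than proof.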

Monday, May 02, 2016

Preventing Cybercrime

In the cyber crime world, there is no such thing as a bullet-proof defense. However, the risk of data-loss, unauthorized access, or other undesirable intrusions can be reduced or nearly eliminated by taking some basic precautions. Among them:

1. Ensure that all accounts have unique passwords. All passwords should be difficult to guess. A strong policy is like having a good lock on the front door. Passwords should not be a word found in the dictionary or a given name. Instead, passwords should be made of random upper- and lower-case letters, numbers and symbols. Each password should contain at least three of the four, and should be no shorter than eight characters (longer is better). Passwords should be changed every three months, or immediately if there is any reason to believe that a password has been compromised.

2. Update the network configuration as soon as vulnerabilities become known. Leaving a known vulnerability open is very foolish. Any incorrect or compromised network configuration needs to be corrected immediately, and care taken that new ones don’t arise. Proper change management procedures can mitigate this.

3. Apply upgrades and patches promptly. Applications and operating systems may contain hundreds of thousands, even millions, of lines of code. Vulnerabilities are discovered all the time. Even a mature, stable, tested and well-written application like QuickBooks 2010 had 13 revisions after its release. Operating systems may ship with hundreds of vulnerabilities that are not discovered until after release. Upgrades and patches must be applied as soon as a vulnerability is disclosed and a patch for it released.

4. Check log files regularly to detect and trace intruders. Log files are useful for finding and patching holes, as well as detecting intrusion attempts and unauthorized privilege escalation. They can be used for mapping problems between account names and security IDs, finding incorrect permissions for performing tasks, problems with trust relationships between the primary domain and trusted domains, and errors that may be caused by a number of different problems. Logs that nobody reads are just disk usage: decide what you are looking for (bursts of failed logins, a success right after a string of failures) and check for it on a schedule.

5. Train all employees to identify and avoid cyber crime attacks. Train all users to report any suspected phishing attempts or potential security breaches. Proper training in cyber crime prevention can help users to counter viruses, phishing attacks and computer-based identity theft. Nearly all fraud and identity theft happens at the user level. Proper training makes users aware and prepared.

Training, awareness and preparation can make an enormous difference in avoiding and preventing cyber crime.
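As an added illustration of tip 4, not code from the original post: a small Python script that reads sshd lines in syslog format and applies two of the checks a log review should actually make, a burst of failed logins from one source, and a successful login from a source that had just been failing. The log lines are constructed for the example (the addresses are from the RFC 5737 documentation ranges), the thresholds are assumptions to tune for your environment, and because syslog timestamps carry no year, one is assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines in syslog format (not real logs; addresses are RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Mar  2 08:01:11 web1 sshd[1201]: Failed password for root from 203.0.113.9 port 50122 ssh2
Mar  2 08:01:13 web1 sshd[1202]: Failed password for root from 203.0.113.9 port 50123 ssh2
Mar  2 08:01:15 web1 sshd[1203]: Failed password for invalid user admin from 203.0.113.9 port 50124 ssh2
Mar  2 08:01:18 web1 sshd[1204]: Failed password for invalid user oracle from 203.0.113.9 port 50125 ssh2
Mar  2 08:01:21 web1 sshd[1205]: Failed password for deploy from 203.0.113.9 port 50126 ssh2
Mar  2 08:01:40 web1 sshd[1209]: Accepted password for deploy from 203.0.113.9 port 50130 ssh2
Mar  2 09:15:02 web1 sshd[1300]: Accepted publickey for alice from 198.51.100.4 port 41022 ssh2
Mar  2 09:30:00 web1 sshd[1310]: Failed password for alice from 198.51.100.4 port 41100 ssh2
Mar  2 09:30:09 web1 sshd[1311]: Accepted publickey for alice from 198.51.100.4 port 41101 ssh2
Mar  2 09:31:00 web1 CRON[1400]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
OK_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")

def parse(log_text: str, year: int = 2016) -> list:
    """Turn raw lines into (timestamp, outcome, user, ip) tuples; non-sshd lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        f = FAIL_RE.match(m["msg"])
        if f:
            events.append((ts, "fail", f["user"], f["ip"]))
            continue
        ok = OK_RE.match(m["msg"])
        if ok:
            events.append((ts, "ok", ok["user"], ok["ip"]))
    return events

def detect(events: list, fail_threshold: int = 5, window_s: int = 60, lookback_s: int = 300) -> list:
    """Two rules over the event stream (thresholds are assumed defaults):
      bruteforce: at least fail_threshold failures from one source within window_s seconds
      success_after_failures: a login succeeds from a source with 3+ failures in the last lookback_s seconds
    """
    alerts = []
    failures = defaultdict(deque)   # source ip -> timestamps of recent failures
    already_flagged = set()
    for ts, outcome, user, ip in sorted(events):
        q = failures[ip]
        while q and (ts - q[0]).total_seconds() > lookback_s:
            q.popleft()             # forget failures older than the longest window we care about
        if outcome == "fail":
            q.append(ts)
            in_window = sum(1 for t in q if (ts - t).total_seconds() <= window_s)
            if in_window >= fail_threshold and ip not in already_flagged:
                already_flagged.add(ip)
                alerts.append(("bruteforce", ip, f"{in_window} failed logins within {window_s}s"))
        elif len(q) >= 3:
            alerts.append(("success_after_failures", ip, f"{user} logged in after {len(q)} recent failures"))
    return alerts

def analyze(log_text: str) -> list:
    return detect(parse(log_text))

if __name__ == "__main__":
    for kind, ip, detail in analyze(SAMPLE_LOG):
        print(f"ALERT {kind:24} {ip:16} {detail}")
```

On the sample it raises exactly two alerts, both for 203.0.113.9: the burst of five failures, and then the successful "deploy" login twenty seconds later, which is the one a human should actually go and look at. Alice's single typo followed by a key-based login raises nothing, which is the point of the thresholds.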

Friday, April 29, 2016

Jesus is on the Mainline

Earlier this year, we learned that 81 million dollars had walked out of Bangladesh Bank's account at the New York Fed. This was the bad news. The good news is that, thanks to a misspelling on one of the transfer orders, a loss of nearly a billion had been averted. Dollars. Billion with a "b".
Now for more bad news (from Reuters):
The disclosure came as law enforcement authorities in Bangladesh and elsewhere investigated the February cyber theft of $81 million from the Bangladesh central bank account at the New York Federal Reserve Bank. SWIFT has acknowledged that the scheme involved altering SWIFT software on Bangladesh Bank's computers to hide evidence of fraudulent transfers.
 At the time, I told an associate that they would find that access was gained through social engineering. This does nothing to lessen this suspicion:

BAE's evidence suggested that hackers manipulated SWIFT's Alliance Access server software, which banks use to interface with SWIFT's messaging platform, to cover their tracks. BAE said it could not explain how the fraudulent orders were created and pushed through the system. But SWIFT provided some evidence about how that happened in its note to customers, saying that in most cases the modus operandi was similar. It said that the attackers obtained valid credentials for operators authorized to create and approve SWIFT messages, then submitted fraudulent messages by impersonating those people.
Yes there are entirely technical means to accomplish this, but why pick the lock when you can kick down the door?


Last month the IRS issued a warning that CEOs were being either targeted or spoofed to obtain employee information. This isn't exactly new, but the more focused phishing attacks (known as "whaling") show the increasing sophistication of this new generation of social engineers. Of course your CEO, CFO, or COO is going to be a juicier target because, as Willie Sutton put it, "That's where the money is."
“This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments,” said IRS Commissioner John Koskinen. “If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”
This follows the trend of more closely targeted phishing attempts, where a few minutes of Googling can produce an "in" that is much less risky than traditional social engineering ploys.

Remind your C level people that they are targets too. They need the training you are no doubt providing to the rest of the company just as much or more than the intern who is right now propping up the water cooler.

Wednesday, April 27, 2016

Pay Me

There is a lot of news lately about a specific form of malware called "ransomware". Some experts say that it may have replaced credit card heisting as the popular way to earn an illicit buck on the web. Since 2014, when figures were first compiled, it has risen from a paltry 30 million dollar a year enterprise to such a level that one magazine has called 2016 the Year of Ransomware. I'm guessing that means considerably more than 30 million bucks this year.
The problem is that as far as I know there are only two ways to combat this. One is whitelisting outbound connections (a proxy or egress filter that only allows known-good destinations), which interferes with the malware being able to phone home to the command and control server (usually some unwitting third party's less than secured server) and therefore start the insidious process that eventually leads to a pleasant message like "Say, nice data you got dere. Shame if somtin' was to happen to it. Send me Bitcoin and nobody gets hurt." But whitelisting is going to be extremely unpopular with your users, as well as a giant pain in the butt to administer. I, for one, am unwilling to be put in the position of In-House Internet Hall Monitor.
The other is regular backup. This is the thermonuclear option, as you end up losing whatever was created since the last good backup, but hey, at least you aren't paying off the pirates that have hijacked your Excel files. One caveat: the backup has to be offline or otherwise out of reach of the infected machine, because ransomware happily encrypts a mapped backup share right along with everything else, and a restore you have never tested is not a backup.
There are some precautions. You can lock down your systems to make it difficult for .exes to run, for instance with Software Restriction Policies or AppLocker on Windows, blocking execution from the user-writable locations (%TEMP%, %APPDATA%, the Downloads folder) where email-borne droppers land. This is probably the strongest protective measure. Unfortunately you pretty much have to exclude your admins from this, and admins are just as human as the rest of us, all evidence to the contrary. Someone in a hurry, or distracted, will click on the "Are you sure?" button eventually, and you will be cursing Russian cyber mobsters just the same as in the old days.
Kaspersky and a few others have signatures for some versions of Cryptoyouarescrewed et al., but of course this beast is polymorphic, so they can't fully protect you.
As always, the best defense is education. Almost all of these ransomware strains propagate through email attachments or "watering holes", so keeping your users up to date on the latest ways of reaching them and reinforcing training like a knowledge jackhammer is your main option. I suggest monthly 15 minute training sessions, reinforced by posters, screen savers and emails.
Or I guess you could just pay up.

Wednesday, April 13, 2016

Blue Suit, Red Cape and Red Boots

No doubt about it, things are getting tighter. Even with the volume off, the TV has a streaming litany of financial woe in a never ending flow from left to right at the bottom of the screen. And you don't need Jim Cramer to remind you; your customers are letting you know, as is your screaming bottom line.

At the same time your work day and productivity is being strangled by more regulation, more rules and more requirements for security. Even beyond the regulatory considerations, you really do want your clients' data as safe as you can make it. It is part of the reason you got into this business, along with the Truth, Justice and American way stuff. But how to catch that speeding locomotive with all these chains around your ankles?

The first step is to develop the security mindset. Like so many other things, security is not a destination, it is a way of thinking. The same instincts and habits that make you rattle the back door after locking up can serve you with many information and data security issues as well. You are not locking the back door because you expect an intruder. You are prudently making it a little more difficult for the eventual intruder that someday will check your back door. Similarly, you are not protecting your data against a specific bad guy, but instead building an array of defenses so as to make your operation as unattractive to data and identity thieves as possible.

Make certain that your employees have a grasp of the basics and are incorporating them into the work day. Passwords should be routinely changed, and not written on post-it notes or shared. Callers who ask for information about internal systems should be clearly identified, or better yet referred to a designated person. That designated person should be the office go to person for all basic security questions, and well-briefed as to possible vulnerabilities and how an exploitation might present itself.

New and even more stringent regulations are on the way. How you keep your clients' data safe is going to be a problem that rests on your shoulders. You can spend a fortune building new, secure systems, or you can temper that spending with better training and looking at alternate ways of handling your data, such as online hosting, where the back-end security is handled for you (though you remain responsible for who has access and for checking the provider's controls). This combination can be a cost-effective way of providing improved security without having to leap any tall buildings.