Tuesday, May 17, 2016

Money Money Money Money

More banking goodness. The first (that we know of) exploit of SWIFT was on the Bank of Bangladesh, and supposedly involved 3 separate exploits, according to SANS. This one is newish and just as disturbing.

Vietnam's Tien Phong Bank came forward claiming to be the second bank that was attacked with a fake message sent through The Society for Worldwide Interbank Financial Telecommunication (SWIFT) messaging system.
According to CNBC, Tien Phong said in a statement Sunday it had identified and stopped a suspicious request made through SWIFT to transfer $1.1 million. The bank said the transfer request came through a third-party vendor it uses to connect to the SWIFT system. While the vendor was not named, Tien Phong said it has switched to another company.
SWIFT announced last week that a second bank had been targeted, but did not identify the institution. In February hackers breached The Bangladesh Central Bank, stealing credentials needed to authorize payment transfers via the SWIFT messaging system from the country's monetary reserves in the Federal Reserve Bank of New York to fraudulent accounts based in the Philippines and Sri Lanka. (from SC Magazine)
Might be cash under the mattress time, or should I use an old coffee can and bury it out back? Do they still sell coffee in cans?

Friday, May 06, 2016

Are you down with ransomware?

The third largest utility in Michigan, Lansing BWL, was hit by ransomware and their corporate systems have been down for a week. Not their facility controls, thank you, just their central business and outage reporting system.
If only there had been some sort of warning! It's not like this has been in the media, or federal organizations have been warning us:

https://www.fbi.gov/news/stories/2016/april/incidents-of-ransomware-on-the-rise/incidents-of-ransomware-on-the-rise

http://www.cbsnews.com/news/warning-issued-over-new-strain-of-ransomware/

http://arstechnica.com/security/2016/04/ok-panic-newly-evolved-ransomware-is-bad-news-for-everyone/

So down for a week is insane. They should have had regular backups on their corporate systems. Let me repeat that in all caps. THEY SHOULD HAVE HAD REGULAR BACKUPS ON THEIR CORPORATE SYSTEMS.

Here is an article from Naked Security, "8 tips for preventing ransomware". Notice tip #1:

If you do get infected with ransomware, unless you’ve got back-ups, or the crooks made some kind of cryptographic mistake, you’re left with either paying or losing your locked up files forever.
Prevention is far better than a cure. So here are 8 tips to protect yourself against ransomware.
1. Back up your files regularly and keep a recent backup off-site. The only backup you’ll ever regret is one you left for “another day.” Backups can protect your data against more than just ransomware: theft, fire, flood or accidental deletion all have the same effect. Make sure you encrypt the backed up data so only you can restore it.
Like the hospital in California that was down for a week, there is no way they were in any way compliant with any standards, as every security standard from HIPAA to FERPA requires regular backup.

Wednesday, May 04, 2016

Fake Ransom Ware?

The latest from the “are there no depths” crowd: fake ransomware.
Another thing to be aware of.
“There are a number of examples where true encryption doesn’t occur. Instead, cyber criminals rely on the social engineering edge of the attack to convince people to pay,” warns Grayson Milbourne, director of security intelligence at Webroot.
Is it real or fake?
It takes only a few seconds to confirm whether it’s a real infection or a social engineering scam.
If the ransom demand includes the name of the ransomware, then there’s no mystery, and you're in trouble. Ransomware families that identify themselves include Linux.Encoder -- the first Linux-based ransomware -- which clearly says “Encrypted by Linux.Encoder.” CoinVault identifies itself by listing the support email address. TeslaCrypt and CTB-Locker are also among the well-known ransomware families that tell you who is holding your files hostage.”
So yet another reason to hate these guys.
The only solution is to train yourself and your people so that they are not caught by real or fake ransomware demands.
I think that finally there is something that would suck more than paying the ransom to get your files decrypted: paying the ransom to get your files decrypted when they were never encrypted at all.

Monday, May 02, 2016

Preventing Cybercrime

In the cyber crime world, there is no such thing as a bullet-proof defense. However, the risk of data-loss, unauthorized access, or other undesirable intrusions can be reduced or nearly eliminated by taking some basic precautions. Among them:

1. Ensure that all accounts have unique passwords. All passwords should be difficult to guess. A strong policy is like having a good lock on the front door. Passwords should not be a word found in the dictionary or a given name. Instead, passwords should be made of random upper- and lower-case letters, numbers and symbols. Each password should contain at least 3 of the four, and should be no shorter than eight characters. Passwords should be changed every three months, or if there is any reason to believe that a password has been compromised.

2. Update the network configuration as soon as vulnerabilities become known. Leaving a known vulnerability open is very foolish. Any incorrect or compromised network configuration needs to be corrected immediately, and care taken that new ones don’t arise. Proper change management procedures can mitigate this.

3. Apply upgrades and patches promptly. Applications and operating systems may contain hundreds of thousands, even millions, of lines of code. Vulnerabilities are discovered all the time. Even a mature, stable, tested and well-written application like QuickBooks 2010 had 13 revisions after its release. Operating systems may be released with hundreds of vulnerabilities that are not discovered until after release. Upgrades and patches must be applied as soon as the vulnerability is discovered and a patch for it released.

4. Check log files regularly to detect and trace intruders. Log files are useful for finding and patching holes, as well as detecting intrusion attempts and unauthorized privilege escalation. They can be used for mapping problems between account names and security IDs, finding incorrect permissions for performing tasks, diagnosing problems with the trust relationship between the primary domain and trusted domains, and tracing errors that may have a number of different causes.

5. Train all employees to identify and avoid cyber crime attacks. Train all users to report any suspected phishing attempts or potential security breaches. Proper training in cyber crime prevention can help users to counter viruses, phishing attacks and computer-based identity theft. Nearly all fraud and identity theft happens at the user level. Proper training makes users aware and prepared.

Training, awareness and preparation can make an enormous difference in avoiding and preventing cyber crime.
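The password rules in tip 1 (at least eight characters, at least three of the four character classes, no dictionary word or given name, changed every three months) as a small policy checker. This is an added example, not code from the post; the word list is a constructed stand-in for a real dictionary and given-name list.

```python
import string
from datetime import date, timedelta

# Constructed stand-in for a real dictionary / given-name list (assumption).
BLOCKLIST = {"password", "welcome", "summer", "michael", "jennifer"}

MIN_LENGTH = 8      # "no shorter than eight characters"
MIN_CLASSES = 3     # "at least 3 of the four" character classes
MAX_AGE_DAYS = 90   # "changed every three months"


def char_classes(pw):
    """Return the set of character classes (lower/upper/digit/symbol) present in pw."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def check_password(pw, last_changed, today=None):
    """Return a list of policy violations; an empty list means the password passes."""
    today = today or date.today()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if len(char_classes(pw)) < MIN_CLASSES:
        problems.append("fewer than %d of the 4 character classes" % MIN_CLASSES)
    # Strip digits and symbols first so "Password1!" is still caught as "password".
    core = "".join(ch for ch in pw if ch.isalpha()).lower()
    if core in BLOCKLIST:
        problems.append("dictionary word or given name")
    if today - last_changed > timedelta(days=MAX_AGE_DAYS):
        problems.append("older than %d days" % MAX_AGE_DAYS)
    return problems


if __name__ == "__main__":
    for pw in ("Password1!", "xK9#qL2v", "abc123"):
        print(pw, "->", check_password(pw, date(2016, 4, 1), date(2016, 5, 2)) or "OK")
```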