As if the mad rush to “web-ify” everything wasn’t bad enough, McAfee’s security blog now brings us a new, shining moment in Internet history: it is now possible to visit an easy-to-use website to host your own ransomware campaign for the low, low price of free. A group of cybercriminals have put together a service that will provide you with the malware that locks up your victim’s files, as well as the means to collect the ransom via bitcoin through their consolidated platform. The service even includes a dashboard that summarizes your criminal activity: number of computers infected, number of people who paid the ransom, and how much you’ve made so far. It all sounds like something the Onion.com would dream up, but sadly, it’s real. Would-be cyber-extortionists have to pay 20% of their take to the service owners, which could amount to some serious cash. Over the course of the past few years, experts estimated that tens of millions have been made on previous ransomware campaigns. Like any good money-making model, these enterprising individuals hope to amass a fortune on the backs of aspiring cybercriminals.
What this means for you:
As I’ve said in previous blogs, cybercrime is big business now. Though McAfee’s bright light of publicity may help shut down this particular iteration of mass-market ransomware services, you can bet dozens more will follow suit, if they aren’t already up, running, and better hidden. The internet has the ability to magnify anyone’s capabilities by an incredible degree, even more so when someone with savvy and no scruples turns their sights onto the vast, largely naive internet populace. The pitch for this particular service is that “anyone” can set up their own ransomware campaign, and you can bet they’ll do a booming business until the good guys shut them down. On a more reassuring note, this particular platform only provides the means to start and run a ransomware campaign. It would still be up to the would-be extortionists to actually target and distribute the malware to their victims, a task which is surprisingly hard to do in a way that won’t get you caught. However, is it so hard to imagine someone else setting up shop right next door to the ransomware folks, where, for a “small percentage of the take” they would provide those targets? Imagine if these enterprising criminals decided to form pyramid schemes on top of these “business models”. I imagine once attaining that level of vicious cannibalism, the whole thing might collapsed in on itself under the weight of sheer backstabbing and profiteering, but in the meantime, we might drown in a crushing wave of malware. Sadly, there’s no magic bullet, but there are three things you can do to better protect yourself against the coming storm: a good firewall on your perimeter, solid anti-malware on your computer, and an up-to-date offsite backup of your data. Those things plus constant vigilance (and a little paranoia!) will go a long way towards staying safer in these more dangerous times.
A little over two years ago, I wrote about a hacker who was able to demonstrate hacking and takeover of an airplane’s flight control system, and suggested that it may be awhile before someone was able to execute this same type of hack “in the wild.” Unfortunately for everyone, it’s happened sooner than we might hope: notorious hacker Chris Roberts of One World Labs has claimed that he managed to penetrate an airplane’s flight control system while it was in flight and was able to temporarily alter the plane’s trajectory by overriding controls on a wing engine, forcing the plane to fly sideways for an short period. After joking via Twitter about his hacking activities on an April flight, Roberts was detained by the FBI and his equipment seized. According to affadavits published of the FBI interviews with Roberts, it appears as if the FBI believes Roberts is in fact capable of hacking planes while in flight.
What this means for you:
I’m actually quite surprised this hasn’t happened sooner, and with much more horrifying results. On the scale of expertise on technology security, I consider myself to be only moderately well-trained and informed, but it doesn’t take a expert to comprehend why this is going to be an increasingly dangerous problem. Because all security systems are essentially designed by humans, they will inherently be flawed. Hackers count on this weakness and are able to exploit it over and over again. In the case of the above alleged hacking incidents (yes, there was more than one), Roberts exploited a hardware weakness – he was able to physically connect his equipment to the plane by cracking the inflight entertainment box under his seat – and a software weakness – he used default passwords to circumvent the security of the plane’s control systems. In both cases he would have been foiled if the people who designed and implemented the systems had taken more care in their work. According to Roberts, his actions are meant to goad the industry into taking security more seriously, and maybe now that the FBI seems be backing his claims, something might get done.
Overall, security is an uphill battle, and requires more energy, money and expertise than most companies can field at any given time. Like insurance, many folks have a hard time spending money to secure against something that might happen. In this case, like the other inevitabilities we insure against, accepting the fact that you will be hacked (even if you already have been) at some point in the near future, will help you frame your investments in security in a more realistic and practical perspective, and doing something proactive will often put you ahead of your competition. Embattled industries like airlines should definitely keep this in mind.
Over the past 2 years, I’ve seen the rate of malware attacks climbing at an accelerated rate. This is due largely in part to the evolution of malware as a lucrative crime combined with sophisticated, easy-to-use platforms that are designed for and marketed to non-technical users. Previously, successful viruses and their code were jealously guarded and the purview of an elite “cadre” of hackers who would advertise their creations as badges of honor. Now these same cadre of malware programmers are racing to bring product to a highly competitive market. Malware is a business, and business is good.
What this means for you:
It’s not just an assumption that you will be targeted by malware. It’s most likely a fact. Malware makes its handlers money by casting the widest net possible, which means everyone is a target, and the attack platform that can prey on the most victims wins. With that in mind, the safest mindset to adopt is that your technology will be or already is under attack, and you must gird yourself for the onslaught. Here are 3 ways to prepare, plus one less-obvious way that may or may not be practical for most organizations:
- Install a good firewall on your network periphery. Though most ISP-provided routers come with some basic firewall functionality, your business or organization should be protected by a professionally managed firewall that can provide what’s known variously as “Unified Threat Management” or “Gateway-based Defense”. In a nutshell, these devices sit on the entry point of your organization’s internet connection and monitor all data going in and out, scanning for malware, hacking attempts, objectionable content and spam. This is your first line of defense, and if maintained properly, can protect you from numerous threats 24/7/365.
- Use effective malware protection on your vulnerable technology. Even assuming you have some sort of protection on your network periphery, there’s still plenty of ways for malware to get inside your network, and once they are “inside the gate”, your computer or server’s only protection from a really bad day is the anti-malware you’ve installed locally. This software should have some form of active protection (always-on scanning, port blocking, etc.) and not something that has to be run in order to detect or cleanup a malware incursion. If malware isn’t detected and handled the moment it approaches your computer, it’s too late.
- Back up your data. Sad as this fact is, no anti-malware is 100% effective. Your machine will get infected and at that point, the only way you don’t lose this battle is if your data is backed up and isolated from infection. This means offsite backups, with at least 7 days of historical versions just in case the backup software unknowingly backed up infected files (which it can and will do if you don’t catch it quickly enough).
- Disconnect from the internet. If the above 3 items are beyond the reach of your organization for either budgetary or technical reasons, this rather drastic alternative is very effective. Even though it may be impractical for most companies, approaching this problem from this perspective may lead to some creative changes in operations and employee behavior. As a simple example: block access to social media sites on work computers, but provide separate, isolated wifi for mobile devices that allows them to scratch that itch on their own devices.
Image courtesy of graur razvan ionut at FreeDigitalPhotos.net
If you are one of the many folks who work for a company that doesn’t have full-time IT staff on hand to keep your technology running smoothly, you might feel like your options for troubleshooting or resolving tech problems are limited. Depending on the severity of the issue, you may be able to rectify many minor/transient issues with some simple practices that we “experts” use on a regular basis. Obviously these techniques won’t work for things like a crashed hard drive, malware infection, or security breach, but they are useful to know, and can save you time and money.
- Reboot – It may sound clichéd, but more often than not, many of my clients forget about rebooting. Even though Windows 7 and 8 are supposedly designed to work without needing frequent reboots, if your computer is acting sluggish or abnormally, try a reboot to see if the problem goes away.
- Check Task Manager – On any Windows machine, XP and up, hitting Ctrl-Alt-Del and checking out the list of running applications in Task Manager may be an eye-opener. From there, you can see your Memory and CPU usage. If a program seems to be hogging one or the other (or both), try closing that application to see if performance returns to expected levels. Recent versions of Google Chrome are notorious for being memory hogs, and will hold at least one process open for each tab you have open on your computer. If something says “Not Responding” it’s possible the app itself has crashed. “End task” on apps that are not responding may return your computer to temporary usability. Save what data you can and reboot. If CPU and/or Memory usage remains high after a reboot and closing all applications, you might have a malware infection. Skip immediately to #5 or call a professional.
- Check your network connection – so many apps rely on the internet that unpredictable things may happen if your network connection is unreliable. Check your physical Ethernet connections, Wi-fi signal strength, bandwidth speed, etc. If something is wonky with your internet, your computer may manifest that problem in unexpected ways. If bandwidth seems unusually slow and you aren’t the only one using it, someone else on the network may be hogging it up, either intentionally (Game of Thrones stream?) or unintentionally due to a malware infection.
- Reboot your router or access point – depending on who’s impacted, and whether you are feeling confident on which thing is the router, AP or switch, cycling the power on your core infrastructure may clear up a lot of strange behavior. That’s right, even your home office has a “core infrastructure”! Just make sure you warn everyone affected (officemates, employees, family, etc.) that you are taking the “reboot mantra” to the next level. Not sure which one is which? Make a call to your ISP help desk or your local, friendly technician at C2 for some guidance.
- Run a malware scan -assuming you are not a managed services client of C2 (we take care of this part for you!), fire up your anti-malware software and run a full scan. Didn’t find anything? Get a second opinion and run Malwarebytes. Want a third opinion? Try herdProtect. Not sure if you have anti-malware software installed? Might be a good time to call us for a checkup.
Many garden-variety Windows issues can usually be nipped in the bud with the above 5 practices. Practicing safe-computing will keep you out of harm’s way for everything else. As always, avoid attachments, don’t click strange links or popups and practice constant vigilance to keep your data safe!
Several clients learned some hard lessons this week. First and foremost, no one is immune from malware, no matter how much money and time is invested in security. If you still don’t believe this, you might be surprised to know that the White House was hacked recently. Granted, I made fun of government-run websites and their pitiful security, but one has to imagine that the Secret Service takes POTUS security very seriously, and yet Russian hackers seemed to be able to access sensitive information by fooling someone through a phishing email. Yes, email. That indispensable tool that we can’t live with and can’t live without. While we are frequently the agents of our own demise (surely this email from this overseas lawyer about a long lost inheritance is real this time), we can also be the agents of our own salvation as well.
Let me testify!
Above all, stop opening attachments sent via email, and likewise, look for ways to stop sending attachments via email. There are tons of secure file sharing options out there (keep in mind we don’t consider the free Dropbox among them…yet), but as long as the business world continues to rely on attachments to get things done, cyber criminals will exploit your willingness to open things sent to you via email. Resist the urge to open attachments even if you recognize the sender, and verify via phone if they indeed sent the attachment. Here’s an important clue: financial institutions, law enforcement, government agencies and just about any large consumer-serving company will not send you an attachment in order to get you do something or notify you of important information. FedEx nor UPS do not send you delivery confirmations as attachments. Neither your bank or credit card company will send you an attachment asking you to open them. If you receive what you believe to be a legitimate attachment from a company with which you do business, call them to verify they sent you that file. Ninety-nine times out of one hundred, they did not send that file. I guarantee that you will receive emails that look and read 100% legitimate, but will in fact be clever attempts to trick you into nasty malware infection. Even the best anti-malware software won’t be 100% effective all the time. The criminals who send you attachments anticipate you have some form of protection installed, and their payloads are designed to turn that “foot in the door” into a full-scale home invasion, anti-malware or no.
The best management coaches say to always pair a “stop doing this” with a “start doing this”. Are you backing up your data? If not, you need to start, right now. If you are, have you checked your backups lately? Tried restoring a file? Are your backups stored offsite? One of the clients mentioned above was thoroughly decimated by the infamous cryptolocker malware. Not only did it take out a principle workstation and all data, it also kidnapped their server data and mangled their backups, primarily because they were onsite and not designed to go back more than a week before being overwritten. Cryptolocker is infamous for hiding out for days before making its presence known, precisely to destroy local backups in this fashion. If you are using proper offsite backups, either through rotating media offsite manually or by using a cloud-based platform, this form of infection is annoying but survivable. Do yourself a favor and review your backup strategies immediately!
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Over the past twenty-plus years that I’ve been working in the industry, the “personal computer” has gone from from obscurity to commonplace. Some of you may have been in the workforce long enough to remember when your organization first started using email, desktop publishing, and spreadsheets. At the time, everyone needed training, and often it was requirement before anyone was allowed to use or even requisition a computer. On top of this, they were very expensive, and justifying the ROI often meant they were only used for very specialized parts of the business. Today, having PCs in the workplace is taken for granted. Likewise, I’ve seen an increasing expectation that all employees know how to use a computer, and in some cases, a high level of proficiency is just assumed, regardless of training, background, experience or industry.
While it’s largely true that computers have become much easier to use than in decades previous, they have also become much more complex – both in functionality and in how intertwined they have become with modern life. Remember the “golden days” of automobiles where any red-blooded American could roll up their sleeves and work on their own cars? Nowadays even professional mechanics rely heavily on computers to figure out what’s wrong with your car. Most people were never even presented with the opportunity to “pop the hood” of their computers, and despite the prevalence of modern technology everywhere we look, only a miniscule percentage of us ever go beyond cracking the case of our computer to blow out the dust bunnies with canned air.
Why this is important to business owners and leaders:
Do you remember when being proficient in computers was considered “geeky” or “nerdy”? Now the opposite is true – we joke about folks that struggle with their smartphones and computers. The assumption that “everyone” knows how to use a computer can lead to other more dangerous assumptions about your organization’s security. In today’s technology security environment, humans remain the weakest link, and the bad guys know this.
Do you assume your employees know to not use work email for personal use?
When email was new to the workplace, this rule was strictly enforced, but times and workplace culture has changed. Now that everyone has email, computers and smartphones, enforcing this practice has often been de-emphasized in the pursuit of “work-life balance” or outright dismissed by companies attempting to shed “uptight” business culture roots. Unfortunately, co-mingling personal and business technology can result in significant security risks for both the business and the individual.
Do you assume your employees know what do when they get a virus infection?
Depending on your company’s culture, the employee might be too scared or ashamed to admit they’ve been compromised, even if you have an IT person or department ready and waiting to help them. An unreported security breach can lead to Sony-sized hacks on your organization.
Do you have a technology usage and/or security policy for your company? If yes, do your employees understand and adhere to this policy? How do you know?
The most dangerous assumption here is that making your employees sign an agreement acknowledging this policy equates to enforcement. Proficient technology use requires training, and using this same technology securely requires regular training and checks. Just like technology itself, the practices and office culture surrounding its use are constantly changing, and both the company policy and the employee’s knowledge should be updated regularly.
Image courtesy of pakorn at FreeDigitalPhotos.net
Chinese computer manufacturer Lenovo (IBM’s former hardware division) is making headlines this month, but not the kind that most companies covet. Until as recently as January 2015, Lenovo has shipped a large number of computers with pre-installed software from adware company Superfish. In and of itself, this isn’t an uncommon practice – hardware manufacturers commonly reduce manufacturing costs for their consumer products by striking deals with various companies who pay to have their software installed on brand-new computers. As initially reported by security researcher Marc Rogers, the Superfish partnership was a bad one for Lenovo, not only because the software itself was already notorious for being adware, but also because it compromises the built-in security of your computer’s SSL protocols to do its dirty work. Lenovo initially tried to downplay the problem, but pressure from the security community and the resulting media attention has since caused Lenovo to reverse its position 180 degrees. The CTO apologized in an open letter, and the company has issued a fix that completely removes the vulnerable software.
What this means for you:
Unless you are really into the technical details, the “what” and “how” of the Superfish vulnerability is much less important than the “why” and the “who”. In this case, we know why Lenovo installed Superfish – presumably they benefitted financially in some fashion. The real problem behind this fiasco is that Lenovo (a “trusted” brand – I use a Yoga 3 while I’m out seeing clients) missed the security flaws in this arguably useless piece of software and endangered thousands of its customers for no other reason than to make a buck. Can any hardware manufacturer be trusted to have our security in mind when making and selling their products? If the most recent NSA hard drive firmware scandal is to be believed, I’d say the answer is a resounding “no”. As we’ve seen with numerous other industries, when a company is held more accountable to shareholder profit (or “patriotic” duty?) than to consumer wellbeing, the only person we can trust is ourselves.
Unfortunately, manufacturers like Lenovo, Dell and HP have made a bed that is now very uncomfortable in which to lie. Their practice of installing “bloatware” on their equipment have driven prices down to a level that may be very difficult to maintain if they can’t lean on the dollars gained by these pre-installed software deals. At minimum, they’ll have to be much more discerning on what they pre-install, which, in turn, will drive up costs and narrow their margins even further.
Russian security firm Kaspersky has just released details of an elaborate, multi-year, multi-country heist that netted hundreds of millions for the group orchestrating the crime. Rather than a series of spectacularly violent bank robberies, this campaign played out quietly and slowly on the technology infrastructure of over 100 financial institutions in 30 different countries. Unfortunately for us, Kaspersky and the banking industry are keeping specific names out of the public spotlight, as expected. It can be assumed that the organizations involved don’t want to damage their reputations, and authorities typically refuse to comment on onging investigations. How did the criminals gain such unprecedented access? Simple malware campaigns targeting employees and officials, which eventually led to a fully compromised infrastructure that allowed the criminals to quietly funnel away millions and leave very few traces behind.
What this means for you:
It may sound a bit cliched to trot out the saying, “There are 2 types of companies, ones that have been hacked, and ones that have been hacked and don’t know it,” but in this case, the criminals were able to steal vast amounts of money by staying well under the radar, an approach that is at direct odds with the normally disruptive and in-your-face style of malware and hacking many people have encountered previously. By lurking quietly in the background, the criminals gained complete familiarity with organizational procedures and employee habits, allowing them to digitally impersonate privileged officials and processes to move money around and out of the organization with impunity. Without a smoking gun, shell casings, fingerprints or DNA evidence, the only trail authorities could follow was the money one – a trail that was obfuscated by digital sleight-of-hand and spoofed internet addresses. Even though your organization may not be targeted for this kind of heist, there are many other types of data cybercriminals value, and it’s in their best interest to not get caught. Don’t look for the obvious malware symptoms – those types of attacks are analogous to vandalism and random, impersonal pollution. The real cyberattack you need to worry about is the one you can’t see.
Image courtesy of 1shots at FreeDigitalPhotos.net
If you didn’t hear it on the news, you probably got an email from Anthem letting you know that your personal information has been exposed in a massive data breach that impacts over 80 million people served by the medical insurer. According to Anthem’s own website established to address this breach, no medical records or credit card information was stolen (that they know of) which is a faint blessing in the face of what was stolen: names, addresses, birthdates, social security numbers, phone numbers, email addresses and employment history. In other words, everything a thief needs to steal your identity.
What this means for you:
As before with other large data breaches, there’s not a darn thing you could have done to protect yourself from the attack. If you just happened to not be a current or former Anthem-covered individual, it’s likely your information was stolen previously in any of the numerous other breaches from last year. Anthem will be offering free credit monitoring to all affected individuals, something that is going to sting their deep pockets signicantly, but will do little good in the long term. Why? Well, unlike credit card numbers, addresses or phone numbers, 80 million people aren’t going to change their names, dates of birth or social security numbers. Identity thefts can outwait the one year of monitoring (still unconfirmed, one year is my guess) that Anthem will provide. You can bet a large number of people won’t continue that service on their own dime, but you might want to consider factoring this type of fee permanently into your annual budgets. Or at least until someone can figure out how to secure our identities and credit better.
From a business standpoint, Anthem’s plight illustrates an important lesson. Though current legislation recommends this sort of data be encrypted, it is not a requirement. Shouldn’t Anthem have taken the extra step to protect your data? Does the government need to mandate common sense and best practice? Will Anthem’s current nightmare convince you to enforce more strict security practices in your own work and personal life? I don’t think you need me to tell you that if you want a prosperous and sustainable business protecting your sensitive data is no longer a recommendation, it’s a requirement.










