Last Thursday within hours of one another two huge consumer multinationals announced that their second quarter earnings would be negatively impacted because of Petya based cyber-attacks.

According to the Financial Times, Mondelez International, purveyors of confections including Cadbury chocolates and Oreo cookies announced their financial pruning just a few hours after UK-based consumer goods conglomerate Reckitt Benckiser had announced theirs.

Petya Having a Greater Impact than Wanna Cry

If you were to look at a map of the distribution of Wanna Cry vs Petya you might think that Wanna Cry would be having the larger negative impact on global enterprises. However, this is turning out not to be the case, with Petya causing far more turmoil within large corporations because files are vanquished, not held for ransom.

From the Financial Times

“Cyber security experts dealing with the attack, which started in Ukraine, have advised stricken clients there is no hope of recovering infected systems. Unless organisations have backups of encrypted data, it is lost for good, they have warned. Western security officials say the severity of Petya’s impact points to its true purpose: not monetary gain, but pure destruction. Researchers at many of the world’s largest cyber security firms — including FireEye, Talos, ESET, Symantec and Bitdefender — have come to the same conclusion. “We believe with high confidence that the intent of the actor behind [Petya] was destructive in nature and not economically motivated,” Talos, the cyber security arm of Cisco told clients this week.”

Security Needs a Holistic Approach

What’s next? No one knows for certain, but with the NSA’s bag of tricks having been released into the wild a little under a year ago you can bet that the number and potency of attacks is only going to get worse. A holistic approach to security that includes encrypted data backup is going to become de ri·gueur.

At Konsultek we assess each client’s needs and develop security solutions that meet those needs in the most economical way possible. If this sounds like a sensible approach to security to you, give us a call to discuss your particular situation.

 

read more

Last week Chipotle completed its investigation into the breach they initial reported on in late April.

The breach, which took place during the time period March 24, 2017 and April 18, 2017, has been attributed to malware that infected the POS systems at Chipotle locations around the country.

What Information Was Lost?

According to Chipotle’s public release, “the malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device.”

Illinois Locations Affected

If you visited any of the Chipotle locations below between March 24, 2017 and April 18, 2017 there is good reason to believe your data may have been compromised.

  • Addison: 1078 N. Rohlwing Rd.
  • Algonquin: 412 N. Randall Road
  • Arlington Heights: 338 E. Rand Road
  • Aurora: 848 N. Route 59, 2902 Kirk Road, 1480 North Orchard Road
  • Berwyn: 7140 W. Cermak Road
  • Bloomingdale: 396 W. Army Trail Road, 170 E. Lake St.
  • Bloomington: 305 N. Veterans Parkway
  • Bolingbrook: 274 S. Weber Road
  • Bourbonnais: 1601 Route 50
  • Champaign: 903 W. Anthony Drive, 528 East Green Street
  • Chicago:(Over 50 Locations) Visit Chipotle for full list
  • Cicero: 2201 S. Cicero Ave.
  • Countryside: 5801 S. La Grange Road
  • Crestwood: 13340 S. Cicero Ave.
  • Crystal Lake: 5006 Northwest Highway
  • Deerfield: 675 Deerfield Road
  • DeKalb: 2383 Sycamore Road, 1013A W. Lincoln Highway
  • Downers Grove: 1556A Butterfield Road, 1203 W. Ogden Ave
  • East Peoria: 300 W. Washington St.
  • Effingham: 1207 Keller Drive
  • Elk Grove Village: 910 Elk Grove Town Center
  • Elmhurst: 353 S. Route 83, 139 York Road
  • Evanston: 711 Church St.
  • Fairview Heights: 6415 N. Illinois St.
  • Frankfort: 11129 W. Lincoln Highway
  • Geneva: 1441 S. Randall Road
  • Glen Ellyn: 695 Roosevelt Road
  • Glenview: 3846 Willow Road, 2341 Willow Road
  • Gurnee: 6040 Gurnee Mills Boulevard
  • Highland Park, 1849 Green Bay Ave.
  • Hoffman Estates: 4600 Hoffman Boulevard, 15 E. Golf Road
  • Homer Glen: 14114 S. Bell Road
  • Homewood: 17700 Halsted St.
  • Joliet: 2848 Plainfield Road, 2609 W. Jefferson St.
  • Kildeer: 20505 N. Rand Road
  • La Grange: 40 N. La Grange Road
  • Lake Bluff, 945 Rockland Road
  • Libertyville: 139 N. Milwaukee Ave.
  • Lincolnshire: 950 Milwaukee Ave.
  • Lincolnwood: 7150 N. McCormick Ave.
  • Machesney Park: 1570 W. Lane Road
  • Matteson: 4815 W. 211th St.
  • McHenry: 2304 Richmond Road
  • Melrose Park: 1401 W. North Ave.
  • Mokena: 19130 S. LaGrange Road
  • Moline: 3941 41st Avenue Drive
  • Mount Prospect: 102 E. Kensington Road
  • Naperville: 2856 Route 59, 22 E. Chicago Ave, 1516 North Naper Boulevard
  • Niles: 8480 W. Golf Road
  • Normal: 701 S. Main St, 1601 E. College Ave.
  • Norridge: 4234 N. Harlem Ave.
  • Northbrook: 786 N. Skokie Boulevard
  • Oak Brook: 2103 Clearwater Drive
  • Oak Lawn: 6230B W. 95th St., 11018 S. Cicero Ave.
  • Oak Park: 1128 W. Lake St.
  • Oak Brook: 18W050 22nd St.
  • Ontario: 291 E. Ontario
  • Orland Park: 15240 S. LaGrange Road: 2432 Route 34
  • Oswego: 2432 Route 34
  • Palatine: 781 E. Dundee Road
  • Park Ridge: 119 S. Northwest Highway
  • Peoria: 4512 N. Sterling Ave.
  • Plainfield: 12720 S. Route 59
  • Rockford: 751 S. Perryville Road
  • Rolling Meadows: 1211 Golf Road
  • Romeoville: 253 S. Weber Road
  • Rosemont: 7020 N. Manheim Road
  • Round Lake Beach: 1936 N. Route 83
  • Schaumburg: 601 N. Martingale Road, 2570 W. Schaumburg Road
  • Skokie: 9408 Skokie Boulevard, 5373 Touhy Ave.
  • South Elgin: 348 Randall Road
  • Springfield: 2579 Wabash Ave.
  • St. Charles: 3821 Main St.
  • Tinley Park: 15980 S. Harlem Ave.
  • Vernon Hills: 375 N. Milwaukee Ave.
  • Villa Park: 298 W. North Ave.
  • Warrenville: 28251 Diehl Road
  • Waukegan: 940 S. Waukegan Road
  • West Dundee: 201 N. 8th St.,
  • Westmont: 300 E. Ogden Ave.
  • Wheaton: 811 E. Butterfield Road, 2119 W. Roosevelt Road
  • Wheeling: 1572 W. Lake Cook Road
  • Willowbrook: 7173 Kingery Highway

Affected? What Do You Do Now?

Since the exact time frame of the breach varies by location you should visit here, scroll to the bottom of the page and fill in the locations you may have visited during the broader time frame.  If you find that you are indeed the likely victim of a breach you can follow the directions from Chipotle regarding account monitoring and identity protection.

Here is the overview of what Chipotle advises…

“It is always advisable to remain vigilant to the possibility of fraud by reviewing your payment card statements for any unauthorized activity. You should immediately report any unauthorized charges to your card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner.  The phone number to call is usually on the back of your payment card.  Please see the section that follows this notice for additional steps you may take.”

 

read more

Symantec’s 2017 Internet Security Threat Report (ISTR) lists the Services Industry at the top of its 2016 list of most hacked industries followed by Finance, Insurance, & Real Estate. These two industries were at the top of the list for 2015 showing that their popularity with cyber-criminals has not waned.

Drilling down to a more granular level we see that specifically, Business Services and Health Services top the charts. Given the strict reporting requirements in the healthcare segment it is really no surprise to see this niche at the top of the list. Business Services, a still rather broad sub-niche, tops the list accounting for nearly a quarter of all incidents.

Some Historical Perspective

According to Symantec’s data, by the end of 2016 over 7 billion identities have been stolen over the last 8 years! That is nearly 1 identity for every single living person on the planet.

Looking at just the past 3 years, the trend in breach and data loss looks like this:

At first glance 2015’s Identities Stolen figure might seem like a misprint with approximately half the identities stolen as compared to 2014 and 2016. But as the chart below shows, major breaches just on either side of 2015 led to the spikes in its neighboring years.

2014 of course reflects both the Home Depot and Target breaches while 2016 includes the mega breach of Friend Finder Networks.

You have a friend in Konsultek

No matter what your industry or your business size, Konsultek can help you secure your business network and data. Our custom solutions are both robust and cost effective and our suite of managed services give even the smallest organizations access to world class security solutions with little to no capital expense. Gives us a call and learn more about our free vulnerability assessments.

Symantec’s 2017 Internet Security Threat Report (ISTR) lists the Services Industry at the top of its 2016 list of most hacked industries followed by Finance, Insurance, & Real Estate. These two industries were at the top of the list for 2015 showing that their popularity with cybercriminals has not waned.

 

Drilling down to a more granular level we see that specifically, Business Services and Health Services top the charts. Given the strict reporting requirements in the healthcare segment it is really no surprise to see this niche at the top of the list. Business Services, a still rather broad sub-niche, tops the list accounting for nearly a quarter of all incidents.

Some Historical Perspective

According to Symantec’s data, by the end of 2016 over 7 billion identities have been stolen over the last 8 years! That is nearly 1 identity for every single living person on the planet.

Looking at just the past 3 years, the trend in breach and data loss looks like this:

At first glance 2015’s Identities Stolen figure might seem like a misprint with approximately half the identities stolen as compared to 2014 and 2016. But as the chart below shows, major breaches just on either side of 2015 led to the spikes in its neighboring years.

2014 of course reflects both the Home Depot and Target breaches while 2016 includes the mega breach of Friend Finder Networks.

You have a friend in Konsultek

No matter what your industry or your business size, Konsultek can help you secure your business network and data. Our custom solutions are both robust and cost effective and our suite of managed services give even the smallest organizations access to world class security solutions with little to no capital expense. Gives us a call and learn more about our free vulnerability assessments.

read more

Rather than write the 1000th post about WannaCry (although our Partners at Proofpoint, their Engineer Darien Huss and a fellow called MalwareTech deserve a serious shout-out from the world for stopping WannaCry) I decided to cover something with potentially huge financial implications that has virtually gone under the radar by comparison.

While WannaCry was grabbing the cybersecurity headlines for the week, it turns out that online signature giant DocuSign was more quietly and in a rather methodical fashion, publicly disclosing the details of a significant and serious cyberbreach themselves.

Here’s an abbreviated timeline of what we know so far from DocuSign themselves.

Update 5/9/2017 – Malicious Email Campaign

DocuSign is tracking a malicious email campaign where the subject reads: “Completed: docusign.com – Wire Transfer Instructions for recipient-name Document Ready for Signature”.

The email contains a link to a downloadable Word Document which is designed to trick the recipient into running what’s known as macro-enabled-malware.

Update 5/15/2017 – Malicious Email Campaign

DocuSign is tracking a malicious email campaign where the subject reads: Completed *company name* – Accounting Invoice *number* Document Ready for Signature;The email contains a link to a downloadable Word Document which is designed to trick the recipient into running what’s known as macro-enabled-malware.

These emails are not associated with DocuSign. They originate from a malicious third-party using DocuSign branding in the headers and body of the email. The emails are sent from non-DocuSign-related domains including dse@docus.com. Legitimate DocuSign signing emails come from @docusign.com or @docusign.net email addresses.

Update 5/15/2017 – Latest update on malicious email campaign

Last week and again this morning, DocuSign detected an increase in phishing emails sent to some of our customers and users – and we posted alerts here on the DocuSign Trust Site and in social media. The emails “spoofed” the DocuSign brand in an attempt to trick recipients into opening an attached Word document that, when clicked, installs malicious software. As part of our process in response to phishing incidents, we confirmed that DocuSign’s core eSignature service, envelopes and customer documents remain secure.

However, as part of our ongoing investigation, today we confirmed that a malicious third party had gained temporary access to a separate, non-core communication system used for service-related announcements that contained a list of email addresses. A complete forensic analysis has confirmed that only email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed. No content or any customer documents sent through DocuSign’s eSignature system was accessed; and DocuSign’s core eSignature service, envelopes and customer documents and data remain secure.

Update 5/16/2017 @ 8:55 Pacific Time – Key Update on Malicious Campaign

Q: Have the email addresses of my employees, customers or customers’ customers been exposed as part of this incident?
A: As part of our ongoing investigation, we can now confirm that no signers were on the list of email addresses that was accessed maliciously unless they had signed up for a DocuSign account. That could include direct DocuSign customers; someone who signed a document and elected to open a DocuSign account; or someone who signed up for a DocuSign freemium account – via docusign.com, through a partner integration, or via the DocuSign mobile client.

Update 5/17/2017 @ 1:02 PM Pacific Time – New Phishing Campaign Discovered Today

DocuSign has observed a new phishing campaign that began the morning of May 16 (Pacific Time). The email comes from “dse@dousign.com” with the subject “Legal acknowledgement for <person> Document is Ready for Signature” and it contains a link to a malicious, macro-enabled Word document. We suggest you do not open this email, but rather delete it immediately.

The Ultimate Phishing Scam?

This may very well be the ultimate spear phishing campaign. While the number of email addresses compromised has not been disclosed, we can assume it is A LOT and a considerable portion of those affected routinely use DocuSign multiple times a month, if not weekly or daily. Since DocuSign emails are both expected and “trusted” we can only further assume that these phishing campaigns are being effective. No official report on just how effective, so far, but perhaps we’ll get an update further details emerge.

It seems likely that this scam will continue for a very long time given that DocuSign reportedly has 100 million users.

The Lesson You Can Learn

“However, as part of our ongoing investigation, today we confirmed that a malicious third party had gained temporary access to a separate, non-core communication system used for service-related announcements that contained a list of email addresses.” (Emphasis added)

The lesson to be learned here is that in today’s world no part of your network can be considered “non-core” when it comes to security. If the data is worth saving within your network, it is worth protecting!

Konsultek and Its Partners

Konsultek and its partners like Proofpoint, CheckPoint, ForeScout, CarbonBlack and many others work together to build custom security solutions for businesses of all sizes in all markets. When you’re ready to learn about your network vulnerabilities and how to correct them please give us a call.

 

read more

There has been a major shift in the type of breach incident happening in the education services sector according to the Verizon 2017 Data Breach Investigations Report.

Can you spot the shift in the graphic below?

Source: Verizon 2017 DBIR

Cyber-Espionage has exploded since mid-2012! That’s right, because of the cutting-edge research that happens at many colleges and universities they have become a target for state-sponsored hacking.

As Verizon puts it…

“So college isn’t just pizza and tailgates—research studies across myriad disciplines conducted at universities put them in the sights of state-affiliated groups.”

So while of course the personal information of students and faculty were commonly extracted during breaches (a little more than half of all breaches) intellectual property losses were tied to a little more than a quarter of all breaches.

Targeted or Random Acts of Unkindness?

The evidence is clear that state-sponsored hacking and some criminal, profit based hacking is specifically targeting the hallowed halls of our academic institutions.

How do They do it?

Good question. Here is the answer in a graphic from the Verizon report.

Phishing email was the predominant threat vector in the social category while the use of stolen credentials was the dominant hacking technique. One interesting thing to note is the number of incidents involving Social and one or more other vector.

How Would You Like to Get a Threat Vulnerabilty Education for FREE?

At Konsultek we believe an educated client is the best client. That’s why we offer a variety of free vulnerability assessments to help you determine both your risk exposure and the likelihood of that exposure in regards to the veracity of your current security measures. Who would you rather educate you, the good guys at Konsultek or the bad guys out in the wild? Well, what are you waiting for? Pick up the phone and give us a call today so we can get your vulnerability assessment scheduled ASAP!

 

read more

Yet, Consumers Implicitly Trust Them According to a CapGemini Report

According to the CapGemini report, while banks and financial institutions enjoy an extraordinary 83% positive level of trust in the cybersecurity of their systems, just 1 in 5 banking executives surveyed are “highly confident in their ability to detect a breach, let alone defend against it.”

For comparison, e-commerce firms enjoy just a 28% positive level of trust while telecom companies and retailers score a paltry 13%.

The full CapGemini Report Can be downloaded here

Trust is a HUGE Factor In Consumer Choice

According to the report authors, trust in an institution’s ability to protect private data and provide a secure environment is a significant factor for 65% of consumers when choosing which bank to do business with.

And yet, while approximately 25% of all financial institutions have reported being a victim of some level of hack only 3% of consumers believe that their own financial institution has ever been breached. It would seem that indeed there is a “trust halo” being enjoyed by banks that the numbers suggest they do not deserve.

If this halo were to become tarnished banks could be in trouble. According to the report 74% of consumers would switch their bank or insurer if they became aware of a breach.

GPDR Regulations Will Likely Drive Transparency

The GPDR regulations set to be introduced next year should drive more transparency and quicker reporting of breaches and this may result in some tarnished halos.

“When GDPR is introduced and all breaches are likely to be made public soon after they occur, many people will be in for a surprise,” said Zhiwei Jiang, Global Head of Financial Services, Insights & Data at Capgemini. “The introduction of GDPR legislation next year is a prime opportunity for business transformation for banks and insurers to become the digital fortresses consumers believe them to be.”

Konsultek Knows Security

From financial institutions to university and healthcare organizations, Konsultek builds customized security solutions that protect networks and the data they house. If you are interested in learning exactly how your network may be vulnerable just give us a call and we’ll discuss how we can find your vulnerabilities before they are found by cybercriminals and hackers.

 

read more

Our partners at proofpoint just released there 3rd Quarter Threat Summary which you should grab here.

Here is a quick overview, by category, of what’s been trending in the way of information security threats over the past 3 months.

Email and Exploit Kits

  • Volume of malicious email that used Java scripts increased 69% vs Q2
  • The most popular malicious attachment was the ransomware Locky
  • The variety of ransomware introduced increased by 10X
  • Cybercriminals continue to hone their skills in regards to exploiting business email
  • Banking Trojans have diversified and become personalized
  • Exploit kit activity, while still rampant, fell 65% from Q2
  • PokemonGo spawned malicious counterfeits
  • Mobile exploit kits and zero days continue to haunt both iOS and Android
  • Negative and damaging content is up 50%
  • Social phishing has doubled since Q2
  • Cross-pollination between mobile and social accelerates.

Mobile

  • PokemonGo spawned malicious counterfeits
  • Mobile exploit kits and zero days continue to haunt both iOS and Android
  • Negative and damaging content is up 50%
  • Social phishing has doubled since Q2
  • Cross-pollination between mobile and social accelerates.

Social Media

  • Negative and damaging content is up 50%
  • Social phishing has doubled since Q2
  • Cross-pollination between mobile and social accelerates

How Konsultek Protects Clients

By integrating advanced threat protection from proofpoint, Carbon Black, Forescout and others, Konsultek develops customized security plans for clients all industries and all sizes. If you are ready to proactively secure your organization, give us a call to discuss your unique situation.

 

read more

You would have to be living under some sort of information security rock this week to have not heard about the massive breach at the popular cloud storage service Dropbox.

The breach, at 68,000,000 plus users, is a large one to say the least and it also means that your credentials have been leaked just as mine were if you have been a long-time Dropbox user.

I’ve Been Pwned… Have You?

Rather than rehash the breach, I thought I would make this post more of a Public Service Announcement aimed at helping our small and medium sized business clients (who often use Dropbox) navigate the breach.

First, you should head over to haveibeenpwned.com and see if in fact you have been pwned. If you are like me and use your primary email for a number of site subscriptions you will likely see a screen like this:

Now, if you are the type of person who uses the same password for multiple accounts (Shame on you! After all, you are reading an information security blog!) you should probably set aside and hour or two and start the arduous processs of changing passwords at all of your critical accounts such as banking, fincancial services, email accounts, website accounts, airline accounts etc.

If you are not a password reuser then this latest Dropbox incident is a relatively minor hassle once you get past the fact that there is a chance that anything that was stored in your Dropbox account has been stolen.

The Password Reset Process

Have you seen this email?

If not, then ostensibly you were not compromised in the breach but my advice would be to follow the steps below anyway!

If so, then you’ll want to log out of your Dropbox account and log back in.

That should elicit this message:

Which will lead to this email message:

Which leads to this:

And Voilà, your password has been changed and your account is secure once more!

How Konsultek Can Help

Reusing passwords, weak passwords, insufficient prevention technologies, sub-standard detection and response technologies are all important facets of information and network security. And, guess what? These are all facets that Konsultek addresses each time we work with a client.

If you are ready to upgrade your security, give us a call. We are here to help.

 

read more

In a narrative that could have been lifted from a Tom Clancy novel, reports surfaced this week that an elite hacking group with ties to the NSA had been hacked and a treasure trove of their hacking tools stolen.

According to theHackerNews.com, the elite covert hackers known as the “Equation Group” have been hacked and a portion of their toolkit has been released publicly. Another portion of their most potent tools and exploits is apparently up for sale at auction with an asking price of $1 Million Bitcoins!

Source: Washington Post

The hackers, who go by the name “The Shadow Brokers” had this to say about their stunning hack:

“We follow Equation Group traffic,” says the Shadow Broker. “We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.”

While the authenticity of the hack was at first questioned, many security experts from free-lancers to Kaspersky have examined the publicly leaked materials and have concluded that they are indeed products from Equation Group.

Hack or Inside Job

In an update to the rapidly unfolding story, security expert Matt Suiche spoke with an anonymous source who used to work in the NSA’s TAO (Tailored Access Operations) unit. The credible source indicated that the leaked files were stored on a physically isolated network and that either an inside mistake or purposeful act brought the files into contact with the outside world.

For certain, this story is not over yet and probably won’t be for some time. Will the final plot twists be as interesting as something penned by Clancy? We’ll have to wait and see!

In the meantime, if you have security concerns about your information and network please pick up the phone and speak with one of our operatives, um I mean team members!

 

read more

The Hackers Bazaar 2016 Update

On April 21st, 2016, posted in: Cyber Attacks, Hackers by konweb

In November 2014 we reported on the vibrancy of the underground marketplace for all things hacking related in our post titled RAND Report “Markets for Cybercrime Tools and Stolen Information: Hackers’ Bazaar”.

In this post we’ll be revisiting the topic armed with fresh data and insights from the recently released DELL SecureWorks Underground Hacker Markets 2016 Annual Report, their 3rd installment in the series that was first published in 2013.

Hackers Seek Market Differentiation through Superior Customer Experience

One of the most interesting things about the “underground” services market is just how much energy and effort is being expended to make the marketplace a more comfortable and convenient place for shoppers.

DELL SecureWorks found numerous examples of this improved customer experience including:

  • Extended customer service hours of operation
  • Emphasis on product quality experience
  • Availability of free demos and free trials
  • Emphasis on trustworthiness
  • Repeat customer discounts
  • Security of transaction including “not sharing purchase details with any 3rd parties”
  • Pay only for results after they have been delivered
  • Use of “Guarantor Services”

All of this is good news for those looking to use these criminal services for personal or corporate gain! DDOS attacks, email account hacking, social media hacking and complete legitimate business dossiers (Russian businesses) including  bank accounts, tax identification numbers and articles of incorporation can now be procured easier than ever.

Good for the Criminals, Bad for You

While all of this is good news for the criminals it puts legitimate organizations like yours at more risk. Why? Because all markets require buyers and sellers to function and the easier and safer it becomes for buyers to participate, the more demand will increase. As demand increases so does price. And, in order to meet the increased demand and take advantage of elevated prices hackers will be working harder and harder to increase supply.

Prices Going Up…

The DELL report is filled with pricing data for credit cards, personal information, hardware and hacking services. Historical information is not complete but at a glance it appears that prices have been climbing for credit card and personal information as shown below.

 

 

 

 

 

 

 

 

 

Source: DELL SecureWorks Underground Hacker Markets 2016 Annual Report

Get Proactive and Protect Your Organization

Here at Konsultek we develop custom security solutions.  From education and firewalls, intrusion detection, malware prevention and endpoint detection we have the experience and technologies to develop the correct solutions for your organization. Give us a call today to begin a dialogue about your unique situation.

 

read more