You could say that Mordechai Guri, director of the Cybersecurity Research Center at Israel’s Ben Gurion University, is obsessed with the “air gap”. His obsession, as described in depth in a fascinating Wired.com article, has resulted in some of the most arcane ways to beat the “air gap” ever devised.

Connectivity Beyond Wires and WiFi

One of the best ways to secure sensitive data is to store it on machines that are isolated from the network and the Internet by both wire and WiFi, the so-called “air gapped” machines. Makes sense, right? If your machine is not connected to the outside world, it should be impossible to breach from the outside world.

Want to take your security a step further? Place your machine in a secured metal clad room or Faraday pouch to prevent the transmission of electrical signals.

Still Not Enough

What Mordechai has proven is that a hacker who is determined and skilled enough can overcome virtually any isolation if given enough time and resources.

Here is a list of some of his most creative ways to extract data to date:

  • Altering the noise the machine’s internal fan generates
  • Changing air temperatures in patterns that the receiving computer can detect with thermal sensors
  • Blinking out a stream of information from a computer hard drive LED to the camera on a quadcopter drone hovering outside a nearby window

And a Couple of Videos Showing the Techniques in Action

The Saving Grace

The one saving grace, and the defense against most of these techniques, is that they rely upon the system having been previously compromised with malware. The malware itself would likely have been introduced via a corrupted USB drive – think Stuxnet. Still, it is fascinating research and a great reminder that security assumptions need to be constantly challenged.

Why Hackers Hack

On January 24th, 2018, posted in: Cyber Attacks, Hackers by konweb

Through the years we’ve posted a number of times on the subject of hackers and their motivations. This infographic, courtesy of Raconteur, provides an interesting look at hackers and their motivations as a function of industry, pattern and motive.

Image Courtesy of Raconteur

Konsultek Knows Security

If there is one thing you can count on, so long as there is information you are trying to secure there will be hackers. Some will be motivated by idealism, some by the challenge and some by the money to be made. That’s where we come in. No matter your organization size or focus, Konsultek can develop a customized, robust security solution that fits your needs and budget. Call us to learn more about how we can help you secure your future.


WannaCry burst onto the world stage in May, caused incredible levels of disruption around the globe and then just as quickly died when British hacker Marcus Hutchins fortuitously found a hidden “kill switch” in the code and successfully activated it.

The destruction left in WannaCry’s path was enormous. Assets in more than 150 nations were affected as the ransomware locked up digital databases and files, demanding that ransoms be paid for their release. Notable victims included Britain’s National Health Service, Germany’s national railway and multinationals Nissan and Renault.

Unified Nations Officially Blame North Korea

In a Wall Street Journal op-ed US Department of Homeland Security Advisor Tom Bossert declared North Korea was “directly responsible” for the attack and would be held fully accountable for it.

According to CNN the United Kingdom, Microsoft, the Australian, Canadian, New Zealand and Japanese Governments all came to a similar conclusion regarding the culpability of Pyongyang.

It Could Have Been Worse, Much Worse

Had the kill switch not been found (or never existed!), who knows how far WannaCry might have spread before a different solution was discovered. One thing is clear: having a completely robust security solution in place that includes secure data backup is a must moving forward. If your current security solution is out of date or incomplete, please give the engineers at Konsultek a call. Your security is our business.

That’s the message Britain’s National Audit Office has for the NHS and the Department of Health, according to theguardian.com, after concluding its investigation into the ransomware outbreak the organizations experienced in May.

Crippled by the “Relatively Unsophisticated” WannaCry

According to an independent investigation, “basic IT security” could have avoided the calamity that resulted in 19,500 medical appointments being cancelled and 600 computers associated with surgeries being locked.

“It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber-threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”

Prevention Was Possible

88 out of 236 health trusts in England had an “on-site cybersecurity assessment” performed by NHS Digital prior to the attacks taking place. These assessments identified vulnerabilities and recommended remedial actions that, unfortunately, were not followed.

Identify Vulnerabilities then Act!

The experience of the NHS and Department of Health provides an instructive lesson in how not to handle cybersecurity. The key to preventing breaches and securing networks is to identify vulnerabilities and then eliminate them before they can be exploited.

Konsultek offers a variety of vulnerability assessments to help organizations of all types and sizes identify their network vulnerabilities. These vulnerabilities are then eliminated as part of the customized security solution that is put in place. If your organization hasn’t undergone a pre-emptive vulnerability assessment, it is not too late! The information you learn could prevent a breach and, as we always stress, prevention is far less expensive than cure when it comes to cybersecurity.

In two prior posts we have discussed the impact Petya has been having on the profits of multinationals that fell victim to it. Last week, according to Bloomberg, FedEx announced it would be reducing its profit forecast by $300 million because of the impact Petya had on its Europe-based TNT Express business unit.

Most Operations Restored by Quarter’s End

Operations returned mostly to normal by the end of the third quarter, but the logistics giant confirmed that when Petya’s crippling effect was at its peak it was forced to process some transactions by hand. The $300 million hit to profits reflects a combination of lost sales, recovery costs and “stepped up” technology investments.

Relatively Isolated Impact

Fortunately for the logistics behemoth, FedEx’s broader global business was not impacted by the Petya attack, whose point of entry has been traced back to tax software used in Ukraine. Still, the impact of the Petya virus has been substantial and has accelerated the technology integration of TNT with FedEx’s Express air-shipping unit in an effort to move away from the legacy IT systems that were inherited.

Far Worse than WannaCry

We’ve reported previously that Petya has been far more disruptive and costly than WannaCry to large companies and FedEx provides a particularly useful case study since the company has been hit by both. In May, WannaCry came calling on FedEx and reportedly “didn’t cause a material disruption to its systems or raise operating costs”, according to Bloomberg.

Prevention is Better than Cure

Petya, WannaCry and other cyber-attacks can be enormously costly and yet, once the forensics have been done, they often show that the attack could have been prevented had a well-managed, holistic security plan been in place. At Konsultek, we’ve been designing and implementing such plans for organizations ranging in size from small medical offices to large, multinational airlines.

The time to begin discussions about improving your network security is today, before you and your organization have a revenue- and profit-disrupting event. Please give us a call; our security team is always ready to listen to your unique situation.

Often we report on breaches that start with spear phishing. An employee gets an email from someone posing as a trusted supplier, customer or perhaps a high-ranking fellow employee and downloads the infected attachment without a second thought.

Today we report on a completely different approach. Rather than going after one fish at a time, the folks behind the CCleaner infection decided to catch upwards of a million fish and toss the small ones back while keeping just the trophy fish.

Keep the Big Ones, Throw the Little Ones Back

Millions of people have taken advantage of the free CCleaner security tool to help them clean up and steer clear of malware, viruses and other types of hacking exploits. Unfortunately, according to reports from Morphisec and Cisco, it looks like 700,000+ computers were infected with a backdoor by downloading CCleaner. Bad enough on its own, but it was the report by Cisco’s Talos security division that revealed that this mass hack was really just the top of the funnel in an effort to penetrate a much smaller set of targets.

From 700,000+ to 20

According to Talos, code within the backdoor indicates that the infected computers were being filtered to identify whether or not they belonged to 20 or so primary targets, big tech firms such as Intel, VMware, Samsung, Sony and, wait for it… Cisco itself!

This finding abruptly turned a mass infection into what appears to be a corporate espionage play, potentially with state sponsorship.

A Couple of Take Aways

CCleaner is primarily a consumer-level product and, frankly, has no place as a security tool in any but the smallest organizations. For corporations of this size to have infected computers in their networks is alarming and suggests a breakdown in security protocol and user privileges.

Konsultek Doesn’t Use Consumer Software

Software such as CCleaner, while normally effective and safe, is a consumer-level product and not something that we at Konsultek use as part of our custom security solutions. So if your business is ready to move beyond consumer-level solutions, give us a call.

Last Thursday, within hours of one another, two huge consumer multinationals announced that their second-quarter earnings would be negatively impacted by Petya-based cyber-attacks.

According to the Financial Times, Mondelez International, purveyor of confections including Cadbury chocolates and Oreo cookies, announced its forecast cut just a few hours after UK-based consumer goods conglomerate Reckitt Benckiser had announced its own.

Petya Having a Greater Impact than WannaCry

If you were to look at a map of the distribution of WannaCry vs Petya you might think that WannaCry would be having the larger negative impact on global enterprises. However, this is turning out not to be the case, with Petya causing far more turmoil within large corporations because files are destroyed, not held for ransom.

From the Financial Times

“Cyber security experts dealing with the attack, which started in Ukraine, have advised stricken clients there is no hope of recovering infected systems. Unless organisations have backups of encrypted data, it is lost for good, they have warned. Western security officials say the severity of Petya’s impact points to its true purpose: not monetary gain, but pure destruction. Researchers at many of the world’s largest cyber security firms — including FireEye, Talos, ESET, Symantec and Bitdefender — have come to the same conclusion. “We believe with high confidence that the intent of the actor behind [Petya] was destructive in nature and not economically motivated,” Talos, the cyber security arm of Cisco told clients this week.”

Security Needs a Holistic Approach

What’s next? No one knows for certain, but with the NSA’s bag of tricks having been released into the wild a little under a year ago, you can bet that the number and potency of attacks is only going to get worse. A holistic approach to security that includes encrypted data backup is going to become de rigueur.

At Konsultek we assess each client’s needs and develop security solutions that meet those needs in the most economical way possible. If this sounds like a sensible approach to security to you, give us a call to discuss your particular situation.

Last week Chipotle completed its investigation into the breach it initially reported in late April.

The breach, which took place between March 24, 2017 and April 18, 2017, has been attributed to malware that infected the POS systems at Chipotle locations around the country.

What Information Was Lost?

According to Chipotle’s public release, “the malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device.”

Illinois Locations Affected

If you visited any of the Chipotle locations below between March 24, 2017 and April 18, 2017, there is good reason to believe your data may have been compromised.

  • Addison: 1078 N. Rohlwing Rd.
  • Algonquin: 412 N. Randall Road
  • Arlington Heights: 338 E. Rand Road
  • Aurora: 848 N. Route 59, 2902 Kirk Road, 1480 North Orchard Road
  • Berwyn: 7140 W. Cermak Road
  • Bloomingdale: 396 W. Army Trail Road, 170 E. Lake St.
  • Bloomington: 305 N. Veterans Parkway
  • Bolingbrook: 274 S. Weber Road
  • Bourbonnais: 1601 Route 50
  • Champaign: 903 W. Anthony Drive, 528 East Green Street
  • Chicago: (over 50 locations) Visit Chipotle for the full list
  • Cicero: 2201 S. Cicero Ave.
  • Countryside: 5801 S. La Grange Road
  • Crestwood: 13340 S. Cicero Ave.
  • Crystal Lake: 5006 Northwest Highway
  • Deerfield: 675 Deerfield Road
  • DeKalb: 2383 Sycamore Road, 1013A W. Lincoln Highway
  • Downers Grove: 1556A Butterfield Road, 1203 W. Ogden Ave
  • East Peoria: 300 W. Washington St.
  • Effingham: 1207 Keller Drive
  • Elk Grove Village: 910 Elk Grove Town Center
  • Elmhurst: 353 S. Route 83, 139 York Road
  • Evanston: 711 Church St.
  • Fairview Heights: 6415 N. Illinois St.
  • Frankfort: 11129 W. Lincoln Highway
  • Geneva: 1441 S. Randall Road
  • Glen Ellyn: 695 Roosevelt Road
  • Glenview: 3846 Willow Road, 2341 Willow Road
  • Gurnee: 6040 Gurnee Mills Boulevard
  • Highland Park: 1849 Green Bay Ave.
  • Hoffman Estates: 4600 Hoffman Boulevard, 15 E. Golf Road
  • Homer Glen: 14114 S. Bell Road
  • Homewood: 17700 Halsted St.
  • Joliet: 2848 Plainfield Road, 2609 W. Jefferson St.
  • Kildeer: 20505 N. Rand Road
  • La Grange: 40 N. La Grange Road
  • Lake Bluff: 945 Rockland Road
  • Libertyville: 139 N. Milwaukee Ave.
  • Lincolnshire: 950 Milwaukee Ave.
  • Lincolnwood: 7150 N. McCormick Ave.
  • Machesney Park: 1570 W. Lane Road
  • Matteson: 4815 W. 211th St.
  • McHenry: 2304 Richmond Road
  • Melrose Park: 1401 W. North Ave.
  • Mokena: 19130 S. LaGrange Road
  • Moline: 3941 41st Avenue Drive
  • Mount Prospect: 102 E. Kensington Road
  • Naperville: 2856 Route 59, 22 E. Chicago Ave, 1516 North Naper Boulevard
  • Niles: 8480 W. Golf Road
  • Normal: 701 S. Main St, 1601 E. College Ave.
  • Norridge: 4234 N. Harlem Ave.
  • Northbrook: 786 N. Skokie Boulevard
  • Oak Brook: 2103 Clearwater Drive
  • Oak Lawn: 6230B W. 95th St., 11018 S. Cicero Ave.
  • Oak Park: 1128 W. Lake St.
  • Oak Brook: 18W050 22nd St.
  • Ontario: 291 E. Ontario
  • Orland Park: 15240 S. LaGrange Road, 2432 Route 34
  • Oswego: 2432 Route 34
  • Palatine: 781 E. Dundee Road
  • Park Ridge: 119 S. Northwest Highway
  • Peoria: 4512 N. Sterling Ave.
  • Plainfield: 12720 S. Route 59
  • Rockford: 751 S. Perryville Road
  • Rolling Meadows: 1211 Golf Road
  • Romeoville: 253 S. Weber Road
  • Rosemont: 7020 N. Manheim Road
  • Round Lake Beach: 1936 N. Route 83
  • Schaumburg: 601 N. Martingale Road, 2570 W. Schaumburg Road
  • Skokie: 9408 Skokie Boulevard, 5373 Touhy Ave.
  • South Elgin: 348 Randall Road
  • Springfield: 2579 Wabash Ave.
  • St. Charles: 3821 Main St.
  • Tinley Park: 15980 S. Harlem Ave.
  • Vernon Hills: 375 N. Milwaukee Ave.
  • Villa Park: 298 W. North Ave.
  • Warrenville: 28251 Diehl Road
  • Waukegan: 940 S. Waukegan Road
  • West Dundee: 201 N. 8th St.
  • Westmont: 300 E. Ogden Ave.
  • Wheaton: 811 E. Butterfield Road, 2119 W. Roosevelt Road
  • Wheeling: 1572 W. Lake Cook Road
  • Willowbrook: 7173 Kingery Highway

Affected? What Do You Do Now?

Since the exact time frame of the breach varies by location, you should visit Chipotle’s breach notification page, scroll to the bottom of the page and fill in the locations you may have visited during the broader time frame. If you find that you are indeed the likely victim of a breach, you can follow the directions from Chipotle regarding account monitoring and identity protection.

Here is the overview of what Chipotle advises…

“It is always advisable to remain vigilant to the possibility of fraud by reviewing your payment card statements for any unauthorized activity. You should immediately report any unauthorized charges to your card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner. The phone number to call is usually on the back of your payment card. Please see the section that follows this notice for additional steps you may take.”

Symantec’s 2017 Internet Security Threat Report (ISTR) lists the Services Industry at the top of its 2016 list of most hacked industries followed by Finance, Insurance, & Real Estate. These two industries were at the top of the list for 2015 showing that their popularity with cyber-criminals has not waned.

Drilling down to a more granular level, we see that Business Services and Health Services specifically top the charts. Given the strict reporting requirements in the healthcare segment, it is really no surprise to see this niche at the top of the list. Business Services, a still rather broad sub-niche, tops the list, accounting for nearly a quarter of all incidents.

Some Historical Perspective

According to Symantec’s data, by the end of 2016 over 7 billion identities had been stolen over the preceding 8 years! That is nearly 1 identity for every single living person on the planet.

Looking at just the past 3 years, the trend in breach and data loss looks like this:

At first glance, 2015’s Identities Stolen figure might seem like a misprint, with approximately half as many identities stolen as in 2014 and 2016. But as the chart below shows, major breaches on either side of 2015 led to the spikes in its neighboring years.

2014 of course reflects both the Home Depot and Target breaches while 2016 includes the mega breach of Friend Finder Networks.

You have a friend in Konsultek

No matter what your industry or your business size, Konsultek can help you secure your business network and data. Our custom solutions are both robust and cost-effective, and our suite of managed services gives even the smallest organizations access to world-class security solutions with little to no capital expense. Give us a call and learn more about our free vulnerability assessments.

Rather than write the 1000th post about WannaCry (although our partners at Proofpoint, their engineer Darien Huss and a fellow called MalwareTech deserve a serious shout-out from the world for stopping WannaCry), I decided to cover something with potentially huge financial implications that has, by comparison, virtually gone under the radar.

While WannaCry was grabbing the cybersecurity headlines for the week, it turns out that online signature giant DocuSign was, more quietly and in a rather methodical fashion, publicly disclosing the details of a significant and serious breach of its own.

Here’s an abbreviated timeline of what we know so far, from DocuSign themselves.

Update 5/9/2017 – Malicious Email Campaign

DocuSign is tracking a malicious email campaign where the subject reads: “Completed: docusign.com – Wire Transfer Instructions for recipient-name Document Ready for Signature”.

The email contains a link to a downloadable Word document which is designed to trick the recipient into running what’s known as macro-enabled malware.

Update 5/15/2017 – Malicious Email Campaign

DocuSign is tracking a malicious email campaign where the subject reads: “Completed *company name* – Accounting Invoice *number* Document Ready for Signature”. The email contains a link to a downloadable Word document which is designed to trick the recipient into running what’s known as macro-enabled malware.

These emails are not associated with DocuSign. They originate from a malicious third-party using DocuSign branding in the headers and body of the email. The emails are sent from non-DocuSign-related domains including dse@docus.com. Legitimate DocuSign signing emails come from @docusign.com or @docusign.net email addresses.

Update 5/15/2017 – Latest update on malicious email campaign

Last week and again this morning, DocuSign detected an increase in phishing emails sent to some of our customers and users – and we posted alerts here on the DocuSign Trust Site and in social media. The emails “spoofed” the DocuSign brand in an attempt to trick recipients into opening an attached Word document that, when clicked, installs malicious software. As part of our process in response to phishing incidents, we confirmed that DocuSign’s core eSignature service, envelopes and customer documents remain secure.

However, as part of our ongoing investigation, today we confirmed that a malicious third party had gained temporary access to a separate, non-core communication system used for service-related announcements that contained a list of email addresses. A complete forensic analysis has confirmed that only email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed. No content or any customer documents sent through DocuSign’s eSignature system was accessed; and DocuSign’s core eSignature service, envelopes and customer documents and data remain secure.

Update 5/16/2017 @ 8:55 Pacific Time – Key Update on Malicious Campaign

Q: Have the email addresses of my employees, customers or customers’ customers been exposed as part of this incident?
A: As part of our ongoing investigation, we can now confirm that no signers were on the list of email addresses that was accessed maliciously unless they had signed up for a DocuSign account. That could include direct DocuSign customers; someone who signed a document and elected to open a DocuSign account; or someone who signed up for a DocuSign freemium account – via docusign.com, through a partner integration, or via the DocuSign mobile client.

Update 5/17/2017 @ 1:02 PM Pacific Time – New Phishing Campaign Discovered Today

DocuSign has observed a new phishing campaign that began the morning of May 16 (Pacific Time). The email comes from “dse@dousign.com” with the subject “Legal acknowledgement for <person> Document is Ready for Signature” and it contains a link to a malicious, macro-enabled Word document. We suggest you do not open this email, but rather delete it immediately.
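The sender domains and subject lines in DocuSign’s updates above translate directly into a mail-triage check. The Python script below is an added example, not DocuSign’s or Konsultek’s code: the sample messages are constructed from the subjects quoted above, the link hosts are placeholders, and the three-edit lookalike threshold is an assumption.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Sender domains DocuSign names as legitimate for its signing emails.
LEGITIMATE_DOCUSIGN_DOMAINS = {"docusign.com", "docusign.net"}
# Subject phrasing shared by the three campaigns DocuSign described.
SIGNATURE_SUBJECT = re.compile(r"document\s+(?:is\s+)?ready\s+for\s+signature", re.I)
# Links to Word documents; the campaigns linked to macro-enabled Word files.
WORD_LINK = re.compile(r"https?://\S+\.docm?\b", re.I)
# Assumed threshold: a sender label within 3 edits of "docusign" is a lookalike.
LOOKALIKE_MAX_EDITS = 3

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches lookalikes such as docus.com or dousign.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Lower-cased domain of the address in a From header ('' if none)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def classify_message(raw: str) -> dict:
    """Triage one RFC 822 message: a verdict plus the evidence it rests on."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    domain = sender_domain(str(msg["From"] or ""))
    branded = "docusign" in subject.lower() or bool(SIGNATURE_SUBJECT.search(subject))
    word_links = WORD_LINK.findall(text)

    if domain in LEGITIMATE_DOCUSIGN_DOMAINS:
        # Only the header is checked here; SPF/DKIM/DMARC results must back it up.
        verdict = "legitimate-sender-domain"
    elif branded:
        label = domain.split(".")[0]
        if edit_distance(label, "docusign") <= LOOKALIKE_MAX_EDITS:
            verdict = "lookalike-domain"
        else:
            verdict = "brand-impersonation"
    else:
        verdict = "not-docusign-branded"
    return {"verdict": verdict, "domain": domain, "word_links": word_links}

# Constructed samples modelled on the subjects DocuSign reported; the link
# hosts are placeholders, not real indicators.
SAMPLES = {
    "wire_transfer": (
        "From: DocuSign <dse@docus.com>\n"
        "Subject: Completed: docusign.com - Wire Transfer Instructions for "
        "Jane Doe Document Ready for Signature\n\n"
        "Review the document: http://files.example.invalid/wire.doc\n"
    ),
    "legal": (
        "From: dse@dousign.com\n"
        "Subject: Legal acknowledgement for John Doe Document is Ready for Signature\n\n"
        "Download: http://files.example.invalid/legal.docm\n"
    ),
    "legitimate": (
        "From: DocuSign <dse@docusign.net>\n"
        "Subject: Completed: Office lease Document Ready for Signature\n\n"
        "Open the envelope in DocuSign.\n"
    ),
    "unrelated": "From: news@example.org\nSubject: Weekly digest\n\nHello.\n",
}

def triage_all() -> dict:
    """Verdict for every sample, keyed by sample name."""
    return {name: classify_message(raw)["verdict"] for name, raw in SAMPLES.items()}
```

The From header is attacker-controlled, so a match on a legitimate domain is only meaningful alongside the SPF/DKIM/DMARC results recorded by the receiving mail gateway.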

The Ultimate Phishing Scam?

This may very well be the ultimate spear phishing campaign. While the number of email addresses compromised has not been disclosed, we can assume it is A LOT, and a considerable portion of those affected routinely use DocuSign multiple times a month, if not weekly or daily. Since DocuSign emails are both expected and “trusted”, we can only further assume that these phishing campaigns are proving effective. There is no official report on just how effective so far, but perhaps we’ll get an update as further details emerge.

It seems likely that this scam will continue for a very long time given that DocuSign reportedly has 100 million users.

The Lesson You Can Learn

“However, as part of our ongoing investigation, today we confirmed that a malicious third party had gained temporary access to a separate, non-core communication system used for service-related announcements that contained a list of email addresses.” (Emphasis added)

The lesson to be learned here is that in today’s world no part of your network can be considered “non-core” when it comes to security. If the data is worth saving within your network, it is worth protecting!

Konsultek and Its Partners

Konsultek and its partners like Proofpoint, CheckPoint, ForeScout, CarbonBlack and many others work together to build custom security solutions for businesses of all sizes in all markets. When you’re ready to learn about your network vulnerabilities and how to correct them please give us a call.