Last September 21st we first discussed the CCleaner breach. In that post we described how the hackers behind the attack used the malicious doppelganger software to cast a wide net, infecting hundreds of thousands of users in the hope of finding a few big fish amongst the fry.

Yesterday on the Avast blog, Avast CTO Ondrej Vlcek shared some insights and a timeline that show just how the breach developed.

How Does a Security Company Get Breached?

The old-fashioned way – with user credentials!

According to Vlcek:

To initiate the CCleaner attack, the threat actors first accessed Piriform’s network on March 11, 2017, four months before Avast acquired the company, using TeamViewer on a developer workstation to infiltrate. They successfully gained access with a single sign-in, which means they knew the login credentials. While we don’t know how the attackers got their hands on the credentials, we can only speculate that the threat actors used credentials the Piriform workstation user utilized for another service, which may have been leaked, to access the TeamViewer account.

Updating the Numbers

In our initial post we cited experts from Talos who were putting the size of the infection at approximately 700,000 users with approximately 20 of those becoming actual targets for the second stage of the exploitation. Yesterday Vlcek provided more accurate figures.

In terms of CCleaner, up to 2.27 million CCleaner consumers and businesses downloaded the infected CCleaner product. The attackers then installed the malicious second stage on just 40 PCs operated by high-tech and telecommunications companies. We don’t have proof that a possible third stage with ShadowPad was distributed via CCleaner to any of the 40 PCs.

Very Similar to the NetSarang Compromise

Last year Kaspersky identified and shut down a similar attack that used an infected version of the popular server management software produced by NetSarang.

Further Kaspersky Lab analysis showed that the suspicious requests were actually the result of the activity of a malicious module hidden inside a recent version of the legitimate software. Following the installation of an infected software update, the malicious module would start sending DNS-queries to specific domains (its command and control server) at a frequency of once every eight hours. The request would contain basic information about the victim system (user name, domain name, host name). If the attackers considered the system to be “interesting”, the command server would reply and activate a fully-fledged backdoor platform that would silently deploy itself inside the attacked computer. After that, on command from the attackers, the backdoor platform would be able to download and execute further malicious code. (Emphasis added to highlight similarities)
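The beaconing behaviour Kaspersky describes above (a fixed set of domains queried on a fixed eight-hour schedule, carrying only user, domain and host name) is something a defender can hunt for in DNS logs. The script below is an added example and is not part of the original post, nor Kaspersky's or Avast's code: it groups DNS queries by client and queried name and flags any series whose inter-query intervals are nearly constant. The log format, the hostnames and the domain names in it are constructed placeholders (the `.invalid` TLD is reserved for exactly that purpose), not real indicators.

```python
"""Detect periodic DNS beaconing in a DNS query log.

Added example, not from the original post. The NetSarang implant described
above resolved a fixed set of domains once every eight hours; one host
repeatedly querying the same name at a near-constant interval is the
observable a defender can look for. All log lines, hostnames and domains
below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one query per line: "<ISO timestamp> <client> <queried name>"
# ws-dev-07 shows an 8-hour beacon to a placeholder domain mixed with normal
# browsing; ws-hr-02 shows irregular, benign lookups of a single name.
SAMPLE_LOG = """\
2017-07-18T00:02:11 ws-dev-07 www.example.com
2017-07-18T00:05:40 ws-dev-07 update.example-vendor.invalid
2017-07-18T01:40:12 ws-dev-07 www.example.com
2017-07-18T03:14:02 ws-dev-07 mail.example.com
2017-07-18T08:05:43 ws-dev-07 update.example-vendor.invalid
2017-07-18T16:05:39 ws-dev-07 update.example-vendor.invalid
2017-07-18T17:22:55 ws-dev-07 www.example.com
2017-07-19T00:05:44 ws-dev-07 update.example-vendor.invalid
2017-07-19T08:05:41 ws-dev-07 update.example-vendor.invalid
2017-07-18T01:00:00 ws-hr-02 www.example.com
2017-07-18T04:00:00 ws-hr-02 www.example.com
2017-07-18T05:30:00 ws-hr-02 www.example.com
2017-07-18T13:00:00 ws-hr-02 www.example.com
"""


def parse_log(text):
    """Yield (timestamp, client, qname) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        yield datetime.fromisoformat(ts), client, qname.lower().rstrip(".")


def find_beacons(text, min_queries=4, max_cv=0.15):
    """Return {(client, qname): (query_count, mean_interval_seconds)} for
    every (client, name) series whose gaps between queries are nearly equal.

    max_cv is the coefficient of variation (stdev / mean) of the gaps above
    which a series is treated as irregular. Real implants add jitter to
    their schedule, so this threshold is a tuning knob, not a constant.
    """
    series = defaultdict(list)
    for ts, client, qname in parse_log(text):
        series[(client, qname)].append(ts)

    hits = {}
    for key, stamps in series.items():
        if len(stamps) < min_queries:  # too few points to call a period
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:  # duplicate timestamps only; nothing periodic to measure
            continue
        if pstdev(gaps) / avg <= max_cv:
            hits[key] = (len(stamps), round(avg))
    return hits


def main():
    for (client, qname), (count, period) in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {qname}: {count} queries, ~{period / 3600:.1f} h apart")


if __name__ == "__main__":
    main()
```

On the constructed log only the placeholder vendor domain on ws-dev-07 is reported (five queries, about eight hours apart); the benign names fall out either on count or because their gaps vary too much. In practice the same grouping works on resolver or firewall DNS logs, and raising `max_cv` catches jittered schedules at the cost of more benign hits (software updaters also poll on timers, so treat a hit as a lead to triage rather than a verdict).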

Konsultek’s Approach

Protect, detect and respond are the hallmarks of a robust security solution. When Konsultek develops your custom security solution you can bet that all 3 approaches will be included. Interested in taking your security to the next level? Call us and let’s begin a dialogue.


read more

Michigan PA 95 and PA 96 were signed into law on April 2, 2018, closing a loophole that allowed cybercriminals to possess ransomware legally, according to statescoop.com. Prior to these laws taking effect, cybercriminals could only be charged after a cyberattack took place, even if an individual was suspected of planning an attack and indeed had possession of ransomware.

Minority Report?

The law has a bit of a Minority Report quality to it. In the 2002 film Minority Report, starring Tom Cruise, people could be charged with murder before they actually did anything because a group of gifted “pre-cogs” could look into the future and predict crimes before they happened.

While one could argue that there is no reason anyone should own ransomware unless they intend to use it, hundreds, if not thousands, of security researchers might argue differently.

Just the Facts

The two laws criminalize possession of ransomware “with the intent to use or employ that ransomware for the purpose of introduction into the computer, computer data, computer system, or computer network of another person, without authorization of the other person.”

There were more than 1,300 reported cases of ransomware attacks in Michigan in 2017, according to FBI statistics. In 2016 a ransomware attack on Lansing Power and Light cost nearly $2 million. According to Michigan State Representative Brandt Iden, it was that incident that drove ransomware law reform forward in the state legislature.

Getting Tough is the Trend

Michigan is the latest state to take large measures to address and contain cybercrime. Georgia recently developed an “unauthorized access” computer crime bill which essentially makes it a crime to gain unauthorized access to a network under any circumstances. This has many gray-hat hackers extremely concerned, since they derive their livelihood, and help protect us all, by gaining unauthorized access on a daily basis.

Konsultek Means Security

While cyber-crime laws can help prosecute and potentially deter cyber-crime, organizations need to make sure that they are doing their best to protect and secure their networks and data. That’s where we come in. As network security experts we develop custom, holistic security solutions for organizations of all shapes and sizes. If you and your organization are ready to take your security to the next level give us a call or hit us up on our contact form.


read more

This week’s revelation that Cambridge Analytica dug deep into the personal preferences of approximately 50 million Facebook users has cost the company approximately $60 billion in market cap and once again landed it in hot water. Because the data was accessed with Facebook’s permission, this is technically not a security breach in the traditional sense of the word; experts are instead referring to the episode as a “breach of trust”.

Facebook is People

What many people still don’t seem to grasp is how Facebook (and, to be fair, all the other social media giants) make their billions. They make them by marketing a product, and that product is YOU! More specifically, they are marketing your interests, wants, desires, financial status, relationships and more. You are the product, and companies looking to sell you products and services are the customers.

Enjoy Facebook But Limit Their Privacy Invasion

Facebook lets you use its platform, connect with friends and family, shop, like and share, all for free, so that it can turn around and sell everything it gleans to advertisers, and occasionally, unwittingly, share it with hackers. So what’s a person to do? If you enjoy using Facebook and want to continue to use it, is there any way to protect your privacy? The short answer is “no”; the longer, more nuanced answer is “yes, kinda”.

The Deep Dive on Personal Facebook Privacy

In the wake of the most recent privacy faux pas, the good folks at Wired.com published a comprehensive look at how Facebook users can continue to enjoy sharing inspirational messages and cat videos while limiting what Facebook can actually share with advertisers and other third parties.

Apps, Ads and Posts

Brian Barrett, the article’s author, recommends you lock down your account in three specific areas: apps, ads, and how you share the content you post. Taking action on all three will require you to work a bit, as none of what we might consider “security settings” are located in one central security area of your user profile; rather, they are scattered across a variety of different sections.

Fortunately, the guide is well written and includes helpful screenshots showing exactly where to go and what to do when you get there. All told, thanks to this guide you will only have to invest 10 minutes or so to tighten up your personal privacy. Without the guide I’m sure you could spend hours searching through the bowels of Facebook and still not get it right.

Konsultek’s Take

Social media and big data aggregators such as Facebook, Google, YouTube, Twitter and LinkedIn are successful because they provide tangible and intangible benefits to their users for “free”. In reality, when you joined their network you agreed to share an enormous amount of private details about yourself, your family and your friends when you blithely skipped through the 20 pages of terms of service and ticked the “I agree” box. Our recommendation is that you revisit each of these sites with a more informed eye towards personal privacy and do as much as you possibly can to tighten things up. Yes, it will take some time and your decision to protect aspects of your privacy might limit some features, but in the end you’ll be far less exposed the next time a “breach of data” or a “breach of trust” occurs.


read more

Cisco’s Annual Cyber Security Report was released today and as always it is filled with interesting insights about both sides of the cyber security battle.

Insights into Hackers and Attackers

1. Adversaries are taking malware to unprecedented levels of sophistication and impact.

Malware, especially self-propagating “worm” malware such as WannaCry and Petya, played a pivotal role in some of the biggest attacks and infections of 2017.

2. Adversaries are becoming more adept at evasion and at weaponizing cloud services and other technology used for legitimate purposes.

One trend is the use of encryption by hackers to hide their traffic from detection, especially command-and-control (C2) activity.

3. Adversaries are exploiting undefended gaps in security, many of which stem from the expanding Internet of Things (IoT) and use of cloud services.

Defenders are deploying IoT devices at a rapid pace but often pay scant attention to the security of these systems.

Insights into Security Defenders

1. Budgets are perceived to be relatively stable, growing and appropriate.

2. Breaches appear to be the biggest driver of future investments and improvements in technology and process.

3. The use of outsourcing is growing as a means of dealing with security threats, especially in the areas of monitoring and incident response.

Konsultek’s Take

Cisco’s report is well written, easy to read and full of valuable insights. Many of these insights such as the growing reliance on outsourcing correlate closely with our own findings. As a pioneer in outsourced security solutions we too have seen strong growth in both the variety and volume of services our clients outsource to us.

Managed services are a cost effective way to improve security efficacy as well as scale security solutions in a growing organization. If either of these are of interest to you and your organization please give us a call to set up an introductory meeting.


read more

You could say that Mordechai Guri, director of the Cybersecurity Research Center at Israel’s Ben Gurion University, is obsessed with the “air gap”. His obsession, described in depth in a fascinating Wired.com article, has resulted in some of the most arcane ways to beat the “air gap” ever devised.

Connectivity Beyond Wires and WiFi

One of the best ways to secure sensitive data is to store it on machines that are isolated from the network and the Internet by both wire and WiFi, so-called “air-gapped” machines. Makes sense, right? If your machine is not connected to the outside world, it should be impossible to breach from the outside world.

Want to take your security a step further? Place your machine in a secured metal-clad room or a Faraday pouch to prevent the transmission of electrical signals.

Still Not Enough

What Mordechai has proven is that a hacker who is determined and skilled enough can overcome virtually any isolation if given enough time and resources.

Here is a list of some of his most creative ways to extract data to date:

  • Altering the noise the machine’s internal fan generates
  • Changing air temperatures in patterns that a receiving computer can detect with its thermal sensors
  • Blinking out a stream of information from a computer’s hard drive LED to the camera on a quadcopter drone hovering outside a nearby window

And a Couple of Videos Showing the Techniques in Action

[Embedded videos]

The Saving Grace

The one saving grace and defense against most of these techniques is that they rely upon the system having been previously compromised with malware. The malware itself would likely have been introduced via a corrupted USB drive – think Stuxnet. Still, it is fascinating research and a great reminder that the concepts of security need to be constantly challenged.


read more

Just a couple of days after the confetti had settled in Times Square, security researchers revealed two massive vulnerabilities that exist in virtually every PC and server in the world.


The vulnerabilities, named “Meltdown” and “Spectre” (James Bond fans, are we?) by the researchers who discovered them, exist at the processor level. The two differ in that Meltdown affects only processors designed and built by Intel, while the Spectre flaw is so deeply embedded in modern chip architecture design that it affects virtually all modern processors regardless of manufacturer.

Patching Things Up

Researchers, manufacturers and cloud service providers have been feverishly working to develop patches for Meltdown. The good news is that patches do appear to be on their way for both Windows and Linux machines, and that this vulnerability will be fixed before it can wreak havoc on cloud computing providers, hosting providers, businesses and individuals. I suspect this means that PC users around the world will be getting a Windows update dropped in their lap shortly. Oh, and according to some sources, expect your PC to run upwards of 30% slower once the patch is in place!

As for Spectre, early indications are that nothing short of changes to fundamental chip architecture will fully patch this vulnerability. This of course means a legacy vulnerability may well persist for many years, until PCs, phones, servers and so on are replaced as part of the normal life cycle.

2018 is Starting Off with a Bang!

Two huge vulnerabilities and the coldest holiday season on record for much of North America! Stay warm, stay inside and focus on security!


read more

According to TechRepublic.com, tech budgets were going to increase in 2017, with marked increases in security spend.

Did your organization ride this trend or buck it?

read more

What are the four questions every CEO should ask after a breach? According to an article on inc.com they are:

1. What information was impacted?

Not all information is created equal or valued equally. In general, Personally Identifiable Information (PII) is valued more highly by both cybercriminals and regulators. This means that the ramifications of losing this type of information are greater than of losing other, more generic types of information.

2. How many customers were impacted?

Of course, the more customers affected, the worse the breach in general and the more likely you are to find yourself in the press. But beyond that, the size of the breach determines how you will notify the victims and whether or not you may find yourself facing a class-action lawsuit.

3. What geographies were impacted?

Breaches are handled differently in different parts of the world. Whom you must report to, how quickly you must report, and what is considered personal information all vary depending upon who has jurisdiction.

4. Do we have logs?

Logs are the history of what actions took place on a database or server. Logs are crucial! They hold the entire history of the event, and the more accurate and detailed they are, the better. Without good logs your technical team is at a huge disadvantage when attempting to piece together how the breach occurred and what actions were taken in response.

Your Quick-Start Road Map

In summary, knowing what information was compromised, how many individuals were impacted, where they were impacted and how well your team and security measures responded to the breach gives you and your C-team the information you need in a capsule summary.

You will quickly know what types of ramifications to expect and what other resources you will need. Of course, as the event continues to unfold you will need additional, more granular information, but the answers to these four simple questions will serve you well as a “quick-start road map” for the journey ahead.

The Case for Managed Security Services

If an ounce of prevention is worth a pound of cure, then Konsultek’s managed security services may be the best way to keep your organization out of the headlines and focused on your core competencies. To learn more about the advantages of managed security services, please give us a call.


read more

It’s hard to imagine but the FBI’s IC3 turns 17 this year and in the spirit of National Cyber Security Month we thought we’d take a moment to highlight this valuable resource.

The Internet Crime Complaint Center (IC3) was established in May 2000 as a partnership between the National White Collar Crime Center (NW3C) and the Federal Bureau of Investigation. The organization gives victims of cybercrime a convenient and easy-to-use reporting mechanism that alerts authorities to suspected criminal or civil violations. IC3 provides law enforcement and regulatory agencies at all levels with a central referral system for complaints involving Internet-related crimes.

Here’s How the Process Works Today

Filing a Complaint with the IC3

The IC3 accepts online Internet crime complaints from either the actual victim or from a third party acting for the complainant. You can file yourself, or someone can file for you (for example, your security provider). The IC3 works best when it receives complete and accurate information, so before you click the big red button we suggest you follow its recommendations regarding what information to have at the ready.

Here is that list:

  • Victim’s name, address, telephone, and email
  • Financial transaction information (e.g., account information, transaction date and amount, who received the money)
  • Subject’s name, address, telephone, email, website, and IP address
  • Specific details on how you were victimized
  • Email header(s)
  • Any other relevant information you believe is necessary to support your complaint

Konsultek and the FBI

In the past Konsultek has had the pleasure of having members of the FBI’s cyber crime team join us for lunch-n-learn opportunities. We have an upcoming event in the works, so be sure to check our events page frequently, because the FBI appearances are always extremely popular and seating goes fast.


read more

While the alarming news about the massive Equifax breach is just days old, Joshua Browder, the entrepreneur behind the robo-lawyer DoNotPay.UK has already taken action on it.

Head over to the DoNotPay website and you’ll be greeted by this splash screen:

[Screenshot: DoNotPay splash screen]

Browder and his team have built upon their “chatbot” technology, which has reportedly already helped nearly 400,000 people successfully fight traffic tickets in New York.

The national aspect of the Equifax breach introduced complexities beyond the relatively simple types of legal matters, say parking tickets in Chicago, which the bot has been helping with so far.

According to reports, his biggest challenge was determining whom to sue in each state and the various idiosyncrasies of each state’s system.

You can learn more details at WashingtonPost.com and get a different perspective on this approach to suing Equifax over at dailydot.com.

Security Experts, Not Lawyers

Whether using a chatbot to sue Equifax in small claims court is a good decision or not is not our area of expertise. Keeping breaches from happening is! At Konsultek we develop customized, holistic security solutions for organizations of all shapes and sizes.

When you’re ready to learn how we can make a difference in your organization’s security, just give us a call and talk to one of our real experts, not a chatbot!


read more