Woke up today to find this gem in the mailbox. Who knew that the FBI and the Central Bank of Nigeria would be looking for me!

This email is entertaining for a couple of reasons (at least!) beyond the alleged working relationship between Mr. Comey and the Central Bank of Nigeria.

Take a look at the portions highlighted with blue text! First a warning that “you should ignore any message that does not come from the above email address and phone number for security reasons.”

Next, look at Mr. Comey’s email address. I would have thought that after all the email scandals in Washington that Mr. Comey would not be using an AOL  email address for such important and sensitive business!

Re: Urgent January Notice…….

From: James B. Comey, Jr., <fbidirector@openmailbox.org> 

Jan 18 at 12:37 PM

OFFICE OF THE EXECUTIVE DIRECTOR,

MR. JAMES B. COMEY, JR,

FEDERAL BUREAUOF INVESTIGATION,

935 Pennsylvania Avenue, NW

Washington, D.C. 20535-0001. USA.

Attention: Beneficiary,After proper investigations, we, the Federal Bureau of investigation (FBI) discovered that your impending (over-due contract) payment with Central Bank of Nigeria is 100% legal and has been approved for release to you.

We recently had a meeting with the Executive Governor of the Central Bank of Nigeria, in the person of Mr Godwin Emefiele and other top officials of the concerned Ministries regarding your case and we were made to understand that your files have been held in abeyance pending on when you personally apply for the claim.

Investigations also revealed that a lady, by name Mrs. Joan B Melvin from New York has already contacted Central Bank of Nigeria with a power of attorney and some documents, which stipulated that you have mandated her to claim your fund of US$25,000,000.00 (Twenty Five Million United States Dollars) on your behalf due to your ill health.

In view of this, we have been urged to warn US citizens who have received information pertaining to their outstanding contract payment to be very careful and not to be a victim of ugly circumstance. In case you are already dealing with anybody or office of the Central Bank of Nigeria, you are strictly advised to STOP further communication with them in your best interest and thereby contact the real office of the Central Bank of Nigeria via the below information:

 

NAME: MR. GODWIN EMEFIELE

OFFICE ADDRESS: Central Bank of Nigeria,Central Business District,

Cadastral Zone, Abuja, Federal.

Capital Territory, Nigeria.

Email: central.bnk0015@aol.com

NOTE: In your best interest, you should ignore any message that does not come from the above email address and phone number for security reasons. And to enable the Central Bank of Nigeria to process and release the fund to you, you are required to re-confirm your full details such as

FULL NAMES: __________________________________

CITY: _________________________

STATE: __________________________________

ZIP: ______________COUNTRY: _______________________

SEX: _______________AGE: __________________

TELEPHONE NUMBER: _____________________

Ensure that you follow the Central Bank of Nigeria due process as enshrined in the International Banking Secrecy Act to avoid any form of discrepancy, which may hinder your fund transfer.Thanks for your understanding and cooperation as we earnestly await your urgent response.

Best Regards,

James B. Comey, Jr.,

Federal Bureau of Investigation

J. Edgar Hoover Building,

935 Pennsylvania Avenue,

NW Washington, D.C

E-mail: jjbcomeyjr@aol.com

 

read more

An update to a 2014 poll regarding the trustworthiness of Social Media was recently released with some interesting results.

To summarize, while the use of social media is increasing (80% of the 2016 respondents indicate they use social media) the overall level of trust in the security of social media is decreasing.

One can only assume that most respondents feel that the rewards presented by social media participation outweigh the perceived increase in information security risk.

It is also interesting that when questioned about specific security threats the results indicate a flat to decreasing sense of risk.

Do you feel more or less secure in the world of social networking?


Image courtesy of Onlineprivacy.com

read more

Our partners at proofpoint just released there 3rd Quarter Threat Summary which you should grab here.

Here is a quick overview, by category, of what’s been trending in the way of information security threats over the past 3 months.

Email and Exploit Kits

  • Volume of malicious email that used Java scripts increased 69% vs Q2
  • The most popular malicious attachment was the ransomware Locky
  • The variety of ransomware introduced increased by 10X
  • Cybercriminals continue to hone their skills in regards to exploiting business email
  • Banking Trojans have diversified and become personalized
  • Exploit kit activity, while still rampant, fell 65% from Q2
  • PokemonGo spawned malicious counterfeits
  • Mobile exploit kits and zero days continue to haunt both iOS and Android
  • Negative and damaging content is up 50%
  • Social phishing has doubled since Q2
  • Cross-pollination between mobile and social accelerates.

Mobile

  • PokemonGo spawned malicious counterfeits
  • Mobile exploit kits and zero days continue to haunt both iOS and Android
  • Negative and damaging content is up 50%
  • Social phishing has doubled since Q2
  • Cross-pollination between mobile and social accelerates.

Social Media

  • Negative and damaging content is up 50%
  • Social phishing has doubled since Q2
  • Cross-pollination between mobile and social accelerates

How Konsultek Protects Clients

By integrating advanced threat protection from proofpoint, Carbon Black, Forescout and others, Konsultek develops customized security plans for clients all industries and all sizes. If you are ready to proactively secure your organization, give us a call to discuss your unique situation.

 

read more

President Obama is partnering with the National Cyber Security Alliance (NCSA) to kick-off October and  National Cyber Security Awareness Month with a  public awareness campaign they call “Lock Down Your Login.”

Anchored by a corny video with a good message the campaign advocates that individuals move beyond simple usernames and passwords to secure their accounts by adding a second layer of authentication such as fingerprint or facial recognition.

According to figures provided by the White House upwards of 62% of successful data breeches might have been prevent by the application of a second layer of authentication such as the afore mentioned biometrics or other forms of dual-authentication.

Have you added a second layer of authentication to your accounts? If not, hopefully this video will convince you to!


 

read more

Harvard Business Review recently published a very insightful piece I highly recommend you read in its entirety called “Cybersecurity’s Human Factor: Lessons from the Pentagon” .

For those of you who just want the highlights, here is a quick synopsis of what I found to be the most fascinating aspects of the article.

From Bumbling Colossus to Nimble Defender

In the not-so-long-ago dark days of network security, the US military struggled to identify and defend against threats.  All that has changed and from September 2014 to June 2015 the military rebuffed 30 million malicious attacks! Still a few got through but only 0.1% compromised systems in any way. An impressive record given the State sponsored adversaries the military must repel day in and day out.

While technical fortifications are important, what has really set the military on its trajectory to invulnerability has been its focus on eliminating human error. If you have read this blog for any length of time you know that we consistently emphasize not only the best technology but also the best in processes for this very reason.

Learning from the Admiral Himself

The US Navy Nuclear program has long been the quintessential example of a well-run, mistake free organization, what is nowadays referred to as an HRO or High Reliability Organization. The fundamental principles of the Navy Nuke program have since been transferred to other industries such as airlines, air traffic control, space flight and others. Admiral Hyman Rickover, the “Father of the Nuclear Navy” demanded excellence and adherence to process and for the span of his career personally interviewed all applying Officer Candidates.

Six Principles Every Organization Should Adopt to Ensure Security

1. Integrity – Never depart from protocols and report errors immediately

2. Depth of Knowledge – Fully understand the system’s you are responsible and their vulnerabilities

3. Procedural Compliance – Follow protocols to the letter

4. Forceful Backup – All critical activities should be closely monitored

5. A questioning Attitude – While unquestioning compliance to procedure is necessary questioning things that appear outside of the norm is equally important

6. Formality in Communication – Familiarity and slang lead to miscommunication, Formality in communication eliminates these misunderstandings.

Examples of Cyber Security Failures and the Policies that Were Violated

What the authors have found is that Cybersecurity breaches caused by human mistakes nearly always involve the violation of one or more of these six principles.  As you read them you will undoubtedly recognize some of the same behaviors in your own organization or at least easily imagine that they might very well be happening without your knowledge.

Here’s a sample of some the Defense Department uncovered during routine testing exercises:

  • A polite headquarters staff officer held the door for another officer, who was really an intruder carrying a fake identification card. Once inside, the intruder could have installed malware on the organization’s network. Principles violated: procedural compliance and a questioning attitude.
  • A system administrator, surfing the web from his elevated account, which had fewer automatic restrictions, downloaded a popular video clip that was “viral” in more ways than one. Principles violated: integrity and procedural compliance.
  • A staff officer clicked on a link in an e-mail promising discounts for online purchases, which was actually an attempt by the testers to plant a phishing back door on her workstation. Principles violated: a questioning attitude, depth of knowledge, and procedural compliance.
  • A new network administrator installed an update without reading the implementation guide and with no supervision. As a result, previous security upgrades were “unpatched.” Principles violated: depth of knowledge, procedural compliance, and forceful backup.
  • A network help desk reset a connection in an office without investigating why the connection had been deactivated in the first place—even though the reason might have been an automated shutdown to prevent the connection of an unauthorized computer or user. Principles violated: procedural compliance and a questioning attitude.

A Holistic Approach

At Konsultek we don’t just slap in “black boxes” and hope that security happens. Sure we build custom technical solutions that utilize the best technology available, but we also work outside the IT department to make sure that the business processes are in place to limit the impact of human error on the security of your information and network. If you are looking to upgrade your security, give us a call and begin a dialogue with us.

 

read more

It is always heartening to see a respected organization such as Gartner espousing the same security philosophies as we have here at Konsultek. In a recent blog post, Gartner’s Oliver Rochford points out that the most robust security solutions combine both prevention AND detect and respond approaches.

If you’ve been following this blog for any length of time you’ll know that this is exactly how we approach all of our information and network security engagements.

An Ounce of Prevention – Still Worth a Pound of Cure

Despite what some might say, prevention is far from being a dying or dead approach. A properly executed prevention strategy that utilizes advanced firewall and access control technologies can help mitigate the impact of old school hacking. When outsiders who don’t have proper credentials attempt to access your network with a variety of tools and tricks they are simply shut out.

But what if they pierce the protective veil of your prevention strategies? Password theft, cracking weak passwords and social engineering are just 3 ways ne’er do wells can compromise the best developed prevention strategies. And when that happens you better hope that your security provider has also included that latest in detect and respond technologies or your system and your information will be instantly at risk.

Detect and Respond

As the name implies, detect and respond approaches can sense when things in your network are not quite right and take action to contain the unusual activity before significant damage can occur. For example, when the credentials of your summer intern suddenly are used to access the network and attempt to explore portions that he or she has no business even thinking about let alone accessing.

The Konsultek Approach

At Konsultek we approach every client’s security engagement as an opportunity to develop a best fit approach. You’ll never find us espousing one-size-fits-all, cookie cutter approaches to information security. When you call, we’ll listen and when our engineering team develops your security solution you can bet it will be based upon delivering the most security value for the money. So give us a call today. We look forward to hearing from you.

read more

In their latest Human Factor Report our friends at Proofpoint highlight the shift from automated exploits to socially engineered human factors that began in earnest in 2014.

According to the report, in 2015 social engineering outpaced technology based exploits as a means of gaining access to networks and information.

Why brute force your way through firewalls and other intrusion prevention technologies when you can get invited in?

Infection by the Numbers from Proofpoint’s Human Factors Infographic

  • 99.7% of attachments used in attachment-based campaigns relied on social engineering and macros to succeed.
  • Banking Trojans such as Dridex accounted for 74% of all payloads
  • 9-10am (time zone specific) is prime time for delivery because that’s when employees get down to business in their email accounts.
  • 2 Billion personal information stealing mobile apps were WILLINGLY downloaded by people. Over 12,000 malicious Apps were found in Android app stores.
  • 74% of URLs used in email-based campaigns took users to credential phishing sites (as opposed to malware hosting sites).
  • File sharing sites such as Google Drive, Dropbox and Adobe are the #1 most effective lure for credential theft.
  • Phishing is 10X more popular than malware in social media posts.
  • Dangerous apps from rogue app stores impact 2/5 enterprises.
  • Low volume “CEO phishing” or  “wire transfer phishing” campaigns target 1 or 2 individuals in an organization in order to extract funds.

Konsultek and Proofpoint

At Konsultek we work with our clients and awesome security providers like Proofpoint to develop holistic security solutions across a wide swath of organizations that vary in size and industry. Want to learn more about how we can help keep human factors and social engineering from making your network vulnerable?

Just give us a call!

 

read more

Many companies and organizations are likely looking forward to putting 2015 and the associated security (or lack of security) issues that plagued them to rest.

So with mere weeks left before revelers in Time Square welcome the New Year, a look ahead to what we might expect to be trending during 2016 seemed appropriate.

According to Information Age, here are 11 Trends to look (or look out) for in the coming year.

1. Back to basics

As we have discussed in this blog more than once, solid network and information security is not simply a matter of buying the latest and greatest technology. The fundamentals that address the organization as a whole, including human factors need to be in place. Strong passwords, a culture of security awareness, and keeping systems and patches up to date are just some of factors we have highlighted here on multiple occasions.

2. Intelligence-led approach

Yes, prevention will still play a role but analyzing and mitigating inevitable breaches will become even more important.

3. The resurgence of phishing

We discussed the Nigerian Prince email scams as well as some very targeted and sophisticated spear phishing campaigns this year and the authors of the Information Age article are predicting a resurgence in both. Presumably because human nature (Curiousity? Trust?) rewards these types of cybercrime with results.

4. The ‘visibility of things’

From medical devices to HVAC devices to office automation, the number of things connected to our networks will continue to grow and so will their vulnerabilities.

5. Attacks on payment card data

A perennial favorite target look for payment card attacks whether from network breaches, POS compromises or good old social engineering to continue.

6. State-sponsored attacks

China? North Korea? Islamic State? Iran? Russia? Expect to see more activity from these state sponsored powerhouses.

7. More fallout from Snowden and the war on terror

Distrust of the NSA both here and abroad will likely continue to grow. Meanwhile, governments in the USA and Europe will make opportunistic use of terrorism concerns to argue for and justify the need for complete access to all data and communications.

8. The security industry

Mergers and acquisitions will continue as the Information security space continues to both evolve and mature. On a more human level, expect to see a more security centric lifestyle develop as people begin to realize that they themselves play a role in security in both their work and private lives.

9. The connected car and the Internet of Things (I0T)

High profile hacking brought the vulnerability of the connected car to mainstream America and expect to see other instances of hacked “things” in 2016. Because improperly operated vehicles have the potential to cause tremendous damage and loss of life auto makers and their supply chain are going to have to become far more focused on keeping things secure.

10. Machine learning

No, not like Sky Net from Terminator, but more like the machine learning for security “good” that is already being leveraged by companies such as FireEye.

11. Wearables

Just when you thought it was safe to go into the BYOD waters… WYOD will start to appear at your doorstep and want to connect to your network. Enjoy!

What do you think of these trends? What did we leave out? If you have a security trend or any other security concern on your mind, just give us a call and we can discuss it!

 

read more

We may be witnessing the end of an era to one of the most parodied and popular Internet Scams ever.

The Nigerian Prince email scam, known in the security trade as a “419 scam” may be becoming a thing of the past.  419 scams get their names from Section 419 of Nigerian law which deals with fraud and represent the Internet’s evolution of the Spanish Prisoner scam stating back to the late 1700s. Given the longevity of this confidence game it is likely only a matter of time until it morphs and resurfaces again but for now it would our favorite benevolent Nigerian Prince has decided to embrace the availability of hacking as a service.

According to an in-depth report from our friends at FireEye “AN INSIDE LOOK Into the World of Nigerian Scammers” the friendly Prince is now using key-loggers and exploit tools to break into the emails of unsuspecting businesses and through a rather elaborate scheme, funnel payments for good and services into accounts they ultimately control.

An interesting aspect of this ruse is that unlike the more sophisticated cybercriminals highlighted in this blog over the years the Nigerian Prince group works their scam using off-the-shelf malware some of which can be purchased for less than $50. In fact, a complete tool-kit can be assembled for as little as $200 while a far more sophisticated tool set might cost as much as $3,600.

The Basic Scam

The group of 4 individuals documented in the report look for victims, usually businesses located in countries where English is not their first language.  The victim acquisition funnel looks like this:

Source: FireEye: “AN INSIDE LOOK Into the World of Nigerian Scammers”

FireEye estimates the group as targeted close to 2,400 victims in 54, primarily Asian countries because of their inherent unfamiliarity with the English language and their generally lower technical skill set.

Source: FireEye: “AN INSIDE LOOK Into the World of Nigerian Scammers”

Once victim targets are identified the spammers insert themselves into the middle of a legitimate email conversation with the goal of ultimately diverting legitimate payments for good and services into bank accounts owned by payment mules that are ultimately controlled by the spammers.

Source: FireEye: “AN INSIDE LOOK Into the World of Nigerian Scammers”

Lessons Learned

Our friendly Prince has elevated his game to a new level and instead of relying on his charm he is resorting to relatively common place and low cost exploit tools to target unsuspecting businesses.

While the Prince’s 419 emails were such a part of pop-culture as to be recognized by all but the least tech savvy the new payment diversion scams are more difficult to detect because they hijack legitimate email threads.

To avoid becoming a victim of these scams,  FireEye recommends the following:

 

1. Use two-factor authentication for any sensitive accounts, including email accounts. If cybercriminals somehow obtain your password, they still would need access to your one-time tokens.

2. Never open an attachment from an unknown source.

3. Pay close attention during business transactions and be skeptical of sudden changes such as updated bank account information.

4. Contact the other party directly (such as via phone) to validate transaction details.

5. Pay attention to email addresses and not just names displayed on the email, as scammers can establish email accounts that look very similar to legitimate ones.

At Konsultek our Engineers work closely with FireEye and their technologies on a daily basis. In a world where an ounce of prevention is worth a pound of cure we develop breech prevention strategies and solutions for organizations just like yours. Check us out and give us a call. Oh, and never send a Nigerian Prince any money.  We hear that those emails are just scams!

 

read more

We’ve all seen it on television or in a movie.  A spy or crook poses as a cable company worker, cleaning company employee or even an IT worker at a high end company and thanks to their feigned identity gains access to the victim’s network.  Later, this access is used to steal critical data or information or to otherwise harm the victim’s organization.  This is just one example of “social engineering” and how even the most well protected network can be penetrated through human factors.

What is Social Engineering?

According to CSOOnline, social engineering is the art of gaining access to buildings, systems or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques”. Rather than attacking a highly secure network directly with technology, the social engineer might steal passwords or be willingly given access to a network by an unsuspecting employee.

How Does this Affect My Network?

Social engineering is super dangerous and “has been proven to be a very successful way for a criminal to “get inside”.  After all, once he or she has your password they can easily “snoop around for sensitive data”. In one instance Cicso found out the hard way that getting into your network was as simple as purchasing a company t shirt and convincing everybody that you were IT. This person “managed to drop several malware laden USBs and hack into the company network, all within sight of other employees”.

Social Engineering Can Defeat the Best Network Security

Someone using savvy social engineering techniques can slip right into an otherwise secure network.  So, this holiday season if you see someone or something suspicious in your office do the smart thing and call site security. That simple act might just save your organization from a network security breach.

We Can Help!

For over 15 years, Konsultek has prevented network attacks and improved network performance for organization both large and small. Our custom solution approach allows us to meet the exact needs of your organization and your network. Ready for a dialogue? Please give us a call!

 Register Now!

We respect your email privacy


 

read more