Posts

Bryley Basics: Critical steps before opening an unknown attachment or a link

/in , /by

Since Ransomware and other malware often travel as attachments or web-links, Anna Darlagiannis, Manager of Client Relationships, offers these tips:

1. Don’t open an email or attachment or click on a link within an email if you don’t know who sent it to you….period!

2. Check and see who the email was actually sent to.

If the email was sent to a distribution list, then be especially vigilant before opening it.  For example, hackers can assume that a company’s accounts payable distribution email address is accountspayable@companydomain.com or any other variations such as AP@companydomain.com or accounts-payable@companydomain.com.  Hackers recognize that accounts payable departments anticipate attachments marked “invoice” or “PO” or other related keyword(s) and will name the attachment accordingly.  Furthermore, distribution lists are typically posted on a company’s website making these email addresses public knowledge and easy targets.

Tip:  Setup rules within Outlook to have emails that are sent to a distribution list automatically move into a specified folder(s).  This will make it easier to know exactly what email address was used to send you the email.

NOTE:  It is NOT safe to assume that all email attachments and/or links sent to your personal email address are safe to open.

3. Check who sent you the email.

Hackers can spoof a name, but they can’t spoof an email address.  The email may be marked with a familiar name, prompting you to open the email and/or attachment/link, but if you pay close attention to the actual email address, you may be surprised.  (Unfamiliar email addresses should never be opened.)  For example, your boss’s name is John Smith and his email address is JSmith@companydomain.com.  You receive an email that is marked “From: John Smith” and assume this came from your boss.  You go to open the email and find an attachment.  At this point, you must also look at the actual email address before opening the attachment.  If the email address isn’t JSmith@companydomain.com, then delete it and/or block the domain with your SPAM filter immediately and make everyone in the organization aware of what is going on.

If the email address is correct, but the attachment/link/signature/way that the person writes an email looks suspicious, be cautious, call the person that sent you the email (do not email in case the email address is compromised) and ask if what they sent you was in fact legitimate.

4. Scan the attachment with your anti-virus program before opening.

Take the attachment from the email and drag it to your desktop.  From there, right click on the attachment and then scan it using your anti-virus program.  Be sure to update the anti-virus program prior to scanning it, to ensure that you have the latest updates applied to the anti-virus program.

Unfortunately, this approach isn’t full proof.  An anti-virus program may not recognize all viruses, especially if they are newly created viruses.

More Ransomware – Jeez, I’m getting sick of this topic!

/in , /by

Gavin Livingstone, Bryley Systems Inc.

Guess what:  Cyber crooks are killing it!  According to Kaspersky Labs, over 700,000 people late 2015/early 2016 gained the privilege of stress-testing their backup strategies or forking over money (and a comment on their vulnerability) to some overseas creeps who view every server and workstation as a potential cash cow; this was 5x the amount of people reporting similar issues in late 2014/early 2015.  And, the attacks are getting more sophisticated, and much more effective.

Sure, it is constantly in the news and we are all concerned, but many of us are like the proverbial Ostrich, sticking our proverbial (yes, I meant to repeat proverbial; I like the way it sounds; proverbial, proverbial, proverbial) heads in the sand.  And, it is costing us significant money!

To recover from Ransomware, we recommend backups that follow the 3:2:1 rule:

  • Three copies of your data
  • Two media types
  • One offsite

This simple rule, when followed diligently using a professional-grade backup application with at least daily, monitored, encrypted backups, can save your data from Ransomware, disasters, and other ills.  (Windows Server Backup, although improved, is not a professional-grade backup application since it lacks logging, which can lead to unintended consequences, particularly when swapping backup media on a daily basis and trying to verify previous, good backups.)

Case in point:  We saved an organization that relied on Windows Server Backup with a single, attached USB drive (no media swapping). It was attacked by Cerber Ransomware, which was inadvertently downloaded to the Windows PC of a user with administrative rights.  (Cerber Ransomware is licensed to cyber-criminals, who pay royalties for its use; these royalties are sent back to its originators in Russia.  It emerged in March 2016 and has recently targeted Microsoft Office365 users.)

The virus on the server went to high-value accounts, concentrating on encrypting data and Windows Server Backup files while making it appear that all files within most folders were already encrypted (although only about one in 10 had been encrypted initially).  Some interesting points:

  • The virus was injected into User Accounts in their AppData/Remote folder, which executed when the user logged onto the network.
  • Over 25,000 data files in about 1500 folders were encrypted.
  • All Windows Server backup files on attached drives were encrypted and renamed to @@@@@@@@.server with the current date or no date.
  • The requested ransom was $2,000; 2.725 bitcoins.

In broken English, the attackers noted:

  • “You have turned to be a part of a big community #CerberRansomware.”
  • “…we are the only ones who have the secret key to open them (your files).”
  • “Cerber … is not malicious and is not intended to harm a person…”
  • “…created for the sole purpose of instruction regarding information security.”

The upshot:

  • We rebuilt the server and reintroduced it to the network.
  • The Network Administrator’s workstation was wiped clean and rebuilt.
  • With significant effort, we recovered 90% of the company’s original data.
  • We now professionally backup this site using our remote Bryley BU/DR.

Related:

  • Anyone and everyone is a target; these criminals are happy to get a few hundred dollars each from millions of potential “customers”.
  • A solid backup plan is only one step in your line of defense; security requires a multi-layered approach.
  • Don’t pay cybercriminals; one Kansas hospital paid the ransom, and was told to pay again! Plus, you become an unwitting target for future attacks!

Please see these issues of Bryley Tips and Information (BITs):

Please also see Cyber-Security Firm:  Crypto-Ransomware Infections have reached Epidemic Level by Jonathan Keane of DigitalTrends on 6/24/2016.

Recommended Practices:  Dealing with CryptoLocker

/in , /by

This is a multi-part series on recommended IT practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

CryptoLocker surfaced in the fall of 2013; it is a ransomware trojan that, upon activation, encrypts all data files to which the infected end-user has read-write access, and then demands payment to decrypt.  It typically hides as an attachment within a phishing email and can even work over a home user’s VPN connection to encrypt data files on the organizations’ server(s).

cl-ex

The cyber-criminal’s intent is to receive untraceable payment via cyber-currency in exchange for a decryption key to unlock the data files, forming a one-to-one relationship between the cyber-criminal and the infected user:  The cyber-criminal knows the user is infected and awaits payment; if thwarted in his/her extortion attempt, that information is retained by the cyber-criminal, which could reduce future efforts to pursue your organization.

Of greater concern; if an individual or organization pays the ransom, that information is also known, recorded, and potentially shared for future attempts.  Basically, if you pay the ransom, you may be targeted for new efforts.

The cyber-criminal is likely acting within a crime syndicate; he/she might not even be technically savvy since CryptoLocker tools are readily available and easy to use.

We have recently seen a significant upswing in CryptoLocker attempts; the source emails spoof the email addresses of known parties while the attachment might carry a seemingly harmless “PDF” extension.  The message is compelling; an end-user unwittingly clicks the attachment and starts the process.

The first best step is prevention:

  • If feasible, use group policies or AppLocker to restrict software execution1
  • Limit access only to needed files; make them read-only where appropriate
  • Update security patches on all operating systems and end-user applications2
  • Deploy and continually update anti-malware apps on all end-user devices2
  • Deploy a robust, anti-spam solution that can block executables2
  • Consider blocking or quarantining all incoming attachments
  • Setup a backup routine that addresses data files frequently3

For more information, Jonathan Haskell of ComputerWorld reviews group policy restrictions in his article:  “CryptoLocker:  How to avoid getting infected and what to do if you are”.  Also, Third Tier and SMB Kitchen have jointly released a CryptoLocker Prevention Kit to assist in developing these group policies.

Education is also critical4:

  • Schedule regular training reviews with your end-users
  • Demonstrate to your end-users how to spot potential threats
  • Discuss the dangers of clicking attachments, even those from known sources

If you are infected by CryptoLocker5:

  • Identify the infected computer and remove it from the network
  • To be prudent, change online and system passwords
  • Create forensic images of infected computers
  • Preserve all firewall, Intrusion Prevention, and Active Directory logs for potential analysis by law-enforcement officials

Index of referenced articles:

1 See the January 2015 Bryley Tips and Information article: Recommended Practices:  Manage End Users via Active Directory and the February issue for the article: Recommended Practices – Part 7:  Resource Management via Active Directory.

2 See the June 2015 Bryley Tips and Information article:  Recommended Practices:  IT security cheat-sheet.

3 See the April issue of Bryley Tips and Information for Bryley Basics:  How ransomware (CryptoLocker) makes backups more critical.

4 See the May 2015 Bryley Tips and Information article: Recommended Practices: Basic IT training for end users

5 View detailed prevention and response techniques in CryptoLocker Prevention and Remediation Techniques, presented by fishnet security.

Bryley Basics: Free anti-malware plug-in for WordPress

/in , /by

Intel Security’s McAfee group now offers a free McAfee SECURE certification plug-in for WordPress-based websites.  This plug-in protects WordPress websites from unwanted malware while site-visitors can verify a site’s integrity by right-clicking on the McAfee SECURE logo (shown below).

McAfee Secure Icon

The free version covers the first 500 site-visitors each month; a paid version (about $80 per month) accommodates more than 500 visitors and allows for some different themes for the trust-mark itself.

James Wheeler, our Internet Marketing Associate, installed the plug-in in May; at first, it did not initially deploy the trust-mark properly, but has since been working reliably at Bryley.com since early June.

Bryley Basics: Microsoft Windows is not as vulnerable as Apple OS or Linux

/in , , /by

Due to their size and complexity, it is difficult to completely secure a computer operating system, which leaves them vulnerable to attack.  With the number of reported hackings, most might consider Microsoft Windows to be extremely vulnerable, but Windows actually ranked less vulnerable than Apple Mac OS X, Apple iOS, and Linux.

This ranking was made by GFI Software in 2014, which reviewed popular operating systems and the number and rating of reported vulnerabilities.  GFI reported these top-5 results:

  1. Apple Mac OS X – 147 vulnerabilities; 64 High, 64 Medium, and 16 Low
  2. Apple iOS – 127 vulnerabilities; 32 High, 72 Medium, and 23 Low
  3. Linux – 119 vulnerabilities; 24 High, 74 Medium, and 12 Low
  4. Microsoft Windows Server 2008 – 38 vulnerabilities; 26 High and 12 Medium
  5. Microsoft Windows 7 – 36 vulnerabilities; 25 High and 11 Medium

Microsoft’s Internet Explorer, however, was ranked as the most-vulnerable application followed by Google Chrome, Mozilla Firefox, Adobe Flash Player, and Oracle’s Java.

See the article from Swati Khandelwal of The Hacker NewsWindows?  NO, Linux and Mac OS X Most Vulnerable Operating System in 2014.

Bryley Basics: Scammer YGDNS.org

/in , /by

We received a seemingly legitimate email from YGDNS.org professing to square-away the ownership use of our domains, Bryley.com and Bryley.net, in China; the email was marked “urgent” and came with a person’s name, business address, etc.

I queried Mike Carlson, our CTO, who gave this reply:  “No serious problems, but certainly a scam. If you reply you will be offered the opportunity to register the domains along with other overpriced services.

Google search of “ygdns.org.cn” finds a couple well-written articles that indicate that this ygdns group has been doing this for a while, and if you respond take the extra step of calling. The calls are of the type “This needs to be fixed today!”; hoping to get a “yes” from whomever answers the phone by stressing the perceived urgency.

Note the fact that it was sent…with “Please forward… …this is urgent” line. Any legitimate registrar conducting a legally or procedurally required inquiry would send the request directly to you, to me, or our shared network operations mailbox. These are the publicly-available addresses associated with the bryley.com and bryley.net registrations. I’ve checked my mailbox, junk mail folder, and done the same on the network operations mailbox. Nothing from this company.”

So, we did not respond to any inquiries from YGDNS.org and advise the same to all.

Bryley Basics: Fixed-disk drive recycling and destruction

/in /by

Fixed-disk drives are located in most personal computers, servers, and even some copiers and printers; they store business data and confidential information.  When retired, they require special handling and recycling to ensure that this information is not available to others.  In addition, compliance and military standards dictate specific procedures regarding erasure and destruction.

Most fixed-disk drives house spinning disks within a metal enclosure; a read/write head passes over these disks to retrieve/record information.  Erasing the spinning disks is a good first step; physically destroying the spinning disks is also good since it then renders these disks unusable.  (Of course, someone can always try to put a disk back together, but the complexity and cost of this effort makes it extremely difficult and unlikely.)

When we recycle personal computers and servers, we take these steps to obliterate the contents of all fixed-disk drives:

  • When mounted within a computer, we run a multiple-pass cleanup utility that not only erases existing data, but also rewrites nonsense data back onto the drive to overlay previous data.
  • We then smash the drive into insignificant pieces using our Manual Disk Drive Crusher from Pure Leverage.

Our Manual Disk Drive Crusher quickly and easily destroys fixed-disk drives by crushing them in half.  The remnants are then recycled with confidence.

 

Upcoming Bryley webinar on 12/10: “Get into the Cloud – Safely and Securely”

/in , , /by

On December 10th, 2014 at 2pm (EST), Bryley Systems will present: “Get into the Cloud – Safely and Securely”, which reviews Cloud Services and security.

Learn how to select from Cloud options while protecting data and related systems:

  • Select Cloud Services
  • Secure these Cloud Services
  • Secure associated systems and data
  • Ensure the integrity of your data

Click here to sign-up for this informational, no-charge webinar.

 

Recommended practices – Part 2: Web browsing/Internet usage

/in /by

This is a multi-part series on recommended practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

End-users browse the web; it’s usually the fastest way to get an answer, search for an item, or make a purchase.  But, browsing comes with some risks:

  • Potential liability from browsing ill-advised sites at work
  • Inadvertent or unintentional download of malicious software
  • Waste of company resources: Internet bandwidth, employee time, etc.

To reduce browsing risks, we recommend have these recommendations:

  • Set an Internet usage policy
  • Monitor and enforce browsing behavior
  • Train staff members on safe-browsing habits

A fourth recommendation, configure and patch/update end-point components (operating system, anti-malware software, Internet browser, etc.), will be covered in future articles.

Set an Internet usage policy

Unless we know what is acceptable, how can it be enforced?  Some organizations, to limit unproductive time, might restrict access to social-media sites (Facebook, Twitter, etc.), while others (police investigators) may need access to pornographic sites; without a policy, what sites do we monitor and restrict and for whom?

An Internet usage policy should define the dos and don’ts of Internet access; it should be included in the Employee Handbook with a sign-off acknowledgement and should also note that the organization reserves the right to monitor and limit this usage, without restriction.  (See a simple Sample Internet usage policy fromGFI.  Or, review an in-depth Internet usage Policy from the SANs Institute.)

Monitor and enforce browsing behavior

Paul Wood of Symantec™ studied browsing habits of end-users with these findings1:

  • About one-third of users followed the organization’s Internet-use policy,
  • The second one-third generated less than 10% of browsing violations, and
  • The final one-third had over 90% of browsing violations; about 20% of this group actually had more violations than legitimate usage.

Basically, about 66% of end-users follow an organization’s Internet usage policy most or all of the time, but there is a small group that abuses this policy, which suggests that enforcement efforts should focus on the abusers.

To protect an organization, basic monitoring and enforcement of Internet usage is recommended; a typical monitoring/enforcement software application for small to mid-sized organizations should provide, at a minimum, these capabilities:

  • Cluster related sites together (ie: gaming, sports) to set policy by site-groups
  • Combine users by department or functional area to enable group restrictions
  • Whitelist specific sites (or site-groups) to permit unlimited access
  • Blacklist specific sites (or site-groups) to prohibit access

Once deployed, you must continually review the results to inspect what you expect.

Example:  Bryley Systems offers our Secure Network™; an onsite, Unified Threat Management (UTM) tool with monitoring and enforcement of web browsing.  The results are periodically reviewed and reported by Bryley Systems to the client.

Train on safe-browsing habits

It is important that staff know and understand the importance of an organizations’ Internet usage policy; they have a significant role to play in this effort.

Basic rule is to not click on any site that you do not trust.  However, even some trustworthy sites can be hijacked and route an unsuspecting user to an unintended site with unexpected consequences.

Some browsing tips2:

  • Do not click on pop-ups
  • Do not open links within spam email
  • Check a site’s actual address in the address bar; this address should always match the expected site-name (URL)
  • When in doubt, shout it out (call for help)

There are also many online, security-training options; we offer a video-training package on a per-user basis through our business partner, Deadbolt Security.

REFERENCES:

  1. See Paul Wood’s article “Employee browsing habits, the good, the bad, and the ugly” at Symantec Intelligence.
  2. Dylan Herix offers “An idiot’s guide to good browsing habits” at AppStorm Guide.

Why do organizations ignore information (cyber) security?

/in /by

I read an interesting article by Don Jones of Redmond Magazine titled: “The Quest for a Culture of Security”.  In it, Mr. Jones notes (via my paraphrasing):

  • Security gets limited attention and even less funding from decision makers
  • Security hacking has become a profession with significant financial rewards
  • Every company is a target and has been, at a minimum, probed by hackers

In 2010, I witnessed the first item above when Bryley Systems hosted a series of seminars on the (then) new Massachusetts statute for the protection of personal information (201 CMR 17.00); people attended the seminars and took the first steps toward compliance, but most ignored the difficult changes and few made security (and compliance) part of their corporate structure.

Mr. Jones’ suggestion:  Ingrain security into your corporate culture; make it as important as uptime and connectivity and make it a fundamental part of everything you do.

Lynn Russo Whylly, in her May 14th 2014 article “How to Prevent Becoming the Next “Target” of a Data Security Breach” from Chief Executive, recommends:

  • Discuss security with your CIO or MSP regularly (to highlight its importance).
  • Walk-through the data center (to pose questions about its vulnerabilities).
  • Setup security goals and then monitor metrics (to inspect what you expect).
  • Hire an outside person/firm to attack your security (and highlight its flaws).

Her position is that security is a part of the CEO’s responsibility; one of continually growing importance.