Posts

Bryley Basics: Critical steps before opening an unknown attachment or a link

Since Ransomware and other malware often travel as attachments or web-links, Anna Darlagiannis, Manager of Client Relationships, offers these tips:

1. Don’t open an email or attachment or click on a link within an email if you don’t know who sent it to you….period!

2. Check and see who the email was actually sent to.

If the email was sent to a distribution list, then be especially vigilant before opening it.  For example, hackers can assume that a company’s accounts payable distribution email address is accountspayable@companydomain.com or any other variations such as AP@companydomain.com or accounts-payable@companydomain.com.  Hackers recognize that accounts payable departments anticipate attachments marked “invoice” or “PO” or other related keyword(s) and will name the attachment accordingly.  Furthermore, distribution lists are typically posted on a company’s website making these email addresses public knowledge and easy targets.

Tip:  Setup rules within Outlook to have emails that are sent to a distribution list automatically move into a specified folder(s).  This will make it easier to know exactly what email address was used to send you the email.

NOTE:  It is NOT safe to assume that all email attachments and/or links sent to your personal email address are safe to open.

3. Check who sent you the email.

Hackers can spoof a name, but they can’t spoof an email address.  The email may be marked with a familiar name, prompting you to open the email and/or attachment/link, but if you pay close attention to the actual email address, you may be surprised.  (Unfamiliar email addresses should never be opened.)  For example, your boss’s name is John Smith and his email address is JSmith@companydomain.com.  You receive an email that is marked “From: John Smith” and assume this came from your boss.  You go to open the email and find an attachment.  At this point, you must also look at the actual email address before opening the attachment.  If the email address isn’t JSmith@companydomain.com, then delete it and/or block the domain with your SPAM filter immediately and make everyone in the organization aware of what is going on.

If the email address is correct, but the attachment/link/signature/way that the person writes an email looks suspicious, be cautious, call the person that sent you the email (do not email in case the email address is compromised) and ask if what they sent you was in fact legitimate.

4. Scan the attachment with your anti-virus program before opening.

Take the attachment from the email and drag it to your desktop.  From there, right click on the attachment and then scan it using your anti-virus program.  Be sure to update the anti-virus program prior to scanning it, to ensure that you have the latest updates applied to the anti-virus program.

Unfortunately, this approach isn’t full proof.  An anti-virus program may not recognize all viruses, especially if they are newly created viruses.

More Ransomware – Jeez, I’m getting sick of this topic!

Gavin Livingstone, Bryley Systems Inc.

Guess what:  Cyber crooks are killing it!  According to Kaspersky Labs, over 700,000 people late 2015/early 2016 gained the privilege of stress-testing their backup strategies or forking over money (and a comment on their vulnerability) to some overseas creeps who view every server and workstation as a potential cash cow; this was 5x the amount of people reporting similar issues in late 2014/early 2015.  And, the attacks are getting more sophisticated, and much more effective.

Sure, it is constantly in the news and we are all concerned, but many of us are like the proverbial Ostrich, sticking our proverbial (yes, I meant to repeat proverbial; I like the way it sounds; proverbial, proverbial, proverbial) heads in the sand.  And, it is costing us significant money!

To recover from Ransomware, we recommend backups that follow the 3:2:1 rule:

  • Three copies of your data
  • Two media types
  • One offsite

This simple rule, when followed diligently using a professional-grade backup application with at least daily, monitored, encrypted backups, can save your data from Ransomware, disasters, and other ills.  (Windows Server Backup, although improved, is not a professional-grade backup application since it lacks logging, which can lead to unintended consequences, particularly when swapping backup media on a daily basis and trying to verify previous, good backups.)

Case in point:  We saved an organization that relied on Windows Server Backup with a single, attached USB drive (no media swapping). It was attacked by Cerber Ransomware, which was inadvertently downloaded to the Windows PC of a user with administrative rights.  (Cerber Ransomware is licensed to cyber-criminals, who pay royalties for its use; these royalties are sent back to its originators in Russia.  It emerged in March 2016 and has recently targeted Microsoft Office365 users.)

The virus on the server went to high-value accounts, concentrating on encrypting data and Windows Server Backup files while making it appear that all files within most folders were already encrypted (although only about one in 10 had been encrypted initially).  Some interesting points:

  • The virus was injected into User Accounts in their AppData/Remote folder, which executed when the user logged onto the network.
  • Over 25,000 data files in about 1500 folders were encrypted.
  • All Windows Server backup files on attached drives were encrypted and renamed to @@@@@@@@.server with the current date or no date.
  • The requested ransom was $2,000; 2.725 bitcoins.

In broken English, the attackers noted:

  • “You have turned to be a part of a big community #CerberRansomware.”
  • “…we are the only ones who have the secret key to open them (your files).”
  • “Cerber … is not malicious and is not intended to harm a person…”
  • “…created for the sole purpose of instruction regarding information security.”

The upshot:

  • We rebuilt the server and reintroduced it to the network.
  • The Network Administrator’s workstation was wiped clean and rebuilt.
  • With significant effort, we recovered 90% of the company’s original data.
  • We now professionally backup this site using our remote Bryley BU/DR.

Related:

  • Anyone and everyone is a target; these criminals are happy to get a few hundred dollars each from millions of potential “customers”.
  • A solid backup plan is only one step in your line of defense; security requires a multi-layered approach.
  • Don’t pay cybercriminals; one Kansas hospital paid the ransom, and was told to pay again! Plus, you become an unwitting target for future attacks!

Please see these issues of Bryley Tips and Information (BITs):

Please also see Cyber-Security Firm:  Crypto-Ransomware Infections have reached Epidemic Level by Jonathan Keane of DigitalTrends on 6/24/2016.

Recommended Practices:  Dealing with CryptoLocker

This is a multi-part series on recommended IT practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

CryptoLocker surfaced in the fall of 2013; it is a ransomware trojan that, upon activation, encrypts all data files to which the infected end-user has read-write access, and then demands payment to decrypt.  It typically hides as an attachment within a phishing email and can even work over a home user’s VPN connection to encrypt data files on the organizations’ server(s).

cl-ex

The cyber-criminal’s intent is to receive untraceable payment via cyber-currency in exchange for a decryption key to unlock the data files, forming a one-to-one relationship between the cyber-criminal and the infected user:  The cyber-criminal knows the user is infected and awaits payment; if thwarted in his/her extortion attempt, that information is retained by the cyber-criminal, which could reduce future efforts to pursue your organization.

Of greater concern; if an individual or organization pays the ransom, that information is also known, recorded, and potentially shared for future attempts.  Basically, if you pay the ransom, you may be targeted for new efforts.

The cyber-criminal is likely acting within a crime syndicate; he/she might not even be technically savvy since CryptoLocker tools are readily available and easy to use.

We have recently seen a significant upswing in CryptoLocker attempts; the source emails spoof the email addresses of known parties while the attachment might carry a seemingly harmless “PDF” extension.  The message is compelling; an end-user unwittingly clicks the attachment and starts the process.

The first best step is prevention:

  • If feasible, use group policies or AppLocker to restrict software execution1
  • Limit access only to needed files; make them read-only where appropriate
  • Update security patches on all operating systems and end-user applications2
  • Deploy and continually update anti-malware apps on all end-user devices2
  • Deploy a robust, anti-spam solution that can block executables2
  • Consider blocking or quarantining all incoming attachments
  • Setup a backup routine that addresses data files frequently3

For more information, Jonathan Haskell of ComputerWorld reviews group policy restrictions in his article:  “CryptoLocker:  How to avoid getting infected and what to do if you are”.  Also, Third Tier and SMB Kitchen have jointly released a CryptoLocker Prevention Kit to assist in developing these group policies.

Education is also critical4:

  • Schedule regular training reviews with your end-users
  • Demonstrate to your end-users how to spot potential threats
  • Discuss the dangers of clicking attachments, even those from known sources

If you are infected by CryptoLocker5:

  • Identify the infected computer and remove it from the network
  • To be prudent, change online and system passwords
  • Create forensic images of infected computers
  • Preserve all firewall, Intrusion Prevention, and Active Directory logs for potential analysis by law-enforcement officials

Index of referenced articles:

1 See the January 2015 Bryley Tips and Information article: Recommended Practices:  Manage End Users via Active Directory and the February issue for the article: Recommended Practices – Part 7:  Resource Management via Active Directory.

2 See the June 2015 Bryley Tips and Information article:  Recommended Practices:  IT security cheat-sheet.

3 See the April issue of Bryley Tips and Information for Bryley Basics:  How ransomware (CryptoLocker) makes backups more critical.

4 See the May 2015 Bryley Tips and Information article: Recommended Practices: Basic IT training for end users

5 View detailed prevention and response techniques in CryptoLocker Prevention and Remediation Techniques, presented by fishnet security.

Bryley Basics: Free anti-malware plug-in for WordPress

Intel Security’s McAfee group now offers a free McAfee SECURE certification plug-in for WordPress-based websites.  This plug-in protects WordPress websites from unwanted malware while site-visitors can verify a site’s integrity by right-clicking on the McAfee SECURE logo (shown below).

McAfee Secure Icon

The free version covers the first 500 site-visitors each month; a paid version (about $80 per month) accommodates more than 500 visitors and allows for some different themes for the trust-mark itself.

James Wheeler, our Internet Marketing Associate, installed the plug-in in May; at first, it did not initially deploy the trust-mark properly, but has since been working reliably at Bryley.com since early June.

Bryley Basics: Microsoft Windows is not as vulnerable as Apple OS or Linux

Due to their size and complexity, it is difficult to completely secure a computer operating system, which leaves them vulnerable to attack.  With the number of reported hackings, most might consider Microsoft Windows to be extremely vulnerable, but Windows actually ranked less vulnerable than Apple Mac OS X, Apple iOS, and Linux.

This ranking was made by GFI Software in 2014, which reviewed popular operating systems and the number and rating of reported vulnerabilities.  GFI reported these top-5 results:

  1. Apple Mac OS X – 147 vulnerabilities; 64 High, 64 Medium, and 16 Low
  2. Apple iOS – 127 vulnerabilities; 32 High, 72 Medium, and 23 Low
  3. Linux – 119 vulnerabilities; 24 High, 74 Medium, and 12 Low
  4. Microsoft Windows Server 2008 – 38 vulnerabilities; 26 High and 12 Medium
  5. Microsoft Windows 7 – 36 vulnerabilities; 25 High and 11 Medium

Microsoft’s Internet Explorer, however, was ranked as the most-vulnerable application followed by Google Chrome, Mozilla Firefox, Adobe Flash Player, and Oracle’s Java.

See the article from Swati Khandelwal of The Hacker NewsWindows?  NO, Linux and Mac OS X Most Vulnerable Operating System in 2014.

Bryley Basics: Scammer YGDNS.org

We received a seemingly legitimate email from YGDNS.org professing to square-away the ownership use of our domains, Bryley.com and Bryley.net, in China; the email was marked “urgent” and came with a person’s name, business address, etc.

I queried Mike Carlson, our CTO, who gave this reply:  “No serious problems, but certainly a scam. If you reply you will be offered the opportunity to register the domains along with other overpriced services.

Google search of “ygdns.org.cn” finds a couple well-written articles that indicate that this ygdns group has been doing this for a while, and if you respond take the extra step of calling. The calls are of the type “This needs to be fixed today!”; hoping to get a “yes” from whomever answers the phone by stressing the perceived urgency.

Note the fact that it was sent…with “Please forward… …this is urgent” line. Any legitimate registrar conducting a legally or procedurally required inquiry would send the request directly to you, to me, or our shared network operations mailbox. These are the publicly-available addresses associated with the bryley.com and bryley.net registrations. I’ve checked my mailbox, junk mail folder, and done the same on the network operations mailbox. Nothing from this company.”

So, we did not respond to any inquiries from YGDNS.org and advise the same to all.

Bryley Basics: Fixed-disk drive recycling and destruction

Fixed-disk drives are located in most personal computers, servers, and even some copiers and printers; they store business data and confidential information.  When retired, they require special handling and recycling to ensure that this information is not available to others.  In addition, compliance and military standards dictate specific procedures regarding erasure and destruction.

Most fixed-disk drives house spinning disks within a metal enclosure; a read/write head passes over these disks to retrieve/record information.  Erasing the spinning disks is a good first step; physically destroying the spinning disks is also good since it then renders these disks unusable.  (Of course, someone can always try to put a disk back together, but the complexity and cost of this effort makes it extremely difficult and unlikely.)

When we recycle personal computers and servers, we take these steps to obliterate the contents of all fixed-disk drives:

  • When mounted within a computer, we run a multiple-pass cleanup utility that not only erases existing data, but also rewrites nonsense data back onto the drive to overlay previous data.
  • We then smash the drive into insignificant pieces using our Manual Disk Drive Crusher from Pure Leverage.

Our Manual Disk Drive Crusher quickly and easily destroys fixed-disk drives by crushing them in half.  The remnants are then recycled with confidence.

 

Recommended practices – Part-3: Password security

This is a multi-part series on recommended practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

October is National Cybersecurity Awareness Month, and to help you celebrate, we have compiled a list of best practices for password-strength optimization.

Passwords are the primary tool for online authentication; as such, they are targeted information for cybercriminals looking to gain access to your workstation, mobile device, and/or personal records.  Proactive measures are vital to prevent online identity theft, network infiltration, system crashes, and the spread of malware.  By following the practices described below you will fortify yourself against these malicious cyber threats.

1. Create a “strong” password:

A strong password is one that cannot be easily identified by a cybercriminal.  When creating your next password, here are the do’s and do not’s of password strength:

  • Do not draw from the obvious: When selecting a password, do not draw from obvious sources – your name, your child’s name, not even something as seemingly ambiguous as your favorite flavor of ice cream or a random word.  With social media, today’s cybercriminal can easily aggregate personal information and crack obvious passwords.  Even if you feel that your password is obscure and/or unconnected to yourself, if the password is simply a word or phrase, dictionary attacks – programs that plug in every word from a database – can still compromise you.
  • Do use a mixture of letters, numbers, and special characters: Make your password complex and you help make it secure.  Random placements of letters, numbers, and symbols will make it very difficult for cybercriminals to hack into your accounts.
  • Do not use the same password: Using the same password for every login is a recipe for disaster:  A cybercriminal now only needs to crack one password for unlimited access to all of your online accounts.
  • Do use longer passwords: When it comes to password security, the longer the better.  According to online security experts, a password 15 characters in length could take up to two trillion years to crack.  However, password length isn’t everything:  You must be sure to utilize a mixture of letters, numbers and special characters.

By creating long, complex, and unique passwords for every one of your authentication accounts, you will guarantee password strength.

2. Change your password regularly

It is very important to create strong passwords, but even strong passwords can be discovered by expert cybercriminals – especially if they are given ample time for discovery.  That is why it is essential for you to get into the practice of routine and mandatory password changes.

A perfect time to schedule updates is with the change of seasons as they divide the business year into obvious and unforgettable quarters.  And, as it is now fall, it is the perfect time to begin this excellent practice.  You can start by announcing a mandatory password change in the next few weeks and update your business calendar for three more alterations for the winter, spring, and summer.

3. Keep written reminders secure or use a Password Manager

Long, complex, constantly changed passwords are hard to remember.  You may need to write them down as a practical safeguard.  Just be sure to avoid the bad habit of keeping these written reminders close to your computer – or even worse, taped to your screen for all to see.

If you need written reminders, keep them in a secure area away from your workspace, such as at home or in the glove compartment of your car.  Better yet, consider using a Password Manager to record and manage your passwords.  (See the July 2014 Bryley Tips and Information for a review on Password Managers.)

4. Keep reset information up-to-date

There will be moments when you simply cannot remember a password and will need to request a reset.  As a precaution you should always be certain that your online accounts have your relevant email address on file so that when reset information is sent, it is sent to you and not to an abandoned account that has the potential to be exploited.  It would be best to get into the practice of checking reset information on the scheduled dates for password changes.

5. Review your organization’s password policy

Take the time during your quarterly password changes and reset information checks to review and/or update your organization’s password policy, which has the rules and procedures employees are required to adhere to in order to ensure password and network security.  If your organization does not already have such a policy, be sure to create one and distribute it to all technology-enabled employees.

6. Expunge temporary usernames and passwords

If you recently employed any temporary staff or summer help, be sure that their usernames and passwords no longer access your system.

Upcoming Bryley webinar on 12/10: “Get into the Cloud – Safely and Securely”

On December 10th, 2014 at 2pm (EST), Bryley Systems will present: “Get into the Cloud – Safely and Securely”, which reviews Cloud Services and security.

Learn how to select from Cloud options while protecting data and related systems:

  • Select Cloud Services
  • Secure these Cloud Services
  • Secure associated systems and data
  • Ensure the integrity of your data

Click here to sign-up for this informational, no-charge webinar.

 

Recommended practices – Part 2: Web browsing/Internet usage

This is a multi-part series on recommended practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

End-users browse the web; it’s usually the fastest way to get an answer, search for an item, or make a purchase.  But, browsing comes with some risks:

  • Potential liability from browsing ill-advised sites at work
  • Inadvertent or unintentional download of malicious software
  • Waste of company resources: Internet bandwidth, employee time, etc.

To reduce browsing risks, we recommend have these recommendations:

  • Set an Internet usage policy
  • Monitor and enforce browsing behavior
  • Train staff members on safe-browsing habits

A fourth recommendation, configure and patch/update end-point components (operating system, anti-malware software, Internet browser, etc.), will be covered in future articles.

Set an Internet usage policy

Unless we know what is acceptable, how can it be enforced?  Some organizations, to limit unproductive time, might restrict access to social-media sites (Facebook, Twitter, etc.), while others (police investigators) may need access to pornographic sites; without a policy, what sites do we monitor and restrict and for whom?

An Internet usage policy should define the dos and don’ts of Internet access; it should be included in the Employee Handbook with a sign-off acknowledgement and should also note that the organization reserves the right to monitor and limit this usage, without restriction.  (See a simple Sample Internet usage policy fromGFI.  Or, review an in-depth Internet usage Policy from the SANs Institute.)

Monitor and enforce browsing behavior

Paul Wood of Symantec™ studied browsing habits of end-users with these findings1:

  • About one-third of users followed the organization’s Internet-use policy,
  • The second one-third generated less than 10% of browsing violations, and
  • The final one-third had over 90% of browsing violations; about 20% of this group actually had more violations than legitimate usage.

Basically, about 66% of end-users follow an organization’s Internet usage policy most or all of the time, but there is a small group that abuses this policy, which suggests that enforcement efforts should focus on the abusers.

To protect an organization, basic monitoring and enforcement of Internet usage is recommended; a typical monitoring/enforcement software application for small to mid-sized organizations should provide, at a minimum, these capabilities:

  • Cluster related sites together (ie: gaming, sports) to set policy by site-groups
  • Combine users by department or functional area to enable group restrictions
  • Whitelist specific sites (or site-groups) to permit unlimited access
  • Blacklist specific sites (or site-groups) to prohibit access

Once deployed, you must continually review the results to inspect what you expect.

Example:  Bryley Systems offers our Secure Network™; an onsite, Unified Threat Management (UTM) tool with monitoring and enforcement of web browsing.  The results are periodically reviewed and reported by Bryley Systems to the client.

Train on safe-browsing habits

It is important that staff know and understand the importance of an organizations’ Internet usage policy; they have a significant role to play in this effort.

Basic rule is to not click on any site that you do not trust.  However, even some trustworthy sites can be hijacked and route an unsuspecting user to an unintended site with unexpected consequences.

Some browsing tips2:

  • Do not click on pop-ups
  • Do not open links within spam email
  • Check a site’s actual address in the address bar; this address should always match the expected site-name (URL)
  • When in doubt, shout it out (call for help)

There are also many online, security-training options; we offer a video-training package on a per-user basis through our business partner, Deadbolt Security.

REFERENCES:

  1. See Paul Wood’s article “Employee browsing habits, the good, the bad, and the ugly” at Symantec Intelligence.
  2. Dylan Herix offers “An idiot’s guide to good browsing habits” at AppStorm Guide.