
Bryley Basics: How to identify the ransomware source on a computer network

Mike Carlson and Gavin Livingstone, Bryley Systems Inc.

Mike Carlson, CTO and a young, 20-year employee at Bryley Systems, had these suggestions on what to do when you get ransomware on your computer network:

  • Identify the end-user login name associated with the ransomware “How to decrypt” text files that are placed in the shared folders. (Look at the properties of each of these text files to determine which account created them.)
  • Remove this end-user’s workstation from the network immediately; preferably disconnect the network cable, but, if not feasible, power it down.
  • Restore all encrypted files from backup.
  • Erase the infected workstation(s) completely, then rebuild them.
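The first step above, checking the ransom-note files on a share for the account that created them, can be done in bulk from an admin workstation. This is an added example, not Bryley's own tooling; the share path and the note-file name patterns are assumptions you adjust to what is actually being dropped.

```powershell
# Added example (not from the post): locate ransom-note files on a share and
# group them by file owner, which is the login name the post says to look for.
# Requires PowerShell 3.0+ and read access to the share's ACLs.
# Assumptions: $SharePath and $NotePatterns are placeholders for your environment.
param(
    [Parameter(Mandatory = $true)] [string] $SharePath,
    [string[]] $NotePatterns = @('*decrypt*.txt', '*decrypt*.html', '*readme*.txt')
)

# Collect matching files once per pattern, then de-duplicate by full path.
$notes = foreach ($pattern in $NotePatterns) {
    Get-ChildItem -Path $SharePath -Filter $pattern -Recurse -File -ErrorAction SilentlyContinue
}
$notes = @($notes | Sort-Object FullName -Unique)

if ($notes.Count -eq 0) {
    Write-Warning "No ransom-note files found under $SharePath"
    return
}

# Get-Acl's Owner is the account that created the file. When one user's
# workstation is doing the encrypting, every note it drops carries that login.
$report = $notes | ForEach-Object {
    [pscustomobject]@{
        Owner   = (Get-Acl -LiteralPath $_.FullName).Owner
        Created = $_.CreationTime
        Path    = $_.FullName
    }
}

# One line per owner: note count and the earliest note (the first folder hit),
# most prolific owner first. Normally a single account dominates the list.
$report | Group-Object Owner | Sort-Object Count -Descending | ForEach-Object {
    $first = $_.Group | Sort-Object Created | Select-Object -First 1
    '{0,-28} {1,5} notes  first seen {2:yyyy-MM-dd HH:mm}  {3}' -f `
        $_.Name, $_.Count, $first.Created, $first.Path
}

# Next step from the post: find which workstation that login is signed in to
# (e.g. quser /server:<workstation> or the domain controller's logon events),
# then pull that machine off the network before restoring from backup.
```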

In addition, we offered these suggestions in our July 2015 Bryley Information and Tips (BITs):

  • To be prudent, change online and system passwords
  • Create forensic images of infected computers
  • Preserve all firewall, Intrusion Prevention, and Active Directory logs for potential analysis by law-enforcement officials

These three can’t hurt, but the first one won’t stop the next attack and the last two are a bit of a stretch; it seems unlikely that the criminals will ever be pursued unless they happen to be working in this country (which also seems unlikely).

The US Computer Emergency Readiness Team (US-CERT) defines ransomware, its variants, and some solutions at Alert TA16-091A, Ransomware and recent variants.

Security concern with popular, home-based, Internet routers

Independent Security Evaluators, a Baltimore-based security firm, stated that 13 Internet routers sold for home use were vulnerable to attack if the hacker had network access and could obtain the username and password of the router.  These routers include:

  • Linksys WRT310v2
  • Netgear’s WNDR4700
  • TP-Link’s WR1043N
  • Verizon’s FiOS Actiontec MI424WR-GEN3I
  • D-Link’s DIR865L
  • Belkin’s N300, N900 and F5D8236-4 v2 models

Basic suggestions:

  • Check to see if your home-based Internet modem/router is named above.  If so, check with the manufacturer to ensure that all security updates have been applied.
  • Change the login credentials using a complex password.  (Please review the article “Simple passwords = disaster” in our January 2013 Bryley Tips and Information.)


ComputerWorld.com — Popular Home Routers Contain Critical Security Vulnerabilities has the full story by Jeremy Kirk at ComputerWorld.

Hackers Hijack Email Contacts

Have you received a rogue email from a friend or acquaintance that seems out of character?  For example:  Why is Aunt Mildred calling me “Friend” in her email?  Or, does neighbor Fred really want me to invest in Nigeria?

Odds are, their email accounts – particularly if located at online services like Gmail, Yahoo! Mail, or Windows Live Hotmail – have been hijacked.  (Visit About.com at About.com:Free Email Review for a review of the top 16 free email services by Heinz Tschabitscher.)

With an online service, the email application is cloud-based; the application does not reside locally on the computer, so it is probably the online account that has been compromised.  (Your PC could also be infected, which is discussed later.) Typically, the password is discovered, providing an easy entry to stored emails (which could contain sensitive information) and a contact list that can be exploited.

If this happens to you, log in to your account and take these steps:

  • Change your password – Use a complex password with at least eight upper and lower-case characters, numbers and special characters.  (Please see the January 2013 issue of Bryley Tips and Information for the article “Simple passwords = disaster” at Bryley-Tips-and-Information-January-2013.)
  • Change your Recovery Information (challenge questions) – If the hacker has account access, he/she can retrieve your challenge questions.  Using these questions, he can then reenter the account after you change the password.
  • Set the highest-possible level of security – Select the highest-possible level, even though it adds complexity to the login process.
  • Check related accounts – You might have put passwords into saved emails that the hacker can now access.  Change your passwords and your Recovery Information on all other accounts that might have been compromised.
  • Contact list – Email the folks in your Contact list and tell them:  “I am having an issue with my email account, which I am addressing.  Please contact me if you receive an unusual email that appears to have come from my email address.  Do not open any links within the email itself.”
  • Back up emails and contacts – Backups allow recovery; back up your contacts whenever you add or change a contact.  Back up your emails as often as necessary to keep from losing stored emails.

As with any account, change your password regularly and change your challenge questions periodically.  Visit the About.com article on how to change your Gmail password at About.com: Change Your Gmail Password.

For a related article by Leo Notenboom at Ask Leo, please visit Ask-Leo.com: How to stop someone sending email with my address.

If the email application resides locally and connects to a secure site, your PC is the suspect and should be scanned with virus and malware scanners.  You should also scrutinize your Microsoft Outlook contacts and rename the Contacts folder.

It is still possible that your computer is infected; your account information might have been recovered through a keyboard logger that records your keystrokes and sends them to the hacker.  If so, you need to clean up your computer before taking the steps above.

Studies suggest cyber-security overconfidence in small/medium businesses

In a recent survey by Symantec and the National Cyber Security Alliance (NCSA), most small and medium-sized businesses participating felt they were safe from cyber threats, although just 17% of the 1,015 companies had a formal plan for cyber security.  Other contradictory items:

  • Although 77% recognized that strong cyber security was important for their brand, 59% had no plan on how to respond to a data breach.
  • Only 13% had a written Internet policy, but 62% believed that their employees knew the company’s Internet policy and practices.


Visit Small biz survey: No cybersecurity plans — no worries. What? for the full CNet article by Charles Cooper.


In a separate survey during the fall of 2011, research firm Opinion Matters polled 200 IT decision makers working in companies of five to 250 employees.  Although almost 88% had web-monitoring/filtering software, over 40% of respondents had suffered a security breach due to unsafe web browsing.


Visit 40% of SMB have had a security breach due to unsafe Web surfing for the full ConnectIT article by Mark Cox.


Both studies suggest that these businesses are not as secure as they think.

Protect your mobile device – Part 3: Enforcement, Tools, and First Steps

We have explored the importance of setting policies and training users on mobile device security and management; now, we wrap up with how to enforce these policies, recommended tools, and first steps to mobile device security.


Enforcement


Enforcement is usually assisted through a Mobile Device Management (MDM) tool, typically a software-based application that requires an agent to be installed on the mobile device.  Once installed, this agent connects back (remotely) to a central console from which an administrator can monitor, manage, and secure the mobile device and also support its user.


MDM features typically include:

  • Enforce user security policy:
    o   Require complex password with frequent changes
    o   Permit remote access only via SSL or VPN
    o   Lock down browser settings
    o   Enable encryption
  • Recover lost or stolen devices:
    o   Activate alarm (set off an audible alarm on the device)
    o   Enable track and locate (track and locate the device via GPS)
    o   Permit remote wipe (complete erasure of the device as a last resort)
  • Control mobile device applications:
    o   Recognize and prevent installation of unauthorized applications
    o   Permit whitelisting and blacklisting of applications
    o   Restrict or block application stores
  • Remotely deploy and configure applications (email, etc.)
  • Audit the mobile device for installed software, configuration, and capacity


ComputerWorld has a comprehensive article on the challenges of MDM. View it at Mobile device management: Getting started.


To support our mobile device clients, we use the MDM capabilities built into Kaseya, our Remote Monitoring and Management tool.  Other MDM providers include:

  • AirWatch
  • LabTech
  • MobileIron
  • Symantec
  • Zenprise


While MDM provides a comprehensive tool, it can be costly to procure and support.  Many companies utilize a trusted business partner (like Bryley) to provide MDM tooling, monitoring, and support for their mobile devices on an ongoing basis with pricing that ranges from $15 (in quantity) to $75 per device per month.


Non-MDM Tools


Alternatively, Microsoft Exchange 2010 offers many MDM-type features through Exchange ActiveSync (EAS), an included protocol that is licensed per end-user or per-device Client Access License (CAL).  The Exchange 2010 Standard CAL licenses:

  • Password security policies
  • Encryption required
  • Remote wipe


The Exchange 2010 Enterprise Add-On CAL licenses advanced features including:

  • Allow/disallow Internet browser, consumer email, unsigned installation, etc.
  • Allow/disallow removable storage, Wi-Fi, Internet sharing, etc.
  • Allow/block specific applications
  • Per-user journaling
  • Integrated archive


Exchange Server Standard 2010 is $709; Standard CALs are $68 each while the Enterprise Add-On CAL is an additional $42 each (based on list prices for business).


Main difference between MDM and EAS: Most MDM tools provide greater control over the mobile device during its lifecycle and can provide control over the device even before email is configured.


Other recommended tools include:

  • Anti-malware: AVG Mobilation – From free to $9.99 for Pro version
  • Protect and find phone via key-case fob – Kensington Bungee Air at $79.99


First step suggestions


These are our minimum, first-step suggestions:

  • Deploy anti-malware software immediately and manage it continuously
  • Require a password to unlock the device and set a short auto-lock time
  • Update mobile devices through vendor-approved patching
  • Enable on-board encryption if handling sensitive data
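The Exchange 2010 Standard CAL features listed under Non-MDM Tools (password policy, required encryption, remote wipe) map directly onto the password, auto-lock and encryption items in the first-step list. The following is an added example, not a Bryley or Microsoft script, of setting those via an ActiveSync mailbox policy in the Exchange Management Shell; the policy name, mailbox and device identity are placeholders.

```powershell
# Added example (not from the post): an Exchange 2010 ActiveSync mailbox policy
# enforcing the Standard CAL items above plus a short auto-lock time.
# Run in the Exchange Management Shell as an Organization Management member.
# Assumptions: policy name, mailbox 'jdoe' and the device identity are placeholders.
$policyName = 'Mobile-Baseline'

# Splatting keeps each setting next to its reason.
$settings = @{
    Name                               = $policyName
    DevicePasswordEnabled              = $true          # password required to unlock
    AlphanumericDevicePasswordRequired = $true          # letters and numbers, not a bare PIN
    AllowSimpleDevicePassword          = $false         # rejects 1234, 1111 and similar
    MinDevicePasswordLength            = 8
    DevicePasswordExpiration           = '90.00:00:00'  # force a change every 90 days
    DevicePasswordHistory              = 5              # no reuse of the last 5 passwords
    MaxInactivityTimeDeviceLock        = '00:05:00'     # auto-lock after 5 minutes idle
    MaxDevicePasswordFailedAttempts    = 10             # device wipes itself after 10 bad tries
    RequireDeviceEncryption            = $true          # on-board encryption for sensitive data
    RequireStorageCardEncryption       = $true
    AllowNonProvisionableDevices       = $false         # refuse devices that cannot enforce the policy
}
New-ActiveSyncMailboxPolicy @settings

# Assign the policy to a mailbox (pipe Get-Mailbox output to cover a whole OU).
Set-CASMailbox -Identity 'jdoe' -ActiveSyncMailboxPolicy $policyName

# Verify which devices sync for that user and whether each one accepted the policy;
# DevicePolicyApplicationStatus shows 'AppliedInFull' once the device has complied.
Get-ActiveSyncDeviceStatistics -Mailbox 'jdoe' |
    Select-Object DeviceFriendlyName, DeviceType, LastSyncAttemptTime,
                  DevicePolicyApplied, DevicePolicyApplicationStatus, Status

# Remote wipe is the last resort for a lost or stolen device. The wipe is queued
# and runs the next time the device connects, so leave the account enabled until
# Status shows the wipe completed. Uncomment with the real device identity:
# Clear-ActiveSyncDevice -Identity 'jdoe\ExchangeActiveSyncDevices\<DeviceId>' -Confirm:$false
```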


Visit 10 Steps to Secure Your Mobile Device for detailed recommendations on securing your mobile device.

DNS-changing malware in the news this week

A well-publicized, DNS-changing malware was detected and temporarily thwarted by the FBI late last year.  The FBI will remove its temporary fix at midnight on Monday, July 9th, which could cause any remaining infected machines to lose their Internet connection.


Windows-based PCs managed by Bryley Systems under our Comprehensive Support Program are not at risk.  The risk to all other PCs exists, but most carriers of the DNSChanger malware had been notified previously.


To determine if your PC might have this malware, please visit www.DNS-OK.us, a US site created to check the DNS settings on your computer.  If infected, the banner on this site will be red and will alert you.  (A Canadian version of this same test is available at http://www.dns-ok.ca/ in both English and French.)


There are tools to remove this infection, but please feel free to contact us at 978.562.6077 if you require assistance.


See DNS-Changer Malware for additional information.