DHS/FBI Ransomware Alert


The Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) are issuing this activity alert to inform computer network defenders about SamSam ransomware, also known as MSIL/Samas.A.

The SamSam actors targeted multiple industries, including some within critical infrastructure. Victims were located predominantly in the United States, but also internationally. Network-wide infections of organizations are far more likely to garner large ransom payments than infections of individual systems, because organizations that provide essential functions have a critical need to resume operations quickly and are therefore more likely to pay larger ransoms.


You may review the entire DHS/FBI alert here.

This threat primarily targets systems with Remote Desktop Protocol (RDP) exposed to the Internet. The alert's primary recommendation is to close these ports or, at a minimum, layer in two-factor authentication. Onepath, the firm I work for, never recommends leaving RDP ports open to the Internet. They should only be accessed from behind a firewall, through a VPN, and always secured with two-factor authentication.

The following are the specific recommendations contained in this alert. I strongly support each of these recommendations. If you are unsure whether your company is properly protected, reach out to your IT department or IT partner immediately to assess your vulnerability.

DHS and FBI recommend that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. System owners and administrators should review any configuration changes before implementation to avoid unwanted impacts.

  • Audit your network for systems that use RDP for remote communication. Disable the service if unneeded or install available patches. Users may need to work with their technology vendors to confirm that patches will not affect system processes.
  • Verify that all cloud-based virtual machine instances with public IPs have no open RDP ports, especially port 3389, unless there is a valid business reason to keep open RDP ports. Place any system with an open RDP port behind a firewall and require users to use a virtual private network (VPN) to access that system.
  • Enable strong passwords and account lockout policies to defend against brute force attacks.
  • Where possible, apply two-factor authentication.
  • Regularly apply system and software updates.
  • Maintain a good back-up strategy.
  • Enable logging and ensure that logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
  • When creating cloud-based virtual machines, adhere to the cloud provider’s best practices for remote access.
  • Ensure that third parties that require RDP access follow internal policies on remote access.
  • Minimize network exposure for all control system devices. Where possible, disable RDP on critical devices.
  • Regulate and limit external-to-internal RDP connections. When external access to internal resources is required, use secure methods such as VPNs. Of course, VPNs are only as secure as the connected devices.
  • Restrict users’ ability (permissions) to install and run unwanted software applications.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
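The logging recommendation above (capture RDP logins and review them regularly) is the one that turns a list of best practices into something a defender can actually act on. The following script is an added example, not part of the DHS/FBI alert or of Onepath's material. It reviews Windows logon events for the patterns a SamSam-style intrusion leaves behind: a burst of failed logons from one source (brute force), a successful logon from a source that had just been failing (password guessing that worked, or a lockout policy that did not), and any successful RDP logon from outside an allow-listed address range. The CSV export format, the allow-list, and the sample rows are all constructed for this example; a real feed would be Security log events 4624 (successful logon) and 4625 (failed logon) pulled from a SIEM or `wevtutil`, and the column names would be whatever your export tool emits.

```python
"""Review RDP logon events for brute-force and suspicious-success patterns.

Windows Security log: event 4624 = successful logon, 4625 = failed logon.
Logon Type 10 = RemoteInteractive, i.e. an RDP session. Caveat: when
Network Level Authentication is enabled, a failed RDP attempt is often
recorded with Logon Type 3 (Network) instead, so on a host that serves
only RDP you may want to widen rdp_logon_types to {3, 10}.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample export (not real log data); columns are an assumption
# about the export tool: timestamp, event ID, logon type, account, source IP.
SAMPLE_LOG = """\
timestamp,event_id,logon_type,account,source_ip
2018-12-02T02:14:01,4625,10,administrator,203.0.113.45
2018-12-02T02:14:03,4625,10,admin,203.0.113.45
2018-12-02T02:14:05,4625,10,backup,203.0.113.45
2018-12-02T02:14:06,4625,10,scanner,203.0.113.45
2018-12-02T02:14:08,4625,10,sqlsvc,203.0.113.45
2018-12-02T02:14:09,4625,10,sqlsvc,203.0.113.45
2018-12-02T02:14:40,4624,10,sqlsvc,203.0.113.45
2018-12-02T08:02:11,4624,10,jsmith,10.20.0.15
2018-12-02T08:05:30,4625,3,jsmith,10.20.0.15
2018-12-02T09:15:00,4624,10,tlee,198.51.100.7
"""


@dataclass(frozen=True)
class LogonEvent:
    when: datetime
    event_id: int
    logon_type: int
    account: str
    source_ip: str


def parse_events(text):
    """Parse the CSV export into LogonEvent records sorted by time."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append(LogonEvent(
            when=datetime.fromisoformat(row["timestamp"]),
            event_id=int(row["event_id"]),
            logon_type=int(row["logon_type"]),
            account=row["account"],
            source_ip=row["source_ip"],
        ))
    return sorted(events, key=lambda e: e.when)


def review_rdp_logons(events, allowed_sources, window=timedelta(minutes=5),
                      threshold=5, rdp_logon_types=frozenset({10})):
    """Return a list of (kind, source_ip, detail) findings.

    brute_force            - at least `threshold` failures from one source
                             inside a sliding `window`
    success_after_failures - a success from a source with failures in the
                             preceding window
    external_success       - a successful RDP logon from an address that is
                             not inside any allowed_sources network
    """
    allowed = [ip_network(n) for n in allowed_sources]
    failures = defaultdict(list)   # source_ip -> failure timestamps in window
    flagged_brute_force = set()
    findings = []
    for ev in events:
        if ev.logon_type not in rdp_logon_types:
            continue
        src = ev.source_ip
        if ev.event_id == 4625:
            failures[src].append(ev.when)
            # Drop failures that have aged out of the sliding window.
            failures[src] = [t for t in failures[src] if ev.when - t <= window]
            if len(failures[src]) >= threshold and src not in flagged_brute_force:
                flagged_brute_force.add(src)
                findings.append(("brute_force", src,
                                 f"{len(failures[src])} failed RDP logons within {window}"))
        elif ev.event_id == 4624:
            recent = [t for t in failures[src] if ev.when - t <= window]
            if recent:
                findings.append(("success_after_failures", src,
                                 f"{ev.account} succeeded after {len(recent)} recent failures"))
            if not any(ip_address(src) in net for net in allowed):
                findings.append(("external_success", src,
                                 f"{ev.account} logged on from a non-allow-listed source"))
    return findings


if __name__ == "__main__":
    # Assumed internal range; replace with the VPN pool / jump-host addresses
    # that are the only legitimate sources of RDP in your environment.
    for kind, src, detail in review_rdp_logons(parse_events(SAMPLE_LOG), ["10.0.0.0/8"]):
        print(f"{kind:24} {src:16} {detail}")
```

On the sample data the script flags the 203.0.113.45 source twice (a brute-force burst, then a success on the `sqlsvc` account that followed it) and reports that success plus the later `tlee` logon as coming from outside the allowed range; the type-3 failure from the internal host is ignored. The external-success check is the one that directly tests the "RDP only from behind the firewall, over a VPN" rule above: if anything shows up there, either the allow-list is wrong or RDP is reachable from somewhere it should not be.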

Finally, here is a link to Onepath’s blog post on this matter.

More Data Breaches, Just In Time For The Holidays


The following was published in today’s Foster’s and Seacoast Sunday.

If you’ve been paying attention to the news over the last few days, you know that both the Marriott hotel chain and New England’s own Dunkin Brands, parent of Dunkin Donuts, have announced significant data breaches.

Let’s start with the breach at Marriott. There are several worrisome things about this breach. First and foremost, early reporting indicates that this breach may have been underway for four years, beginning sometime in 2014. This speaks to the sophistication of the attackers, who were able to gain access to a target network and take up residence undetected for an extended period. That dwell time is what allows attackers to harvest untold troves of data from the targeted company, in this case Marriott.

Here is what we know about this breach. The attack targeted Marriott’s Starwood Preferred Guest rewards program database. This encompasses the Marriott brands including Aloft, Design Hotels, Element, Le Méridien, Sheraton, St. Regis, The Luxury Collection, Tribute Portfolio, W Hotels and Westin. If you have stayed at one of these brands, you could be impacted.

The data exposed in this breach is also a significant concern. Early estimates indicate the private information of as many as 500 million guests may be exposed. This includes personally identifiable information, potentially including passport numbers, which is a major concern. Names, mailing and email addresses, phone numbers, account numbers, reservation details and more may have been breached.

Marriott encrypted payment card numbers in the affected database, so the hope is that the hackers will not be able to decrypt that data and gain access to credit, debit and bank account details. However, Marriott has said it cannot rule out that the components needed to decrypt those numbers were also taken, so you should not count on the encryption. If you have stayed at a Marriott property and may have an account in the Starwood guest system, keep very close watch on your accounts and enable any and all fraud alert features available to you.

You should obviously change your password if you have a login to any of the Marriott brand websites. And if there is any chance that you have used the same password for other accounts, you are best to change those account passwords as well.

Now let’s turn to Dunkin Donuts and its DD Perks rewards program. This one is a bit interesting in that Dunkin Brands, the parent company of Dunkin Donuts, is not saying it experienced a data breach. Rather, it is saying other companies’ data breaches may have exposed usernames and passwords that customers reused on DD Perks, and that attackers tried those credentials against DD Perks accounts (a technique known as credential stuffing), gaining access to some of them.

The company is warning customers who are DD Perks members or use their mobile app to pay for purchases at their stores, that their accounts may be exposed. The company is also saying this issue only impacts a small percentage of customers. Here’s hoping.

Time will tell how widespread the Dunkin issue is. As with the recommendations above, if you are a DD Perks member or use the mobile app, you should change your password immediately and closely monitor your linked payment accounts.

I expect far more details on each of these breaches will be coming out in the days and weeks ahead. With online shopping and mobile apps becoming more and more prevalent every day, you need to take prudent steps to protect yourself. These breaches will unfortunately continue. It’s up to each of us to take advantage of every available precaution to safeguard ourselves from the collateral damage that these breaches bring. I know I’m a broken record, but start by using a unique password for each and every account that you have.