The Growing Ransomware Threat


If you aren’t aware of ransomware and the damage it can do, I don’t know how you found this blog and are reading it.  If you have any association with the Internet and blogs or other resources like mine, you must know about ransomware.  I’ve blogged about it numerous times and I’m quite concerned by some of the trends I’m noticing over the past year.

A glaring example is this month’s ransomware attack on the City of Augusta, Maine, the state capital.  It essentially shut down the city, including the police department, which fortunately was able to be brought back online before any serious impact took place.

The ransomware that hit Augusta was particularly nasty in that it focused on shutting systems down and making them inaccessible.  It did not steal data, at least not that has been discovered as of now.  What was also particularly nasty was the amount of ransom that the hackers demanded.  One hundred thousand dollars.  You read that right, the hackers demanded at least $100,000 to restore Augusta’s network.  The city elected not to pay the ransom and actually rebuilt much of its infrastructure from the ground up.  That itself is not inexpensive and it was time consuming, but it did not reward the bad guys for their attack.

Augusta is not the only city to be hit hard.  The cities of Albany, New York, Atlanta, Georgia, Greenville, North Carolina, Portsmouth, New Hampshire, Stuart, Florida and Tallahassee, Florida are among many US cities that have suffered ransomware attacks.  Just this past week, Cleveland Hopkins International Airport was hit with a ransomware attack.  Fortunately, it appeared to only impact terminal systems and not critical air traffic control and safety systems, but it certainly caused many to think hard about the risk ransomware poses.

Ransomware is getting smarter, and the ransoms are getting larger, meaning a successful attack could very easily put a business out of business in a short amount of time.  I know of more and more entities, private and government, that are suffering more advanced ransomware attacks.

While a layered defense is more important than ever, user education is equally important.  You can throw all the technology available at ransomware and it could still sneak into your systems.  The importance of doing everything possible to thoroughly educate your users on how to defend themselves against ransomware cannot be overstated.

Test your users and see who may be vulnerable to email phishing attacks, still the most common way ransomware enters a network.  Lock down your networks and employ web filters to control where you allow your users to go online.  I could go on and on about the different ways you can defend against this threat, but at the end of the day there is just one word: education.

Not one-time education, but ongoing education and simulated attacks.  Just as first responders and others train for crisis situations so they reflexively know how to respond properly, we need to adopt a similar strategy to protect our businesses and online assets.  Continually educate, test, refine the education based on the results of testing, and test again.  Repeatedly.  Make it part of your corporate culture, just like every other routine critical to the success of your business.  You’ll be glad you did!

Be Sure To Secure Your Home Devices


This post was originally published as the Tech Talk Column in the Sunday, April 28, 2019 editions of Foster’s and Seacoast Sunday.

Do you have a Nest product in your home?  Nest, best known for their connected thermostats, is coming under fire for what many feel are weak security controls. Why? Because the company is concerned about turning off users by making the logon process more than just a username and password. In today’s world, that’s practically negligent.

Nest makes several home devices along with their market leading thermostats. They make webcams, smoke and carbon monoxide detectors, locks, video doorbells and a security system, all interconnected and manageable via an app or the web. In other words, all connected to the internet. This makes them incredibly convenient, but also incurs some risk, as do all connected devices. While I mention Nest by name, many manufacturers could be at risk.

Here’s the issue. Nest has had some embarrassment of late, where hackers have been able to gain access to user accounts and take control of the devices in someone’s home. Reports reference thermostats changing temperature when the owner of the device was not the one to make the change. More concerning are reports of Nest’s webcams being taken over by hackers.

In the case of the webcams, hackers could watch what is happening in the home. Perhaps more disturbing are the reports of hackers using the webcam’s microphone and speaker to actually interact with someone in the home. In effect, the hackers are able to break into the home without ever physically being there. In one recent report, the hackers played pornographic sounds through the webcam, which was located in a child’s room. Frightening.

Many reports suggest the reason this is possible is that companies like Nest only require a username and password to log in to these devices. These manufacturers worry that if they make logging in more complex, for example by requiring two-factor authentication or other methods to verify the user is who they say they are, users will look to easier-to-use products. In response to the well-publicized issues with Nest’s products, the company asked users to enable a two-step login process that relies on entering a unique code sent to the user via text message when logging in. This is a step in the right direction, albeit long overdue and in response to negative press, instead of a proactive approach to making sure their products are as safe as possible from hackers.

Another reason these types of vulnerabilities exist is that many people use weak passwords. Additionally, a majority of people use the same username and password to access multiple sites. The problem is that when one of these sites is hacked and user credentials are stolen, they are often posted online and then used to gain access to accounts at other sites. A practice known as credential stuffing is often employed: hackers use software to test known usernames and passwords against online sites to see if they can get into your account. It’s not as complicated as it may sound.
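The credential stuffing pattern just described leaves a recognizable trace in a site's own login logs: one source trying many different usernames in a short burst, with mostly failures. The following is an added example, not code from the original post, showing a simple detector run over constructed audit lines; the log format, IP addresses and thresholds are all assumptions made for the example.

```python
"""Credential-stuffing detection over constructed login-audit lines.

A stuffing run replays breached username/password pairs from one source
against many different accounts, so a single IP produces a burst of
failures across many distinct usernames with only a few successes.
A legitimate user who forgets a password fails against one username.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2019-04-28T02:00:01 203.0.113.7 alice@example.com FAIL
2019-04-28T02:00:02 203.0.113.7 bob@example.com FAIL
2019-04-28T02:00:02 203.0.113.7 carol@example.com FAIL
2019-04-28T02:00:03 203.0.113.7 dave@example.com SUCCESS
2019-04-28T02:00:04 203.0.113.7 erin@example.com FAIL
2019-04-28T02:00:05 203.0.113.7 frank@example.com FAIL
2019-04-28T02:00:06 203.0.113.7 grace@example.com FAIL
2019-04-28T02:00:07 203.0.113.7 heidi@example.com FAIL
2019-04-28T08:15:10 198.51.100.23 alice@example.com FAIL
2019-04-28T08:15:31 198.51.100.23 alice@example.com FAIL
2019-04-28T08:16:02 198.51.100.23 alice@example.com SUCCESS
2019-04-28T09:00:00 192.0.2.44 bob@example.com SUCCESS
"""


def parse_log(text):
    """Turn the constructed audit format into (time, ip, user, outcome) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        records.append((datetime.fromisoformat(ts), ip, user, outcome))
    return records


def detect_stuffing(records, window=timedelta(minutes=10),
                    min_users=5, min_fail_ratio=0.7):
    """Return {ip: summary} for sources whose attempts inside any sliding
    window touch at least `min_users` distinct accounts with a failure
    ratio of at least `min_fail_ratio`. Thresholds are illustrative."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec[1]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until the span fits in `window`.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            win = recs[start:end + 1]
            users = {r[2] for r in win}
            fails = sum(1 for r in win if r[3] == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                # Accounts that succeeded inside a stuffing burst are the
                # ones to lock and force through a password reset.
                findings[ip] = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "failures": fails,
                    "hit_accounts": sorted(
                        {r[2] for r in win if r[3] == "SUCCESS"}),
                }
    return findings


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The single user at 198.51.100.23 who fails twice and then succeeds is not flagged, which is the distinction a real alert rule needs to preserve.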

Obviously, the best defense is a good offense. You should use a unique username and password combination for every web site you log in to. You should enable two-factor authentication everywhere it is supported. If it’s not, you should seriously consider not using the site or product until it is. How can you find out if your user accounts have been compromised? Check the web site https://haveibeenpwned.com. Enter your email address and the site will let you know if your account has been exposed and, if so, which website exposed it. Make sure you change the password on that site, or delete your account completely if you no longer need it.

Most importantly, if you have accounts that have been breached, be absolutely sure you change your password on any site where you may have used the same password. Even if you are fortunate enough not to have one of your accounts exposed, do some digital spring cleaning. Check your online accounts and be sure each one uses a unique and complex password. You’ll be glad you did.

Digital Spring Cleaning – Sun’s Out!

With the warmer weather and increasing sunshine, thoughts turn to spring cleaning.  While you’re working in your yard and around your home, don’t forget about digital spring cleaning as well.

Throughout the year, most people collect a lot of digital information about themselves.  Just think of all the records you just went through, in order to file your taxes!  What will you do with all of this information?  Especially the sensitive stuff.

The National Cyber Security Alliance and the Better Business Bureau are encouraging everyone to spend some time doing digital spring cleaning.  They are asking people to focus on three simple actions:

  1. Lock Down Your Login: Be sure you use strong passphrases and not just simple passwords.  Whenever possible, enable two-factor authentication to further lock things down.
  2. Update Your System and Software: Hackers love out of date systems and software.  Apply the latest updates to be sure your systems and software are properly protected.
  3. Back It Up: A good backup is so important.  Cloud based backup options are quite affordable, so there’s no reason not to have a solid backup of your data.

[Image: Digital Spring Cleaning tip sheet]

Don’t forget, when disposing of electronic devices, they may need to be digitally shredded to ensure that no data is left behind.  Don’t just throw your old computers, mobile devices and memory sticks away.  Be sure they are wiped of any personal data.  This is true for office equipment as well, especially copiers, which often scan and store a digital image of what is copied.  Click the image above and review the tip sheet for more information.

Inspiring Innovation


This week, I had the pleasure of attending the latest CompTIA Board of Directors meeting.  We were in New York City for this meeting and as a result, had the opportunity to tour the SAP Leonardo Center in the beautiful new Hudson Yards development.

SAP has four Leonardo Centers, located in Bangalore, India; New York City; Paris, France; and São Leopoldo, Brazil.  These are inspiring places.

Our tour took place on the 48th floor of the New York center and we learned from our hosts about how SAP is driving innovation and encouraging start-ups in an open, collaborative environment.  In some cases, SAP’s venture fund may invest in some of these businesses.  In others, SAP customers may simply leverage the resources at the innovation center to help accelerate their growth.  Our hosts were Marvin, originally from Germany, and Charlotte, a native of Denmark.

Being on the 48th floor, the innovation center has amazing views, but more importantly, a strong message.  The center strives to support the 17 United Nations Sustainable Development Goals (SDGs) to transform our world.  These goals are:

  1. No Poverty.
  2. Zero Hunger.
  3. Good Health and Well-being.
  4. Quality Education.
  5. Gender Equality.
  6. Clean Water and Sanitation.
  7. Affordable and Clean Energy.
  8. Decent Work and Economic Growth.
  9. Industry, Innovation and Infrastructure.
  10. Reduced Inequalities.
  11. Sustainable Cities and Communities.
  12. Responsible Production and Consumption.
  13. Climate Action.
  14. Life Below Water.
  15. Life on Land.
  16. Peace, Justice and Strong Institutions.
  17. Partnerships for the Goals.

[Image: United Nations Sustainable Development Goals logo]

As our tour continued, we learned about projects to provide real-time data to allow airports to operate more efficiently.  Imagine security officers being able to be deployed to open more screening lanes based on a heat map of the security checkpoint.  Or how about an aircraft being redirected to a gate that has more of the needed ground services close by, instead of having to wait for vehicles to travel across the ramp.  All making the operations more efficient and the traveling experience more timely and less stressful.

We saw all sorts of examples of virtual reality and other technologies enabling wonderful innovation to improve our world.  Of course, I loved the ice hockey virtual reality example above in the lower right :).

[Photo: CompTIA Board Members and Staff at the SAP Leonardo Center]

Above is a picture of most of the CompTIA Board Members and Staff who were able to tour the Innovation Center, thanks to our fellow Board member John Scola of SAP, third in from the left.

And finally, some of the incredible views from the 52nd floor terrace.

Time Running Out on Old Versions of Windows


The following was published in the April 14, 2019 editions of Foster’s and Seacoast Sunday.

Do you run Windows 7 on your computer at the office or at home? Do your servers run Windows Server 2008? If the answer to either question is yes, you’ve got less than nine months to replace these operating systems.


Why? Because Microsoft is ending support for both Windows 7 and Windows Server 2008 on January 14, 2020, nine months from today. That is not a lot of time, not at all. Windows 7 has been the most widely installed version of the Windows operating system on desktop and laptop computers. Depending on which estimates you believe, Windows 7 is still thought to be running on approximately half of the PCs in use worldwide. This is a staggering number.

Depending on the generation of your computer, you may or may not be able to update a Windows 7 computer to Windows 10, Microsoft’s latest version of the Windows operating system. If your computer is less than five years old, you may be able to upgrade it and still have it perform well, though many computers will simply need to be replaced. As people keep their computers longer, upgrading to the latest operating system may not provide acceptable performance due to increased resource requirements and capabilities that older hardware may not be able to support.

While nine months may seem like plenty of time to get a Windows 7 computer upgraded, for businesses that may have several, if not dozens or hundreds, of computers to upgrade, time is absolutely of the essence. We have already experienced significant shortages of critical computer components through the first quarter of 2019. Intel CPUs have been severely constrained since late last year, and this pushed out delivery dates for every major computer manufacturer to the point where back orders stretched well over a month. This situation may only worsen as organizations put stress on the supply and demand cycle for computer manufacturers.

Many sources are predicting significant shortages of available computers by the third quarter of the year, based on present trends. It would not at all surprise me to see a rush on PC demand come the summer months, when many companies look to undertake significant disruptive projects during the traditional summer vacation season. Certainly, replacing large fleets of computers across departments and entire companies may be easier to manage when more people than usual are on vacation. I am concerned those individuals and organizations that wait until summer to start planning these replacements may not be able to complete them before the end of support.

When support ends, no updates will be released for these operating systems and you can be assured that hackers will be waiting in the wings to exploit unprotected systems. You do not want to be caught in that coming wave. In fact, many cyber insurance policies require that you maintain currently supported hardware and software in order for the coverage to protect you in the event of a cyber related incident. The risks of inaction are significant.

The situation for Windows Server 2008, the operating system still running many servers today, is no less of a concern. Servers are naturally more complex to replace than an individual PC. Servers are the foundation of IT infrastructures and support the applications, databases and services that we all rely on every single day. Together, the end of support for each of these versions represents a growing threat and trend that we all need to be aware of. As technology advances, companies like Microsoft and others simply cannot maintain the level of support necessary to keep every version supported indefinitely. The threat landscape is simply too fluid to devote the significant resources needed to keep all of these versions supported.

If you have yet to focus on this, I urge you to make this your number one IT priority this year. Talk with your IT department or IT partner and be sure you have a plan to act now, not later. You will need every bit of time between now and the end of the year to plan, budget, procure and implement. As the saying goes, time’s a-wasting. Make yourself a note to start your plan tomorrow morning, if you have not already.

VPN Vulnerability


Do you use a VPN to connect to your office network?  If you do, you should be aware of a vulnerability alert issued by CERT (Computer Emergency Response Team) yesterday.  Many major VPNs require an update to ensure safety.

I have pasted the CERT announcement below:

Multiple VPN applications insecurely store session cookies

Vulnerability Note VU#192371

Original Release Date: 2019-04-11 | Last Revised: 2019-04-11

Overview

Multiple Virtual Private Network (VPN) applications store the authentication and/or session cookies insecurely in memory and/or log files.

Description

Virtual Private Networks (VPNs) are used to create a secure connection with another network over the internet. Multiple VPN applications store the authentication and/or session cookies insecurely in memory and/or log files.

CWE-311: Missing Encryption of Sensitive Data
The following products and versions store the cookie insecurely in log files:
– Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS (CVE-2019-1573)
– Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2

The following products and versions store the cookie insecurely in memory:
– Palo Alto Networks GlobalProtect Agent 4.1.0 for Windows and GlobalProtect Agent 4.1.10 and earlier for macOS (CVE-2019-1573)
– Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2
– Cisco AnyConnect 4.7.x and prior

It is likely that this configuration is generic to additional VPN applications. If you believe that your organization is vulnerable, please contact CERT/CC at cert@cert.org with the affected products, version numbers, patch information, and self-assigned CVE.

Impact

If an attacker has persistent access to a VPN user’s endpoint or exfiltrates the cookie using other methods, they can replay the session and bypass other authentication methods. An attacker would then have access to the same applications that the user does through their VPN session.

Solution

Apply an update
Palo Alto Networks GlobalProtect version 4.1.1 patches this vulnerability.

CERT/CC is unaware of any patches at the time of publishing for Cisco AnyConnect and Pulse Secure Connect Secure.
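The CWE-311 issue in the note above, a session cookie written in clear text to a client log file, can be caught by scanning the log and prevented by redacting the value before it is written. The following is an added example written for this post, not code from CERT/CC or any of the named vendors; the log lines, cookie name and header formats are constructed, and the truncated-hash tag is one assumed way to keep entries correlatable without keeping the secret.

```python
"""Finding and redacting session cookies written to client log files.

Anyone who can read a log containing the raw cookie can replay the VPN
session. find_plaintext_cookies() is the audit check; redact_cookie_values()
is what a logging layer should apply before a line reaches disk.
"""
import hashlib
import re

# Constructed, product-neutral client log lines (not from any real VPN).
SAMPLE_CLIENT_LOG = [
    "2019-04-11 09:12:01 INFO  connecting to vpn.example.com",
    "2019-04-11 09:12:02 DEBUG response headers: Set-Cookie: "
    "SESSID=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6; Path=/; Secure; HttpOnly",
    "2019-04-11 09:12:02 DEBUG request headers: Cookie: "
    "SESSID=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6",
    "2019-04-11 09:12:03 INFO  tunnel established",
]

COOKIE_HEADER = re.compile(r"(?i)\b(Set-Cookie|Cookie):\s*([^\r\n]*)")
COOKIE_PAIR = re.compile(r"([A-Za-z0-9_\-]+)=([^;,\s]+)")
# Opaque token: a long run of the characters typical of session identifiers.
TOKEN_LIKE = re.compile(r"^[A-Za-z0-9+/=_.\-]{16,}$")
# Set-Cookie attributes are not secrets and are left untouched.
ATTRS = {"path", "domain", "expires", "max-age", "samesite"}


def find_plaintext_cookies(lines):
    """Return (line_number, cookie_name) for every token-like cookie value
    that appears unredacted in a Cookie or Set-Cookie header."""
    hits = []
    for n, line in enumerate(lines, 1):
        for header in COOKIE_HEADER.finditer(line):
            for name, value in COOKIE_PAIR.findall(header.group(2)):
                if name.lower() not in ATTRS and TOKEN_LIKE.match(value):
                    hits.append((n, name))
    return hits


def token_tag(value):
    """Replacement for a cookie value: a truncated SHA-256 is enough to
    correlate lines from one session but cannot be turned back into it."""
    return "<redacted:%s>" % hashlib.sha256(value.encode()).hexdigest()[:8]


def redact_cookie_values(line):
    """Rewrite a log line so every cookie value is replaced by token_tag()."""
    def _pair(m):
        name, value = m.group(1), m.group(2)
        if name.lower() in ATTRS:
            return m.group(0)
        return "%s=%s" % (name, token_tag(value))

    def _header(m):
        return "%s: %s" % (m.group(1), COOKIE_PAIR.sub(_pair, m.group(2)))

    return COOKIE_HEADER.sub(_header, line)


if __name__ == "__main__":
    print(find_plaintext_cookies(SAMPLE_CLIENT_LOG))
    for line in SAMPLE_CLIENT_LOG:
        print(redact_cookie_values(line))
```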

Nasty Tax Phishing Scam


It’s that time of year again, tax time.  This is also a time of increased hacker activity, trying to trick you into clicking links and opening attachments related to your taxes.  These activities are designed to get you to enter your credentials into what may look like a real web site, but is really one designed only to steal your username and password and access your real data.  Another tactic is to get you to open something that will silently install malware on your computer, designed to quietly watch all that you do in the hope of stealing valuable information.

I want to share a very nasty example of one such risk.  This is a classic phishing email, trying to trick me into clicking on a link that looks very legitimate.  In the image below, I have redacted any sensitive or identifying information to protect myself and my accounting firm.  They have already taken the necessary steps to ensure their systems are safe in the wake of this.  It points out the very serious risk that accounting firms are facing.  The nasty thing about this message is that it includes actual email messages exchanged last September, 7 months ago!  This gives the message an air of authenticity, when it is anything but.  Check it out below and be extra vigilant: check every sender address, link and attachment before you take any action…

[Image: redacted phishing email sent in the name of an accounting firm]
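Two of the checks the post asks for, looking at the sender address and at every link, can be made mechanical. This is an added example, not part of the original post or the phishing message shown: it parses a constructed message with fictional domains and flags a Reply-To that points away from the sender's domain and a link whose visible text names a different site than its href. The base_domain() helper is a deliberate simplification (last two labels, no public suffix list).

```python
"""Mechanical sender and link checks for a suspected phishing email."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message; every domain here is fictional.
SAMPLE_EMAIL = """\
From: "Jane at Example Accounting" <jane@example-accounting.com>
Reply-To: jane.example-accounting@mail-relay.example.net
To: client@example.org
Subject: RE: 2018 tax documents ready for review
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review the documents here:
<a href="https://login.example-accounting.com.docs-share.example/view">https://portal.example-accounting.com/docs</a></p>
<p>See our <a href="https://www.example-accounting.com/about">website</a>.</p>
</body></html>
"""

# Visible link text that claims to be a URL or a bare domain name.
URL_ISH = re.compile(r"^(https?://|www\.)|^[\w.-]+\.[a-z]{2,}(/|$)", re.I)


def base_domain(host):
    """Last two labels of a host; a real tool would use the public suffix list."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def host_of(text):
    """Host named by a URL or bare domain string ('' if none)."""
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname or ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_email(raw):
    """Return (finding, detail) tuples for the raw message text."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = base_domain(parseaddr(str(msg["From"]))[1].rpartition("@")[2])
    if msg["Reply-To"]:
        rt = base_domain(parseaddr(str(msg["Reply-To"]))[1].rpartition("@")[2])
        if rt != sender:
            findings.append(("reply-to-mismatch", "%s vs %s" % (rt, sender)))
    collector = LinkCollector()
    collector.feed(msg.get_content())
    for href, text in collector.links:
        if URL_ISH.match(text):  # only text that claims to be a site can lie
            shown, actual = base_domain(host_of(text)), base_domain(host_of(href))
            if shown != actual:
                findings.append(("link-text-mismatch", "%s -> %s" % (shown, actual)))
    return findings
```

The second link, whose text is just "website", produces no finding: the check only fires when the visible text itself names a site.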

 

Time For A Fireside Chat On Cybersecurity


This was originally published in the March 31st editions of Foster’s and Seacoast Sunday.

This past Thursday, Onepath held a Cybersecurity Fireside Chat at the Harvard Club in downtown Boston. We were honored to bring together Brian Shield, vice president for information technology for the Boston Red Sox, and Eric Rosenbach, co-director of the Harvard Kennedy School’s Belfer Center for Science and International Affairs and former assistant secretary of defense for global security, for this intimate and informative chat.

I have participated in many events like this over my career, and those in attendance witnessed one of the absolute best cybersecurity talks I have ever seen. Despite their impressive credentials and experience, Brian and Eric were incredibly gracious, humble, down to earth and relatable. They shared their experiences throughout their careers in dealing with the evolving cybersecurity threat landscape and shared many actionable tips to help others improve.

Eric shared the three things that most concern him when it comes to the current cybersecurity threat landscape. First is ransomware, malicious software you can be tricked into launching on your computer that will encrypt all the data that computer can access. This renders the data inaccessible. When anyone tries to access the data, they are presented with a ransom note they must pay to regain access to the data. Eric shared that one of his great disappointments with our nation is that ransomware came to be because of leaks from the NSA and Department of Defense of offensive cyber weapons that fell into the hands of bad actors and adversarial nation states. He expects ransomware to continue to evolve.

Second, he shared his belief that nation states will continue to be the lead bad actors. Cyber is an asymmetrical weapon that can level the playing field for adversarial nations that cannot compete with the West militarily. As an example, he shared that countries like North Korea use ransomware to raise funds to get around sanctions and as we now know, the Russian government launched info ops to seed dissent to create doubts about our democracy. He expects such info ops to continue and evolve. Third, Eric feels artificial intelligence will help defensively, but could also be used to increase the effectiveness of AI based info ops.

Brian talked about the importance of intellectual property within organizations like a Major League Baseball organization. From the medical information about their players to the extensive database of prospective players, these are some of the most important assets of the organization and protecting them is a priority. A compromised account of a former MLB team employee spurred the MLB to act and create a cybersecurity program for all MLB teams.

Cybersecurity requires a holistic approach. It’s not just about deploying defensive technologies. Education and a culture of awareness and prevention are critical to an organization’s success in keeping itself safe. You can deploy all the technology available and still be a victim due to an uneducated user making a poor choice.

Incident response plans are critical. The last thing you want to do is create a plan while responding to a cybersecurity incident. Brian and Eric recommended doing a table-top exercise to test your plan before you need it. This will help identify gaps, whether it is how to restore access to critical IT systems or how to inform your employees, customers and the public should you have an incident.

Cybersecurity is very interconnected. Private industry is constantly being targeted. Assume you are and recognize we are all on the front line. Eric said he feels we have an obligation to our country to confront and protect ourselves against these threats. He feels it is our patriotic duty to do so as this is a national security issue for us all. Imagine if bad actors are able to disrupt enough businesses or cause failures for iconic American brands. It could shake the confidence of our society, thus the imperative to take this more seriously than we ever have.

While daunting on the surface, we have access to more resources than ever. A simple thing everyone can do is use two factor authentication across all of your accounts. A great resource to determine how to enable two factor authentication is https://twofactorauth.org. Check it out and enable your accounts. It’s your patriotic duty.

Onepath’s Top 5 Cybersecurity Threats – April 2019


Stay informed on the latest in information security with these five handpicked articles from around the web.


Georgia Tech Stung with 1.3 Million-person Data Breach

SC Magazine

Georgia Tech reports that it suffered a data breach when a web application exposed the information of 1.3 million current and former students, student applicants, and staff members.


Ransomware Behind Norsk Hydro Takes on Wiper-like Capabilities

ThreatPost

LockerGoga, the malware that recently took down Norsk Hydro, has taken the industrial world by storm as researchers race to uncover more about the mysterious ransomware. Here’s what we know.


Insurers Gear Up for Continued Rise in Cybersecurity Attacks

Onepath

As cyber attacks rise, insurance companies collaborate on a program to help companies evaluate the effectiveness of security products and services.


Why Cybersecurity Culture Is a Leadership Responsibility

Onepath

When it comes to cybersecurity, there’s a cultural shift taking place. Brian Shield, CIO for the Boston Red Sox, and Eric Rosenbach, former assistant Secretary of Defense for Global Security, discuss the current state of global security and what leaders can do to help defend the United States.


What Is the Dark Web and Why Should You Care?

Alert Logic

You’ve probably heard of the term “dark web,” but what is it exactly? And why does the dark web matter?

Onepath Career Fair


If you’re interested in a career in Information Technology Services in the Merrimack Valley or Southern New Hampshire, Onepath is hosting a Career Fair this Saturday, April 6th from 9 AM to Noon.  Bring your resume for an instant, on-site interview!  Details below.

[Image: 2019 Onepath Career Fair flyer]