Beware Fake USB Flash Drives and SSDs

Just a reminder for recognizing fake flash media (SSDs and USB flash drives), since I shopped for some recently.

OK I admit it. I look for bargains online that are not smart purchases, e.g. USB flash drives or solid state drives (SSDs) that are cheap. But those bargains may be hiding garbage technology or malicious software. In general, you should buy for the quality and dependability of a known manufacturer (see suggested manufacturers below). Also consider whether you want a lower or higher range drive from these companies as price will vary.

As to what you get for your money, some flash drives and solid state drives (SSDs) have actual storage capacity that is much lower than advertised. For instance, Kingston offers 1TB USB flash drives for about $180, and you cannot buy a legitimate 2TB flash drive for less than $100 (Datarecovery.com). I saw this 16TB flash drive for sale on Bing.

Yeah, right.

Then I saw this one with no reviews and “generic” for the manufacturer.

As to 16TB SSDs, Datarecovery.com says they’re scams, “even if they’re shipped by an otherwise reputable seller.” The site notes that an 8TB hard drive from a reputable manufacturer costs at least $150.

Review Geek found that one questionable 16TB SSD contained only 64GB and Datarecovery.com found a 2TB flash drive only had 32GB of storage. You may only see a problem when you try to save data to the drive. Your operating system may show a false capacity and the drive will look to be working correctly—but the data won’t save. Try to return the drive and you could end up with another bogus replacement.

Besides not getting the storage you want, some fake SSDs and USB flash drives can cause other security problems. You may know about the dangers of putting a flash drive you found in a parking lot into your computer: malware and viruses, theft of your data, ransomware infections, unauthorized access to your or your company’s network, or theft of your identity.

Know The Reviews

To avoid falling prey to these false drives and cybersecurity threats, you may find some guidance from your fellow shoppers. Amazon, Walmart, and eBay feature customer reviews from people who bought the product. While you should be careful about believing positive reviews, because shady sellers and scammers can produce false ones, reading the negative reviews may help.

Hallmarks of Fake SSDs and USB Flash Drives

Consider the following signs of fake SSDs and flash drives:

1. Price Too Good to Be True: As mentioned above, believe this old maxim. You get what you pay for.

2. Unusual Packaging that is off or inconsistent with the genuine packaging: look for typos, irregular fonts, or missing holographic seals.

3. Missing Brand Logo or Markings: Genuine USB drives typically have the brand logo, name, and model number prominently displayed on the drive enclosure.

4. Inconsistent Design: Counterfeits may have irregularities in the shape, size, or materials used.

5. Unfamiliar Brand: Be cautious when dealing with lesser-known or obscure brands, especially if the product is being sold at an unusually low price.

6. Fake Capacity: As mentioned above; use a reliable capacity-testing tool to verify the actual storage capacity of the drive.

7. Poorly Printed Labels: Inspect the labels on the USB drive for signs of low-quality printing, smudged text, or uneven coloring.

8. Missing Security Features: Genuine USB drives often include security features like holographic seals, tamper-evident packaging, and serial numbers.

9. Suspicious Seller or Source: Unverified or unknown sellers lurk on online marketplaces or among street vendors.

10. Performance Issues: Counterfeit USB drives may appear to “hang forever,” i.e., exhibit slower data transfer speeds or may not function correctly. Test the drive’s performance with benchmarking tools.

11. Misspelled Words: Check the packaging, labels, and user manuals for misspelled words or grammatical errors.

12. Lack of Warranty or Support Information: Authentic USB drives typically come with warranty information and contact details for customer support.

Additionally, bogus SSDs also may feel lighter than genuine ones due to the use of cheaper or lower-quality materials.
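The capacity check in item 6 above is worth seeing in code, because the operating system reports whatever size the counterfeit controller claims. The only reliable test is to write data across the whole claimed range and read it back: a fake drive silently wraps high offsets onto the small amount of real flash it has, so earlier writes are overwritten and no longer read back. The following is an added example, not code from the original post or from any tool it mentions; `SimulatedDrive` is a constructed stand-in for a counterfeit device so the check runs offline, and the `stride` sampling is a design choice of this example (set `stride=block` for a full fill, which is slower but thorough).

```python
"""Write-then-verify capacity check for flash media (added example)."""
import hashlib
import os


def _pattern(index: int, size: int, seed: bytes) -> bytes:
    """Deterministic per-position test block: a hash of (seed, position index)
    repeated to `size` bytes, so it can be regenerated for verification
    without being stored anywhere but on the drive under test."""
    digest = hashlib.sha256(seed + index.to_bytes(8, "big")).digest()
    return (digest * (size // len(digest) + 1))[:size]


def verify_capacity(dev, claimed: int, block: int = 1 << 20,
                    stride: int = 64 << 20, seed: bytes = b"") -> dict:
    """Two-pass check against a file-like block device (seek/write/read).

    Pass 1 writes a distinct pattern every `stride` bytes up to `claimed`.
    Pass 2 reads every position back.  On a counterfeit drive that wraps
    offsets, earlier positions come back holding later patterns, so they
    fail; the number of positions that survive, times the stride, is a
    rough estimate of the real usable size.  Destructive: it overwrites
    the sampled positions, so run it only on an empty drive."""
    seed = seed or os.urandom(16)
    offsets = list(range(0, claimed - block + 1, stride))
    for i, off in enumerate(offsets):
        dev.seek(off)
        dev.write(_pattern(i, block, seed))
    if hasattr(dev, "flush"):
        dev.flush()  # real devices cache writes; push them out before reading
    intact, first_bad = 0, None
    for i, off in enumerate(offsets):
        dev.seek(off)
        if dev.read(block) == _pattern(i, block, seed):
            intact += 1
        elif first_bad is None:
            first_bad = off
    return {
        "checked": len(offsets),
        "intact": intact,
        "failed": len(offsets) - intact,
        "first_bad_offset": first_bad,
        "estimated_usable_bytes": intact * stride,
        "passes": intact == len(offsets),
    }


class SimulatedDrive:
    """Constructed model of a counterfeit device (not a real driver): it
    claims `claimed` bytes but only stores `real` bytes, mapping every
    offset modulo `real` the way many fake controllers do.  Test blocks
    must not straddle the wrap boundary, which holds when `real` is a
    multiple of the stride."""

    def __init__(self, claimed: int, real: int):
        self.claimed = claimed
        self.store = bytearray(real)
        self.pos = 0

    def seek(self, offset: int) -> int:
        self.pos = offset
        return offset

    def write(self, data: bytes) -> int:
        start = self.pos % len(self.store)
        self.store[start:start + len(data)] = data
        self.pos += len(data)
        return len(data)

    def read(self, n: int) -> bytes:
        start = self.pos % len(self.store)
        self.pos += n
        return bytes(self.store[start:start + n])


if __name__ == "__main__":
    # A "16 MiB" drive that really holds 2 MiB, checked with small blocks.
    fake = SimulatedDrive(16 << 20, 2 << 20)
    print(verify_capacity(fake, 16 << 20, block=4096, stride=65536))
    # On a real device (assumption: Linux, run as root, drive is EMPTY):
    # with open("/dev/sdX", "r+b", buffering=0) as dev:
    #     print(verify_capacity(dev, claimed_bytes_from_blockdev))
```

The report for the constructed fake drive shows 256 positions checked, only 32 intact, and an estimated usable size of 2 MiB, which is exactly the real flash the simulated controller has; a genuine drive returns `passes: True` with no failed positions.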

Shop Wisely

It seems like most of the above can be avoided by buying from known and tested brands. Buy from a reputable manufacturer. Fake USB flash drives and SSDs often have branding from unknown companies, and many have no branding whatsoever on their enclosures. Though Amazon and Walmart may be improving, to be ultimately safe you may want to avoid Amazon, Walmart, eBay, or other third-party shops and buy directly from the manufacturer.

Here are some recommended brands:

– SanDisk
– Kingston
– Samsung
– Lexar
– ADATA
– PNY
– Transcend

Conclusion: Buy for Quality and Backup

Stores such as Amazon, eBay, and other online stores and auctions provide information on how to detect fake USB flash drives and SSDs using variations of the above recommendations. But as to reliability, one thing to keep in mind regarding flash media is that it can fail at any time (all flash media will eventually fail).

So for your files and media, you should have three backup copies, including one that is on a cloud backup, like Carbonite. Don’t fall victim to bogus disks you find; continue to update your anti-malware software and operating system, and protect your computer using write protection, which will prevent unauthorized file writes from those drives.

When it comes to your data, computers and devices, don’t go cheap. The old maxim stands: if it seems too good to be true, it probably is.

Norton AI Scam Scanner

I use Norton/Lifelock and they’ve put out this cool little AI-powered site (https://us.norton.com/products/genie-scam-detector) and app (https://apps.apple.com/us/app/norton-genie-ai-scam-detector/id6448706515), which will tell you if the text or image you upload is suspicious. You can upload a screencap of a message, social post, or other site. When you interact with Genie, you can learn if you have encountered a scam or malicious message. Some training is still needed; it’s in early access right now, but will no doubt improve.

Safeguarding Customer Trust and Compliance: Why Organizations Are Embracing Zero Trust

Understandably, companies and organizations are embracing zero trust with the daily business pressures that have evolved over the last few years. The pandemic presented small businesses and organizations with new security considerations: remote workers with access to a much wider range of apps, new ways of working onsite, bring your own devices, cloud-based assets, and new supply chain and vendor processes. Furthermore, you may have added these changes to your network ad hoc. Now, you have an unwieldy patchwork of devices and computers at your business.

But the tweaks you put in place have also extended your network boundaries (or “perimeter”). In adding devices and computers as needed, you (and your administrators!) have added security vulnerabilities. You’ve lost track, and your problems are becoming more apparent every day. This new reality demands a new security paradigm.

What is Zero Trust?

Traditionally, your local area network verifies the permissions of users and computers once; after that they are trusted by default, i.e., no more verification is needed. There is the old Russian proverb: “Trust, but verify.”

But if you use a zero trust security model or zero trust architecture (or “perimeterless security”), the proverb is intensified: your network must “never trust, always verify.” Zero trust requires continuous verification of user and system identities for each computer resource requested. The emphasis here is on resources rather than how your network is segmented (NIST).

While you previously may have trusted users and devices within your “corporate perimeter” or connected via a VPN, today’s complex corporate networks running under zero trust work without regard to your systems, user accounts, or the location of any of these. (Zero trust can also be applied to the CIA—confidentiality, integrity, and availability—of your data while it is accessed or managed. This access should be authenticated dynamically, and permissions should be based on the principle of least privilege.)

Wait a minute… I have to repeatedly log in now?

Despite the new authentication requirements, under zero trust security, the user is not significantly inconvenienced or aware of the security measures taking place in the background:

– If you use single sign-on (SSO), “an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems” (Wikipedia), this convenience is unaffected under zero trust.

– Multi-factor authentication (MFA) is also transparent under zero trust; users may be required to reauthenticate only from an unfamiliar device or location.

– Continuous authentication techniques, such as behavioral analysis or device health checks, may infrequently be performed in the background without disturbing the user.

– Zero trust access control policies can grant access based on user identity, roles, and permissions, but it is also usually transparent to the user.

– Trust decisions can be made in the background; if necessary, access can be restricted, generally without user involvement.

– The user’s session can also be continuously monitored without their input. Suspicious activity can result in blocked access or further user reauthentication.

For your organization, zero trust protects your data and systems by admitting only the right users and giving them access to the right data for the right reason and purpose. Zero trust can assign a risk score for every user or process recognized by their time of day, device, use of sensitive data, or level of authentication (including MFA). Risk-based vulnerability management can monitor for cybersecurity attacks, like transactional fraud.
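The risk-scoring and policy decisions described in the last two paragraphs are easier to follow as a small policy engine. The following is an added example written for this post, not code from NIST or from any vendor product mentioned here. The signals it scores (device known and compliant, time of day, resource sensitivity, MFA level) are the ones the paragraph above lists; the point values, thresholds, role table and the `AccessRequest` fields are this example's own assumptions, and a real deployment would tune them. It also shows why the user is rarely bothered: the same decision is re-run on every request in a session, and only a changed signal (here, a device that falls out of compliance) produces a step-up or a block.

```python
"""Risk-based zero trust policy decision point (added example)."""
from dataclasses import dataclass, replace

# Assumed RBAC table: resource -> (sensitivity tier, roles allowed to use it)
RESOURCE_POLICY = {
    "intranet-news": ("public", {"staff", "engineering", "finance"}),
    "wiki": ("internal", {"staff", "engineering", "finance"}),
    "payroll": ("sensitive", {"finance"}),
}
SENSITIVITY_RISK = {"public": 0, "internal": 10, "sensitive": 25}
MFA_RISK = {0: 20, 1: 5, 2: 0}  # 0 = password only, 1 = OTP, 2 = phishing-resistant


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    device_known: bool       # device enrolled with the organization
    device_compliant: bool   # endpoint health check passed (patched, AV running)
    mfa_level: int           # strongest factor presented in this session
    hour: int                # local hour of day, 0-23
    resource: str


def risk_score(req: AccessRequest) -> int:
    """Sum the risk signals named in the post; higher means riskier."""
    sensitivity, _ = RESOURCE_POLICY[req.resource]
    score = SENSITIVITY_RISK[sensitivity] + MFA_RISK[req.mfa_level]
    if not req.device_known:
        score += 30
    if not req.device_compliant:
        score += 30
    if req.hour < 6 or req.hour >= 22:   # outside assumed business hours
        score += 15
    return score


def decide(req: AccessRequest) -> tuple[str, int, str]:
    """Return (decision, score, reason); decision is allow, step_up or deny.
    Least privilege is checked first: no amount of authentication grants a
    role access to a resource its role may not use."""
    sensitivity, allowed_roles = RESOURCE_POLICY[req.resource]
    score = risk_score(req)
    if req.role not in allowed_roles:
        return "deny", score, f"role {req.role} has no entitlement to {req.resource}"
    if sensitivity == "sensitive" and not req.device_compliant:
        return "deny", score, "non-compliant device may not touch sensitive data"
    if score >= 60:
        return "deny", score, "risk score above deny threshold"
    if score >= 30:
        if req.mfa_level < 2:
            return "step_up", score, "elevated risk: reauthenticate with stronger MFA"
        return "allow", score, "elevated risk offset by phishing-resistant MFA"
    return "allow", score, "low risk"


def evaluate_session(requests: list[AccessRequest]) -> list[str]:
    """Continuous verification: every request in a session is re-decided;
    the session is cut at the first decision that is not 'allow'."""
    outcomes = []
    for req in requests:
        decision, _, _ = decide(req)
        outcomes.append(decision)
        if decision != "allow":
            break
    return outcomes


if __name__ == "__main__":
    # Constructed sample: a finance user on an enrolled, healthy laptop at 10:00.
    alice = AccessRequest("alice", "finance", True, True, 1, 10, "payroll")
    print(decide(alice))                                   # step_up: OTP only for payroll
    print(decide(replace(alice, mfa_level=2)))             # allow with smart card / FIDO
    print(decide(replace(alice, role="engineering")))      # deny: RBAC, regardless of MFA
    # Mid-session the device drops out of compliance: the next request is blocked.
    session = [replace(alice, mfa_level=2, resource="wiki"),
               replace(alice, mfa_level=2, resource="payroll", device_compliant=False),
               replace(alice, mfa_level=2, resource="wiki")]
    print(evaluate_session(session))                       # ['allow', 'deny']
```

Note what the user actually experiences: in the allow cases nothing is shown, the step-up appears only when a weak factor meets a sensitive resource, and the RBAC denial cannot be talked around with more authentication, which is the least-privilege point the post makes.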

Who’s Implementing Zero Trust?

Eighty-three percent of security and risk professionals say zero trust is an essential strategy for their organizations (Venture Beat), and as projected in 2022, eighty percent of enterprises planned to implement zero trust that year. Cloud-first zero-trust platforms have won most implementations because of the cost savings, speed, and scale they deliver over legacy systems (Venture Beat). Demand for endpoint security visibility and control grew faster than the market, leading all zero-trust priorities in 2022 (Venture Beat, https://venturebeat.com/security/zero-trust-trends-for-2022/). Now that the Biden administration has issued an executive order mandating zero trust for all governmental entities, many organizations follow suit. According to Gartner, zero-trust solutions will grow from $820 million in 2022 to $1.674 billion in 2025 (Instasafe).

How Does Zero Trust Work?

Implementing zero trust for your small to medium-sized business may require a pragmatic and scaled-down approach; you may need more money or time. Here are some suggested steps:

– First, perform an asset inventory of your network’s devices, servers, applications, and data.

– Implement the principle of least privilege to restrict user and system access.

– Implement multi-factor authentication (MFA) wherever possible.

– Use micro-segmentation to segment the network into smaller zones to limit lateral movement and contain potential threats.

– Enforce access controls for applications and data. Use access control lists (ACLs) or role-based access control (RBAC) to restrict access to specific resources.

– Use secure VPNs or Cloud Access Security Brokers (CASBs) for cloud applications to ensure all users and devices are authenticated before granting access to resources.

– Implement endpoint security measures, such as installing updates and patches, deploying anti-malware solutions, and configuring host-based firewalls.

– Set up basic logging and monitoring. Use cost-effective SIEM (Security Information and Event Management) solutions or open-source options.

– Train employees on best practices to reduce the risk of security incidents.

– Develop an incident response plan.

– Ensure that third-party vendors and contractors adhere to security best practices and align with your Zero Trust approach.

– Regularly review and update security policies and controls to keep up with security threats and adjust your security strategy.

These steps are cost- and time-efficient.

Types of Zero Trust Solutions

Three ways of achieving the complicated tracking of resources and users are:

– Endpoint agents.

– Combined behavioral detection and machine learning.

– Cloud-delivered, clientless, zero-trust platforms.

Endpoint Agents

Ivanti Neurons for Unified Endpoint Management (UEM) is an example of a self-healing endpoint solution. UEM uses AI-based agents installed on the endpoint with a firmware-embedded connection, so they cannot be deleted from a PC. If the self-aware agent detects a suspected or actual attack, it takes steps to thwart the intrusion. The endpoint shuts itself off, re-checks all OS and application versioning, then rebuilds itself with new software patches and firmware updates. Self-healing endpoints perform all these functions without human intervention.

Behavioral Scans and Threat Data

Microsoft Defender 365 is an example of the second type of zero-trust solution. It detects anomalies through behavioral-based scans and then uses machine learning to correlate threat data from emails, endpoints, users, and applications.

Cloud-based Zero Trust Solutions

Zscaler Zero Trust Exchange is an example of a cloud-based zero-trust solution. It provides secure access to applications, whether they are hosted in the cloud, data centers, or on-premises, by routing traffic through the Zscaler cloud platform. With the cloud option, implicit trust is removed from the tech stack, since that trust is a liability.

You Need to Educate Your Users

While zero trust aims to be transparent, your user education should still cover the importance of MFA or how to recognize phishing attempts.

Zero Trust and Cyber Insurance

Today, it’s unreasonable not to have cyber insurance. Zero trust can aid your organization by enforcing regulations and auditing compliance. Zero trust can help give you more affordable rates for cyber insurance by providing the insurer with more information about your cyber readiness and lowering your risk by getting ahead of where the vulnerabilities and potential attackers are.

Conclusion: You Need Help Configuring Zero Trust

To configure zero trust, your administrators need the proper tools for provisioning and de-provisioning user accounts, MFA, SSO, and authentication hardware like smart cards and dongles. Your admins must be alerted to account expiration, unused VPN accounts, the reuse of passwords, the location of remote workers, patch requirements, and which apps are installed on your remote and in-house systems. Integrating your legacy systems is part of this preparation.

Zero trust is designed to provide robust security without being intrusive or an inconvenience to the user, but your small-to-medium business (SMB) is cost-driven. You should look for a cybersecurity vendor who can assist with these measures. They should offer well-documented and secure APIs and consumption-based or subscription pricing.

While you don’t have to spend much money or encounter too much difficulty to implement zero trust, you should spend your valuable time with an expert security provider who can help you implement zero trust comprehensively and cost-effectively.

Scam map!

This is a pretty cool tool.
https://www.aarp.org/money/scams-fraud/tracking-map.html

You can search by scam keywords used, zip/location, type of scam, dates, or type of contact, or if the alert was from AARP users or law enforcement.

Similarly, the FTC’s Consumer Sentinel Network has this tool: https://public.tableau.com/app/profile/federal.trade.commission/viz/FraudandIDTheftMaps/FraudbyMetroArea

Clear your defaults

Over 50% of enterprise routers are not cleared of data before being resold. This includes sensitive information like login credentials. Make sure your router creds are not out on the dark web, vulnerable to reuse.

The first thing you should do when starting a new cyber position is an inventory of networking and computer assets. But this also should be an ongoing practice. What is not known becomes an attack vector. Then you’ll be the smart guy. Save yourself from embarrassment…and worse.

Job deposit check scam

Just wanted to touch on one scam that is making the rounds. Many users know the scams to do with sending money to anyone over the internet. But what if you are given a check from a potential employer, such as to buy equipment or work tools, to deposit? What could happen? I interviewed a Chase representative, who told me that he has had recent cases where someone would deposit the check and then the scammer would tell the victim to send on part of the money, or buy gift cards with it. Similarly, “reshipping scams” will ask you to send on a package or funds to another address.

Another such scam can make use of your bank tracking number.

From the FTC’s Consumer Advice:

“The check will bounce, and the bank will want you to repay the amount of the fake check.”

Another warning here is a request to send ID such as a driver’s license as part of pre-employment requirements.

It all goes to the age-old maxim “if it’s too good to be true, it probably is.”

Protecting your PC using Malwarebytes

It used to be that antivirus tools focused on Trojans, worms, and viruses. This AV software relied on strong signature-based detection and regularly-updated signatures. Newer AV software has added behavior-based protection against unknown threats.

Antimalware software now also focuses on exploit tools and off-the-cyber-shelf software used by malicious long-term threat actors (Advanced Persistent Threats) to maintain access over time and continue their exploit.

Continue reading “Protecting your PC using Malwarebytes”

Ransomware Timeline

Utilities and infrastructure, government agencies, hospitals and healthcare institutions, schools, food production and distribution industries–even ferry service to Martha’s Vineyard, all have been attacked by cybercriminals using ransomware, probably now the most used kind of exploit of network systems.

“Even as we speak there are thousands of attacks on all aspects of the energy sector and the private sector generally…it’s happening all the time,” said Energy Secretary Jennifer Granholm to CNN. Continue reading “Ransomware Timeline”

What in the World is a Penetration Test?

A penetration test is an agreed-upon simulated, offensive cybersecurity engagement that tests for vulnerabilities in the target’s systems. The red team is the offensive team and the defenders are the blue team. The organization being tested is looking for weaknesses in their systems. (Optionally, an organization may set up a purple team to support the engagement.)

In order to do a penetration test you need written permission with specific rules of engagement. You cannot deviate from the plan that is agreed upon. Even scanning the ports of the target system can throw up red flags for the responsible organization and can lead to legal trouble for you if not documented.

Though many red-team/blue-team exercises use in-house teams for both, an outside hacker can actually make some good money doing this. Some hackers make a career out of it. I’ve heard of a contract tester making $50,000 for one engagement, though in-house team members can make $140,000. There are even two certifications specifically for penetration testing, the Certified Ethical Hacker and PenTest+ certs.

Halo’s red team/blue team borrows from this concept: Spartan Showdown: Blue Team vs Red Team – YouTube

Defense in Depth

Layering security measures is called Defense in Depth. Though zero trust is the phrase of the day, defense-in-depth can be a complementary approach to security.

Preventive measures, such as file encryption, TLS encryption for websites, or protecting a certificate’s private key, guard against breaches of confidentiality.

Detective measures include intrusion detection/prevention systems (IDS/IPS) or other measures that alert you when there is an unauthorized intrusion on the network.

Recovery measures include backups and other measures to maintain resource availability. Whether daily, incremental, or full, you need a backup plan.

Continue reading “Defense in Depth”

What is the CIA Triad?

No, not the Yankee security agency; the CIA Security Triad is a model organizations can use to guide policies for their cyber and information security. CIA stands for Confidentiality, Integrity, and Availability. It’s also useful during the acquisition of new technology assets and data to guide policymaking.

Confidentiality – Keeping sensitive, confidential, or private information safe from unauthorized access. It’s common to categorize sensitive data by the potential for damage if the data is released or stolen in case of a security breach. The question of who needs what kind of access to the information should be a consideration. Organizations can set access control lists (ACLs), encryption, and permissions for systems, files, and folders.

Integrity – Protecting data from deletion, tampering, or modification by an authorized or unauthorized party. This includes mistaken but authorized changes. Data at rest (stored), in transit, or in use should be protected for consistency, accuracy, and trustworthiness.

Availability – Granting or refusing access to files, folders, and systems. The information the security measures protect should remain available despite hardware failures, system upgrades, or power outages. The security measures should be consistent and provide ready accessibility to authorized parties.

The difference between tech support and cybersecurity experts lies with CIA. Tech support can help with your availability (connection), but integrity and confidentiality are usually the domains of cyber.

Hacking Paywalls: You Only Thought You Needed To Subscribe

Note: This tutorial is for Chromium browsers, but the developer tools on other browsers are similar. Leave a question if you need help.

Just a brief introduction to this tutorial is needed. Web pages are text files that contain text and HTML. When you go to a website your browser downloads the HTML text file and you now have a copy of the page on your computer. The file also downloads copies of images, videos, and programming that are referenced inside the HTML. Each item on the page is in a box, which may be contained in other boxes and which may have boxes inside it as well. These items are called elements. With the developer tools in each browser you can edit your copy of the page to remove or change elements. If you refresh the page, it will return to the version you downloaded. Continue reading “Hacking Paywalls: You Only Thought You Needed To Subscribe”

Using Publicly-available Information To Learn More About A Target (Passive Footprinting)

Even a novice can research a target using publicly-available information. This is also called passive footprinting and there are numerous tools and commands to find this information: Continue reading “Using Publicly-available Information To Learn More About A Target (Passive Footprinting)”

First six months of 2022 hacks

Wired did a rundown of the first 6 months of major hacks:
https://www.wired.com/story/worst-hacks-breaches-2022

This part sounds concerning. For whom and for what reason was this attack carried out?
“This unauthorized release of personal information is unacceptable and falls far short of my expectations for this department,” state attorney general Rob Bonta said in a statement. “The California Department of Justice is entrusted to protect Californians and their data. We acknowledge the stress this may cause those individuals whose information was exposed. I am deeply disturbed and angered.”

CIS Security Controls Explained

When we talk about security controls we are talking about technical and operational steps and settings for preventing or minimizing attacks. The Center for Internet Security has listed 18 controls as critical. With them you can minimize the risk of data breaches and exfiltration, IP and ID theft, corporate espionage, privacy loss, and denial of service attacks, among other cybersecurity threats. Continue reading “CIS Security Controls Explained”

Pandemic Blues: the Clock is Ticking and the Hackers are Calling.

2021 was witness to a number of major cyberattacks: SolarWinds, Microsoft Exchange, Quanta, Colonial Pipeline, Kaseya, and Log4j. These attacks proved that food companies, utilities, supply chains and software providers could all be compromised. Cybercrime is up 600% since the pandemic began: Continue reading “Pandemic Blues: the Clock is Ticking and the Hackers are Calling.”

Bank cyber recommendations

A local bank sent out a newsletter about how relying on caller ID is no longer possible, since scammers can spoof phone numbers.

Also, watch out for callers impersonating a bank, credit card or other financial account representative. Don’t provide any PII or financial account information over the phone. Hang up and call your institution directly. Do not click any email links or texts if you don’t know if they are from who they say they are.

Watch out for scammers saying fraud has occurred and phone calls, texts, links or emails that try to get you to provide real information about your accounts. Don’t perform any sending or transferring of money by phone, text or email. Banks will never get you to transfer money to yourself.

  • Who are you sending money to?
  • Who are you talking to or emailing?
  • Avoid giving out PII or account details.
  • When in doubt, hang up and call your bank directly.
  • Avoid urgent requests for money or supposed account problems.