Job deposit check scam

Just wanted to touch on one scam that is making the rounds. Many users know the scams that involve sending money to someone over the internet. But what if a potential employer sends you a check to deposit, say to buy equipment or work tools? What could happen? I interviewed a Chase representative, who told me that he has had recent cases where someone deposits the check and the scammer then tells the victim to send on part of the money, or to buy gift cards with it. Similarly, “reshipping scams” ask you to forward a package or funds to another address.

Another such scam can make use of your bank tracking number.

From the FTC’s Consumer Advice:

“The check will bounce, and the bank will want you to repay the amount of the fake check.”

Another warning sign is a request to send a copy of your ID, such as a driver’s license, as part of the pre-employment requirements.

It all goes to the age-old maxim “if it’s too good to be true, it probably is.”

Protecting your PC using Malwarebytes

It used to be that antivirus tools focused on Trojans, worms, and viruses, relying on signature-based detection and regularly updated signature databases. Newer AV software adds behavior-based protection against threats that no signature yet covers.

Antimalware software now also targets exploit kits and off-the-shelf tooling used by long-term threat actors (advanced persistent threats, or APTs) to maintain access over time and keep operating inside a network.

Continue reading “Protecting your PC using Malwarebytes”

Ransomware Timeline

Utilities and infrastructure, government agencies, hospitals and healthcare institutions, schools, food production and distribution, even the ferry service to Martha’s Vineyard: all have been attacked by cybercriminals using ransomware, probably now the most common kind of attack on networked systems.

“Even as we speak there are thousands of attacks on all aspects of the energy sector and the private sector generally…it’s happening all the time,” said Energy Secretary Jennifer Granholm to CNN. Continue reading “Ransomware Timeline”

What in the World is a Penetration Test?

A penetration test is an agreed-upon, simulated offensive security engagement that tests for vulnerabilities in the target’s systems. The red team is the offensive side and the defenders are the blue team. The organization being tested is looking for weaknesses in its systems. (Optionally, an organization may set up a purple team to coordinate the two sides during the engagement.)

To do a penetration test you need written permission with specific rules of engagement, and you cannot deviate from the plan that was agreed upon. Even scanning the target’s ports can raise red flags at the organization responsible for the system and can lead to legal trouble for you if the activity was not authorized and documented.
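A scope gate is the practical form of “you cannot deviate from the plan”: every probe is checked against the written rules of engagement before the scanner runs, and refusals are recorded for the audit trail. This is an added example, not code from the original post or from any named tool; the networks, hostnames, exclusions and testing window are constructed placeholders, and in a real engagement they come from the signed authorization letter.

```python
"""Scope gate for a penetration test, driven by the written rules of engagement.

Added example, not code from the original post. The authorized networks,
hostnames, exclusions and testing window below are constructed placeholders;
the real values come from the signed authorization letter.
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class RulesOfEngagement:
    start: datetime                                # testing window, inclusive (UTC)
    end: datetime
    networks: list = field(default_factory=list)   # authorized CIDR ranges
    hostnames: set = field(default_factory=set)    # authorized DNS names
    excluded: list = field(default_factory=list)   # carve-outs inside those ranges
    ports: Optional[set] = None                    # None = any port is allowed

    def in_window(self, now: datetime) -> bool:
        return self.start <= now <= self.end

    def host_allowed(self, target: str) -> bool:
        """True only if the target is an authorized address/name and not excluded."""
        if target in self.hostnames:
            return True
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:
            return False             # an unlisted hostname is out of scope
        if any(ip in ipaddress.ip_network(ex) for ex in self.excluded):
            return False             # explicit exclusions win over ranges
        return any(ip in ipaddress.ip_network(net) for net in self.networks)


def check_scope(roe: RulesOfEngagement, target: str, port: int, now: datetime):
    """Return (allowed, reason) for one probe; the reason goes in the audit log."""
    if not roe.in_window(now):
        return False, "outside the agreed testing window"
    if not roe.host_allowed(target):
        return False, f"{target} is not in the authorized scope"
    if roe.ports is not None and port not in roe.ports:
        return False, f"port {port} is not authorized"
    return True, "ok"


def scan_plan(roe, probes, now):
    """Split (host, port) probes into those the scanner may run and those refused."""
    allowed, refused = [], []
    for host, port in probes:
        ok, reason = check_scope(roe, host, port, now)
        (allowed if ok else refused).append((host, port, reason))
    return allowed, refused


def example_roe() -> RulesOfEngagement:
    # Constructed scope: hypothetical values using documentation address ranges.
    return RulesOfEngagement(
        start=datetime(2024, 1, 8, 0, 0, tzinfo=timezone.utc),
        end=datetime(2024, 1, 12, 23, 59, tzinfo=timezone.utc),
        networks=["10.0.0.0/24"],
        hostnames={"app.example.test"},
        excluded=["10.0.0.5"],       # e.g. a production database the client carved out
        ports={22, 80, 443},
    )


def plan_for_example():
    """Run the constructed probe list through the constructed scope."""
    now = datetime(2024, 1, 9, 12, 0, tzinfo=timezone.utc)
    probes = [("10.0.0.10", 443), ("10.0.0.5", 22), ("10.0.1.10", 80),
              ("10.0.0.10", 8080), ("app.example.test", 443)]
    return scan_plan(example_roe(), probes, now)


if __name__ == "__main__":
    allowed, refused = plan_for_example()
    print("run   :", allowed)
    print("refuse:", refused)
```

Exclusions are checked before the authorized ranges so that a carve-out inside an otherwise authorized /24 is never scanned, and an unlisted hostname is refused rather than resolved, since resolving it would itself be an unauthorized probe.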

Though many red-team/blue-team exercises use in-house teams for both sides, an outside hacker can make good money doing this, and some hackers make a career of it. I’ve heard of a contract tester making $50,000 for one engagement; in-house team members can make $140,000. There are even two certifications specifically for penetration testing, the Certified Ethical Hacker (CEH) and PenTest+ certs.

Halo’s red team/blue team borrows from this concept: Spartan Showdown: Blue Team vs Red Team – YouTube

Defense in Depth

Layering security measures is called defense in depth. Though zero trust is the phrase of the day, defense in depth can be a complementary approach rather than a competing one.

Preventive measures stop a breach before it happens; for confidentiality, for example, that means file encryption, TLS for websites, or protecting a certificate’s private key.

Detective measures include intrusion detection and prevention systems (IDS/IPS) and other controls that alert you when there is unauthorized activity on the network.

Recovery measures include backups and other controls that maintain the availability of resources. Whether full or incremental, daily or less often, you need a backup plan.
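To make the “detective” layer concrete, here is a small detection routine of the kind an IDS runs: it reads firewall log lines and alerts when one source touches many different ports on one host within a short window, which is the signature of a port scan. This is an added example, not code from the original post or from any IDS product; the log format and the sample lines are constructed, and LINE_RE would need to be adapted to a real firewall’s output.

```python
"""Detective control: flag port scans in firewall log lines.

Added example, not code from the original post. The log format and the sample
lines are constructed for illustration; change LINE_RE to match your firewall.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed format: "<ISO-8601 time> <ALLOW|DENY> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# Constructed sample: one fast scan, normal HTTPS traffic, one slow two-port
# probe, and a malformed line the parser must skip.
SAMPLE_LOG = """\
2024-01-09T10:00:01 DENY src=203.0.113.7 dst=10.0.0.10 dport=21
2024-01-09T10:00:01 DENY src=203.0.113.7 dst=10.0.0.10 dport=22
2024-01-09T10:00:01 DENY src=203.0.113.7 dst=10.0.0.10 dport=23
2024-01-09T10:00:02 DENY src=203.0.113.7 dst=10.0.0.10 dport=25
2024-01-09T10:00:02 DENY src=203.0.113.7 dst=10.0.0.10 dport=53
2024-01-09T10:00:02 ALLOW src=203.0.113.7 dst=10.0.0.10 dport=80
2024-01-09T10:00:03 DENY src=203.0.113.7 dst=10.0.0.10 dport=110
2024-01-09T10:00:03 DENY src=203.0.113.7 dst=10.0.0.10 dport=143
2024-01-09T10:00:03 ALLOW src=203.0.113.7 dst=10.0.0.10 dport=443
2024-01-09T10:00:04 DENY src=203.0.113.7 dst=10.0.0.10 dport=445
2024-01-09T10:00:04 DENY src=203.0.113.7 dst=10.0.0.10 dport=3389
2024-01-09T10:00:05 DENY src=203.0.113.7 dst=10.0.0.10 dport=8080
2024-01-09T10:00:01 ALLOW src=198.51.100.4 dst=10.0.0.10 dport=443
2024-01-09T10:00:07 ALLOW src=198.51.100.4 dst=10.0.0.10 dport=443
2024-01-09T10:00:09 ALLOW src=198.51.100.4 dst=10.0.0.10 dport=443
2024-01-09T10:00:10 DENY src=192.0.2.9 dst=10.0.0.20 dport=22
2024-01-09T10:05:10 DENY src=192.0.2.9 dst=10.0.0.20 dport=80
this line is not in the expected format
"""


def parse_log(text):
    """Yield one event dict per well-formed line; silently skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {"ts": datetime.fromisoformat(m["ts"]), "action": m["action"],
                   "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def detect_port_scans(events, distinct_ports=10, window_seconds=60):
    """Alert when one source touches >= distinct_ports different ports on one
    destination within window_seconds. ALLOW and DENY both count: a scan that
    finds open ports is still a scan."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append((e["ts"], e["dport"]))
    alerts = []
    for (src, dst), hits in by_pair.items():
        hits.sort()                                     # logs are not always in time order
        window, in_window = deque(), defaultdict(int)   # port -> hits inside the window
        for ts, port in hits:
            window.append((ts, port))
            in_window[port] += 1
            while (ts - window[0][0]).total_seconds() > window_seconds:
                _, old_port = window.popleft()          # slide the window forward
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
            if len(in_window) >= distinct_ports:
                alerts.append({"src": src, "dst": dst, "ports": sorted(in_window),
                               "first": window[0][0], "last": ts})
                break                                   # one alert per source/destination pair
    return alerts


def analyze(text=SAMPLE_LOG, **thresholds):
    return detect_port_scans(parse_log(text), **thresholds)


if __name__ == "__main__":
    for a in analyze():
        print(f"port scan: {a['src']} -> {a['dst']} {len(a['ports'])} ports "
              f"between {a['first'].time()} and {a['last'].time()}")
```

The thresholds are the whole game: the slow probe from 192.0.2.9 (two ports five minutes apart) is invisible at a 60-second window and only shows up when the window is widened, which is exactly how low-and-slow scans evade naive detection, and why this layer is backed by the preventive and recovery layers rather than trusted alone.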

Continue reading “Defense in Depth”

What is the CIA Triad?

No, not the Yankee security agency; the CIA security triad is a model organizations can use to guide their cyber and information security policies. CIA stands for Confidentiality, Integrity, and Availability. It is also a useful guide to policy when acquiring new technology assets and data.

Confidentiality – Keeping sensitive, confidential, or private information safe from unauthorized access. It’s common to categorize sensitive data by the potential for damage if it were released or stolen in a breach. Who needs what kind of access to the information should be a deliberate decision. Organizations enforce this with access control lists (ACLs), encryption, and permissions on systems, files, and folders.

Integrity – Preventing deletion, tampering, or modification of data by unauthorized parties, and also mistaken changes by authorized ones. Data at rest (stored), in transit, and in use should be protected for consistency, accuracy, and trustworthiness.

Availability – Ensuring that authorized parties can reach files, folders, and systems when they need them. The information that security measures protect should remain available despite hardware failures, system upgrades, or power outages, and the measures themselves should be consistent and not get in the way of legitimate access.

The difference between tech support and cybersecurity experts lies in the CIA triad. Tech support can help with your availability (connection), but integrity and confidentiality are usually the domain of cybersecurity.

Hacking Paywalls: You Only Thought You Needed To Subscribe

Note: This tutorial is for Chromium browsers, but the developer tools on other browsers are similar. Leave a question if you need help.

Only a brief introduction to this tutorial is needed. Web pages are text files containing text and HTML markup. When you go to a website your browser downloads that HTML file, so you now have a copy of the page on your computer. The browser also downloads copies of the images, videos, and scripts that the HTML references. Each item on the page sits in a box, which may be inside other boxes and may have boxes inside it; these items are called elements. With the developer tools in each browser you can edit your copy of the page to remove or change elements. If you refresh the page, it goes back to the version you downloaded. Continue reading “Hacking Paywalls: You Only Thought You Needed To Subscribe”
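The same edit you make by hand in the element inspector can be done to the downloaded copy programmatically, which makes the “boxes inside boxes” point concrete: dropping one element means dropping everything nested inside it, and nothing else. This is an added example, not code from the original post; the sample page and the element names in it (an id of “paywall-overlay”, a class of “article-body”) are constructed, and on a real site the inspector is what tells you which names to use.

```python
"""Strip an overlay element and 'hidden' inline styles from a local copy of a page.

Added example, not code from the original post. The sample page and the element
names (id "paywall-overlay", class "article-body") are constructed; real sites
use different names, which is what the browser's element inspector reveals.
"""
import html
from html.parser import HTMLParser

# Elements that never have a closing tag; they must not change nesting depth.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}
# Inline CSS properties commonly used to hide content or lock scrolling.
HIDING_PROPS = {"display", "visibility", "overflow"}

# Constructed sample page: a modal overlay, a free first paragraph, and the
# rest of the article present in the HTML but hidden with display: none.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head><title>Sample article</title></head>
<body style="overflow: hidden; margin: 0">
<div id="paywall-overlay" class="modal"><div class="inner"><p>Subscribe to keep reading</p><br/><button>Subscribe</button></div></div>
<article><p>The first paragraph is shown for free.</p>
<div class="article-body" style="display: none; color: black"><p>The rest of the article &amp; its conclusion.</p></div></article>
</body></html>"""


class OverlayStripper(HTMLParser):
    """Re-emits the document, dropping chosen elements and hiding styles."""

    def __init__(self, drop_ids, drop_classes):
        super().__init__(convert_charrefs=False)   # pass &amp; etc. through unchanged
        self.drop_ids, self.drop_classes = set(drop_ids), set(drop_classes)
        self.out = []
        self.skip_depth = 0        # > 0 while inside an element being dropped

    def _should_drop(self, attrs):
        classes = set((attrs.get("class") or "").split())
        return attrs.get("id") in self.drop_ids or bool(classes & self.drop_classes)

    @staticmethod
    def _clean_style(value):
        # Keep every declaration except the ones that hide content or lock scroll.
        kept = []
        for decl in value.split(";"):
            prop = decl.split(":", 1)[0].strip().lower()
            if decl.strip() and prop not in HIDING_PROPS:
                kept.append(decl.strip())
        return "; ".join(kept)

    def _fmt(self, attrs):
        parts = []
        for k, v in attrs:
            if k == "style" and v:
                v = self._clean_style(v)
                if not v:
                    continue       # nothing left in the style attribute
            parts.append(f" {k}" if v is None else f' {k}="{html.escape(v, quote=True)}"')
        return "".join(parts)

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag not in VOID_TAGS:
                self.skip_depth += 1
            return
        if self._should_drop(dict(attrs)):
            if tag not in VOID_TAGS:
                self.skip_depth = 1
            return
        self.out.append(f"<{tag}{self._fmt(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        if not self.skip_depth and not self._should_drop(dict(attrs)):
            self.out.append(f"<{tag}{self._fmt(attrs)}/>")

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if self.skip_depth:
            self.skip_depth -= 1
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip_depth:
            self.out.append(f"&#{name};")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def strip_overlay(page, drop_ids=("paywall-overlay",), drop_classes=()):
    """Return a copy of `page` without the dropped elements or hiding styles."""
    p = OverlayStripper(drop_ids, drop_classes)
    p.feed(page)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    print(strip_overlay(SAMPLE_PAGE))
```

The caveat a practitioner will want: this only works when the article text is actually in the downloaded copy. Sites that enforce the paywall server-side never send the rest of the article, and then there is nothing in your local copy to unhide.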

Using Publicly-available Information To Learn More About A Target (Passive Footprinting)

Even a novice can research a target using publicly-available information. This is also called passive footprinting and there are numerous tools and commands to find this information: Continue reading “Using Publicly-available Information To Learn More About A Target (Passive Footprinting)”

First six months of 2022 hacks

Wired did a rundown of the first 6 months of major hacks:

This part sounds concerning. For whom and for what reason was this attack carried out?
“This unauthorized release of personal information is unacceptable and falls far short of my expectations for this department,” state attorney general Rob Bonta said in a statement. “The California Department of Justice is entrusted to protect Californians and their data. We acknowledge the stress this may cause those individuals whose information was exposed. I am deeply disturbed and angered.”

CIS Security Controls Explained

When we talk about security controls we mean the technical and operational steps and settings that prevent or minimize attacks. The Center for Internet Security (CIS) has listed 18 controls as critical. With them you can reduce the risk of data breaches and exfiltration, intellectual property and identity theft, corporate espionage, privacy loss, and denial-of-service attacks, among other cybersecurity threats. Continue reading “CIS Security Controls Explained”

Pandemic Blues: the Clock is Ticking and the Hackers are Calling.

2021 saw a number of major cyberattacks: SolarWinds, Microsoft Exchange, Quanta, Colonial Pipeline, Kaseya, and Log4j. These attacks showed that food companies, utilities, supply chains and software providers can all be compromised. Cybercrime is up 600% since the pandemic began: Continue reading “Pandemic Blues: the Clock is Ticking and the Hackers are Calling.”

Bank cyber recommendations

A local bank sent out a newsletter about how caller ID can no longer be relied on: scammers can spoof phone numbers.

Also watch out for callers impersonating a bank, credit card, or other financial account representative. Don’t give out any PII or financial account information over the phone; hang up and call your institution directly. Don’t click links in emails or texts unless you know they are from who they claim to be.

Watch out for scammers claiming that fraud has occurred, and for phone calls, texts, links or emails that try to get you to provide real information about your accounts. Don’t send or transfer money in response to a phone call, text or email. A bank will never ask you to transfer money to yourself.

  • Who are you sending money to?
  • Who are you talking to or emailing?
  • Avoid giving out PII or account details.
  • When in doubt, hang up and call your bank directly.
  • Avoid urgent requests for money or supposed account problems.

Don’t think it can’t happen to you. What’s at risk?

You may not want to address cybersecurity, thinking it can’t happen to you. But it can. You hear about the big companies hit with a cyberattack, but thousands of attacks are happening right now. Sixty-seven percent of SMBs with fewer than 1,000 employees have experienced a cyberattack, and fifty-eight percent have been hit with a data breach. An attack will affect everything you do, and more than likely (60% of SMBs) lead to bankruptcy within a year.

Everything you’ve worked for and love.

Finances are the thing that you as a business owner are, rightly, most concerned about. Even if your company doesn’t end up bankrupt, it could be saddled with immense costs, possible fines, and lawsuits over a data breach. Day-to-day operations that could be disrupted include employee workflows, customer service, and regulatory and compliance obligations.

Your plans for the future could also be threatened. You saw a vision for the future, attracting new customers, generating new business and creating a well-known brand. Your reputation could be damaged.

Growth also depends on improving employee communication, performance, motivation and cyber savvy, and you can’t attract new, diverse talent to a company with a bad reputation.

Over 92% of cyberattacks start with email. It may be a careless employee who puts your business at risk by clicking a phishing link or falling for an email scam. That means you know how to stop most attacks: cyber education for your employees.

You need to prepare. Fight for what you love and have built.

Wizard Spider call centers

On the dark web you can buy call center services and bot armies that are amazing in scope (“hundreds of millions of dollars in assets... The group’s extraordinary profitability allows its leaders to invest in illicit research and development initiatives,” the researchers say. “Wizard Spider is fully capable of hiring specialist talent, building new digital infrastructure, and purchasing access to advanced exploits.”).

It is impressive. Wizard Spider also leverages business email compromise (BEC).


Funny passwords!

As a system admin you need to be on the lookout for people who make these. “[T]here were 1,862 data breaches in 2021 — a 68% increase over breaches in 2020. And, new year-over-year results indicate a fast start to data breaches in 2022, as more than 90% of data breaches are cyberattack-related.”
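Being “on the lookout” scales better as a check at set-password time than as a periodic audit. The routine below is an added example, not code from the original post or from any product: it canonicalizes a candidate (drops the trailing “2024!”, undoes common leet-speak) and rejects anything on a blocklist, anything containing the username or organization name, and obvious repeats and keyboard runs. The blocklist here is a constructed stand-in for a real breached-password list.

```python
"""Reject 'funny' and otherwise weak passwords when they are set.

Added example, not code from the original post. BANNED is a constructed
stand-in for a real breached-password list; use a full one in production.
"""
import re

# Constructed blocklist (a real deployment loads a breached-password list).
BANNED = {"password", "123456", "qwerty", "letmein", "welcome", "admin",
          "iloveyou", "monkey", "dragon", "football"}

# Common leet-speak substitutions, undone before blocklist matching.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Keyboard and counting runs that people use as "random" filler.
SEQUENCES = re.compile(r"0123|1234|2345|3456|4567|5678|6789|abcd|qwer|asdf|zxcv")


def normalize(pw: str) -> str:
    """Canonical form for blocklist matching: drop trailing digits/punctuation
    ('Welcome2024!' -> 'Welcome'), then lowercase and undo leet-speak."""
    base = re.sub(r"[\d\W_]+$", "", pw)
    return base.lower().translate(LEET)


def check_password(pw: str, username: str = "", org: str = "", min_len: int = 12):
    """Return a list of reasons to reject `pw`; an empty list means accepted."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if normalize(pw) in BANNED or pw.lower() in BANNED:
        reasons.append("matches a banned/common password")
    for label, ctx in (("username", username), ("organization name", org)):
        if ctx and len(ctx) >= 3 and ctx.lower() in pw.lower():
            reasons.append(f"contains {label}")
    if re.fullmatch(r"(.)\1*", pw):
        reasons.append("single repeated character")
    if SEQUENCES.search(pw.lower()):
        reasons.append("keyboard or counting sequence")
    return reasons


if __name__ == "__main__":
    # Constructed candidates, with a hypothetical user 'jsmith' at 'Acme'.
    for candidate in ["P@ssw0rd123!", "Acme2024!", "correct horse battery staple"]:
        verdict = check_password(candidate, username="jsmith", org="Acme")
        print(f"{candidate!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

Blocklist checking against known-breached passwords is what NIST SP 800-63B recommends in place of composition rules; the normalization step is what stops “P@ssw0rd123!” from sailing past a list that only contains “password”.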

Mailchimp: the hack, the user education?

This one took some time: about 300 accounts were compromised, and personal information was pulled out through them. The attackers used social engineering and then went after Mailchimp client Trezor. Here is a corporate policy that recommends exactly what they were hit with.

Took some planning:

“The phishing application is a cloned version of Trezor Suite with very realistic functionality, and also included a web version of the app,” the crypto wallet company wrote in a blog post.

As usual, some irony drips off this one when compared to the recommendations on their help site:

“You received an unexpected email from Mailchimp staff or service teams. This may include forgot username emails or password reset emails you didn’t request…For an extra layer of security, we encourage you to set up two-factor authentication with SMS or a two-factor authentication app”

Cyber recommendations for wartime

Saw these recommendations for cyber today. Organizations should be vigilant about the evergreen practices: train employees about phishing and social engineering, give users only the permissions they need, scan for vulnerabilities, and lock down ports you don’t use. But it adds two more: clean up old accounts (a job for admins), and resist trying out new security measures in the middle of a crisis.

Four key cybersecurity practices during geopolitical upheaval | Malwarebytes Labs

CISA has also put out some recommendations: Shields Up | CISA