
Florida Information Protection Act of 2014

Florida Governor Rick Scott Attends Bill Signing

Governor Rick Scott signed the Florida Information Protection Act of 2014 on June 20.  It goes into effect July 1, 2014.

The new law has been described by legal analysts as the broadest and most encompassing data protection law in the United States.

FIPA requires companies to take reasonable measures to protect the covered electronic data of Floridians.  It also requires notifications to individuals of any security breaches involving their information.  While those provisions are similar to data breach laws in other states, FIPA defines covered personal information differently.

In addition to the usual sensitive records (medical, social security numbers, and credit cards), FIPA includes a username and password that provides a login to an online service.

Should a breach occur, the organization has 30 days to notify affected individuals once the breach has been discovered.  Any breach involving 500 or more individuals requires notifying the Florida Department of Legal Affairs, which will require a full breach investigation report and evidence, along with copies of applicable policies and procedures.

Companies will need to be aware of the provisions within the Florida Information Protection Act of 2014 to ensure they don’t find themselves out of compliance.

More information can be found here:

http://www.cfjblaw.com/florida-legislature-unanimously-passes-florida-information-protection-act-05-12-2014/

http://www.flsenate.gov/Session/Bill/2014/1524/?Tab=BillText

Defender’s Advantage Series – An Introduction

The Defenders certainly have the advantage here.

During my (informative and rewarding) time in the Air Force, I was fortunate enough to take some military strategy courses.  One of the main tenets of military strategy (borne out over 5000 years of human combat) is the notion of “Defender’s Advantage”, which essentially states that a defender force will be able to hold off an invading force up to 3 times its size.  Which makes sense: if you are the defender, you know the terrain, have time to prepare defense fortifications, and can stock up on supplies.  But in information security, it seems like anything but a Defender’s Advantage.

It’s a curious reversal of a time-honored maxim.  Time and again we see large organizations completely defeated by small groups of electronic attackers. Why does the defender’s advantage disappear in the information security world?

Let me be very clear: I do not at all mean to trivialize war and physical violence by comparing them with IT security; there is a clear distinction.  OK, let’s press on!

Perhaps the nature of electronic attacks is better modeled after guerilla-style warfare.  In guerilla warfare, the smaller attackers look to harass and cause specific impacts against the larger force, using their agility to their benefit.  Prized resources are targeted for destruction or theft, with the goal being to disrupt the operations of the larger force.

George Washington employed guerilla tactics during the Revolutionary War to counter the advantages the British possessed.

Even so, there is plenty of work on strategies and tactics to handle this type of “asymmetric warfare”.  So the question remains, why don’t we see an inherent advantage towards the defender?

Seize the Advantage #1 – Know the Terrain

Do you know all the devices on your network and how they connect?

This is probably the biggest area for improvement in most organizations.  It’s important to know exactly what systems are connected to your enterprise, how they are connected, what they do, and who uses them.

  • Conduct regular inventories of all systems connected to the network
  • Implement a vulnerability management program
  • Documentation on your network should be up-to-date and available (perhaps in an offline fashion as well)

Seize the Advantage #2 – Decide Who Gets In and Out


A standard model of preventing attacks before they happen necessitates blocking malicious traffic on its way into your network.  Of course, that method is not a reliable method for defending a network, although the majority of the attention (and budget) goes there.  In reality, we need to use a model where we prevent as much of the obviously malicious traffic as we can, and then start watching for traffic that is leaving our network.

The truly dangerous attacks usually require outbound access from the network, either to send home the stolen loot, or to check in with the mothership and ask for new instructions. Fans of the kill-chain model (myself included) will recognize this as either the Command and Control or Action stages, and know that this is where the majority of malware is detected and thwarted.

Within the context of the Defender’s Advantage, we need to ensure we are completely leveraging the control that we can assert over the entry and exit points of the network.  We should be monitoring and blocking the outbound traffic just as much as the inbound traffic.

  • Firewalls should have outbound access-control entries configured too – set them up and monitor them!
  • Whenever possible, use a proxy or content filter capable device to control the traffic that does leave your network
  • Monitor outbound DNS requests
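One way to act on the "monitor outbound DNS requests" item, as an added example that is not part of the original post: group queries by client and parent domain and flag clients sending many long, random-looking names to a single domain. The log format, the thresholds, and the two-label parent-domain shortcut are assumptions made for this illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict


def build_sample_log():
    """Constructed resolver log, one query per line: '<epoch> <client> <qname> <qtype>'."""
    lines = []
    t = 1403600000
    # Ordinary lookups from one workstation.
    for name in ("www.example.com", "mail.example.com", "www.example.com"):
        lines.append(f"{t} 10.0.4.21 {name} A")
        t += 7
    # Many distinct but short, readable names under one domain (CDN-style, benign).
    for i in range(8):
        lines.append(f"{t} 10.0.4.21 img{i}.cdn.example.net A")
        t += 1
    # Long, random-looking labels under one domain: data encoded into query names.
    for i in range(6):
        label = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:40]
        lines.append(f"{t} 10.0.4.37 {label}.example.org TXT")
        t += 2
    return "\n".join(lines)


def shannon_entropy(text):
    """Bits per character of the empirical character distribution."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def parent_domain(qname):
    # Assumption: the last two labels are the registered domain.
    # A production version would consult the Public Suffix List.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def subdomain(qname):
    return ".".join(qname.rstrip(".").lower().split(".")[:-2])


def find_suspicious(log_text, min_unique=5, min_avg_len=20, min_entropy=3.0):
    """Return one finding per (client, parent domain) that looks like encoded data in DNS."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:          # skip malformed lines instead of failing
            continue
        _, client, qname, _ = parts
        sub = subdomain(qname)
        if sub:
            seen[(client, parent_domain(qname))].add(sub)

    findings = []
    for (client, domain), subs in sorted(seen.items()):
        if len(subs) < min_unique:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        # Require both length and randomness so busy CDNs are not flagged.
        if avg_len >= min_avg_len and avg_entropy >= min_entropy:
            findings.append({
                "client": client,
                "domain": domain,
                "unique_names": len(subs),
                "avg_length": round(avg_len, 1),
                "avg_entropy": round(avg_entropy, 2),
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(build_sample_log()):
        print(finding)
```

The thresholds need tuning against your own resolver logs before the output is worth alerting on.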

Seize the Advantage #3 – Segmentation and Depth

Lots of defenses the bad guys have to deal with… assuming no one on the inside opens the door for them.

Getting back to our martial metaphor (and alliteration too, my English teachers would be so proud!), guerrilla warfare tends to be waged against the isolated outposts of the larger organization.  This occurs for a number of reasons, mostly because the outposts tend to be less well defended, are closer to the attacking guerrilla force, and enable the guerrilla force to be successful without having to overextend their time and resources attacking a deeper target.

In the case of designing our network, we need to provide ourselves with some segmentation and depth in our networks to ensure that getting to the principal resources is as costly and expensive for the opponent as possible.  That is not to say it makes the process impossible; it just means that we give ourselves a few more hops to monitor, and make the attacker work a little harder (and a little longer).

Seize the Advantage #4 – Build Your Own Robot Army


If you read our review of the Verizon DBIR we posted earlier this year, you’ll remember that attackers go from initial compromise to data exfiltration in minutes or hours.  They’ve found a way to leverage automation to their advantage.  Let’s take a cue from these (highly successful and extremely detestable) folks, and do the same thing ourselves!

So what do you need to start your own robot army? Well, first you’re going to need:

  • A log management solution (or a SIEM)
  • Detailed and complete network inventory
  • An action platform (you’re going to need a way to respond and execute commands)

When we start working on automating-for-good, it’s important to realize I’m not necessarily talking about automating an end-to-end action (although that would be awesome!).  Start by automating components of the security operations.  Let’s say you have an alert from your IPS that opens a priority 1 ticket.  When your team goes to respond to that alert, do they have all the information they need to make a decision, or do they have to go into hunting mode?  Why not have all of that information available in the ticket?  Snag the firewall logs associated with the alert, grab the AV and system logs for the target for that time frame, and put all that together in one place.  Now instead of logging in and tracking down enough information to investigate, we skip right to the part where the human does what humans do best: make a decision.

As you automate portions of these activities, you may find that the decisions being made can be pretty easily automated as well.  Maybe 90% of the alerts follow a pattern that indicates no issues.  Go ahead and automate that, and only alert for the outliers.  I can’t imagine a security engineer in the world who wouldn’t welcome a 90% reduction in P1 alerts.
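The enrichment and triage steps described above, as an added example that is not part of the original post: pull the firewall, AV and system log lines for the alert's target within a time window into the ticket, then close only the alerts whose context matches a known no-issue pattern. The log formats, host addresses, and the triage rule itself are assumptions made for this illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed log lines. Every line starts with a timestamp in FMT.
SOURCES = {
    "firewall": [
        "2014-06-24 10:14:58 DENY 203.0.113.9 10.0.2.15 445",
        "2014-06-24 10:15:02 DENY 203.0.113.9 10.0.2.15 445",
        "2014-06-24 11:40:10 ALLOW 198.51.100.7 10.0.2.30 80",
        "2014-06-24 11:40:45 ALLOW 10.0.2.30 198.51.100.7 8080",
    ],
    "antivirus": [
        "2014-06-24 09:00:00 10.0.2.15 SCAN_CLEAN -",
        "2014-06-24 11:41:03 10.0.2.30 DETECTED Trojan.Generic upd.exe",
    ],
    "system": [
        "2014-06-24 11:41:10 10.0.2.30 service-install name=updsvc",
    ],
}


def relevant(line, target, center, window):
    """True if the line mentions the target host and falls inside the time window."""
    stamp = datetime.strptime(line[:19], FMT)
    # Compare whole tokens so 10.0.2.3 does not match 10.0.2.30.
    return abs(stamp - center) <= window and target in line[20:].split()


def enrich(alert, sources, window_minutes=5):
    """Build the ticket: the alert plus every related log line, grouped by source."""
    center = datetime.strptime(alert["time"], FMT)
    window = timedelta(minutes=window_minutes)
    context = {
        name: [l for l in lines if relevant(l, alert["target"], center, window)]
        for name, lines in sources.items()
    }
    return {"alert": alert, "context": context}


def triage(ticket):
    """Assumed no-issue pattern: the firewall saw the traffic, denied all of it,
    and AV reported no detection on the target. Anything else goes to a human."""
    firewall = ticket["context"]["firewall"]
    allowed = [l for l in firewall if l.split()[2] == "ALLOW"]
    detections = [l for l in ticket["context"]["antivirus"] if "DETECTED" in l.split()]
    if firewall and not allowed and not detections:
        return "auto-close"
    # Missing firewall context is treated as unknown, not as safe.
    return "escalate-P1"


def handle(alert, sources=SOURCES):
    ticket = enrich(alert, sources)
    return triage(ticket), ticket


if __name__ == "__main__":
    alerts = [
        {"time": "2014-06-24 10:15:00", "target": "10.0.2.15", "signature": "SMB probe"},
        {"time": "2014-06-24 11:40:30", "target": "10.0.2.30", "signature": "Exploit kit landing page"},
    ]
    for alert in alerts:
        decision, ticket = handle(alert)
        print(decision, alert["signature"])
        for source, lines in ticket["context"].items():
            for line in lines:
                print(f"    [{source}] {line}")
```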

We’re going to expand on each of these sections in the next few posts.  Time to go reclaim the advantage.

Stay safe out there.  And thanks for reading!

Securing Your Cloud Services – Watch that admin console!

New take on an old joke: If a cloud service is hacked and no one is around, does it make a sound?

We’re living in a golden age of disruptive technologies, not the least of which is the rise of the “cloud”.  Cloud computing is one of those terms that varies based on your perspective, so for the sake of our discussion today, we’re going to break it down to the basics:  There is no cloud, only other people’s computers.  Cloud is a nifty way to sell tiny slices of those computers’ resources, like storage and computing.  That’s really all it is.  But make no mistake, it’s someone else’s computer running with your data.

There are tremendous advantages to be gained from leveraging these services, without a doubt.  The flexibility to pay for what you use, to scale up or down as necessary, to avoid capital expenses related to hardware and software, the redundancy and DR capabilities, the ubiquitous Internet access, all awesome things.  We’re just going to take a look at how you can leverage these technologies safely.

Administrative Controls

Virtually every public cloud service provides you, the subscriber, with access to an administrative portal, usually a web application, where all of the administrative functions happen.  Which makes sense, because you are using someone else’s computers after all, so they need to give you control over just your stuff.

May or may not be the actual control panel for modern cloud services….

How do you prevent unauthorized actions within this portal?

Well, usually the group of people designated as “admins” are given access to the portal, usually secured with a username and password.  So technically they are the only people with access.  Unless their password is easily guessable.  Or they are victims of a phishing attack and disclose it.  Or if it’s the password they use everywhere, and one of their other accounts is compromised.  Oh, or if an attacker installs a key-logger on their system.  Or if they log in from an unprotected wireless network.

Yeah, I know, the whole password thing isn't great...

Maybe your cloud provider has a two factor authentication solution you can utilize.  That would help.  Some private cloud service providers (including EI’s Cloud+) don’t even expose the admin console to the Internet to provide additional security.

Of course, if this system were hosted in our own data center, we would find a way to monitor that kind of login activity, both to look for patterns of brute-forcing attempts and to catch login attempts from unusual locations (someplace in Asia, let’s say).  Unfortunately, most cloud providers do not provide the ability to log this type of data, and certainly not in anything like the real-time fashion we have grown accustomed to.

What this basically means is that the detective parts of your controls go out the window, and you are left with hoping that the authentication controls are sufficient.

Consider the case of Code Spaces, a service providing hosting for teams to collaborate on software projects.  Their entire business was built using cloud services (in this case, Amazon’s Infrastructure as a service offering).  Late on a Tuesday, the Code Spaces team realized they were the target of a massive distributed Denial of Service (DDoS) attack.  The Code Spaces team was able to reach out to the attacker, who demanded a ransom to stop the attack.  How did the Code Spaces team know how to contact the attacker?  Because the attacker left their contact details inside of the admin dashboard of their Amazon account!

Realizing that the attacker had access to their control panel, they began to attempt to regain control over all of their accounts, but the attacker had created a few additional accounts, and started deleting everything inside of the Code Spaces account.  Everything.  All of the virtual machines, all of the virtual machine snapshots, all of the storage, and all of the backups.

Really easy to delete things unfortunately....

Code Spaces had touted their ability to protect customer data from catastrophic events as one of their main selling points.  To be fair, they probably were pretty well set up to recover from specific hardware or site failures, but no one had taken into account recovering from an instance where all of their data was deleted from the admin console.

As a result, Code Spaces is closing their doors.  The cost of recovering their customers’ data plus the damage to their reputation was too much to overcome.

We don’t have many details on the exact nature of the attack at this point, but what little we know seems to indicate that a phishing attack targeted key individuals at Code Spaces, and was successful enough for the attacker to gain access to the Amazon dashboard.

So, how can you secure the admin console for your cloud services?

First, securing the admin portal should be as important to the cloud provider as it is to you.  In most cases, the admin portal should be restricted, not just to authorized users, but from the Internet in general.  While remote access is great, very rarely will you need access from absolutely anywhere on the Internet.  Incorporating a VPN (with different credentials) to access administrative functions can provide an additional buffer.  Most managed private clouds will work with you to only provide access to admin consoles through very restricted access.  Obviously you can’t request physical access to most cloud service providers, which would enable physical access controls as well as logical ones.

Physical access controls are generally not an option for you in cloud services...

Second, there should be some logging and alerting built in.  Basic things like looking for a series of incorrect passwords or connections from unusual locations are a good start.
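A sketch of those two basic checks over admin-console login events, as an added example that is not part of the original post. The event format, the pre-resolved country field, the placeholder country code "ZZ", and the thresholds are assumptions made for this illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed admin-console login events: (time, user, source_ip, country, result).
# The country is assumed to be resolved at log time (for example by a GeoIP lookup).
EVENTS = [
    ("2014-06-17 08:01:10", "alice", "198.51.100.10", "US", "success"),
    ("2014-06-17 09:15:00", "carol", "198.51.100.22", "US", "failure"),
    ("2014-06-17 09:15:30", "carol", "198.51.100.22", "US", "success"),
    ("2014-06-17 22:10:00", "bob", "203.0.113.50", "ZZ", "failure"),
    ("2014-06-17 22:10:20", "bob", "203.0.113.50", "ZZ", "failure"),
    ("2014-06-17 22:10:40", "bob", "203.0.113.50", "ZZ", "failure"),
    ("2014-06-17 22:11:00", "bob", "203.0.113.50", "ZZ", "failure"),
    ("2014-06-17 22:11:20", "bob", "203.0.113.50", "ZZ", "failure"),
    ("2014-06-17 22:11:40", "bob", "203.0.113.50", "ZZ", "failure"),
    ("2014-06-17 22:12:30", "bob", "203.0.113.50", "ZZ", "success"),
]

# Countries each admin normally logs in from (maintained by hand in this sketch).
BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}


def detect(events, baseline, max_failures=5, window=timedelta(minutes=10)):
    """Return alerts as (time, user, kind, detail) tuples, in time order."""
    failures = defaultdict(deque)   # user -> timestamps of recent failed logins
    in_burst = set()                # users whose current burst was already reported
    alerts = []
    for when, user, ip, country, result in sorted(events):
        stamp = datetime.strptime(when, FMT)
        recent = failures[user]
        while recent and stamp - recent[0] > window:
            recent.popleft()        # forget failures older than the window
        if len(recent) < max_failures:
            in_burst.discard(user)  # the earlier burst has aged out

        if result == "failure":
            recent.append(stamp)
            if len(recent) >= max_failures and user not in in_burst:
                in_burst.add(user)  # report each burst once, not once per attempt
                alerts.append((when, user, "failed-login burst", ip))
        elif result == "success":
            if user in in_burst:
                # A success right after a burst suggests the password was guessed.
                alerts.append((when, user, "success after failed-login burst", ip))
            if country not in baseline.get(user, set()):
                alerts.append((when, user, "login from new location", country))
            recent.clear()
            in_burst.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, BASELINE):
        print(*alert, sep="  ")
```

The baseline is deliberately not updated from the events themselves, so a login from a new location keeps alerting until someone confirms it and adds the location.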

Redundancy Outside of the cloud

Offsite (or off-service) backups are crucial

Backups are such a critical component of DR/BC plans because you can always restore the app, but once you’ve lost the data, well that’s it.  The Code Spaces team had designed their solution to handle lots of adverse conditions, just not one in which an attacker had access to their admin console.  Had they leveraged a backup solution that kept their data outside the Amazon cloud (and away from the control of the attacker) they would have suffered an outage, but would have been able to restore to full functionality.

Cloud Security – Lots more!

The proliferation of various cloud services provides lots of additional attack surface that needs to be secured.  We’ll be discussing additional cloud security concerns in upcoming blog posts.

Thanks for reading!

More details on the Code Spaces story can be found here:

http://www.codespaces.com/

http://arstechnica.com/security/2014/06/aws-console-breach-leads-to-demise-of-service-with-proven-backup-plan/

http://www.csoonline.com/article/2365062/disaster-recovery/code-spaces-forced-to-close-its-doors-after-security-incident.html

How To Pick a Good Password

As a regular reader of this blog, you’ll know we’re sticklers for good passwords.  And if this is your first visit, welcome to the show!


To be completely honest, a username and password is actually not an ideal way to secure a system.  Usernames are almost always easily guessable, and passwords usually are too.  But, for a lot of systems, that is what we have, so it’s important to pick good strong passwords to protect your information.

Before we dive into good password rules, I’d like to look at how passwords get compromised in the first place, so you’ll know what we’re up against.

Generally speaking, there are 4 ways that your super secret password becomes, well, not so secret:


  1. Your password is really easy to guess
  2. One of the websites you use experiences a breach (and you use that password everywhere!)
  3. Someone is able to use a “Forgot My Password” function to reset your password
  4. You get tricked into telling someone your password

Easy to Guess?

Why did I use "password" as my password?!

Just about everyone knows that your password shouldn’t be obvious.  Hilariously bad examples exist like “password”, “123456”, and “password1” (you know, to make it complex).   I know I sound like the stuffy old security guy when I say that, but it’s not something I just think, I know that those passwords are used all the time.  How could I possibly know, you ask?  Well, lots and lots of websites suffer breaches every year, and lots of those websites do a really crummy job of taking care of your password, and then the attacker usually ends up posting them for everyone to see, so security nuts like me get to chart these things.  In 2013, “123456” was the MOST POPULAR password in use, followed by “password”.  Not kidding:

http://splashdata.com/press/worstpasswords2013.htm

You also shouldn’t use your username as your password.  It sounds silly, but it happens.   Not too long ago we were performing a security audit on a web application, and one of the concerns the client had was over their ability to detect password guessing activity.  We scripted up some automated login actions, fed it a list of 2000 common usernames, and tried logging in with either “password” or the exact same word as the username.  To the client’s surprise (not ours) about 130 of the accounts used the same word for their username and their password. Another 35 or so used “password”.  It took us about 30 minutes.  Seriously.  Don’t use your username as your password.

One of your favorite websites is breached! (Gasp!)


OK, so let’s say you’ve figured out a super awesome password.  It has numbers, capital letters, special characters, the works.  It’s 15 characters long, and no one would ever guess it.  Awesome, nice job.

So you take your super awesome password, and register on a site that sends you coupons for things like spray tans and dog spas (hey, no judgement here).

Also not good at protecting passwords, it turns out....

Turns out that the oddly orange dog loving entrepreneurs aren’t good at securing their website, and someone steals the user database and posts it for the world to see.  The usernames and the passwords are stored in cleartext, which means they look just like you type them.  It has your email address, and your password, right there, plain as day.  Your super awesome password is no longer secret, super, or awesome.  If you used this password on everything (Facebook, LinkedIn, your email account, your bank), it’s just a matter of time before someone bothers to try it.

Now let’s say that a few months later, another website you use suffers a breach, only they do something called hashing.  A hash is a one-way math function, that takes in your password and spits out a stream of numbers and letters.  Think of it like a meat grinder.  You put a steak in one end, and ground beef comes out the other side.


In this case, the “grinder” always spits out the same hash value when you enter the same password, so instead of storing your actual password, they compare the hashed results of the password you just entered, and the hashed results they have on file.  And just like a meat grinder, there is no way to reverse the process. (How many times have you seen someone put a steak together from ground beef? Exactly.)

Attackers know this, and so have built these enormous tables called Rainbow Tables, where they take huge lists of potential passwords, perform the same hashing function, then compare the results against the hash values they just stole from the web site.  There are some things that you can do to make that harder, but lots of websites just get to the hashing part, and no further.

Note: Not an actual rainbow table.

So the moral of this story is to use different passwords for different sites.  That way, if the above scenario unfolds, you only have one site to worry about, instead of your entire online identity.
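The hashing and precomputed-table discussion above, from the website's side, as an added example that is not part of the original post: an unsalted hash falls to a table built ahead of time, while a per-user random salt with a slow key-derivation function makes that table useless. A plain lookup dictionary stands in for a rainbow table here (real ones use hash chains to save space), and the choice of SHA-256 and PBKDF2, the user names, and the word list are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

# Constructed word list; the first three entries are the examples named in the post.
COMMON = ["123456", "password", "password1", "qwerty", "letmein"]


def unsalted(password):
    """What a site that 'just gets to the hashing part' stores."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_table(words):
    """Precompute hash -> password once; reusable against every unsalted breach."""
    return {unsalted(w): w for w in words}


def recovered(leaked, table):
    """Passwords that fall out of a leaked {user: hash} database by lookup alone."""
    return {user: table[h] for user, h in leaked.items() if h in table}


def store(password, iterations=100_000):
    """Hardened storage: random per-user salt plus a deliberately slow function."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, derived


def verify(password, record):
    salt, iterations, derived = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, derived)   # constant-time comparison


if __name__ == "__main__":
    table = build_table(COMMON)

    # Constructed "leaked" database using unsalted hashes.
    weak_db = {
        "ann": unsalted("123456"),
        "bob": unsalted("password1"),
        "cy": unsalted("T7#vq!Lm2@xRk9"),
    }
    print("recovered from unsalted hashes:", recovered(weak_db, table))

    # Same passwords stored with salt + PBKDF2: the table no longer matches anything,
    # and two users with the same password get different stored values.
    strong_db = {"ann": store("123456"), "dee": store("123456")}
    hits = {u for u, (_, _, d) in strong_db.items() if d.hex() in table}
    print("recovered from salted records:", hits)
    print("same password, same stored value?",
          strong_db["ann"][2] == strong_db["dee"][2])
    print("login still works:", verify("123456", strong_db["ann"]))
```

Salting only defeats precomputation; a weak password such as “123456” can still be guessed one account at a time, which is why the password rules later in the post still matter.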

Forgot your password?

You see these same questions every time you register on a site.  Mother’s maiden name?  City you were born in?  Maid of Honor at your wedding?  These are the questions you get asked when you want to reset your password.  And this is great: since you are now using separate passwords for all of your sites (right?), it’s possible that from time to time you may need assistance getting into one of these.

Some sites handle the password reset issue well, some not so much.  Most sites will ask you a question, then send you a temporary code to your registered email address, which is good.  Even if someone guesses the answer, they still need access to your email.  Other sites will ask a security question, then let you reset the password right there if you get the right answer.  Those are dangerous, so you need to make sure the answers to those questions can’t be discovered in 2 minutes of looking at your Facebook profile.

OK, let’s pick a good password!

Now that we’ve seen the different ways that passwords can be compromised, let’s look at what makes a good password.

We know it shouldn’t be easy to guess, so regular words are out.  And since the attackers can use those Rainbow Tables to compare possible passwords, we need to use a password that is pretty long and has lots of different characters in it.


Some rules to use:

  1. Make sure your password is at least 10 characters long
  2. Use capital and lower case letters
  3. Use a number (or several)
  4. Use some punctuation (!@#$%^&*)

If you follow the above rules, an attacker would need a rainbow table roughly 100 petabytes to ensure they have your password hash in their table.  If you drop one of those out though, it shrinks fast.  Let’s say you only use letters and numbers.  That drops the rainbow table to 13 petabytes.  Still huge, but not nearly as huge as before.  Let’s say you use a shorter password, like 7 characters.  Even if you follow the other rules, we’re down to about 250 gigabytes, much more manageable.  Let’s not make it manageable.   Every additional character you put in your password makes it exponentially harder for the attacker.

Time to change your EBay password!


News reports coming out this morning indicate that EBay will be asking all of its 112 million users to reset their passwords on the site as soon as possible.  We highly recommend you do that, and use a good, hard to guess password that you don’t use anywhere else.

EBay is obviously an incredibly popular site, and emails about needing a password reset on EBay have long been a favorite ruse of email scammers.  Today’s email (which may or may not be caught in your spam filter) is actually legit (but you’re going to follow the rules for not getting phished, right?  Thought so..)

We’re still waiting on more details from EBay, but at this point it appears that attackers used stolen employee credentials to access the database containing all of the encrypted passwords for all EBay users sometime in February or March.  It appears at this point that no confidential information was contained within that database, but it does include usernames, email addresses, phone numbers, and addresses.

PayPal, a sister company of EBay, was not involved in this breach and as of right now there is no indication that this breach has affected PayPal at all.

Although the passwords were encrypted, EBay (and others) believe that sufficient tools exist that the attackers may be able to reverse the encryption.  So, better safe than sorry.  Oh, and while you’re at it, you don’t use the same email and password to log in to Facebook, do you? Or Twitter?  And certainly not any of the financial institutions you do business with, right?  Good, just checking.  Because you shouldn’t use the same password for everything, right?  Right.  Good.  Glad we got that cleared up.

Now if you’ll excuse me, I have an EBay password to change.  And while I’m there, I may as well check on my bid on that Atari 7800.  It’s vintage!


Thanks for reading!  More updates as they become available!

Additional Reading:

http://www.theverge.com/2014/5/21/5737914/ebay-will-ask-all-customers-to-change-passwords-after-massive-breach

http://www.engadget.com/2014/05/21/ebay-paypal-password-notice/

http://www.reuters.com/article/2014/05/21/us-ebay-password-idUSBREA4K0B420140521

2014 Verizon Data Breach Report – An overview


As information security professionals, we crave reliable information about our adversaries and their tactics.  As you can imagine, this kind of data can be difficult to get (for a variety of reasons), so we take full advantage of any good information we can obtain.  One of the great sources of information over the past few years is the annual Verizon Data Breach Investigations Report (DBIR).

The DBIR started out as Verizon Enterprise (the part of the division that was previously known as Cybertrust) publishing anonymous statistics on the cases they had conducted over the previous year.  Since they were only called in when it was already known that a security incident resulting in information loss occurred, they were in a good position to describe the chain of events leading to a data breach and look for patterns there.

Over the years, a number of other groups have added their caseload to the study.  The DBIR team has continued to refine their approach, and is consistently looking to use a new perspective to see if patterns emerge from the data.  This year the report includes all security incidents, not just cases where data loss was confirmed. This helps to grow the sample size of cases.  The annual DBIR is one of the best insights we have into how the bad guys work, and something we always look forward to reading.

There are lots of great pieces in this year’s report, and a lot of it aligns with trends we have seen in the past year as well.  In this year’s DBIR, a fresh perspective revealed that 92% of all information security attacks can be described with 9 basic patterns. This proves that a) these attack patterns are successful across industry verticals and b) the vast majority of attacks don’t require an extraordinary level of sophistication.  Which is both good and bad news.

One of the more eye-opening data points within the report every year is the difference between how long the initial (successful) attack takes (usually measured in minutes) and how long discovery and containment take (usually measured in months!).  This year’s report doesn’t disappoint in this area.  To the charts!

2014 DBIR - Compromise versus Contain
A look back over the last 10 years…. not getting much better. © Verizon

The above chart shows that the attackers have a much better ratio of successful attacks in less than a week than defenders do in just finding the evidence of the attack.  And the attackers are getting better.  Let’s look at one of the nine specific attack patterns highlighted in this year’s DBIR to see the gap between compromise to containment:

POS Infection Compromise versus Contain
© Verizon

There were several publicized breaches involving retailers in 2013.  As you can see (from the mildly terrifying graph above) the attacker successfully compromises their target and exfiltrates data from the network in minutes.  The information security team responsible for defending these systems may not find out that they have a problem for weeks.  But how did they find out they had a problem?

POS_discovery
© Verizon

Turns out that (for the POS attack vector) it’s always an external party that makes the discovery, usually because the data the attackers exfiltrated is for sale on the various marketplaces that traffic in such things.  While the overall trend isn’t quite that bad, it’s not great either:

All_Detection_Types
© Verizon

As you can see, internal detection checks in as the source of detection in 20% of the cases over the last 10 years.

We’ve got to do better.  We can do better.  We’ve got two major places to improve: detection and response time.

It’s a (sad) fact of life in the information security field these days, but we know that prevention isn’t enough.  We’ve got to be able to detect and correct when our preventative defenses are breached.  We’ve got to build better segmentation into our networks, manage the configurations and patch levels of our systems, and ensure we provide our defenders time to look around and find potential problems.

Even with increased detection, how do we fix the response time gap?  The DBIR notes in a few places that the attacker speed is most likely an indication that the attack sequence has been heavily automated.  It’s time for the blue teamers to automate too.  And we’re not talking about scripts for specific tasks.  We’re talking about digital robots executing the same standard operating procedures your security analysts would use, only faster and at scale.

Over the next few weeks we’ll be following up with some of our strategies on both detection and automation.  Let’s make a dent in these numbers for next year!

Thanks for reading!

Cryptolocker – the latest addition to your “Most Annoying Things” list….


A few months ago I was at the airport, ready for my 6:50 am flight.  Yeah, that’s right.  6:50 AM.  In the morning.  I am going to be totally honest, I wasn’t even sure oxygen is out that early in the day, but evidently it is.  Anyway, arriving in the terminal mere moments before my flight, it occurs to me I have but a brief chance to obtain caffeine before wheels up.  Luckily, a Starbucks presented itself across the hallway.  Ducking inside, I order an iced coffee, to which the barista replies “We’re all out.”

Me: “Oh, are you having a problem with the ice machine?”

Barista: “Nope.”

Me: <Long Pause> “So…. are you out of coffee?”

Barista: “Nope, we have coffee.  We usually make a batch of coffee and cool it down, but we don’t have any right now.”

Full disclosure: I am not a physicist.  I have limited training in fluid thermodynamics.  I am not a barista.

Me: “Umm.  OK.  Can I have a regular coffee and a cup of ice then?”

Barista: “OK, here you go.” <Hands me a cup of hot coffee and a cup half full of ice.  I drain the hot coffee into the cup with ice and hand back the hot coffee cup>.

I walked away celebrating my victory over inside-the-box thinking.  And then I promptly spilled the coffee on my shirt.  Oh yeah, and my flight ended up delayed for two hours.

Why did I just bore everyone with that story?  To illustrate how annoying and aggravating today’s topic is.  I’d rather repeat the iced coffee saga every morning than deal with this other thing.


Hopefully you never have to deal with Cryptolocker.  It really is one of those don’t-even-wish-it-on-your-enemies kinds of things.  But at some point you or someone you know will.  So here we go:

Cryptolocker: A brief primer:

It can go by lots of names, but the most famous is Cryptolocker.  A member of the ransomware family of malware, Cryptolocker is installed on your computer like any other piece of malware, and then proceeds to encrypt all of the files on your computer.  Everything in your Documents folder, everything in your Pictures folder, and even files on network shares that your computer has connected to.  Then you get the message pop-up: You can have the key to decrypt your files… for a fee.

The malware itself isn’t actually that hard to remove.  The only problem is you are still left with all of your files encrypted.  Should you pony up the cash if this hits your computer?  While there are certainly stories of people trying this route and regaining access to their files, there are also plenty of stories of payment leading to no action on the bad guys’ part.  My suggestion is that you take some basic precautions that will allow you to survive an attack of this sort without having to deal with this decision at all.

An ounce of prevention…

True Story: Benjamin Franklin was actually referring to Cryptolocker - what a futurist!

When it comes to defending yourself, the very best thing you can do is follow some good practices before you ever have to deal with something like this.

A good backup routine is the single most important thing you can do to ensure your ability to survive any of these types of attacks.  The simplest way to do backups is to get an inexpensive USB hard drive and back up your important files once a week or so.  Don’t leave it connected all the time though!  In fact, if you have a fire safe, that would be a good place to keep it when not actively backing up your PC.

There is also an abundance of “cloud” backup solutions available, and the costs are dropping rapidly.  They have the added advantage of being offsite, available anywhere, and usually have some kind of automatic backup application that handles everything for you.  Even if Cryptolocker strikes, you can usually access the previous non-encrypted version of your files.

The basic rule of thumb for determining whether your backups are sufficient is to answer the following question: If I had to replace my current computer with a new one and all I had was this backup, could I do it?  Would I have everything I needed, like documents, pictures, music, and email?

After backups, the best prevention is following the basic safe computing practices: Don’t open attachments in your email from people you don’t know, keep your computer up to date on patches, and run an up-to-date host protection suite (won’t catch everything, but will certainly catch the obvious stuff).

If you’re already infected with Cryptolocker

I hope you have good backups.  So far none of the white hat researchers who have tried have been successful in reverse engineering the malware to find a method to obtain the decryption key.  The only way to fix a computer infected with Cryptolocker is to do a complete reinstall of the operating system, and then bring back in your documents from a backup.  Much like my shirt with the giant coffee stain, an infected machine needs a fresh start before it will be useful again.

That’s it for this post.  Thanks for reading, and stay safe out there!

Teach a person to phish, and they will never click on a link in an email again.

Let me start by saying that I realize that a lot of important messages with links arrive in your inbox every day.  I get it.  It’s painful to not use the links.  And so many legitimate emails come through this way!  The problem is lots of phony ones do too.

For the most part, computers are pretty well set up to prevent direct attacks.  You have to do something to help along this process.  One of the most useful ways of attacking your computer is to take advantage of vulnerabilities in your web browser (see our previous post on a recent IE vulnerability).

In order to obtain anything of value from you (money, passwords, control of your computer, etc.) the attacker needs to get you to visit a webpage that runs code specifically designed for their purpose.  So the attacker needs to make a choice: hijack an existing webpage that you are likely to go to, or use some tactic to prompt you to visit a new website.  Phishing is one of those tactics.

No, a different kind of fishing...

One of those words that nobody would have recognized 15 years ago, phishing is the act of using Internet communications like email, instant messaging, and social media messaging to entice a user to click on a link to an attacker site.  Email is a very popular vector because it is cheap, it is (nearly) universal, and it is effective.  Now the attacker only needs to craft a message that looks important enough for at least some of their audience to click on.

There are several methods the attacker can use here.  They may copy notification messages from a universal type of Internet service that nearly everyone uses (PayPal, eBay, Facebook, etc.).  They could try to fake a message from a common financial institution.  Or they could pose as UPS or FedEx, letting you know that action is needed on your part or your shipment will be cancelled.  They might pretend to be a large retail chain or consumer electronics company.  Last, but certainly not least, is the lottery method (“You’ve won a Starbucks gift card, click here to give us your mailing information!”).

The point is, if you think about it, it wouldn’t be hard to craft a fake email that you could get your friends to click on.  And the click is all it takes.  The action is over and done before you’ve had time to rethink your decision and close the browser tab.

So what can you do to protect yourself?

Rule #1 – Go direct.

Got an email from PayPal that your account needs attention?  Open a new browser tab and go directly to PayPal.  Message from your bank? Same thing.  If you need to call these companies, go directly to their website and find the Contact Us info.  And if it was actually legitimate, let them know you think their communications need some work.

Rule #2 – Hover over the link

Did you ever notice that if you put your mouse cursor over a link and leave it you get a little dialog box that pops up?  That dialog box shows you the actual link that you will be going to if you click on it.

Good News!
Awesome, I love ice cream!

Try hovering over the link:

Oh no!
Hmmm, that doesn’t look right….

This trick is not fool-proof, especially when the link is created by a marketing firm that wants to help its customers measure exactly who clicked on their link.  I find though that going to Google and searching for whatever the email refers to gets me there just the same.

Rule #3 – There’s no need to rush.

It probably isn't really urgent.

A common theme among these phishing schemes is that they often are crafted to create a sense of urgency in the recipient.  After all, if it doesn’t look like you need to deal with it right away, you will probably push it off until later.  If the message is screaming for immediate attention, alarms should be sounding in your head.  Follow rules 1 and 2 very closely on these.

Preventing phishing is a way bigger topic than what I can fit here in a blog post, but there are a number of additional resources to help you protect yourself from these kinds of scams.  And if you think you may have accidentally clicked on a link that may be suspicious, please don’t hesitate to report it to our Service Desk.

Some additional resources on protecting yourself from phishing attacks:

http://www.microsoft.com/security/online-privacy/phishing-faq.aspx – Microsoft’s guide to preventing phishing.

https://www.sec.gov/investor/pubs/phishing.htm – The Securities and Exchange Commission offers their two cents.

http://stopthinkconnect.org/ – A joint partnership between the Department of Homeland Security and industry groups, this site has lots of good information intended for consumers.

That’s it.  Thanks for reading!

Attacks against Internet Explorer browsers – What to do if you still run Windows XP

[Updated April 30 @ 3 PM] - Late Sunday evening Microsoft released details about an ongoing series of attacks against Internet Explorer browsers.  This is a serious vulnerability that enables an attacker to gain control of a target computer when a user simply browses to an infected website.

Microsoft has been researching this vulnerability with FireEye, one of EI’s antimalware partners, and has provided some information on the technical details of the attacks and some mitigation strategies while Microsoft works on a patch.

While this vulnerability affects virtually every version of Internet Explorer, the biggest concern is for those systems still running Windows XP, which reached End of Support status earlier this month, meaning no patches for security vulnerabilities are forthcoming.  So what can you do to protect yourself?

1. Use a different web browser.

While Internet Explorer 8 is the latest version that will run on Windows XP (newer versions of Windows currently run Internet Explorer version 11), the latest versions of both Google’s Chrome and Mozilla’s Firefox run just fine on Windows XP.  While there may be some compatibility issues with internal applications, it is safe to allow the use of the older Internet Explorer browser within the network, and use Firefox or Chrome for all Internet-based web browsing.

2. Install Microsoft’s EMET application

The Enhanced Mitigation Experience Toolkit from Microsoft provides a great deal of protection against vulnerabilities such as this one.  EMET installs like a regular application, and comes with a default profile to get you going.  The great thing about EMET is that you can apply this protection to any program on your computer, regardless of who wrote it.  A highly recommended install that will reduce your exposure to this and future vulnerabilities.

Microsoft’s EMET 4.1: http://support.microsoft.com/kb/2458544

3. Your normal account should not be an administrator level account.

While we do not know if this particular vulnerability requires administrative rights on the target computer to be successful, we do know that the vast majority of attacks rely on the fact that almost everyone uses their computer with an account that has full administrative privileges.  In newer versions of Windows there are protection schemes in place like User Access Control to enable elevated rights when needed, and otherwise run at a normal user level.  But Windows XP does not have this feature, and for convenience most accounts are set up as administrators, and stay that way.  EI highly recommends that you modify your normal account to run as a regular user, and keep a separate admin account handy for installing and updating software.

4. Don’t click on links in email messages

In order for this attack to be successful, the attacker has to convince you to visit a page that he or she has embedded the exploit code on.  One of the most common ways to do this is through a “phishing” attack, where an email purporting to be from a friend, co-worker, or familiar company arrives asking you to visit a web page.  You should never click on a link, since the true destination is often hidden and difficult to detect at first glance.  If you get a notice from your bank that they have an important message for you, open your browser and navigate there directly, do not use the link in the email.  And if you do receive a suspicious email message, please forward that on to your security team for further review.

Microsoft’s security advisory: https://technet.microsoft.com/en-us/library/security/2963983

FireEye’s technical write-up of the vulnerability and attack methods: http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html

[Update]: Microsoft has clarified some of their guidance that was issued earlier, focusing on the EMET tool and other workarounds in great detail:

http://blogs.technet.com/b/srd/archive/2014/04/30/protection-strategies-for-the-security-advisory-2963983-ie-0day.aspx

Social Media security – Safeguard your social reputation

I would like to start off by saying that nobody’s Twitter account gets “hacked”.  Well, almost nobody.  In the vast majority of cases where an account is “hijacked”, it’s because the password was either guessed, or obtained through a phishing type attack.

Not true.  Let's see if we can prevent this from happening to you.

But the end result is still awful: Your carefully managed corporate LinkedIn account is now posting all kinds of horrific things that you’ll have to go apologize for later.  It hardly seems fair.  After all, you’ve spent so much time and energy building defenses around all the IT assets in your organization, only to have this hijacked account on a website outside of your control get all the publicity. <heavy sigh>

But fortunately some security awareness training will go a long way towards reducing the likelihood of something like this.  After all, sites like Facebook and Twitter go to great lengths to secure their own platforms, so if you use the controls they have in place along with some good security practices, you can reduce a lot of the risk.

A quick caveat here: social media security is a monster topic, and all we’re going to talk about here today is keeping your organization’s account under your control.  There’s lots more to discuss for sure, but those topics are for other posts.  Back to the business at hand…..

In most organizations the marketing or corporate communications groups handle the social media accounts, so they’ll be our intended audience.  Depending on the platform, several people may have access to the account, either directly with the log-in credentials, or delegated to their own account.  Which reminds me, you have social media accounts on your out-processing paperwork for when these employees leave the organization, right?  Just checking.

The Basics:

  1. Change the password regularly.
  2. Don’t use the same password on multiple sites
  3. Keep the password in a password safe.
  4. Password reset options should be secured just like your password.
  5. Know what a phishing attack is, and be careful clicking on links in email.

Change the password regularly.

This is good advice for pretty much everything, but especially here.  Changing the password on a regular basis ensures that only active participants will be able to use the account.  So even if Bill writes down the password on a sticky note under his keyboard, in 30 days it will be different anyways.  Which leads to my next point…

Use different passwords on different sites

It’s one of those ironic things about a password: In most cases it’s the only way a website really knows it’s you, so they tell you to keep it secret.  Then the website goes and does silly things like store the password in cleartext, making it possible for attackers to recover your password.  I can promise you, if your user account for a given site is an email address, they are going to try and log into your email account with your password.  Next they’ll go to Facebook, Twitter, LinkedIn, etc.  Don’t make it that easy for them.  There are lots of good password manager tools out there, and they all have the ability to generate really good passwords for you to use.

Hint: "baseball" is not a good password.

Keep the password in a password safe

OK, so you’ve already made it a habit to regularly change your passwords, and you are making some really good passwords (like Kz8fWKh8Mrsq&@H – great password!).  Of course now you find yourself stuck having to keep these super complex and ever-changing bits of nonsense in a word file on your desktop.  That’s no good either.  Time to use a password manager.  The password manager provides a secure place to store all of these credentials, and provides the appropriate access controls to limit access to only those who need it, and log when they retrieve it.  Your organization may already have this capability around for IT systems, why not leverage it here?

Password Reset:

What do you do when you forget your password?  It’s the exact same thing an attacker would do: see if the password reset feature will help.  Some sites offer a few different options, from security questions to receiving a link or code via email.  Twitter, for example, lets you select either an email or text message option once you input your username:

This is a great option, since it makes the process that much more difficult for the attacker: they would have to either be in control of your phone or your email account.  It’s probably worth checking now what those settings are for your organization’s account.

In fact, just documenting what sites your organization uses and who has access to it is a good idea.
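One way to act on that inventory, as an added example that is not part of the original post: a Python check that runs a documented account list against the basics above (rotation, reuse, reset ownership, and access held by people who have left).  The inventory layout, the names, and the 30-day limit (borrowed from the post's sticky-note example) are assumptions, and all data is constructed.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import date

MAX_AGE_DAYS = 30               # assumption: the 30-day rotation used in the post's example
AUDIT_KEY = b"constructed-key"  # constructed; use a random per-run key in practice
AUDIT_DATE = date(2014, 7, 1)   # constructed "today" so the result is repeatable

# Constructed inventory, as it might be exported from a password manager.
ACTIVE_STAFF = {"alice", "carol"}
ACCOUNTS = [
    {"site": "twitter", "password": "constructed-pass-A", "changed": date(2014, 6, 20),
     "reset_owner": "alice", "users": ["alice", "carol"]},
    {"site": "facebook", "password": "constructed-pass-A", "changed": date(2014, 3, 1),
     "reset_owner": "alice", "users": ["alice", "bill"]},
    {"site": "linkedin", "password": "constructed-pass-B", "changed": date(2014, 6, 25),
     "reset_owner": "bill", "users": ["carol"]},
]


def fingerprint(password):
    """Keyed hash so reuse can be compared without carrying the password around."""
    return hmac.new(AUDIT_KEY, password.encode(), hashlib.sha256).hexdigest()


def audit(accounts, active_staff, today):
    """Return sorted (site, finding) pairs for the checks listed above."""
    findings = []
    by_fingerprint = defaultdict(list)
    for acct in accounts:
        site = acct["site"]
        by_fingerprint[fingerprint(acct["password"])].append(site)
        age = (today - acct["changed"]).days
        if age > MAX_AGE_DAYS:
            findings.append((site, f"password is {age} days old"))
        if acct["reset_owner"] not in active_staff:
            findings.append((site, f"reset goes to departed user {acct['reset_owner']}"))
        for user in acct["users"]:
            if user not in active_staff:
                findings.append((site, f"departed user {user} still has access"))
    # Any fingerprint seen on more than one site means a reused password.
    for sites in by_fingerprint.values():
        if len(sites) > 1:
            for site in sites:
                others = ", ".join(s for s in sites if s != site)
                findings.append((site, f"password shared with {others}"))
    return sorted(findings)


if __name__ == "__main__":
    for site, finding in audit(ACCOUNTS, ACTIVE_STAFF, AUDIT_DATE):
        print(f"{site}: {finding}")
```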

Know what a phishing attack is, and be careful on clicking links in email.

Phishing is such a pain point for security teams these days, because phishing attacks are hard to identify ahead of time, and they are just so successful.  It’s important that you provide some kind of awareness training for individuals who have privileged access to sensitive systems, and given the high profile of social media mishaps, we’re going to include those folks in this group too.

It’s important to know what a phishing attack is, and how it works.  Phishing comes in lots of flavors, but essentially it is sending a message designed to prompt an action from a target.  Sometimes the attacker hopes you’ll visit their malicious website so that they can take over the computer, sometimes they are hoping you’ll provide them the credentials to a specific system.

A good rule of thumb is to never click on links in emails like that.  If you get a message that PayPal needs your attention on some activity with your account, open a browser and go to PayPal directly, don’t click on the link.  And if the “help desk” needs to verify your credentials, report the email right away.  You do have a mechanism for reporting this type of activity, right?  That everyone in the company knows how to use, right?  Good.

As a quick side note, no one from Enterprise Integration will ever ask for your username and password.  Ever.  If that happens, it’s not someone from EI.  Do us a favor and report that activity immediately.

Thanks for reading.  Stay safe!