Category: Security

Security Bulletin: WannaCry

WannaCry has infected over 230,000 computers in over 150 countries as of the date and time of this post.

What is WannaCry?
WannaCry, a ransomware program, encrypts files on the infected computer. Encrypting the files renders them inaccessible without the decryption key. In order to get the key, victims are required to transfer money to the criminals in the form of Bitcoins.

WannaCry exploits a vulnerability in the Microsoft Windows operating system. Microsoft released a patch for this vulnerability in March of this year. However, many computers were not updated before this attack and the patch only applied to newer Microsoft operating systems. Microsoft has since released a patch for older operating systems as well.

How is WannaCry spread?
The WannaCry virus is spread by phishing emails (emails that appear to be from a known person but contain links to malware). Once a computer is infected, the virus searches for vulnerable computers on the network and infects those computers.

How do I know if I have been infected?
If your computer has been infected, you will see a notice informing you that your computer is infected and instructing you to transfer payment in the form of Bitcoin to get the key to decrypt your files.

What can I do if I have been infected?
If you have a backup of your computer, you should take the computer off the network and restore the computer using a backup from before the infection date and time. Using another computer, you should download the patch from Microsoft (found here https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) and install the patch on your newly restored computer. The computer should now be free of the WannaCry infection and protected against being infected by the same virus again.

If you do not have a current backup, there is no easy solution. You can pay the ransomware fee. However, this encourages criminals to continue these types of attacks and there is no guarantee you will get the key to decrypt your files. If you do choose to pay the ransom you should pay quickly as the cost to decrypt your files goes up as time goes on. The alternative to paying the ransom is to format your hard drive and install a fresh copy of the operating system. You will need to ensure the new operating system is properly patched before accessing a network or the internet.

What is the long-term solution?
If your computers or servers are using an older, unsupported operating system, you need to upgrade to a supported operating system. You can find lists of supported operating systems by type of product on Microsoft’s website. Also, both individuals and organizations need to install Microsoft updates as soon as they are available, although organizations may need to perform testing before installing Microsoft patches.

Greystone is committed to providing our customers with a secure computing experience. Technology tools like firewalls and antivirus software are the start of a good defense. But the human element is the most important piece. Training, company policies, and documented processes are the most effective ways to ensure your organization is secure. Please contact us if you would like us to review your security procedures and policies or to schedule security training for your staff.

Links included in this bulletin:
Microsoft patch for WannaCry vulnerability:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx



Scammers Targeting Businesses Using Website Forms

In a new twist on the traditional email spear-phishing attack, scammers are now using forms on company websites. The information submitted in the form appears to be accurate and can be tied back to a real person. When a company responds, the scammer tries to order products on credit or with a purchase order number. Unfortunately, this particular scam is hard to detect. Even if the information looks fake, some companies feel they cannot take the risk of offending a customer by asking if the request is real.

In the sample below, Kelly Loll is a real person who does have a purchasing-related role at Florida International University. A quick internet search would seem to confirm the form comes from a legitimate customer. However, there are some subtle clues that the request is fraudulent. The domain used for the email address, fiu-uniedu.net, is not a legitimate FIU domain. Also, the phone number shows up as unsafe or a scam-related phone number on several websites. We contacted Kelly to make sure, and she confirmed our suspicions were correct.

Education, awareness, and a healthy amount of skepticism are the best defense against any type of phishing attack. Employees should get in the habit of looking up names and email addresses that are submitted via forms and be alert for information that does not seem to match. If still in doubt, looking up the person’s information (do not use the information provided in the form) and contacting them to ask if the request is legitimate is better than taking a risk.
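The domain check described above can be automated for incoming form submissions. The following is an added example, not part of the original bulletin: `KNOWN_DOMAINS`, the function names and the sample addresses are hypothetical, and fiu.edu (FIU's public domain) is supplied here as an assumption because the bulletin does not list it.

```python
import re

# Assumption: a table you maintain yourself, holding domains you have
# independently confirmed for each organization. fiu.edu is FIU's public
# domain and was added for this example; the bulletin does not list it.
KNOWN_DOMAINS = {"Florida International University": {"fiu.edu"}}


def email_domain(address):
    """Return the lowercased domain of an email address, or '' if malformed."""
    local, at, domain = address.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    if not at or not local or not re.fullmatch(r"[a-z0-9.-]+\.[a-z0-9-]{2,}", domain):
        return ""
    return domain


def belongs_to(domain, known):
    """True only for the known domain itself or a real subdomain of it."""
    return domain == known or domain.endswith("." + known)


def assess_submission(org, email):
    """Classify a form submission's email domain against the claimed organization.

    Returns one of:
      "invalid"     - the email address is malformed
      "unknown-org" - no confirmed domain on file; verify by other means
      "match"       - domain is the organization's own (or a subdomain)
      "lookalike"   - domain embeds the organization's name but is not theirs
      "mismatch"    - unrelated domain (for example a free webmail provider)
    """
    domain = email_domain(email)
    if not domain:
        return "invalid"
    known = KNOWN_DOMAINS.get(org)
    if not known:
        return "unknown-org"
    if any(belongs_to(domain, k) for k in known):
        return "match"
    # The first label of each confirmed domain ("fiu") is treated as the brand.
    brands = {k.split(".")[0] for k in known}
    if any(brand in domain for brand in brands):
        return "lookalike"
    return "mismatch"


if __name__ == "__main__":
    org = "Florida International University"
    # Constructed sample addresses; only the domain fiu-uniedu.net is from the bulletin.
    for addr in ("purchasing@fiu-uniedu.net", "buyer@purchasing.fiu.edu",
                 "buyer@fiu.edu.example.net", "buyer@gmail.com"):
        print(f"{addr:32} {assess_submission(org, addr)}")
```

A "lookalike" or "mismatch" result is a prompt to contact the person through independently found details, not proof of fraud on its own.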

If you have questions, concerns, or think you may have been the victim of a phishing attack, contact us at 303.757.0779.

 


Scammers using business contact forms



The Hidden Dangers Lurking in the Internet Connected Home

Two weeks ago, there was a record-breaking DDoS (distributed denial of service) attack that utilized 145,000 compromised security cameras and DVRs to take down the security news website http://krebsonsecurity.com. On Friday, October 21st, there was another DDoS attack targeting Dyn, a major DNS provider. This attack crippled many popular websites and services. Details are still scarce, but the attack appears to have utilized a botnet of which a significant part was made up of compromised IoT devices. While DDoS attacks simply disrupt services and do not breach or compromise data, in theory, a compromised device could be used to allow an attacker direct access to your local network. From there they could attempt to access any data or device residing on the same network.

The term “Internet of Things”, abbreviated IoT, was coined in 1999 by Kevin Ashton while working at Auto-ID Labs on RFID technology.  The Internet of Things is the integration of network and internet support into everyday items.  These are often referred to as “smart home” or “home automation devices.” You may already have one or more of these devices in your home, like a smartphone controlled thermostat, a security camera, or an internet connected refrigerator. IoT devices can offer energy savings and convenience that is enticing to consumers. They also present an enticing target for hackers.

IoT devices are vulnerable due to a lack of technical and security standards in the IoT field. IoT devices utilize at least 14 different communications technologies, some of which are proprietary, while others utilize existing communications platforms. In addition, there are no specific requirements to provide firmware or security updates for these devices. This lack of standards enables hackers to exploit individual devices, as well as control many devices to form a botnet that can be used to launch further attacks.

IoT devices like your TV, DVR or baby monitor typically do not offer much in the way of security. Unlike your PC, IoT devices typically will not have a firewall or any form of malware prevention. Nor do they typically have an easy way to detect if they have been compromised.  If these devices support firmware upgrades, it may be possible to patch the security holes that allowed them to be compromised. Unfortunately, not all IoT devices support firmware updates or have a vendor that continues to release firmware updates. To further complicate matters, devices that do support firmware updates often require manual installation.

Most of these devices are “set it and forget it” with minimal security options. The types of data collected and security of that platform will vary by vendor, but rarely can a user configure more than a username and password. Again, since there is a lack of security standards, the risk will vary by vendor. Even in cases where a compromised device does not lead to data theft, it can be used as a proxy or in a botnet for other malicious purposes. The compromised device may use large amounts of bandwidth, which will slow your internet speeds.

I don’t want to scare you away from IoT devices, but rather educate you on the potential risks. It’s difficult to measure how exposed we are to security risk via our IoT devices, and the convenience may outweigh the risk for some people. We suggest you research the security of IoT devices. Then, at a minimum, change the default device passwords. If you do not need the internet features, do not connect it to the network at all.  That said, we do not recommend installing everything you can find that is IoT capable. After all, do you really need a dishwasher that automatically orders detergent when you run low?

Important Note: Business networks require a higher level of security due to the volume and nature of financial and customer data businesses collect. Your company may also be subject to laws and regulations like PCI and HIPAA that have specific security requirements. We recommend speaking with your IT consultant before adding any network capable device to your infrastructure.

If you would like more information about Friday’s internet disruption, watch this short interview.

 

 



Outdated Software on Healthcare IT Devices Introduces Increased Security Risk

Duo Security, a secure access platform provider, recently found a significant number of devices in the healthcare industry pose a security risk due to running outdated versions of Adobe Flash. Flash is a software programming platform for delivering web-based content and applications.

In a study of over 250,000 devices including desktop computers, laptops and mobile devices, Duo Security found that half were running outdated versions of Flash. Outdated versions of Flash expose the device to potential threats and data loss through hacks and malware.

It is critical that organizations have a defined process and schedule for applying updates and patches on all IT systems. You can find the latest Flash update at  https://helpx.adobe.com/flash-player.html.

If you require additional help, we provide a range of security auditing and remediation services as well as long-term security planning. Please contact us at 303.757.0779 or HHowerton@Greystonetech.com.



How to Protect Yourself from Fake Tech Support

Even as security standards continue to improve, hackers are always coming up with new ways to exploit users. Let’s talk about how to protect yourself from a common scam that uses social hacking to gain access to your technology.

Who are these people? In the same way a computer hacker will try many ways to gain access to a remote computer system, a social hacker gains your trust to access information you willingly provide.

We’ve talked about Spear Phishing before, which is a perfect example of employing social hacking to infiltrate someone’s email. Another common scam that we have encountered is the fake tech support call.

The attacker will find your business or personal information on the internet and they will call you claiming to be tech support. The social hacker will then tell you that your computer is infected with a virus or malware and they need to connect remotely to remove it. They may state they are from the Windows Service Center, Microsoft Research and Development, the Windows Helpdesk, or any number of other official-sounding places. They will attempt to scare you and make you believe that your sensitive data is already exposed and it is immediately important that they resolve the problem.

Once the attacker has you on the phone, they may direct you to a common site used for remote support such as TeamViewer or LogMeIn, or they may try to send you to another site with a masked address that will install their malicious software. If you follow their instructions, they will likely install a backdoor application on your computer and then connect to your machine. Once this happens, they may immediately demand a credit card payment to remove their software, or they could destroy all your information. Alternatively, they may inform you that the infection has been taken care of and just hang up. Then they can capture information like banking passwords or other sensitive information while you are unaware.

Rest assured that unsolicited phone calls asking for remote access to your computer are not legitimate. Social hacking with fake tech support employs techniques to scare you into willingly allowing an attacker access to your computer. A few ways to safeguard yourself from these scams are:

  • Be vigilant with your computer security systems and software, keeping antivirus and anti-malware definitions up to date to block threats. This allows you to be confident that your computer and information are secure.
  • Do not allow remote access to your machine unless you are already a customer of the company and you can verify their identity. Microsoft provides many ways to verify their identity and does not generally call users unless it is in response to an existing case, which has a case number, technician name, and verifiable call back number. Attackers do not have this kind of information.
  • Ask for detailed information when receiving a tech support call, and make sure there are multiple ways to contact the support person on the other end of the phone.
  • Never give credit card or personal information over the phone from an unsolicited phone call.

This may sound like common sense, but we all have bad days when we are vulnerable to these kinds of attacks and social hackers target users who are off their guard.  Social hacking relies on emotional response, distraction, and our innate desire to protect ourselves. Having great technology and powerful security still requires end-users to be attentive and aware of different kinds of threats. When in doubt, hang up, and call your IT provider with any questions or concerns you may have. Be safe out there!



Spear Phishing Whales – Thar She Blows!

“Spear Phishing” or “Whaling” is the latest scam that is targeting small and medium sized businesses, and it has nothing to do with the sport. Attackers garner information on accountants and executives from public sources to determine corporate structure and then write personalized emails that look like they are from a trusted source. They research potential targets and connections using information gleaned from publicly available websites, such as:

  • The company website in the “About Us,” “Our History,” and “Meet the Team” sections
  • LinkedIn
  • Facebook
  • Twitter
  • Instagram

Spear Phishing is a targeted version of phishing emails that trick the recipient into divulging personal or confidential information.  Whaling is the application of an attack on staff with access to the purse strings, to bring in a “big whale.”

They accomplish this by “Domain Spoofing.” Domain spoofing has been possible since 1982, when Simple Mail Transfer Protocol (SMTP) was introduced; the protocol was last updated in 2008. Simply stated, spoofing makes an email appear to come from a valid and trusted source when it is not. A significant weakness in the SMTP protocol is the lack of authentication in email headers. After doing their research on a company, attackers will create a fake email address that is similar to the company they are targeting. This email address typically looks like one of the following:

ALastname@company.com

Firstname.Lastname@company.com

Firstname@company.com

When the target receives an email, there are two notable fields that can be spoofed (faked): MAIL FROM and RCPT TO.  These fields can be manipulated to fool the recipient into believing the email comes from a trusted associate.  The target will get a new email in their inbox that looks to be from someone trustworthy, with a recognizable email address.  Typically, this email is alarmist, offers excuses for replying only by email and not by phone or in person, and is purposefully vague.  The attacker wants the target to establish contact through a response email.

Here is one example where Jane is the CFO and John is the CEO of the company:

 

Hi Jane,

How are you doing today?, I have a financial task that I need you to process this morning. Kindly let me know when you’ll be available to do this. And what details are required?.

I await your quick response,

Thank you,

John

 

Indicators that the email is a spear phishing attack:

  • Unusual formality
  • Local vernacular is suspect
  • Use of poor, inaccurate grammar or punctuation

Look for these indicators and pay close attention to the domain the email was sent from. Two methods that are used to combat phishing attacks from domain spoofing are Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). Many email providers already support these methods for stepping up the security of your email; they just need to be configured by an experienced I.T. professional.
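Once SPF and DKIM are configured, the receiving mail server records their verdicts in an `Authentication-Results` header, and those verdicts can be compared with the domain shown in From. The following is an added example, not from the original post: the messages are constructed, and example.com, mx.example.com and examp1e-mail.net are placeholders for your company domain, your own mail server and a lookalike domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed messages (not real mail). example.com stands for your company,
# mx.example.com for your own mail server, examp1e-mail.net for a lookalike.
SPOOFED = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e-mail.net; dkim=none
From: John <john@example.com>
Reply-To: John <john@examp1e-mail.net>
To: jane@example.com
Subject: Financial task

I have a financial task that I need you to process this morning.
"""

GENUINE = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: John <john@example.com>
To: jane@example.com
Subject: Lunch

See you at noon.
"""


def domain_of(header_value):
    """Return the lowercased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def auth_results(msg, trusted_authserv):
    """Collect {method: (verdict, domain)} for spf and dkim from trusted headers."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        parts = header.split(";")
        authserv = parts[0].split()
        # Any sender can insert this header, so only the copy written by
        # our own mail server (identified by its authserv-id) is trusted.
        if not authserv or authserv[0].lower() != trusted_authserv.lower():
            continue
        for clause in parts[1:]:
            m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
            if not m:
                continue
            dom = re.search(
                r"(?:smtp\.mailfrom|header\.d)=(?:[^\s;@]*@)?([\w.-]+)", clause)
            verdicts[m.group(1)] = (m.group(2).lower(),
                                    dom.group(1).lower() if dom else "")
    return verdicts


def check_message(raw, trusted_authserv):
    """Return a list of human-readable findings; an empty list means no flags."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    findings = []

    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(
            f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    results = auth_results(msg, trusted_authserv)
    if not results:
        findings.append("no SPF/DKIM result recorded by the trusted mail server")
    # A pass only counts if it covers the domain the reader sees in From.
    # Assumption: exact match; mail sent from a subdomain would be flagged.
    elif not any(v == "pass" and d == from_dom for v, d in results.values()):
        findings.append(f"neither SPF nor DKIM passed for From domain {from_dom}")
    return findings


if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("GENUINE", GENUINE)):
        print(name, check_message(raw, "mx.example.com") or "no findings")
```

The spoofed sample shows why a bare "spf=pass" is not enough: SPF passed for the sender's own lookalike domain, not for the domain displayed in From.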

Also, with tax season upon us, attackers are increasing their efforts to gain financial information from more businesses.  People can be easily confused during tax time, as they are especially concerned with the financials of the business.  If you aren’t sure if you have received a spear phishing email or not, go talk to the person that the email claims to be from, and ask them if they need the information requested.  Chances are, it is a fake email.

If your gut tells you it is suspicious, it probably is – don’t reply and don’t click the link!



Time to Ditch Your Passwords!

Recently, Jimmy Kimmel’s team hit the streets to find out how secure people’s passwords really are… and the results are hilarious, and sort of disturbing!

Password security is a big deal in today’s IoT (Internet of Things) world… The IoT simply means that the majority of business and critical infrastructures of our society are all being controlled through devices connected to the internet. The concept of IoT is a very present reality now and will continue to grow as more people adopt things like internet-enabled devices, smart home locks and even connected thermostats!

It seems everything is connected to the internet, which inherently makes it vulnerable. Studies have shown that passwords are the single weakest link in the IT security chain. The impact of poor passwords has come to light through recent events such as the data breaches at major companies like Sony and Apple and even more recently the IRS and White House. This leads to lots of individuals’ personal identifying information (PII), such as SSNs, being leaked online. Fraudsters will use this info to open new bank accounts and make credit cards under victims’ identities.

Regardless of whether you’re dealing with big corporations, small businesses, or even personal networks, security is important. So, how do we improve our security?

By using “passphrases” instead of passwords!

Passphrases are passwords that look something like: “ilovemylilkityandsheisS0nice!” rather than something like: “Fin@ncieS123!.” Although the second password is complex, using upper and lower case, numbers, letters, and symbols, it’s still not as secure as the first. According to How Secure is My Password, it would take “40 undecillion” years to break “ilovemylilkityandsheisS0nice!”

Passphrases are harder to crack than passwords because the various bits of the phrase are more difficult for “brute force” attacks to decipher. In a “brute force” attack, a hacker could theoretically be trying 10,000 passwords per second, which can eventually crack even very complex passwords. One month of cracking at 10,000 passwords per second would be over 25 billion combinations of passwords to be tried.

How to come up with a Passphrase?
To begin with, a simple rule of thumb is that the longer the phrase, the more secure. Passphrases should relate to what they are used for, to help you remember them. For example, if you use PayPal to pay friends back, your passphrase could be “tnksforlettingmebarrow$$itismuchapperciated!” You’ll also notice the intentional misspelling of words, because using unique words that are not in a dictionary makes them very hard to crack. Additionally, when sites let you use spaces between words, that’s even more secure. You don’t necessarily need a different passphrase for every single site, but it would be a good idea to have a separate one for work/business, finances, and personal data. If you use the same one for all sites, it would only take one site to be breached and then they would all be compromised. A further benefit of passphrases is that they can also be easier to remember than one or two words with random symbols in them.

It’s highly recommended to start implementing passphrases, versus passwords, and ditching those 5-year-old passwords we all still use!

Wondering about your own security? You can find out how secure your password or passphrase is here on this handy site!

As always, let us know if you have any questions… we’re here to help!



Phone Zombies & Smartphone Security

As I make my way around the city, visiting new and potential clients, I see it more and more… Phone Zombies. You’ve seen them, too; in fact maybe YOU are one of them: those wandering, listless and directionless living dead immersed in their phone, shuffling down a street, or across a courtyard, or through a foyer… Maybe bouncing off a wall or lamppost, or mindlessly clogging a supermarket aisle.

And yes, while it is infuriating to get caught behind one, (and, at least the YouTube videos of their foibles are hilarious) the reality is that such aimless meanderings are largely harmless.

But, there is a danger…

In a recent article on c|net, one of THE Internet hubs for all things tech, a former smartphone thief shares his story… And one of the most significant characteristics of victims was obliviousness. As the author of the story rides along with police in San Francisco, an officer points out a potential victim. “She’s not actually a victim but could easily become one as she walks past us. Eyes fixed on her screen, she’s numb to the buzz of the street around her. Ryan stops the squad car, a black and white Chevy SUV, and from his open window advises her to pay more attention to where she’s going.”

That oblivious, aimless wandering might cause you to conk your head on a street sign, but it also might lead to your being the victim of phone theft. In the aforementioned article, the former smartphone thief notes that his preferred technique was “quickly yanking the phone from a victim’s grasp.”

Newer phones, with remote locking and tracking capabilities, seem to be stemming the tide of smartphone theft, but it is still a significant problem because it is so fast and easy to turn a stolen phone into hard cash.

So, be careful and aware out there. It’s not just a matter of avoiding falling into fountains.

At least there aren’t any Phone Zombies driving cars… Wait… Dang it…

 



Safe Surfing on Public WiFi

Here at Greystone, we support a very wide client base, ranging across all sorts of industries: construction, professional services, non-profits, education, banking, accounting and C.P.A. firms, software and technology, oil/gas and energy, municipalities, and even a golf course.  And on and on it goes.

But there’s one thing that we all share in common these days: we’re all regularly accessing public Wi-Fi networks.

Public Wi-Fi access to the Internet has become ubiquitous.  At airports, hotels, coffee shops, department stores, restaurants and more, public Wi-Fi is so common it feels like a right. We expect it everywhere, and we expect it to work and to be fast.

And this is an absolutely amazing thing.

BUT! How safe is it to use these networks?  What are the risks?

The ubiquity of public Wi-Fi has lulled many of us into a false sense of security about the safety of using these networks, and so we’d like to help clarify the situation and offer a couple of tips for safer surfing.

First, it should be noted that there are several different kinds of public Wi-Fi networks: free and unsecured, free and password protected, paid and secured, etc., and a discussion of these different types of networks lies beyond the scope of this post.  And, in reality, if it’s a public Wi-Fi network, you should simply assume that what you’re doing is visible to someone/anyone.  Just because you have to ask the barista at the coffee shop for a password does NOT mean that they’re vetting every customer about whether or not they’re perpetrating cyber-crime.

Second, there are several ways for the bad guys to try and get at your info, with such nefarious names as “Man in the Middle Attacks” and “Packet Sniffers.”  Again, a full treatment of such bad guy tactics is beyond the scope of our conversation here.  And again, it doesn’t matter much what they’re trying to do; the reality is that if you’re on a public Wi-Fi network, you should assume that the bad guys are watching.

Third, there’s some measure of comfort in the remote likelihood of being the victim of cyber-crime, but “remote likelihood” is little comfort if it does actually happen to you.  The chances of someone sniffing out your email password on a public network are remote, but they are also very real.  And there’s a lot that someone could do with your email password.

So, what is one to do?  Here are a few suggestions:

Set Passcodes and Passwords
Take the time to set passcodes on your mobile devices and good passwords on your laptops.  The reason you NEED to do this NOW is that your biggest danger doesn’t come from “packet sniffing” or “men in the middle” or any such thing.  The biggest danger is shockingly low-tech: someone simply stealing your mobile device or your laptop, opening it up and getting your info because it wasn’t protected.  Just stop and think about all of the information that’s on your phone, or your laptop and imagine what a thief might be able to do with it.

Yes, it’s a pain to have to enter a passcode on your phone, especially when you let your kids play games on it.  BUT, it’s also a pain to put your seatbelt on every time you drive, too… and you do that, don’t you?

(And while you’re setting that passcode on your phone, go ahead and enable the “erase all data after 10 failed attempts” feature, too.)

Beware of “Shoulder Surfing”
Another danger of using your technology in public is amazingly low-tech… and that’s someone simply looking over your shoulder and watching what you do.  Yes, you need to set a passcode on a phone, but you also need to be careful about how visibly you enter that passcode in public.  Think about flying in a plane, and how close you are to others, and how easy it’d be to determine that 4 or 5 digit passcode. (Not that any of us have ever done it… just to, you know… see if we could…)

Use Your Security Tools
Your computer is equipped with some basic tools to make your computing safer. Turn off “automatically join networks,” since many bad guys use familiar network names for their purposes. Turn off file sharing. Turn on your firewall. Make sure your antivirus is active. Enabling these basic features goes a long way towards making things better.

Surf Smart
Once you’re on a public network, just be smart and reasonable. Don’t do your online banking.  Don’t do your online shopping.  If you absolutely HAVE to get on a site and enter your credentials, make sure it’s an HTTPS site.  It’s okay to check sports scores or read online magazines, absolutely.  Just be careful of doing anything that’s super sensitive.

The chances of becoming a victim of some sort of cyber-crime are quite low, and it’s a big, bustling Internet out there… just be smart about how you navigate around it!

And as always, let us know if you have any questions.  We’re here to help!



Backup Solutions for Personal Use

By Daniel Ross, Technical Engineer

All too often, people don’t realize the importance of having a good backup plan for all of their digital files until after suffering a massive data loss. While most companies have a backup that is automated for the users, such as Greystone’s Total Rescue offering, you may not have something at home. With more and more of our daily lives becoming digital, we need to have something to keep all our great content protected from viruses, device hardware failure, lightning strikes, directory issues, theft, fire, flood and the one I see the most: human error, which I’ve experienced and caused for myself.

Personally, I have multiple backup options now after experiencing data loss several years ago. At that time, I was sure I had my backup in place, but I hadn’t realized I had excluded a folder that contained some images from my wedding, as they weren’t in my photo organization software program. I was able to get back these files, but only after some hard work and significant out-of-pocket expense. From that moment on I knew I had to protect myself from future data loss, along with spreading the good word to others about solid backup strategies and knowledge.

For the most part, computers now come with some sort of basic backup software and/or option within the OS (Time Machine on Mac and Windows Backup on most versions of Windows). While this is a great quick and easy backup, some users may want to have more control and/or options as to what type of backup they create. Below are some types of backup options and products that can meet those needs.

Incremental Backup
Most computers offer this as a built-in option through the OS, as I have mentioned. Other third-party products also offer this but allow the user to fine-tune the locations of the backup (i.e. Network Drive, USB Drive and even CD/DVD), as well as schedule the backups to run when they want, as opposed to, say, Time Machine’s automatic schedule.

How I use it: I use this type of backup for data that changes often and is important for me to have a current backup of at all times. I’ll use this for my photo library and some of my financial documents, as these are critical for me to have.

Clone Backup
This is a great option for disaster recovery, or even when getting a new computer or moving to a bigger internal hard drive. Clone backups are a 1 for 1 copy of your drive, including all the behind-the-scenes bits that are hidden by the OS. With this option you could back up your computer, upgrade to a bigger drive, and then put this clone back in place on your computer and be right where you left off.

How I use it: I’ll use this for my monthly backups as well as for disaster recovery in the event that my main computer dies, as well as in case of Fire/Flood. I typically will keep a copy offsite or in a fire safe for emergency purposes. Typically I’ll purchase a couple of separate external drives that are dedicated to this and rotate them so as not to add additional wear to the drives. Drive prices are dropping and you can now typically get a 1TB Drive for around $150 on many online sites.

Cloud Backup
This option allows you to access your files from any place and is pretty common to find as an add-on to some third party products. Services like BackBlaze, Mozy and Carbonite are great offsite cloud backups.  With this option you are typically going to get a copy of your data and possibly an incremental option.  Most of these services also offer you remote access to your files in case you’re not near your computer and also offer greater levels of protection including HIPAA standards for data storage.  Some services will also offer you unlimited storage and premium options such as mirrored backup to a local external drive and courier service to your home should something bad happen.

How I use it:  I’m personally using Carbonite on the basic yearly plan for all my offsite backups and have found it to be a good experience.  Down the road I can always upgrade to the higher end plans and back down as needed.

When selecting your backup options, give yourself room to grow! In the future, as media files from our phones, cameras and other sources start to increase in size, you will want your backup to be able to hold that as well. I always recommend getting a backup device that’s bigger than your internal drive, or even doubling it. You can find a wide variety of Network Storage options online for multiple computers that allow you to add drives down the road and/or swap out for bigger ones. USB thumb sticks are not always a sure bet for backup and should only be used to store stuff you wouldn’t mind losing. Also, on a similar note, take some time to take inventory of the files you’re no longer using that you can move off your computer to CD/DVD or an “Archive drive,” as this can free up a lot of space in general on your computer and make your backups even smaller and quicker.

In summary a good way to think about data backup is this:  What is the most important thing in your car?  Most people never think of this but it’s you and your family!  Things like your windows and doors and tires can be replaced but you can’t be.  I always tell people you will regret it when you don’t have it, so don’t end up regretting not setting some simple things up to ensure you don’t lose your data.