Tag: security

Curse of the Bad Rabbit – Ransomware

BadRabbit Ransomware

A new ransomware threat has infected PCs in Russia and in several other countries, stretching to the other side of the globe. Corporate systems at Interfax and two other Russian media companies appear to have been the first affected, but it has also been seen in Poland and South Korea.

In Ukraine, Odessa airport, the Kiev metro and the Ministry of Infrastructure were also infected. Victims see the usual ransom demand for their encrypted files.

The team at ESET Antivirus have said this is a strain of Diskcoder.

Screen shot of the BadRabbit ransomware (Source: Group-IB)

The malware poses as a fake Adobe Flash update to lure victims into installing it. According to Group-IB it was served to people visiting compromised websites, and there may be other infected websites.

https://twitter.com/GroupIB_GIB/status/922972032098291718

Once installed on a Windows PC, the malware uses Mimikatz, a legitimate open-source tool, to harvest file server login details from the computer’s memory. It then spreads via SMB shares on the same network.

There are also reports that it used a leaked CIA hacking tool, as WannaCry did a few months back.

The Master Boot Record is changed so that a ransom screen appears at start-up and the machine cannot boot past it. The BadRabbit ransom note also has a countdown after which the price goes up, pressuring companies and individuals into a quick decision and making them more likely to pay. Remember, if you pay you are more likely to be attacked again, as the attackers now know who pays.

The payment demanded is 0.05 BTC, which is just over £200.

Signs of infiltration

Network connections to caforssztxqzf2nm.onion, or downloads from the following sites, are obvious signs of infiltration:

hxxp://1dnscontrol.com/flash_install.php

hxxp://1dnscontrol.com/install_flash_player.exe

The malware may also pop up a message asking you to disable or stop your current antivirus or anti-malware protection. Some AV packages already detect it.

According to Kaspersky Lab, if you prevent these files from executing you should be able to stop BadRabbit from running:

C:\Windows\infpub.dat

C:\Windows\cscc.dat
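As an added example (not code from the original post, Kaspersky or Group-IB), the script below looks for the indicators listed above in web-proxy log lines and reports whether the two files exist on the host it runs on. The log format and the sample lines are constructed for the example; adapt the parsing to your own proxy’s format.

```python
import os
import re
from urllib.parse import urlsplit

# Indicators quoted in the post: the Tor address and the download host.
# The post writes the URLs as "hxxp" to defang them; only host and path are
# matched here, so the scheme does not matter.
IOC_HOSTS = {"caforssztxqzf2nm.onion", "1dnscontrol.com"}

# Files Kaspersky Lab says BadRabbit needs to run; their presence on a host
# is worth investigating.
BLOCK_FILES = [r"C:\Windows\infpub.dat", r"C:\Windows\cscc.dat"]

# Constructed proxy log lines: "<timestamp> <client> <method> <target> <status>".
SAMPLE_LOG = """\
2017-10-24T10:01:02 10.0.0.15 GET http://example.org/index.html 200
2017-10-24T10:03:17 10.0.0.21 GET http://1dnscontrol.com/flash_install.php 200
2017-10-24T10:03:19 10.0.0.21 GET http://1dnscontrol.com/install_flash_player.exe 200
2017-10-24T10:05:40 10.0.0.33 CONNECT caforssztxqzf2nm.onion:443 200
2017-10-24T10:06:01 10.0.0.15 GET http://example.org/news 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def find_ioc_hits(log_text):
    """Return (client_ip, matched_indicator) for each line hitting an IoC."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown format: skip rather than guess
        client, target = m.group(2), m.group(4)
        # CONNECT lines carry "host:port"; GET lines carry a full URL.
        parts = urlsplit(target if "://" in target else "//" + target)
        host = parts.hostname or ""
        if host in IOC_HOSTS:
            hits.append((client, host + parts.path))
    return hits


def blocking_files_present(paths=BLOCK_FILES):
    """Return which of the listed files exist on this host."""
    return [p for p in paths if os.path.exists(p)]


if __name__ == "__main__":
    for client, ioc in find_ioc_hits(SAMPLE_LOG):
        print(f"{client} contacted BadRabbit indicator {ioc}")
    print("BadRabbit files present:", blocking_files_present())
```

A hit on either indicator, or either file turning up on a machine, is a reason to isolate that machine and check its SMB neighbours, since the post describes the malware spreading over shares.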

Even if you do have Flash enabled, check that any Flash update you install is legitimate.

Regular backups, including a system image, give you some protection after an infection. Anti-malware software is one of the best defences, but the best protection of all is checking that updates are legitimate and not clicking on dodgy links!

iPad, iPhone, Mac Book and Apple Watch devices are locked for ransom!

Since the middle of September it has come to light that there have been attacks on Apple devices.

The attack manifests itself as a malicious person getting into a user’s iCloud account and using the “Find My Device” feature.

The attacker sets a specific device to “lock”. This locks the iPad, Apple Watch, MacBook or iPhone, which in theory is so that a thief can’t access the data and the device becomes unusable; once the device is back in the rightful owner’s hands, they enter the code and everything works again.
Except in this case, people are seeing a message along the lines of “pay me X.XBTC to address XYZ and I’ll send you a code to unlock”.

The hacked accounts often belong to users who use the same password on different sites, where one of those sites has been compromised. If you reuse logins across sites, it is advisable to change your iCloud login details to something different.

 

Some people and sites advise disabling the “Find My” device service, but that rather defeats the object of the service. However, as others have pointed out, the journalist Mat Honan was hacked after someone called Apple support and had his password changed using his billing address and the last four digits of his credit card. You can read about that below.

How Apple and Amazon Security Flaws Led to My Epic Hacking

Bad emails. Spotting and dealing with them

Bad emails / Malware emails / Scam email

Emails fly about between servers and computers all day; thousands are sent every second around the world. Most of them are legitimate, but the email system is open to abuse. There are holes in it.

I categorise bad emails into two types: those with attachments and those that try to get you to download something. The two examples below are the latter.

Bad emails

How do you know a legitimate email?

Above is an image of what I call a bad email. It looks perfectly good: it appears to be from Dropbox, and it even has a no-reply address from Dropbox. But clicking the “view file” link will take you to an unknown website. It might be a site that looks like Dropbox, but simply by clicking that link you tell the sender that they have a live email address. This could be the start of a series of targeted emails to gain personal information, money or trust.

 

So how do you tell this is a bad email?

First, think: who is this person, Nathaniel Walsh? If you know him, great, but DO NOT assume the file is safe.
Are you expecting an email from him with a statement? If not, give him a call and ask him; it takes two minutes! If he has not sent you an email then it could be a scam: his computer or email system could have been breached, and you and other people from his address book might have been targeted by scammers or hackers.

Also check the links in emails, but don’t click on them! Hover your mouse over the link and see where it will take you. If it points somewhere other than the sender’s own site, it is likely a fraudulent email.
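The “hover over the link” check, done programmatically as an added example (not code from the original post): it pulls every link out of an email’s HTML body and reports those whose destination is not on the sender’s domain. The message is constructed for the example; the sender address is Dropbox-style, and the bad link uses a reserved .example name.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed message: claims to come from Dropbox, but the "View file"
# link goes to a look-alike host (a reserved .example name, so it is inert).
RAW_EMAIL = """\
From: Dropbox <no-reply@dropbox.com>
Subject: Nathaniel Walsh shared "Statement.pdf" with you
Content-Type: text/html; charset=utf-8

<html><body>
<p>Nathaniel Walsh shared a file with you.</p>
<p><a href="http://files-view.dropbox-share.example/view?id=123">View file</a></p>
<p><a href="https://www.dropbox.com/help">Help centre</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs for every <a> in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def site_of(host):
    """Crude 'site' of a host: its last two labels (enough for this check)."""
    return ".".join(host.lower().split(".")[-2:])


def suspicious_links(raw_message):
    """Return (link text, href) for http(s) links not on the sender's site."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender_site = site_of(msg["From"].addresses[0].domain)
    collector = LinkCollector()
    collector.feed(msg.get_body(preferencelist=("html",)).get_content())
    bad = []
    for href, text in collector.links:
        parts = urlsplit(href)
        if parts.scheme in ("http", "https") and site_of(parts.hostname or "") != sender_site:
            bad.append((text, href))
    return bad


if __name__ == "__main__":
    for text, href in suspicious_links(RAW_EMAIL):
        print(f'"{text}" actually points to {href}')
```

The From address itself can be forged, so a link that does match the sender is not proof of a good email; a mismatch is simply the same red flag the hover check gives you.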

Another example

Bad emails efax

Take a look at this image of an email. It looks as if someone has tried to use 20th-century technology in a 21st-century way, and you might wonder what it is. But first, do you recognise the caller ID? It is 0151, and a quick Google search shows that is Liverpool. Are you expecting anything from a company in Liverpool? Do you do business with a company in Liverpool? Think about what is sent by fax: these days really only legal documents are faxed. There will be the odd occasion when faxes are used, but it is rare, and fax has been overtaken by email and PDF documents.

You will also notice that the domain the link sends you to is about truck hire in Australia. Have you hired a truck in Australia from a company in Liverpool?! For me both of those are untrue, so this is obviously spam or a scam.

Again, if you have hired a truck in Australia from a company in Liverpool, give them a call and ask, “have you sent me an efax message?” If they say no, it’s a scam! Maybe it is a coincidence, or maybe it’s a targeted attack.
If you suspect a targeted attack, you can engage our security consultation service and we can advise. Contact sales@thecomputersaint.com to consult with us.

 

If you receive an email with an attachment from either a known or an unknown person, follow the rule: call that person. Ask whether they’ve sent you an email with an attachment. If they haven’t, tell them what you have received from them; they should investigate, and you might need to forward the email to their IT team. It’s unlikely to do any damage sitting in your inbox; the damage is done when you click the links or download and open the file.

Even with an attachment from a trusted source that you are expecting, download the file to a directory (or folder) on your computer first and scan it with modern antivirus software to tell whether it is safe. Don’t run the file straight from the email, even if it is a .docx (document) file or something you’ve trusted in the past.

 

Emails with attachments

Emails often come to us with an attachment, and most modern antivirus software can scan the attachment as it is downloaded. This works well if you’re using a laptop to download email. I’ve sometimes received emails from family members, colleagues or customers whose computers had been infected with malware: an email from them with a strange attachment that I was not expecting.

If you get an email like this, the advice is the same as above: call the person and ask if they’ve actually sent you an email, as they might not know they have a problem. If they have, it should be OK, but download the attachment and scan it with antivirus first anyway!

 

To summarise:

Identify the email and who it is really from.

Call the person you’ve got the email from.

If you get a bad email:

Don’t click the links; hover over them to see where each link goes.
Tell the company in question. Some of the larger companies especially have teams (normally the IT team) who deal with spam and bad emails, and they might ask for the email to be forwarded to them.

Scan any downloads with an antivirus program. I like Avast or AVG (the free versions are good).

 

Security warning over data.gov.uk – time to change your password!

Have a data.gov.uk account? You should probably change your password.

The site, which lets people search for data published by the government, has discovered after a data security review that some usernames and passwords were placed on a publicly accessible resource.

The following quote is taken from the BBC site (http://www.bbc.co.uk/news/technology-40443601):

A GDS spokeswoman told the BBC that the breach had affected only data.gov.uk accounts, and people with separate accounts for other government websites were not affected.

She said only email addresses, usernames and hashed passwords were implicated, rather than personal information such as names and addresses.

Hashed passwords are not massively secure, but they are certainly more secure than clear-text passwords; it all depends on the hashing algorithm used. The BBC also reports that users will need to change their passwords the next time they log in.

The Computer Saint would also advise changing your password on any other service where you use the same one. So if you log in with the same details to Yahoo, Google, Hotmail, etc., you should change those passwords too.

You should also keep an eye out for fraudulent emails. If you suspect an email is fraudulent, contact the website in question directly, not via the email you’ve just received: go to the actual website in your browser.

System builders must look at security

What is a system builder?

A person or group of people building a computer program, website, server or network, either for their own company or for a customer.

What type of security problems could there be?

Access is the major security problem that could be taken advantage of. Access to files, directories and the like must be locked down to specific users. Depending on the system, a website, for example, can have folder security enabled to stop anyone browsing to thecomputersaint.com/blahfolderthatdoesntexist; if there were secure documents in there, that would be a first step to ensure they could not be stolen or downloaded.

The obvious security problem is people accessing your data: files, pictures, memoirs or any file that could be sensitive. The data pulled from such a file could be used against you, especially if it matches up with information gleaned from social media accounts.

Who could take advantage?

Someone looking to attack you electronically: maybe they want the password to an email account, or information to gain a better understanding of what you do. Perhaps you work for a company whose data is commercially sensitive. If a competitor got hold of that data and could get to market before your company, it could spell disaster for your company.

Maybe your company has an old server that no-one looks after. You might have 30 former employees whose accounts are still active after years. 29 might never use them, but the 30th might log on and take data they’re not allowed to access.

 

How to stop them?

Access must be controlled with a username and password; that is the first step in securing data. The password must not be written down and must not be shared. Change it every so often: your own password policy should require a change every 30 days to 6 months. Use a secure password; see our other blog posts for how to choose one.

Keep track of old user accounts with access to files, and change the passwords of VPNs and old user accounts when someone leaves the company. Make it policy; don’t let staff get complacent.

Do you still need that old file in that location? Move it or delete it once it’s no longer needed. If you have a lot of files that only one person or one group of people needs access to, consider putting them on a small NAS box or their own LUN on the SAN, so that Finance can’t see Design’s files and Design can’t see Finance’s.

Passwords: Strong and weak. How to choose a strong password?

What is a weak password?

It seems obvious, but a weak password can be one word, or even two. It could be your mother’s maiden name or something equally personal to you. For example, in the film WarGames the password for a massive government machine was “Joshua”, the son of the machine’s inventor. In fairness to the inventor, he didn’t know the machine had been plugged into the Internet or was even being used.

If you used your wife’s name as a password, that is information anyone could ask you for and then simply try on any account: email, online storage, bank account. They don’t need to be at your computer; they can be at their own.

Don’t choose a password that is obviously personal to you, and don’t use a single word from the dictionary!

What is a strong password? And Methods for choosing a strong password

For this you need to understand that there are two main, easy ways to get around password security. The first is guessing the password, if the attacker knows you or is specifically targeting your email or some other account.

The other is a brute-force attack, where a program takes a list of words (from a dictionary) and tries each one in turn. If your password is “Zoo” it will take a while, but you will lose your account security.

There are more advanced tools that hackers and crackers can use to break account security, so even using two words like “ZooApocolypse” is better but still bad practice.

A strong password is something that can’t be guessed; it might look like a word without being one. For example, “pa55word” looks like password (don’t use this, as it’s a common password). Or take your wife’s name, Sophie, and replace some letters with numbers: “5oph13”.

But that is still just numbers and letters. To be sure no-one will guess your password, make it longer and add some symbols. Maybe add another word, say your favourite kitchen appliance: “5oph!3Bl3nd3r”.

I’ve added an exclamation mark to throw off the more advanced password-generation and guessing tools hackers have access to. The more complex the password, the longer it would take an attacker to gain access to your system, and if it is secure enough they’ll probably give up.

It’s best to add a few symbols as well as numbers if your password allows it. If your passwords must be changed every 30 days, 6 months etc., you could prefix or suffix your password with a number and increment or decrement it each time you change it, although doing only this is bad security practice. Maybe add 16 to the number each time; that way you know the increment and it isn’t just 1. It’s still best to change your password entirely, however.

You should periodically change your password for each system you log into, whether social media, email or an important company server with sensitive details; at the least, every 6 months is a good plan.
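As an added example (not from the original post), here is a small checker that applies the reasoning above: it undoes the letter-for-number substitutions a guessing tool would try, looks the result up in a word list the way a dictionary attack would, and then looks at length and character variety. The word list, the substitution table and the verdict thresholds are this example’s own assumptions, not a published standard.

```python
import string

# Substitutions a guessing tool tries in reverse (constructed, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "!": "i", "@": "a", "$": "s"})

# Stand-in for the word list a brute-force tool would load.
WORDLIST = {"password", "zoo", "apocalypse", "sophie", "blender", "joshua"}
BY_LENGTH = sorted(WORDLIST, key=len, reverse=True)


def deleet(pw):
    """Undo the substitutions so '5oph!3' is compared as 'sophie'."""
    return pw.lower().translate(LEET)


def dictionary_words(pw):
    """Dictionary words that tile the de-leeted password, longest match first."""
    plain, found, i = deleet(pw), [], 0
    while i < len(plain):
        match = next((w for w in BY_LENGTH if plain.startswith(w, i)), None)
        if match is None:
            i += 1
        else:
            found.append(match)
            i += len(match)
    return found


def assess(pw):
    """Return (verdict, notes) where verdict is 'weak', 'better' or 'strong'."""
    notes = []
    words = dictionary_words(pw)
    if words:
        notes.append("contains dictionary words: " + ", ".join(words))
    classes = sum(any(c in group for c in pw) for group in
                  (string.ascii_lowercase, string.ascii_uppercase,
                   string.digits, string.punctuation))
    if deleet(pw) in WORDLIST:
        return "weak", notes + ["a single dictionary word with substitutions"]
    if len(pw) < 8:
        return "weak", notes + ["shorter than 8 characters"]
    if classes < 3:
        return "better", notes + [f"only {classes} character classes; add symbols"]
    return "strong", notes


if __name__ == "__main__":
    for candidate in ("Zoo", "pa55word", "5oph13", "ZooApocalypse", "5oph!3Bl3nd3r"):
        print(candidate, assess(candidate))
```

Note that even the “strong” verdict still lists the dictionary words it found, which is exactly why the post recommends changing the whole password rather than only nudging a number on the end.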

Security questions

A lot of websites use security questions, such as “what town were you born in?” or “what was the name of your first pet?” These are a good second stage of security after the password login, as they give that little extra protection. However, you need to be aware of who does and doesn’t know that information and might try to access your account. A while ago there were stories of people whose Hotmail accounts were broken into after they had met some random person in an internet chat room. They gave out the information Hotmail asks for in its “recover account” option, and that is how the attacker broke into the account; from there they could send spam to the entire contact list. The attacker had posed as a new friend, asking questions that made him or her seem interested in you.

The lesson here is to be careful with new friends especially, and don’t give them too much information.

 

Disclaimer: This document isn’t a solution to password security. This advice is about better understanding the risks and how to mitigate them. There will always be people and organisations who want to steal your data and break into certain systems. You must think about the possible security risks and mitigate them. From this series of security blog notices you’ll learn that there are more.

If you require security services, please contact us at sales@thecomputersaint.com

DNS Disaster after DDoS on Dyn!

Since Friday a lot of websites have been slow or unreachable. This is because of a DDoS attack on Dyn, a DNS provider.

 

What is DNS?

All websites have at least one IP address. Without DNS, to go to eBay.com you’d need to remember the IP address of the site, and of all your favourite sites, rather like remembering every phone number in your phone’s address book. A DNS server is exactly that: a phone book that looks up ebay.com and translates it into an IP address. The IP address is sent back to your computer, and the website is then downloaded.

What is a DDoS attack?

A Distributed Denial of Service attack is when lots of coordinated nodes, bots or machines attack a certain IP address (or range of addresses), normally by flooding the service with requests for information. The requests are bogus, but enough of them from enough “attackers” will bring a service to its knees and slow the internet for the rest of us, or effectively take the site down because our DNS requests won’t work.

As the attacks can come from anywhere on the internet, they can be difficult to manage or mitigate because there are so many of them.

I’ve put “attackers” in quotes as the attackers could be computers or devices that don’t even know they are attacking; they are probably not actual people.

Now that we’ve covered the basics, what has been happening?

Dyn, a DNS provider, has been hit by a massive DDoS attack perpetrated by a botnet, suspected to consist of IoT (Internet of Things) devices such as internet-connected CCTV cameras.

Normally a DDoS attack is against a certain company, i.e. a specific website, for various reasons. This one is against a service, and it is a good example of how DNS is not secure and is more vulnerable to attack than most think.

A good quote I have seen is:

Richard Meeus, VP of technology at NSFOCUS, which specializes in handling DDoS attacks, noted: “DNS has often been neglected in terms of its security and availability from an enterprise perspective – it is treated as if it will always be there in the same way that water comes out of the tap and electricity is there when you switch it on.”

Are you having problems connecting to websites?

If so, you should use OpenDNS’s resolvers at 208.67.222.222 and 208.67.220.220.