Hijacking existing email threads: taking phishing to a new level

Phishing e-mails are the most common way for a hacker to breach the initial attack surface. Filters and blacklisting technologies have been less than effective in stopping such threats, and it is up to the cybersecurity training and awareness of the user to ensure safe choices are made. Now phishermen have new ideas about making their bait more trustworthy: hijacking existing mail threads, piggybacking on existing interpersonal trust. I received an e-mail from a contact who told me he realized he’d fallen for a scam the second he submitted his username and password to the phoney login site he was led to. Here’s a (somewhat edited) excerpt of the e-mail thread leading him into the phisherman’s trap.

From: Jim Salesman
To: Danny Customer

Subject: Re: confirm order details

Dear Danny,

thank you for your purchase. Please download and check these documents.


With best regards,
Jim


From: Danny Customer
To: Jim Salesman

Subject: Re: confirm order details

Dear Danny,

I agree to the conditions as you have suggested. Make sure the part serial numbers are indicated correctly on the labels.

With best regards,
Danny

--- (after multiple e-mails back and forth)

Where does the link lead to?

The link does not lead to a Google page, despite claiming to be a Google Docs file. The lack of Google branding in the download section is another indicator. The URL is “ehbd-dot-ml/hbdesigns/gibberish/” and is served over plain http – no security. It displays a selection of “login credentials” to choose from.


OK, so the page offers several well-known brand names to choose from.

So, who owns the domain ehbd-ml? A whois search shows the domain is registered to Mali Divi. B.V. in the Netherlands. This firm has been active since 2012 and owns a number of free domains. It has a VAT number and one employee, according to this site: https://www.opencompanies.nl/elektrotechniek-mali-dili-bv-amsterdam-56155794.

Why submitting your info is dangerous

My friend realized the mistake the moment he hit “submit”. He then called his company’s IT department, and was told to change his passwords and run a virus scan. That was the right thing to do. But why is this dangerous?

Giving hackers access to your e-mail makes it easy for them to:

  • read your e-mails and attachments
  • impersonate you by sending e-mails as you
  • hijack other accounts where your e-mail is used to reset your password

Lessons learned

Phishing scammers are skilled at exploiting established trust between you and your contacts. Always be suspicious about links in e-mails, even from people you know. Before clicking, always check:

  • Does the URL look reasonable?
  • Does the branding (logos etc.) look right for the contents?
  • Is the site it leads to secured when you would expect it to be? All major service providers will only serve https – not http
  • Is the domain name strange? The .ml top domain is the national domain for Mali in Africa. Google Docs does not use that as the default login site domain.
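As an added illustration (not code from the original post), the checklist above turned into a function: it parses a link and returns the warnings a careful reader would raise. The brand-to-domain table, the list of free country-code TLDs and the sample URLs are assumptions made for the example.

```python
from urllib.parse import urlparse

# Added example, not the author's code. The table of legitimate login domains
# per brand is an assumption for the demo; maintain your own list in practice.
KNOWN_LOGIN_DOMAINS = {
    "google docs": {"google.com", "docs.google.com", "accounts.google.com"},
}

# Free country-code TLDs that a major service provider would not use for its
# login page; .ml (Mali) is the one from the phishing link discussed above.
SUSPICIOUS_TLDS = {"ml", "tk", "ga", "cf", "gq"}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Enough for this demo; a public-suffix list handles e.g. co.uk properly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_link(url: str, claimed_brand: str) -> list:
    """Run the four checks from the post; an empty list means nothing was flagged."""
    warnings = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    allowed = KNOWN_LOGIN_DOMAINS.get(claimed_brand.lower(), set())

    # Is the site secured when you would expect it to be? Login pages of
    # major providers are served over https only.
    if parsed.scheme != "https":
        warnings.append("not served over https")

    # Does the URL look reasonable? The host must be the brand's own domain
    # or a subdomain of it.
    if allowed and not any(host == d or host.endswith("." + d) for d in allowed):
        warnings.append(f"host '{host}' is not a known {claimed_brand} domain")

    # Is the domain name strange? Flag the free ccTLDs listed above.
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in SUSPICIOUS_TLDS:
        warnings.append(f"unusual top-level domain '.{tld}'")

    # A brand name used as a label outside the registrable domain
    # (e.g. docs.google.com.example-phish.ml) is a classic lure.
    reg = registrable_domain(host)
    brand_labels = {d.split(".")[-2] for d in allowed}
    for label in sorted(brand_labels):
        if label in host.split(".") and label not in reg.split("."):
            warnings.append(f"'{label}' appears outside the registrable domain '{reg}'")
    return warnings


if __name__ == "__main__":
    # Constructed sample URLs; example-phish.ml stands in for the real lure.
    for link in ("https://docs.google.com/document/d/abc",
                 "http://example-phish.ml/hbdesigns/gibberish/",
                 "https://docs.google.com.example-phish.ml/login"):
        print(link, "->", assess_link(link, "Google Docs") or "no warnings")
```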


Cybersecurity for boards – the short story

A few days ago I wrote a post on the lack of cybersecurity skills in corporate boards, and how to fix that. This became one of the most popular posts on the blog. That’s why I created this short summary video, which you can easily share with your top management and board members.

The take-aways are:

  • Build an information security management system with the most important policies, guidelines, procedures, change management and monitoring processes in place
  • Select reporting metrics that make sense in terms of the company strategy. Relate impact to financial, customer, organization and learning, and internal process perspectives.
  • Use compliance to drive board focus: regulatory compliance is already central in governance work.
  • Focus on people when communicating – build a positive security culture by combining bottom-up and top-down approaches.

Thanks to Kenneth Holley and eForensics Magazine for sharing the board post! Great accounts to follow on Twitter!

IEC 61511 Security – getting the right detail level

When performing the risk and vulnerability assessment required by the new IEC 61511 standard, make sure the level of detail is just right for your application. Normally the system integrator is operating at the architectural level, meaning signal validation in software components should probably already have been dealt with. On the other hand, upgrading and maintaining the system during the entire lifecycle has to be looked into. Just enough detail can be hard to aim for but digging too deep is costly, and being too shallow doesn’t help your decision making. Therefore, planning the security assessment depth level already from the beginning should be a priority!

Starting with the context – having the end in mind

The purpose of including cybersecurity requirements in a safety instrumented system design is to make sure the reliability of the system is not threatened by security incidents. That reliability requires each safety instrumented function (SIF) to perform its intended task at the right moment; we are concerned with the availability and the integrity of the system.

The probability of failure on demand for a safety critical function usually depends on random error distributions and testing regimes. How can hacker threats be included in the thinking around reliability engineering? The goal is to remain confident in the reliability calculations, so that quantitative risk calculations are still meaningful.


In order to understand the threats to your system you need to start with the company and its place in the world, and in the supply chain. What does the company do? Consider an oil producer active in a global upstream market – producing offshore, onshore, as well as from unconventional sources such as tar-sands, arctic fields and shale oil. The company is also investing heavily in Iraq, including areas recently captured from ISIS. Furthermore, on the owner side of this company you find a Russian oligarch, who is known to be close to the Kremlin, as a majority stock holder. The firm is listed on the Hong Kong stock Market. Its key suppliers are Chinese engineering firms and steel producers, and its top customers are also Chinese government-backed companies. How does all of this affect the threat landscape as it applies to this firm?

The firm is engaged in activities that may trigger the interest of hacktivists:

  • Unconventional oil production
  • Arctic oil production

It also operates in an area that can make it a target for terrorist groups, in one of the most politically unstable regions in the world, where the world’s largest military powers also have to some degree opposing interests. This could potentially draw the interest of both terrorist groups and nation state hackers. It is also worth noting that the company is on good terms with both the Russian and Chinese governments, two countries often accused of using state sponsored hackers to target companies in the west. The largest nation state threat to this oil company may thus be from western countries, including the one headed by Donald Trump. He has been quite silent on cybersecurity after taking office but issued statements during his campaign in 2016 hinting at more aggressive build-ups of offensive capacities. So, the company itself should at least expect the interest of script kiddies, hacktivists, cybercriminals, terrorists, nation states and insiders. These groups have quite varying capacities, and the SIS is typically hard to get at due to multiple firewalls and network segregation. Our main focus should thus be on hacktivists, terrorists and nation states – with cybercriminals and insiders acting as proxies (knowingly or not).

The end in mind: keeping safety-critical systems reliable also under attack, or at least making attacks an insignificant contribution to unreliability.

Granularity of security assessment

The goal of this discussion was to find the right depth level for risk and vulnerability assessments under IEC 61511. If we start with the threat actors and their capabilities, we observe some interesting issues:

  • Nation states: capable of injecting unknown features into firmware and application software at the production stage, including human infiltration of engineering teams. These can also be “features” sanctioned by the producer in some countries. Actual operations can include cyberphysical incursions with real asset destruction.
  • Terrorists: infiltration of vendors less likely. Typical capabilities are APT-style campaigns using phishing to breach the attack surface, and availability attacks through DDoS provided the SIS can be reached. Physical attack is also highly likely.
  • Cybercriminals: similar to terrorists, but may also have more advanced capabilities. Can also act out of own interest, e.g. through extortion schemes.
  • Hacktivists: unlikely to threaten firmware and software integrity. Not likely to desire asset damage as that can easily lead to pollution, which is in conflict with their likely motivations. DDoS attacks can be expected, but the SIS is usually not exposed.

Some of these actors have serious capabilities, and it is possible that they will be used if the political climate warrants this. As we are most likely relying on procured systems from established vendors, using limited variability languages for the SIS, we have little influence over the low-level software engineering. Configurations, choice of blocks and any inclusion of custom-designed software blocks are another story. Our assessment should thus, at least, include the following aspects:

  • Procurement – setting security requirements and general information security requirements, and managing the follow-up process and cross-organizational competence management.
  • Software components – criticality assessment. Extra testing requirements to vendors. Risk assessment including configuration items.
  • Architectural security – network segregation, attack surface exposure, monitoring, security technologies, responsible organizations and network operations
  • Hardware – tampering risk, exposure to physical attacks, ports and access points, network access points including wireless (VSAT, microwave, GSM, WiFi)
  • Organizational security risks: project organization, operations organization. Review of roles and responsibilities, criticality of key personnel, workload aspects, contractual interfaces, third-party personnel.

Summary

This post does not give a general procedure for deciding the depth of analysis, but it does outline important factors. Always start with the context to judge both impact and expected actions from threat actors. Use this to determine the capabilities of the main threat actors. This will help you decide the granularity level of your assessment. The things that are outside of your control should not be neglected either, but considered an uncertainty point that may influence the necessary security controls you need to put in place.

A sketch of key factors to include when deciding on the granularity for a cybersecurity risk assessment under IEC 61511


How can you defend your assets against distributed reflective attacks via DNS?

DNS servers are necessary for finding resources on the internet. They are also a source of vulnerabilities, and are often poorly defended. The DNS protocol listens on port 53, and this port is therefore open in most firewalls. This combination of an open listening service and little security focus makes the protocol interesting to hackers; especially if they want to perform denial-of-service attacks, because they can use some of the features of DNS to amplify their attack vectors.

How DNS works

DNS servers are used on the internet to translate between human friendly domain names and IP addresses. DNS stands for Domain Name System; it is a distributed database mapping domain names to IP addresses. For an overview of how DNS works, see this Microsoft Technet article: https://technet.microsoft.com/en-us/library/cc958978.aspx.

A DNS server usually receives a recursive name query from a web browser. One specific DNS server can only hold a limited amount of information. When a query is recursive, the server will query other DNS servers on the internet for the correct address lookup before returning the IP address to the client. The way this works is that when the server queries another DNS server that doesn’t have the right information, it gets a referral back as the result: the address of a DNS server further down the namespace tree.

Illustration of a recursive DNS lookup. The resolver queries the DNS server with a request. The DNS server cannot find the information requested in its cache or zone, and queries the root server. It is then referred to the domain DNS server, which again points to the Example domain DNS server.

Attacking through Recursive Open DNS

Using recursive DNS servers to flood a target with traffic is effective for attackers because the request packet sent to the DNS server is very small compared with the response (hence the term “amplified” attack). All the attacker has to do is to spoof the sender address of the DNS request packet, and submit the spoofed packet to open recursive DNS servers from a large number of machines under his or her control, and voilà – a DoS condition occurs for the target because the DNS servers will direct all those responses to the spoofed IP. So what you need to perform this attack is:

  • A list of open recursive DNS servers
  • A spoofed UDP request packet to the DNS server
  • A botnet under your control

The first point of the list is easy enough – go to https://duckduckgo.com and search for ‘public dns’ and it will give you a list as an instant answer.

Spoofing the IP can be done using any library that can write IP headers (or you can craft the header manually…). Here’s an example using scapy, a Python module for low level network operations:

from scapy.all import IP, UDP

# DNS queries are carried over UDP/53, so the transport layer is UDP;
# sourceport and payload are placeholders
spoofed_packet = IP(src='spoofed_ip', dst='the dns you are trying to reach') \
    / UDP(sport=sourceport, dport=53) / payload

So, then you only need a botnet. You can go ahead and create one by spreading malware to thousands of victims, or you can hire a botnet on the dark web – both are equally illegal and immoral, but the bad guys do this.

Defending against this mess

Using an old-fashioned iptables firewall won’t do the job because you cannot simply drop traffic on port 53 (this is your DNS traffic). The DNS server can be configured to mitigate some of these attacks – but the open public ones are outside of your control. Some of them have rate control, limiting the frequency with which they can be queried for the same target, as well as per source IP.

So what can you do locally to protect against this type of attack?

  1. Ensure you have sufficient capacity to take peak traffic loads. It is probably infeasible to build capacity for very large DDoS attacks (~ 300 Gbps) but many attacks are much smaller than this and can be absorbed by high bandwidth capacity
  2. Filter your traffic – especially unexpected traffic types. Filter out all DNS traffic for all equipment not dependent on sending DNS requests. Filter out IP’s from identified botnets and use a robust threat intelligence solution to obtain information on botnets.
  3. Use anomaly detection and use dynamic throttling of traffic from name servers. If there are sudden spikes in traffic from unusual resolvers, it may be a sign of a reflective amplification attack.
  4. For key resources, build in redundancy to redirect traffic when necessary and allowing the service to remain operational. Potentially contract with a very-high-bandwidth provider to act as a buffer to large DDoS floods.
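As an added example of points 2 and 3 above (filtering and anomaly detection), written for this page and not taken from the original post: a small detector that reads constructed flow records for our own network, flags resolvers that send us DNS responses we never queried for, and lists the ones exceeding a byte-rate threshold as candidates for throttling. The address ranges, thresholds and record format are assumptions.

```python
import csv
import io
from collections import defaultdict, deque

# Constructed sample records, not captured traffic: one UDP packet per line.
# 203.0.113.0/24 plays "our" network; 198.51.100.53 is a resolver we really
# use, and the 192.0.2.x hosts play open resolvers reflecting traffic at us.
SAMPLE_FLOWS = """\
ts,src,sport,dst,dport,bytes
100.0,203.0.113.10,40001,198.51.100.53,53,60
100.1,198.51.100.53,53,203.0.113.10,40001,140
101.0,192.0.2.1,53,203.0.113.20,3001,3100
101.0,192.0.2.2,53,203.0.113.20,3002,3100
101.1,192.0.2.1,53,203.0.113.20,3003,3100
101.1,192.0.2.3,53,203.0.113.20,3004,3100
101.2,192.0.2.1,53,203.0.113.20,3005,3100
"""

OUR_PREFIX = "203.0.113."   # assumption: a /24 we own, matched by string prefix
MATCH_WINDOW = 5.0          # seconds a response may lag the query it answers
RATE_WINDOW = 1.0           # sliding window for the per-resolver byte rate
RATE_THRESHOLD = 6000       # bytes per RATE_WINDOW from one resolver before throttling


def parse_flows(text):
    """Parse the CSV flow summary into dicts with numeric fields, ordered by time."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = float(r["ts"])
        r["sport"], r["dport"], r["bytes"] = int(r["sport"]), int(r["dport"]), int(r["bytes"])
    return sorted(rows, key=lambda r: r["ts"])


def detect_reflection(flows):
    """Return {resolver_ip: finding} for resolvers whose DNS responses look reflected.

    A response is 'unsolicited' when no query from the same (our_ip, port) to
    that resolver was seen within MATCH_WINDOW seconds before it; a victim of
    reflection sees thousands of these. 'peak_window_bytes' is the most bytes
    the resolver sent us inside any RATE_WINDOW, used for throttling decisions.
    """
    pending = {}                 # (resolver, our_ip, our_port) -> ts of our query
    recent = defaultdict(deque)  # resolver -> deque of (ts, bytes) within RATE_WINDOW
    findings = defaultdict(lambda: {"unsolicited_pkts": 0, "unsolicited_bytes": 0,
                                    "peak_window_bytes": 0})
    for f in flows:
        if f["src"].startswith(OUR_PREFIX) and f["dport"] == 53:
            pending[(f["dst"], f["src"], f["sport"])] = f["ts"]   # query we sent
            continue
        if not (f["dst"].startswith(OUR_PREFIX) and f["sport"] == 53):
            continue                                             # not a DNS response to us
        resolver = f["src"]
        sent = pending.pop((resolver, f["dst"], f["dport"]), None)
        if sent is None or f["ts"] - sent > MATCH_WINDOW:
            findings[resolver]["unsolicited_pkts"] += 1
            findings[resolver]["unsolicited_bytes"] += f["bytes"]
        window = recent[resolver]
        window.append((f["ts"], f["bytes"]))
        while window and f["ts"] - window[0][0] > RATE_WINDOW:
            window.popleft()
        window_bytes = sum(b for _, b in window)
        findings[resolver]["peak_window_bytes"] = max(findings[resolver]["peak_window_bytes"],
                                                      window_bytes)
    # Resolvers that answered only what we asked, at a modest rate, are not reported.
    return {r: dict(v) for r, v in findings.items()
            if v["unsolicited_pkts"] or v["peak_window_bytes"] > RATE_THRESHOLD}


def throttle_list(findings):
    """Resolvers to rate-limit at the edge right now: those sending unsolicited
    responses faster than RATE_THRESHOLD (the 'dynamic throttling' of point 3)."""
    return sorted(r for r, v in findings.items()
                  if v["unsolicited_pkts"] and v["peak_window_bytes"] > RATE_THRESHOLD)


if __name__ == "__main__":
    found = detect_reflection(parse_flows(SAMPLE_FLOWS))
    for resolver, finding in sorted(found.items()):
        print(resolver, finding)
    print("throttle:", throttle_list(found))
```

The single unsolicited packets from 192.0.2.2 and 192.0.2.3 are reported but not throttled, which is the difference between an indicator worth logging and one worth acting on automatically.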

How boards can prioritize cybersecurity in corporate governance

Boards are responsible for the health of the company and its ability to fulfill its mission on behalf of its owners. This is why most boards put a lot of effort into effective risk management, with robust processes in place for compliance, financial risks and M&A activities. What they very often fail to do is to incorporate robust controls for the cybersecurity of their company’s operations. In fact, a study surveying a large number of board directors shows that risk and security is the area they feel is most challenging to cope with, yet it is also an area where they feel the strategic threat is lower than many other threats such as financial or compliance risks. This is in spite of the spikes in cyber attacks hitting businesses globally in 2016, and the average cost of a data breach having been estimated at about 4 million USD (by IBM). Both the underestimation of the risk posed by cyber threats and the lack of good processes to follow up cybersecurity risks as a corporate governance activity are linked to the cybersecurity skills gap – one that reaches all the way to the senior leadership and board levels.


Getting the cybersecurity processes in place

It is not easy to close the skills gap at any level, but one should also not underestimate what can be achieved through the use of good practices, educating the staff and integrating the approach to risk management into the operations of the company.

Where to find best practices?

Cybersecurity has come a long way, and several standards and practice documents exist, ranging from detailed technical requirements to management processes. Building an information security management system is no easy undertaking, but using a risk based approach and following the same principles as for other governance structures helps. Making ISO 27001 (an international standard) your basis for information security management will get you off to a good start. To get a practical how-to on building up such a system, see this post: How to build up your information security management system in accordance with ISO 27001

Metrics and Context: the link between operations and strategy

The board cannot head into every aspect of security operations, nor does it (typically) have the expertise to dive into all details. That’s why it is important to develop a robust set of security metrics that can be reported to the board, making sense of the threat landscape, the context and the maturity of the company to deter, detect and deny cyberattacks, as well as to recover from those that inevitably will outsmart your defenses. Metrics should be developed so that they fit with the greater strategic picture, recognizing that cybersecurity ties into all of the firm’s operations. The set of metrics should thus include the financial perspective (most companies focus a lot on this), the customer perspective (tends to be forgotten in security), the learning and innovation perspective (often done only on the tactical level, not linked to strategy) and the internal process perspective (sometimes dominating, sometimes not existing at all).

In addition to developing metrics, boards should also be kept up to date on the risk context: what are our most valuable data assets and IT infrastructures? How is our standing with respect to hacker interest (scripters? hacktivists? nation states?)? Do we have good people management in place, and how does our internal corporate life affect the insider threat? It is the responsibility of the CISO to educate the board enough to make them able to both ask these questions and understand why they are as important as understanding the strategic fit in an M&A transaction.

The compliance link

Compliance is already on the table, and cybersecurity regulation is taking shape in different jurisdictions. Mapping out regulatory compliance requirements for cybersecurity, as well as data privacy, is key to ensuring compliance in today’s operating environments. In the EU and EEC area a new regulation is coming into force in 2018 with strict requirements for most businesses dealing with customer data – yet few companies are ready to deal with this. Bringing the cybersecurity domain into the compliance picture is a necessary cornerstone of corporate governance, and for strengthening board focus. For an overview of new requirements for businesses from the General Data Protection Regulation (GDPR), see here: What does the GDPR (General Data Protection Regulation) mean for your company’s privacy protection and cybersecurity?

The people factor

Boards are no better than the people sitting on them; this is why getting technical competence on boards should be a major priority for stockholders. We are living in the age of digitalization, of machine learning and of cyberthreats: believing that we can deal with this without technical competence also at the top of governance is simply superstition.

Also, for the processes to work, it is important that everyone has a feel for what secure behaviors are, and what constitutes risky behaviors (without rewards). Driving security awareness in the corporate culture is also a key factor for directors, and overseeing this as part of the risk governance should be a board priority. Almost every breach starts with a social engineering campaign – getting your people on the right side of the knowledge gap is probably the best investment you can make after turning on your firewalls, autopatching of computers and removing end-users’ admin rights.

To drive awareness in an effective manner, make sure it is suitable for its audience, and that it is not a one-off e-learning module to click through. Building a security aware culture is a change process, not a simple training event: When does cybersecurity awareness training actually work?

Take-away points

These are your talking points from this article – bring them to your next board meeting or coffee break at work:

Insider Extra: slide deck with implementation tips for your corporate governance processes.

Testing the cybersecurity maturity through self-reported practices

Did you read the story about Johnny the Hunter and the publishing house, the one hit by the FileSilo hack? Well, since Johnny was tasked with ramping up their security, he decided to get some idea about their current practices, and how much the different department managers knew about how to manage their security risks. He wasn’t all that hopeful. The publishing house was a distributed operation and key decision makers were spread around the country, and some also overseas.

Whenever he tried to talk to department managers about security, they told him it was all too technical, and one guy even got really hostile, accusing Johnny of being a paranoid security geek and proclaiming he’d rather be a dumpster diver than work with rats like him.

Johnny the Hunter decided to create a simple web application and have the department managers click through it – basically asking them what practices they had implemented. Perhaps this was easier than talking directly to some of them – like the ones thinking he was a disease-carrying rat of some sort?

Screenshot of Johnny’s app for asking department managers about practices – starting with a few key processes Johnny felt should be in place.

Johnny received a lot of answers; the managers were quite enthusiastic about this. They had hired in a security expert from a big consulting house the year before, and he had only talked to them in technical terms (which they didn’t really understand), and left them with a large report which was too hard and too long to read. And the consulting house had charged an enormous amount per hour for doing so – and spent a lot of hours on it.

After a few questions, Johnny’s app made some improvement suggestions for the managers. One manager, covering the publishing house’s online tech blog, where freelance writers contributed from all over the world, was thrilled with the suggestions he got.

Here are the suggestions the manager liked so much!


The managers thought this was really helpful. Johnny was happy for the enthusiastic response; this could pave the way for investing in some really helpful assets – like centralized logging, better network segregation and a team to ensure they could hunt for the real threats.

Why Johnny was dumbing it down

If you work in IT, or in security, Johnny’s app may seem extremely simplistic and dumbed down. Johnny the Hunter, however, did not think so. Why? This is because he is not working with IT professionals, he is working with “getting my own stuff done professionals”, thinking of IT mostly as a necessary evil. Posing the questions like this, in a very simple format, allowed him to connect with the department managers without creating distance, and without forcing them to try to communicate in an unfamiliar language. Breaking down these barriers is necessary in order to get buy-in for the things that the publishing house needs to do – and Johnny the Hunter understands this.

Test drive the cybersecurity maturity app!

If you want to try Johnny’s app, it is available for Safecontrols Insiders – log in or sign up, and you can take it for a test drive. Comments are very welcome – either on this blog post, or in an e-mail as specified in the app’s results page.


5 key success factors for dealing with ransomware – free whitepaper

Ransomware is by far the fastest growing threat online. Losing your files can feel like so great a loss that paying criminals to give you your files back can seem like a reasonable thing to do. The problem with that is that there is no guarantee they will give them back and end the blackmail against you, and you would be helping organized crime with the money you are forking over.


Dealing with ransomware requires preparation. Although there is no way to be 100% sure of avoiding problems, there are certain things you can do to reduce the risk of losing to the scammers. These include:

  • Keeping your software up to date
  • Denying unwanted network traffic by using a firewall
  • Knowing how to detect social engineering attempts
  • Avoiding the use of admin accounts for regular users
  • A solid backup policy using offsite and offline storage

Register as a Safecontrols Insider today and download the free whitepaper that can help you set up the necessary defenses, and also prepare for the actions you need to take if cybercriminals are able to get past those defenses and lock down your files anyway.

Rita the Designer’s Ransomware Litigation Nightmare

As you are likely aware, ransomware is the fastest growing breed of malware, and it is very profitable for the criminals who run these attacks. Rita the Designer, our fictional web designer and UX expert from the FileSilo story, is running into ransomware trouble. But not of the obvious kind.

She’d been working long hours to finish a project for a demanding client. Still a bit shaky from the FileSilo incident, she was determined not to fall into any security traps. She was a great designer but not so great with contracts and liability, and she knew this. It hadn’t been much on her mind previously, but she was feeling more anxious lately.

Law firms can point fingers at you for things you never thought about. Rita the Designer was suddenly facing claims from the insurance company of her client. What the h*ll was going on?

Monday morning a messenger was at her door with a personal delivery; she was being accused of failing to secure the app she’d made for the client, causing his users to become victims of ransomware scammers.

She contacted the client and asked what this was about. They met to discuss things and she learned that the infections had happened via malicious ad banners. She’d never placed any ad banners on the site. The client claimed she must have, because he’d not touched the code.

Rita thought to herself: what if something was fishy with the FileSilo templates she downloaded? They closed the meeting and she promised to respond to the claims within the week.

As she stepped out she texted Johnny the Hunter to ask him out for coffee. Johnny met with her right away – after all he was single and she was attractive enough – and heard her out. He promised to help her look into it.

The impact of security issues can be hard to estimate. Here a developer is being sued after a client’s end users got infected with malware. We don’t know the end of the story, but we can think of some practices she could have changed to better protect her business.

  • Never trust downloads. Particularly not from insecure sites like FileSilo, with insecure authentication and no integrity checks
  • Include liability clauses in contracts, to define and limit your business’ risk exposure
  • Always run security tests before deployment. Don’t allow injection vulnerabilities to live
  • Prioritize client relationship management; don’t let the first contact about trouble be a letter from your client’s lawyer delivered with your breakfast.

    How FileSilo ruined Rita the Designer’s Weekend

    Disclaimer: the story about Rita the Designer and Johnny the Hunter is fiction. The filesilo hack is not.

    Rita designer was working on a new project and was on a deadline. She was an avid reader of the magazine “Web Designer“, that has lots of great content on UX and design patterns. Usually Rita wouldn’t base her client designs on stuff from a magazine but this time she found some really nice UX effects described in the latest issue that she wanted to try out. She created an account on their fileshare “FileSilo“, and quickly found the free stuff she could download when she’d bought the latest Web Designer issue. When she signed up she used her e-mail address and the password she always used for her non-critical online accounts, which in her opinion was pretty much anything except for her banking portal and her insurance portal.

    Rita the Designer was hunting for design patterns on filesilo, and got caught in the net of hackers due to their shoddy security and her own lack of awareness and password hygiene. 

    Rita downloaded the content, opened the zip file and looked through the templates; all good. She then decided to have a latte at the nearest coffee shop while thinking about the exact transitions she wanted to build into the site. In the coffee shop, she stumbled across a friend from university, who was now a security researcher with a anti-malware company. They started talking about their latest gossip. The sec researcher, Johnny the Hunter, told her he had a new girlfriend he’d met on tinder, and that work was a bit slow now. He’d recently gotten a contract with a publishing house to help with securing their web infrastructure but he hadn’t yet started. Rita told him excitedly about the new UX transitions she’d found in Web Designer, and that she had downloaded the templates from filesilo, ready to implement. The customer was expecting the first conceptual design by end of the week, so she expected to spend a lot of time working this week.

    She got back to her studio office and started playing with the transitions; it looked very good, and she was impressed with the usability of the templates without much fudging around. On Friday, she met with the client and showed him 3 different implementations – and they were equally impressed with all, finally selecting her green design with a flip effect for their new landing page.

    Rita went back to the coffee shop to celebrate and get ready for the weekend after having worked like a maniac all week to get the design concepts done. She looked at her phone, and discovered she had two new emails. The first one was from the guy she’d met earler in the week, Johnny the hunter, urging her to check her online accounts and make sure she hadn’t reused any passwords in the filesilo site – because it had been hacked. So what, was her first thought, passwords are stored in encrypted form anyway? The other email was from the Future(!?). Stating that the passwords were stored in clear text at filesilo, that they were sorry and that she should go ahead and secure her online accounts.

    OK, at least it is good that they are telling people about the breach at once so I can secure my other accounts, she thought to herself. She should really stop using the same password everywhere. Then she got a text: somebody had logged into her Facebook account. From Kinshasa. Not good. Same password. Another text, from Microsoft: her OneDrive was being accessed. From Taiwan. Worse. OK, time to panic!

    How could this happen?

    Obviously filesilo had a very shoddy operation going, storing passwords in plain text. The Register has a story on this, with a very fitting photo to illustrate the case. And how could it happen? Complacency, lack of awareness, stupidity? It is very hard to get a grasp on, especially from a magazine in the IT sector! Obviously filesilo did unfathomably stupid things in designing their downloads page, but another question I'm sure Johnny the Hunter would have for Rita the Designer is "why didn't you notice all the clues?" Like no HTTPS on a page asking for a password. Like a site accepting weak passwords.

    These things happen because knowing what to do isn't enough: people need to make secure behaviors habits. If not, it is going to slip whenever you are in a hurry. This is why one-off awareness programs aren't that effective. So, it looks like the publishing house learned some things from Johnny the Hunter. In an email sent out today, they say they've done the following since the hack:

    • The site now uses HTTPS, meaning all user data is encrypted as it is sent to our servers
    • All site components have been updated to the latest most secure versions and functionality has been added to ensure that future security updates are applied immediately after release
    • All passwords are now fully encrypted using an updated secure algorithm
    • Minimum requirements for password strength have been added to reduce the risk of successful "brute force" attacks
    • ReCaptcha has been added to the registration process to reduce chances of automated hacker/spammer sign ups
    • All staff users with access to subscriber data require “two factor authentication” to log in. This further reduces the risk of hacks where user data could be compromised

    All good practices that should have been there for years. One nit on the wording: passwords should not be "encrypted" at all, since whatever key decrypts them would sit on the same compromised server. They should be hashed with a slow, per-user salted algorithm so that a stolen table cannot simply be read back. All of this probably would have been in place if they had run an information security management system, as they are likely to need once the General Data Protection Regulation comes into force in 2018.
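    The gap between what the site had and what the list above asks for can be shown in a few lines. The following is an added example written for this post, not filesilo's or Future's code: it stores passwords with a per-user random salt and a deliberately slow hash (scrypt from Python's standard library), compares candidates in constant time, applies the kind of minimum-strength rule the site now says it enforces, and then replays a constructed plaintext dump against a properly hashed store of a second site. That last step makes the point Rita learned the hard way: hashing protects the breached site's own table, not a user who reused the password elsewhere. The user names, passwords, common-password list and scrypt parameters are all made up for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# scrypt work factors: assumed values for illustration (about 16 MiB of memory per
# hash); raise N as your hardware budget allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16
DK_LEN = 32

# Constructed stand-in for the kind of table the download site in the story kept:
# user names next to plaintext passwords. One leak burns every reused password.
LEAKED_PLAINTEXT_DUMP = {
    "rita": "Latte2016!",
    "danny": "hunter2",
}

# Constructed: a handful of passwords everybody has already seen in breach lists.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "hunter2", "letmein"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means two users with the
    same password get different digests, so a precomputed table is useless."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    return salt, digest


def verify_password(record: Tuple[bytes, bytes], candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time, so response
    timing cannot leak how many digest bytes matched."""
    salt, digest = record
    _, cand = hash_password(candidate, salt)
    return hmac.compare_digest(digest, cand)


def password_problems(username: str, password: str) -> List[str]:
    """Minimum-strength checks of the kind the site admits it lacked.
    The thresholds are assumptions for illustration."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def build_hashed_store(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """What a sane site keeps: salted digests only, never the passwords."""
    return {u: hash_password(p) for u, p in users.items()}


def credential_stuffing_hits(leak: Dict[str, str],
                             other_site: Dict[str, Tuple[bytes, bytes]]) -> List[str]:
    """Replay a plaintext leak against another site's properly hashed store and
    report the users whose reused password still opens the door."""
    return [u for u, pw in leak.items()
            if u in other_site and verify_password(other_site[u], pw)]


if __name__ == "__main__":
    # Constructed: a second site where Rita reused her password and Danny did not.
    other_site = build_hashed_store({"rita": "Latte2016!",
                                     "danny": "correct horse battery staple"})
    print("accounts opened by replaying the leak:",
          credential_stuffing_hits(LEAKED_PLAINTEXT_DUMP, other_site))
    for user, pw in LEAKED_PLAINTEXT_DUMP.items():
        print(user, password_problems(user, pw) or "ok")
```

    Note that the second site did everything right and Rita still loses her account there: the only defence against that is a different password per site, which is the habit the story is about.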

    Hackers try to trick you into paying ransom using simple JavaScript hijacking

    When people talk about ransomware they typically think of malware that encrypts all of your files using strong encryption, forcing you to fork over money to unlock them again. Some of these strains are quite elaborate, with reinfection routines and integrated botnets. But perhaps criminals can get a higher return on investment (ROI) from some simple browser-hijacking scripts?

    ransom_fakebsod

    One of the most common and profitable scams in 2015-2016 was the FakeBsod.A malware. According to the Microsoft info page on this ransomware, it accounted for 15% of ransomware infections in the period from December 2015 to May 2016. The malware hijacks your browser and displays a message saying you have encountered "BLUE SCREEN ERROR 0x000000000CE". Your browser becomes unusable: the address bar does not work and you cannot close the window unless you kill the application. The error message gives a phone number to "Microsoft" for help. If you call it, you are asked to pay a certain amount by credit card to "fix the problem". Of course, forcing the browser to close and then removing the FakeBsod.A JavaScript from your system is a better course of action. Most users don't know this, and the JavaScript browser-hijacking technique has earned cyber criminals enormous sums from users who saw no other way to get their browser back. Note that no files are harmed by the malware; this is an effective scareware tactic that has worked very well for the criminals, with very little upfront investment.

    This particular ransomware is not dangerous, in contrast to cryptoviruses that can in practice be impossible to recover from without a good backup. It is like a robbery using a water pistol. Still, the criminals manage to steal a lot of money with this malware. It is like other phone scams, but instead of "Microsoft" scammers calling you, they use ransomware as an inbound marketing tool, making you call their call center.

    A nice and somewhat more technical post on this type of "phonescamware" by Xavier Mertens can be found here: https://isc.sans.edu/diary.html?date=2015-10-13.
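    Since this scam needs nothing more than a web page, the page itself is the thing to inspect. Below is an added example, not code from the original post or from Microsoft's or Xavier Mertens' write-ups: a small Python scanner that pulls the visible text, <script> bodies and inline on* handlers out of an HTML page and scores them against indicators drawn from the description above (a fake blue-screen error code, a "call Microsoft" phone number, an unload handler that fights the user closing the page, and a dialog box fired from an endless loop). The two sample pages are constructed, and the indicator patterns and the scoring threshold are my assumptions, not FakeBsod.A's actual signature.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List


class _PageScraper(HTMLParser):
    """Split a page into visible text, <script> bodies and inline on* handlers."""

    def __init__(self) -> None:
        super().__init__()
        self.text: List[str] = []
        self.scripts: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if name.startswith("on") and value:      # e.g. onbeforeunload="..."
                self.scripts.append(f"{name}:{value}")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> content to handle_data as raw text
        (self.scripts if self._in_script else self.text).append(data)


# Indicator patterns: assumed heuristics built from the behaviour described in
# the post, not a vendor signature.
FAKE_BSOD = re.compile(r"blue\s+screen|\b0x[0-9a-f]{8,}\b", re.I)
SUPPORT_PHONE = re.compile(r"\b(?:call|dial|phone)\b[^<]{0,60}?(\+?\d[\d\s().-]{6,}\d)", re.I)
BRAND = re.compile(r"\bmicrosoft\b", re.I)
UNLOAD_TRAP = re.compile(r"beforeunload", re.I)
DIALOG_LOOP = re.compile(
    r"(?:while\s*\(\s*(?:true|1)\s*\)|for\s*\(\s*;\s*;\s*\))\s*\{?[^}]{0,200}?"
    r"\b(?:alert|confirm|prompt)\s*\(", re.S)


def analyse_page(html: str) -> Dict[str, object]:
    """Return the individual indicators, a score and a verdict for one page."""
    p = _PageScraper()
    p.feed(html)
    text = " ".join(p.text)
    scripts = "\n".join(p.scripts)

    findings = {
        "fake_bsod": bool(FAKE_BSOD.search(text)),
        "support_phone": bool(SUPPORT_PHONE.search(text)) and bool(BRAND.search(text)),
        "unload_trap": bool(UNLOAD_TRAP.search(scripts)),
        "dialog_loop": bool(DIALOG_LOOP.search(scripts)),
    }
    score = sum(findings.values())
    findings["score"] = score
    # Assumed threshold: two independent indicators, one of them the lure
    # (the error text or the phone number), before we call the page scareware.
    findings["likely_scareware"] = score >= 2 and (findings["fake_bsod"] or findings["support_phone"])
    return findings


# Constructed sample of a fake-BSOD lock page (not a real FakeBsod.A capture).
SCAREWARE_SAMPLE = """<html><body onbeforeunload="return 'Do not close this page';">
<h1>BLUE SCREEN ERROR 0x000000000CE</h1>
<p>Your computer has been blocked. Call Microsoft support at 1-800-555-0199 now.</p>
<script>
while (true) { alert("Error 0x000000000CE. Call support to unlock your PC."); }
</script>
</body></html>"""

# Constructed benign page with an ordinary click handler.
BENIGN_SAMPLE = """<html><body><h1>Web Designer templates</h1>
<p>Download the flip transition pack below. Questions? Email help@example.com.</p>
<script>document.querySelector("h1").onclick = function () { alert("Thanks!"); };</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("scareware", SCAREWARE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, analyse_page(page))
```

    The benign page also calls alert(), which is why a single indicator is never enough: it is the combination of the lure and the code that keeps the user from leaving that marks the scam.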