Skip to content

Security News

Marriott Concedes 5 Million Passport Numbers Lost to Hackers Were Not Encrypted

Just maybe, I am not saying for sure, but just maybe, that reason for such stupidity is the companies like Marriot are hiring too many newbies to save money and ignoring the more senior members of the IT community. Or maybe that there is no real hard financial penalties for breaches. Maybe both.

But the real story here is not only Marriot, but the continued onslaught from China. No surprise.

Quote

WASHINGTON — Marriott International said on Friday that the biggest hacking of personal information in history was not quite as big as first feared, but for the first time conceded that its Starwood hotel unit did not encrypt the passport numbers for roughly five million guests. Those passport numbers were lost in an attack that many outside experts believe was carried out by Chinese intelligence agencies.

What made the Starwood attack different was the presence of passport numbers, which could make it far easier for an intelligence service to track people who cross borders. That is particularly important in this case: In December, The New York Times reported that the attack was part of a Chinese intelligence gathering effort that, reaching back to 2014, also hacked American health insurers and the Office of Personnel Management, which keeps security clearance files on millions of Americans.

Taken together, the attack appeared to be part of a broader effort by China’s Ministry of State Security to compile a huge database of Americans and others with sensitive government or industry positions — including where they worked, the names of their colleagues, foreign contacts and friends, and where they travel.

“Big data is the new wave for counterintelligence,” James A. Lewis, a cybersecurity expert who runs the technology policy program at the Center for Strategic and International Studies in Washington, said last month.

One top official of the Chinese Ministry of State Security was arrested in Belgium late last year and extradited to the United States on charges of playing a central role in the hacking of American defense-related firms, and others were identified in a Justice Department indictment in December. But those cases were unrelated to the Marriott attack, which the F.B.I. is still investigating.

China has denied any knowledge of the Marriott attack. In December, Geng Shuang, a spokesman for its Ministry of Foreign Affairs, said, “China firmly opposes all forms of cyberattack and cracks down on it in accordance with the law.”

Do make me laugh

The Marriott investigation has revealed a new vulnerability in hotel systems: What happens to passport data when a customer makes a reservation or checks into a hotel, usually abroad, and hands over a passport to the desk clerk. Marriott said for the first time that 5.25 million passport numbers were kept in the Starwood system in plain, unencrypted data files — meaning they were easily read by anyone inside the reservation system. An additional 20.3 million passport numbers were kept in encrypted files, which would require a master encryption key to read. It is unclear how many of those involved American passports, and how many come from other countries.

Yes you read that correctly. Morons asleep at the switch

Marriott said for the first time that 5.25 million passport numbers were kept in the Starwood system in plain, unencrypted data files — meaning they were easily read by anyone inside the reservation system.

It was not immediately clear why some numbers were encrypted and others were not — other than that hotels in each country, and sometimes each property, had different protocols for handling the passport information. Intelligence experts note that American intelligence agencies often seek the passport numbers of foreigners they are tracking outside the United States, which may explain why the United States government has not insisted on stronger encryption of passport data worldwide.

Asked how Marriott was handling the information now that it has merged Starwood’s data into the Marriott reservations system — a merger that was just completed at the end of 2018 — Connie Kim, a company spokeswoman, said: “We are looking into our ability to move to universal encryption of passport numbers and will be working with our systems vendors to better understand their capabilities, as well as reviewing applicable national and local regulations.”


“We are looking into our ability to move to universal encryption of passport numbers and will be working with our systems vendors to better understand their capabilities, as well as reviewing applicable national and local regulations.”

 

Which means 1) they are still NOT encrypted and 2) They need to fire the person(s) managing the vendors and the vendors themselves (assuming vendors haven’t been screaming at Marriot to do something which may indeed be plausible.)

The State Department issued a statement last month telling passport holders not to panic, because the number alone would not enable someone to create a fake passport. Marriott has said it would pay for a new passport for anyone whose passport information, hacked from their systems, was found to be involved in a fraud. But that was something of a corporate sleight of hand, since it provided no coverage for guests who wanted a new passport simply because their data had been taken by foreign spies.

So far the company has ducked addressing that issue by saying it has no evidence about who the attackers were, and the United States has not formally accused China in the case. But private cyberintelligence groups that have looked at the breach have seen strong parallels with the other, Chinese-related attacks underway at the time. The company’s president and chief executive, Arne Sorenson, has not answered questions about the hacking in public, and Marriott said he was traveling and declined a request from The Times to talk about hacking.

The company also said that about 8.6 million credit and debit cards were “involved” in the incident, but those are all encrypted — and all but 354,000 cards had expired by September 2018, when the hacking, which went on for years, was discovered.

So far, there are no known cases in which stolen passport or credit card information was found in fraudulent transactions. But to cyberattack investigators, that is just another sign that the hacking was conducted by intelligence agencies, not criminals. The agencies would want to use the data for their own purposes — building databases and tracking government or industrial surveillance targets — rather than exploiting the data for economic profit.

Idiots, And the U.S. and State Governments are just as culpable. We need very strong laws that mandate extremely stiff penalties for breaches.

Microsoft Issues Emergency Fix for IE Zero Day

Quote

Microsoft today released an emergency software patch to plug a critical security hole in its Internet Explorer (IE) Web browser that attackers are already using to break into Windows computers.

The software giant said it learned about the weakness (CVE-2018-8653) after receiving a report from Google about a new vulnerability being used in targeted attacks.

Satnam Narang, senior research engineer at Tenable, said the vulnerability affects the following installations of IE: Internet Explorer 11 from Windows 7 to Windows 10 as well as Windows Server 2012, 2016 and 2019; IE 9 on Windows Server 2008; and IE 10 on Windows Server 2012.

“As the flaw is being actively exploited in the wild, users are urged to update their systems as soon as possible to reduce the risk of compromise,” Narang said.

According to a somewhat sparse advisory about the patch, malware or attackers could use the flaw to break into Windows computers simply by getting a user to visit a hacked or booby-trapped Web site. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft says users who have Windows Update enabled and have applied the latest security updates are protected automatically. Windows 10 users can manually check for updates this way; instructions on how to do this for earlier versions of Windows are here.

ZipRecruiter has been flying low: User email addresses exposed to unauthorised accounts

Quote

Looking for work? Spammers could well be looking for you

Lesson: use throw away emails if you must, but better, just say no to job search aggregators. Of course that may be impossible as many clueless employers use them to aggregate CV/Resumes, do initial screen, etc.

Tinder for job-seekers ZipRecruiter has copped to a data breach after the names and email addresses of job-seekers were flung to the wind in a permissions screw-up.

The company – which claims over seven million active job-seekers each month and 40 million job alert email subscribers – has been running since 2010 with operations in the US and UK. In 2012 it had helped 10,000 employers fill positions. By 2017 that number had exceeded one million.

But with impressive growth comes impressive growing pains, and a permissions cock-up at ZipRecruiter has meant that hopeful job-seekers, having uploaded their CV, have had their personal details shared in a way they might not have expected.

In the email, sent to those lucky users and seen by The Register, the company says:

On October 5th, we discovered that certain employer user accounts that were not intended to have access to the CV Database were able to obtain access to information including the first name, last name and email addresses of some job seekers who had submitted their CVs to our CV database.

Whoops!

The problem is with the part of ZipRecruiter’s site that allows an employer with permission to access the database of CVs to contact a candidate. Obviously, having admired the sheen of a turd buffed to a high gloss CV of a candidate, an employer will want to get in touch. To that end, ZipRecruiter provides a contact form, helpfully populated with the name and email address of the hopeful individual.

It appears that the Email Candidate form can also be accessed by users who have not ponied up the cash for access to the CV library. Those users can still search for job-seekers, but only see limited information depending on what a candidate has volunteered. This could be the candidate’s first name, last three employers and city and country.

But thanks to the permissions whoopsie, that unauthorised user could also potentially get to the candidate’s full name and email address.

ZipRecruiter professed itself “not certain of the purpose of the unauthorised access” but speculated with breathtaking insight that the information “could be utilised to send you spam or phishing emails”.

The company was quick to point out that the information accessed does not include any login credentials or financial information, and that its security team stomped on the bug 90 minutes after it was found. The ICO was notified on 9 October and the company has been picking through its records ever since, working out which users have had the spotlight of spammers shone on their details.

As for what to do, well, the company has told affected users:

The goal of this communication is not to alarm you or deter you from responding to potential employers; rather, we want you to be a little more vigilant when considering whether or not to respond to a potential communication, in light of the unauthorised access to your full name and email address.

So that’s alright then.

We contacted ZipRecruiter to find out how many users had been affected, but other than a slightly nasal recording telling us our call may be recorded before abruptly hanging up, the company has remained incommunicado. We can but hope ZipRecruiter is a tad more helpful when it comes to paying customers.

As for the UK’s Information Commissioner’s Office (ICO), a spokesperson told us: “ZipRecruiter, Inc has made us aware of an incident and we will consider the facts.”

Register reader Steve, who was one of the lucky job hunters to receive an “oopsie” email, observed: “It’s always so f*cking special to get pwned when you’re looking for work.”

It is indeed, Steve. It is indeed. ®

Bomb threat’ scammers linked to earlier sextortion campaign

Scare tactic efforts may be the work of a single group

Yesterday’s ‘bomb scare’ spam campaign may have been a follow-up to another infamous email extortion effort.

Researchers with Cisco’s Talos say that the rash of emails floated yesterday demanding that recipients pay a Bitcoin ransom or face the possibility of a bomb attack on their offices are simply an evolution of the scare-tactic extortion scam that surfaced in October of this year.

In that scam, the sender copied passwords from a for-sale list of stolen credentials then sent them to a target claiming to have installed malware on their computer. The victim was told to send money or have compromising videos leaked. Of course, those videos did not exist and there was no malware.

We analyzed a few of these and saw that the credentials were not correct in our sample

This week, the scammers pivoted to a new type of threat, spaffing out emails that claimed the recipients building would blow up unless they sent $20,000 in Bitcoin.
bomb

The composition of the emails, as well as the demand for Bitcoin payoffs, was remarkably similar, and Talos researcher Jaeson Schultz thinks he knows why.

“Multiple IPs involved in sending these bomb threats also sent various types of sextortion email that we saw in the previous campaign,” Schultz explained.

Fortunately, Schultz says, the latest technique is not paying off for the hapless extortionists.

“Only two of the addresses have a positive balance, both from transactions received Dec. 13, the day the attacks were distributed,” he said.

“However, the amounts of each transaction were under $1, so it is evident the victims in this case declined to pay the $20,000 extortion payment price demanded by the attackers.”

With that sort of success rate, it is no surprise that, as of yesterday, the crew decided to try another threat to scare people out of their cryptocoins. This time, it is with the threat of an acid attack.

It should go without saying: Don’t pay any ransom demanded by an unsolicited email, and report all threats to an admin and/or the police. ®

Scumbag hackers lift $1m from children’s charity

Quote

A group of criminal asswipes have managed to steal $1m from the Save the Children Foundation.

The global children’s health charity said in its 2017 fiscal report (PDF) to the IRS that, back in April of last year, some total sleezebag was able to get control of an employee’s email account and then convince the organization to make a transfer of $997,400 to a bank account in Japan.

According to Save The Children, the dickhead(s) who pulled off the scam disguised the illicit transfer as a purchase of solar panels for health centers in Pakistan. It was only a month later that the crime was discovered.

While the feckless rectal warts were able to make off with the charity’s money, insurance covered much of the damage.

“By the time that the fraud was discovered in May 2017, the transferred funds could not be recalled, but Save the Children was subsequently able to recover $885,784 from its insurance carriers to mitigate the financial loss,” the filing explains.

“In addition, Save The Children coordinated with the FBI, and through them, the Japanese Law Enforcement to assist in criminal investigations related to this incident, and we have taken steps internally to strengthen cybersecurity and other processes to prevent cyberfraud.”

“Social engineering is one of the easiest and most effective ways for attackers to reach their goals,” Bailey noted. “Emails that originate inside of a company are often just assumed to be legitimate and never questioned.”

Administrators and managers would be well served to remind end users to always keep an eye out for suspicious requests, and when they spot one check with the sender (either in person or over the phone) to verify

No word was given on whether the arseholes who committed the fraud have been caught, but hopefully they get what is coming to them in the most painful way imaginable.

The attack was one of two incidents that occurred at the charity in 2017. A separate attempt by another utter bastard to steal funds (through a hacked vendor) tried to get the company to wire $9,210 to a bank account in Benin. That fraud was caught and all but $120 were recovered.

Lamar Bailey, director of security research and development at Tripwire, noted that Save the Children was hardly alone in falling victim to these sort of attacks.

“Social engineering is one of the easiest and most effective ways for attackers to reach their goals,” Bailey noted. “Emails that originate inside of a company are often just assumed to be legitimate and never questioned.”

Administrators and managers would be well served to remind end users to always keep an eye out for suspicious requests, and when they spot one check with the sender (either in person or over the phone) to verify

Here are another 45,000 reasons to patch Windows systems against old NSA exploits

QUOTE

It’s 2018 and UPnP is still opening up networks – this time to leaked SMB cyber-weapons

Earlier this year, Akamai warned that vulnerabilities in Universal Plug’N’Play (UPnP) had been exploited by scumbags to hijack 65,000 home routers. In follow-up research released this week, it revealed little has changed.

Having revisited its April probing, the web cache biz has come to the conclusion that the security nightmare it dubbed “UPnProxy” is still “alive and well.”

Yep, no surprise here. No one cares. And the home routers that the likes of Verizon gives are pure crap that a wet boy-scout could hack. But hell, just hook all your IoT devices to it and your safe, right? Grrhhh.

The only way to truly secure a router from UPnProxy attacks is to reflash the hardware, clearing any attacker-injected configuration and installing patched firmware, where available. Oh, and turn UPnP off, which has been standard advice for a decade.

The problem is basically this: it’s possible to send carefully crafted HTTP requests to public-facing UPnP services running on various routers to access their internal networks, or relay traffic through the gateways to other machines on the internet. With access to a home LAN, it’s possible to attack and infect connected PCs and gizmos. These UPnP vulns, described here [PDF], have not been comprehensively patched.

Scanning the internet once again, Akamai found that out of a pool of 3.5 million potentially vulnerable routers, 277,000 were still open to UPnProxy, and 45,000 have been hijacked. The latest twist is that whoever commandeered these gateways has tried to port forward Windows file sharing aka SMB services from the internal PCs to the outside world so they can be exploited and remote-controlled by the leaked Eternal family of NSA cyber-weapons.

Patches are available for Windows to thwart attacks by EternalBlue et al: your ‘doze machines should not fall for these SMB-based infections if you’ve been keeping up to date, though your router may been snared if you haven’t disabled UPnP or patched it.
Details

Akamai’s security team explained in this blog post that a sign of infection is the appearance of “telltale routes” in the gateways’ port mappings. The essay also outlined how the hackers hijacked some 45,000 routers:

Network scanning – the attackers either mass-scanned the internet looking for machines presenting the Simple Service Discovery Protocol (SSDP) to the world that would reveal the UPnP service, and/or they targeted devices that use a static port (TCP/2048) and path (/etc/linuxigd/gatedesc.xml) for the UPnP daemons.
When a vulnerable device is found, the attackers set up SMB port forwarding from the LAN to the public internet, using the router’s built-in configuration web portal, so that the miscreants can reach stuff on the LAN from outside.

Here is one example of the kind of Network Address Translation (NAT) forwarding rule the attackers could inject into a vulnerable router:

{“NewProtocol”: “TCP”, “NewInternalPort”: “445”, “NewInternalClient”: “192.168.10.212”, “NewPortMappingDescription”: “galleta silenciosa”, “NewExternalPort”: “47669”}

Once the miscreants have compromised a target, they then try to run the NSA-authored, Shadow Brokers-released EternalBlue (CVE-2017-0144), or the Linux variant EternalRed (CVE-2017-7494) against PCs behind the gateway to potentially hijack them.

EternalBlue has been used to infect machines since its release in April 2017, most famously in the WannaCry attacks that began in May 2017; EternalRed pwns *nix systems with a one-line Samba exploit.

Finally, the 45,000-ish hijacked routers have exposed a total of 1.7 million hosts on local networks to the public ‘net via UPnProxy. So that’s up to nearly two million computers the attackers may have compromised and roped into malware-controlled botnets, Akamai claimed. ®

Oh, I know the solution, let’s get a “suit” to do a 3 year study!

Marriott’s Starwood hotels had mega-hack exposing half a BILLION guests details

In case you missed it, Marriott’s Starwood hotels had mega-hack where half a BILLION guests’ details exposed over 4 years. Yes, that is right, it took them four year to discover and act.

I have prattled on about how I see little seriousness in IT security, and this hack is simply more proof about the abysmal state of affairs. But what the hell, when companies and governments practice rampant age discrimination against senior IT personnel that could really help in favor of cheaply paid newbies or book learned “management” types (we called them “suits”) that have never configured anything more than their coffee pot, what do expect?

Quote

US hotel chain Marriott has admitted that a breach of its Starwood subsidiary’s guest reservation network has exposed the entire database – all 500 million guest bookings over four years, making this one of the biggest hacks of an individual org ever.

“On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States,” said the firm in a statement issued this morning. “Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014.”

Around 327 million of those guest bookings included customers’ “name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (‘SPG’) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.”

For an unspecified number, encrypted card numbers and expiration dates were also included, though Marriott insisted there was AES-128 grade encryption on these details, saying: “There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.”

This could be read as a reference to salting and hashing though no further detail was supplied. We have contacted Marriott to double-check and will update this article if we hear back from them.

Having identified the breach, on 19 November Marriott and its investigators found an encrypted database online in an unspecified location. After decrypting it, they discovered a full copy of the entire Starwood guest reservation database.

Affected hotel brands include:

W Hotels
St. Regis
Sheraton Hotels & Resorts
Westin Hotels & Resorts
Element Hotels
Aloft Hotels
The Luxury Collection
Tribute Portfolio
Le Méridien Hotels & Resorts
Four Points by Sheraton
Design Hotels that participate in the Starwood Preferred Guest (SPG) program
Starwood branded timeshare properties

Arne Sorenson, Marriott’s prez and chief exec, said in a canned statement he “deeply regrets” this incident took place, adding that the company has set up a “dedicated website and call centre”.

Law enforcement in the US has been notified. The hotel chain is emailing customers now to inform them.

That customer information website is here (its info.starwoodhotels.com URL resolves to the domain of security firm Kroll) and it includes an offer to enrol affected customers into the Webwatcher personal info breach monitoring system. Those emails, said the firm, will come from the address starwoodhotels@email-marriott.com and “will not contain any attachments or request any information from you, and any links will only bring you back to this webpage”.

Affected or potentially affected customers are being warned to change their passwords and not use easily guessed ones.

Few hacks of individual firm’s customer data have come close to the scale of this one. The Yahoo! breach in 2013 saw three billion email accounts breached, while Carphone Dixons, the UK electronics retail chain, managed to lose control of 5.9 million sets of payment card data. In the US, the US Government Office for Personnel Management (which handles sensitive files on millions of government workers) had the personal data of 21 million employees’ breached by hackers. ®

Anyone who knows me will hear me whine that no one takes IT Security seriously enough. The main reason is that there is no teeth in laws that cover breaches. That leads to organizations pinching pennies. Here is an article by Bruce Schneier that lays out the case. Will I stop whining — not yet.

Quote

Bruce Schneier: You want real IoT security? Have Uncle Sam start putting boots to asses. Infosec’s cool uncle says to hell with the carrot

Any sort of lasting security standard in IoT devices may only happen if governments start doling out stiff penalties.

So said author and computer security guru Bruce Schneier, who argued during a panel discussion at the Aspen Cyber Summit this week that without regulation, there is little hope the companies hooking their products up to the internet will implement proper security protections.

“Looking at every other industry, we don’t get security unless it is done by the government,” Schneier said.

“I challenge you to find an industry in the last 100 years that has improved security without being told [to do so] by the government.”

Schneier went on to point out that, as it stands, companies have little reason to implement safeguards into their products, while consumers aren’t interested in reading up about appliance vendors’ security policies.

“I don’t think it is going to be the market,” Schneier argued. “I don’t think people are going to say I’m going to choose my refrigerator based on the number of unwanted features that are in the device.”

Schneier is not alone in his assessment either. Fellow panellist Johnson & Johnson CISO Marene Allison noted that manufacturers have nothing akin to a bill of materials for their IP stacks, so even if customers want to know how their products and data are secured, they’re left in the dark.

“Most of the stuff out there, even as a security professional, I have to ask myself, what do they mean?” Allison said.

That isn’t to say that this is simply a matter of manufacturers being careless. Even if vendors want to do right by data security, a number of logistical hurdles will arise both short and long term.

Allison and Schneier agreed that simply trying to port over the data security policies and practices from the IT sector won’t work, thanks to the dramatically different time scales that both industrial and consumer IoT appliances tend to have.

“Manufacturers do not change all the IT out every five years,” Allison noted. “You are looking at a factory having a 25- to 45-year lifespan.”

Support will also be an issue for IoT appliances, many of which go decades between replacement.

“The lifespan for consumer goods is much more than our phones and computers, this is a very different way of maintaining lifecycle,” Schneier said.

“We have no way of maintaining consumer software for 40 years.”

Ultimately, addressing the IoT security question may need to be spearheaded by the government, but, as the panelists noted, any long-term solution will require a shift in culture and perception from manufacturers, retailers and consumers.

Cyber-crooks think small biz is easy prey… – They are!

In our experience many small businesses do not take cyber security seriously. Too bad. They are an open book to most crooks.

Quote

Here’s a simple checklist to avoid becoming an easy victim
Make sure you’re spending your hard-earned cash on the ‘right’ IT security

…Today, SMBs are no longer secondary targets, and are up against exactly the same cyber-threats with the same level of sophistication as larger organizations. Criminals have evolved, the economy in which they work has become more professional, and their understanding of SMBs has moved with the times.

Traditionally, SMB cybersecurity has been a scaled-down version of the enterprise grade, adapted to suit relatively trivial networks of commodity Windows PCs, printers, LANs, servers, and software.

As times change, what are emerging threats and what should SMBs be spending on in order to stay safe if the generic, cut-down versions of old defense measures struggle to keep up?

Here’s a simple guide on issues and pitfalls for IT bods at SMBs to think about; a starting point, if you will, for further research and planning.

Targeted extortion, email weakness

The stand-out threat is the rapid rise in extortion-based attacks that are designed to force a company to pay a ransom to regain access to data, internal systems, or paid off hackers from launching crippling distributed denial-of-service attack against public web servers. According to Osterman, nearly one in five US-based SMBs reported being on the receiving end of a successful ransomware attack, with approaching one in three reporting the same for phishing.

Phishing can also be highly targeted with Business Email Compromise (BEC) – tricking employees into making payments to fraudsters using impersonation and spoofing – now another widely-reported attack. Typically, a miscreant pretends to be a supplier to fool staffers into paying invoices into the crook’s bank account. Alternatively, a hacker hijacks the corporate email account of a senior manager, or otherwise impersonates that person, and asks the finance department for sensitive employee files, such as tax forms that, when provided by a hoodwinked beancounter, can be used for identity theft.

This type of fraud has boomed in the last year, with cloud security company AppRiver reporting it had quarantined one million BEC emails in the first half of 2018, a rise of 55 per cent on the previous half year.

The easiest way to stop phishing attacks is never to receive them, which is the job of the email service provider or email service gateway. These vary widely in their capabilities, but all service providers should enforce spoofing control and email authentication, rejecting messages which don’t confirm to standards such as Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), and DMARC (Domain-based Message Authentication, Reporting and Conformance). Ideally, employees should have a way of reporting suspicious emails.

We see many small businesses outsourcing their mail to gmail, yahoo, or worse, their ISP. What a disaster. Our mail server reject logs are full “reject events” from their servers. Setting up a secure mail server is not that difficult and does *NOT* have to be done on the same server as the Website Server. And it need not be expensive. There are many good options from Microsoft Cloud to spinning up a small cloud based Linux system running postfix. We are experts in setting this up. We setup DKIM, DMARC, all DNS records, and configure server to check real time online blacklists. We also provide secure mail server appliances which should always be used by companies dealing with sensitive data like medical, financial records, etc. Contact us for more info.

All backed up

An SMB’s backup routines become doubly critical to beat ransomware. Online shares and backups must be protected to stop ransomware targeting these, while offline backups are a must to act as plan B. There are numerous ways of defending valuable directories, including Windows itself such as controlled folder access as well as network-wide approaches such as VLANs. Most important of all is to test backups.

Unfortunately, ransomware doesn’t always go after data, and can be deployed to lock up entire servers running applications, knackering production systems and databases. SMB endpoint suites often include server protection which can be strengthened with careful network segmentation.

It never ceases to amaze me how many companies simply think since they have a hardware firewall, they are protected. Not true. You also need solid end point protection on all devices – workstations, servers, mobile devices, etc. ESET is one the best in our opinion. We also have several affordable back-up solutions.  Contact us for more info.

Office applications

Beyond email, office applications are often the next target. Any attachments that can be booby-trapped with malicious code that sneak through – particularly PDF and Word – should be limited by, for example, Microsoft Office’s protected view, disabling macros, and scanned for known malware. Legacy capabilities such as Object Linking and Embedding (OLE) should be disabled while powerful interfaces such as Powershell, VBScript and Jscript scripting need care and attention. If it’s not needed, chuck it.

User training is very important in this regard. Also, as previously stated, Endpoint Security helps greatly in controlling and scanning these objects.

Backdoor RDP and authentication

Another emerging target for hackers is Microsoft’s Remote Desktop Protocol (RDP), which many SMBs turn on to enable remote support. Discovering RDP ports left open to the internet isn’t hard, and all crooks need is a password to use this as a door into the average SMB – this can often be brute-forced assuming one’s even been set.

The sad part is, it’s incredibly easy not to notice that this weakness even exists because it’s not the first thing admins think about. Armed with an open RDP, attackers have effectively found a way to bypass all controls, turning off whichever processes – including the security protecting servers – they please. Game over. Configuration weaknesses are often to blame for the RDP hole and it could be mitigated in many instances by simple investment in better authentication for admin accounts, which should always enforce this security.

But let’s not forget firewalls – they’re no longer a magic shield but are great friends such as closing RDP back doors to outside access. Firewalls also lock down guest Wi-Fi networks from reaching other parts of the business, detect suspicious outgoing connections – such as malware or rogue employees exfiltrating sensitive information, and more.

Use access controls and firewalls to limit and compartmentalize your organization, so teams access only the information they need, and sensitive data cannot leave those compartments.

Anyone not using two factor authentication for remote access along with strong password management is simply being foolish. It is not expensive and there are several options including Microsoft, ESET and others. Contact us for more info.

Data theft

IT security breaches resulting in the theft of data are a perennial threat. Ten years ago, the unauthorized slurpage of customer data appeared to be something that happened only to large outfits such as US company TJX that had huge amounts of data worth stealing. Recent headlines, British Airways and Equifax, confirm this is still the case, although thieves are setting their sights lower. Verizon’s 2018 Data Breach Investigations analysis of 2,216 known data thefts found that 58 per cent of such breaches were reported at SMBs.

While rogue insiders are a legit security threat IT managers should be on the look out for, the exploitation of vulnerabilities in software lies at the root of many successful cyber attacks. The scale of the challenge in defending against hackers leveraging buggy code can be seen in figures from CVE Details, which reported 14,600 vulnerabilities in 2017, excluding zero days, up from 6,447 in 2016.

You shouldn’t read too much from CVE-labeled bug totals – more flaws found may well mean we’re getting better at finding and fixing them – although it does mean there’s more patching to do before exploits are developed and used in the wild.

SMBs lacking dedicated in-house security personnel need to automate patch management as much as possible. The first trick is to reduce the amount of software that needs patching in the first place by removing old applications and plugins such as Flash and Java and standardising on one browser and office suite. Service providers will do some of the patching job while endpoint security suites will usually now have a module for managing more specialised needs.
Data security

The struggle small organisations have in securing sensitive data is often tied to the difficulty in properly and competently using encryption. Many SMBs end up with a patchwork of systems, and varying levels of protection. It’s too easy to make a mistake, and leave chunks of information unprotected. The logical solution is to use a single product that can be controlled centrally, but as with authentication finding a system built for SMB use can be a challenge.

Encrypting outward email is becoming more popular but may not be practical for all SMBs. Encrypting files when at rest is, however, a must. Every portable device should be encrypted while Microsoft’s BitLocker can be used for local file security on Windows PCs.

ESET offers an excellent, easily managed whole disk encryption. Contact us for more info.

Watch the cloud

SMBs are increasingly using cloud services for data storage and applications, indeed this might one day soon become the main place much of their IT systems reside. Arguably, this should boost security because it will rationalise many of the problems already mentioned into a series of security processes under one or a small number of services. Most SMBs are not yet ready to trust cloud platforms with their crown jewels, but when they do, it could potentially improve their security simply because it will make it easier to manage.

The cybersecurity challenge for SMBs has always been that they must cope with the same security threats as larger companies but without the same level of resources. Cybercriminals know this, which is why – in a sense – SMB-specific campaigns are always a form of social engineering that exploits pressure points, such as a lack of understanding, time, and weak processes.

Irrespective of size, there’s not always a single failure that explains why these keep happening so much as a collection of weaknesses covering patching, data controls and encryption, cloud security, authentication, privilege management, as well as the difficulty of defending email systems.

Lacking resources to throw at a cyber-incident, the rules for every SMB are clear: simplify the IT estate as much as possible, clear out unwanted software, layers of access controls, and choose a good partner to help with the tricky details as insurance against the day when the cybercriminals come knocking with a crowbar.

In conclusion, it is long past the time for SMBs to get serious about security. It does not need to be expensive. We can help on all these items and more. Contact us for more info.

Chinese Super Micro ‘spy chip’ story …

QUOTE

Chinese Super Micro ‘spy chip’ story gets even more strange as everyone doubles down
Bloomberg puts out related story while security experts cast doubt on research and quotes

The veracity of a bombshell yarn claiming Chinese agents managed to sneak spy chips into Super Micro servers used by Amazon, Apple and the US government is still being fiercely argued over five days after publication.

On Tuesday, the media outlet behind the claims, Bloomberg, responded to growing criticism of its report by publishing a new, related story about how a “major US telecommunications company” discovered a similar hardware hack in components from the computer manufacturer at the center of the story, Super Micro.

That latest piece comes after one of the experts in the original story gave an interview in which he expressed his concern about the finished piece and questioned whether Bloomberg had done sufficient fact checking before publishing.

The new article also comes in the wake of a second, even stronger denial of the key elements of the story by Apple – sent to US Congress committees – as well as statements from the intelligence wings of both the UK and US governments that push the idea that Bloomberg may have made a serious reporting mistake.

With clear and increasingly firm stances that stand in complete opposition to one another, security experts remain undecided as to whether the story is largely correct and China did insert spy chips into Super Micro motherboards; or whether the journalists behind the story wrongly extrapolated information and ended up publishing something incorrect.

Faced with such uncertainty, some are reaching for a unifying explanation: that Bloomberg was misled by some in the intelligence community that wish, for their own reasons, to raise the specter of Chinese interference in the global electronics supply chain. Bloomberg could be accurately reporting an intelligence misinformation campaign.

Another expert, another report

In its most recent story, Bloomberg claims to have seen “documents, analysis and other evidence” of Chinese interference: in this case “manipulated hardware” stemming from Super Micro that was discovered in the network of a large US telecoms company and pulled out in August.

The source of that report is named: Yossi Appleboum, CEO of security specialists Sepio Systems. Appleboum claims to have discovered “unusual communications” coming from a Super Micro server that was part of a data center audit ordered by the unnamed company.

Physical inspection of that board revealed “an implant built into the server’s Ethernet connector,” Appleboum says. Bloomberg knows the company affected but has chosen not to name it because of a non-disclosure agreement signed between Sepio Systems and the company in question.

While Bloomberg notes that the Ethernet implant “is different from the one described in the Bloomberg Businessweek report last week,” it argues that it shares “key characteristics” including the fact that the alteration was made at a Super Micro factory and it was designed to be invisible while extracting data.

The conclusion that the impact was introduced at the factory in China was reached by Appleboum, he claims. But notably he goes on to state that “he was told by Western intelligence contacts that the device was made at a Super Micro subcontractor factory in Guangzhou, a port city in southeastern China.”

Appleboum make a series of other interesting statements, including that the Sepio team had seen similar variations of the implant in other motherboards made in China, and that he had been informed by intelligence agents from other countries that they had been tracking the manipulation of Super Micro hardware for some time.
You know nothing, DHS

Bloomberg used the report to push back against a statement from the US Department of Homeland Security (DHS) in which it said it had “no reason to doubt” denials of its spy-chip original story. Bloomberg insists that there was an FBI investigation of the issue, but that it was run by the organization’s “cyber and counterintelligence teams, and that DHS may not have been involved.”

In other words, Bloomberg – seemingly surprised by the forceful denials of its story – is arguing that only a small group of people were aware of the investigations it wrote about and so claims of inaccuracy may come from people who simply do not know about them.

….

All of which is to say: after five days of fierce scrutiny, no one is any the wiser as to whether the story is true or not. We will have to see what this week brings.