The 1 Billion Yahoo Hack

This is getting old. It’s all over the press… again. Here is a Reuters article where I am quoted, which covers the most recent billion-record Yahoo hack.

Some people asked me after our Flash announcement last week: “Stu, really, these hacks happened a few years ago, closing down my whole Yahoo account, or blocking Yahoo at the firewall… aren’t you going a bit overboard here?”

Good question. Here is my take:
Well, that whole 1B database was sold on the dark web by a group of professional blackhats from Eastern Europe for 300K (and is still for sale at a much lower price right now), which means that a ton of bad guys now have these credentials. Worse, they also have answers to security questions like “your mother’s maiden name”, which do not change like passwords, and backup email addresses that could help with resetting forgotten passwords.

Bloomberg reported that 150,000 U.S. government and military employees are among the victims in the latest breach.

My position is that all Yahoo accounts need to be considered compromised. They are sitting ducks for spam, phishing and malware attacks. If employees check their Yahoo account on their lunch break, do you want to expose your company network to that?

It looks like Yahoo has not learned its lessons, so new hacks can happen any time. There has been an exodus of qualified Yahoo staff and they seem unable to apply best security practices. They are now forcing all users to change their password (see the WSJ article), but that’s too little, too late. I simply have lost trust.

So, I recommend you warn your users, friends and family… again. We have been here before on September 23rd when the 500 million record hack was first announced.

In September, Yahoo did not force people to change passwords, but now they are forcing a password change, and the bad guys are (again) all over this — the ones that own the Yahoo database but also the ones that do not, because news like this is a phishing paradise.

This is a phishing paradise with significant fallout

Phishing attacks will likely be the number one fallout, with Yahoo user accounts being used for social engineering attacks. However, since many people use the same username and password across multiple sites, the other thing that will continue to happen is “credential stuffing”: an automated attack where attackers replay the stolen Yahoo usernames, passwords and possibly the answers to security questions against other websites until they find a match.
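As an added illustration of the credential-stuffing pattern described above (example code, not part of the original post), the detector below scans constructed login-audit lines for a single source address that cycles through many different accounts with mostly failed attempts, and reports any account that source then opened successfully. The log format, addresses and thresholds are assumptions.

```python
"""Credential-stuffing detector over login-audit lines (added example).

Assumed (constructed) log format, one event per line:
  <ISO-8601 timestamp> ip=<source> user=<account> result=<OK|FAIL>
Thresholds below are illustrative; tune them against real baseline traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")

# Constructed sample: 198.51.100.10 replays leaked credentials against ten
# different accounts inside ten seconds; one reused password works.
# 203.0.113.5 is an ordinary user who mistypes their own password twice.
SAMPLE_LOG = """\
2016-12-15T09:00:01Z ip=198.51.100.10 user=alice result=FAIL
2016-12-15T09:00:02Z ip=198.51.100.10 user=bob result=FAIL
2016-12-15T09:00:03Z ip=198.51.100.10 user=carol result=FAIL
2016-12-15T09:00:04Z ip=198.51.100.10 user=dave result=FAIL
2016-12-15T09:00:05Z ip=198.51.100.10 user=erin result=FAIL
2016-12-15T09:00:06Z ip=198.51.100.10 user=frank result=FAIL
2016-12-15T09:00:07Z ip=198.51.100.10 user=grace result=FAIL
2016-12-15T09:00:08Z ip=198.51.100.10 user=heidi result=FAIL
2016-12-15T09:00:09Z ip=198.51.100.10 user=ivan result=FAIL
2016-12-15T09:00:10Z ip=198.51.100.10 user=judy result=OK
2016-12-15T09:01:00Z ip=203.0.113.5 user=bob result=FAIL
2016-12-15T09:01:20Z ip=203.0.113.5 user=bob result=FAIL
2016-12-15T09:01:40Z ip=203.0.113.5 user=bob result=OK
this line is malformed and is skipped by the parser
"""


def parse(lines):
    """Return (timestamp, ip, user, result) tuples; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that try >= min_users distinct accounts within `window`
    with a failure ratio >= min_fail_ratio (many accounts, one source, mostly
    wrong: the stuffing signature). For each flagged source, also collect the
    accounts it logged into successfully, which are takeover candidates."""
    events = sorted(parse(lines))
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # slide the window forward so evs[start:end+1] spans <= `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            fails = sum(1 for e in span if e[3] == "FAIL")
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                hits = {e[2] for e in span if e[3] == "OK"}
                f = findings.setdefault(ip, {"distinct_users": 0, "compromised": set()})
                f["distinct_users"] = max(f["distinct_users"], len(users))
                f["compromised"] |= hits
    return findings


if __name__ == "__main__":
    for ip, f in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {f['distinct_users']} accounts tried, "
              f"successful logins to {sorted(f['compromised']) or 'none'}")
```

Accounts listed under "compromised" are the ones to force a password reset and security-question change on, which is the defensive step the post recommends.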

The bad guys will continue to exploit this, so remind your users

Remind your users, friends and family. They will likely be confronted with Yahoo-related scams in their inbox. The bad guys are going to leverage this in a variety of ways, starting with bogus password-reset phishing attacks, but also with masked links so that if you click on one you wind up on a compromised site which could steal personal information and/or infect the computer. The variations are infinite, but the defense against them is relatively simple.

I suggest you send them the following reminder – feel free to copy/paste/edit:

“Yahoo announced that 1 billion of their accounts were hacked. These accounts are now sold by internet criminals to other bad guys which are going to use this information in a variety of ways. For instance, they will send phishing emails claiming you need to change your Yahoo account, looking just like the real ones. Here is what I suggest you do right away.

  • If you do not use your Yahoo account a lot, close it down because it’s a risk. If you use it every day:
  • Open your browser and go to Yahoo. Do not use a link in any email. Reset your password and make it a strong, complex password or, better, a pass-phrase.
  • If you were using that same password on multiple websites, you need to stop that right now. Using the same password all over the place is an invitation to get hacked. If you did use your Yahoo password on other sites, go to those sites and change the password there too. Also change the security questions and make the answers something non-obvious.
  • At home, use a free password manager that can generate hard-to-hack passwords and keep and remember them for you.
  • Watch out for any phishing emails that relate to Yahoo in any way and ask for information.
  • Now would also be a good time to use Yahoo Account Key, a simple authentication tool that eliminates the need to use a password altogether.”

If you are a KnowBe4 customer, we have a template (Yahoo Breach Phishing Template) in the Current Events Campaign which I suggest you send to all your users immediately as a reminder.

This is the largest hack ever; below is a graph from a recent Wall Street Journal article that puts it in perspective. I suggest you send this to your management.

This is exactly the kind of thing that they want to prevent from happening and security awareness training is the number one thing that makes your organization more hack-resistant since your users are your weakest IT security link.

[Graph: Yahoo1billion.jpg]



Posted in: Monthly Security Brief, Newsletter Topics, Security Awareness Training, Tech News


Expect Malicious Machine Learning In 2017, making social engineering more effective

Intel Security’s McAfee Threat Predictions for 2017 (PDF) observes that advances in technology are essentially neutral and that developments like machine learning should be welcomed, but they will also become available to cybercriminals. Machine learning in particular is something that can be misused.

Intel Security’s Eric Peterson cites CEO Fraud (The FBI calls it Business Email Compromise) – where individuals in companies are targeted through social engineering, and manipulated to fraudulently transfer money to criminal-controlled bank accounts.

There have been instances where the attacks have coincided with business travel dates for executives to increase the chances of the attack’s success, Peterson says. Combine petabytes of publicly available data with open source analysis tools and it is entirely possible, the company warns, that criminals could build malicious machine learning algorithms to pick targets more precisely and with greater levels of success.

“Looking to 2017 and beyond, we might even see purveyors of data theft offering ‘Target Acquisition as a Service’ built on machine learning algorithms,” Peterson says. “We expect that the accessibility of machine learning will accelerate and sharpen social engineering attacks in 2017.”

Something to watch out for.

Fortunately, KnowBe4 is working on heading off the bad guys at the pass with our AIDA project.

Meet AIDA – your smart sidekick that trains your employees to make smarter security decisions.

AIDA stands for Artificial Intelligence Driven Agent and uses artificial intelligence to dynamically create integrated campaigns that send emails, text and voicemail to an employee, simulating a multi-vector social engineering attack. It attempts to have the employee either click on a phishing link, tap on a link in a text message, or respond to a voice mail – any of which could compromise your network. In short, AIDA uses Artificial Intelligence to inoculate your employees against social engineering.

Tired of always being in reactive mode?

AIDA is a dramatic step in the race to get ahead of the bad guys. AIDA’s interface is deceptively simple. You just name the campaign and choose the group of employees. That is all. AIDA does the rest, and you will see the reports of who clicked, tapped and/or responded to a voicemail.

We feel this is an incredibly exciting development and finally allows you to get proactive!

At the time of this writing (1/2/2017) AIDA is in Beta, but limited to existing KnowBe4 customers because you need a full account to enable AIDA. The AIDA Beta has been opened up to all users of the KnowBe4 console. You can enable participation in this beta program by going into the Account Settings portion of your console, scrolling down to the Phishing settings, checking the “Enable AIDA Beta” checkbox, and saving the settings.


Posted in: Newsletter Topics, Security Awareness Training, Tech News


L.A. County Phishing Attack: 750,000 record data breach

Confidential health data or personal information of more than 750,000 people may have been accessed in a cyberattack on Los Angeles County employees in May that led to charges this week against a Nigerian national, officials have disclosed.

The May 13 attack targeted 1,000 county employees from several departments with a phishing email. The email tricked 108 employees into providing usernames and passwords to their accounts, some of which contained confidential patient or client information, officials said.

Most of the 756,000 people whose information may have been accessed had contact with the Department of Health Services, according to the county. A smaller amount of confidential information from more than a dozen other county departments also was compromised.

“These kinds of phishing attacks are on the rise throughout society — and the county has not been immune from that trend,” county spokesman Joel Sappell said in a statement.

Among the data potentially accessed were names, addresses, dates of birth, Social Security numbers, financial information and medical records — including diagnoses and treatment history — of clients, patients or others who received services from county departments.

In February, officials disclosed that the Department of Health Services had been targeted in a ransomware attack, a type of malware that cuts off users’ access to files or threatens to destroy them unless a ransom is paid.

The county is offering a year of free credit and identity-theft monitoring for people affected by the May phishing attack and has set up a website and call center for those seeking information: (855) 330-6368.

Ransomware attacks very often succeed through a phishing attack with a spoofed ‘From’ address. These types of attacks are hard to spot and employees tend to fall for them.


Posted in: Monthly Security Brief, Newsletter Topics, Security Awareness Training


Healthcare Records Unavailable For Months After Ransomware Infection

Healthcare records of an Arizona clinic have not been available for months after a ransomware infection. The Desert Care clinic got infected in August, and they were not able to recover the files. They sent a letter (PDF) to their clients who got the advice to monitor their credit records and account statements, benefits and credit card bills.

The server contained 500 patient records with the patient’s name, DOB, address, medical details, treatment details and apparently credit card information. Desert Care reported the breach to the U.S. Department of Health and Human Services Office for Civil Rights on December 20th. You should check this database; the number of reported data breaches in Health Care is horrendous.

The clinic mentions that they do not know if the encrypted data was also stolen, and has alerted local law enforcement and the FBI. The server was inspected by several IT specialists, but they could not decrypt the files. Clearly no backups were available, and there was no intention to pay the ransom either. I cannot repeat often enough that now is the time to religiously back up all files and also regularly test that your restore function works!

And oh, train those users not to open phishing email attachments or enable macros…


Posted in: Security Awareness Training


[ALERT] DynA-Crypt Ransomware Steals And Deletes Your Data

Our friend Larry Abrams at Bleepingcomputer alerted the world about a new strain of ransomware called DynA-Crypt that was put together using a malware creation kit by people that are not very experienced, but have a lot of destruction in mind.

Larry said: “DynA-Crypt was discovered by GData malware analyst Karsten Hahn; it not only encrypts your data, but also tries to steal a ton of information from a victim’s computer.

[Image: dyna-crypt.png, courtesy Bleepingcomputer]

Ransomware and information-stealing infections have become all-too-common, but when you combine the two into the complete mess that DynA-Crypt is, you are just left with a big pile of NASTY that just makes a mess of a victim’s programs and data.

“The problem is that this ransomware is composed of numerous standalone executables and PowerShell scripts that just do not make sense in some of the actions they perform. It not only encrypts your files while stealing your passwords and contacts, but it also deletes files without backing them up anywhere.”

A DynA-Crypt Infection Means A Full-blown Data Breach

While running, DynA-Crypt will take screenshots of your active desktop, record system sounds from your computer, log commands you type on the keyboard, and steal data from numerous installed programs like Skype, Chrome, Minecraft and many others. When stealing this data, it will copy it into a folder called %LocalAppData%\dyna\loot\. When it is ready to send to the developer, it will zip it all up into a file called %LocalAppData%\loot.zip and email it to the developer.

The Ransomware Portion of DynA-Crypt can be Decrypted

The ransomware portion of DynA-Crypt is powered by a PowerShell script that uses a standalone program called AES to encrypt a victim’s data. This script will scan a computer for files that match the following extensions and encrypt them.

When it encrypts a file it will append the .crypt extension to the encrypted file’s name. That means a file named test.jpg would be encrypted and renamed as test.jpg.crypt. The ransomware will also delete the computer’s Shadow Volume Copies so that you are unable to use it to recover files.

When done encrypting a computer, DynA-Crypt will display a lock screen asking you to pay $50 USD in bitcoins to an enclosed bitcoin address. Thankfully, at this time nobody has paid a ransom.


Posted in: Monthly Security Brief, Newsletter Topics, Security Awareness Training, Tech News, Tech Tips for Business Owners


Scam Of The Week: Valentine’s Day Phishing Attacks

It’s Valentine’s Day and the scammers are out in full force… again. There are many ways these online criminals try to trick you, but the most common are phony florists, online dating scams, phony electronic greeting cards and delivery scams. So, here are the red flags you need to look out for.

Do not trust emails or advertising from online florists or other gift retailers until you are sure that they are valid. Otherwise, you might be turning over your credit card information to a scammer or infecting your computer with malicious software.

Do not trust an online greeting card, particularly if it does not indicate who sent it to you. Be very wary of a card sent by “a secret admirer.” Even if you recognize the name, confirm that it was really sent by that person before you click on the link and open the card.

Do not trust special deliveries: there is no special charge for alcohol, so if someone requires a credit card payment for such a delivery, just politely decline, knowing you just dodged a bullet.

Do not trust anyone who indicates he or she is in love with you and then wants to communicate with you right away on an email account outside of the dating site, claims to be working abroad, asks for your address, or writes with poor grammar, which is often a sign of a foreign romance scammer. Many romance scams originate in Eastern Europe… The rule still applies: THINK before you click.


Posted in: Monthly Security Brief, Newsletter Topics, Security Awareness Training, Tech News


Ransomware Infection Causes Loss of 8 Years of Police Department Evidence

Huge Ransomware Infection!!!

The Police Department in Cockrell Hill, Texas admitted in a press release that they lost 8 years’ worth of evidence after the department’s server was infected with ransomware.

The lost evidence includes all body camera video, and sections of in-car video, in-house surveillance video, photographs, and all their Microsoft Office documents. OUCH 1.

Eight years’ worth of evidence lost

Some of the lost data goes back to 2009; some files from that era were backed up on DVDs and CDs and remain available.

“It is […] unknown how many videos or photographs that could have assisted newer cases will not be available, although the number of affected prosecutions should remain relatively small,” the press release reads.

In an interview with WFAA, who broke the story, Stephen Barlag, Cockrell Hill’s police chief, said that none of the lost data was critical. The department also notified the Dallas County District Attorney’s office of the incident.

Backup procedure kicked in after Locky infection

The department says the infection was discovered on December 12, last year, and the crooks asked for a $4,000 ransom fee to unlock the files.

After consulting with the FBI’s cyber-crime unit, the department decided to wipe their data server and reinstall everything. Data could not be recovered from backups, as the backup procedure kicked in shortly after the ransomware took root, and backed up copies of the encrypted files. OUCH 2.
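The Cockrell Hill lesson above (the nightly backup faithfully copied the encrypted files over the good ones) and the DynA-Crypt behaviour from the earlier post (victim files renamed with a .crypt suffix), as an added example that is not part of either post: a backup-rotation guard that measures how much of the source tree looks encrypted and, above a threshold, keeps every existing snapshot instead of rotating the oldest one out. The tree layout, thresholds and sample contents are constructed assumptions.

```python
"""Backup-rotation guard against backing up ransomware output (added example).

Two signals, neither reliable alone: a known ransom suffix (.crypt, from the
DynA-Crypt write-up) and near-random content in files whose names promise
structured text. Legitimate formats such as JPEG or ZIP are high-entropy too,
so binary files are not entropy-scored and the decision uses a tree-wide ratio.
"""
from collections import Counter
import math
import random

RANSOM_SUFFIXES = (".crypt",)   # extend from threat intel as new strains appear
TEXT_SUFFIXES = (".txt", ".doc", ".docx", ".csv", ".log")
ENTROPY_LIMIT = 7.5             # bits per byte; uniform random data scores ~8.0
MIN_SIZE = 256                  # tiny files give unreliable entropy estimates


def shannon_entropy(data):
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path, data):
    """True if the file carries a ransom suffix, or is a text-like file whose
    content is nearly random (what AES output looks like byte by byte)."""
    name = path.lower()
    if name.endswith(RANSOM_SUFFIXES):
        return True
    text_like = name.endswith(TEXT_SUFFIXES)
    return text_like and len(data) >= MIN_SIZE and shannon_entropy(data) > ENTROPY_LIMIT


def encryption_ratio(tree):
    """Fraction of files in `tree` (path -> bytes) that look encrypted."""
    if not tree:
        return 0.0
    return sum(looks_encrypted(p, d) for p, d in tree.items()) / len(tree)


def plan_rotation(tree, snapshots, keep=3, max_ratio=0.2):
    """Decide what the nightly job may do with the existing snapshot list.

    Normal:     append a new snapshot and drop the oldest beyond `keep`.
    Suspicious: keep every existing snapshot, store the new copy under a
                quarantine name and raise an alert, so the last clean
                snapshot is never rotated out underneath an infection.
    Returns (action, resulting_snapshot_list, alert_message_or_None).
    """
    ratio = encryption_ratio(tree)
    new_index = len(snapshots) + 1
    if ratio > max_ratio:
        held = snapshots + ["QUARANTINE-%d" % new_index]
        alert = "%.0f%% of source files look encrypted; rotation held" % (ratio * 100)
        return "hold", held, alert
    rotated = (snapshots + ["snap-%d" % new_index])[-keep:]
    return "rotate", rotated, None


# Constructed sample trees. Deterministic pseudo-random bytes stand in for
# ciphertext so the example runs offline and reproducibly.
_rng = random.Random(2016)
CIPHERTEXT_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAINTEXT_SAMPLE = b"2016-12-12 bodycam upload complete; case 4471 evidence logged.\n" * 60

CLEAN_TREE = {
    "evidence/case4471.txt": PLAINTEXT_SAMPLE,
    "evidence/case4472.txt": PLAINTEXT_SAMPLE[::-1],
    "video/dashcam_0001.bin": CIPHERTEXT_SAMPLE,   # binary video: high entropy, not flagged
}
INFECTED_TREE = {
    "evidence/case4471.txt.crypt": CIPHERTEXT_SAMPLE,  # caught by suffix
    "evidence/case4472.txt": CIPHERTEXT_SAMPLE,        # caught by entropy (not yet renamed)
    "video/dashcam_0001.bin": CIPHERTEXT_SAMPLE,
}

if __name__ == "__main__":
    for label, tree in (("clean", CLEAN_TREE), ("infected", INFECTED_TREE)):
        print(label, plan_rotation(tree, ["snap-1", "snap-2", "snap-3"]))
```

The guard only protects snapshots the ransomware cannot reach, so it belongs on a backup host or off-site copy that the infected server has no write access to.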

Infection Source: Phishing email with spoofed address

The press release says the infection took place after an officer opened a spam message from a spoofed email address imitating a department-issued email address. New-school security awareness training would very likely have prevented this.

The infection did not spread to other computers because the server was taken offline and disconnected from the local network as soon as staff discovered the ransom demand. The department also said there was no evidence of data exfiltration to a remote server.

So now, do *you* have a recent off-site backup?


Posted in: Monthly Security Brief, Newsletter Topics, Security Awareness Training, Tech News


Adobe’s New VoCo Is PhotoShop For Audio – The Potential For Voice Phishing Is Horrendous

Our friends at www.Social-Engineer.org sent me some interesting news in their January newsletter: “Adobe recently announced Project VoCo at the November Adobe Max conference.

[Image: Putting_Words_In_Mouth.jpg]

It’s purported to have the ability to take recordings of someone’s voice, then create audio that sounds like it is from that person.  In a nutshell, it’s Photoshop for audio.” 

And they continued with: “According to Adobe, the software needs about twenty minutes of someone’s voice, and then it can recreate that voice exactly. 

The software doesn’t just find words and patch them together; the 7-minute demo shows it can actually mimic someone and create speech that the person never said. You should watch it!

Couple that with the fact that spear phishing of C-suite employees is becoming a bigger problem, and you’ve got a volatile mixture. It’s usually not hard at all to find twenty minutes of audio on most CEOs and other high-level employees, considering many of them participate in press conferences, speeches, podcasts, and interviews.”

There are a multitude of ways this can be misused. For instance, you can now fully automate voice phishing with the simulated voice of someone you know, like your CEO. Hmmm.

Good job on the part of Chris Hadnagy & Michele Fincher and their gang for warning about this!

Let’s stay safe out there.


Posted in: Newsletter Topics, Tech News


IBM study: 70% of Businesses Attacked Pay Ransomware

A rather mind-blowing 70% of businesses hit by ransomware paid the hackers to regain access to hijacked systems and files, according to a new IBM X-Force Ransomware report. Of the attacked businesses, 20 percent paid over $40,000 to decrypt their files, while more than half paid more than $10,000.

[Image: IBM-Security-Ransomware-Infographic_12-13-2016.jpg]

The IBM study [registration required], “Ransomware: How Consumers and Businesses Value Their Data” surveyed 600 business leaders and more than 1,000 consumers in the U.S. to determine the value placed on different types of data. 

Around 66% of the report’s respondents are generally worried about hackers compromising data, and almost 60 percent of business leaders said they would be willing to pay the ransom to regain access to financial records, intellectual property, business plans and consumer data, the report found. And depending on the data type, they’re willing to pay between $20,000 and $50,000 to get their data back.

FBI: “Not A Good Idea To Pay Up”

Law enforcement agencies like the FBI say that it’s not a good idea to pay the ransom. But unlocking patient records in a healthcare site is crucial to keeping patients safe – so hospitals pay up big time.

IBM researchers determined that financial returns on ransomware are expected to grow to over $1 billion for cybercriminals in the next year, which means these types of extortion attempts will continue to expand. Almost 40 percent of spam emails sent in 2016 contained ransomware; we expect that number to grow.

Small to medium businesses are less prepared for a ransomware attack than larger businesses. And medium to large organizations are more likely to have taken action in the last three months to protect data.

Further, 74 percent of large organizations require employees to regularly change passwords, versus 56 percent of small companies. And only 30 percent of small organizations offer IT security awareness training. OUCH.

“Cybercriminals have no boundaries when it comes to their targets,” Limor Kessem, executive security advisor for IBM Security, said in a statement. “The digitization of memories, financial information and trade secrets require a renewed vigilance to protect it from extortion schemes like ransomware.”

Ransomware attacks very often succeed through a phishing attack with a spoofed ‘From’ address. These types of attacks are hard to spot and employees tend to fall for them.


Posted in: Monthly Security Brief, Security Awareness Training, Tech News


Would you hand over your social media account details for a new job?

As the makers of recruiting platforms are happy to remind us, your social media self is extremely likely to be perused by recruiters who’ll either snap you up when they see the results or turn up their noses at, say, your posts about OMG how much you HATE your boss and hope he DIES!

According to one such vendor, as of 2013, 93% of recruiters were likely to look at a candidate’s social profile, and 42% had been moved to give the thumbs-up or -down based on what they turned up.

There have been various tools put forth that make it easier for employers to get at your “true” self.

(And before you protest that our social media selves are not, in fact, our “true” selves, I need to point out that researchers say otherwise. “Disagreeable” or “non-conscientious” people are, in fact, more likely to emit the unpleasant aroma of, say, bad-mouthing peers and employers on social media.)

Now, there’s another such tool to go beyond just plain old running a search on a candidate.

Called The Social Index, the online service promises to rifle through the digital footprints of short-listed job candidates and present employers or recruiters with a report.

That report is an infographic that, the company claims, maps out a candidate’s “personal brand.”

It crunches data from Facebook, Twitter and LinkedIn. According to a report from Mashable, The Job Index focuses on those three social platforms partly because they’re common, but also because, typically, they’re the ones most relevant to a company’s client activities or reputation.

It takes about 30 seconds for the candidate to be analyzed before their “social footprint” is ready. Within 24 hours the report will be delivered to both the client and the job seeker.

It’s a lot faster than slogging through Google searches for a name. Plus, as the founder of the Australian company, Fiona McLean, points out, when you rely on search engine results, you can’t even be sure the profile you’re looking at is for the right person.

As far as privacy goes, McLean points out that the system only looks at public information, and it doesn’t share people’s posts with companies.

If it’s not online, then a client can’t see it in the report.

The system maps out when, where, and how often people are posting. It also gives a timeline for your career, highlighting both the good – say, when you got promoted, or your average tenure – and the bad – say, unaccounted chunks of time that don’t reflect your being employed, or a brief average tenure that could point to a pattern of getting shown the curb after a few months.

Like Klout, it also shows how much of an influencer you are: How many connections you have on any given platform, for example. The system also does some sentiment analysis to show how positive your digital self is.

Employers will be able to tweak it to fit a given role. McLean gave the example of a job that requires a lot of social media interaction: if your profile shows that you don’t post much, that’s bad.

“I worked with someone early on who was hiring for a social media role, and they were getting a lot of people who were saying ‘well I know social media, I do a lot of it,’ but the reality was they knew the theory of it but couldn’t demonstrate it.”

…on the other hand, if you’re spending all day posting when social media interaction isn’t part of your gig, that’s pretty bad too, McLean said:

“If the role is a back office accountant and they are equally on social media between 10 and 4, the chances are, they are not doing the core part of the role as well as they could.”

But wait, isn’t it illegal to ask employees for their account logins? Illegal, as in, it’s against user policies to share your account passwords?

Back in June, we got wind of a service that offered to scour potential tenants’ social media profiles for landlords.

The service, called Tenant Assured, still hasn’t launched, but its plan is to provide detailed reports assessing rental applicants’ personality traits, creditworthiness and financial risk by directly accessing their Facebook, Twitter, LinkedIn and Instagram profiles, with the applicant’s consent.

Consent needs to be given for either of these social media-mining apps.

That still doesn’t answer the question, though: isn’t it illegal to demand workers’ passwords?

No, it’s not, at least in the US. As it is, a number of US states have tried to make it so, but the US House has declined to ban the practice.

At any rate, job candidates and tenants alike can decline to hand over access to their accounts.

But if apps like Tenant Assured and The Social Index become widely used, will we even have a choice? My way or the highway or, in this case, pry way or the highway!

Hand over access, or some day you could well find yourself being disregarded for an apartment or a job.

When it comes to The Social Index, the small mercy is that they’re only going after publicly posted data.

It’s yet another very good reason to clean up your past posts and to lock down your privacy.

To maintain privacy, use privacy controls. Millions of Facebook users are oblivious to, or just don’t use, privacy controls.

Don’t be one of them, and while you’re at it, don’t let your friends or family fall into that category.

To see who can find the things you’ve shared, you can use privacy shortcuts and Activity Log to review your personal trail of glory and misdeeds.

Go to Facebook’s Activity Log page for a list of your posts and activity, from today back to the dawn of your Facebook life.

There, you can find stories and photos you’ve been tagged in, Pages you’ve liked, friends you’ve added, your photos, and photos you’re tagged in that are shared with Public.

Besides photos we’re tagged in without our permission, most of the stuff that’s in our Graphs is up because we put it there.

To further clean up our Facebook personae, we can always remove a tag from a photo or post we’re tagged in.

As Facebook outlines here, you do that by hovering over the story, then clicking and selecting Report/Remove Tag from the drop-down menu. Then, remove the tag or ask the person who posted it to take it down.

Also, to further lock down your profile, take a gander at these three ways to better secure your Facebook account.

 

Article by: Sophos


Posted in: Monthly Security Brief, Newsletter Topics, Tech News
