Adobe’s New VoCo Is PhotoShop For Audio – The Potential For Voice Phishing Is Horrendous


[Image: RDP attacks 2017, picture courtesy Trend Micro]

Remember the CRYSIS ransomware? The attacks have started up again, mostly targeting US healthcare organizations, using brute-force attacks via Remote Desktop Protocol (RDP).

The number of attacks has more than doubled in volume in January 2017 over that same timeframe in 2016. This most recent wave included a wide variety of sectors worldwide, but the U.S. healthcare sector was hit the hardest.

Security researchers at Trend Micro observed that the same cyber mafia that perpetrated the 2016 CRYSIS attacks is behind this recent wave of ransomware attacks, as evidenced by the very same file names and malware placement that were used earlier.

The problem: User accounts with weak credentials, open RDP ports

The bad guys try to log in to the system using common username and password combos, and once the system is accessed they return multiple times to quickly compromise the machine. Trend Micro found that these repeated attempts were generally successful in a matter of minutes.

A typical infection goes through the following steps. An attacker picks targets with RDP ports exposed online and identifies whether the computer belongs to an enterprise network. Alternatively, he can always buy access to previously hacked RDP servers via marketplaces like xDedic.

Once he has purchased access, or gained it by brute-forcing the RDP connection with basic username-password combos, the attacker downloads and then manually executes a version of the CRYSIS ransomware on each hacked computer.


In one case it was observed that CRYSIS was deployed six times, packed in different ways on a single endpoint within ten minutes. The attackers copied over several files and appeared to be experimenting with different payloads to find the best option.

Because there are no default restrictions on shared folders or clipboards, these features may be exposed to the internet and accessible by a malicious individual unless the network administrator applies controls.

What To Do About It:

Best practice to protect a network from a brute force RDP attack is to apply strong RDP security settings, including limiting or disabling access to shared folders and clipboards from remote locations.

An RDP brute-force attack leaves the attacker's information in the logs of the targeted network, so parse the Windows Event Viewer logs to find the compromised user account and the attacker's IP address, then reset that account and block that address.
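The check recommended above, as an added example that is not code from the original post: it looks for a successful RDP logon that follows a run of failed ones from the same source address in exported Windows Security log events. It assumes the records carry the standard fields EventID, TargetUserName, IpAddress and LogonType (4625 is a failed logon, 4624 a successful one, LogonType 10 is RemoteInteractive, and with Network Level Authentication failed RDP attempts are logged as LogonType 3); the sample events are constructed for the demo.

```python
"""Find a successful RDP brute-force logon in exported Windows Security log
events (added example, not the original post's code; sample data constructed)."""
from collections import defaultdict

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPES = {3, 10}   # 3 = network (NLA pre-auth), 10 = RemoteInteractive (RDP)


def ev(t, eid, user, ip, ltype):
    """Build one exported Security log record (field names as in Event Viewer)."""
    return {"time": t, "EventID": eid, "TargetUserName": user,
            "IpAddress": ip, "LogonType": ltype}


# Constructed sample: one address hammers common usernames and finally gets in;
# a second address is a legitimate admin who mistyped a password once.
SAMPLE_EVENTS = [
    ev("2017-01-10T02:14:01", 4625, "administrator", "203.0.113.7", 3),
    ev("2017-01-10T02:14:02", 4625, "admin", "203.0.113.7", 3),
    ev("2017-01-10T02:14:03", 4625, "administrator", "203.0.113.7", 3),
    ev("2017-01-10T02:14:04", 4625, "backup", "203.0.113.7", 3),
    ev("2017-01-10T02:14:05", 4625, "scanner", "203.0.113.7", 3),
    ev("2017-01-10T02:14:06", 4625, "administrator", "203.0.113.7", 3),
    ev("2017-01-10T02:14:08", 4624, "scanner", "203.0.113.7", 10),
    ev("2017-01-10T09:01:12", 4625, "jsmith", "192.0.2.44", 3),
    ev("2017-01-10T09:01:30", 4624, "jsmith", "192.0.2.44", 10),
]


def find_rdp_brute_force(events, threshold=5):
    """Return {ip: {"failures", "usernames_tried", "compromised"}} for every
    source address with at least `threshold` failed RDP logons. Any account
    that then logged in successfully from that address is listed as compromised."""
    failures = defaultdict(int)
    tried = defaultdict(set)
    compromised = defaultdict(list)
    for e in sorted(events, key=lambda r: r["time"]):
        if e.get("LogonType") not in RDP_LOGON_TYPES:
            continue
        ip = e["IpAddress"]
        if e["EventID"] == FAILED_LOGON:
            failures[ip] += 1
            tried[ip].add(e["TargetUserName"])
        elif e["EventID"] == SUCCESS_LOGON and failures[ip] >= threshold:
            # A success only after a run of failures: the guessing worked.
            if e["TargetUserName"] not in compromised[ip]:
                compromised[ip].append(e["TargetUserName"])
    return {ip: {"failures": n,
                 "usernames_tried": sorted(tried[ip]),
                 "compromised": compromised[ip]}
            for ip, n in failures.items() if n >= threshold}


def block_rule(ip):
    """Windows Firewall command that blocks further inbound traffic from `ip`."""
    return ('netsh advfirewall firewall add rule name="Block RDP brute force %s" '
            'dir=in action=block remoteip=%s' % (ip, ip))


if __name__ == "__main__":
    for ip, info in find_rdp_brute_force(SAMPLE_EVENTS).items():
        print(ip, "failures:", info["failures"], "tried:", info["usernames_tried"])
        print("  reset/disable:", ", ".join(info["compromised"]) or "none")
        print("  block with:", block_rule(ip))
```

The legitimate admin's single typo stays below the threshold, so only the guessing source and the account it got into are reported.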


A Study by the World Bank stated that Russia boasts more than 1 million software specialists involved in research and development.

Russian illegal cyber warriors are among the most proficient in the world, with around 40 large criminal cyber rings operating within the country's borders.

The Russian government has long been known to source its technology, world-class hacking talent and even some intelligence information from local cyber crime rings.

Hacking activities include the penetration of national infrastructure systems and money markets, and the theft of state secrets and intellectual property. All of these destabilizing attacks can be considered preparation for any future conflict. Russian hackers made repeated attempts during 2016 to stage cyber break-ins at major US institutions, including the White House and the State Department.

Read more about this in an article at The Conversation by Professor of Electrical and Electronic Engineering and Director of Electronic Warfare Research, City, University of London

Very often, Russian hacking starts with a phishing attack. As one of his last actions in office, President Obama expelled 35 Russian diplomat-spies in retaliation for Russia interfering with the U.S. election process, after the intelligence agencies lined up their stories and all pointed at Putin.

Bloomberg wrote: “The attack against U.S. democracy began in the summer of 2015 with a simple trick: Hackers working for Russia’s civilian intelligence service sent e-mails with hidden malware to more than 1,000 people working for the American government and political groups. U.S. intelligence agencies say that was the modest start of  ‘Grizzly Steppe,’ their name for what they say developed into a far-reaching Russian operation to interfere with this year’s presidential election.”





[ALERT] The bad guys are starting their tax scams early this season! They are now combining two scams-in-one. First, they ask you to send them the W-2 forms of all employees, with the email looking like it comes from the CEO or a C-level executive. Next, they follow up with an urgent request to transfer a large sum of money to a bank account controlled by these cyber criminals.


Remember that when you receive sudden requests like this, they may be spoofed emails, and that you should double-check by picking up the phone and verifying that this is a legitimate request coming from that executive. In these cases, it's “OK to say NO to the CEO”.


This tax season, stay alert for scams like this, and Think Before You Click!



What can a powerful, all-seeing algorithm predict about you, based on your online footprint, publicly available information and Facebook Likes?

I, whom you can henceforth refer to as Human #1067494, have found out.

To do so, I’ve engaged with an online environment called Predictive World: an interface to process users’ data that was recently released by videogame publisher Ubisoft.

To partake, you either have to agree to let the program access your Facebook profile (for the most accurate profiling) or to hand over basic information on your own.

The game-maker developed Predictive World in collaboration with the Psychometrics Centre of the University of Cambridge.

Based on their research, the thinking goes, it can generate accurate predictions of who we are, how many pints we put away every week, how much we weigh, how tall we are, how much we smoke, and when we’re going to die, among many other variables.

The game-maker has delved into the dangers of big data and predictive algorithms as one of the themes of its action-adventure game Watch Dogs 2: a game in which hero Marcus Holloway is wrongly profiled as a main suspect for a crime he didn’t commit by a city-wide operating system that collects and analyzes data on all citizens.

Ubisoft assures us that this is where fiction meets reality. Predictive World is all about demonstrating how seemingly trivial data about us can be pulled together and processed into profiles and patterns:

Each day, we leave a trail of more than 5 billion gigabytes of data behind us. This information comes from billions of collection points: from online transactions of course, to GPS signals, social media likes, texts we exchange, or even parking tickets, soda dispensers, etc.

They are then sold, bought, and analysed through different touch points in order to create strong and accurate probabilities on who we are or what we’re most likely to do.

As we often write about on Naked Security, Big Data covers many categories.

It’s not necessarily the photos you snap of your cat, for example.

But the term most certainly includes a collection of a million different cats, organized by location as precise as street address, that you may have contributed to by making your photo APIs publicly available on sites like Flickr, Twitpic, Instagram or the like.

You can take that scenario and replicate it on all the sites where our data is amassed: Automatic Number Plate Recognition (ANPR) cameras are another good example of how we can be tracked, given that our plate numbers stay the same while our locations change.

In fact, the US Drug Enforcement Administration (DEA) has been building a national license plate reader (LPR) database over several years that it shares with federal and local authorities, with no clarity on whether the network is subject to court oversight.

Then too, there’s the giant database of Wi-Fi access points from Google’s StreetView cars that it was using to aid and abet its geolocation services.

Predictive World is far from the first online tool to crunch our online selves to show us how all those Big Data players come up with profiles. Those profiles can be used, for example, to pass us over for jobs, given that most recruiters nowadays pore over our social network profiles before they decide whether to call us in for an interview.

One example of the tools used to demonstrate the data trails we leave behind was a site called “We know what you’re doing”. It aggregated some of our choicer social media content for us, delivered courtesy of Facebook via its Graph API.

Another was Please Rob Me. When it launched in 2010, it was using check-in data from the location-based Foursquare social network that was subsequently posted to Twitter.

When the information becomes publicly available on Twitter, it makes it theoretically possible for a robber to know when you’re away from home.

Well, maybe it was theoretical when they launched the site, but it sure didn’t stay theoretical for long. One set of burglars put the theory to the test by breaking into the home of friends after reading their Facebook updates to find out when they’d be away.

But back to Predictive World. After you sign in (I allowed it access to my Facebook profile to see how well it would do when spoon-fed), it collects data such as your gender, age, and pages you’ve liked, and combines them with local demographics to generate a profile of who you are.

How did it do?

Wow, the details that can be gleaned about you from Facebook!

Wow, how wrong they can be!

Predictive World believes that I’m tall, fat, have a 12.8% chance of smoking pot, make about double the minimum wage, have a conscientiousness factor of something like 43%, and will die at the age of 84.9 years.

Wrong, wrong, wrong, wrong.

So let’s reframe the initial question: what can a powerful algorithm that corporations or police may well consider to be all-seeing but is in actuality peering through cracked glasses with severe myopia guess about you based on your online footprint?

In my case, it guessed that I'm 4″ taller than I am, that I weigh 49 lbs. more than I do, that I make 31% of what I actually earn, that I drink two pints of beer a week (are you kidding?! I'm gluten intolerant!), and that my “risk” of smoking marijuana is 12.8%.

How much do those, and myriad other inaccuracies, affect predictive analytics?

A lot, if Predictive World is indicative: my life expectancy shot up from 84.9 years to 95.1 when I corrected those variables.

While it’s easy to see where big data can siphon concrete personal information such as our age or our location from Facebook (if we’ve made such data public and haven’t lied about it), it’s worth asking how it guesses at more subjective things, such as our level of satisfaction with life.

Predictive World is happy to tell you. You can click on each one of a series of rays that emanates from a throbbing circular graphic to get details on how a particular variable is derived.

For instance, people who like the same things as I do on Facebook tend to describe themselves as loving life. It can’t be all about the likes, though: my 94.13% satisfaction level shot up from 63% after I told the tool I wasn’t as poor as it initially assumed.


It isn’t, in fact, all about the likes. Predictive World is based on an algorithm developed by the Psychometrics Centre using a wide range of data sources, such as psychological and social media data from more than 6 million research participants, along with a bespoke infrastructure designed for the project that contains 6.3 billion data points.

That enables Predictive World to visualize the relationships between gender and salary, location and crime risk, personality and longevity, and much more.

Collecting and processing users’ digital footprints and combining predictions with open data, the system is able to make 70 data-driven predictions about an individual, from personality traits and intelligence to life expectancy and even financial risk propensity.

But does it really matter if it’s accurate or not?

What’s worth noting is that this kind of information can be, and is being, used to build up detailed profiles of us. Not necessarily accurate, mind you, but highly detailed nonetheless.

Earlier in the month, for example, before Facebook called off the plan, a UK car insurer was going to use young drivers’ data to analyze their personalities and offer quotes based on their profiles.

Predictive World posed this question: do I want my insurance company to have this type of information about me?

No, I can’t say that I do.

I don’t know which would be worse: having insurance companies think I’m going to die at 85 so they can offer me long-term care and not go broke; have them find out I’m diabetic (Predictive World doesn’t seem to know that; if it did, it would probably have guessed, based on average life expectancy of diabetics, that I had already kicked the bucket); or having insurers construct a more accurate profile of me so they can drop me like a hot potato when they find out that diabetes thing.

I don’t know whether I want to sharpen the accuracy of Predictive World’s, or insurance companies’ or banks’, vision of who I am. I’m leaning toward keeping my Facebook profile nice and fuzzy.

What’s your plan?



This is getting old. It's all over the press… again. Here is a Reuters article where I am quoted, which covers the most recent billion-record Yahoo hack.

Some people asked me after our Flash announcement last week: “Stu, really, these hacks happened a few years ago, closing down my whole Yahoo account, or blocking Yahoo at the firewall… aren’t you going a bit overboard here?”

Good question. Here is my take:

Well, that whole 1B database was sold on the dark web by a group of professional blackhats from Eastern Europe for 300K (and is still for sale at a much lower price right now), which means that a ton of bad guys now have these credentials. Worse, they also have answers to security questions like “your mother's maiden name”, which do not change like passwords do, and backup email addresses that could help with resetting forgotten passwords.

Bloomberg reported that 150,000 U.S. government and military employees are among the victims in the latest breach.

My position is that all Yahoo accounts need to be considered compromised. They are sitting ducks for spam, phishing and malware attacks. If employees check their Yahoo account on their lunch break, do you want to expose your company network to that?

It looks like Yahoo has not learned their lessons, so new hacks can happen any time. There has been an exodus of qualified Yahoo staff and they seem to be unable to apply best security practices. They are now forcing all users (link to WSJ article) to change their password, but that’s too little, too late. I simply have lost trust.

So, I recommend you warn your users, friends and family… again. We have been here before on September 23rd when the 500 million record hack was first announced.

In September, Yahoo did not force people to change passwords, but now they are forcing a password change, and the bad guys are (again) all over this — the ones that own the Yahoo database but also the ones that do not, because news like this is a phishing paradise.

This is a phishing paradise with significant fallout

Phishing attacks will likely be the number one fallout, with Yahoo user accounts being used for social engineering attacks. However, since many people use the same username and password across multiple sites, the other thing that will continue to happen is “credential stuffing”: a brute-force attack where attackers inject the stolen Yahoo usernames, passwords and possibly the answers to security questions into other websites until they find a match.

The bad guys will continue to exploit this, so remind your users

Remind your users, friends and family. They will likely be confronted with Yahoo-related scams in their inbox. The bad guys are going to leverage this in a variety of ways, starting with bogus password-reset phishing attacks, but also with masked links so that if you click on one you wind up on a compromised site which could steal personal information and/or infect the computer. The variations are infinite, but the defense against them is relatively simple.

I suggest you send them the following reminder – feel free to copy/paste/edit:

“Yahoo announced that 1 billion of their accounts were hacked. These accounts are now sold by internet criminals to other bad guys which are going to use this information in a variety of ways. For instance, they will send phishing emails claiming you need to change your Yahoo account, looking just like the real ones. Here is what I suggest you do right away.

  • If you do not use your Yahoo account a lot, close it down because it's a risk. If you use it every day:
  • Open your browser and go to Yahoo. Do not use a link in any email. Reset your password and make it a strong, complex password, or better yet a pass-phrase.
  • If you were using that same password on multiple websites, you need to stop that right now. Using the same password all over the place is an invitation to get hacked. If you did use your Yahoo password on other sites, go to those sites and change the password there too. Also change the security questions and make the answers something non-obvious.
  • At home, use a free password manager that can generate hard-to-hack passwords and keep and remember them for you.
  • Watch out for any phishing emails that relate to Yahoo in any way and ask for information.
  • Now would also be a good time to use Yahoo Account Key, a simple authentication tool that eliminates the need to use a password altogether.”

If you are a KnowBe4 customer, we have a template in the Current Events Campaign which I suggest you send to all your users immediately as a reminder.

This is the largest hack ever. Below is a graph fresh from an article in the Wall Street Journal that puts it in perspective; I suggest you send this to your management.

This is exactly the kind of thing that they want to prevent from happening and security awareness training is the number one thing that makes your organization more hack-resistant since your users are your weakest IT security link.





Intel Security’s McAfee Threat Predictions for 2017 (PDF) observes that advances in technology are essentially neutral and that developments like machine learning should be welcomed, but they will also become available to cybercriminals. Machine learning in particular is something that can be misused.

Intel Security’s Eric Peterson cites CEO Fraud (The FBI calls it Business Email Compromise) – where individuals in companies are targeted through social engineering, and manipulated to fraudulently transfer money to criminal-controlled bank accounts.

There have been instances where the attacks have coincided with business travel dates for executives to increase the chances of the attack’s success, Peterson says. Combine petabytes of publicly available data with open source analysis tools and it is entirely possible, the company warns, that criminals could build malicious machine learning algorithms to pick targets more precisely and with greater levels of success.

“Looking to 2017 and beyond, we might even see purveyors of data theft offering ‘Target Acquisition as a Service’ built on machine learning algorithms,” Peterson says. “We expect that the accessibility of machine learning will accelerate and sharpen social engineering attacks in 2017.”

Something to watch out for.

Fortunately, KnowBe4 is working on heading off the bad guys at the pass with our AIDA project.

Meet AIDA – your smart sidekick that trains your employees to make smarter security decisions.

AIDA stands for Artificial Intelligence Driven Agent and uses artificial intelligence to dynamically create integrated campaigns that send emails, texts and voicemails to an employee, simulating a multi-vector social engineering attack. It attempts to have the employee either click on a phishing link, tap on a link in a text message, or respond to a voicemail, any of which could compromise your network. In short, AIDA uses Artificial Intelligence to inoculate your employees against social engineering.

Tired of always being in reactive mode?

AIDA is a dramatic step in the race to get ahead of the bad guys. AIDA’s interface is deceptively simple. You just name the campaign and choose the group of employees. That is all. AIDA does the rest, and you will see the reports of who clicked, tapped and/or responded to a voicemail.

We feel this is an incredibly exciting development and finally allows you to get proactive!

At the time of this writing (1/2/2017) AIDA is in Beta, but limited to existing KnowBe4 customers because you need a full account to enable AIDA. The AIDA Beta has been opened up to all users of the KnowBe4 console. You can enable participation in this beta program by going into the Account Settings portion of your console, scrolling down to the Phishing settings, checking the “Enable AIDA Beta” checkbox, and saving the settings.

Our friend Larry Abrams at Bleepingcomputer alerted the world about a new strain of ransomware called DynA-Crypt that was put together using a malware creation kit by people that are not very experienced, but have a lot of destruction in mind.

Larry said: “DynA-Crypt was discovered by GData malware analyst Karsten Hahn. It not only encrypts your data, but also tries to steal a ton of information from a victim's computer.

[Image: DynA-Crypt, courtesy Bleepingcomputer]

Ransomware and information-stealing infections have become all-too-common, but when you combine the two into the complete mess that DynA-Crypt is, you are just left with a big pile of NASTY that just makes a mess of a victim's programs and data.

“The problem is that this ransomware is composed of numerous standalone executables and PowerShell scripts that just do not make sense in some of the actions they perform. It not only encrypts your files while stealing your passwords and contacts, but it also deletes files without backing them up anywhere.”

A DynA-Crypt Infection Means A Full-blown Data Breach

While running, DynA-Crypt will take screenshots of your active desktop, record system sounds from your computer, log commands you type on the keyboard, and steal data from numerous installed programs like Skype, Chrome, Minecraft and many others. When stealing this data, it will copy it into a folder called %LocalAppData%\dyna\loot\. When it is ready to send it to the developer, it will zip it all up into a file called %LocalAppData%\, and email it to the developer.

The Ransomware Portion of DynA-Crypt can be Decrypted

The ransomware portion of DynA-Crypt is powered by a PowerShell script that uses a standalone program called AES to encrypt a victim’s data. This script will scan a computer for files that match the following extensions and encrypt them.

When it encrypts a file it will append the .crypt extension to the encrypted file's name. That means a file named test.jpg would be encrypted and renamed as test.jpg.crypt. The ransomware will also delete the computer's Shadow Volume Copies so that you are unable to use them to recover files.

When done encrypting a computer, DynA-Crypt will display a lock screen asking you to pay $50 USD in bitcoins to an enclosed bitcoin address. Thankfully, at this time nobody has paid a ransom.




It’s Valentine’s Day and the scammers are out in full force… again. There are many ways these online criminals try to trick you, but the most common are phony florists, online dating scams, phony electronic greeting cards and delivery scams. So, here are the red flags you need to look out for.


Do not trust emails or advertising from online florists or other gift retailers until you are sure that they are valid. Otherwise, you might be turning over your credit card information to a scammer or infecting your computer with malicious software.


Do not trust an online greeting card, particularly if it does not indicate who sent it to you. Be very wary of a card sent by “a secret admirer.” Even if you recognize the name, confirm that it was really sent from that person before you click on the link and open the card.


Do not trust special deliveries. There is no special charge for alcohol, so if someone requires a credit card payment for such a delivery, just politely decline, knowing you just dodged a bullet.


Do not trust anyone who indicates he or she is in love with you and then wants to communicate with you right away on an email account outside of the dating site, claims to be working abroad, asks for your address, or writes with poor grammar, which is often a sign of a foreign romance scammer. Many romance scams originate in Eastern Europe… The rule still applies: THINK before you click.


Huge Ransomware Infection!!!


The Police Department in Cockrell Hill, Texas admitted in a press release that they lost 8 years’ worth of evidence after the department’s server was infected with ransomware.

The lost evidence includes all body camera video, and sections of in-car video, in-house surveillance video, photographs, and all their Microsoft Office documents. OUCH 1.

Eight years’ worth of evidence lost

Some of the lost data goes back to 2009; some files from that era were backed up on DVDs and CDs and remain available.

“It is […] unknown how many videos or photographs that could have assisted newer cases will not be available, although the number of affected prosecutions should remain relatively small,” the press release reads.

In an interview with WFAA, who broke the story, Stephen Barlag, Cockrell Hill’s police chief, said that none of the lost data was critical. The department also notified the Dallas County District Attorney’s office of the incident.

Backup procedure kicked in after Locky infection

The department says the infection was discovered on December 12, last year, and the crooks asked for a $4,000 ransom fee to unlock the files.

After consulting with the FBI’s cyber-crime unit, the department decided to wipe their data server and reinstall everything. Data could not be recovered from backups, as the backup procedure kicked in shortly after the ransomware took root, and backed up copies of the encrypted files. OUCH 2.
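The failure described above, where the backup job faithfully copied the encrypted files over the good ones, is the reason a backup rotation needs a sanity check before it replaces the previous generation. Here is one as an added example, not code from the original post: it refuses a run in which most files changed or vanished, or in which files carry an extension a ransomware family named on this page appends (.locky for Locky, .crypt for DynA-Crypt), and keeps the last accepted generation untouched. The snapshots, the 10% change threshold and the extension list are constructed assumptions for the demo.

```python
"""Backup rotation that refuses to overwrite the last good generation with a
snapshot full of encrypted files (added example; snapshots are constructed)."""
import hashlib
import os

SUSPECT_EXTENSIONS = {".locky", ".crypt"}   # assumed list: families named on this page
MAX_CHANGED_FRACTION = 0.10                  # assumed: >10% of files changed in one run is abnormal


def fingerprint(snapshot):
    """Map path -> sha256 of content for a {path: bytes} snapshot."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in snapshot.items()}


def assess_snapshot(previous, current):
    """Compare two {path: bytes} snapshots. The run is refused when too many
    files changed or vanished, or when files carry a ransomware extension."""
    prev_fp, cur_fp = fingerprint(previous), fingerprint(current)
    changed = {p for p in prev_fp if p in cur_fp and cur_fp[p] != prev_fp[p]}
    missing = set(prev_fp) - set(cur_fp)
    suspect = sorted(p for p in cur_fp
                     if os.path.splitext(p)[1].lower() in SUSPECT_EXTENSIONS)
    fraction = (len(changed) + len(missing)) / max(len(prev_fp), 1)
    reasons = []
    if suspect:
        reasons.append("%d files carry a ransomware extension" % len(suspect))
    if fraction > MAX_CHANGED_FRACTION:
        reasons.append("%.0f%% of backed-up files changed or vanished" % (fraction * 100))
    return {"ok": not reasons, "changed": len(changed), "missing": len(missing),
            "suspect": suspect, "reasons": reasons}


class GenerationalBackup:
    """Keeps the last `keep` accepted generations; a refused snapshot is held
    aside for investigation instead of rotating the good copies out."""

    def __init__(self, keep=3):
        self.keep = keep
        self.generations = []   # accepted snapshots, oldest first
        self.held = []          # refused snapshots

    def run(self, snapshot):
        if self.generations:
            verdict = assess_snapshot(self.generations[-1], snapshot)
        else:
            verdict = {"ok": True, "reasons": []}   # first run has nothing to compare
        if verdict["ok"]:
            self.generations.append(snapshot)
            self.generations = self.generations[-self.keep:]
        else:
            self.held.append(snapshot)
        return verdict

    def last_good(self):
        return self.generations[-1] if self.generations else None


def make_snapshot(edited=None, encrypted=False):
    """Constructed evidence-server file set: 8 videos and 8 reports.
    `encrypted` mimics Locky renaming every file and replacing its content."""
    files = {}
    for i in range(8):
        files["evidence/bodycam_%03d.mp4" % i] = b"video-frames-%d" % i
        files["reports/case_%03d.docx" % i] = b"report-text-%d" % i
    if edited:
        files[edited] = b"updated " + files[edited]
    if encrypted:
        files = {p + ".locky": hashlib.sha256(d).digest() for p, d in files.items()}
    return files


DAY1 = make_snapshot()
DAY2 = make_snapshot(edited="reports/case_003.docx")      # normal day: one report edited
DAY3 = make_snapshot(edited="reports/case_003.docx", encrypted=True)   # after infection


def demo():
    """Run three nightly backups; returns the per-run verdicts and the job."""
    backup = GenerationalBackup(keep=3)
    verdicts = [backup.run(s)["ok"] for s in (DAY1, DAY2, DAY3)]
    return verdicts, backup


if __name__ == "__main__":
    verdicts, backup = demo()
    print("accepted runs:", verdicts)
    print("refused because:", backup.run(DAY3)["reasons"])
    print("last good generation still clean:", backup.last_good() == DAY2)
```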

Infection Source: Phishing email with spoofed address

The press release says the infection took place after an officer opened a spam message from a spoofed email address imitating a department-issued email address. New-school security awareness training would very likely have prevented this.

The infection did not spread to other computers because the server was taken offline and disconnected from the local network as soon as staff discovered the ransom demand. The department also said there was no evidence of data exfiltration to a remote server.

So now, do *you* have a recent off-site backup?

Our friends at sent me some interesting news in their January newsletter: “Adobe recently announced Project VoCo at the November Adobe Max conference.

It’s purported to have the ability to take recordings of someone’s voice, then create audio that sounds like it is from that person.  In a nutshell, it’s Photoshop for audio.” 

And they continued with: “According to Adobe, the software needs about twenty minutes of someone’s voice, and then it can recreate that voice exactly. 

The software doesn’t just find words and patch them together; the 7-minute demo shows it can actually mimic someone and create speech that the person never said. You should watch it!

Couple that with the fact that spear phishing of C-suite employees is becoming a bigger problem, and you've got a volatile mixture. It's usually not hard at all to find twenty minutes of audio on most CEOs and other high-level employees, considering many of them participate in press conferences, speeches, podcasts, and interviews.”

There are a multitude of ways this can be misused. For instance, you can now fully automate voice phishing with the simulated voice of someone you know, like your CEO. Hmmm.

Good job on the part of Chris Hadnagy & Michele Fincher and their gang for warning about this!

Let’s stay safe out there.




Copyright © 2015 - 2018 Sentree Systems, Corp. All rights reserved.

Sentree Systems, Corp. | 6137 Crawfordsville Rd Ste F #177 Indianapolis, IN 46224 | 317-939-3282