In my previous post, I wrote about ransomware and prevention. In this post, I’d like to highlight some good practices that can help you out with the prevention of Ransomware being executed against your clients and servers.
The most effective solution I came across is using FSRM (File Server Resource Manager) to create file screens that report on and block files being written or renamed with known ransomware file extensions. This solution was covered extensively by Tim Buntrock on TechNet. Please see the link below.
This provides a starting point for configuring an effective file-blocking and email-notification system that prevents the files from being changed and also notifies both us and the user whose account executed the ransomware.
You can modify the options from just blocking and reporting to shutting off shares immediately or rebooting the affected server depending on the specific requirements.
The file-extension list will need to be updated manually as new variants are released, but I have seen people writing scripts to automate this, so that is also worth keeping an eye out for.
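An added example (not Tim Buntrock's script and not part of the original post) of building that file screen with the FSRM PowerShell module on the file server. The share path, mail addresses, SMTP relay, helper script path and the handful of extensions are constructed placeholders; the extension list must come from a maintained source and be refreshed as variants appear.

```powershell
# Added example: FSRM file screen that blocks and reports writes of known
# ransomware file extensions. Assumes Windows Server with the FSRM feature
# available and an elevated prompt. All names, paths and addresses below are
# constructed placeholders for this example.

# 1. Install FSRM (one-time) so the Fsrm* cmdlets and the filter driver exist.
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

# 2. Point FSRM at a mail relay so notifications can be sent.
Set-FsrmSetting -SmtpServer 'smtp.example.local' `
                -FromEmailAddress 'fsrm@example.local' `
                -AdminEmailAddress 'it-security@example.local'

# 3. File group of ransomware extensions and ransom-note names. These few
#    patterns are illustrative only; maintain the real list from a current,
#    reputable source and update it as new variants appear (step 6).
$ransomwarePatterns = @(
    '*.locky', '*.zepto', '*.crypt', '*.encrypted', '*.locked',
    '*.micro', '*.vault', '*.ecc', '*.ezz', '*.exx',
    '*DECRYPT_INSTRUCTION*', '*HELP_DECRYPT*', '*_HOW_TO_DECRYPT*'
)
$groupName = 'Ransomware File Extensions'
if (-not (Get-FsrmFileGroup -Name $groupName -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name $groupName -IncludePattern $ransomwarePatterns `
        -Description 'Known ransomware extensions and ransom notes' | Out-Null
}

# 4. Notifications fired when the screen is violated. FSRM throttles repeats
#    of the same action per its global run-limit interval.
#    a) Email to the admin mailbox AND to the user whose account wrote the file.
#       [Source Io Owner] and friends are FSRM's built-in notification macros.
$mail = New-FsrmAction -Type Email `
    -MailTo '[Admin Email];[Source Io Owner Email]' `
    -Subject 'Ransomware activity blocked on [Server]' `
    -Body ('User [Source Io Owner] tried to write [Source File Path] ' +
           'under [File Screen Path] (matched group: [Violated File Group]). ' +
           'The write was blocked. Isolate the client and contact IT security.')
#    b) Windows event log entry so the SIEM / log collector sees it too.
$event = New-FsrmAction -Type Event -EventType Warning `
    -Body 'FSRM blocked ransomware extension written by [Source Io Owner] to [Source File Path]'
#    c) Optional containment: run a script as LocalSystem that denies the
#       offending account on every share. The script is hypothetical; its
#       minimal body is shown in the comment below.
$block = New-FsrmAction -Type Command `
    -Command 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -CommandParameters '-NoProfile -ExecutionPolicy Bypass -File C:\FSRM\Block-Writer.ps1 -User "[Source Io Owner]"' `
    -SecurityLevel LocalSystem
#       C:\FSRM\Block-Writer.ps1 (hypothetical):
#         param([string]$User)
#         Get-SmbShare -Special $false | ForEach-Object {
#             Block-SmbShareAccess -Name $_.Name -AccountName $User -Force
#         }

# 5. Active file screen on the data volume: -Active blocks the write (a
#    passive screen would only report) and applies to all folders beneath it.
$screenPath = 'D:\Shares'
if (-not (Get-FsrmFileScreen -Path $screenPath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $screenPath -IncludeGroup $groupName -Active `
        -Notification $mail, $event, $block `
        -Description 'Block known ransomware extensions' | Out-Null
}

# 6. Later maintenance: Set-FsrmFileGroup replaces the whole IncludePattern
#    set, so merge the existing patterns with the new ones before writing.
$current     = (Get-FsrmFileGroup -Name $groupName).IncludePattern
$newPatterns = @('*.placeholder-new-variant')   # constructed placeholder
Set-FsrmFileGroup -Name $groupName `
    -IncludePattern (@($current) + $newPatterns | Select-Object -Unique)
```

Test the screen from a workstation by creating an empty file with one of the listed extensions on the share: the write should be refused, an event should appear in the server's Application log, and the email should arrive.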
At the end of the day the most important points are these:
- Backup every day!
- Monitor the backups daily – know if a backup hasn’t run and then take action!
- Offsite backups! – I have seen ransomware actively attack an onsite backup repository and destroy it!
- Do not depend on Volume Shadow Copies as they generally become worthless in the event of an attack.
Credit: Tim Buntrock/ TechNet, mysticman2k/CybraryIT
Users are receiving increasing numbers of phishing emails containing ransomware, both at home and at work. Some users can accidentally activate the virus and as a consequence, their colleagues at work might be seriously impacted. This short post will teach you what ransomware is and how to defend yourself.
Ransomware is a type of computer virus, generally delivered as an email attachment or downloaded from malicious and/or social websites. It could be masked as a document (e.g. a late invoice) or as a useful program. Once it is executed, ransomware encrypts all user documents, both on the computer and on network drives. A ransom is then asked in exchange for decrypting the files; otherwise, if the user does not have a recent backup, the files are lost forever.
To defend against ransomware, IT support should set up a wide array of technical measures and procedures, including regular backups (and you may also want to back up your files at home). Unfortunately these measures are not enough when done alone. The most effective defense against ransomware is safe user behaviour and awareness.
Don’t be the weakest link! Follow these simple rules to protect yourself and your colleagues from ransomware:
- Be suspicious of any email received from outside the commission
- DO NOT click links or download attachments in suspicious emails
- DO NOT download attachments from your personal mailbox (e.g. Gmail) on computers at work
- Carefully examine emails before taking any action. Were you waiting for that email? Were you already discussing that topic with your contact? Ask the person it came from if they actually sent it.
- Carefully examine URLs and file extensions before opening them
Credit: Prezzio, CybraryIT
Wherever the Internet goes, there goes Gmail. A phone, a relative’s desktop computer, a stranger’s laptop: with but your user name and password, you can access your Inbox.
Now, about that stranger’s laptop on the train. Did I sign out of my Gmail account when I handed it back? I think I did, but what about aunt Amalia’s desktop (and her nephews)?
Fortunately, Gmail lets me and you sign out remotely, making sure any attempt to open or send an email on one of the leftover sessions is met with a log-in page and the need for a password.
Sign Out of Gmail Remotely
To make Gmail sign you out of all sessions that may be open on other computers and devices:
- Click Details under Last account activity at the bottom of Gmail.
- Now click Sign out all other sessions.
This will disable any future action in all other Gmail sessions. Note that the open sessions may still display your Inbox or a message that will only disappear when some action, say opening a conversation, is performed; and that other users may be able to log back into Gmail if your user name and password are stored in the browser. If you suspect that, make sure you change your password.
Cyber security breaches can happen to anyone at anytime. You, your family, your doctor’s office, your college, the stores you shop in, the websites you visit, and even the agencies that meet basic needs like water and electricity. The infographic below depicts some of the most infamous occurrences over the last decade and how they’ve affected the global cyber landscape.
Credit: SRC Cyber
A very strong message for security practitioners and companies.
You opened an e-mail attachment that you probably shouldn’t have and now your computer has slowed to a crawl and other strange things are happening. Your bank called you saying there has been some strange activity on your account and your ISP has just “null routed” all traffic from your computer because they claim it is now part of a zombie botnet. All this and it’s only Monday.
If your computer has been compromised and infected with a virus or other malware you need to take action to keep your files from being destroyed and also to prevent your computer from being used to attack other computers. Here are the basic steps you need to perform to get back to normal after you’ve been hacked.
1. Isolate Your Computer
In order to cut the connection that the hacker is using to “pull the strings” on your computer, you need to isolate it so that it can’t communicate on a network. Isolation will prevent it from being used to attack other computers as well as preventing the hacker from continuing to be able to obtain files and other information. Pull the network cable out of your PC and turn off the Wi-Fi connection. If you have a laptop, there is often a switch to turn the Wi-Fi off. Don’t rely on doing this through software, as the hacker’s malware may tell you something is turned off when it is really still connected.
2. Shut down, remove the hard drive and connect it to another computer as a non-bootable drive
If your computer is compromised you need to shut it down to prevent further damage to your files. After you have powered it down, you will need to pull the hard drive out and connect it to another computer as a secondary non-bootable drive. Make sure the other computer has up-to-date anti-virus and anti-spyware. You should probably also download a free rootkit detection scanner from a reputable source like Sophos.
To make things a little easier, consider purchasing a USB drive caddy to put your hard drive in to make it easier to connect to another PC. If you don’t use a USB caddy and opt to connect the drive internally instead, make sure the dip switches on the back of your drive are set as a secondary “slave” drive. If it is set to “master” it may try to boot the other PC to your operating system and all hell could break loose again.
If you don’t feel comfortable removing a hard drive yourself or you don’t have a spare computer then you may want to take your computer to a reputable local PC repair shop.
3. Scan your drive for infection and malware
Use the other host PC’s anti-virus, anti-spyware, and anti-rootkit scanners to ensure detection and removal of any infection from the file system on your hard drive.
4. Backup your important files from the previously infected drive
You’ll want to get all your personal data off of the previously infected drive. Copy your photos, documents, media, and other personal files to DVD, CD, or another clean hard drive.
5. Move your drive back to your PC
Once you have verified that your file backup has succeeded, you can move the drive back to your old PC and prepare for the next part of the recovery process. Set your drive’s dip switches back to “Master” as well.
6. Completely wipe your old hard drive (repartition, and format)
Even if virus and spyware scanning reveals that the threat is gone, you should still not trust that your PC is malware free. The only way to ensure that the drive is completely clean is to use a hard drive wipe utility to completely blank the drive and then reload your operating system from trusted media.
After you have backed up all your data and put the hard drive back in your computer, use a secure disk erase utility to completely wipe the drive. There are many free and commercial disk erase utilities available. The disk wipe utilities may take several hours to completely wipe a drive because they overwrite every sector of the hard drive, even the empty ones, and they often make several passes to ensure they didn’t miss anything. It may seem time-consuming, but it ensures that no stone is left unturned and it’s the only way to be sure that you have eliminated the threat.
7. Reload the operating system from trusted media and install updates
Use your original OS disks that you purchased or that came with your computer, do not use any that were copied from somewhere else or are of unknown origin. Using trusted media helps to ensure that a virus present on tainted operating system disks doesn’t reinfect your PC.
Make sure to download all updates and patches for your operating system before installing anything else.
8. Reinstall anti-virus, anti-spyware, and other security software prior to any other programs.
Before loading any other applications, you should load and patch all your security-related software. You need to ensure your anti-virus software is up-to-date prior to loading other applications, in case those apps are harboring malware that might go undetected if your virus signatures aren’t current.
9. Scan your data backup disks for viruses before you copy them back to your computer
Even though you are fairly certain that everything is clean, always scan your data files prior to reintroducing them back into your system.
10. Make a complete backup of your system
Once everything is in pristine condition you should do a complete backup so that if this ever happens again you won’t spend as much time reloading your system. Using a backup tool that creates a bootable hard drive image as a backup will help speed up future recoveries immensely.
Credit: Andy O’Donnell
In today’s threatscape, antivirus software provides little peace of mind. In fact, antimalware scanners on the whole are terrifically inaccurate, especially with exploits less than 24 hours old. After all, malicious hackers and malware can change their tactics at will. Swap a few bytes around, and a previously recognized malware program becomes unrecognizable. To combat this, many antimalware programs monitor program behaviors, often called heuristics, to catch previously unrecognized malware. Other programs use virtualized environments, system monitoring, network traffic detection, and all of the above at once in order to be more accurate. And still they fail us on a regular basis.
Here are some sure signs you’ve been hacked:
1. Fake antivirus messages
Fake antivirus warning messages are among the surest signs that your system has been compromised. What most people don’t realize is that by the time they see the fake antivirus warning, the damage has been done. Clicking No or Cancel to stop the fake virus scan is too little, too late. For example, you may know that you are using Kaspersky antivirus but find a Norton antivirus warning. The malicious software has already made use of unpatched software, often the Java Runtime Environment or an Adobe product, to completely exploit your system.
What to do: Power down your computer. Boot up the computer system in Safe Mode, No Networking, and try to uninstall the newly installed software. Try to restore your system to a state previous to the exploitation. If successful, test the computer in regular mode and make sure that the fake antivirus warnings are gone. Then follow up with a complete antivirus scan. Oftentimes, the scanner will find other sneaky remnants left behind.
2. Unwanted browser toolbars
This is probably the second most common sign of exploitation: Your browser has multiple new toolbars with names that seem to indicate the toolbar is supposed to help you. Unless you recognize the toolbar as coming from a very well-known vendor, it’s time to dump the bogus toolbar.
What to do: Most browsers allow you to review installed and active toolbars. Remove any you didn’t absolutely want to install. When in doubt, remove it. If the bogus toolbar isn’t listed there or you can’t easily remove it, see if your browser has an option to reset the browser back to its default settings. If this doesn’t work, follow the instructions listed above for fake antivirus messages.
3. Redirected Internet searches
Many hackers make their living by redirecting your browser somewhere other than you want to go. The hacker gets paid by getting your clicks to appear on someone else’s website, often those who don’t know that the clicks to their site are from malicious redirection.
What to do: Follow the same instructions as above. Usually removing the bogus toolbars and programs is enough to get rid of malicious redirection.
4. Frequent random popups
This popular sign that you’ve been hacked is also one of the more annoying ones. When you’re getting random browser pop-ups from websites that don’t normally generate them, your system has been compromised. I’m constantly amazed about which websites, legitimate and otherwise, can bypass your browser’s anti-pop-up mechanisms. It’s like battling email spam, but worse.
What to do: Get rid of bogus toolbars and other programs if you even hope to get rid of the pop-ups.
5. Your default browser changed to anything else
You are used to having Google as your default browser, then suddenly it’s changed to some rogue website you have never used before. This is popular especially with unwanted toolbars and redirected searches.
What to do: Changing the default browser back to Google may not last long; it’s advisable to restore the computer to previous good settings.
6. Your friends receive fake emails from your email account
These days it’s more common for malicious emails to be sent to some of your friends, but not everyone in your email address book. If it’s just a few friends and not everyone in your email list, then more than likely your computer hasn’t been compromised (at least with an email address-hunting malware program). These days malware programs and hackers often pull email addresses and contact lists from social media sites, but doing so means obtaining a very incomplete list of your contacts’ email addresses. Although not always the case, the bogus emails they send to your friends often don’t have your email address as the sender. It may have your name, but not your correct email address. If this is the case, then usually your computer is safe.
What to do: If one or more friends reports receiving bogus emails claiming to be from you, do your due diligence and run a complete antivirus scan on your computer, followed by looking for unwanted installed programs and toolbars. Often it’s nothing to worry about, but it can’t hurt to do a little health check when this happens.
7. Your online passwords suddenly change
If one or more of your online passwords suddenly change, you’ve more than likely been hacked — or at least that online service has been hacked. In this particular scenario, usually what has happened is that the victim responded to an authentic-looking phish email that purportedly claimed to be from the service that ends up with the changed password. The bad guy collects the logon information, logs on, changes the password (and other information to complicate recovery), and uses the service to steal money from the victim or the victim’s acquaintances (while pretending to be the victim).
What to do: If the scam is widespread and many acquaintances you know are being reached out to, immediately notify all your contacts about your compromised account. Do this to minimize the damage being done to others by your mistake. Second, contact your email provider for assistance to recover the account. If the compromised logon information is used on other websites, immediately change those passwords. And be more careful next time. Websites rarely send emails asking you to provide your logon information. When in doubt, go to the website directly (don’t use the links sent to you in email) and see if the same information is being requested when you log on using the legitimate method. You can also call the service via their phone line or email them to report the received phishing email or to confirm its validity. Lastly, consider enabling two-factor authentication. Read here for more information.
8. Unexpected software installs
Unwanted and unexpected software installs are a big sign that your computer system has likely been hacked.
For whatever reason, most malware programs these days are Trojans and worms, and they typically install themselves like legitimate programs. This may be because their creators are trying to walk a very thin line when the courts catch up to them. They can attempt to say something like, “But we are a legitimate software company.” Oftentimes the unwanted software is legally installed by other programs.
What to do: Restore the computer to previous settings and always download free software from legitimate sources.
9. Your mouse moves between programs and makes correct selections
If your mouse pointer moves itself while making selections that work, you’ve definitely been hacked. Mouse pointers often move randomly, usually due to hardware problems. But if the movements involve making the correct choices to run particular programs, malicious humans are somewhere involved.
Not as common as some of the other attacks, many hackers will break into a computer, wait for it to be idle for a long time (like after midnight), then try to steal your money. Hackers will break into bank accounts and transfer money, trade your stocks, and do all sorts of rogue actions, all designed to lighten your cash load.
What to do: If your computer “comes alive” one night, take a minute before turning it off to determine what the intruders are interested in. Don’t let them rob you, but it will be useful to see what things they are looking at and trying to compromise. If you have a cellphone handy, take a few pictures to document their tasks. When it makes sense, power off the computer. Unhook it from the network (or disable the wireless router) and call in the professionals. This is the one time that you’re going to need expert help.
Using another known good computer, immediately change all your other logon names and passwords. Check your bank account transaction histories, stock accounts, and so on. Consider paying for a credit-monitoring service. Complete restore of the computer is the only option you should choose for recovery. But if you’ve lost any money, make sure to let the forensics team make a copy first.
10. Your antimalware software, Task Manager, or Registry Editor is disabled and can’t be restarted
This is a huge sign of malicious compromise. If you notice that your antimalware software is disabled and you didn’t do it, you’re probably exploited — especially if you try to start Task Manager or Registry Editor and they won’t start, start and disappear, or start in a reduced state. This is very common for malware to do.
What to do: You should really perform a complete restore because there is no telling what has happened.
11. Your bank account is missing money
I mean lots of money. Online bad guys don’t usually steal a little money. They like to transfer everything or nearly everything, often to a foreign exchange or bank. Usually it begins by your computer being compromised or from you responding to a fake phish from your bank. In any case, the bad guys log on to your bank, change your contact information, and transfer large sums of money to themselves.
What to do: In most cases you are in luck because most financial institutions will replace the stolen funds (especially if they can stop the transaction before the damage is truly done). However, there have been many cases where the courts have ruled it was the customer’s responsibility to not be hacked, and it’s up to the financial institution to decide whether they will make restitution to you.
If you’re trying to prevent this from happening in the first place, turn on transaction alerts that send text alerts to you when something unusual is happening. Many financial institutions allow you to set thresholds on transaction amounts, and if the threshold is exceeded or it goes to a foreign country, you’ll be warned. Unfortunately, many times the bad guys reset the alerts or your contact information before they steal your money. So make sure your financial institution sends you alerts anytime your contact information or alerting choices are changed.
12. You get calls from stores about nonpayment of shipped goods
In this case, hackers have compromised one of your accounts, made a purchase, and had it shipped to someplace other than your house. Oftentimes, the bad guys will order tons of merchandise at the same time, making each business entity think you have enough funds at the beginning, but as each transaction finally pushes through you end up with insufficient funds.
What to do: This is a bad one. First try to think of how your account was compromised. If it was one of the methods above, follow those recommendations. Either way, change all your logon names and passwords (not just the one related to the single compromised account), call law enforcement, get a case going, and start monitoring your credit. You’ll probably spend months trying to clear up all the bogus transactions committed in your name, but you should be able to undo most, if not all, of the damage.
The hope of an antimalware program that can perfectly detect malware and malicious hacking is pure folly. Keep an eye out for the common signs and symptoms of your computer being hacked as outlined above. And if you are risk-averse, as I am, always perform a complete computer restore in the event of a breach. Because once your computer has been compromised, the bad guys can do anything and hide anywhere. It’s best to just start from scratch.
Most malicious hacking originates from one of three vectors: unpatched software, running Trojan horse programs, and responding to fake phishing emails. Do better at preventing these three things, and you’ll be less likely to have to rely on your antimalware software’s accuracy and luck.
Credit: Roger A. Grimes/InfoWorld
For many people, the first sign that their email has been hacked comes when a friend sends them a text or an email saying, “Hey there. I think your email was hacked… unless you meant to send me that link to the Viagra store.” Or you might figure it out because you can no longer log in to your account, or your smartphone can’t retrieve your messages. Or maybe you can log in to your email, but find that your inbox is suddenly empty and all of your contacts have been deleted. No matter what tips you off, when your email is hacked (notice I say when, not if, here), the impact can be disastrous.
The fact is, despite Twitter, Facebook and texting, we still rely on email for most business and personal interactions. So it can be pretty disquieting when inexplicable things start to happen to our email accounts, or our access to email is blocked. When these things happen, we can’t just will them away or delude ourselves into thinking that our computer is simply having a bad day. They could well be manifestations of email hijacking, which often is the prelude to identity theft. Your computer was most likely compromised in one of four ways:
- You do not have up-to-date security software installed.
- Your passwords are weak and easily hacked.
- You clicked on a malicious link in an email, IM conversation, social networking site, or webpage.
- You downloaded a game, video, song, or attachment.
When your email account is hacked, here are several steps you need to take:
- Change your password
If the wizards who hacked into your account forgot to change your password and you can still log in – do it immediately and change that password and make it stronger, stranger and less “you.” That means no birthdays, addresses, kids’ names, dogs’ names, maiden names, favorite movie names, favorite band names, or anything else that you might otherwise feature on your Facebook page. Make the password at least 17 characters to be safe. This change should be done from another computer as your computer may be infected with malware that captures keystrokes.
If the password was changed, you will need to contact your email providers for help. The process may take some time so you need to act fast.
- Activate 2-factor authentication
Increase security by adding another security feature to access your account. Most of the email providers are providing this feature. This was covered extensively in my previous blog post.
- Recapture your account.
You need to change your security questions and the answers, because the hacker could have obtained them to access your email. Make sure the answers are not visible anywhere on your other social accounts, such as Facebook or Twitter.
- Send an email to your contacts saying you were hacked.
When an email comes from someone you know you are more likely to open it and click on links within it – even if the subject is weird. Help stop the spread of the malware by warning those in your contact list to be cautious of any email sent by you that doesn’t seem right, and to not click on the links.
- Check your computer’s security.
Most hackers collect passwords using malware that has been installed on your computer (or mobile phone if you have a Smartphone). No matter which operating system you use, be sure your anti-virus and anti-malware programs are up to date. Choose the setting that will automatically update your computer when new security fixes are available. If you cannot afford security software, choose one of the free security suites available. To find these, type ’best free security software reviews’ into your search engine.
Look to see that all operating system updates are also installed. To find these, type ’(the name of your operating system) and updates’ into your search engine. Set your computer to update automatically so that you get protection from new attacks as soon as possible.
- Review your personal email settings.
Make sure the hackers haven’t created forwarding email addresses and if you find any delete them immediately. Also, look carefully at the signature block and make sure it’s really yours. The hackers may have included some malicious links there too.
- Change passwords or security questions for other sites.
In the event you shared your email passwords or security questions with any other site, change them, too. Too often consumers opt for convenience (or simplicity) over security and use a single password for multiple websites — including financial services, social media, retail or secondary email sites. Not a good idea. In fact it’s a very bad idea. Change all of them and use different passwords for each.
- Check your email folders.
Folks have a tendency to send financial or personally identifiable information to others via email and then archive the offending email in a file in their system. If so, immediately go to whatever account is identified and change the user ID and password.
Assuming that the hacker in question was able to find valuable pieces of personally identifiable information, it will become important for you to monitor your credit and various financial/ bank accounts for suspicious activity.
- Be cautious.
Your email is an important component of your identity portfolio. You must manage it like an investment. That means you minimize your risk of exposure by being smart, discreet and sophisticated in your security approach. Keep a watchful eye for things that seem a bit “off,” and know what your damage control options are before you need to control the damage. You need to change your password periodically, keep your antivirus/anti-malware software updated, and avoid using shared computers for email or social media.
Hope this is helpful.
Have you been following the technology headlines lately? Target breached, Neiman Marcus breached, and along with them Sears, the states of Utah and South Carolina, credit unions, credit bureaus, the Pentagon, Lockheed-Martin, RSA, other US government agencies, and the list goes on and on. So, if you think your security is good enough to keep your company from being breached, well, you must be dreaming. Wake up!
During his speech at the RSA conference in 2012, Robert Mueller, former Director of the FBI, said “There are two types of companies, those that have been breached and those that will be breached.” I consider this the best advice.
You could possibly fall into the category of about 73% of companies who believe their security is good. But, as a recent Wired magazine article entitled “Cyber Security Risk: Perception vs. Reality in Corporate America,” reveals, much of this is lack of knowledge and what is called “optimism bias.” For Africa, the perception and reality is worse.
Trust me, there is no single piece of software, hardware, security standard, or procedure that will protect your company, and if anyone tries to tell you differently, run away quickly. There is NO silver bullet for security!
Now, before you get depressed and decide to do something rash, there is a light at the end of the tunnel. There are three things you can do to lower the risk of a breach, reduce and even possibly eliminate your potential liability, and protect your company’s reputation when a breach does occur: assess risk, implement policies, and train the workforce. And, most importantly, make sure you can articulate what you did to secure your organization.
Assess risk.
You must understand the risks to your company and the information you collect, process, and store. The only way to do this is to understand the flow of data across your organization and how it is secured, whether being collected, in transit, in storage, or being pushed out the door.
Implement the policy.
Write and implement the policies necessary to explain how information is secured and how that security is implemented. Address compliance requirements and inform employees of their responsibilities.
Train the workforce.
Train your employees on cyber security awareness annually, and implement a program that reminds employees at least once or twice a month of the importance of protecting information.
Cyber security, which has become a risk management function, is no longer an IT function or exercise. Instead, it’s one for the company leadership. Yes, you, the CEO, and other senior officers.
If your company suffers a breach and you cannot explain what you did to secure information, your liability goes through the roof. The response, “I don’t know, ask our IT guys or ask the IT company we hired,” won’t help your reputation.
The leadership in the company must have the responsibility to protect the company financially. Hackers are looking for money and information they can sell. Your shareholders, employees, and customers are all expecting you to do the best you can to protect their personal information. When you fail at this, YOU look bad — not the IT department or the IT company you have hired. So instead of transferring blame to the IT guys (which normally happens), be the lead and make security of the information you hold a priority.
When a breach occurs, and trust me it will, you want to sound like this:
“As a company, we did X, Y, and Z to ensure all sensitive information was secured. We have policies that we have implemented. All employees have read and signed and are intimately aware of those policies. Additionally, we conduct monthly training to keep employees abreast of the latest threats, changes to policies, and how to keep information secure.”
In this statement, you sound like you are in control, understand the security of your company, and are taking control of the situation. Now, take action and implement. Not sure what to do? Then hire someone who does — not someone who wants to sell you software, hardware, or managed services, but someone who can walk you through the process.