Monthly Archives: March 2016

FBI investigating attack against computer networks at U.S. law firms

thinkstockphotos450270251sma_763723The Federal Bureau of Investigation (FBI) and the Manhattan U.S. attorney’s office are investigating an attack in which hackers accessed the computer networks at U.S. law firms, including Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, according to a Wall Street Journal report.

An individual familiar with the investigation told the Journal that investigators are looking into whether the hackers accessed the networks for insider trading or other purposes.

It is also likely that employee and client records were accessed in order to facilitate spearphishing and social engineering attacks, said Adam Levin, chairman and founder of IDT911 and author of “Swiped” in comments emailed to “The bad guys gained privileged access by way of stolen credentials, infected computers with malware, monitor activity, collect information and then use it for their financial gain,” he noted.

The attackers have reportedly posted threats of similar attacks against other laws firms.

Darren Hayes, director of cybersecurity at Pace University’s Seidenberg School of Computer Science and Information Systems, noted that law firms have been a target for hackers because they possess large quantities of intellectual property. “The recent slew of attacks on Wall Street law firms is a new phenomenon, but makes sense given their access to sensitive information.”

Seclore Technology CEO Vishal Gupta said in an email to that financial institutions and Fortune 500 companies have improved their security preparedness, but he noted that “hackers are finding loopholes – and in this case, it’s through the top US law firms.”

Hayes also acts as a consultant on legal cases involving digital evidence. He said law firms “are not known to generally possess the best network security defenses.”

Forget the hospitals, it now appears that the world’s cyber hyenas have found an endless source of fat and slow moving wildebeests to prey on the digital savanna. Cash “cows” as it were for ransomware attacks.

Can you think of a slower, less well-defended beast with more cash that would be so highly motivated to pay the ransom to protect their reputation?

The ransomware challenge simply cannot be solved by playing defense alone. We need to de-monetize this exploit by either holding the perpetrators at risk of arrest — or disrupting their ability collect the ransom.

No matter what the security-industrial complex technologists try to sell you to allay your fears and let you play a losing rope-a-dope defense a bit longer — the only successful solution is to pursue and challenge these ransomware teams directly.

Do Not Respond To This Kind Of Email. It’s A Scam!

Criminals are tricking corporate employees into giving them payroll information. Here is how the scam works – and how you can prevent yourself from falling prey to it.


IMAGE: Getty Images

Over the past couple months there have multiple well-publicized cases of criminals tricking corporate employees into giving them payroll information that the crooks then use to commit various crimes: commonly, employees’ identities are stolen and phony tax returns are filed in order to obtain illegal “refunds” of “overpayments,” but thieves continue to find other ways to monetize the data including filing fraudulent unemployment claims.

Here is how the scam works – and how you can prevent yourself (and your business) from falling prey to it.

In the first stage of the attack criminals perform reconnaissance – often checking social media for information that employees have “overshared.” Criminals love it when employees post nonpublic information about some work-related endeavor, for example, because anyone who later claims to be an employee of the company and refers to this information when contacting a real employee will be far more likely to be believed than someone who simply claims to work for the firm but does not know any “insider” information. Criminals also search social media and the Internet in general to find the right “target” employees within the firm whose data they are trying to steal.

After performing reconnaissance, criminals contact their targets – often via a “spear phishing” type email message, but sometimes through other media such as via social media, texting, or telephone. Spear phishing refers to communications targeting a specific intended victim and which impersonates a party whom the receiver is expected to trust. Several recent attacks have involved communications in which the “CEO” or other high level executive of a firm asks an employee with access to payroll information to send him or her the W2s for all employees of the firm; others forms of the attack ask an employee with authorization to make wire transfers to pay some particular party, others may ask the employee to visit some website for some purpose, when, in fact, the site actually installs malware.

Snapchat, Mercy Housing, and Sprouts Farmers Market have all fallen prey to the W2 scam within the last couple months, thereby exposing their employees to all sorts of risks. Other firms have been duped by similar attacks and sent out spreadsheets with personnel information, and the Federal Reserve Bank of New York is believed to have recently issued about $100-Million in fraudulent wire transfer payments as a result of receiving instructions fraudulent to do so.

Here are some ways to help prevent this problem from harming you and your business:

1.       Train employees not to overshare on social media and provide them with technology that warns them if they are doing so.

2.       Train employees not to respond to email requests for sensitive data without picking up the phone and speaking with the person requesting the data to be sent.

3.       Understand — and make sure your employees understand — how phishing works, and why it is a serious problem that is not getting better with time.

4.       Train employees to think about the risk level of requests. As Jonathan Sander, Vice President at Lieberman Software, noted, “If a payroll employee wants one W2, then maybe you just let them have it. If that same employee wants all of them all at once, then there should be something that triggers to say this is a different sort of request that deserves more scrutiny.”

5.       Utilize encryption – if a sensitive document is sent encrypted, an unauthorized party receiving it will have difficulty opening it. As Brad Bussie, Director of Product Management at STEALTHbits Technologies, phrased it: “As a best practice, personal identifiable information should never be transmitted in an un-encrypted format.” I agree.

6.       Use secure email – If a firm has the resources to do so, email security technology can help – but, do not rely on such technology to prevent problems since social engineering can come in through other channels (texting, social media messages, phone calls, etc.), and, sometimes problematic emails can still make it through. Nonetheless, reducing the threat via email can be useful; as Craig Young, Computer Security Researcher at Tripwire, noted “The use of cryptographically signed emails and securely configured mail services with advanced spam filters, sender policy framework (SPF), and DomainKeys Identified Mail (DKIM) configurations can also greatly reduce the likelihood of a successful e-mail scam.” Keep in mind that by reducing the number of problematic emails that reach users, email security technology can cause people to become less vigilant – so make sure to reinforce the need for vigilance via training.

7.       Utilize Data Loss Prevention systems – these types of systems can block certain types of files and attachments from going out to external email addresses.

These are just a few ideas to think about, there are several others !!!

The end of the iPhone encryption case and the questions we must ask


It is official. The FBI has accessed the San Bernardino iPhone, and they didn’t need Apple’s help. To quote the court document, found at:

“Applicant United States of America, by and through its counsel of record, the United States Attorney for the Central District of California, hereby files this status report called for by the Court’s order issued on March 21, 2016. (CR 199.) The government has now successfully accessed the data stored on Farook’s iPhone and therefore no longer requires the assistance from Apple Inc. mandated by Court’s Order Compelling Apple Inc. to Assist Agents in Search dated February 16, 2016. Accordingly, the government hereby requests that
the Order Compelling Apple Inc. to Assist Agents in Search dated February 16, 2016 be vacated. ”

More questions than I can put down here come to mind, but here are a few:

Was the FBI genuine when it filed initially, claiming they had no way to access the San Bernardino iPhone without Apple’s help?

If they were not genuine, and that seems to be the prevailing view in the technical field, was this behaviour becoming, or acceptable, from law enforcement? The simplified timeline of this case was that the FBI sought their court order, Apple said they would fight it, public opinion turned on the FBI, it appeared the legal argument may not stand up to challenge, the FBI sought a stay in the case while they tested a new way to get into the phone themselves, they then came out with the above statement claiming they have accessed the phone and requested the order be vacated. At face value the fact that the stay was sought when it was seems very convenient.

Since the net result of this exercise has been nothing and worked out as if the FBI never went to court at all, Apple did not render assistance, the FBI got into the phone anyway, no legal precedent was set, was this a good use of taxpayer funds?

Will the FBI tell Apple how they got into the phone? If they won’t on national security grounds, is it acceptable that Apple customers are vulnerable to attacks that can happen in the wild due to some intangible threat that cannot be measured?

Did the FBI find anything of value?

What do dormant cyber pathogens look like?

It’s important we ask these questions, because if we don’t we run the risk of setting our own precedent, normalising dishonesty, vexatious use of the court system, wasting of taxpayer funds, leaving of the general public unsafe, and the utterance of wild claims, all in the name of national security.

National security should not be doing this to us.

Mobile Forensics Firm to Help FBI Hack Shooter’s iPhone


Israel-based mobile forensics firm Cellebrite is believed to be the mysterious “outside party” that might be able to help the FBI hack the iPhone belonging to the San Bernardino shooter.

Israeli newspaper Yedioth Ahronoth broke the news, which appears to be confirmed by a $15,000 contract signed by the FBI with Cellebrite on March 21, the day when the agency announced that it may have found a way to crack Islamic Terrorist Syed Rizwan Farook’s iPhone without Apple’s help.

The FBI convinced a judge in mid-February to order Apple to create special software that would allow the law enforcement agency to brute-force the PIN on Farook’s iPhone 5C without the risk of destroying the data stored on it.

Apple, backed by several other technology giants, has been preparing to fight the order, which it believes would set a dangerous precedent.

Just as the US government and Apple were about to face each other in court, the FBI announced on Monday that it may no longer need Apple’s help in cracking the phone. Federal prosecutors later cancelled the hearing set for Tuesday, stating that the FBI will be aided by an unidentified “outside party.”

That “outside party” appears to be Cellebrite, which has been working with the FBI since 2013. The company’s website shows that it has assisted law enforcement investigations in several countries over the past period.

“Cellebrite mobile forensics solutions give access to and unlock the intelligence of mobile data sources to extend investigative capabilities, accelerate investigations, unify investigative teams and produce solid evidence,” the company writes on its official site.

Experts have suggested several methods that could be used to gain access to the data on the San Bernardino shooter’s iPhone, including ones involving acid and lasers, but they didn’t appear to be very practical.

After the FBI announced that it might have found a practical alternative, iOS forensics expert Jonathan Zdziarski published a blog post describing some of the likely methods that might be used to accomplish the task.

The expert believes the technique that will be used has likely already been developed, as the FBI says it only needs two weeks to test the proposed method.

Zdziarski believes the company that will aid the FBI will either use a software exploit or a hardware technique known as NAND mirroring.

“This is where the NAND chip is typically desoldered, dumped into a file (likely by a chip reader/programmer, which is like a cd burner for chips), and then copied so that if the device begins to wipe or delay after five or ten tries, they can just re-write the original image back to the chip,” the researcher explained. “It’s possible they’ve also made hardware modifications to their test devices to add a socket, allowing them to quickly switch chips out, or that they’re using hardware to simulate this chip so that they don’t have to.”

“My gut still tells me this is likely a NAND hardware technique. A software exploit doesn’t scale well. I know this because my older forensics tools used them, and it required slightly different bundles for every hardware and firmware combination. Some also work against certain versions, but not against others,” he noted.

Zdziarski believes that if the technique already exists, it has likely been sold privately for well over $1 million.

Ransomware – Practical view, mitigation and prevention tips

You've been Hacked

Ransomware is a kind of malware that encrypts everything on your system with a Cryptographic algorithm and holds that encrypted data hostage for ransom. It demands the user to pay for the decryption key. There are two types of ransomwares. In first, ransomware encrypts all data on the system and it is nearly impossible to decrypt it without the key. In second, it simply locks the system and demands to enter the key for data decryption but it does not encrypt data.

One of the very well-known ransomware is Cryptolocker. It uses RSA to encrypt data. Command and control server of malware stores the private key for decryption of data. It typically propagates as a Trojan and it relies mainly on social engineering for propagation.

Working of ransomware (unlike its purpose) is quite interesting. For proper understanding, we can divide its working in following steps.

  1. Approaching system of the victim and installing it as a covert/silent installation. It places its keys in system registry.
  2. After installation, it contacts its command and control center. The server tells the ransomware what to do. It starts communication by performing handshake with the server and exchange keys.
  3. Now it actually starts working, with the key provided by the server it starts encrypting the data on the machine. It uses common file extensions to identify the files and encrypt them.
  4. This is where it gets scary. After encrypting the data, it shows a message on screen that it has locked data on your computer and you have to pay within a period if you want to see your data again.

How it propagates:

Ransomware mostly uses social engineering tricks to propagate. It uses email attachments with malicious files and covert or maliciously forged documents with embedded scripts. In addition, it uses malicious URLs that point to vulnerable and compromised sites. Internet surfing and downloading software with unknown publishers is also a likely reason of infection. Ransomware also spreads through mediums like USB, portable hard drives etc.

Ransomware installation:

Its installation is a covert operation. It uses Windows default behavior to hide the extensions from name of the file, disguising the real .exe extension. Once it reaches its target by using any of the above mentioned propagation methods and user opens the malicious file, it becomes a memory resident on the computer. Then it usually saves itself in the Appdata folder, User Temp and Localappdata folders. Later, it adds a registry key in the windows registry to start the malware every time windows restart. 

Main working:

The main purpose of ransomware is encryption of data on the target computer. It generates a random symmetric encryption key for each file. It targets files with general extensions like .jpg, .doc, .docx, .xls, .png, .ppt, .pptx, .jpeg etc. and other files whose extension are in the malware code. It uses AES algorithm to encrypt data files. After encrypting data, it encrypts a random key with asymmetric private key using RSA algorithm and adds this to encrypted file. Now only the owner of the private key can have access to the random key it generated to encrypt the data.

The malware communicates with its command and control center to obtain the public key. It uses Domain generation algorithm (DGA) with common name as “Mersenne Twister” to generate random domain names and find its command and control center. After encrypting data, it displays a message with the time limit to the user about the ransom that has to be paid for the key and failed to do so will delete the key.


The compromise system can have the symptoms like high rate of Peer to Peer communication, increased network communication (Communication with Command & Control center server) and high use of system resources.

Mitigation and Prevention:

So far, there is no way that can break the Cryptolocker encryption and provide you the key to decrypt data. Paying seems to be the only way to get data back unless you have a backup. Some of the incidents in past showed that paying did not pay back. As some people paid but did not get the key and in other cases the given key did not work. So the best way is to keep yourself save proactively. Now we are going to discuss some proactive approaches to keep yourself safe from these types of attacks, in case you are affected what steps to take.

  1. The first and the foremost thing that comes into play when we talk about security is User Awareness. Training of the employees, users and all stakeholders is the most important thing. As in this case, we are in a war against malware. In addition, users cannot win this fight unless they are aware of the threats. SOC/Security management team can organize seminar, awareness campaigns etc., to guide the employees. Periodic briefing is also important. Explaining the cases with examples to the non-technical as well as technical employees can make it better for them to understand and remember the scenarios they are likely to face in everyday life.
  2. Along with user awareness, implementation of security policies is inside the domain via GPO and email transport rules to block such potential type of emails and Exes to execute silently. One recommends it highly to use Security Group policies in your organization for safeguarding against malware. Let us walk through the process of implementing the same.

Certain application and programs apply software restriction policies for their execution. This uses Group policy. What we can do is to block the executable in the specific user space areas where the ransomware launches itself. In large organizations, we can do this via Domain Group policies. In small business environment, home or organizations with no domains apply local security policies.

  • Open Group Policy management console on your primary DC to implement a Software restriction policy.

  • Create a New GPO. Name it as “Software Restriction Policy”.

Well the folder structure for users in Windows XP and prior is a bit different so what we can do is, to create 2 different policies; one for XP systems in domain and other for Vista and higher version of OSs. What I would do is, I will add both types of folders for XP and later in one GPO.

  • Now edit the newly made GPO and add user space folders in which we don’t want the software to auto execute. Go to Computer Configuration> Policies > Windows Settings > Security Settings Software Restriction Policies > Additional Rules. Right click Additional Rule and click ‘Add new Path rule’. Here we will create a new rule and enforce software restriction.

  • We will be adding file paths here. Add a path, select security level ‘Disallowed’ and add a description.

The paths for XP user space are as follows:

  • %AppData%\*.exe
  • %AppData%\*\*.exe
  • %UserProfile%\Local Settings\Temp\Rar*\*.exe
  • %UserProfile%\Local Settings\Temp\wz*\*.exe
  • %UserProfile%\Local Settings\Temp\*.zip\*.exe
  • %UserProfile%\Local Settings\Temp\Rar*\*.exe

The paths for other higher version of OS are:

  • %LocalAppData%\Temp\*.zip\*.exe
  • %LocalAppData%\Temp\7z*\*.exe
  • %LocalAppData%\Temp\wz*\*.exe
  • %LocalAppData%\Temp\Rar*\*.exe

  • Now allow sometime to let the GP sync to all the systems or you can go to every system and open cmd as Administrator write ‘gpupdate /force’ to force update the group policy to the system and now you are done.

There can be a disadvantage of applying the software restriction policy i.e. all the other legitimate exes will not run in those spaces as well. However, we can whitelist the legitimate software in Software Restriction policies.

For Whitelisting apps in Software Restriction policy, exceptions have to be set for those apps. We can manually instruct windows to allow those apps while block all the others. For doing so just add same rule for particular apps as explained before and set security level to Unrestricted instead of Disallowed. This will allow the GPO to whitelist the apps and their execution takes place in user space.

  1. If you have on-premises email server or exchange, Transport rules are something very useful. Use the exchange transport rule to block or disallow attachments with executable content or at least mark it as Possible Spam so User may have warned by the content of the email.
  • Open Exchange Management Console on your exchange server.
  • Go to Organization Configuration > Hub Transport.
  • Open Transport Rules.

  • Add new rule by right clicking the main screen. Enter the Name of the rule along with the description of rule.

  • Select the condition for the rule from next window. Select option “When any attachment file name matches text patterns”.

  • Select as much extensions as you want. Here we are adding exe, html, doc, docx, jpg, jpeg, zip, rar etc.
  • Select the Action that the rule will perform after meeting the conditions. Select the option “prepend message subject with string”. Now add “Possible Spam” as the text that will be added in the subject line.

  • If there are any exceptions, add them on the next screen else left it as it is. Complete the process by click Next and then Finish. The transport rule is added and its enable with priority set to 0.

Now when the user will receive the email with those specific extensions that we added in rule, he will observer Possible Spam in the subject of those emails.

3. User permissions: It is something minor but very important when we are dealing with the threats like ransomware. Review the NTFS permissions carefully for every time we deal with permissions. For instance, Share folders from server etc. If the share folder has ‘Everyone’ write permission and the user system gets infected, you are in trouble. Try to give the as minimum permissions as possible to users to lessen the damage.

4. By this time, many antivirus softwares are able to detect and remove this virus but decryption of the data is not possible unless you have the key. Keep your antivirus updated so it can detect and remove the malware before it acts.

5. Keep your systems up-to-date and patched up with latest security patches that the manufacturer releases.

6. Do not allow Peer to Peer communication in your network. Ransomware and many of the other malware and bots communicate with their command and control center via P2P communication. Disallowing this will help you keep save.

7. Use Security devices like firewalls and IDS/IPS in your network and configure them appropriately and intelligently.

8. Avoid using such type of unknown anti-virus on your system even if it claims to remove the malware from your network or system. Ransomware encryption cannot be broken easily and data cannot be decrypted without a key so if any unknown anti-virus claims that it can break encryption in no time don’t get tricked. It is some other type of malicious virus.

9. Last but not the least: Rather it is the most useful solution I know so far, is to BACKUP all your data regularly. I have seen clients affected with ransomwares and the only thing that saved them was Successful backup. Backup all your critical data to the external drive or NAS or SAN that is isolated from your system is very useful. If you are a big organization, then develop a BCP (Business Continuity Plan) and BDR (Backup and Disaster Recovery). BCP contains all the aspects of ransomware attacks and migration techniques along with the details of the backup you can or will take for your organization. There are many backup solutions available in the market that can help you backing up your data to an external storage or remote location i.e. cloud storage.

Thank you Tal for the great Post:
Operational Security Specialist | OSCP, CREST, ISO 27001, 22301 & 22035 Certified Lead Auditor and 27005 Risk Manager

Cyber fraud stops Kiss from rocking and rolling all night long


Kiss was due to head the Moonstone festival.

The organizers of a huge music festival featuring more than 50 acts and slated to start April 30 was totally derailed by a cyberattack forcing the promoters to reschedule the event for later this summer.

The Orlando Music Festival Moonstone organizers have given out few details regarding exactly what happened, but in a press release the they said the postponement was due to a cyber incident.

“The date change is based on the company suffering from a major cyber fraud crime. An ongoing investigation in now in process — by local law enforcement and the FBI — of cyber fraud involving a major Tampa, Florida bank and other local businesses,” the organizers said on the festival’s Facebook page late last week.

Attempts by SCMagazine to reach the festival’s promoter via email and social media went unanswered. The show’s social media pages have not been updated since the decision was made to hold off on the show. An inquiry to the FBI office in Tampa, Fla., has also not yet been returned.

“Because of this situation, we know our attention to the inaugural Moonstone might suffer and we want to ensure an amazing experience for everyone who attends the festival in September,” said MOONSTONE Founder Paul Lovett, in a press release.

The show was to run from April 30 to May 1 at the Central Florida Fairgrounds & Exposition Park, but now will be held Sept. 25-26. The show was to be headlined by the likes of Kiss, Def Leppard and Queensryche, but the organizers said the postponed version will likely have a different line up.

Multiple Hospitals Hit In Ransomware Attack Wave

mcafee-video-image_1102_65x70In the past week alone, three hospitals have reported being victimized by cyber-extortionists.

A flurry of ransomware attacks against hospitals in recent weeks suggests that online criminals may have found a new favorite target for cyber-extortion.

The latest to get hit are Methodist Hospital in Henderson, Kentucky, and Southern California’s Chino Valley Medical Center and Desert Valley Hospital, both of which belong to the Prime Healthcare Service chain.

The incident at Methodist Hospital forced it to declare a state of internal emergency earlier this week while administrators tried to restore access to encrypted files and email.

Security blog Krebs on Security, which was the first to report on the attack, quoted the hospital’s information system director Jamie Reid as describing the malware used in the attack as “Locky,” a particularly virulent ransomware sample that surfaced earlier this year.

According to Reid, after initially infecting a system, the ransomware spread to the entire internal network and compromised multiple systems. This prompted the hospital to turn off all desktop computers and bring them back up one and a time after ensuring they were infection-free.

Reid did not respond immediately to a Dark Reading request for comment, so it is unclear if the hospital ended up paying the $1,600 ransom demanded by the attackers to unlock the encrypted files. An attorney for Methodist Hospital interviewed by Krebs on Security had said the hospital had not ruled out paying the ransom.

Meanwhile, Fred Ortega, a spokesman for the two California hospitals that were also similarly hit, today claimed the malware did not impact patient safety or compromise health records, staff data, or patient care.

Ortega described the attacks as disrupting servers at both hospitals. But measures were quickly implemented that allowed a majority of operations to continue unhindered, he said in comments to Dark Reading.“The malware was ransomware,” Ortega says. “I can confirm that no ransom has been paid.”

According to Ortega, in-house IT teams were able to quickly implement certain protocols and procedures to contain and mitigate the disruptions. But he did not elaborate on what those measures were. “The hospitals remained operational without impacting patient safety, and at no point was patient or employee data compromised or leaked. As of today, most systems have been brought online,” Ortega says.

The attacks on the three hospitals continue a trend that first grabbed attention in February when Hollywood Presbyterian Hospital said it had paid $17,000 in ransom money to regain access to files that had been locked in a ransomware attack. Since then there have been reports of similar attacks on two hospitals in Germany, one at the Los Angeles County health department, and now the three over this past week.

Expect such attacks to increase, says James Scott, senior fellow at the Institute for Critical Infrastructure Security (ICIT), which recently released a report on the ransomware threat to organizations in critical infrastructure sectors.

“Hospitals are an easy target for many reasons,” Scott says. “Employees typically lack cyber hygiene training and their technology landscape, in most cases, is eerily absent of layered security centric protocols.”

Scott predicts that adversaries are going to start using ransomware as a diversionary tactic while they steal electronic health records and other sensitive data from healthcare networks. “The ransom will be secondary to the primary revenue generated by the sale of the data,” Scott says.

Another reason hospitals are being targeted is because threat actors know they simply cannot afford a prolonged disruption adds, Israel Levy, CEO of security vendor BufferZone. “The first attacks on hospitals, which may have been opportunistic rather than targeted, were successful for the attackers, so copycat attacks are now inevitable,” he said.

Regulatory pressures and public concerns have forced the healthcare sector to be more diligent about protecting private medical data in recent years, Levy says. But the same is not always true when it has come to protecting daily operations and common issues like email and Web use.

“Ransomware threat actors seem to be going after that weakness,” Levy said. “They aren’t going after personal medical data specifically, but are holding the hospital’s operational infrastructure hostage.”

Ron Zalkind, CTO and co-founder at CloudLock, says healthcare organizations are often viewed as soft targets by threat actors. A recent study that CloudLock conducted found that only five percent healthcare organizations on average are concerned with password protection, only 38% are concerned with personally identifiable information, and 30% are concerned with PCI, says Zalkind, who will talk cloud security issues at the upcoming Interop conference. “Similar vulnerabilities exist in other high-risk verticals, such as computer-controlled oil refineries and electrical grids,” he says.  “[The] consequences of such attacks to these sectors are just as significant.”

Six Things Your Business Has That Cybercriminals Want


The following article is excerpted from Under Attack: How To Protect Your Business and Your Bank Account From Fast-Growing, Ultra-Motivated and Highly Dangerous Cybercrime Rings, which was published by CelebrityPress on January 14th, 2016.


Belief and opinion are the biggest hurdles in implementing effective security that can help prevent an attack by cybercriminals.

I remember growing up and hearing people say, “One man’s junk is another man’s treasure.” For businesses, what they perceive as something of “no value” can be extremely valuable to a criminal. They will maximize it and expose it, giving themselves a pretty sweet deal while the business and its customers suffer. This likely disturbs you to your very core, but it doesn’t disturb the perpetrator at all.

There are six specific areas of data that are considered the jackpot for cybercriminals. If you know what the gold is, you’ll know how to protect it better.

1. Banking credentials

Think about your payroll accounts and the abundance of information that is in them. A thief will not hesitate to figure out your banking credentials and piece them together, which will give them the ability to impersonate an authorized user on the account. Then—in a matter of a minute—the payroll account is drained. What would you do if your payroll account was suddenly emptied the night before payroll processing?

2. Sensitive data from customers, vendors, and staff

Credit card numbers, Social Security numbers, and other data that help a thief take over someone else’s identity are valuable pieces of information. In the cyber underground, they can go for anywhere from $10 to $300 per record, depending on its value. Does your business have any of this type of information stored on technology of any sort?

Related article — Cybersecurity Fails: 5 Times Businesses Put Their Customers at Risk

3. Trade secrets

Entrepreneurs and innovators work hard, many creating products and services that become a part of all our futures. Along with these exciting innovations come valuable information and data such as: secret formulas, design specs, and well-defined processes. There is a market out there for this information, because some people want to shortcut the path to success by copying those who paved the way. Are your ideas and processes safeguarded from thieves?

4. Email

under attack cybersecurity book cover kris fentonIt’s hard to imagine that an email account could be of real value, but there is information on there that cybercriminals love. Here are some numbers that a prominent credential seller in the cyber underground can get:
1. $8 for an iTunes account
2. $6 for accounts from,, and
3. $5 for a account
4. $4 for hacked credentials to hosting provider, as well as the wireless providers,,, and
5. $2.50 for active Facebook and Twitter accounts

If your inbox was held for ransom, would you pay to get it back? If your Webmail account got hacked and was used as the backup account to receive password reset emails for another Webmail account, do you know what would happen? The result would be that an attacker could now seize both your accounts!

And here’s a startling fact: If you have corresponded with your financial institution via email, the chances are decent that your account will eventually be used in an impersonation attempt to siphon funds from your bank account. Have you ever conducted any personal business on your email that you don’t want criminals to have access to?

5. Virtual hiding places

Using your unprotected network to launch attacks against others—perhaps one of your top clients or vendors—is a favorite technique for cyber attackers. They will expose the weakest link to their end target and literally “work their way up.”

They start with a smaller company that does business with a larger firm and may have access to some of its passwords and accounts due to the type of working relationship. Then the cybercriminal finds their way into that system and starts to extract the data that they desire. They may also infect the small business’ site with malware.

When larger corporate clients and vendors visit the infected site, the malware secretly attacks that person’s computer and infects the organization. This is known as a watering hole attack. If you were attacked and it impacted your clients, would they understand?

6. Your reputation

The higher up the scale of success you go compared to your peers, the more likely it is that some of them may desire to see you come back down a bit and “make room for someone else.” There are unscrupulous competitors out there, and also disgruntled employees.

Today, targeted reputation damage is a serious concern for small to mid-size businesses. In fact, damaging attacks, whether it be data theft or destruction by rogue employees, has moved up to the third leading cause of loss according to NetDiligence® 2013 Cyber Liability & Data Breach Insurance Claims — A Study of Actual Claim Payouts. Do you rely on your reputation to help drive your business?

Most everything that a business has access to using technology, whether it is to either retrieve or store information, is of value to someone who has made a career out of attacking businesses for their own malicious gain. It may be hard to accept this, because most of us do not think like a cybercriminal—we think about our futures, our reputations, and conducting the best business we can. However, in order to know what you’re up against, you really need to start understanding what criminals may see in your business through an honest and thoughtful perspective. It’s a conversation best had with someone who understands the full scope of cybersecurity.


Buy Under Attack at Amazon right here.

5 things you need to know about ransomware, the scary malware that locks away data


Over the past few years millions of PCs from around the world have been locked or had their files encrypted by malicious programs designed to extort money from users. Collectively known as ransomware, these malicious applications have become a real scourge for consumers, businesses and even government institutions. Unfortunately, there’s no end in sight, so here’s what you should know.

It’s not just your PC that’s at risk

Most ransomware programs target computers running Windows, as it’s the most popular operating system. However, ransomware applications for Android have also been around for a while and recently, several variants that infect Linux servers have been discovered.

Security researchers have also shown that ransomware programs can be easily created for Mac OS X and even for smart TVs, so these and others devices are likely to be targeted in the future, especially as the competition for victims increases among ransomware creators.

Law enforcement actions are few and far between

There have been some successful collaborations between law enforcement and private security companies to disrupt ransomware campaigns in the past. The most prominent case was Operation Tovar, which took over the Gameover ZeuS botnet in 2014 and recovered the encryption keys for CryptoLocker, a notorious ransomware program distributed by the botnet.

In most cases, however, law enforcement agencies are powerless in the face of ransomware, especially the variants that hide their command-and-control servers on the Tor anonymity network. This is reflected in the multiple cases of government agencies, police departments and hospitals that were affected by ransomware and decided to pay criminals to recover their files. An FBI official admitted at an event in October that in many cases the agency advises victims to pay the ransom if they don’t have backups and there are no other alternatives.

Back up, back up, back up

Many users back up their sensitive data, but do it to an external hard drive that’s always connected to their computer or to a network share. That’s a mistake, because when a ransomware program infects a computer, it enumerates all accessible drives and network shares, so it will encrypt the files hosted in those locations too.

The best practice is to use what some people call the 3-2-1 rule: at least three copies of the data, stored in two different formats, with at least one of the copies stored off-site or offline.

You might get lucky, but don’t count on it

Sometimes ransomware creators make mistakes in implementing their encryption algorithms, resulting in vulnerabilities that allow the recovery of the files without paying the ransom. There have been several cases where security companies were able to create free decryption tools for particular versions of ransomware programs. These are temporary solutions though, as most ransomware developers will quickly fix their errors and push out new versions.

There are other situations where security researchers take control of command-and-control servers used by the ransomware authors and make the decryption keys available to users for free. Unfortunately these cases are even rarer than vulnerabilities in the ransomware programs themselves.

Most security vendors discourage paying the ransom, because there’s no guarantee that the attackers will provide the decryption key and because it ultimately encourages them.

If you decide to hold your ground, keep a copy of the affected files as you never know what might happen in the future. However, if those files are critical to your business and their recovery is time sensitive, there’s little you can do other than pay up and hope that the criminals keep their word.

Prevention is best

Ransomware programs get distributed in a variety of ways, most commonly through malicious email attachments, Word documents with macro code and Web-based exploits launched from compromised websites or malicious advertisements. Many are also installed by other malware programs.

As such, following the most common security best practices is critical. Always keep the software on your computer up to date, especially the OS, browser and browser plug-ins like Flash Player, Adobe Reader, Java and Silverlight. Never enable the execution of macros in documents, unless you have verified their senders and have confirmed with them that the documents should contain such code. Carefully scrutinize emails, especially those that contain attachments, regardless of who appears to have sent them. Finally, perform your day-to day activities from a limited user account, not from an administrative one, and run an up-to-date antivirus program.

5 Ways to Keep your Domain Name Safe from Being Hacked


The proliferation in the number of people using the internet had led to a significant number of new websites and blogs popping up every day. The huge platform for sharing views and personal opinion about anything or host content that one deems suitable to share, casual users today have understood how good a business owning a website or even a personal blog can be.

However, although many people easily set up their own website or blog, there are hardly any who are knowledgeable enough in protecting their domains from hackers once they become the legal registrants of domains. Today, we discuss this issue to help owners of personal blogs and small websites.

How to protect your domain from hackers

The following methods can be used to protect your domain from the attacks of hackers:

1. Activity alerts

This is similar to receiving notifications about your Facebook activity. Whenever an activity is performed using your domain account, you can get a notification. Many good domain registrars provide this feature free of cost. This is a good way to keep track of any unauthorized activity on your domain account.

2. Make sure writeable and executable files and directories are not in web root

Not doing so basically means that any unauthorized user can access readable and/or writeable directories or archives. This is as easy as it can get for hackers to exploit non-secured scripts to run or place data on your web hosting account.

3. Keep your domain locked

Enabling your domain registrar’s lock is a simple yet effective way to prevent illicit third-party domain transfer request. Such domain transfer requests are frequently used to steal domains. Simply enabling domain registrar lock can prevent your domain from falling prey to this malicious practice.

4. Do away with unwanted Directories, Scripts, and Subdomains

It is a common mistake by website owners to leave old and less used directories and scripts on their website. The gravity of this mistake cannot be emphasized on enough. This is because hackers can use this information for the purpose of hacking into your website. Therefore, it is important that you routinely chunk out files and directories that you no longer need or use.

5. Use strong and complex passwords

All accounts that require security are secured by passwords, but users can be so naïve as to use passwords that can be guessed easily to protect their sensitive information. This is a textbook mistake, one which hackers never get tired of exploiting. Always, ALWAYS, use passwords that are a combination of letters and numbers and are not short in length. Also, make it a practice not to use common English words as your passwords, for there are a lot of password cracking tools that crack passwords quickly because the password includes common words.


A lot of people are victimized by hackers by stealing or hacking their domain names. It is most important to pay close attention to your domain’s security, especially when your blog or website becomes really popular. With the help of this article and perhaps a little more research on the matter, you will be much more secure than you previously were (if not using these methods already) against hackers.