Tag Archive for Malware

Schools Face RansomWare Risk

More than 2,000 machines at K12 schools are infected with a backdoor in unpatched versions of JBoss that could be used at any moment to install ransomware such as Samsam. TechTarget defines ransomware as malware designed for data kidnapping, an exploit in which the attacker encrypts the victim’s data and demands payment in Bitcoins for the decryption key.

Ransomware has typically been spread through drive-by downloads or spam emails with malicious attachments. One of the latest victims of Samsam was MedStar Health, a not-for-profit organization that runs 10 hospitals in the Washington, D.C., area.

PCWorld reports that the Cisco (CSCO) Talos threat-intelligence organization announced that roughly 3.2 million machines worldwide are at risk. The article says that many of those already infected run Follett’s Destiny library-management software, used by K12 schools worldwide. According to Cisco, Follett responded quickly to the vulnerability: “Follett identified the issue and immediately took actions to address and close the vulnerability.”

In a presser, Follett offers patches for systems running versions 9.0 to 13.5 of its software and says it will help remove any backdoors. The author states that Follett technical support staff will reach out to customers found to have suspicious files on their systems. Follett even offers Snort detection rules on the presser page.

Snort is a highly regarded open-source, freeware network monitoring tool that detects attack methods, including denial of service, buffer overflow, CGI attacks, stealth port scans, and SMB probes. When suspicious behavior is detected, Snort sends a real-time alert to Syslog, a separate ‘alerts’ file, or to a pop-up window.

JBoss, the vulnerable underlying system, is described as an open-source Red Hat product that serves as an application server written in Java and can host business components developed in Java. Essentially, JBoss is an open-source implementation of J2EE that relies on the Enterprise JavaBeans specification for functionality.

PCWorld reports that compromised JBoss servers typically contain more than one Web shell. Talos advises that it is important to check the contents of a server’s jobs status page. “This implies that many of these systems have been compromised several times by different actors,” the company said.

Web shells are scripts that indicate an attacker has already compromised a server and can remotely control it. Those associated with this exploit are listed in Talos’s blog post.

Companies that find a Web shell installed should begin by removing external access to the server, Talos said in the article. The security firm recommends quick action.

Ideally, you would also re-image the system and install updated versions of the software … If for some reason you are unable to rebuild completely, the next best option would be to restore from a backup prior to the compromise and then upgrade the server to a non-vulnerable version before returning it to production.

rb-

I have worked with a number of customers on their library automation projects. The cost of these systems is, as usual, in the data. There is a great deal of time and effort that goes into creating the proper MARC records, especially for books that are out of print and kiddie books. If these files get locked up by ransomware, the system is useless and expensive to replace.

K12 schools are notoriously cheap, but the advice is the same as always:

  1. Keep your software UP TO DATE
  2. Use a real virus scanner on your servers and administrative stations
  3. Back-Up – Back-Up – Back-Up – With a good backup, you can just blow the machine away, re-install, restore the data, and be back in business.

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

9 Emails You Should Never Open

The increasing pace of life, coupled with mobile computing that bombards us with emails and messages from more sources and across more devices than ever before, has created what Proofpoint calls a generation of trigger-happy clickers.

Trigger-happy clickers are falling more and more for fake emails from cybercriminals. These fake emails are so convincing and compelling that, according to the article, they fool 10% of recipients into clicking on the malicious link. To put that into context, a legitimate marketing department typically expects a <2% click rate on its advertising campaigns.

So, despite the best efforts of security professionals, too many people are still falling prey to email scams at home and work. Whether it’s a get-rich-quick scheme or a sophisticated spearphishing attack, here are some emails to steer clear of:

1. The government scam

These emails look as if they come from government agencies, such as the IRS, FBI, or CIA. If these TLAs want to get a hold of you, it won’t be through email.

2. The “long-lost friend”

This scammer tries to make you think you know them, but it might also be a contact of yours whose account was hacked.

3. The billing issue

These emails typically come in the form of legitimate-looking communications. If you catch one of these, log into your member account on the website or call the call center.

4. The expiration date

A company claims your account is about to expire, and you must sign in to keep your data. Again, sign in directly to the member website instead of clicking a link in the email.

5. You’re infected

A message claims you’re infected with a virus. Simple fix: just run your antivirus and check. In a recent twist, scammers claim to be computer techs associated with well-known companies like Microsoft. They say that they’ve detected viruses or other malware on your computer to trick you into giving them remote access or paying for software you don’t need.

Scammers have been peddling bogus security software for years. They set up fake websites, offer free “security” scans, and send alarming messages to try to convince you that your computer is infected with malware. Then, they try to sell you software to fix the problem. At best, the software is worthless or available elsewhere for free. At worst, it could be malware — software designed to give criminals access to your computer and your personal information.

But wait, it gets worse: if you paid for their “tech support,” you could later get a call about a refund. The refund scam works like this: several months after the purchase, someone might call to ask if you were happy with the service. When you say you weren’t, the scammer offers a refund.

Or the caller may say that the company is going out of business and providing refunds for “warranties” and other services.

The scammers eventually ask for a bank or credit card account number. Or they ask you to create a Western Union account. They might even ask for remote access to your computer to help you fill out the necessary forms. But instead of putting money in your account, the scammers withdraw money from your account.

6. You’ve won

An email claims you won a contest you never entered. You’re not that lucky; delete it. It’s illegal to play a foreign lottery. Any letter or email from a lottery or sweepstakes that asks you to pay taxes, fees, shipping, or insurance to claim your prize is a scam.

Some scammers ask you to send the money through a wire transfer. That’s because wire transfers are efficient: your money is transferred and available for pick up very quickly. Once it’s transferred, it’s gone. Others ask you to send a check or pay for your supposed winnings with a credit card. The reason: they use your bank account numbers to withdraw funds without your approval, or your credit card numbers to run up charges.

7. The bank notification

An email claiming some type of deposit or withdrawal. Give the bank a call to be safe.

8. Playing the victim

These emails make you out to be the bad guy and claim you hurt them in some way. Ignore.

9. The security check

A very common phishing scam where a company just wants you to “verify your account.” Companies almost never ask you to do this via email.

What To Do Instead of Clicking Links

In the case of your bank or other institution, just go to the website yourself and log in. Type the address manually into the browser or click your bookmark. That way you can see if there’s something that needs to be taken care of without the risk of ending up on a phishing site.

In the case of your friend’s email, chances are that they copied/pasted the link into the message. That means you can see the full address. You can just copy/paste the address into the browser yourself without clicking anything. Of course, before doing that make sure you recognize the website and that it’s not misspelled.

Proofpoint’s bottom line is that unless you explicitly know and trust it, avoid it. That’s all there is to it. Make this a habit and you can avoid one of the biggest mistakes in internet safety.


Shadiest Neighborhoods on the Web

The Internet is organized into domains. Readers of Bach Seat are familiar with the .net domain since you got here. You are also probably familiar with other web neighborhoods like .com, where Facebook and Google live. The folks in charge of the Intertubes have added more neighborhoods, technically Top Level Domains (TLDs), and now we have over 1,000 TLDs, many of which have only been around for the past two years.

This rapid growth raises questions about how well those in charge of these new TLDs secure their neighborhood against malware and other threats. CSO Online explains that, just like any city, the Web has neighborhoods where dubious activities often take place: spam, scams, the distribution of potentially unwanted software (PUS), malware, botnets, phishing, and other suspicious activity.

Web security and WAN optimization firm Blue Coat Systems (BCSI) regularly analyzes hundreds of millions of Web requests from more than 15,000 businesses and 75 million users to track “shady activity” on the Web. In September, it released Do Not Enter: Blue Coat Research Maps the Web’s Shadiest Neighborhoods (PDF), with a list of the 10 top-level domains (TLDs) on the Web that are home to shady sites.

Blue Coat recommends that organizations take steps to protect themselves, including blocking traffic to the riskiest TLDs and cautioning users to be careful clicking on any links that contain these TLDs. It further suggests that users who are unsure of a source hover their mouse over a link to help verify that it leads to the address displayed in the text of the link, or “press and hold” links on a mobile device to do the same verification.

Blue Coat’s list of TLDs most associated with shady sites is constantly in flux, but here is its September list:

  • .review – The .review TLD is shady mostly due to scam sites, Blue Coat’s Larsen says. “Just looking at the list of domain names, I would say all of the top 15 are scam sites,” he adds, “.review does not seem to be making any effort whatsoever to keep the bad guys out.”


  • .country – The security firm says the .country TLD appears to have been colonized by scam networks that like to use a game/survey “reward” or “prize” as bait. Blue Coat’s Larsen told CSO there is a strong connection between some of the supporting ad networks on the TLD and known PUS networks (adware and spyware). Mr. Larsen says, “So if you’d like to block that entire TLD on your Web gateway, I wouldn’t blame you.”
  • .kim – The .kim TLD hosts some legitimate domains, most notably a Korean tech blog and several Turkish sites. According to Blue Coat’s blog, the TLD earned its shady online reputation due to the presence of scam networks linked to PUS, malware, and at least one domain that hosts a domain generation algorithm (DGA) used to pump out domain names that can be used with malware.
  • .cricket – Named for the world’s second-most popular sport, the .cricket TLD is another shady neighborhood on the Web. The author notes that while home to some legitimate sites, researcher Larsen points to many instances of search engine poisoning. For instance, StarWarsMovie.cricket pulls lots of random Star Wars items into one place to get traffic — including images clearly lifted from other places.
  • .science – The .science TLD may be a victim of its own marketing. In trying to raise the TLD’s profile, the registry gave away free .science domains and became one of the shadiest TLDs on the web. Blue Coat’s Larsen described their downfall in the CSO article: “Generally they tend to run into trouble when they run promotions for bulk registrations for really low prices … If you can register a domain for a buck, generally there will be bad guys there registering domains.” He says the .science domains seem to be largely associated with spam and scam sites. The shady activity included a sizable network of ebook sites, which led to a download network that’s been associated with PUS activity in the past.
  • .work – The .work TLD seems to be more about spam and scams than malware, though Larsen’s team did find a few tentative connections to PUS networks. There were some legitimate sites, though Larsen notes that they might be worth blocking as well. Examples include a Turkish porn site. 
  • .party – Mr. Larsen told CSO that a number of the sites on the .party TLD may seem legitimate. However, he warns, “There are some yellow flags” of search engine poisoning. The TLD also hosts a number of MP3 sites — probably piracy or something malicious. There’s also a site that hosts what appears to be a shady tracker.
  • .gq – The .gq TLD is the country code for Equatorial Guinea, which Blue Coat’s Larsen notes is in many ways a lifetime achievement award winner. He says, “If we look at all of the .gq sites … nearly 99 percent are shady.” Most of the abuse of .gq noted by Blue Coat has been in the form of search engine poisoning and many cookie-cutter “shady video” sites associated with PUS. It also features some “shocking video” spam/scam sites that spread via social media and a smattering of malware, phishing, and porn sites.
  • .link – The .link TLD is rife with porn content delivery networks and piracy sites, neither of which is counted as “shady” by Blue Coat. There are apparently a handful of legit sites in .link, but beyond these legitimate domains are a host of survey scam sites. “Historically, it’s been a place for spammers to live,” Larsen says.
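The two defensive checks recommended above (block the riskiest TLDs, and verify that a link actually goes where its text says it does) can be scripted against an email body. This is an added example, not code from Blue Coat, CSO or the Bach Seat; the HTML email is constructed, and the TLD list is the September list quoted above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# The nine TLDs named in Blue Coat's September list quoted above.
RISKY_TLDS = {"review", "country", "kim", "cricket", "science",
              "work", "party", "gq", "link"}

# Constructed sample email: one look-alike bank link whose real host is on
# .review, one ordinary link, and one bare "prize" link on .gq.
SAMPLE_EMAIL = """
<p>Your account will expire. <a href="http://login.mybank.com.prize-claim.review/">
https://www.mybank.com/login</a> to keep your data.</p>
<p>See the <a href="https://www.example.com/policy">policy page</a>.</p>
<p>Congratulations! <a href="http://free-gift.gq/win">Claim your prize</a></p>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; bare 'host/path' text gets a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def tld_of(host):
    """Last label of a hostname ('free-gift.gq' -> 'gq'); '' if there is none."""
    return host.rsplit(".", 1)[-1] if "." in host else ""


def check_links(html):
    """Return [(href, [reasons])] for links that deserve a second look."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        real_host = host_of(href)
        if tld_of(real_host) in RISKY_TLDS:
            reasons.append("risky TLD ." + tld_of(real_host))
        # If the visible text shows a domain, it must match the real target;
        # this is the "hover over the link" check done programmatically.
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
        if shown and shown.group(1).lower() != real_host:
            reasons.append(f"shows {shown.group(1).lower()} but goes to {real_host}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```

The regex only recognises text that looks like a domain, so a plain “Claim your prize” link is judged on its TLD alone.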

Of course, there are well-run TLDs. The best according to Blue Coat are:

Safe web neighborhoods

rb-

These TLDs are why companies like Blue Coat, Websense, and OpenDNS are in business. (OK, Websense and OpenDNS are no longer stand-alone companies. Websense was gobbled by defense contractor Raytheon and then spit out as ForcePoint, and OpenDNS has been assimilated into Cisco (CSCO).)

You can use these tools to just block almost anybody from going to these shady parts of the web for the reasons explained above.


Online Dangerous Celebrities 2015

It’s that time of year again! McAfee Intel Security has named the most dangerous celebrities on the Intertubes. And I have no idea who Electronic Dance Music (EDM) DJ Armin van Buuren is. Despite that, he is Intel’s most dangerous web celeb. To regain my street cred – I have been to DEMF – YO PEACE OUT. The EDM DJ replaces talk show host Jimmy Kimmel as Intel Security’s most dangerous celebrity to search for online.

For the ninth year in a row, The Intel Security Most Dangerous Celebrities™ study revealed that searches for certain musicians and comedians tend to expose Internet searchers to more possible viruses and malware.

The presser from Intel (INTC) Security warns that cybercriminals are always looking for ways to take advantage of consumer interest around popular culture events including award shows, TV shows, and movie premieres, album releases, celebrity breakups, and more. They capitalize on this interest by enticing unsuspecting consumers to sites laden with malware, which enables them to steal passwords and personal information.

Stacey Conner, online safety expert at Intel Security says that trying to download or listen to free music can be especially risky.

Celebrity names combined with the terms ‘free MP4,’ ‘HD downloads,’ or ‘torrent’ are some of the most searched terms on the Web … When consumers search for music that is not made available through legitimate channels, they put both their digital lives and devices at risk.

Top 10 risky celebrities

The top 10 celebrities from the 9th annual Intel Security Most Dangerous Celebrities™ study with the highest risk percentages are:

  1. Armin van Buuren
  2. Luke Bryan
  3. Usher
  4. Britney Spears
  5. Jay Z
  6. Katy Perry
  7. Amy Schumer
  8. Betty White
  9. Lorde
  10. Nina Dobrev

Musicians are 7 of the top 10 riskiest online celebrities (and good click-bait). Other risky artists in the top 20 are:
Justin Bieber (No. 11),
Rihanna (No. 12),
Jennifer Lopez and Kenny Chesney (tied at No. 13),
Selena Gomez (No. 14),
Zendaya (No. 15),
Kanye West (No. 16),
Afrojack and Miley Cyrus (tied at No. 19), and
Nick Jonas (No. 20).

Other celebrities who round out the 20 riskiest online celebrities:
Antonio Banderas (No. 14),
Nicole Kidman (No. 15),
Zac Efron (No. 17),
Natalie Portman (No. 18),
Paul Wesley (No. 18)
Sandra Bullock (No. 19),
Jennifer Lawrence (No. 20),

Riskiest celebrities around the world

Better Protect Yourself

While doing your star-struck surfing, Intel Security offers some suggestions on How You Can Better Protect Yourself:

  • Beware of clicking on third-party links. You should access content directly from the official websites of content providers. For example, visit reputable site ComedyCentral.com to find Amy Schumer’s latest episodes.
  • Use web protection that will tell you of risky sites or links before you visit them and it’s too late. Stick to official news sites for breaking news.
  • Only download videos from well-known, legitimate sites. Most news clips you’d want to see can easily be found on official video sites and don’t require you to download anything.
  • Use caution when searching for “HD downloads.” This term is by far the highest virus-prone search term. Consumers searching for videos or files to download should be careful not to unleash unsafe content such as malware onto their computers.
  • Always use password protection on all mobile devices. If you don’t and your phone is lost or stolen, anyone who picks up the device could have access to your personal information online.
  • Don’t “log in” or give other information. If you receive a message, text, or email or visit a third-party website that asks for your information — including your credit card, email, home address, Facebook login — to grant access to an exclusive story, don’t give it out. Such requests are a common tactic for phishing that could lead to identity theft.
  • Search online using a tool, such as McAfee® WebAdvisor software, which protects users from malicious websites and browser exploits.

rb-

Maybe I’m just being grumpy, but McAfee has done this for 9 years and people are still falling for this online celebrity malware stuff – sigh – They were right – One born every day.


You Can Stop Cyber Attacks

Seems like every week another major cyber attack is reported. Cyber attacks expose the personal details of millions of users worldwide. Companies are spending over $70 billion to fight off cyber attacks. But even with the best systems in place, hackers can still easily breach the company’s defenses if staff aren’t also being security conscious.

The Business Insider spoke with Christopher Young, general manager of Intel‘s (INTC) Security Group (aka McAfee), about cybersecurity. He told BI that employees can prevent data theft. The Intel GM says there are two things that every employee should be doing to help keep their company safe from cybercriminals.

“Think before you click. That is the number one thing that every average employee in an organization can do,” Intel’s Young said. He cites a recent Intel survey of security professionals (PDF), which found that humans are still the weakest link when it comes to an organization’s security. According to the report, successful attacks against companies most often stem from three things:

  1. User errors caused by lack of awareness,
  2. Unofficial use of online services, and
  3. Using social media sites at work.

Basically, employees are clicking links they shouldn’t be, which can give attackers a way in. One way attackers get in is through the inbox. Mr. Young told BI:

Emails are the number one way that attackers are getting in … They [cyber criminals] are crafting emails and attaching malicious files to those emails and their entry points into these organizations is often through tricking the average user or click on an email attachment and launch a malicious file.

I recently wrote about how attackers have honed their spear-phishing skills, making dangerous emails less obvious. BI says employees need to be vigilant and ask questions about any email they receive that raises even the slightest suspicion. Intel’s Young warns staff to question every email.

You should ask why am I getting the email? Why is there a file attached to it? Why am I being asked to click on it? And you should ask all of this before clicking.

The second big thing which Business Insider recommends that employees should do to help keep their company safe is to report any suspicious emails or attachments. And if someone does click on a link or download a file that raises eyebrows, report it as soon as possible so that the company’s security team can investigate quickly. Mr. Young explains that an early alert can help contain an attack. “So if the average employee smells something they should report it.”

rb-

The IT industry needs to develop a mascot like Smokey the Bear who reminds everybody that “Only You Can Prevent Forest Fires.”

Maybe we could put Clippy back to work to pop a little reminder every time you click on an email to open it.
