By Karen Andersen
September 10, 2018
Looking to make sense of the fluid nature of cybersecurity?
Each month, we strive to bring you the hacks, vulnerabilities and challenges of securing your daily habits and work environment. This brief is intended to help you make sense of the ever-changing world of cybersecurity so you can avoid similar scenarios.
Read on for the latest stories.
What is your risk tolerance? While on a recent bicycle ride, I started analyzing my ride in terms of risk. What is the likelihood the person coming at me on a narrow path will stay on their side of the trail? Is the approaching rider looking up, or are they distracted? A few riders had bike helmets but were not wearing them; the helmet was attached to a handlebar or sitting in a basket. I realized this is similar to what is often observed in cybersecurity. If you purchase a tool or device that is intended to protect you, unless you actively use it as designed, the odds of it protecting you during an actual incident are greatly diminished, or eliminated completely. To me, the behavior is perplexing - why make the investment yet not utilize the benefit? Why do people engage in risky behavior and not heed precautions? Be aware of the actions you are taking both at work and in your personal life. Are you consciously avoiding risk, or are you moving forward and hoping for the best?
A bike helmet won't protect you at the office; knowing how to spot and avoid risky scenarios will go a long way in offering protection. Pause before responding to an unusual email or before opening a link or attachment, and confirm with a colleague, in person, before agreeing to change a bank routing number or sending a wire transfer. If you suspect something doesn't seem right, follow your intuition. If you accidentally make a mistake, such as sending an email to the wrong recipient or deleting data, let someone know so it can be corrected. Accidents can happen to anyone; it's how you recover that matters.
Have you ever Googled yourself? You should. It’s important to understand what information about you is readily available on the internet.
However, personal information isn’t just gathered online. Think about items you often carry. Are they personalized? For example, jackets, luggage tags, your computer screen, or a boarding pass. Maybe your job requires a security badge, or maybe you’re wearing company-issued items with logos or your company name. If these things are visible, they may be revealing information about you. Social engineering involves learning about people and using that personalized information to manipulate or build a sense of familiarity with unsuspecting people.
Other methods often used to gain personal details include calling someone and purposely stating incorrect information. If the caller states the wrong answer, people will often correct them and provide relevant information. Some callers will ask personal questions under the guise of a survey, while others will even knock on your door at home, armed with personal information, acting as if they are trying to persuade you to vote a certain way or support a cause.
By understanding what data is available both online and in person and limiting the information you share, you can better protect yourself and lower the risk of personal data being used to target you. It’s all about security awareness.
Cyber extortion is not a new topic; however, there is a new variant of the scam: sextortion. Here is an overview of the scheme. A “bad actor” sends an email with a message similar to this:
Your email address is <actual email address>; your password is <corresponding password>
I recently placed malware on a site hosting sexual content; I caught you visiting the site. As proof, your email is <email> and your password is <password>. I was able to connect to your computer, and I've copied all of your contacts. I also made a split-screen video; one video is the activity on your computer of websites visited. The second video is your webcam recording you watching online content.
The sender demands a bitcoin ransom be paid within 24 hours, or he will release the footage to all of your contacts. The “bad actor” also includes additional graphic and threatening language. Ransom amounts vary, but are typically around $1,000 to $2,700.
This is extortion. The scam is likely automated, with the goal of finding the few people who fall for the scheme. Due to the number of data breaches, it is relatively easy to obtain a valid email and password, especially if they have been reused. Some people who have received this threat noted that the email/password combinations appear to come from previous data breaches, some as old as 10 years.
If a susceptible person receives this email, they may feel guilty, panic, and decide to pay the ransom. The extortionist is purposely looking to exploit personal fears. In extreme cases, the fear of exposure may lead to suicide.
According to the FBI, here are some things you can do to avoid becoming a victim:
The FBI advises that in many sextortion cases, the perpetrator is an adult pretending to be a teenager, and you are just one of the many victims being targeted by the same person. If you believe you’re a victim of sextortion, or know someone else who is, the FBI wants to hear from you. Contact your local FBI office or toll-free at 1-800-CALL-FBI.
And of course, continue to help build awareness.
If you have any questions about cybersecurity, please contact Anders Erickson, Director of Cybersecurity Services, at firstname.lastname@example.org or (208)383-4731.
School is out and it's a great time for a family vacation! Travelers aren't the only ones who look forward to this time of year. It's common sense not to announce that you're going out of town. This is also a great time to share with family the potential dangers of social media and how it can be used against you.
Whenever you're working at your desk and you need to step away, get in the habit of locking your PC. It's just three little buttons: Ctrl + Alt + Del. By locking your screen, you let coworkers know you are away from your desk, which is helpful if you use Communicator or an instant messenger. Secondly, it protects any applications you currently have open, such as a sensitive document or a spreadsheet. Establishing good habits, such as locking your PC every time you step away, is a simple way to improve your security posture.
Next time you walk down the hall at work or you're in a public space, see if you notice any unattended and/or unlocked PCs. It's interesting to observe the number of PCs left wide open. Locking your PC also prevents anyone from tampering with it or seeing data that isn't meant to be seen by others. Do you ever use a PC in a public area? It is important to ensure an unintended user doesn't access your data.
Locking your PC also demonstrates to others that you take protecting company assets seriously and are trying to avoid unintended access. It may be unlikely that someone would use your PC in your absence, but then again, why wait until something bad happens? Make it a habit to lock your PC on a regular basis. Organizations should also set an auto-lock after a short period of inactivity.
This tip also applies to cell phones. It's easy to inadvertently set a phone down. By getting in the habit of locking your phone, you help protect the data, the applications, and the phone from misuse by a stranger.
The internet is filled with people looking for ways to obtain personal information about you. Facebook has been in the news lately as a source from which other organizations "scrape" personal data. Another common scam technique often masquerades as a friendly, unassuming survey or a game. Sometimes it is featured as part of another webpage where you're reading a news article; it may appear on social media, or it may arrive in an email as a link. It may even encourage you to share the survey with family and friends!
In person, if you were asked a very private question, you might object or not respond. Surveys are a clever way to obtain data without the responder realizing what information they are providing. Historical information is particularly valuable - what year were you born? It may be a fun survey about pets that asks - what was your first pet and what was its name? What was your first job? These are also common security questions used to regain access to an account if you forget your password.
If you would like to see other examples of how fun and innocent surveys appear, click here.
If your phone suddenly switches to "emergency calls only" mode, you had better act fast. A new scam has fraudsters targeting individuals to gather personal information including name, cellphone number and carrier, in addition to the usual date of birth, Social Security number and address. The fraudster then contacts the cell service provider, reports the phone as stolen, and requests that the cell number be "ported" (assigned) to a new phone and/or a new carrier.
Once the cell number has been moved to a new device, hackers attempt to access accounts that utilize a text message as part of authentication. Victims have had their bank accounts drained, credit card accounts hacked and other instances of fraud.
If you suddenly receive a text thanking you for signing up for a new cellphone carrier, or your cell service drops, contact your cellphone carrier immediately. Also change the passwords on your online accounts as soon as possible and take steps to recover your identity. As a preventive measure, you can set a PIN on your cellphone account. Please share the details of this scam with others to help increase awareness.
For more on the story check out the Better Business Bureau’s advice, here.
Brian Krebs writes a security blog, KrebsonSecurity.com, which recently shared details of tax preparer fraud to help people be aware:
"On Feb. 2, 2018, the IRS issued a warning to tax preparers, urging them to step up their security in light of increased attacks. On Feb. 13, the IRS warned that phony refunds through hacked tax preparation accounts are a “quickly growing scam.”"
Basically, identity thieves focused on tax fraud hack online accounts at tax preparers and file phony tax returns. Clients receive tax refunds they were not expecting. Then the victim receives a notification from a fraudster, posing as a debt collector or even as the IRS, stating that they have received funds in error and demanding that the funds be repaid immediately. The scam may also include a website with a posted video explaining the error and giving instructions on how to return the funds via wire transfer. Some scams even assign a case worker, along with a telephone number and email address, to “help resolve the issue.” The hackers provide the Social Security number of the targeted individual along with other personal information, such as date of birth and address, to make the scam appear official.
“Thieves know it is more difficult to identify and halt fraudulent tax returns when they are using real client data such as income, dependents, credits and deductions,” the agency noted in the Feb. 2 alert. “Generally, criminals find alternative ways to get the fraudulent refunds delivered to themselves rather than the real taxpayers.”
One last note of caution: if you go to file taxes and receive a notice that your taxes have already been filed, it is a good indicator that a scam artist may have beaten you to it. Tax fraud is so prevalent that the IRS provides a "Taxpayer Guide to Identity Theft" along with a form to file in the event you are a victim.
Brian's original blog can be found here.
If you suspect you are a victim of tax fraud contact your Eide Bailly team immediately.
A team of researchers from Google, who refer to themselves as Project Zero, have released information regarding two significant vulnerabilities in the Central Processing Units (CPUs) – the primary computer chips – produced by all major chip manufacturers. Referred to as Meltdown and Spectre, these vulnerabilities threaten almost all personal computers, laptops, tablets, and smartphones produced in the past 20 years. Once a hacker has access to a computer or device, they can exploit these vulnerabilities to extract data from that system’s memory, including even sensitive personal information or passwords. Many software vendors have released patches (updates and instructions) to help prevent hackers from exploiting these vulnerabilities; however, the fixes can be very complex. It has been determined that specific versions of anti-virus software prevent the patch from being applied. The result is a “blue screen of death” which renders a computer unusable without further recovery efforts. In addition, because these vulnerabilities are so deeply embedded in processes a computer chip uses to manage data, it is unclear how long it will take to truly develop a complete solution.
These new revelations of flaws that reside at the very heart of our systems provide a timely reminder of the importance of cybersecurity. Organizations need additional emphasis and due diligence on basic security activities, including:
The Cybersecurity Team at Eide Bailly helps clients navigate the often complex process of implementing critical software updates to mitigate the Meltdown and Spectre vulnerabilities. In addition, we help organizations establish the basic security practices and activities that will strengthen their internal culture of security.
If you have any questions about these services, please contact Anders Erickson, Director of Cybersecurity Services, at email@example.com or (208)383-4731.
Email spoofing is a trick that has been employed by hackers for a long time. The hacker alters the “From” field in an email so that it appears to originate from someone other than the hacker. The objective is to trick the recipient into believing the email is from a trusted source, such as a friend or coworker.
Security researchers recently discovered a set of vulnerabilities that could be exploited to perform email spoofing in several widely used email applications. They have called this collection of email vulnerabilities MailSploit. Recently, a number of organizations and individuals have been victims of MailSploit attacks.
How can you help protect yourself from email spoofing? Here are five helpful tips:
If you are concerned that you may have already been the victim of email spoofing, please contact your local IT team immediately. They can help to identify and limit the impact of any data breach that may have occurred.
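The "From" field described above is ordinary text that the sender controls, so a mail client should never be the only thing that decides who a message is from. The following Python script is an added example, not code from the original newsletter or from the MailSploit researchers; it uses only the standard library's `email` package to parse constructed sample messages and report the signs a defender or a mail filter can check: a display name that itself looks like an address at another domain, control characters hidden in an encoded display name, and a Return-Path or Reply-To that points somewhere other than the visible sender's domain. The sample messages and the domains `example.com` and `spoof.example` are constructed for the demonstration.

```python
import email
import re
from email.header import decode_header
from email.utils import parseaddr

# Constructed sample messages for this example (not real captured mail).
LEGIT_MAIL = """\
From: Alice Example <alice@example.com>
Return-Path: <alice@example.com>
Subject: Lunch on Friday

See you at noon.
"""

# Display-name trick: the RFC 2047 encoded word decodes to "alice@example.com",
# so a client that shows only the name hides the real sender address.
SPOOFED_NAME_MAIL = """\
From: =?utf-8?Q?alice=40example.com?= <attacker@spoof.example>
Return-Path: <bounce@spoof.example>
Reply-To: attacker@spoof.example
Subject: Urgent wire transfer

Please send the payment today.
"""

# Forged From address: the visible sender is alice@example.com, but the envelope
# sender and the reply address belong to other domains.
FORGED_FROM_MAIL = """\
From: Alice Example <alice@example.com>
Return-Path: <bounce@spoof.example>
Reply-To: Alice Example <alice.example@webmail.example>
Subject: Changed bank details

Please update the routing number on file.
"""


def decode_display_name(raw_name):
    """Decode RFC 2047 encoded words (=?charset?Q?...?=) in a display name."""
    out = []
    for chunk, charset in decode_header(raw_name):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        out.append(chunk)
    return "".join(out)


def domain_of(addr):
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower()


def spoofing_indicators(raw_message):
    """Return a list of reasons the visible sender looks untrustworthy (empty = no findings)."""
    msg = email.message_from_string(raw_message)
    raw_name, from_addr = parseaddr(msg.get("From", ""))
    name = decode_display_name(raw_name)
    from_domain = domain_of(from_addr)
    findings = []

    # 1. A display name that contains an address at a different domain than the real sender.
    for addr_in_name in re.findall(r"[\w.+-]+@[\w.-]+", name):
        if domain_of(addr_in_name) != from_domain:
            findings.append(f"display name shows {addr_in_name} but sender is {from_addr}")

    # 2. Control characters in the decoded name can truncate or reshape what a client renders.
    if re.search(r"[\x00-\x1f\x7f]", name):
        findings.append("control characters in decoded display name")

    # 3. Envelope sender or Reply-To at a domain other than the visible From domain.
    for header in ("Return-Path", "Reply-To"):
        _, other = parseaddr(msg.get(header, ""))
        if other and domain_of(other) != from_domain:
            findings.append(f"{header} domain {domain_of(other)} differs from From domain {from_domain}")
    return findings


if __name__ == "__main__":
    for label, sample in (("legit", LEGIT_MAIL),
                          ("spoofed name", SPOOFED_NAME_MAIL),
                          ("forged from", FORGED_FROM_MAIL)):
        print(label, "->", spoofing_indicators(sample) or "no findings")
```

The checks are heuristics, not proof: a mismatched Reply-To is common in legitimate mail from ticketing systems, so in practice these findings are best used to add a visible warning banner or to raise a score alongside SPF, DKIM and DMARC results rather than to block outright.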
The credit monitoring service Equifax experienced a data security breach that could affect as many as 143 million people. Hackers exploited a flaw on the Equifax website to gain unauthorized access to files that contained consumer identity and credit card information.
The breach provides us with two important reminders:
The firm offers a foundational risk assessment – Cybersecurity Compass® – that provides non-IT leaders with an overview of how their organization has addressed these and other cybersecurity risks. This assessment also outlines recommendations and priority projects to help direct risk remediation efforts.
If you have any questions about these services, please contact Anders Erickson, Director of Cybersecurity Services, at firstname.lastname@example.org or (208)383-4731.
Google recently notified its employees and the state of California that they had been victims of a cybersecurity breach. One of their travel agencies, Carlson Wagonlit Travel (CWT), utilizes the system called SynXis Central Reservation System (CRS), which is owned and operated by Sabre Hospitality Solutions. Sabre discovered that hackers had gained unauthorized access to SynXis CRS. The hackers had taken travel reservation data including names, contact information, and payment card information. Google is now managing the impact and cost of a security breach that occurred at a vendor (Sabre) used by their vendor (CWT). This story highlights a significant challenge all organizations face as they enter into vendor relationships – how to ensure they partner with organizations who treat their data in a secure manner.
We live in an increasingly outsourced world. Organizations are eager to capitalize on the cost savings that result from contracting with third parties to perform anything from payroll processing to software development. The common thread throughout all these outsourced activities is the sharing of data, and if those third parties don’t have adequate security practices, then that shared data is at risk of being compromised. Cybersecurity experts at Eide Bailly recently conducted a risk assessment at a manufacturing client where they identified more than five vendors who had significant access to the company’s systems or data with little or no oversight. The team is now assisting this client in establishing a vendor management program to regulate the data and access provided to third parties and to hold vendors accountable for the security of the data with which they are entrusted.
A plastic surgery clinic in Lithuania recently had its customers’ personal health records stolen in a phishing attack conducted by a group of hackers who call themselves “Team Tsar”. These records included personal information along with images of patients from both before and after their surgery. The hackers threatened to release these sensitive health records to the general public if the clinic didn’t pay a ransom. Once the clinic refused to pay, the hackers followed through on their threat and released the records. As could be expected, the fallout was swift and heavy, resulting in a significant loss of consumer trust and revenue. The experience of this clinic demonstrates an important cybersecurity principle – much, if not all, data can be exploited to create value. In this instance, the hackers used extortion in an attempt to increase the value of the data.
Clinics and smaller medical practices carry a heavy burden when it comes to cybersecurity. They operate under the same risks as larger hospitals and medical institutions but often don’t have the resources to implement sound cybersecurity practices. Cybersecurity experts at Eide Bailly recently completed Cybersecurity Compass risk assessments at six local access hospitals in South Dakota. These professionals brought extensive healthcare experience to these engagements and helped these institutions identify risks that could place their patients’ personal health records in jeopardy. The reports from these assessments provided non-IT executives and board members with a clear understanding of their organization’s cybersecurity risks and outlined recommendations for remediation. Using our recommendations, these organizations are now prepared to make strategic cybersecurity investments.
On Friday, May 12, organizations all around the world were victims of ransomware attacks. Cybersecurity experts tracked more than 75,000 coordinated ransomware attacks in 99 countries. Ransomware locks the files on an infected computer rendering them inaccessible. The victim is then instructed to pay the hackers a “ransom” before the files can be unlocked. The British National Health System was one of these victims, causing hospitals across the United Kingdom to turn away patients. Other victims included Russia’s Interior Ministry and Telefonica (one of the largest private telecommunications companies in the world). The attackers demanded ransoms of only $300, indicating that their goal was to infect as many organizations as possible – irrespective of size. Even small and mid-sized organizations were targeted.
Organizations face ever-increasing risk of attacks to their computer systems and networks. Without appropriate preparation, monitoring, and response, their operations could be negatively impacted or their critical data lost. Eide Bailly’s Cybersecurity team has the experience and tools necessary to prepare and educate clients so they are not the next victim of ransomware. If an organization has experienced a ransomware attack, we can provide response management and risk assessment services to give clients peace of mind.
You may recall the 1983 movie “War Games” in which Matthew Broderick plays a high school student who, at one point, uses a stolen password to hack into the school’s computer system to change his grades. Just recently this scene played out in real life. A high school sophomore attending a Spring Branch Independent School District school in Houston, Texas was arrested on March 31, 2017 and charged with a felony for hacking the District’s computer system with the purpose of changing student grades. Just like in the movie, this student used a stolen password to hack into the system and took it even a step further by offering to change other students’ grades for a fee.
School systems and higher education face a significant challenge when it comes to cybersecurity. Their young students know as much or more about their computer systems than those charged with administering them. Eide Bailly’s Cybersecurity team recently completed a Cybersecurity Compass assessment at a school district in Idaho. With over 14,500 students, 1,500 employees, and thousands of computers and tablets, the district’s leadership was seriously concerned about their organization’s cybersecurity readiness. The Cybersecurity Compass provided them a clear understanding of their cybersecurity risks and gave recommendations to help them begin strategically tackling these risks.
In the most recent Threat Intelligence Report published by Nokia, researchers found that software viruses or malware infecting mobile devices (e.g., cell phones and tablets) had increased 83 percent in the second half of 2016. The report suggests that this increase represents a shift from hackers targeting traditional computers to going after mobile devices. One of the most common methods of infecting mobile devices is through “Trojan” apps. Like the Trojan Horse of Greek mythology, these apps look like a game or something harmless, but when they are installed on a mobile device they execute malware that allows a hacker to access or steal data from that device. One thing users can do to protect themselves from these types of viruses is to avoid downloading apps from locations other than the Apple or Android app store.
Most organizations allow their employees to access organizational data through their mobile devices. Whether that’s email, files, or the corporate directory, the access they provide to their employees represents a significant business risk. If not properly protected, malware infecting an employee’s mobile device can place our clients’ data in jeopardy. Eide Bailly’s Cybersecurity team can assist your clients in protecting their data on mobile devices by:
If you have any questions about these services or would like to better understand how we help our clients feel more confident about their cybersecurity, please contact Anders Erickson, Director of Cybersecurity Services, at email@example.com or (208)383-4731.