
Fixvirus Security show – Privacy-NetNeutrality plus improving Cybersecurity

The video itself:

Here is a story on how to improve your privacy on your iPhone:

http://www.zdnet.com/pictures/new-iphone-ipad-change-these-ios-8-privacy-settings-immediately/

Bruce Schneier’s post on privacy in general:

https://www.schneier.com/blog/archives/2015/02/everyone_wants_.html

We also need more cybersecurity: http://oversitesentry.com/how-do-we-improve-security/ We need more Ethical Hackers in every company who understand the issues.

Use the principle of Philotimo to be an Ethical Hacker: the friend of honor will “do the right thing”.

Also an apt YouTube video (regarding ΦΙΛΟΤΙΜΟ): http://youtu.be/DaPF4_-gH4g

To listen and educate yourself on net neutrality:

An interesting economist (Professor Hazlett) explains the nuts and bolts of net neutrality:

Minute 44 covers DSL sales growth and usage in the telecom industry.

I saw the Internet industry grow and change like Hazlett is talking about, from 1996 until today.

Minute 51 had an example of a net neutrality violation (MetroPCS streaming YouTube but not others, like Netflix or Hulu).

At about an hour in, the questions start.

As in my video: even after listening to Hazlett discuss this for an hour, I still think it will depend on the political power of the various factions. Of course the law is going to come down on net neutrality as well.

Hmmm, there are 1000 phone companies in America (we can name 2-4 of them); the rural companies get government subsidies.

Must have a Good Cybersecurity Strategy

Either that or the criminals and “events” will cause you to react in ways that you will regret.

There is a good presentation from last year’s Arch Con (Saint Louis Arch): http://www.youtube.com/watch?v=7GCC-0a_mVs

The opening keynote by Richard Bejtlich (@Taosecurity), “Applying Strategic Thought to Digital Defense”, is very interesting to contemplate after the Sony and Anthem breaches and the coming year (the convention was on September 24, 2014).


Of course, when discussing a “Cyber Security Strategy” with executives, consider the following: CEO and CFO execs do not really understand the computer and Internet they use every day. They want it to work and be secure, period.

Now you need to wake them up :) It is 2015; remember the Y2K scare, if you will. The Y2K issue arose when computer people realized there might be a problem with some software, as it only accounted for the last two digits when describing the year (such as 98 for 1998). So the wise IT people woke up one day in the late 90’s and asked: what happens in the year 2000, when the year 00 is supposed to be greater than 99? So all of a sudden all software that, for whatever reason (programmer laziness, etc.), only had 2 digits for the year needed 4 digits.

The switch from 2 to 4 digits was not a fast switch; all programs had to be rewritten to 4 digits. The scariest ones were what is called the BIOS (Basic Input Output System), the program that initially connects the operating system to the computer parts (hardware). So if this program quits working, nothing will work on the computer. The whole IT industry went into major overdrive and overtime to fix all the software by 12/31/1999, and then hoped that all the fixes worked on New Year’s Day 2000. Fortunately all the effort paid off, and the few problems that arose were handled.

It is my belief we need a Y2K-style effort for cybersecurity in 2015. There is no time like today: this year, this time, we will do it.

We must have better security: spend the money this year, get to a higher level of security, and then it will not be a big deal in the future. Reduce the capabilities of the criminals by upping your security, just as recommended here:

http://www.fixvirus.com/catch-any-malware-including-equationgroup/ (set up an IPS firewall to catch all attacks from inside and out). Also similar: http://oversitesentry.com/your-cyberdefense-still-2000s-thinking/

We need a new level of security testing and thinking; otherwise we will have worse and more serious attacks than Sony, which means the attackers will try to delete and disrupt actual commerce. Do you really want to live with http://www.fixvirus.com/what-if-the-hacker-is-in-your-network/ ?

Richard Bejtlich has a good outline to follow for all of the people in the company to improve security:

Theme                 | Who is in charge?          | Actions / goals
----------------------|----------------------------|------------------------------------------------
Program goals         | Board and CEO              | Minimize loss due to intrusions
Strategies            | CEO/CIO                    | Rapid detection, response, and containment
Operations/campaigns  | CISO or security director  | Match and hunt for intruders
Tactics               | Security staff             | Collect, analyze, escalate and resolve incidents
Tools                 | Vendors                    | Various software

The Directors and CEOs have an important role and have to be brought up to speed. It is up to us the IT people to talk their language.

Contact Us to get your security up to speed for Y2015 and beyond; don’t go back to Y2000.

Catch Any Malware Including EquationGroup

The Fixvirus video show that explains it:

According to the Kaspersky Group report:

http://25zbkz3k00wn2tp5092n6di7b5k.wpengine.netdna-cdn.com/files/2015/02/Equation_group_questions_and_answers.pdf

There is malware that can infect hard drive firmware and then perform other tasks

On page 23, question #14 says:

“14. What C&C infrastructure do the Equation group implants use?
The Equation group uses a vast C&C infrastructure that includes more than
300 domains and more than 100 servers. The servers are hosted in multiple countries, including the US, UK, Italy, Germany, Netherlands, Panama, Costa Rica, Malaysia, Colombia and Czech Republic.
All C&C domains appear to have been registered through the same two major
registrars, using “Domains By Proxy” to mask the registrant’s information.
Kaspersky Lab is currently sinkholing a couple dozen of the 300 C&C servers.”
C&C means command & control.

The infected hard drive means nothing without being able to “phone home”. Since the implant has to contact its C&C server, we can detect that traffic, and once we detect it we can stop the transmission: an IPS (intrusion prevention system) firewall, a Next Gen Firewall, properly configured, can protect against the malware.
Contact Us to help you with setting up your IPS or purchasing an IPS system that works for you.

What If the Hacker Is In Your Network?

(Bloomberg screenshot from this morning.)

The news reports are out: Stuxnet-type malware was installed in your firmware, thus infecting your hard drives, and you can’t do anything about it.

The news reports are everywhere:

http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/

As usual, the SANS Internet Storm Center has the detailed information:

https://isc.sans.edu/forums/diary/A+Different+Kind+of+Equation/19345/

This is the money quote:

You can find the original blog post here: http://www.kaspersky.com/about/news/virus/2015/equation-group-the-crown-creator-of-cyber-espionage

The full detail is in the Kaspersky Q&A document: http://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf

But my point is: I don’t care if the NSA has a “listening device” on my hard drive. You can shut down the NSA completely by running an IPS system, as I discussed in my blog post at oversitesentry.com:

http://oversitesentry.com/2-steps-stops-all-cyberattacks/

Check the communication going out: the client (your computer) running the malware (NSA or other) always wants to talk to its C2, or Command & Control, server.

You can stop C&C communications!

All you have to do is install an IPS (Intrusion Prevention System) and configure it correctly. It will reset the network connection and thus drop the C&C session.

The IPS can be built into the firewall (they are now called NGFW, or Next Generation Firewalls) to save on the amount of problems and

The problem that this disclosure created is the idea in the criminal mindset to create a Stuxnet clone. So it is going to be even more important for all businesses to install a firewall with IPS capabilities.
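To make the detection concrete, here is an added example (not code from the Fixvirus posts or from any IPS vendor) of the two checks an IPS policy applies to the outbound traffic described above: a match against a sinkhole/known-C&C list, and a beacon check that flags a host contacting one destination at a near-constant interval. The log format, host names and the C&C list are constructed placeholders.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound connection log lines (not real traffic):
# timestamp, source host, destination host, destination port.
LOG_LINES = """
2015-02-18T09:00:00 ws-12 updates.example-vendor.test 443
2015-02-18T09:00:00 ws-07 beacon.example-c2.test 443
2015-02-18T09:10:01 ws-07 beacon.example-c2.test 443
2015-02-18T09:20:00 ws-07 beacon.example-c2.test 443
2015-02-18T09:29:59 ws-07 beacon.example-c2.test 443
2015-02-18T09:40:01 ws-07 beacon.example-c2.test 443
2015-02-18T09:03:12 ws-12 mail.example-corp.test 993
2015-02-18T09:41:50 ws-12 mail.example-corp.test 993
2015-02-18T10:22:07 ws-12 mail.example-corp.test 993
2015-02-18T09:15:00 ws-03 sinkholed.example-c2.test 80
""".strip().splitlines()

# Constructed stand-in for a sinkhole / known-C&C list (placeholder names).
KNOWN_C2 = {"sinkholed.example-c2.test"}

def parse(lines):
    """Turn log lines into (time, src, dst, port) tuples."""
    out = []
    for line in lines:
        ts, src, dst, port = line.split()
        out.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return out

def find_beacons(events, min_hits=4, max_jitter=0.1):
    """Flag (src, dst) pairs whose connection gaps are nearly constant.
    Jitter is stdev/mean of the gaps; a timer-driven beacon keeps it tiny.
    Returns {pair: mean gap in seconds}."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[pair] = round(mean)
    return beacons

def decide_resets(lines):
    """Return the (src, dst) pairs an IPS policy would reset: every hit on
    the known-C&C list plus every detected beacon."""
    events = parse(lines)
    hits = {(s, d) for _, s, d, _ in events if d in KNOWN_C2}
    hits.update(find_beacons(events))
    return hits

if __name__ == "__main__":
    for src, dst in sorted(decide_resets(LOG_LINES)):
        print(f"RESET {src} -> {dst}")
```

The three mail connections from ws-12 are too few and too irregular to count as a beacon, so only the 10-minute beacon and the sinkholed host come back as reset candidates.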

 

Contact Me for more…

TonyZ

What is Your Hacked Computer Worth?

People keep asking me: what can someone possibly use on my computer? I have nothing on it.

We are trying to explain this with some images

The hacked computer could have a value of about $30.

A hacked computer is now called a Zombie when it is used as an attack vehicle.

This system can be on the corporate network, could be a phone, or an “Internet of Things” device.

Any device on the Internet has the potential to become a Zombie and to be used as an attack vehicle.

Controlled from a single machine through reflectors, one operator can direct hundreds or even thousands of computers.

Here is an analysis of using reflectors in DDoS: http://www.icir.org/vern/papers/reflectors.CCR.01/reflectors.html

(Image from Datasoft: https://www.datasoft.ws/ds_whatisddos.php)

The Datasoft image is a good representation of what a DDoS reflector attack consists of.

So yes, your hacked machine is worth $30 or more even if you do not have “valuable” data on it. The problem is, any password that you saved on the system could be used by the hacker to penetrate your identity across the Internet.

New videos – what is an Ethical Hacker and Thursday Fixvirus Security show

First we made a special short video on what an Ethical hacker does:

Second the Video for the Fixvirus Security show:

News of the Day is about this week’s Patch Tuesday: there are several critical patches for Microsoft software, and your IT department should apply all of them, as they fix remote code execution flaws (and are thus very dangerous). Hackers can create attacks any time now, and if you do not patch your machine it will be hacked by criminal hackers.

Tip of Day: We need to move to a Six Sigma IT methodology – which means we need to

A. Define

B. Measure

C. Analyze

D. Improve

E. Control

So we need to test your IT environment to ensure it is performing as prescribed.

The only way to create an environment where only 1 mistake in a million can occur is if you are constantly testing from the outside.

That is where we can help: http://www.fixvirus.com/contact-us/

PCI Compliance Affects Legal Liabilities

What does PCI compliance really mean?

There are similarities with ISO 27001. PCI compliance is set up as an audit of the IT department, with a specific emphasis on credit card security. ISO 27001 is more of an audit of the processes of a company. This makes sense in a manufacturing environment, where it is important that your processes show what occurs in the manufacturing and delivery of a product. A product that has to be created can have errors introduced in the creation step, and this is where Six Sigma (a quality assurance standard) has come into place.

See our blog post (at Oversitesentry.com) where we say Six Sigma security is needed.

But as the title mentions, the real reason for PCI compliance adherence is legal liability, as will be shown.

The 106-page PDF (plus 6 pages of appendix) of the latest PCI standard (DSS 3.0) from pcisecuritystandards.org is at the following link: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

The document outlines many aspects of the Payment Card Industry (PCI) expectations of security, which are security practices made up of common sense:

1. Implement a firewall, with good access control on all connections to the Internet, including the DMZ (DeMilitarized Zone). If you have a single connection and a single location it is straightforward, but if not, the standard still tries to keep the additional complexity in mind without losing security.

2. The network defense is not complete without a discussion of a personal firewall on the desktop and, later in the document, an antivirus solution. Microsoft Group Policy should also be discussed (where all aspects of the desktop can be controlled if so desired).

3. A lot of points are made about changing default configurations and passwords in all systems; this is another good common sense item.

4. Any protocols deemed “insecure” should be shored up as best as possible (there is a lot of latitude here, since there can be many different potential issues).

5. Using proper logs is important.

6. Encrypt where necessary: credit card numbers should be encrypted over the Internet or wireless access points, and this has to be “verified”. Again, this is due to legal concerns.

Later in the document: use an intrusion detection system so as to know what is being attacked and how you are attacked. Keeping the logs is important not just for finding out what is going on in your network; it is important for reconstruction in case of legal liability. Whenever the document says “Verify”, it means that if you do not, a lawyer will make you pay for it in the future.

How do I say this with certainty?

http://www.bankinfosecurity.com/retail-breach-compromised-millions-cards-a-5688/op-1 has a sentence of note:

“The company also pointed out that as of its most recent audit, conducted in November 2012, it was in compliance with the Payment Card Industry Data Security Standard.”

How about this link?

https://www.paylinedata.com/payments/schnuck-markets-files-sealed-lawsuit-two-payment-processors-data-breach/

“In St. Louis, Missouri, Schnuck Grocery store recently sued two payment processing companies. Currently the details of the lawsuit have not been released, but many can speculate that this is due to the recent breach of credit card data that impacted millions of customers at the large grocery chain.”

How could Schnucks end up suing the payment processors, if they had not done their due diligence in the PCI compliance audits as required by the industry? I believe this does not require knowledge of the outcome.

So that is why we are confident in saying: PCI compliance has to do with legal liability.

What are you waiting for? The ambulance-chasing attorneys will chase you when (not if) a breach occurs.

Contact Us: we can help you with the future audit, as legal liabilities beckon.

In the end it is the criminals versus the legal liabilities that you must wrestle with.

I post this doctored image of Kmart’s logo (with the scales of justice), as they were hacked as well, although I am not sure of their PCI compliance.

Ransomware on Your Databases Could be a Catastrophe

Sophos has a good article detailing some potential methods the hackers can use to extort money out of companies: Nakedsecurity Sophos blog site

This is the important part:

1. Hackers hack and penetrate your systems, including customer databases

2. Customer data will be encrypted – a ransom will be put on the data (that is the old method)

2a. Now the new method is to modify only some of the data, like usernames or passwords (sometimes passwords and usernames are set by the customer), so it is impossible to find this encryption until customers call saying they cannot access their accounts.

3. Customers log onto your site and they get infected with ransomware themselves on their personal computers.

So what just happened?

A. Your server inattention has cost your customers their data, and the relationship with you is now harmed.

B. The fix to this is not a restore of data, since the change may have been made some time ago and thus is in your backups as well.

This is a Cryptolocker 2.0 message.

We must figure out how to restore from before the hack.

How do you know where that point is? Test, test, and test, and keep your data points.
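An added example (not Fixvirus code) of the testing the post calls for: each customer row is sealed with an HMAC under a key kept outside the database, so a silent rewrite of a few usernames or passwords shows up on the next check, and running the same check over a series of backup snapshots finds the last one taken before the tampering began. The key, table layout and snapshot data are constructed assumptions.

```python
import hashlib
import hmac

# Assumed: the integrity key lives outside the database (a KMS or an
# offline file), so an attacker who rewrites rows cannot re-seal them.
INTEGRITY_KEY = b"placeholder-key-kept-outside-the-database"

def seal(row):
    """HMAC-SHA256 over the customer row's (id, username, pw_hash)."""
    msg = "\x1f".join(str(row[k]) for k in ("id", "username", "pw_hash"))
    return hmac.new(INTEGRITY_KEY, msg.encode(), hashlib.sha256).hexdigest()

def tampered_rows(table):
    """Return the ids whose stored seal no longer matches the row content."""
    return [r["id"] for r in table
            if not hmac.compare_digest(r["seal"], seal(r))]

def last_clean_snapshot(snapshots):
    """snapshots: list of (label, table), oldest first. Return the label of
    the newest snapshot with no tampered rows, or None if all are bad."""
    clean = None
    for label, table in snapshots:
        if tampered_rows(table):
            break          # tampering begins here; everything later is suspect
        clean = label
    return clean

def make_table(rows):
    """Constructed sample data: seal each row as the application would."""
    table = [dict(r) for r in rows]
    for r in table:
        r["seal"] = seal(r)
    return table

BASE = [{"id": 1, "username": "alice", "pw_hash": "h1"},
        {"id": 2, "username": "bob", "pw_hash": "h2"},
        {"id": 3, "username": "carol", "pw_hash": "h3"}]

def build_snapshots():
    """Three constructed nightly backups: the attacker silently rewrote
    bob's password hash between night 1 and night 2, and alice's username
    before night 3, without being able to re-seal either row."""
    night1 = make_table(BASE)
    night2 = [dict(r) for r in night1]
    night2[1]["pw_hash"] = "ENCRYPTED-BY-ATTACKER"   # seal left unchanged
    night3 = [dict(r) for r in night2]
    night3[0]["username"] = "ENCRYPTED-BY-ATTACKER"
    return [("night1", night1), ("night2", night2), ("night3", night3)]

if __name__ == "__main__":
    snaps = build_snapshots()
    print("tampered rows in latest backup:", tampered_rows(snaps[-1][1]))
    print("restore from:", last_clean_snapshot(snaps))
```

If every retained backup is already tampered, the function returns None, which is the signal that retention is shorter than the dwell time.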

We are all about testing here at Fixvirus.com. Contact us to help you in this new cybersecurity environment.

Here is the Fixvirus Security Show explaining this and Risk Management problems.

The video expounds on the Risk Management failure as well (in tip of day segment)

That was started on our blog post: http://oversitesentry.com/?p=1400 “Risk Management does not work”.

What is your email address worth to Criminal Hackers?

Brian Krebs has updated his blog and his famous picture (how much is your hacked computer worth):

http://krebsonsecurity.com/2015/01/fbi-businesses-lost-215m-to-email-scams/

IC3 data – Internet Crime Complaint Center: http://www.ic3.gov/about/default.aspx

The BEC (Business Email Compromise) is a global scam with subjects and victims in many countries. The IC3 has received BEC complaint data from victims in every US state and 45 countries. From 10/1/2013 to 12/1/2014 the following stats were reported:

Total US victims: 1198

Total US dollar loss: $179 million

Total non-US victims: 928

Total non-US dollar loss: $35 million

Combined victims: 2126

Combined dollar loss: $214 million

So Brian Krebs has updated his “how much is your computer worth to hackers” image.

So Brian reviews what can happen to your email account if somebody is able to take it over and use it for their own money making schemes.

If I attempted to put a small dollar amount on these accounts, how much is your email account worth?

Google: $2

Facebook: $2

iTunes: $3

Amazon: $3

Walmart: $3

Netflix: $2

Dropbox: $2

Salesforce: $2

FedEx: $1.50

UPS: $1.50

Bank acct: $4

Steam: $2.50

Total: $28.50? Or more?


My list is only a partial one, but I am trying to make it more personal and give the hack a certain dollar amount. I am trying to create awareness. Also note the comments on Brian Krebs’ post:

You can click on the image or go to Brian’s site to read them, but I want to transcribe one of them specifically (the bottom one):

“Almost word for word what happened to an affiliate company of ours. Slightly altered domain name appearing as someone’s VP, email request to wire funds, funds were sent, fund transfer frantically reversed at the 11th hour.”

This attack was carried out in a manner that did not even need a hacked email account, just a slightly modified domain name and a wire transfer request using the name of the VIP. What are the odds of 2 similar comments one after the other? Criminals are preying on our good graces and naivety.
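An added example (not from the Krebs post or its commenters) of a mail-gateway check for the look-alike domain trick quoted above: it folds common look-alike characters, measures edit distance from the company’s own domain, and holds messages from near-miss senders or from external senders asking for a wire. The company domain and the messages are constructed placeholders.

```python
import re

OWN_DOMAIN = "example-corp.com"   # assumed placeholder for the company's domain
WIRE_WORDS = re.compile(r"\b(wire|transfer|urgent|invoice)\b", re.I)

def normalize(domain):
    """Fold look-alike characters so that, e.g., examp1e-c0rp.com and
    exarnple-corp.com compare equal to the genuine domain."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("01", "ol"))

def edit_distance(a, b):
    """Levenshtein distance: one or two edits away is the usual squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header):
    """Pull the domain out of a From: header value."""
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else ""

def classify(from_header):
    """'internal' for our own domain, 'lookalike' for a near miss, else 'external'."""
    dom = sender_domain(from_header)
    if dom == OWN_DOMAIN:
        return "internal"
    n_dom, n_own = normalize(dom), normalize(OWN_DOMAIN)
    if n_dom == n_own or edit_distance(n_dom, n_own) <= 2:
        return "lookalike"
    return "external"

def flag_messages(messages):
    """Return (From, reason) for messages to hold for human review."""
    flagged = []
    for msg in messages:
        verdict = classify(msg["from"])
        text = msg["subject"] + " " + msg["body"]
        if verdict == "lookalike":
            flagged.append((msg["from"], "look-alike domain"))
        elif verdict == "external" and WIRE_WORDS.search(text):
            flagged.append((msg["from"], "external wire request"))
    return flagged

# Constructed sample messages (not real mail).
SAMPLE = [
    {"from": "VP <vp@example-corp.com>", "subject": "Q1 budget", "body": "See attached."},
    {"from": "VP <vp@examp1e-corp.com>", "subject": "Urgent", "body": "Please wire funds today."},
    {"from": "VP <vp@example-corp.co>", "subject": "Re: meeting", "body": "Confirm the transfer."},
    {"from": "Vendor <ar@example-supplier.org>", "subject": "Invoice due", "body": "Wire by Friday."},
]

if __name__ == "__main__":
    for sender, reason in flag_messages(SAMPLE):
        print(f"HOLD {sender}: {reason}")
```

A hold is only a trigger for the out-of-band call-back that would have stopped the wire in the comment above; the genuine internal message passes untouched.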

 

If you need help working on your password compliance, or testing other aspects of your security policy, I can help with the Omega Scan service:

http://oversitesentry.com/solutions/omega/

It is a unique service.

Here is the video to go along with this post

Have some Philotimo – set up PCI compliance

Pentesting every 3 months for entities with more than 20k transactions, annually for less than 20k transactions.

Why do you need to pentest?

Because things happen, and it is good to review your security profile.

Have some Philotimo: do the right thing – defend your site by scanning. http://oversitesentry.com/solutions/

Philotimo video:

Today’s Fixvirus security show video:

Also discussing the Oversitesentry blog post about QWERTY keylogger: http://oversitesentry.com/?p=1351