Thursday, January 18, 2018

Computer Kidnappers Are Charging a King's Ransom

Well, if data breaches and phishing weren't bad enough, an emerging cyber threat that came about early in 2016 is Ransomware.  A few months ago an episode of the TV show "Grey's Anatomy" had a Ransomware plot in which the hacker locked the staff out of the hospital computer systems and would not return control unless a large ransom was paid.  The irony is that the show's writers needed no more creativity than a Google search on "Ransomware" to get all the material they needed for the script.

Ransomware is in essence a computer virus that infects a computer network, but instead of disrupting or destroying software and data, it encrypts them, and only the hacker has the key to decrypt them.  If you want the key to get your computer(s) and data back, you have to pay the hacker a ransom.

So the question on your mind right now is "How do I defend against this?".

Follow the tips below to reduce your risk of having to deal with Ransomware:

Defensive
  • Anti-Virus: Ensure you are running anti-virus software on all of your computers.  The anti-virus software needs to be set to automatically update the virus definition file (which should occur daily).  Ensure that Real-Time Protection is active and schedule a Full Scan daily.  Without these settings your anti-virus is only marginally effective.  This should be in addition to Windows Defender (formerly Windows Security Essentials).  This tip goes for Apple, Linux, and Unix computers too.  While there are not as many viruses written for these non-Microsoft operating systems, there are still some out there.  The small annual expense you pay is well worth it.
Preventative
  • Operating System Patching: For small businesses and home users running a Microsoft operating system we call it Windows Update.  This keeps your operating system up to date with the latest bug fixes, many of which have a security impact.  Windows Update should be set to update automatically on every computer you own (PCs, laptops, tablets, servers).  Your computers (including servers) then need to be restarted after the update is done for it to be fully installed.  Patching needs to be done on Apple, Linux, and Unix computers as well.  Also, if you are using VM instances (e.g. VMware or Hyper-V), make sure your virtual operating system instances are patched, as well as the physical machine that runs the hypervisor.  This is often overlooked.
  • Application Patching: Like operating system patching, purchased off-the-shelf software also needs to be kept up to date with patches.  Applications like Apache, Adobe, and MySQL push patches out regularly.  Microsoft applications use Windows Update for your convenience.
Corrective
  • Back-ups: At a minimum, you need to back up your critical systems, applications, and data daily.  Back-ups, if electronic (i.e. not to tape, DVD, or some other physical media), should be stored on a separate server or storage device that is on a separate network segment (walled off from your production network by a switch or router and a firewall).  This will, at a minimum, ensure you can restore a one-day-old back-up of your production environment should Ransomware get past the anti-virus and your network security controls.
Keep in mind, the above is not a cafeteria plan.  You need to be doing all of the above processes for this to be an effective defense.
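The back-up tip above has two checkable parts: a back-up of every critical system no older than one day, and a back-up target on a network segment separate from production. The script below audits a back-up log for both. It is an added example, not code from the original post; the log format, host names, subnets, timestamps and the audit time are all constructed for illustration.

```python
"""Audit a backup log against the two back-up requirements above: every critical
system backed up within the last day, and the backup target on a network segment
separate from production. Added example; the log format, host names, subnets and
timestamps are constructed for illustration and are not from the original post."""
import ipaddress
from datetime import datetime, timedelta, timezone

# Hypothetical production segment; a backup target inside it is not walled off.
PRODUCTION_NET = ipaddress.ip_network("10.10.0.0/16")
MAX_AGE = timedelta(days=1)
# Constructed point in time at which the audit runs.
AUDIT_TIME = datetime(2018, 1, 18, 8, 0, tzinfo=timezone.utc)
CRITICAL_HOSTS = ["fileserver01", "sqlserver01", "mailserver01", "webserver01"]

# Constructed backup log: completion time (UTC), host, backup target IP, status.
BACKUP_LOG = """\
2018-01-17T23:10:00Z fileserver01 10.20.5.8 OK
2018-01-17T23:25:00Z sqlserver01 10.10.3.4 OK
2018-01-15T22:00:00Z mailserver01 10.20.5.8 OK
2018-01-17T23:40:00Z webserver01 10.20.5.8 FAILED
"""


def parse_log(text):
    """Return {host: (timestamp, target_ip, status)}, keeping the newest entry per host."""
    latest = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, target, status = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if host not in latest or when > latest[host][0]:
            latest[host] = (when, ipaddress.ip_address(target), status)
    return latest


def audit_backups(text=BACKUP_LOG, now=AUDIT_TIME, critical_hosts=CRITICAL_HOSTS):
    """Return a list of (host, problem) findings; an empty list means every check passed."""
    latest = parse_log(text)
    findings = []
    for host in critical_hosts:
        if host not in latest:
            findings.append((host, "no backup recorded"))
            continue
        when, target, status = latest[host]
        if status != "OK":
            # The newest run failed, so there is no backup from the last cycle to restore.
            findings.append((host, f"last backup {status}"))
        elif now - when > MAX_AGE:
            findings.append((host, f"last good backup is {(now - when).days} days old"))
        if target in PRODUCTION_NET:
            # A backup that ransomware on the production segment can reach is no backup.
            findings.append((host, f"backup target {target} is on the production segment"))
    return findings


if __name__ == "__main__":
    for host, problem in audit_backups():
        print(f"{host}: {problem}")
```

Running it against the constructed log reports the SQL server whose back-up lands inside the production subnet, the mail server whose last good back-up is two days old, and the web server whose latest run failed; the file server passes both checks.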

FYI - Earlier this week, a hospital in Indiana had to pay $55,000 in Bitcoin to a hacker due to Ransomware.
http://www.zdnet.com/article/us-hospital-pays-55000-to-ransomware-operators/


Be Secure!

Friday, January 12, 2018

Vishing, It's not Just for Kids Anymore.

When I was a kid, it was common practice to phone scam your grumpy neighbors.  Calling and asking, "Is your refrigerator running?", getting the response "Uh, yes it is.", and then saying "Then you better go catch it!" was something that gave us hours of childish joy at the expense of our severely annoyed neighbors.

I had thought those days were behind me, but I guess not.  So in addition to phishing, another attack vector that scam artists and hackers are employing with greater frequency is Vishing, or Voice Phishing.

The common approach is that they get a list of names and phone numbers and call people posing as their electric utility, their cell phone provider, or the water company.  They claim to be calling because they either didn't get your last payment and now have to shut off your service, or have some other urgent matter to discuss with you.  I have also seen this automated using a phone dialer and a recorded message instructing you to call another phone number immediately to resolve the issue.  They will then try to get you to provide your personal information in order to "verify" who they are speaking with.  They structure the call so that they get your information in pieces and nothing raises suspicion.  They may try to get your banking or credit card information in order to "pay your overdue balance".  Remember, if one of your service providers is calling you, they should already have your information, as they are calling your phone number of record.

Red Flags to look for:

  1. Your utility companies will give you multiple late notices and you will need to be 2+ months late on paying your bill before they shut off your service.
  2. If you get one of these calls and are not sure if it is a scam, hang up and call the phone number on your last bill.  This way you will know if it's legit.

Another popular vishing scheme is to call posing as the IRS.  This scam has been targeting businesses and individuals alike.  The "agent" will claim that you have an outstanding tax debt and it has to be paid immediately or you will be taken to court, lose your house, business, car, and bank account.  As with "turning your service off" above, this scam preys upon most people's fear, and who isn't fearful of getting into trouble with the IRS?  In some cases the scam is more about getting your social security number and date of birth rather than payment.  Either way, don't give any information over the phone.

Red Flags to look for:

  1. The IRS will never call or e-mail you about a tax debt, they will send you notice via certified mail.
  2. The IRS will never ask you to pay your tax debt using Western Union, Money Gram, or by getting a prepaid debit card at your corner drug store.

While the above two schemes have been known to target both individuals and businesses, the last one I'll be discussing is just focused on individuals.

In this scenario, the caller will tell you they are calling from the local courthouse, and you had been sent a notice for jury duty months ago, but you did not show up to court today, so you are now in contempt.  If you want to get out of going to jail, you need to immediately send money to pay the fine using Western Union (or one of their competitors).  Again the fear factor is used to create panic and a sense of urgency.

So the lesson here is you need to authenticate the person on the other end of the phone.  When in doubt, hang up and call back using a phone number you know is legitimate.

If only my grumpy old neighbor could see me now.

Be Secure!



Wednesday, January 3, 2018

How Long Does It Take a Hacker to Notice Your Website?

Like most small business owners, I did all of the SEO things one does when they have a new business website up to get noticed by search engines and clients.  I set up my descriptions and keywords, signed up for Google My Business, and created a profile on Manta.  With my website up for only 1 day, per Google Analytics I got my first visitor.  Can you guess from where?  You guessed it, Russia.  Not really part of my geographic profile, but what the heck, a website visitor is a website visitor.  The individual had spent about a minute on each of my pages.  That’s great, I’m getting noticed the first day my website is up.

And then on day 2, it happened.  I had an e-mail in my Spam folder.  I looked at the subject line, and sure enough, it was a phishing e-mail.  The e-mail was in the name of an individual and the subject line read “Your Monthly Statement document is ready for review”.  Keep in mind, my website had been up for only 2 days.  My website and the listing websites were the only places my newly created company e-mail was posted.  And when I hovered my cursor above the displayed e-mail address, yes, you guessed it, it had a .ru domain.

A week later I got my first spear phishing attempt.  This e-mail was also displaying the name of an individual and the subject line read “Please DocuSign: Order Form for tjmprofessional.com”, and the body stated “accounting@tjmprofessional.com has sent you a document to review and sign.”  Ironically, I don’t have a separate generic e-mail address called “accounting”.  But to give credit to the hacker, it did look more enticing and believable.  And yes, again the e-mail had a Russian domain.
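The two e-mails described above share a tell: the display name or the body claims one sender while the actual address points somewhere else. The script below encodes both checks as filter rules you could run on incoming mail. It is an added example, not code from the original post; the three messages, the sender addresses and domains, the list of existing mailboxes, and the choice of .ru as "outside the geographic profile" are all constructed for illustration and taken only from the post's own observations.

```python
"""Flag the two e-mail patterns described above: a From header whose display name
is a person's name while the address sits in a domain outside the business's
geographic profile, and a DocuSign-style lure whose body names a sender at the
business's own domain while the message really comes from elsewhere. Added
example; the messages, addresses and domains below are constructed and are not
the original e-mails from the post."""
import re
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAIN = "tjmprofessional.com"
# Constructed list of mailboxes that actually exist at the business; the post
# notes that no separate "accounting" address exists.
KNOWN_MAILBOXES = {"info@tjmprofessional.com"}
# Policy choice taken from the post's own observation: .ru senders are outside
# the business's geographic profile. A crude heuristic, not a verdict on its own.
OUTSIDE_PROFILE_TLDS = {"ru"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed messages modelled on the two e-mails described in the post.
MSG_STATEMENT = """\
From: "Jane Doe" <jane.doe@example.ru>
To: info@tjmprofessional.com
Subject: Your Monthly Statement document is ready for review

Your statement is attached.
"""

MSG_DOCUSIGN = """\
From: "John Smith" <docs@example.ru>
To: info@tjmprofessional.com
Subject: Please DocuSign: Order Form for tjmprofessional.com

accounting@tjmprofessional.com has sent you a document to review and sign.
"""

# Constructed control message that should raise no flags.
MSG_LEGIT = """\
From: "Ada Lovelace" <ada@example.com>
To: info@tjmprofessional.com
Subject: Quick question

Do you have time for a call next week?
"""


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def flag_message(raw):
    """Return a list of human-readable reasons the message looks like phishing."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    reasons = []

    # Rule 1: a personal display name riding on an address outside the profile.
    tld = from_domain.rsplit(".", 1)[-1]
    if name and tld in OUTSIDE_PROFILE_TLDS:
        reasons.append(f"display name '{name}' but address {addr} is in .{tld}")

    # Rule 2: the body claims a sender at our own domain that the From header
    # does not back up, and that mailbox may not even exist.
    for claimed in EMAIL_RE.findall(msg.get_payload()):
        if domain_of(claimed) == OWN_DOMAIN and from_domain != OWN_DOMAIN:
            reasons.append(f"body names {claimed} but message is from {from_domain}")
            if claimed.lower() not in KNOWN_MAILBOXES:
                reasons.append(f"{claimed} is not a mailbox that exists")
    return reasons


if __name__ == "__main__":
    for label, raw in [("statement", MSG_STATEMENT), ("docusign", MSG_DOCUSIGN), ("legit", MSG_LEGIT)]:
        print(label, flag_message(raw) or ["no flags"])
```

The statement lure trips only the display-name rule; the DocuSign lure trips that rule plus both halves of the body rule, because it names an address at the business's own domain that neither matches the real sender nor exists; the control message raises nothing. In practice the body rule is the stronger signal, since it does not depend on where the attacker's mail happens to originate.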

So if you are wondering whether your 6-month-old startup or your 50-year-old family business is at risk for a cyber attack, the answer is most definitely "Yes!".  My business was found, researched, and attacked within 2 days of its online existence.

Now if only my clients could develop these hacker skills and find my website as easily.  Who would need to pay for Google AdWords? :)