What is the Real Story on Default Passwords?

Is it really as bad as some say? People are not changing default passwords, and thus hackers control their machines if remote access is enabled in some way.

I think it is VERY BAD, as people are really looking for ways to make bad decisions:



My apologies to this person, who may innocently have been trying to make some administration easier for himself, but the lack of security knowledge is apparent. One should NOT even think of creating a scenario where there is a blank password on a machine (ever, and even worse for remote access).

If this machine were connected to a credit card machine, you would now be in violation of PCI compliance.

Ok, we know not to have default or blank passwords…

Or is it that people don’t need to change the default password as the system is not remote accessible?

Even then the default password should be changed, because physical access needs to be thought of, and it is not 100% foolproof.

Or is it that people think the system is not remote accessible but it really is in some way?

The last scenario may be likely if the level of sophistication is not good.
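The scenarios above all come down to one question a defender can actually check: does any account on the box still have a blank or vendor-default password? The following is an added example, not code from the original post. It assumes a constructed account export in the form "user:sha256hex:role" (an empty hash field means a blank password, "!" or "*" means a locked account) and a constructed list of default passwords that the defender maintains; the sample export is built inline.

```python
"""Audit an account export for blank or default passwords.

Added example, not code from the original post. Assumes a constructed
"user:sha256hex:role" export format and a defender-maintained list of
default passwords; both are built inline below.
"""
import hashlib

# Constructed default-password list (extend with the vendor defaults you know of).
DEFAULT_PASSWORDS = ["admin", "password", "12345", "changeme", "root"]


def hash_pw(password: str) -> str:
    """Unsalted SHA-256, which is how the constructed export format stores hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_sample_export() -> str:
    """Constructed account export used as sample input."""
    rows = [
        ("root", hash_pw("changeme"), "admin"),             # vendor default
        ("admin", hash_pw("admin"), "admin"),               # vendor default
        ("svc_backup", "", "service"),                      # blank password
        ("jsmith", hash_pw("Tr0ub4dor&3xample!"), "user"),  # unique password
        ("guest", "!", "user"),                             # locked account
    ]
    return "\n".join(":".join(row) for row in rows) + "\n"


def audit_export(export_text: str, defaults) -> dict:
    """Return {user: finding} for every account that is blank or on the default list."""
    default_hashes = {hash_pw(p): p for p in defaults}
    findings = {}
    for line in export_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, pw_hash, _role = line.split(":", 2)
        if pw_hash == "":
            findings[user] = "blank password"
        elif pw_hash in ("!", "*"):
            continue  # locked: no password login is possible
        elif pw_hash in default_hashes:
            findings[user] = f"default password '{default_hashes[pw_hash]}'"
    return findings


if __name__ == "__main__":
    for user, finding in sorted(audit_export(build_sample_export(), DEFAULT_PASSWORDS).items()):
        print(f"{user}: {finding}")
```

The comparison works here because the constructed format stores unsalted hashes; against a salted store (a real /etc/shadow, for instance) each default candidate has to be re-hashed with the account's own salt, and the locked-account and blank-field checks stay the same.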

And hackers are looking for these machines: a post from last year (http://oversitesentry.com/why-are-there-cyber-security-issues/) notes that the Verizon Data Breach Investigations Report mentions that Remote Command Execution was found on scanned machines more than at other times.

Human error is one of the main reasons for security failures. In 2014, IBM's Cyber Security Intelligence Index noted that “95% of all security incidents involve human error”.


So how does a stakeholder (the board, CEO, exec team) make sure that human error is minimized (as it will likely never be 100% gone)? It is obvious to most: bring in outside help to get a second or third opinion, and perform tests to see where human error can be minimized. A CISA (Certified Information Systems Auditor) would review the potential risks and set up an audit to methodically find security issues.

Contact us to discuss

Email at Yahoo? You were hacked! Will be Phished!!

Yes, we know Yahoo had millions of email addresses hacked, or rather the email address and password database was stolen by an ingenious hacker.


Also, according to this story (TechCrunch), the full disclosure over several years is that 1 billion email addresses and passwords were stolen.

Updated 3/14 later in the day: also keep in mind that if you have an AT&T email account, it is tied into Yahoo due to a connection the two companies made, and that includes Verizon. CNET news story: “Yahoo hack: It's not just Verizon. AT&T should be worried too”

So we know of about a million email addresses being sold on the Dark Web, and this is just the first 100k being sold on a dark web interface:

Image from hackread.com

In this ad, for $10.75 you can obtain 100k email addresses and the decrypted passwords.



So your Yahoo email and password are in many places now. Where did you use the Yahoo email to log in? Banks, credit cards?

The hackers are not just buying emails and passwords to check your email. First they will check your email and then see what bank and other accounts they can take over.

Or they can use this information to create more focused phishing campaigns, i.e. the information in emails within all the Yahoo accounts can be used to create targeted phishing campaigns (also called spear phishing).

So what should you do?

Get rid of your Yahoo email address ASAP. Should you require all employees to remove any vestiges of Yahoo email from their lives?

How can you make this claim? Because the longer they keep the Yahoo email account the more likely the criminal hacker will access the email account and steal information to phish more effectively, especially into a company account.


Have you ever sent something from your work email to the Yahoo email? If this is a yes, now the hacker knows your work email and can create highly sophisticated phishing attacks with malware that may have an adverse effect on your company.

So owning a personal Yahoo account may enable criminal hackers to get access to your company in the months ahead, as the criminals are just now digesting the new information and setting their attack plans in place.
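The question "have you ever sent something from work email to the Yahoo email?" can be answered from the mail gateway's own logs rather than by asking each user. The following is an added example, not code from the original post. It assumes Postfix-style mail logs (the sample lines below are constructed), an internal domain of example.com, and a defender-chosen set of watched domains; it correlates the sender recorded by the queue manager with each external recipient by queue ID.

```python
"""Find internal senders who have mailed a watched external domain (e.g. yahoo.com).

Added example, not code from the original post. Assumes Postfix-style
logs (the sample below is constructed), an internal domain of example.com
and a defender-chosen list of watched domains.
"""
import re
from collections import defaultdict

# Constructed Postfix-style log lines: qmgr records the sender per queue ID,
# smtp records each external recipient delivered for that queue ID.
SAMPLE_MAIL_LOG = """\
Mar 14 09:12:01 mx1 postfix/qmgr[2211]: 4A1B2C3D: from=<alice@example.com>, size=2048, nrcpt=1 (queue active)
Mar 14 09:12:02 mx1 postfix/smtp[2302]: 4A1B2C3D: to=<alice.home@yahoo.com>, relay=mta5.example-mta.invalid[203.0.113.10]:25, status=sent (250 ok)
Mar 14 09:15:10 mx1 postfix/qmgr[2211]: 5E6F7A8B: from=<bob@example.com>, size=1100, nrcpt=1 (queue active)
Mar 14 09:15:11 mx1 postfix/smtp[2305]: 5E6F7A8B: to=<partner@vendor.example.net>, relay=mx.vendor.example.net[203.0.113.20]:25, status=sent (250 ok)
Mar 14 09:20:33 mx1 postfix/qmgr[2211]: 9C0D1E2F: from=<carol@example.com>, size=3300, nrcpt=2 (queue active)
Mar 14 09:20:34 mx1 postfix/smtp[2310]: 9C0D1E2F: to=<carol.personal@yahoo.com>, relay=mta5.example-mta.invalid[203.0.113.10]:25, status=sent (250 ok)
Mar 14 09:20:34 mx1 postfix/local[2311]: 9C0D1E2F: to=<dave@example.com>, relay=local, status=sent (delivered to mailbox)
"""

FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<addr>[^>]*)>")


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def exposed_senders(log_text, internal_domain="example.com", watched_domains=("yahoo.com",)):
    """Return {internal sender: sorted recipients at watched domains}."""
    watched = {d.lower() for d in watched_domains}
    sender_by_qid = {}
    result = defaultdict(set)
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            sender_by_qid[m.group("qid")] = m.group("addr").lower()
            continue
        m = TO_RE.search(line)
        if not m:
            continue
        # Only smtp (outbound) deliveries are matched; local deliveries are ignored.
        sender = sender_by_qid.get(m.group("qid"))
        recipient = m.group("addr").lower()
        if sender and domain_of(sender) == internal_domain and domain_of(recipient) in watched:
            result[sender].add(recipient)
    return {s: sorted(r) for s, r in result.items()}


if __name__ == "__main__":
    for sender, recipients in sorted(exposed_senders(SAMPLE_MAIL_LOG).items()):
        print(f"{sender} -> {', '.join(recipients)}")
```

The resulting list is the set of work addresses a criminal could learn by reading the compromised Yahoo mailboxes, which is a reasonable starting point for the targeted phishing awareness and mail-filtering attention the post argues for. Since the post notes AT&T accounts are tied into Yahoo, the watched_domains parameter is where those additional domains would go.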

Remember this OODA Loop image from my post a few days ago (Feb 28 post, “What Cybersecurity Methods to Use”).

Right now both the criminals (attackers in red) and you have been given information. What is more likely: that the attacker will Observe, Orient, Decide and Act first, or that you will process the OODA loop and ultimately ACT?

In the past it has been the aggressive criminals making moves and getting into company networks.

What will be your move?

Contact Us to discuss.


Planning Security? You must know TTP

In this new year of 2017 it is good to know your past so as not to create the same situation in the future.

But what is TTP you say?

TTP – Tactics, Techniques, and Procedures.

By that I mean the tactics and procedures of you and your IT team of course.

Some call this acronym Tools, Techniques, and Procedures, which is very close if not the same thing, as your IT team must have some tools to use within their tactics of defending the network and computer devices.

Interesting to note that TTP is not just used in cybersecurity, but in counter-terrorism as well:

Oodaloop discusses a form of TTP,

OODA stands for Observe, Orient, Decide, and Act; it was originally developed by Col. Boyd during the Korean War for use in air-to-air combat.

Image above from hroarr.com webpage

The OODA loop can apply to Cybersecurity with a small amount of tweaking.

The above image equates Observe with looking at network traffic and logs on the firewall and computer systems.

Orient is where we analyze the logs and network traffic with a certain time delay, as it takes time and manpower to review these items (this is also a place to do pentests or vulnerability analysis).

Decide is next, where we have to decide what to do with the data we are analyzing. Of course, analyzing and deciding what to do can take time, especially in large environments.

The final point in the process is to Act: test, patch, and reconfigure.

As this video from Derbycon last year mentions, we have to find ways to reduce our time to detection: use new methods, learn new methods.

As the Marines say: Adapt, Overcome, Improvise, and get the job done.

So we need to continue to learn new methods of detecting threats into our environments.


The devil is in the details, as we have to find actual new threats to detect. Testing those threats is a good idea, and time is actually on the attacker's side, as they only have to get in once and then the game changes. Once attackers are in your network it is harder to deny them more information and access to the data we are defending.

TTP is Tactics, Techniques and Procedures, and if the IT department is not aware of the new attacks the bad guys are coming in with, then the current actions are not good enough. Knowing your TTP means understanding the OODA loop and its weaknesses. Knowing your weaknesses should also allow you to focus your reviews on the areas that need them the most.

Notice the time delay in Boyd's OODA rule and how I specifically added it in my drawing to signify our lack of forthright ability at times and general malaise, especially when we don't know the baseline (for example, what is good and bad traffic?).

Is it enough to go about your day and entrust your network to a blue team (a blue team is the combined effort to defend your network)?

If we knew all the exact ways the attackers would attack, we would never be breached. But we have to find new ways to find the new attacks that we don't know about yet.

Remember more military axioms:

  1. Your best plans will change on contact with the enemy.
  2. What you really need to worry about is the unknown unknown, i.e. the breach that you can't see in any logs.


You don't want to see your company in lights, in the papers, in the online journals that explain how companies got breached.

Contact Us to help you with the process of improving detection of attackers, and improving your security policy.



What Else Happened on Nov 8th? Patch Day.

Yes, November 8th was election day in the USA.

And in the computer world it is yet another Microsoft Patch Day (2nd Tuesday of the month). So what is so important about yet another patch day?

As security pros we must focus on the vulnerabilities that may change our risk analysis.

So the Internet Storm Center tells us that one patch in particular is the most dangerous one: a remote execution vulnerability, MS16-132 Graphics component: https://isc.sans.edu/forums/diary/November+2016+Microsoft+Patch+Day/21689/


A remote execution vulnerability can spawn very dangerous malware, as it can be developed by bad actors into something that infects our machines.

Bad actors take these announcements and develop malware if they so desire.



Why would they desire it? To make money, of course. So there are programmers every day who are looking for vulnerabilities to make money on unsuspecting users.

If I click on an unknown spam email, or one from a supposed known business deal, this malware will bypass ALL antivirus software and slam you to the ground. This software vulnerability can cause problems in Microsoft software:


Which Microsoft software?

Let’s make a list:

Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows 2012, Windows RT 8.1, Windows 10, Windows Server 2016

Every single operating system had the following:

Remote Code Execution


And finally near the bottom we find the juicy tidbits:

There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The update addresses the vulnerability by correcting how the ATMFD component handles objects in memory.

There are no mitigating factors, only a potential workaround: renaming the atmfd.dll file (Adobe Type Manager; the file description says “Windows NT OpenType/Type 1 Font Driver”).


This is the current culprit. So prepare and test the patches before updating your environment.

Contact Us if you need help in devising a new Risk Assessment.


Hidden Hacks In Network

I often think about where the next attack can come in, and unfortunately it may come from where we least expect it.

A Spiceworks blog post has an interesting angle:

How often have cloud services been installed by users without IT department knowledge?


The Spiceworks survey found that many IT people have caught their users installing cloud services, 78% of the time from 2 times to over 5 times.


The cloud applications that IT people are worried about:

  • Cloud Storage (Dropbox, Google Drive, OneDrive) – 35%
  • Webmail (Gmail, Microsoft Exchange Online, Yahoo) – 27%
  • Messaging Services (Google Hangouts, Slack, Yammer) – 9%
  • Finance/Accounting applications (QuickBooks Online, FreshBooks) – 8%
  • Productivity Tools (Office Online, Google Docs) – 4%
  • CRM & SFA (Salesforce, Zoho CRM) – 3%
  • Other – 4%

I would think games are also a big portion, bigger than the 4% inside of Other.


As you read down the list of cloud applications, some are easier to access than others. Gmail, Google Hangouts and Google Docs are accessed with a login in a browser. I think that Google applications are not inherently unsafe; it is only when a document is downloaded within Gmail or Google Drive that the danger goes up. Although many online cloud apps do not require plugins or other software to be downloaded, many do, so that is one way of infection (downloaded plugins).

Accessing personal email on the company network with Yahoo, Exchange Online, Gmail or any other email service is not just a “breach of protocol”. The user may unknowingly add streams of spam and phishing emails which will try to take over the user's machine.

So let's say you invested in a program or service which checks company email for viruses and other malware; obviously the personal emails accessed will not be going through your ‘safety’ program. Now all of a sudden more viruses and malware are installed (in a hidden manner).

The same goes for messaging services. I think it is hard to see that online accounting programs could have malware, and the chance may be less, but it could happen where files which have malware in them are downloaded.

This is the reason an IPS (Intrusion Prevention System) is needed.


It is very hard to accurately predict all user actions, so another layer of defense at the firewall/network would be a good thing.
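Whether or not an IPS is in place, the proxy or firewall layer already sees which of the surveyed cloud services users are reaching, and that visibility is the first step toward the "another layer of defense" argued for above. The following is an added example, not code from the original post or from Spiceworks. It assumes Squid-style access.log lines that carry a username field (the sample lines below are constructed) and a host-to-category map built from the services named in the survey list; which services count as sanctioned is a local policy decision passed in by the caller.

```python
"""Spot unsanctioned cloud services in proxy logs, grouped by the survey categories.

Added example, not code from the original post. Assumes Squid-style
access.log lines with a username field (constructed sample below) and
a host-to-category map derived from the survey's list of services.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Host suffix -> category, from the services named in the survey list.
CATEGORY_BY_HOST = {
    "dropbox.com": "Cloud Storage",
    "drive.google.com": "Cloud Storage",
    "onedrive.live.com": "Cloud Storage",
    "mail.google.com": "Webmail",
    "outlook.office.com": "Webmail",
    "mail.yahoo.com": "Webmail",
    "hangouts.google.com": "Messaging",
    "slack.com": "Messaging",
    "yammer.com": "Messaging",
    "qbo.intuit.com": "Finance/Accounting",
    "freshbooks.com": "Finance/Accounting",
    "office.com": "Productivity",
    "docs.google.com": "Productivity",
    "salesforce.com": "CRM & SFA",
    "zoho.com": "CRM & SFA",
}

# Constructed Squid-style access.log lines (fields: time elapsed client
# result size method url user hierarchy type); CONNECT lines carry host:port.
SAMPLE_PROXY_LOG = """\
1489484401.101    210 10.0.0.15 TCP_TUNNEL/200 5120 CONNECT www.dropbox.com:443 jsmith HIER_DIRECT/203.0.113.5 -
1489484405.202     95 10.0.0.15 TCP_TUNNEL/200 2210 CONNECT mail.yahoo.com:443 jsmith HIER_DIRECT/203.0.113.6 -
1489484410.303    120 10.0.0.22 TCP_TUNNEL/200 8800 CONNECT outlook.office.com:443 kdoe HIER_DIRECT/203.0.113.7 -
1489484415.404    180 10.0.0.22 TCP_TUNNEL/200 3300 CONNECT app.slack.com:443 kdoe HIER_DIRECT/203.0.113.8 -
1489484420.505     60 10.0.0.31 TCP_MISS/200 1500 GET http://intranet.example.com/ pwong HIER_DIRECT/10.0.0.2 text/html
1489484425.606    140 10.0.0.31 TCP_TUNNEL/200 7700 CONNECT qbo.intuit.com:443 pwong HIER_DIRECT/203.0.113.9 -
"""


def host_of(url: str) -> str:
    """Hostname from a full URL or from a CONNECT host:port target."""
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    return url.rsplit(":", 1)[0].lower()


def classify_host(host: str):
    """Return (matched suffix, category); the longest matching suffix wins,
    so outlook.office.com is classified as Webmail rather than Productivity."""
    best = None
    for suffix, category in CATEGORY_BY_HOST.items():
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, category)
    return best


def shadow_it_report(log_text: str, sanctioned=()):
    """Return {user: {category: hit count}} for cloud services not in `sanctioned`.
    `sanctioned` lists map keys (suffixes) the organisation has approved."""
    sanctioned = {s.lower() for s in sanctioned}
    report = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue
        url, user = fields[6], fields[7]
        match = classify_host(host_of(url))
        if match is None or match[0] in sanctioned:
            continue
        report[user][match[1]] += 1
    return {user: dict(counts) for user, counts in report.items()}


if __name__ == "__main__":
    # Assumption for the demo: Exchange Online is the corporate mail system.
    for user, counts in sorted(shadow_it_report(SAMPLE_PROXY_LOG, {"outlook.office.com"}).items()):
        print(user, counts)
```

The per-user, per-category counts map directly onto the survey's worry list, and the sanctioned set is what turns a raw hit list into a policy finding: the same Exchange Online traffic is corporate mail in one company and personal webmail in another.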

We know how to do our jobs of defending the network and perimeter, and the hacker finds any nook and cranny to get through this defense.

On the network we have TTP: Tactics, Techniques and Procedures. Technology (firewall and endpoint protection) is one part, and the procedures are where people are using their personal email on a company computer.

More attacks come in where hackers can get in where it is least defended, like your unknown network devices:

And then, if a system (like an IoT, Internet of Things, device: a new refrigerator, TV, light bulb, or really any other device, like the camera used in a DDoS attack in this post) is on the network, it can be hacked.

The hacker has tools like ncat and other innocuous programs that can be used by an enterprising person.

IPS systems, properly configured, can at least provide some defense against these odd attacks. But there is no foolproof defense, just constant surveillance and review as well as patching and configuration updates as needed.

Not to mention that GRC (Governance, Risk, Compliance) is also important to keep track of all programs and devices on your network. GRC provides context and priority for attention.

Contact Us to discuss