How to defend Against phishing attacks and more


What better way to discuss phishing than an infographic?

First: consider the From: field in an email

In most emails the From: address makes sense: an email that comes from Netflix should come from something like abc@netflix.com, not tello.com.

The From: field is a very important clue as to whether an email is spam or phishing.

Second: read the text twice and note spelling and grammar mistakes. Does something not seem right? It is spam or a phishing email.

Third: Is there an attachment? That is always a problem: one can check it for malware (using virustotal.com), but that is time-consuming and dangerous. So unless you absolutely know the person sending you the attachment, I would not click on it no matter what (unfamiliar email? Do not click).

Fourth: Do not click on shady links, especially short links. You can unpack a short link at https://urlex.org/ to see where it really goes.

Fifth: always have a backup available just in case things go wrong. Make sure to have a backup that is offline, i.e. not on the system.
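The first four checks above (From: address vs. the brand it claims, short links, attachments) can be scripted as a triage pass over a raw message. This is an added example, not code from the original post; the brand-to-domain table, the shortener list and the sample message are all constructed here.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from urllib.parse import urlparse

# Constructed lookup tables for the example: which domain a brand should mail from,
# and which hosts are link shorteners that hide the real destination.
BRAND_DOMAINS = {"netflix": "netflix.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def triage(raw):
    """Return the phishing indicators found in a raw RFC 822 message (empty list = nothing seen)."""
    msg = message_from_string(raw, policy=default)
    findings = []
    hdr = msg["from"]
    addr = hdr.addresses[0] if hdr and hdr.addresses else None
    domain = (addr.domain if addr else "").lower()
    display = (addr.display_name if addr else "").lower()
    # 1. The display name claims a brand but the address is not in that brand's domain.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in display and not (domain == legit or domain.endswith("." + legit)):
            findings.append(f"from-mismatch: claims {brand} but sent from {domain or '?'}")
    # 2. Short links in the body: the reader cannot see where they go.
    body = msg.get_body(preferencelist=("plain", "html"))
    for url in URL_RE.findall(body.get_content() if body else ""):
        if (urlparse(url).hostname or "").lower() in SHORTENERS:
            findings.append(f"short-link: {url}")
    # 3. Any attachment at all gets flagged; the post's advice is not to open unexpected ones.
    for part in msg.iter_attachments():
        findings.append(f"attachment: {part.get_filename() or 'unnamed'}")
    return findings

def sample_phish():
    """Constructed sample (not a real email) that trips all three checks."""
    m = EmailMessage()
    m["From"] = "Netflix Billing <billing@tello.com>"
    m["To"] = "user@example.com"
    m["Subject"] = "Your account is on hold"
    m.set_content("Update your payment details at https://bit.ly/3xyzAbc today.")
    m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                     subtype="pdf", filename="invoice.pdf")
    return m.as_string()

if __name__ == "__main__":
    for finding in triage(sample_phish()):
        print(finding)
```

A clean message (From: in the brand's own domain, no shortener, no attachment) returns an empty list; the From: header can still be forged, so this is a first filter, not proof of legitimacy.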


Contact Us to discuss


Password Managers are Impossible to Hack?

How paranoid should you be when you want to devise methods of defending passwords?

If someone accesses your computer (with malware or otherwise) and can read its RAM, it is possible to read the password manager's data as it is read from or written to memory.

So what is the best way to handle passwords?

Should you just have a written password list (offline), on pen and paper?

It seems to me that to get into the password manager you need a complex password.

I just set up the Dashlane password manager to see what the standard is, and they make you enter at least an 8-character password with upper case, lower case, and a number.

So the example in the xkcd comic above would not work: correcthorsebatterystaple is 25 characters and easy to remember, but has no number or capitals. It would be very hard to guess with brute-force password guessing programs. But Dashlane uses the old method of creating a password (complex but shorter). The reason these passwords do not work is that over time one forgets complex passwords; resetting the password periodically may be good if you want to do it (like 2x per year), but if you forget it 6x per year then this system is no good.
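To put numbers on the comparison above (long lower-case passphrase vs. short complex password), here is an added worked calculation, not from the original post. It checks a password against the policy as the post describes it and computes the brute-force search space under the assumption that the attacker knows nothing about the password's structure; the guess rate is a constructed round figure.

```python
import math
import string

GUESSES_PER_SECOND = 1e10  # assumed offline cracking rate, a round figure for illustration

def meets_policy(pw):
    """Policy as described in the post: at least 8 characters, an upper, a lower and a digit."""
    return (len(pw) >= 8 and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw) and any(c.isdigit() for c in pw))

def alphabet_size(pw):
    """Character set a blind brute-forcer must cover, inferred from the classes present."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(c in string.punctuation for c in pw): size += len(string.punctuation)
    return size

def brute_force_bits(pw):
    """log2(alphabet ** length): size of the full search space in bits."""
    return len(pw) * math.log2(alphabet_size(pw))

def years_to_exhaust(pw, rate=GUESSES_PER_SECOND):
    """Years to try every candidate at the given rate (expected work is half of this)."""
    return 2 ** brute_force_bits(pw) / rate / (3600 * 24 * 365)

def compare(*passwords):
    """Policy verdict, search-space bits and exhaustion time for each password."""
    return {pw: {"policy_ok": meets_policy(pw),
                 "bits": round(brute_force_bits(pw), 1),
                 "years": years_to_exhaust(pw)} for pw in passwords}

if __name__ == "__main__":
    # Note: against a dictionary or word-list attack the passphrase is far weaker than its
    # 117 blind-brute-force bits suggest (xkcd counts it as four common words, ~44 bits).
    for pw, r in compare("correcthorsebatterystaple", "Tr0ub4dor&3", "Abcdefg1").items():
        print(f"{pw:28s} policy_ok={r['policy_ok']!s:5s} bits={r['bits']:6.1f} years={r['years']:.3g}")
```

The 8-character "Abcdefg1" passes the policy yet sits at about 47.6 bits, far below the 25-character passphrase that fails it, which is the post's point about length versus complexity rules.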

This is why everyone has to figure out their own password management system.

In my estimable opinion, it is wise to have an entry in both systems (offline and online). Keep the offline copy with a date next to it so you can decide when to change it.

The problem with password managers is that you are using less of your memory. The more of your memory you use, the longer you will keep it. Of course one has to be capable of learning new things and remembering a number of passwords without writing them down.

So use the password manager for the easy cases, like certain sites (games or other items that are not monetized). Then for bank sites and other financial websites, one could keep those passwords offline.

When I set up Dashlane it imported 500 passwords into the software from the browser storage. I looked through the list, and many of those sites are defunct or I no longer use them. So realistically a good 100-200 sites are now in Dashlane, plus a bunch of useless passwords that are no longer being used.

So which is my most important password? The one that can unlock all of them? Or my email? Using my email and phone, a thief can re-create my digital world, unless there is no digital setup. My phone reboot password is not in Dashlane, since one has to be booted up to use Dashlane. So there are a few passwords that can't or should not be in Dashlane.

Keep your offline passwords in a spot that says passwords in big letters (just kidding). Obviously do not make it easy to see what it is.

I am sure Dashlane or any of the other password management software packages are good and will not succumb to consistent hacker attacks (hmm, maybe – maybe not). Should we take that risk? It depends on your net worth and what you are defending. How paranoid are you really?

If you want to discuss this with someone else, let me know.

Contact Us  to review your situation


Top Cybersecurity Problem for Small Business

The top cybersecurity problem (or risk) is phishing emails and ransomware downloaded to your computer or your website.

When a phishing email somehow gets you to click a link that then downloads an infected “payload” onto your computer, you can only hope that the anti-virus you have (and/or firewall) will protect you from the payload, so that a dangerous payload is not able to take advantage of your inaction. The bad software is either in an attachment (in the email) or on a website that you download it from (via a link).

Obviously, if you can learn to recognize phishing scams that would be a good thing. But there are other things to do even if you click on a bad link or attachment.

4 things to help prevent getting hacked:

  1. Phishing email spotting  (this is the trickiest one)
  2. Update your computer and software (easiest to set up and manage)
  3. Use multi-factor authentication wherever you can
  4. Back up your computer regularly

If you are up-to-date with your patching on as much software as possible, many attacks will fail. There are some ‘zero-day’ attacks that would still be successful against you, but those are ‘usually’ expensive for hackers, so the risk of a ‘silver bullet attack’ is low.

Osterman Research created a white paper for Trend Micro: “New Methods for Solving Phishing, Business Email Compromise, Account Takeovers and Other Security Threats”.

First the paper explains how ineffective a number of people have been in managing phishing attacks.

The central theme of the paper is phishing attempts that reach end users and employees who fail to recognize phishing and social engineering attacks.

One of the paper’s recommendations is to move your security operation to the cloud. The plan is that the cloud provider is more advanced than you and will reduce your risk.

What is clear though is that even on the cloud, certain scams are always going to take advantage of any system. For example, if someone calls you and you give them your credentials after some story that seems believable, then any new technology that you paid for is useless, because now the bad guys can log in with your username and password.

You can set up MFA (Multi-factor Authentication), which means the hacker has to defeat another level of authentication (tied to your cellphone or a physical SecurID-style token).


I do not want to get into the technical details of MFA, since that is beyond the scope of this article. But MFA would cut down attacks by a large percentage.

So education and MFA, with a better anti-phishing email solution, would reduce successful attacks, and a proper patching environment may cover the rest.

Contact me to discuss this.


Active Directory Defense – A must review these days

Active Directory is the Microsoft software that manages all the information about objects on the network (from docs.microsoft.com):

“A directory is a hierarchical structure that stores information about objects on the network. A directory service, such as Active Directory Domain Services (AD DS), provides the methods for storing directory data and making this data available to network users and administrators. For example, AD DS stores information about user accounts, such as names, passwords, phone numbers, and so on, and enables other authorized users on the same network to access this information.”

Image from http://bucarotechelp.com/computers/winadmin/89001102.asp

You can see that Active Directory (AD) is in the middle of all Windows network functions. So it goes almost without saying that if AD is not configured correctly then there will either be problems with some Windows software functionality or it will be easy to hack the network configuration.

There are a number of online information sites to help you learn what not to do, such as those from Sean Metcalf, a frequent security conference speaker, for example at Derbycon 2019: “Beyond the Easy Button”.

For example, service accounts are sometimes installed by vendors; these need to be removed eventually.

Also, system administrators (or your IT guy/gal) do not always have different tiers for managing systems (workstations, servers, and domain controllers). Instead they may have it set up to be ‘easier’, which also means it is easier to take advantage of. It all depends on how many people are managing the environment and how large the environment is.

Do you have several ‘forests’? Is this a problem?

Forest trusts can be a problem, especially when a problem in one forest can manifest itself as problems in the other forest. And because one has to manage both forests, if they are not administered correctly it can be a security problem. Don’t forget to review the backup of your Active Directory information, as a hacker can copy NTDS.DIT (which is the file that keeps all of the information for AD). If you search for NTDS.DIT around the net, the first website that comes up is the Insider Threat Security Blog: ‘Extracting Password Hashes from the NTDS.DIT file’:

“With so much attention paid to detecting credential-based attacks such as Pass-the-Hash (PtH) and Pass-the-Ticket (PtT), other more serious and effective attacks are often overlooked. One such attack is focused on exfiltrating the Ntds.dit file from Active Directory Domain Controllers.”

So be aware that hackers want this Ntds.dit file, as they can try to crack the password hashes that are stored in it, and more.

If you are not looking at possible theft of this file, and you have a significant investment to protect, then you should spend money on tools that help you see whether this file was taken or not.

Needless to say, this is a topic that is much larger than a single post. If you are interested in discussing this topic, let me know.

Exim, Internet Mail Software, Flaw Causes Problems

Needless to say, an older version of Exim (4.92.1) had a serious flaw that became CVE-2019-15846.

I like to point out some problems that come up that are interesting… This software is needed in mail servers and is not well known to most people. But if a company does have it, it now needs to be upgraded.

Notice there were many releases of this software before someone found the vulnerability. Here is the CVE information from Bugtraq:

Description: Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash.


Bugtraq has an interesting explanation:

"Zerons" and Qualys discovered that a buffer overflow triggerable in the TLS negotiation code of the Exim mail transport agent could result in the execution of arbitrary code with root privileges.


So it seems that hackers found the flaw and it was patched quickly… But administrators still need to install the update. So as usual, here is the weak point: administrators who are already stressed have to do some off-hours updates sooner rather than later.
